]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add SSL_new_session_ticket() API
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
5e30f2fd 31#include <openssl/provider.h>
2cb4b5f6
MC		 32
33#include "ssltestlib.h"
c887104f 34#include "testutil.h"
f297e4ec 35#include "testutil/output.h"
176db6dc 36#include "internal/nelem.h"
fe5d9450 37#include "internal/ktls.h"
706457b7 38#include "../ssl/ssl_local.h"
2cb4b5f6 39
852c2ed2
RS		 40DEFINE_STACK_OF(OCSP_RESPID)
41DEFINE_STACK_OF(X509)
42DEFINE_STACK_OF(X509_NAME)
43
5e30f2fd
MC		 44static OPENSSL_CTX *libctx = NULL;
45static OSSL_PROVIDER *defctxnull = NULL;
46
8614a4eb
MC		 47#ifndef OPENSSL_NO_TLS1_3
48
49static SSL_SESSION *clientpsk = NULL;
50static SSL_SESSION *serverpsk = NULL;
51static const char *pskid = "Identity";
52static const char *srvid;
53
54static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
55 size_t *idlen, SSL_SESSION **sess);
56static int find_session_cb(SSL *ssl, const unsigned char *identity,
57 size_t identity_len, SSL_SESSION **sess);
58
59static int use_session_cb_cnt = 0;
60static int find_session_cb_cnt = 0;
61
62static SSL_SESSION *create_a_psk(SSL *ssl);
63#endif
64
1a2a3a42 65static char *certsdir = NULL;
2cb4b5f6
MC		 66static char *cert = NULL;
67static char *privkey = NULL;
76fd7a1d
MC		 68static char *srpvfile = NULL;
69static char *tmpfilename = NULL;
2cb4b5f6 70
4f6c7044
MC		 71static int is_fips = 0;
72
cffe973c 73#define LOG_BUFFER_SIZE 2048
6acdd3e5 74static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 75static size_t server_log_buffer_index = 0;
6acdd3e5 76static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 77static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 78static int error_writing_log = 0;
79
8f8c11d8 80#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 81static const unsigned char orespder[] = "Dummy OCSP Response";
82static int ocsp_server_called = 0;
83static int ocsp_client_called = 0;
84
85static int cdummyarg = 1;
86static X509 *ocspcert = NULL;
8f8c11d8 87#endif
ba881d3b 88
84d5549e 89#define NUM_EXTRA_CERTS 40
cf72c757 90#define CLIENT_VERSION_LEN 2
84d5549e 91
f1a5939f
CB		 92/*
93 * This structure is used to validate that the correct number of log messages
94 * of various types are emitted when emitting secret logs.
95 */
96struct sslapitest_log_counts {
97 unsigned int rsa_key_exchange_count;
98 unsigned int master_secret_count;
cffe973c 99 unsigned int client_early_secret_count;
f1a5939f
CB		 100 unsigned int client_handshake_secret_count;
101 unsigned int server_handshake_secret_count;
102 unsigned int client_application_secret_count;
103 unsigned int server_application_secret_count;
01a2a654 104 unsigned int early_exporter_secret_count;
6329ce8f 105 unsigned int exporter_secret_count;
f1a5939f
CB		 106};
107
16afd71c
MC		 108
109static unsigned char serverinfov1[] = {
110 0xff, 0xff, /* Dummy extension type */
111 0x00, 0x01, /* Extension length is 1 byte */
112 0xff /* Dummy extension data */
113};
114
115static unsigned char serverinfov2[] = {
116 0x00, 0x00, 0x00,
117 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
118 0xff, 0xff, /* Dummy extension type */
119 0x00, 0x01, /* Extension length is 1 byte */
120 0xff /* Dummy extension data */
121};
122
104a733d
MC		 123static int hostname_cb(SSL *s, int *al, void *arg)
124{
125 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
126
127 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
128 || strcmp(hostname, "altgoodhost") == 0))
129 return SSL_TLSEXT_ERR_OK;
130
131 return SSL_TLSEXT_ERR_NOACK;
132}
133
710756a9
RS		 134static void client_keylog_callback(const SSL *ssl, const char *line)
135{
6acdd3e5
CB		 136 int line_length = strlen(line);
137
138 /* If the log doesn't fit, error out. */
710756a9
RS		 139 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
140 TEST_info("Client log too full");
6acdd3e5
CB		 141 error_writing_log = 1;
142 return;
143 }
144
145 strcat(client_log_buffer, line);
146 client_log_buffer_index += line_length;
710756a9 147 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 148}
149
710756a9
RS		 150static void server_keylog_callback(const SSL *ssl, const char *line)
151{
6acdd3e5
CB		 152 int line_length = strlen(line);
153
154 /* If the log doesn't fit, error out. */
710756a9 155 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 156 TEST_info("Server log too full");
6acdd3e5
CB		 157 error_writing_log = 1;
158 return;
159 }
160
161 strcat(server_log_buffer, line);
162 server_log_buffer_index += line_length;
710756a9 163 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 164}
165
166static int compare_hex_encoded_buffer(const char *hex_encoded,
167 size_t hex_length,
168 const uint8_t *raw,
710756a9
RS		 169 size_t raw_length)
170{
171 size_t i, j;
172 char hexed[3];
6acdd3e5 173
710756a9 174 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 175 return 1;
6acdd3e5 176
710756a9 177 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 178 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 179 if (!TEST_int_eq(hexed[0], hex_encoded[j])
180 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 181 return 1;
6acdd3e5
CB		 182 }
183
184 return 0;
185}
186
187static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 188 const SSL_SESSION *session,
710756a9
RS		 189 struct sslapitest_log_counts *expected)
190{
6acdd3e5
CB		 191 char *token = NULL;
192 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
193 size_t client_random_size = SSL3_RANDOM_SIZE;
194 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
195 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 196 unsigned int rsa_key_exchange_count = 0;
197 unsigned int master_secret_count = 0;
cffe973c 198 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 199 unsigned int client_handshake_secret_count = 0;
200 unsigned int server_handshake_secret_count = 0;
201 unsigned int client_application_secret_count = 0;
202 unsigned int server_application_secret_count = 0;
01a2a654 203 unsigned int early_exporter_secret_count = 0;
6329ce8f 204 unsigned int exporter_secret_count = 0;
6acdd3e5 205
710756a9
RS		 206 for (token = strtok(buffer, " \n"); token != NULL;
207 token = strtok(NULL, " \n")) {
6acdd3e5 208 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 209 /*
210 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 211 * hex-encoded encrypted secret, then the hex-encoded pre-master
212 * secret.
213 */
710756a9 214 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 215 return 0;
710756a9 216 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 217 return 0;
710756a9 218 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 219 return 0;
f1a5939f
CB		 220 /*
221 * We can't sensibly check the log because the premaster secret is
222 * transient, and OpenSSL doesn't keep hold of it once the master
223 * secret is generated.
224 */
225 rsa_key_exchange_count++;
6acdd3e5 226 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 227 /*
228 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 229 * client random, then the hex-encoded master secret.
230 */
231 client_random_size = SSL_get_client_random(ssl,
232 actual_client_random,
233 SSL3_RANDOM_SIZE);
710756a9 234 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 235 return 0;
6acdd3e5 236
710756a9 237 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 238 return 0;
710756a9 239 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 240 return 0;
710756a9
RS		 241 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
242 actual_client_random,
243 client_random_size)))
f1a5939f 244 return 0;
6acdd3e5 245
710756a9 246 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 247 return 0;
6acdd3e5
CB		 248 master_key_size = SSL_SESSION_get_master_key(session,
249 actual_master_key,
250 master_key_size);
710756a9 251 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 252 return 0;
710756a9
RS		 253 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
254 actual_master_key,
255 master_key_size)))
f1a5939f 256 return 0;
f1a5939f 257 master_secret_count++;
cffe973c
PW		 258 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
259 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 260 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
261 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 262 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 263 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 264 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 265 /*
266 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
267 * client random, and then the hex-encoded secret. In this case,
268 * we treat all of these secrets identically and then just
269 * distinguish between them when counting what we saw.
270 */
cffe973c
PW		 271 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
272 client_early_secret_count++;
273 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 274 client_handshake_secret_count++;
275 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
276 server_handshake_secret_count++;
277 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
278 client_application_secret_count++;
279 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
280 server_application_secret_count++;
01a2a654
PW		 281 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
282 early_exporter_secret_count++;
6329ce8f
PW		 283 else if (strcmp(token, "EXPORTER_SECRET") == 0)
284 exporter_secret_count++;
f1a5939f
CB		 285
286 client_random_size = SSL_get_client_random(ssl,
287 actual_client_random,
288 SSL3_RANDOM_SIZE);
710756a9 289 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 290 return 0;
f1a5939f 291
710756a9 292 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 293 return 0;
710756a9 294 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 295 return 0;
710756a9
RS		 296 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
297 actual_client_random,
298 client_random_size)))
f1a5939f 299 return 0;
6acdd3e5 300
710756a9 301 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 302 return 0;
f1a5939f
CB		 303
304 /*
305 * TODO(TLS1.3): test that application traffic secrets are what
306 * we expect */
6acdd3e5 307 } else {
710756a9 308 TEST_info("Unexpected token %s\n", token);
f1a5939f 309 return 0;
6acdd3e5 310 }
6acdd3e5
CB		 311 }
312
710756a9
RS		 313 /* Got what we expected? */
314 if (!TEST_size_t_eq(rsa_key_exchange_count,
315 expected->rsa_key_exchange_count)
316 || !TEST_size_t_eq(master_secret_count,
317 expected->master_secret_count)
cffe973c
PW		 318 || !TEST_size_t_eq(client_early_secret_count,
319 expected->client_early_secret_count)
710756a9
RS		 320 || !TEST_size_t_eq(client_handshake_secret_count,
321 expected->client_handshake_secret_count)
322 || !TEST_size_t_eq(server_handshake_secret_count,
323 expected->server_handshake_secret_count)
324 || !TEST_size_t_eq(client_application_secret_count,
325 expected->client_application_secret_count)
326 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 327 expected->server_application_secret_count)
01a2a654
PW		 328 || !TEST_size_t_eq(early_exporter_secret_count,
329 expected->early_exporter_secret_count)
6329ce8f
PW		 330 || !TEST_size_t_eq(exporter_secret_count,
331 expected->exporter_secret_count))
710756a9
RS		 332 return 0;
333 return 1;
6acdd3e5
CB		 334}
335
c423ecaa 336#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 337static int test_keylog(void)
338{
6acdd3e5
CB		 339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
341 int testresult = 0;
6fc1e624 342 struct sslapitest_log_counts expected;
6acdd3e5
CB		 343
344 /* Clean up logging space */
6fc1e624 345 memset(&expected, 0, sizeof(expected));
710756a9
RS		 346 memset(client_log_buffer, 0, sizeof(client_log_buffer));
347 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 348 client_log_buffer_index = 0;
349 server_log_buffer_index = 0;
350 error_writing_log = 0;
351
5e30f2fd 352 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 353 TLS_client_method(),
5c587fb6 354 TLS1_VERSION, 0,
710756a9 355 &sctx, &cctx, cert, privkey)))
6acdd3e5 356 return 0;
6acdd3e5
CB		 357
358 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
359 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
360 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
361
f0deb4d3 362 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 363 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 364 goto end;
f0deb4d3 365
cf10df81
RS		 366 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
367 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 368 goto end;
6acdd3e5 369 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 370 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
371 == client_keylog_callback))
6acdd3e5 372 goto end;
710756a9 373 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 374 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
375 == server_keylog_callback))
6acdd3e5 376 goto end;
6acdd3e5 377
710756a9
RS		 378 /* Now do a handshake and check that the logs have been written to. */
379 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
380 &clientssl, NULL, NULL))
381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
382 SSL_ERROR_NONE))
383 || !TEST_false(error_writing_log)
384 || !TEST_int_gt(client_log_buffer_index, 0)
385 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 386 goto end;
6acdd3e5 387
f1a5939f
CB		 388 /*
389 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 390 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 391 * data we expect. For both client and server, we expect to see one master
392 * secret. The client should also see a RSA key exchange.
6acdd3e5 393 */
f1a5939f
CB		 394 expected.rsa_key_exchange_count = 1;
395 expected.master_secret_count = 1;
710756a9
RS		 396 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
397 SSL_get_session(clientssl), &expected)))
6acdd3e5 398 goto end;
f1a5939f
CB		 399
400 expected.rsa_key_exchange_count = 0;
710756a9
RS		 401 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
402 SSL_get_session(serverssl), &expected)))
6acdd3e5 403 goto end;
6acdd3e5
CB		 404
405 testresult = 1;
406
407end:
408 SSL_free(serverssl);
409 SSL_free(clientssl);
410 SSL_CTX_free(sctx);
411 SSL_CTX_free(cctx);
412
413 return testresult;
414}
c423ecaa 415#endif
6acdd3e5
CB		 416
417#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 418static int test_keylog_no_master_key(void)
419{
6acdd3e5
CB		 420 SSL_CTX *cctx = NULL, *sctx = NULL;
421 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 422 SSL_SESSION *sess = NULL;
6acdd3e5 423 int testresult = 0;
6fc1e624 424 struct sslapitest_log_counts expected;
cffe973c
PW		 425 unsigned char buf[1];
426 size_t readbytes, written;
6acdd3e5
CB		 427
428 /* Clean up logging space */
6fc1e624 429 memset(&expected, 0, sizeof(expected));
710756a9
RS		 430 memset(client_log_buffer, 0, sizeof(client_log_buffer));
431 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 432 client_log_buffer_index = 0;
433 server_log_buffer_index = 0;
434 error_writing_log = 0;
435
5e30f2fd
MC		 436 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
437 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 438 &sctx, &cctx, cert, privkey))
439 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 440 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 441 return 0;
6acdd3e5 442
cf10df81
RS		 443 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
444 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 445 goto end;
6acdd3e5
CB		 446
447 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 448 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
449 == client_keylog_callback))
6acdd3e5 450 goto end;
6acdd3e5 451
710756a9 452 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 453 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
454 == server_keylog_callback))
6acdd3e5 455 goto end;
6acdd3e5 456
710756a9
RS		 457 /* Now do a handshake and check that the logs have been written to. */
458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
459 &clientssl, NULL, NULL))
460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
461 SSL_ERROR_NONE))
462 || !TEST_false(error_writing_log))
6acdd3e5 463 goto end;
6acdd3e5 464
f1a5939f
CB		 465 /*
466 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 467 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 468 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 469 */
f1a5939f
CB		 470 expected.client_handshake_secret_count = 1;
471 expected.server_handshake_secret_count = 1;
472 expected.client_application_secret_count = 1;
473 expected.server_application_secret_count = 1;
6329ce8f 474 expected.exporter_secret_count = 1;
710756a9
RS		 475 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
476 SSL_get_session(clientssl), &expected))
477 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
478 SSL_get_session(serverssl),
479 &expected)))
6acdd3e5 480 goto end;
6acdd3e5 481
cffe973c
PW		 482 /* Terminate old session and resume with early data. */
483 sess = SSL_get1_session(clientssl);
484 SSL_shutdown(clientssl);
485 SSL_shutdown(serverssl);
486 SSL_free(serverssl);
487 SSL_free(clientssl);
488 serverssl = clientssl = NULL;
489
490 /* Reset key log */
491 memset(client_log_buffer, 0, sizeof(client_log_buffer));
492 memset(server_log_buffer, 0, sizeof(server_log_buffer));
493 client_log_buffer_index = 0;
494 server_log_buffer_index = 0;
495
496 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
497 &clientssl, NULL, NULL))
498 || !TEST_true(SSL_set_session(clientssl, sess))
499 /* Here writing 0 length early data is enough. */
500 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
501 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
502 &readbytes),
503 SSL_READ_EARLY_DATA_ERROR)
504 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
505 SSL_EARLY_DATA_ACCEPTED)
506 || !TEST_true(create_ssl_connection(serverssl, clientssl,
507 SSL_ERROR_NONE))
508 || !TEST_true(SSL_session_reused(clientssl)))
509 goto end;
510
511 /* In addition to the previous entries, expect early secrets. */
512 expected.client_early_secret_count = 1;
01a2a654 513 expected.early_exporter_secret_count = 1;
cffe973c
PW		 514 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
515 SSL_get_session(clientssl), &expected))
516 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
517 SSL_get_session(serverssl),
518 &expected)))
519 goto end;
520
6acdd3e5
CB		 521 testresult = 1;
522
523end:
cffe973c 524 SSL_SESSION_free(sess);
6acdd3e5
CB		 525 SSL_free(serverssl);
526 SSL_free(clientssl);
527 SSL_CTX_free(sctx);
528 SSL_CTX_free(cctx);
529
530 return testresult;
531}
532#endif
533
e9ee6536 534#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 535static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 536{
537 int *ctr = arg;
538 const unsigned char *p;
8ea404fb 539 int *exts;
2afaee51
BK		 540 /* We only configure two ciphers, but the SCSV is added automatically. */
541#ifdef OPENSSL_NO_EC
542 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
543#else
544 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
545 0x2c, 0x00, 0xff};
546#endif
8ea404fb
BK		 547 const int expected_extensions[] = {
548#ifndef OPENSSL_NO_EC
549 11, 10,
550#endif
10ed1b72 551 35, 22, 23, 13};
2afaee51
BK		 552 size_t len;
553
554 /* Make sure we can defer processing and get called back. */
555 if ((*ctr)++ == 0)
f1b97da1 556 return SSL_CLIENT_HELLO_RETRY;
2afaee51 557
a9c0d8be 558 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 559 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 560 || !TEST_size_t_eq(
561 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 562 || !TEST_int_eq(*p, 0))
f1b97da1 563 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 564 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 565 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 566 if (len != OSSL_NELEM(expected_extensions) ||
567 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 568 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 569 OPENSSL_free(exts);
f1b97da1 570 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 571 }
572 OPENSSL_free(exts);
f1b97da1 573 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 574}
575
a9c0d8be 576static int test_client_hello_cb(void)
710756a9 577{
2afaee51
BK		 578 SSL_CTX *cctx = NULL, *sctx = NULL;
579 SSL *clientssl = NULL, *serverssl = NULL;
580 int testctr = 0, testresult = 0;
581
5e30f2fd
MC		 582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
583 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 584 &sctx, &cctx, cert, privkey)))
2afaee51 585 goto end;
a9c0d8be 586 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 587
2afaee51
BK		 588 /* The gimpy cipher list we configure can't do TLS 1.3. */
589 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 590
710756a9
RS		 591 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
592 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
593 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL))
595 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 596 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 597 /*
598 * Passing a -1 literal is a hack since
599 * the real value was lost.
600 * */
a9c0d8be
DB		 601 || !TEST_int_eq(SSL_get_error(serverssl, -1),
602 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 603 || !TEST_true(create_ssl_connection(serverssl, clientssl,
604 SSL_ERROR_NONE)))
2afaee51 605 goto end;
2afaee51
BK		 606
607 testresult = 1;
608
088dfa13
TS		 609end:
610 SSL_free(serverssl);
611 SSL_free(clientssl);
612 SSL_CTX_free(sctx);
613 SSL_CTX_free(cctx);
614
615 return testresult;
616}
617
618static int test_no_ems(void)
619{
620 SSL_CTX *cctx = NULL, *sctx = NULL;
621 SSL *clientssl = NULL, *serverssl = NULL;
622 int testresult = 0;
623
5e30f2fd 624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 625 TLS1_VERSION, TLS1_2_VERSION,
626 &sctx, &cctx, cert, privkey)) {
627 printf("Unable to create SSL_CTX pair\n");
628 goto end;
629 }
630
631 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
632
633 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
634 printf("Unable to create SSL objects\n");
635 goto end;
636 }
637
638 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
639 printf("Creating SSL connection failed\n");
640 goto end;
641 }
642
643 if (SSL_get_extms_support(serverssl)) {
644 printf("Server reports Extended Master Secret support\n");
645 goto end;
646 }
647
648 if (SSL_get_extms_support(clientssl)) {
649 printf("Client reports Extended Master Secret support\n");
650 goto end;
651 }
652 testresult = 1;
653
2afaee51
BK		 654end:
655 SSL_free(serverssl);
656 SSL_free(clientssl);
657 SSL_CTX_free(sctx);
658 SSL_CTX_free(cctx);
659
660 return testresult;
661}
662
3cd14e5e
BK		 663/*
664 * Very focused test to exercise a single case in the server-side state
665 * machine, when the ChangeCipherState message needs to actually change
666 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 667 * encryption to real encryption).
3cd14e5e
BK		 668 */
669static int test_ccs_change_cipher(void)
670{
671 SSL_CTX *cctx = NULL, *sctx = NULL;
672 SSL *clientssl = NULL, *serverssl = NULL;
673 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
674 int testresult = 0;
675 int i;
676 unsigned char buf;
677 size_t readbytes;
678
679 /*
680 * Create a conection so we can resume and potentially (but not) use
681 * a different cipher in the second connection.
682 */
5e30f2fd 683 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 684 TLS_client_method(),
685 TLS1_VERSION, TLS1_2_VERSION,
686 &sctx, &cctx, cert, privkey))
687 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
688 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
689 NULL, NULL))
690 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
691 || !TEST_true(create_ssl_connection(serverssl, clientssl,
692 SSL_ERROR_NONE))
693 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
694 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
695 goto end;
696
697 shutdown_ssl_connection(serverssl, clientssl);
698 serverssl = clientssl = NULL;
699
700 /* Resume, preferring a different cipher. Our server will force the
701 * same cipher to be used as the initial handshake. */
702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
703 NULL, NULL))
704 || !TEST_true(SSL_set_session(clientssl, sess))
705 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
706 || !TEST_true(create_ssl_connection(serverssl, clientssl,
707 SSL_ERROR_NONE))
708 || !TEST_true(SSL_session_reused(clientssl))
709 || !TEST_true(SSL_session_reused(serverssl))
710 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
711 || !TEST_ptr_eq(sesspre, sesspost)
712 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
713 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
714 goto end;
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
717
718 /*
719 * Now create a fresh connection and try to renegotiate a different
720 * cipher on it.
721 */
b3e6d666
BK		 722 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
723 NULL, NULL))
3cd14e5e
BK		 724 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
726 SSL_ERROR_NONE))
727 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
728 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
729 || !TEST_true(SSL_renegotiate(clientssl))
730 || !TEST_true(SSL_renegotiate_pending(clientssl)))
731 goto end;
732 /* Actually drive the renegotiation. */
733 for (i = 0; i < 3; i++) {
734 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
735 if (!TEST_ulong_eq(readbytes, 0))
736 goto end;
737 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
738 SSL_ERROR_WANT_READ)) {
739 goto end;
740 }
741 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
742 if (!TEST_ulong_eq(readbytes, 0))
743 goto end;
744 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
745 SSL_ERROR_WANT_READ)) {
746 goto end;
747 }
748 }
749 /* sesspre and sesspost should be different since the cipher changed. */
750 if (!TEST_false(SSL_renegotiate_pending(clientssl))
751 || !TEST_false(SSL_session_reused(clientssl))
752 || !TEST_false(SSL_session_reused(serverssl))
753 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
754 || !TEST_ptr_ne(sesspre, sesspost)
755 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
756 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
757 goto end;
758
759 shutdown_ssl_connection(serverssl, clientssl);
760 serverssl = clientssl = NULL;
761
762 testresult = 1;
763
764end:
765 SSL_free(serverssl);
766 SSL_free(clientssl);
767 SSL_CTX_free(sctx);
768 SSL_CTX_free(cctx);
769 SSL_SESSION_free(sess);
770
771 return testresult;
772}
fb121631 773#endif
3cd14e5e 774
84d5549e 775static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 776 const SSL_METHOD *cmeth,
777 int min_version, int max_version,
778 int read_ahead)
84d5549e
MC		 779{
780 SSL_CTX *cctx = NULL, *sctx = NULL;
781 SSL *clientssl = NULL, *serverssl = NULL;
782 int testresult = 0;
783 int i;
710756a9 784 BIO *certbio = NULL;
84d5549e
MC		 785 X509 *chaincert = NULL;
786 int certlen;
787
710756a9 788 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 789 goto end;
84d5549e 790 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 791 BIO_free(certbio);
792 certbio = NULL;
710756a9 793 if (!TEST_ptr(chaincert))
fa454945 794 goto end;
84d5549e 795
5e30f2fd
MC		 796 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
797 max_version, &sctx, &cctx, cert,
798 privkey)))
84d5549e 799 goto end;
84d5549e 800
710756a9 801 if (read_ahead) {
7856332e
MC		 802 /*
803 * Test that read_ahead works correctly when dealing with large
804 * records
805 */
806 SSL_CTX_set_read_ahead(cctx, 1);
807 }
808
84d5549e
MC		 809 /*
810 * We assume the supplied certificate is big enough so that if we add
811 * NUM_EXTRA_CERTS it will make the overall message large enough. The
812 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 813 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
814 * test we need to have a message larger than that.
84d5549e
MC		 815 */
816 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 817 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
818 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 819 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 820 if (!X509_up_ref(chaincert))
84d5549e 821 goto end;
84d5549e 822 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 823 X509_free(chaincert);
824 goto end;
825 }
826 }
827
710756a9
RS		 828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
829 NULL, NULL))
830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
831 SSL_ERROR_NONE)))
84d5549e 832 goto end;
84d5549e 833
4bf08600
MC		 834 /*
835 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 836 * doesn't leak.
4bf08600 837 */
710756a9 838 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 839 goto end;
84d5549e 840
4bf08600 841 testresult = 1;
84d5549e
MC		 842 end:
843 X509_free(chaincert);
844 SSL_free(serverssl);
845 SSL_free(clientssl);
846 SSL_CTX_free(sctx);
847 SSL_CTX_free(cctx);
848
849 return testresult;
850}
851
5e9072ed
MC		 852#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
853 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 854
855/* sock must be connected */
856static int ktls_chk_platform(int sock)
857{
858 if (!ktls_enable(sock))
859 return 0;
860 return 1;
861}
862
863static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
864{
865 static char count = 1;
866 unsigned char cbuf[16000] = {0};
867 unsigned char sbuf[16000];
868 size_t err = 0;
869 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
870 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
2fab79af
BP		 871 char crec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
872 char crec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
fe5d9450
BP		 873 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
874 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
875 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
876 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
877
878 cbuf[0] = count++;
879 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
880 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 881 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence,
882 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 883 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
884 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
885 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
886 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
887
888 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
889 goto end;
890
891 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
892 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
893 goto end;
894 }
895 }
896
897 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
898 goto end;
899
900 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
901 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
902 goto end;
903 }
904 }
905
906 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
907 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
2fab79af
BP		 908 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence,
909 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
fe5d9450
BP		 910 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
911 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
912 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
913 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
914
915 /* verify the payload */
916 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
917 goto end;
918
919 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
920 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
921 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
922 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
923 goto end;
924 } else {
925 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
926 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
927 goto end;
928 }
929
930 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
931 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
932 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
933 goto end;
934 } else {
935 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
936 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
937 goto end;
938 }
939
2fab79af
BP		 940 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
941 if (!TEST_mem_ne(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
942 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
943 goto end;
944 } else {
945 if (!TEST_mem_eq(crec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
946 crec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
947 goto end;
948 }
949
950 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
951 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
952 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
953 goto end;
954 } else {
955 if (!TEST_mem_eq(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
956 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
957 goto end;
958 }
fe5d9450
BP		 959
960 return 1;
961end:
962 return 0;
963}
964
2fab79af
BP		 965static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
966 int sis_ktls_tx, int sis_ktls_rx)
fe5d9450
BP		 967{
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
970 int testresult = 0;
971 int cfd, sfd;
972
973 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
974 goto end;
975
976 /* Skip this test if the platform does not support ktls */
977 if (!ktls_chk_platform(cfd))
978 return 1;
979
980 /* Create a session based on SHA-256 */
5e30f2fd 981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450
BP		 982 TLS_client_method(),
983 TLS1_2_VERSION, TLS1_2_VERSION,
984 &sctx, &cctx, cert, privkey))
985 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
986 "AES128-GCM-SHA256"))
987 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
988 &clientssl, sfd, cfd)))
989 goto end;
990
991 if (!cis_ktls_tx) {
992 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
993 goto end;
994 }
995
996 if (!sis_ktls_tx) {
997 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
998 goto end;
999 }
1000
2fab79af
BP		 1001 if (!cis_ktls_rx) {
1002 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1003 goto end;
1004 }
1005
1006 if (!sis_ktls_rx) {
1007 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1008 goto end;
1009 }
1010
fe5d9450
BP		 1011 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1012 SSL_ERROR_NONE)))
1013 goto end;
1014
1015 if (!cis_ktls_tx) {
1016 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1017 goto end;
1018 } else {
1019 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1020 goto end;
1021 }
1022
1023 if (!sis_ktls_tx) {
1024 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1025 goto end;
1026 } else {
1027 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1028 goto end;
1029 }
1030
2fab79af
BP		 1031 if (!cis_ktls_rx) {
1032 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1033 goto end;
1034 } else {
1035 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1036 goto end;
1037 }
1038
1039 if (!sis_ktls_rx) {
1040 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1041 goto end;
1042 } else {
1043 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1044 goto end;
1045 }
1046
fe5d9450
BP		 1047 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
1048 goto end;
1049
1050 testresult = 1;
1051end:
1052 if (clientssl) {
1053 SSL_shutdown(clientssl);
1054 SSL_free(clientssl);
1055 }
1056 if (serverssl) {
1057 SSL_shutdown(serverssl);
1058 SSL_free(serverssl);
1059 }
1060 SSL_CTX_free(sctx);
1061 SSL_CTX_free(cctx);
1062 serverssl = clientssl = NULL;
1063 return testresult;
1064}
1065
7c3a7561
BP		 1066#define SENDFILE_SZ (16 * 4096)
1067#define SENDFILE_CHUNK (4 * 4096)
1068#define min(a,b) ((a) > (b) ? (b) : (a))
1069
1070static int test_ktls_sendfile(void)
1071{
1072 SSL_CTX *cctx = NULL, *sctx = NULL;
1073 SSL *clientssl = NULL, *serverssl = NULL;
1074 unsigned char *buf, *buf_dst;
1075 BIO *out = NULL, *in = NULL;
1076 int cfd, sfd, ffd, err;
1077 ssize_t chunk_size = 0;
1078 off_t chunk_off = 0;
1079 int testresult = 0;
1080 FILE *ffdp;
1081
1082 buf = OPENSSL_zalloc(SENDFILE_SZ);
1083 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1084 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1085 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1086 goto end;
1087
1088 /* Skip this test if the platform does not support ktls */
1089 if (!ktls_chk_platform(sfd)) {
1090 testresult = 1;
1091 goto end;
1092 }
1093
1094 /* Create a session based on SHA-256 */
5e30f2fd 1095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561
BP		 1096 TLS_client_method(),
1097 TLS1_2_VERSION, TLS1_2_VERSION,
1098 &sctx, &cctx, cert, privkey))
1099 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1100 "AES128-GCM-SHA256"))
1101 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1102 &clientssl, sfd, cfd)))
1103 goto end;
1104
1105 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1106 SSL_ERROR_NONE))
1107 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1108 goto end;
1109
1110 RAND_bytes(buf, SENDFILE_SZ);
1111 out = BIO_new_file(tmpfilename, "wb");
1112 if (!TEST_ptr(out))
1113 goto end;
1114
1115 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1116 goto end;
1117
1118 BIO_free(out);
1119 out = NULL;
1120 in = BIO_new_file(tmpfilename, "rb");
1121 BIO_get_fp(in, &ffdp);
1122 ffd = fileno(ffdp);
1123
1124 while (chunk_off < SENDFILE_SZ) {
1125 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1126 while ((err = SSL_sendfile(serverssl,
1127 ffd,
1128 chunk_off,
1129 chunk_size,
1130 0)) != chunk_size) {
1131 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1132 goto end;
1133 }
1134 while ((err = SSL_read(clientssl,
1135 buf_dst + chunk_off,
1136 chunk_size)) != chunk_size) {
1137 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1138 goto end;
1139 }
1140
1141 /* verify the payload */
1142 if (!TEST_mem_eq(buf_dst + chunk_off,
1143 chunk_size,
1144 buf + chunk_off,
1145 chunk_size))
1146 goto end;
1147
1148 chunk_off += chunk_size;
1149 }
1150
1151 testresult = 1;
1152end:
1153 if (clientssl) {
1154 SSL_shutdown(clientssl);
1155 SSL_free(clientssl);
1156 }
1157 if (serverssl) {
1158 SSL_shutdown(serverssl);
1159 SSL_free(serverssl);
1160 }
1161 SSL_CTX_free(sctx);
1162 SSL_CTX_free(cctx);
1163 serverssl = clientssl = NULL;
1164 BIO_free(out);
1165 BIO_free(in);
1166 OPENSSL_free(buf);
1167 OPENSSL_free(buf_dst);
1168 return testresult;
1169}
1170
2fab79af
BP		 1171static int test_ktls_no_txrx_client_no_txrx_server(void)
1172{
1173 return execute_test_ktls(0, 0, 0, 0);
1174}
1175
1176static int test_ktls_no_rx_client_no_txrx_server(void)
1177{
1178 return execute_test_ktls(1, 0, 0, 0);
1179}
1180
1181static int test_ktls_no_tx_client_no_txrx_server(void)
1182{
1183 return execute_test_ktls(0, 1, 0, 0);
1184}
1185
1186static int test_ktls_client_no_txrx_server(void)
1187{
1188 return execute_test_ktls(1, 1, 0, 0);
1189}
1190
1191static int test_ktls_no_txrx_client_no_rx_server(void)
1192{
1193 return execute_test_ktls(0, 0, 1, 0);
1194}
1195
1196static int test_ktls_no_rx_client_no_rx_server(void)
1197{
1198 return execute_test_ktls(1, 0, 1, 0);
1199}
1200
1201static int test_ktls_no_tx_client_no_rx_server(void)
1202{
1203 return execute_test_ktls(0, 1, 1, 0);
1204}
1205
1206static int test_ktls_client_no_rx_server(void)
fe5d9450 1207{
2fab79af 1208 return execute_test_ktls(1, 1, 1, 0);
fe5d9450
BP		 1209}
1210
2fab79af 1211static int test_ktls_no_txrx_client_no_tx_server(void)
fe5d9450 1212{
2fab79af 1213 return execute_test_ktls(0, 0, 0, 1);
fe5d9450
BP		 1214}
1215
2fab79af 1216static int test_ktls_no_rx_client_no_tx_server(void)
fe5d9450 1217{
2fab79af 1218 return execute_test_ktls(1, 0, 0, 1);
fe5d9450
BP		 1219}
1220
2fab79af
BP		 1221static int test_ktls_no_tx_client_no_tx_server(void)
1222{
1223 return execute_test_ktls(0, 1, 0, 1);
1224}
1225
1226static int test_ktls_client_no_tx_server(void)
1227{
1228 return execute_test_ktls(1, 1, 0, 1);
1229}
1230
1231static int test_ktls_no_txrx_client_server(void)
1232{
1233 return execute_test_ktls(0, 0, 1, 1);
1234}
1235
1236static int test_ktls_no_rx_client_server(void)
1237{
1238 return execute_test_ktls(1, 0, 1, 1);
1239}
1240
1241static int test_ktls_no_tx_client_server(void)
1242{
1243 return execute_test_ktls(0, 1, 1, 1);
1244}
1245
1246static int test_ktls_client_server(void)
fe5d9450 1247{
2fab79af 1248 return execute_test_ktls(1, 1, 1, 1);
fe5d9450 1249}
fe5d9450
BP		 1250#endif
1251
84d5549e
MC		 1252static int test_large_message_tls(void)
1253{
7856332e 1254 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1255 TLS1_VERSION, 0, 0);
7856332e
MC		 1256}
1257
1258static int test_large_message_tls_read_ahead(void)
1259{
1260 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1261 TLS1_VERSION, 0, 1);
84d5549e
MC		 1262}
1263
55386bef 1264#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1265static int test_large_message_dtls(void)
1266{
7856332e
MC		 1267 /*
1268 * read_ahead is not relevant to DTLS because DTLS always acts as if
1269 * read_ahead is set.
1270 */
84d5549e 1271 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1272 DTLS_client_method(),
5c587fb6 1273 DTLS1_VERSION, 0, 0);
84d5549e 1274}
55386bef 1275#endif
84d5549e 1276
8f8c11d8 1277#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1278static int ocsp_server_cb(SSL *s, void *arg)
1279{
1280 int *argi = (int *)arg;
710756a9 1281 unsigned char *copy = NULL;
ba881d3b
MC		 1282 STACK_OF(OCSP_RESPID) *ids = NULL;
1283 OCSP_RESPID *id = NULL;
1284
1285 if (*argi == 2) {
1286 /* In this test we are expecting exactly 1 OCSP_RESPID */
1287 SSL_get_tlsext_status_ids(s, &ids);
1288 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1289 return SSL_TLSEXT_ERR_ALERT_FATAL;
1290
1291 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1292 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1293 return SSL_TLSEXT_ERR_ALERT_FATAL;
1294 } else if (*argi != 1) {
1295 return SSL_TLSEXT_ERR_ALERT_FATAL;
1296 }
1297
710756a9 1298 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1299 return SSL_TLSEXT_ERR_ALERT_FATAL;
1300
710756a9 1301 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1302 ocsp_server_called = 1;
ba881d3b
MC		 1303 return SSL_TLSEXT_ERR_OK;
1304}
1305
1306static int ocsp_client_cb(SSL *s, void *arg)
1307{
1308 int *argi = (int *)arg;
1309 const unsigned char *respderin;
1310 size_t len;
1311
1312 if (*argi != 1 && *argi != 2)
1313 return 0;
1314
1315 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1316 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1317 return 0;
1318
1319 ocsp_client_called = 1;
ba881d3b
MC		 1320 return 1;
1321}
1322
2cb4b5f6
MC		 1323static int test_tlsext_status_type(void)
1324{
ba881d3b
MC		 1325 SSL_CTX *cctx = NULL, *sctx = NULL;
1326 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1327 int testresult = 0;
ba881d3b
MC		 1328 STACK_OF(OCSP_RESPID) *ids = NULL;
1329 OCSP_RESPID *id = NULL;
1330 BIO *certbio = NULL;
2cb4b5f6 1331
5e30f2fd 1332 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1333 TLS1_VERSION, 0,
7d7f6834 1334 &sctx, &cctx, cert, privkey))
ba881d3b 1335 return 0;
2cb4b5f6 1336
710756a9 1337 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1338 goto end;
2cb4b5f6 1339
ba881d3b 1340 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1341
ba881d3b 1342 clientssl = SSL_new(cctx);
710756a9
RS		 1343 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1344 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1345 TLSEXT_STATUSTYPE_ocsp))
1346 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1347 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1348 goto end;
2cb4b5f6 1349
ba881d3b
MC		 1350 SSL_free(clientssl);
1351 clientssl = NULL;
2cb4b5f6 1352
710756a9
RS		 1353 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1354 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1355 goto end;
2cb4b5f6 1356
ba881d3b 1357 clientssl = SSL_new(cctx);
710756a9 1358 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1359 goto end;
ba881d3b
MC		 1360 SSL_free(clientssl);
1361 clientssl = NULL;
1362
1363 /*
1364 * Now actually do a handshake and check OCSP information is exchanged and
1365 * the callbacks get called
1366 */
ba881d3b
MC		 1367 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1368 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1369 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1370 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1372 &clientssl, NULL, NULL))
1373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1374 SSL_ERROR_NONE))
1375 || !TEST_true(ocsp_client_called)
1376 || !TEST_true(ocsp_server_called))
ba881d3b 1377 goto end;
ba881d3b
MC		 1378 SSL_free(serverssl);
1379 SSL_free(clientssl);
1380 serverssl = NULL;
1381 clientssl = NULL;
1382
1383 /* Try again but this time force the server side callback to fail */
1384 ocsp_client_called = 0;
1385 ocsp_server_called = 0;
1386 cdummyarg = 0;
710756a9
RS		 1387 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1388 &clientssl, NULL, NULL))
1389 /* This should fail because the callback will fail */
1390 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1391 SSL_ERROR_NONE))
1392 || !TEST_false(ocsp_client_called)
1393 || !TEST_false(ocsp_server_called))
ba881d3b 1394 goto end;
ba881d3b
MC		 1395 SSL_free(serverssl);
1396 SSL_free(clientssl);
1397 serverssl = NULL;
1398 clientssl = NULL;
1399
1400 /*
1401 * This time we'll get the client to send an OCSP_RESPID that it will
1402 * accept.
1403 */
1404 ocsp_client_called = 0;
1405 ocsp_server_called = 0;
1406 cdummyarg = 2;
710756a9
RS		 1407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1408 &clientssl, NULL, NULL)))
ba881d3b 1409 goto end;
ba881d3b
MC		 1410
1411 /*
1412 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1413 * specific one. We'll use the server cert.
ba881d3b 1414 */
710756a9
RS		 1415 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1416 || !TEST_ptr(id = OCSP_RESPID_new())
1417 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1418 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1419 NULL, NULL, NULL))
5e30f2fd 1420 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1421 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1422 goto end;
ba881d3b
MC		 1423 id = NULL;
1424 SSL_set_tlsext_status_ids(clientssl, ids);
1425 /* Control has been transferred */
1426 ids = NULL;
1427
1428 BIO_free(certbio);
1429 certbio = NULL;
1430
710756a9
RS		 1431 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1432 SSL_ERROR_NONE))
1433 || !TEST_true(ocsp_client_called)
1434 || !TEST_true(ocsp_server_called))
ba881d3b 1435 goto end;
ba881d3b 1436
2cb4b5f6
MC		 1437 testresult = 1;
1438
1439 end:
ba881d3b
MC		 1440 SSL_free(serverssl);
1441 SSL_free(clientssl);
1442 SSL_CTX_free(sctx);
1443 SSL_CTX_free(cctx);
1444 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1445 OCSP_RESPID_free(id);
1446 BIO_free(certbio);
1447 X509_free(ocspcert);
1448 ocspcert = NULL;
2cb4b5f6
MC		 1449
1450 return testresult;
1451}
8f8c11d8 1452#endif
2cb4b5f6 1453
bf208d95 1454#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1455static int new_called, remove_called, get_called;
eaa776da 1456
eaa776da
MC		 1457static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1458{
1459 new_called++;
c0537ebd
MC		 1460 /*
1461 * sess has been up-refed for us, but we don't actually need it so free it
1462 * immediately.
1463 */
1464 SSL_SESSION_free(sess);
eaa776da
MC		 1465 return 1;
1466}
1467
1468static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1469{
1470 remove_called++;
1471}
1472
7a301f08
MC		 1473static SSL_SESSION *get_sess_val = NULL;
1474
1475static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1476 int *copy)
1477{
0afca811 1478 get_called++;
7a301f08
MC		 1479 *copy = 1;
1480 return get_sess_val;
1481}
1482
7a301f08
MC		 1483static int execute_test_session(int maxprot, int use_int_cache,
1484 int use_ext_cache)
2cb4b5f6
MC		 1485{
1486 SSL_CTX *sctx = NULL, *cctx = NULL;
1487 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1488 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1489# ifndef OPENSSL_NO_TLS1_1
eaa776da 1490 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1491# endif
2cb4b5f6 1492 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1493 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1494
7e885b7b
P		 1495 new_called = remove_called = 0;
1496
36ff232c
MC		 1497 /* TLSv1.3 sends 2 NewSessionTickets */
1498 if (maxprot == TLS1_3_VERSION)
1499 numnewsesstick = 2;
1500
5e30f2fd
MC		 1501 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1502 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1503 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1504 return 0;
2cb4b5f6 1505
7a301f08
MC		 1506 /*
1507 * Only allow the max protocol version so we can force a connection failure
1508 * later
1509 */
1510 SSL_CTX_set_min_proto_version(cctx, maxprot);
1511 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1512
1513 /* Set up session cache */
7e885b7b 1514 if (use_ext_cache) {
eaa776da
MC		 1515 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1516 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1517 }
7e885b7b 1518 if (use_int_cache) {
eaa776da
MC		 1519 /* Also covers instance where both are set */
1520 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1521 } else {
1522 SSL_CTX_set_session_cache_mode(cctx,
1523 SSL_SESS_CACHE_CLIENT
1524 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1525 }
2cb4b5f6 1526
710756a9
RS		 1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1528 NULL, NULL))
1529 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1530 SSL_ERROR_NONE))
1531 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1532 goto end;
2cb4b5f6 1533
710756a9 1534 /* Should fail because it should already be in the cache */
7e885b7b 1535 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1536 goto end;
7a301f08 1537 if (use_ext_cache
36ff232c
MC		 1538 && (!TEST_int_eq(new_called, numnewsesstick)
1539
1540 || !TEST_int_eq(remove_called, 0)))
b4982125 1541 goto end;
b4982125 1542
c0537ebd
MC		 1543 new_called = remove_called = 0;
1544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1545 &clientssl2, NULL, NULL))
1546 || !TEST_true(SSL_set_session(clientssl2, sess1))
1547 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1548 SSL_ERROR_NONE))
1549 || !TEST_true(SSL_session_reused(clientssl2)))
1550 goto end;
1551
7a301f08
MC		 1552 if (maxprot == TLS1_3_VERSION) {
1553 /*
1554 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1555 * resumed. Since we attempted a resume we should also have removed the
1556 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1557 */
1558 if (use_ext_cache
1559 && (!TEST_int_eq(new_called, 1)
4cb00457 1560 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1561 goto end;
1562 } else {
1563 /*
1564 * In TLSv1.2 we expect to have resumed so no sessions added or
1565 * removed.
1566 */
1567 if (use_ext_cache
1568 && (!TEST_int_eq(new_called, 0)
1569 || !TEST_int_eq(remove_called, 0)))
1570 goto end;
1571 }
c0537ebd
MC		 1572
1573 SSL_SESSION_free(sess1);
1574 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1575 goto end;
1576 shutdown_ssl_connection(serverssl2, clientssl2);
1577 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1578
1579 new_called = remove_called = 0;
710756a9
RS		 1580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1581 &clientssl2, NULL, NULL))
1582 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1583 SSL_ERROR_NONE)))
2cb4b5f6 1584 goto end;
2cb4b5f6 1585
710756a9 1586 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1587 goto end;
2cb4b5f6 1588
7a301f08 1589 if (use_ext_cache
36ff232c
MC		 1590 && (!TEST_int_eq(new_called, numnewsesstick)
1591 || !TEST_int_eq(remove_called, 0)))
eaa776da 1592 goto end;
eaa776da 1593
c0537ebd 1594 new_called = remove_called = 0;
2cb4b5f6 1595 /*
710756a9
RS		 1596 * This should clear sess2 from the cache because it is a "bad" session.
1597 * See SSL_set_session() documentation.
2cb4b5f6 1598 */
710756a9 1599 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1600 goto end;
7a301f08
MC		 1601 if (use_ext_cache
1602 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1603 goto end;
710756a9 1604 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1605 goto end;
2cb4b5f6 1606
7e885b7b 1607 if (use_int_cache) {
710756a9
RS		 1608 /* Should succeeded because it should not already be in the cache */
1609 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1610 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1611 goto end;
eaa776da
MC		 1612 }
1613
c0537ebd 1614 new_called = remove_called = 0;
eaa776da 1615 /* This shouldn't be in the cache so should fail */
710756a9 1616 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1617 goto end;
2cb4b5f6 1618
7a301f08
MC		 1619 if (use_ext_cache
1620 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1621 goto end;
2cb4b5f6 1622
bf208d95 1623# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1624 new_called = remove_called = 0;
eaa776da
MC		 1625 /* Force a connection failure */
1626 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1627 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1628 &clientssl3, NULL, NULL))
1629 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1630 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1631 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1632 SSL_ERROR_NONE)))
eaa776da 1633 goto end;
b4982125 1634
eaa776da 1635 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1636 if (use_ext_cache
1637 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1638 goto end;
2cb4b5f6 1639
710756a9 1640 /* Should succeed because it should not already be in the cache */
7e885b7b 1641 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1642 goto end;
bf208d95 1643# endif
eaa776da 1644
7a301f08
MC		 1645 /* Now do some tests for server side caching */
1646 if (use_ext_cache) {
1647 SSL_CTX_sess_set_new_cb(cctx, NULL);
1648 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1649 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1650 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1651 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1652 get_sess_val = NULL;
1653 }
1654
1655 SSL_CTX_set_session_cache_mode(cctx, 0);
1656 /* Internal caching is the default on the server side */
1657 if (!use_int_cache)
1658 SSL_CTX_set_session_cache_mode(sctx,
1659 SSL_SESS_CACHE_SERVER
1660 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1661
1662 SSL_free(serverssl1);
1663 SSL_free(clientssl1);
1664 serverssl1 = clientssl1 = NULL;
1665 SSL_free(serverssl2);
1666 SSL_free(clientssl2);
1667 serverssl2 = clientssl2 = NULL;
1668 SSL_SESSION_free(sess1);
1669 sess1 = NULL;
1670 SSL_SESSION_free(sess2);
1671 sess2 = NULL;
1672
1673 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1674 if (maxprot == TLS1_2_VERSION)
1675 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1676 new_called = remove_called = get_called = 0;
7a301f08
MC		 1677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1678 NULL, NULL))
1679 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1680 SSL_ERROR_NONE))
1681 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1682 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1683 goto end;
1684
ee94ec2e
MC		 1685 if (use_int_cache) {
1686 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1687 /*
1688 * In TLSv1.3 it should not have been added to the internal cache,
1689 * except in the case where we also have an external cache (in that
1690 * case it gets added to the cache in order to generate remove
1691 * events after timeout).
1692 */
1693 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1694 goto end;
1695 } else {
1696 /* Should fail because it should already be in the cache */
1697 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1698 goto end;
1699 }
1700 }
7a301f08
MC		 1701
1702 if (use_ext_cache) {
1703 SSL_SESSION *tmp = sess2;
1704
36ff232c 1705 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1706 || !TEST_int_eq(remove_called, 0)
1707 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1708 goto end;
1709 /*
1710 * Delete the session from the internal cache to force a lookup from
1711 * the external cache. We take a copy first because
1712 * SSL_CTX_remove_session() also marks the session as non-resumable.
1713 */
ee94ec2e 1714 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1715 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1716 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1717 goto end;
1718 SSL_SESSION_free(sess2);
1719 }
7a301f08
MC		 1720 sess2 = tmp;
1721 }
1722
0afca811 1723 new_called = remove_called = get_called = 0;
7a301f08
MC		 1724 get_sess_val = sess2;
1725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1726 &clientssl2, NULL, NULL))
1727 || !TEST_true(SSL_set_session(clientssl2, sess1))
1728 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1729 SSL_ERROR_NONE))
1730 || !TEST_true(SSL_session_reused(clientssl2)))
1731 goto end;
1732
0afca811 1733 if (use_ext_cache) {
32305f88 1734 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1735 goto end;
1736
1737 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1738 if (!TEST_int_eq(new_called, 1)
1739 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1740 goto end;
1741 } else {
32305f88
MC		 1742 if (!TEST_int_eq(new_called, 0)
1743 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1744 goto end;
1745 }
1746 }
7a301f08 1747
2cb4b5f6 1748 testresult = 1;
eaa776da 1749
2cb4b5f6
MC		 1750 end:
1751 SSL_free(serverssl1);
1752 SSL_free(clientssl1);
1753 SSL_free(serverssl2);
1754 SSL_free(clientssl2);
bf208d95 1755# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1756 SSL_free(serverssl3);
1757 SSL_free(clientssl3);
bf208d95 1758# endif
2cb4b5f6
MC		 1759 SSL_SESSION_free(sess1);
1760 SSL_SESSION_free(sess2);
1761 SSL_CTX_free(sctx);
1762 SSL_CTX_free(cctx);
1763
1764 return testresult;
1765}
bf208d95 1766#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1767
7fb4c820
MC		 1768static int test_session_with_only_int_cache(void)
1769{
7a301f08
MC		 1770#ifndef OPENSSL_NO_TLS1_3
1771 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1772 return 0;
1773#endif
1774
1775#ifndef OPENSSL_NO_TLS1_2
1776 return execute_test_session(TLS1_2_VERSION, 1, 0);
1777#else
1778 return 1;
1779#endif
eaa776da
MC		 1780}
1781
7fb4c820
MC		 1782static int test_session_with_only_ext_cache(void)
1783{
7a301f08
MC		 1784#ifndef OPENSSL_NO_TLS1_3
1785 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1786 return 0;
1787#endif
1788
1789#ifndef OPENSSL_NO_TLS1_2
1790 return execute_test_session(TLS1_2_VERSION, 0, 1);
1791#else
1792 return 1;
1793#endif
eaa776da
MC		 1794}
1795
7fb4c820
MC		 1796static int test_session_with_both_cache(void)
1797{
7a301f08
MC		 1798#ifndef OPENSSL_NO_TLS1_3
1799 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1800 return 0;
1801#endif
1802
1803#ifndef OPENSSL_NO_TLS1_2
1804 return execute_test_session(TLS1_2_VERSION, 1, 1);
1805#else
1806 return 1;
1807#endif
eaa776da
MC		 1808}
1809
04225915 1810#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1811static SSL_SESSION *sesscache[6];
1812static int do_cache;
36ff232c
MC		 1813
1814static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1815{
c22365b3
MC		 1816 if (do_cache) {
1817 sesscache[new_called] = sess;
1818 } else {
1819 /* We don't need the reference to the session, so free it */
1820 SSL_SESSION_free(sess);
1821 }
1822 new_called++;
1823
1824 return 1;
1825}
1826
1827static int post_handshake_verify(SSL *sssl, SSL *cssl)
1828{
1829 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1830 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1831 return 0;
1832
1833 /* Start handshake on the server and client */
1834 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1835 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1836 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1837 || !TEST_true(create_ssl_connection(sssl, cssl,
1838 SSL_ERROR_NONE)))
1839 return 0;
36ff232c
MC		 1840
1841 return 1;
1842}
1843
fbe9dafd 1844static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1845 SSL_CTX **cctx)
1846{
1847 int sess_id_ctx = 1;
1848
5e30f2fd
MC		 1849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1850 TLS_client_method(), TLS1_VERSION, 0,
1851 sctx, cctx, cert, privkey))
03cdf559
MC		 1852 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1853 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1854 (void *)&sess_id_ctx,
1855 sizeof(sess_id_ctx))))
1856 return 0;
1857
1858 if (stateful)
1859 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1860
1861 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1862 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1863 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1864
1865 return 1;
1866}
1867
1868static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1869{
1870 SSL *serverssl = NULL, *clientssl = NULL;
1871 int i;
1872
1873 /* Test that we can resume with all the tickets we got given */
1874 for (i = 0; i < idx * 2; i++) {
1875 new_called = 0;
1876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1877 &clientssl, NULL, NULL))
1878 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1879 goto end;
1880
32097b33 1881 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1882
1883 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1884 SSL_ERROR_NONE)))
1885 goto end;
1886
1887 /*
1888 * Following a successful resumption we only get 1 ticket. After a
1889 * failed one we should get idx tickets.
1890 */
1891 if (succ) {
1892 if (!TEST_true(SSL_session_reused(clientssl))
1893 || !TEST_int_eq(new_called, 1))
1894 goto end;
1895 } else {
1896 if (!TEST_false(SSL_session_reused(clientssl))
1897 || !TEST_int_eq(new_called, idx))
1898 goto end;
1899 }
1900
1901 new_called = 0;
1902 /* After a post-handshake authentication we should get 1 new ticket */
1903 if (succ
1904 && (!post_handshake_verify(serverssl, clientssl)
1905 || !TEST_int_eq(new_called, 1)))
1906 goto end;
1907
1908 SSL_shutdown(clientssl);
1909 SSL_shutdown(serverssl);
1910 SSL_free(serverssl);
1911 SSL_free(clientssl);
1912 serverssl = clientssl = NULL;
1913 SSL_SESSION_free(sesscache[i]);
1914 sesscache[i] = NULL;
1915 }
1916
1917 return 1;
1918
1919 end:
1920 SSL_free(clientssl);
1921 SSL_free(serverssl);
1922 return 0;
1923}
1924
04d7814a 1925static int test_tickets(int stateful, int idx)
36ff232c
MC		 1926{
1927 SSL_CTX *sctx = NULL, *cctx = NULL;
1928 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1929 int testresult = 0;
36ff232c
MC		 1930 size_t j;
1931
1932 /* idx is the test number, but also the number of tickets we want */
1933
1934 new_called = 0;
c22365b3 1935 do_cache = 1;
36ff232c 1936
fbe9dafd 1937 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1938 goto end;
1939
03cdf559
MC		 1940 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1941 &clientssl, NULL, NULL)))
1942 goto end;
1943
1944 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1945 SSL_ERROR_NONE))
1946 /* Check we got the number of tickets we were expecting */
1947 || !TEST_int_eq(idx, new_called))
1948 goto end;
04d7814a 1949
03cdf559
MC		 1950 SSL_shutdown(clientssl);
1951 SSL_shutdown(serverssl);
1952 SSL_free(serverssl);
1953 SSL_free(clientssl);
1954 SSL_CTX_free(sctx);
1955 SSL_CTX_free(cctx);
1956 clientssl = serverssl = NULL;
1957 sctx = cctx = NULL;
1958
1959 /*
1960 * Now we try to resume with the tickets we previously created. The
1961 * resumption attempt is expected to fail (because we're now using a new
1962 * SSL_CTX). We should see idx number of tickets issued again.
1963 */
1964
1965 /* Stop caching sessions - just count them */
1966 do_cache = 0;
1967
fbe9dafd 1968 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1969 goto end;
1970
1971 if (!check_resumption(idx, sctx, cctx, 0))
1972 goto end;
1973
1974 /* Start again with caching sessions */
1975 new_called = 0;
1976 do_cache = 1;
fbe9dafd
MC		 1977 SSL_CTX_free(sctx);
1978 SSL_CTX_free(cctx);
1979 sctx = cctx = NULL;
03cdf559 1980
fbe9dafd 1981 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1982 goto end;
36ff232c
MC		 1983
1984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1985 &clientssl, NULL, NULL)))
1986 goto end;
1987
32097b33 1988 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1989
1990 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1991 SSL_ERROR_NONE))
1992 /* Check we got the number of tickets we were expecting */
1993 || !TEST_int_eq(idx, new_called))
1994 goto end;
1995
1996 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1997 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1998 || !TEST_int_eq(idx * 2, new_called))
1999 goto end;
2000
36ff232c
MC		 2001 SSL_shutdown(clientssl);
2002 SSL_shutdown(serverssl);
2003 SSL_free(serverssl);
2004 SSL_free(clientssl);
2005 serverssl = clientssl = NULL;
2006
c22365b3
MC		 2007 /* Stop caching sessions - just count them */
2008 do_cache = 0;
2009
03cdf559
MC		 2010 /*
2011 * Check we can resume with all the tickets we created. This time around the
2012 * resumptions should all be successful.
2013 */
2014 if (!check_resumption(idx, sctx, cctx, 1))
2015 goto end;
36ff232c
MC		 2016
2017 testresult = 1;
2018
2019 end:
2020 SSL_free(serverssl);
2021 SSL_free(clientssl);
c22365b3 2022 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2023 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2024 sesscache[j] = NULL;
2025 }
36ff232c
MC		 2026 SSL_CTX_free(sctx);
2027 SSL_CTX_free(cctx);
2028
2029 return testresult;
2030}
04d7814a
MC		 2031
2032static int test_stateless_tickets(int idx)
2033{
2034 return test_tickets(0, idx);
2035}
2036
2037static int test_stateful_tickets(int idx)
2038{
2039 return test_tickets(1, idx);
2040}
8614a4eb
MC		 2041
2042static int test_psk_tickets(void)
2043{
2044 SSL_CTX *sctx = NULL, *cctx = NULL;
2045 SSL *serverssl = NULL, *clientssl = NULL;
2046 int testresult = 0;
2047 int sess_id_ctx = 1;
2048
5e30f2fd
MC		 2049 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2050 TLS_client_method(), TLS1_VERSION, 0,
2051 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2052 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2053 (void *)&sess_id_ctx,
2054 sizeof(sess_id_ctx))))
2055 goto end;
2056
2057 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2058 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2059 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2060 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2061 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2062 use_session_cb_cnt = 0;
2063 find_session_cb_cnt = 0;
2064 srvid = pskid;
2065 new_called = 0;
2066
2067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2068 NULL, NULL)))
2069 goto end;
2070 clientpsk = serverpsk = create_a_psk(clientssl);
2071 if (!TEST_ptr(clientpsk))
2072 goto end;
2073 SSL_SESSION_up_ref(clientpsk);
2074
2075 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2076 SSL_ERROR_NONE))
2077 || !TEST_int_eq(1, find_session_cb_cnt)
2078 || !TEST_int_eq(1, use_session_cb_cnt)
2079 /* We should always get 1 ticket when using external PSK */
2080 || !TEST_int_eq(1, new_called))
2081 goto end;
2082
2083 testresult = 1;
2084
2085 end:
2086 SSL_free(serverssl);
2087 SSL_free(clientssl);
2088 SSL_CTX_free(sctx);
2089 SSL_CTX_free(cctx);
2090 SSL_SESSION_free(clientpsk);
2091 SSL_SESSION_free(serverpsk);
2092 clientpsk = serverpsk = NULL;
2093
2094 return testresult;
2095}
04225915 2096#endif
36ff232c 2097
7d4488bb
MC		 2098#define USE_NULL 0
2099#define USE_BIO_1 1
2100#define USE_BIO_2 2
2101#define USE_DEFAULT 3
2102
2103#define CONNTYPE_CONNECTION_SUCCESS 0
2104#define CONNTYPE_CONNECTION_FAIL 1
2105#define CONNTYPE_NO_CONNECTION 2
2106
2107#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2108#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2109#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2110# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2111#else
2112# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2113#endif
2114
7d4488bb
MC		 2115#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2116 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2117 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2118
2119static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2120{
2121 switch (type) {
2122 case USE_NULL:
2123 *res = NULL;
2124 break;
2125 case USE_BIO_1:
2126 *res = bio1;
2127 break;
2128 case USE_BIO_2:
2129 *res = bio2;
2130 break;
2131 }
2132}
2133
7d4488bb
MC		 2134
2135/*
2136 * Tests calls to SSL_set_bio() under various conditions.
2137 *
2138 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2139 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2140 * then do more tests where we create a successful connection first using our
2141 * standard connection setup functions, and then call SSL_set_bio() with
2142 * various combinations of valid BIOs or NULL. We then repeat these tests
2143 * following a failed connection. In this last case we are looking to check that
2144 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2145 */
7fb4c820
MC		 2146static int test_ssl_set_bio(int idx)
2147{
7d4488bb 2148 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2149 BIO *bio1 = NULL;
2150 BIO *bio2 = NULL;
0fae8150 2151 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2152 SSL *serverssl = NULL, *clientssl = NULL;
2153 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2154 int testresult = 0;
2155
7d4488bb
MC		 2156 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2157 initrbio = idx % 3;
2158 idx /= 3;
2159 initwbio = idx % 3;
2160 idx /= 3;
2161 newrbio = idx % 3;
2162 idx /= 3;
2163 newwbio = idx % 3;
2164 conntype = CONNTYPE_NO_CONNECTION;
2165 } else {
2166 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2167 initrbio = initwbio = USE_DEFAULT;
2168 newrbio = idx % 2;
2169 idx /= 2;
2170 newwbio = idx % 2;
2171 idx /= 2;
2172 conntype = idx % 2;
2173 }
710756a9 2174
5e30f2fd
MC		 2175 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2176 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2177 &sctx, &cctx, cert, privkey)))
2178 goto end;
2179
2180 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2181 /*
2182 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2183 * because we reduced the number of tests in the definition of
2184 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2185 * mismatched protocol versions we will force a connection failure.
2186 */
2187 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2188 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2189 }
2190
2191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2192 NULL, NULL)))
710756a9 2193 goto end;
7fb4c820 2194
710756a9
RS		 2195 if (initrbio == USE_BIO_1
2196 || initwbio == USE_BIO_1
2197 || newrbio == USE_BIO_1
7fb4c820 2198 || newwbio == USE_BIO_1) {
710756a9 2199 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2200 goto end;
7fb4c820
MC		 2201 }
2202
710756a9
RS		 2203 if (initrbio == USE_BIO_2
2204 || initwbio == USE_BIO_2
2205 || newrbio == USE_BIO_2
7fb4c820 2206 || newwbio == USE_BIO_2) {
710756a9 2207 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2208 goto end;
7fb4c820
MC		 2209 }
2210
7d4488bb
MC		 2211 if (initrbio != USE_DEFAULT) {
2212 setupbio(&irbio, bio1, bio2, initrbio);
2213 setupbio(&iwbio, bio1, bio2, initwbio);
2214 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2215
7d4488bb
MC		 2216 /*
2217 * We want to maintain our own refs to these BIO, so do an up ref for
2218 * each BIO that will have ownership transferred in the SSL_set_bio()
2219 * call
2220 */
2221 if (irbio != NULL)
2222 BIO_up_ref(irbio);
2223 if (iwbio != NULL && iwbio != irbio)
2224 BIO_up_ref(iwbio);
2225 }
7fb4c820 2226
7d4488bb
MC		 2227 if (conntype != CONNTYPE_NO_CONNECTION
2228 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2229 SSL_ERROR_NONE)
2230 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2231 goto end;
7fb4c820
MC		 2232
2233 setupbio(&nrbio, bio1, bio2, newrbio);
2234 setupbio(&nwbio, bio1, bio2, newwbio);
2235
2236 /*
2237 * We will (maybe) transfer ownership again so do more up refs.
2238 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2239 * already been set!
2240 */
710756a9
RS		 2241 if (nrbio != NULL
2242 && nrbio != irbio
2243 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2244 BIO_up_ref(nrbio);
710756a9
RS		 2245 if (nwbio != NULL
2246 && nwbio != nrbio
2247 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2248 BIO_up_ref(nwbio);
2249
7d4488bb 2250 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2251
2252 testresult = 1;
2253
2254 end:
7fb4c820
MC		 2255 BIO_free(bio1);
2256 BIO_free(bio2);
710756a9 2257
7fb4c820
MC		 2258 /*
2259 * This test is checking that the ref counting for SSL_set_bio is correct.
2260 * If we get here and we did too many frees then we will fail in the above
742ccab3 2261 * functions.
7fb4c820 2262 */
7d4488bb
MC		 2263 SSL_free(serverssl);
2264 SSL_free(clientssl);
2265 SSL_CTX_free(sctx);
2266 SSL_CTX_free(cctx);
7fb4c820
MC		 2267 return testresult;
2268}
2269
7e885b7b 2270typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2271
7e885b7b 2272static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2273{
2274 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2275 SSL_CTX *ctx;
9a716987
MC		 2276 SSL *ssl = NULL;
2277 int testresult = 0;
2278
5e30f2fd 2279 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
710756a9
RS		 2280 || !TEST_ptr(ssl = SSL_new(ctx))
2281 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2282 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2283 goto end;
9a716987
MC		 2284
2285 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2286
2287 /*
742ccab3 2288 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2289 */
2290 BIO_push(sslbio, membio1);
2291
69687aa8 2292 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2293 if (change_bio != NO_BIO_CHANGE) {
710756a9 2294 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2295 goto end;
7e885b7b 2296 if (change_bio == CHANGE_RBIO)
65e2d672 2297 SSL_set0_rbio(ssl, membio2);
9a716987 2298 else
65e2d672 2299 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2300 }
2301 ssl = NULL;
2302
7e885b7b 2303 if (pop_ssl)
9a716987
MC		 2304 BIO_pop(sslbio);
2305 else
2306 BIO_pop(membio1);
2307
2308 testresult = 1;
2309 end:
2310 BIO_free(membio1);
2311 BIO_free(sslbio);
2312 SSL_free(ssl);
2313 SSL_CTX_free(ctx);
2314
2315 return testresult;
2316}
2317
2318static int test_ssl_bio_pop_next_bio(void)
2319{
7e885b7b 2320 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2321}
2322
2323static int test_ssl_bio_pop_ssl_bio(void)
2324{
7e885b7b 2325 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2326}
2327
2328static int test_ssl_bio_change_rbio(void)
2329{
7e885b7b 2330 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2331}
2332
2333static int test_ssl_bio_change_wbio(void)
2334{
7e885b7b 2335 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2336}
2337
c423ecaa 2338#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2339typedef struct {
2340 /* The list of sig algs */
2341 const int *list;
2342 /* The length of the list */
2343 size_t listlen;
2344 /* A sigalgs list in string format */
2345 const char *liststr;
2346 /* Whether setting the list should succeed */
2347 int valid;
2348 /* Whether creating a connection with the list should succeed */
2349 int connsuccess;
2350} sigalgs_list;
2351
2352static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2353# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2354static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2355static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2356# endif
f1b25aae
MC		 2357static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2358static const int invalidlist2[] = {NID_sha256, NID_undef};
2359static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2360static const int invalidlist4[] = {NID_sha256};
2361static const sigalgs_list testsigalgs[] = {
2362 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2363# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2364 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2365 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2366# endif
f1b25aae 2367 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2368# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2369 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2370 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2371# endif
f1b25aae
MC		 2372 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2373 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2374 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2375 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2376 {NULL, 0, "RSA", 0, 0},
2377 {NULL, 0, "SHA256", 0, 0},
2378 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2379 {NULL, 0, "Invalid", 0, 0}
2380};
f1b25aae
MC		 2381
2382static int test_set_sigalgs(int idx)
2383{
2384 SSL_CTX *cctx = NULL, *sctx = NULL;
2385 SSL *clientssl = NULL, *serverssl = NULL;
2386 int testresult = 0;
2387 const sigalgs_list *curr;
2388 int testctx;
2389
2390 /* Should never happen */
710756a9 2391 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2392 return 0;
2393
2394 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2395 curr = testctx ? &testsigalgs[idx]
2396 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2397
5e30f2fd
MC		 2398 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2399 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2400 &sctx, &cctx, cert, privkey)))
f1b25aae 2401 return 0;
f1b25aae 2402
d2e491f2
MC		 2403 /*
2404 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2405 * for TLSv1.2 for now until we add a new API.
2406 */
2407 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2408
f1b25aae
MC		 2409 if (testctx) {
2410 int ret;
710756a9 2411
f1b25aae
MC		 2412 if (curr->list != NULL)
2413 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2414 else
2415 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2416
2417 if (!ret) {
2418 if (curr->valid)
710756a9 2419 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2420 else
2421 testresult = 1;
2422 goto end;
2423 }
2424 if (!curr->valid) {
710756a9 2425 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2426 goto end;
2427 }
2428 }
2429
710756a9
RS		 2430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2431 &clientssl, NULL, NULL)))
f1b25aae 2432 goto end;
f1b25aae
MC		 2433
2434 if (!testctx) {
2435 int ret;
2436
2437 if (curr->list != NULL)
2438 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2439 else
2440 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2441 if (!ret) {
2442 if (curr->valid)
710756a9 2443 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2444 else
2445 testresult = 1;
2446 goto end;
2447 }
710756a9 2448 if (!curr->valid)
f1b25aae 2449 goto end;
f1b25aae
MC		 2450 }
2451
710756a9
RS		 2452 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2453 SSL_ERROR_NONE),
2454 curr->connsuccess))
f1b25aae 2455 goto end;
f1b25aae
MC		 2456
2457 testresult = 1;
2458
2459 end:
2460 SSL_free(serverssl);
2461 SSL_free(clientssl);
2462 SSL_CTX_free(sctx);
2463 SSL_CTX_free(cctx);
2464
2465 return testresult;
2466}
c423ecaa 2467#endif
f1b25aae 2468
fff202e5 2469#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2470static int psk_client_cb_cnt = 0;
2471static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2472
2473static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2474 size_t *idlen, SSL_SESSION **sess)
2475{
2476 switch (++use_session_cb_cnt) {
2477 case 1:
2478 /* The first call should always have a NULL md */
2479 if (md != NULL)
2480 return 0;
2481 break;
2482
2483 case 2:
2484 /* The second call should always have an md */
2485 if (md == NULL)
2486 return 0;
2487 break;
2488
2489 default:
2490 /* We should only be called a maximum of twice */
2491 return 0;
2492 }
2493
57dee9bb
MC		 2494 if (clientpsk != NULL)
2495 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2496
57dee9bb 2497 *sess = clientpsk;
02a3ed5a
MC		 2498 *id = (const unsigned char *)pskid;
2499 *idlen = strlen(pskid);
2500
2501 return 1;
2502}
2503
c2b290c3 2504#ifndef OPENSSL_NO_PSK
532f9578
MC		 2505static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2506 unsigned int max_id_len,
2507 unsigned char *psk,
2508 unsigned int max_psk_len)
2509{
2510 unsigned int psklen = 0;
2511
2512 psk_client_cb_cnt++;
2513
2514 if (strlen(pskid) + 1 > max_id_len)
2515 return 0;
2516
2517 /* We should only ever be called a maximum of twice per connection */
2518 if (psk_client_cb_cnt > 2)
2519 return 0;
2520
2521 if (clientpsk == NULL)
2522 return 0;
2523
2524 /* We'll reuse the PSK we set up for TLSv1.3 */
2525 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2526 return 0;
2527 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2528 strncpy(id, pskid, max_id_len);
2529
2530 return psklen;
2531}
c2b290c3 2532#endif /* OPENSSL_NO_PSK */
532f9578 2533
02a3ed5a
MC		 2534static int find_session_cb(SSL *ssl, const unsigned char *identity,
2535 size_t identity_len, SSL_SESSION **sess)
2536{
2537 find_session_cb_cnt++;
2538
2539 /* We should only ever be called a maximum of twice per connection */
2540 if (find_session_cb_cnt > 2)
2541 return 0;
2542
57dee9bb 2543 if (serverpsk == NULL)
02a3ed5a
MC		 2544 return 0;
2545
2546 /* Identity should match that set by the client */
2547 if (strlen(srvid) != identity_len
2548 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2549 /* No PSK found, continue but without a PSK */
2550 *sess = NULL;
2551 return 1;
2552 }
2553
57dee9bb
MC		 2554 SSL_SESSION_up_ref(serverpsk);
2555 *sess = serverpsk;
02a3ed5a
MC		 2556
2557 return 1;
2558}
2559
c2b290c3 2560#ifndef OPENSSL_NO_PSK
532f9578
MC		 2561static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2562 unsigned char *psk, unsigned int max_psk_len)
2563{
2564 unsigned int psklen = 0;
2565
2566 psk_server_cb_cnt++;
2567
2568 /* We should only ever be called a maximum of twice per connection */
2569 if (find_session_cb_cnt > 2)
2570 return 0;
2571
2572 if (serverpsk == NULL)
2573 return 0;
2574
2575 /* Identity should match that set by the client */
2576 if (strcmp(srvid, identity) != 0) {
2577 return 0;
2578 }
2579
2580 /* We'll reuse the PSK we set up for TLSv1.3 */
2581 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2582 return 0;
2583 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2584
2585 return psklen;
2586}
c2b290c3 2587#endif /* OPENSSL_NO_PSK */
532f9578 2588
5f982038
MC		 2589#define MSG1 "Hello"
2590#define MSG2 "World."
2591#define MSG3 "This"
2592#define MSG4 "is"
2593#define MSG5 "a"
90049cea
MC		 2594#define MSG6 "test"
2595#define MSG7 "message."
5f982038 2596
02a3ed5a 2597#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2598#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2599
8614a4eb
MC		 2600
2601static SSL_SESSION *create_a_psk(SSL *ssl)
2602{
2603 const SSL_CIPHER *cipher = NULL;
2604 const unsigned char key[] = {
2605 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2606 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2607 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2608 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2609 0x2c, 0x2d, 0x2e, 0x2f
2610 };
2611 SSL_SESSION *sess = NULL;
2612
2613 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2614 sess = SSL_SESSION_new();
2615 if (!TEST_ptr(sess)
2616 || !TEST_ptr(cipher)
2617 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2618 sizeof(key)))
2619 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2620 || !TEST_true(
2621 SSL_SESSION_set_protocol_version(sess,
2622 TLS1_3_VERSION))) {
2623 SSL_SESSION_free(sess);
2624 return NULL;
2625 }
2626 return sess;
2627}
2628
5f982038
MC		 2629/*
2630 * Helper method to setup objects for early data test. Caller frees objects on
2631 * error.
2632 */
2633static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2634 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2635{
5a421415 2636 if (*sctx == NULL
5e30f2fd 2637 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 2638 TLS_client_method(),
5c587fb6 2639 TLS1_VERSION, 0,
5a421415
MC		 2640 sctx, cctx, cert, privkey)))
2641 return 0;
2642
2643 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2644 return 0;
5f982038 2645
02a3ed5a
MC		 2646 if (idx == 1) {
2647 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2648 SSL_CTX_set_read_ahead(*cctx, 1);
2649 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2650 } else if (idx == 2) {
2651 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2652 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2653 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2654 use_session_cb_cnt = 0;
2655 find_session_cb_cnt = 0;
2656 srvid = pskid;
3cb47b4e
MC		 2657 }
2658
710756a9 2659 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2660 NULL, NULL)))
2661 return 0;
2662
141e4709
MC		 2663 /*
2664 * For one of the run throughs (doesn't matter which one), we'll try sending
2665 * some SNI data in the initial ClientHello. This will be ignored (because
2666 * there is no SNI cb set up by the server), so it should not impact
2667 * early_data.
2668 */
2669 if (idx == 1
2670 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2671 return 0;
2672
02a3ed5a 2673 if (idx == 2) {
8614a4eb 2674 clientpsk = create_a_psk(*clientssl);
57dee9bb 2675 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2676 /*
2677 * We just choose an arbitrary value for max_early_data which
2678 * should be big enough for testing purposes.
2679 */
57dee9bb
MC		 2680 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2681 0x100))
2682 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2683 SSL_SESSION_free(clientpsk);
2684 clientpsk = NULL;
02a3ed5a
MC		 2685 return 0;
2686 }
57dee9bb 2687 serverpsk = clientpsk;
02a3ed5a 2688
c20e3b28
MC		 2689 if (sess != NULL) {
2690 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2691 SSL_SESSION_free(clientpsk);
2692 SSL_SESSION_free(serverpsk);
2693 clientpsk = serverpsk = NULL;
2694 return 0;
2695 }
57dee9bb 2696 *sess = clientpsk;
c20e3b28 2697 }
02a3ed5a
MC		 2698 return 1;
2699 }
2700
2701 if (sess == NULL)
2702 return 1;
2703
2704 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2705 SSL_ERROR_NONE)))
5f982038 2706 return 0;
5f982038
MC		 2707
2708 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2709 SSL_shutdown(*clientssl);
2710 SSL_shutdown(*serverssl);
5f982038
MC		 2711 SSL_free(*serverssl);
2712 SSL_free(*clientssl);
2713 *serverssl = *clientssl = NULL;
2714
710756a9
RS		 2715 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2716 clientssl, NULL, NULL))
2717 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2718 return 0;
5f982038
MC		 2719
2720 return 1;
2721}
2722
3cb47b4e 2723static int test_early_data_read_write(int idx)
5f982038
MC		 2724{
2725 SSL_CTX *cctx = NULL, *sctx = NULL;
2726 SSL *clientssl = NULL, *serverssl = NULL;
2727 int testresult = 0;
2728 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2729 unsigned char buf[20], data[1024];
2730 size_t readbytes, written, eoedlen, rawread, rawwritten;
2731 BIO *rbio;
5f982038 2732
710756a9
RS		 2733 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2734 &serverssl, &sess, idx)))
5f982038
MC		 2735 goto end;
2736
2737 /* Write and read some early data */
710756a9
RS		 2738 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2739 &written))
2740 || !TEST_size_t_eq(written, strlen(MSG1))
2741 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2742 sizeof(buf), &readbytes),
2743 SSL_READ_EARLY_DATA_SUCCESS)
2744 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2745 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2746 SSL_EARLY_DATA_ACCEPTED))
5f982038 2747 goto end;
5f982038
MC		 2748
2749 /*
09f28874 2750 * Server should be able to write data, and client should be able to
5f982038
MC		 2751 * read it.
2752 */
710756a9
RS		 2753 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2754 &written))
2755 || !TEST_size_t_eq(written, strlen(MSG2))
2756 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2757 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2758 goto end;
5f982038
MC		 2759
2760 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2761 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2762 &written))
2763 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2764 goto end;
5f982038 2765
09f28874 2766 /* Server should still be able read early data after writing data */
710756a9
RS		 2767 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2768 &readbytes),
2769 SSL_READ_EARLY_DATA_SUCCESS)
2770 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2771 goto end;
5f982038 2772
09f28874 2773 /* Write more data from server and read it from client */
710756a9
RS		 2774 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2775 &written))
2776 || !TEST_size_t_eq(written, strlen(MSG4))
2777 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2778 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2779 goto end;
5f982038
MC		 2780
2781 /*
2782 * If client writes normal data it should mean writing early data is no
2783 * longer possible.
2784 */
710756a9
RS		 2785 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2786 || !TEST_size_t_eq(written, strlen(MSG5))
2787 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2788 SSL_EARLY_DATA_ACCEPTED))
5f982038 2789 goto end;
5f982038 2790
9b5c865d
MC		 2791 /*
2792 * At this point the client has written EndOfEarlyData, ClientFinished and
2793 * normal (fully protected) data. We are going to cause a delay between the
2794 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2795 * in the read BIO, and then just put back the EndOfEarlyData message.
2796 */
2797 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2798 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2799 || !TEST_size_t_lt(rawread, sizeof(data))
2800 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2801 goto end;
710756a9 2802
9b5c865d
MC		 2803 /* Record length is in the 4th and 5th bytes of the record header */
2804 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2805 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2806 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2807 goto end;
9b5c865d 2808
5f982038 2809 /* Server should be told that there is no more early data */
710756a9
RS		 2810 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2811 &readbytes),
2812 SSL_READ_EARLY_DATA_FINISH)
2813 || !TEST_size_t_eq(readbytes, 0))
5f982038 2814 goto end;
5f982038 2815
9b5c865d
MC		 2816 /*
2817 * Server has not finished init yet, so should still be able to write early
2818 * data.
2819 */
710756a9
RS		 2820 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2821 &written))
2822 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2823 goto end;
9b5c865d 2824
f8a303fa 2825 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2826 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2827 &rawwritten))
2828 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2829 goto end;
f8a303fa 2830
5f982038 2831 /* Server should be able to read normal data */
710756a9
RS		 2832 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2833 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2834 goto end;
5f982038 2835
09f28874 2836 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2837 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2838 &written)))
5f982038 2839 goto end;
5f982038 2840 ERR_clear_error();
710756a9
RS		 2841 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2842 &readbytes),
2843 SSL_READ_EARLY_DATA_ERROR))
5f982038 2844 goto end;
5f982038
MC		 2845 ERR_clear_error();
2846
9b5c865d 2847 /* Client should be able to read the data sent by the server */
710756a9
RS		 2848 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2849 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2850 goto end;
710756a9 2851
f8a303fa 2852 /*
36ff232c
MC		 2853 * Make sure we process the two NewSessionTickets. These arrive
2854 * post-handshake. We attempt reads which we do not expect to return any
2855 * data.
f8a303fa 2856 */
36ff232c
MC		 2857 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2859 &readbytes)))
f8a303fa 2860 goto end;
5f982038 2861
90049cea 2862 /* Server should be able to write normal data */
710756a9
RS		 2863 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2864 || !TEST_size_t_eq(written, strlen(MSG7))
2865 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2866 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2867 goto end;
90049cea 2868
c20e3b28 2869 SSL_SESSION_free(sess);
5f982038 2870 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2871 use_session_cb_cnt = 0;
2872 find_session_cb_cnt = 0;
5f982038
MC		 2873
2874 SSL_shutdown(clientssl);
2875 SSL_shutdown(serverssl);
5f982038
MC		 2876 SSL_free(serverssl);
2877 SSL_free(clientssl);
2878 serverssl = clientssl = NULL;
710756a9
RS		 2879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2880 &clientssl, NULL, NULL))
2881 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2882 goto end;
5f982038
MC		 2883
2884 /* Write and read some early data */
710756a9
RS		 2885 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2886 &written))
2887 || !TEST_size_t_eq(written, strlen(MSG1))
2888 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2889 &readbytes),
2890 SSL_READ_EARLY_DATA_SUCCESS)
2891 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2892 goto end;
5f982038 2893
710756a9
RS		 2894 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2895 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2896 goto end;
5f982038 2897
09f28874 2898 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2899 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2900 &written)))
5f982038 2901 goto end;
5f982038 2902 ERR_clear_error();
710756a9
RS		 2903 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2904 &readbytes),
2905 SSL_READ_EARLY_DATA_ERROR))
5f982038 2906 goto end;
5f982038
MC		 2907 ERR_clear_error();
2908
2909 /* Client and server should be able to write/read normal data */
710756a9
RS		 2910 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2911 || !TEST_size_t_eq(written, strlen(MSG5))
2912 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2913 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2914 goto end;
5f982038
MC		 2915
2916 testresult = 1;
2917
2918 end:
c20e3b28 2919 SSL_SESSION_free(sess);
57dee9bb
MC		 2920 SSL_SESSION_free(clientpsk);
2921 SSL_SESSION_free(serverpsk);
2922 clientpsk = serverpsk = NULL;
5f982038
MC		 2923 SSL_free(serverssl);
2924 SSL_free(clientssl);
2925 SSL_CTX_free(sctx);
2926 SSL_CTX_free(cctx);
5f982038
MC		 2927 return testresult;
2928}
2929
5a421415
MC		 2930static int allow_ed_cb_called = 0;
2931
2932static int allow_early_data_cb(SSL *s, void *arg)
2933{
2934 int *usecb = (int *)arg;
2935
2936 allow_ed_cb_called++;
2937
2938 if (*usecb == 1)
2939 return 0;
2940
2941 return 1;
2942}
2943
2944/*
2945 * idx == 0: Standard early_data setup
2946 * idx == 1: early_data setup using read_ahead
2947 * usecb == 0: Don't use a custom early data callback
2948 * usecb == 1: Use a custom early data callback and reject the early data
2949 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2950 * confopt == 0: Configure anti-replay directly
2951 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2952 */
3bb5e5b0 2953static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2954{
2955 SSL_CTX *cctx = NULL, *sctx = NULL;
2956 SSL *clientssl = NULL, *serverssl = NULL;
2957 int testresult = 0;
2958 SSL_SESSION *sess = NULL;
5a421415
MC		 2959 size_t readbytes, written;
2960 unsigned char buf[20];
2961
2962 allow_ed_cb_called = 0;
2963
5e30f2fd
MC		 2964 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2965 TLS_client_method(), TLS1_VERSION, 0,
2966 &sctx, &cctx, cert, privkey)))
5a421415
MC		 2967 return 0;
2968
2969 if (usecb > 0) {
3bb5e5b0
MC		 2970 if (confopt == 0) {
2971 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2972 } else {
2973 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2974
2975 if (!TEST_ptr(confctx))
2976 goto end;
2977 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2978 | SSL_CONF_FLAG_SERVER);
2979 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2980 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2981 2)) {
2982 SSL_CONF_CTX_free(confctx);
2983 goto end;
2984 }
2985 SSL_CONF_CTX_free(confctx);
2986 }
5a421415
MC		 2987 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2988 }
78fb5374
MC		 2989
2990 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2991 &serverssl, &sess, idx)))
2992 goto end;
2993
2994 /*
2995 * The server is configured to accept early data. Create a connection to
2996 * "use up" the ticket
2997 */
2998 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2999 || !TEST_true(SSL_session_reused(clientssl)))
3000 goto end;
3001
3002 SSL_shutdown(clientssl);
3003 SSL_shutdown(serverssl);
3004 SSL_free(serverssl);
3005 SSL_free(clientssl);
3006 serverssl = clientssl = NULL;
3007
3008 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3009 &clientssl, NULL, NULL))
5a421415
MC		 3010 || !TEST_true(SSL_set_session(clientssl, sess)))
3011 goto end;
3012
3013 /* Write and read some early data */
3014 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3015 &written))
3016 || !TEST_size_t_eq(written, strlen(MSG1)))
3017 goto end;
3018
3019 if (usecb <= 1) {
3020 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3021 &readbytes),
3022 SSL_READ_EARLY_DATA_FINISH)
3023 /*
3024 * The ticket was reused, so the we should have rejected the
3025 * early data
3026 */
3027 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3028 SSL_EARLY_DATA_REJECTED))
3029 goto end;
3030 } else {
3031 /* In this case the callback decides to accept the early data */
3032 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3033 &readbytes),
3034 SSL_READ_EARLY_DATA_SUCCESS)
3035 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3036 /*
3037 * Server will have sent its flight so client can now send
3038 * end of early data and complete its half of the handshake
3039 */
3040 || !TEST_int_gt(SSL_connect(clientssl), 0)
3041 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3042 &readbytes),
3043 SSL_READ_EARLY_DATA_FINISH)
3044 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3045 SSL_EARLY_DATA_ACCEPTED))
3046 goto end;
3047 }
3048
3049 /* Complete the connection */
3050 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3051 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3052 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3053 goto end;
3054
3055 testresult = 1;
3056
3057 end:
c20e3b28 3058 SSL_SESSION_free(sess);
78fb5374
MC		 3059 SSL_SESSION_free(clientpsk);
3060 SSL_SESSION_free(serverpsk);
3061 clientpsk = serverpsk = NULL;
3062 SSL_free(serverssl);
3063 SSL_free(clientssl);
3064 SSL_CTX_free(sctx);
3065 SSL_CTX_free(cctx);
3066 return testresult;
3067}
3068
5a421415
MC		 3069static int test_early_data_replay(int idx)
3070{
3bb5e5b0 3071 int ret = 1, usecb, confopt;
5a421415 3072
3bb5e5b0
MC		 3073 for (usecb = 0; usecb < 3; usecb++) {
3074 for (confopt = 0; confopt < 2; confopt++)
3075 ret &= test_early_data_replay_int(idx, usecb, confopt);
3076 }
5a421415
MC		 3077
3078 return ret;
3079}
3080
710756a9 3081/*
6b84e6bf
MC		 3082 * Helper function to test that a server attempting to read early data can
3083 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3084 * testtype: 0 == No HRR
3085 * testtype: 1 == HRR
0efa0ba4
MC		 3086 * testtype: 2 == HRR, invalid early_data sent after HRR
3087 * testtype: 3 == recv_max_early_data set to 0
710756a9 3088 */
0d1b7789 3089static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3090{
3091 SSL_CTX *cctx = NULL, *sctx = NULL;
3092 SSL *clientssl = NULL, *serverssl = NULL;
3093 int testresult = 0;
018fcbec 3094 SSL_SESSION *sess = NULL;
5f982038
MC		 3095 unsigned char buf[20];
3096 size_t readbytes, written;
3097
710756a9
RS		 3098 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3099 &serverssl, &sess, idx)))
5f982038
MC		 3100 goto end;
3101
0efa0ba4 3102 if (testtype == 1 || testtype == 2) {
6b84e6bf 3103 /* Force an HRR to occur */
dbc6268f
MC		 3104#if defined(OPENSSL_NO_EC)
3105 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3106 goto end;
3107#else
6b84e6bf
MC		 3108 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3109 goto end;
dbc6268f 3110#endif
02a3ed5a
MC		 3111 } else if (idx == 2) {
3112 /*
3113 * We force early_data rejection by ensuring the PSK identity is
3114 * unrecognised
3115 */
3116 srvid = "Dummy Identity";
6b84e6bf
MC		 3117 } else {
3118 /*
3119 * Deliberately corrupt the creation time. We take 20 seconds off the
3120 * time. It could be any value as long as it is not within tolerance.
3121 * This should mean the ticket is rejected.
3122 */
5d99881e 3123 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3124 goto end;
3125 }
5f982038 3126
0efa0ba4 3127 if (testtype == 3
0d1b7789
MC		 3128 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3129 goto end;
3130
5f982038 3131 /* Write some early data */
710756a9
RS		 3132 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3133 &written))
3134 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3135 goto end;
5f982038 3136
0d1b7789 3137 /* Server should reject the early data */
710756a9
RS		 3138 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3139 &readbytes),
3140 SSL_READ_EARLY_DATA_FINISH)
3141 || !TEST_size_t_eq(readbytes, 0)
3142 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3143 SSL_EARLY_DATA_REJECTED))
5f982038 3144 goto end;
5f982038 3145
0efa0ba4
MC		 3146 switch (testtype) {
3147 case 0:
3148 /* Nothing to do */
3149 break;
3150
3151 case 1:
6b84e6bf
MC		 3152 /*
3153 * Finish off the handshake. We perform the same writes and reads as
3154 * further down but we expect them to fail due to the incomplete
3155 * handshake.
3156 */
3157 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3158 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3159 &readbytes)))
3160 goto end;
0efa0ba4
MC		 3161 break;
3162
3163 case 2:
3164 {
3165 BIO *wbio = SSL_get_wbio(clientssl);
3166 /* A record that will appear as bad early_data */
3167 const unsigned char bad_early_data[] = {
3168 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3169 };
3170
3171 /*
3172 * We force the client to attempt a write. This will fail because
3173 * we're still in the handshake. It will cause the second
3174 * ClientHello to be sent.
3175 */
3176 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3177 &written)))
3178 goto end;
3179
3180 /*
3181 * Inject some early_data after the second ClientHello. This should
3182 * cause the server to fail
3183 */
3184 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3185 sizeof(bad_early_data), &written)))
3186 goto end;
3187 }
3188 /* fallthrough */
3189
3190 case 3:
0d1b7789 3191 /*
0efa0ba4
MC		 3192 * This client has sent more early_data than we are willing to skip
3193 * (case 3) or sent invalid early_data (case 2) so the connection should
3194 * abort.
0d1b7789
MC		 3195 */
3196 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3197 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3198 goto end;
3199
3200 /* Connection has failed - nothing more to do */
3201 testresult = 1;
3202 goto end;
0efa0ba4
MC		 3203
3204 default:
3205 TEST_error("Invalid test type");
3206 goto end;
6b84e6bf
MC		 3207 }
3208
0d1b7789
MC		 3209 /*
3210 * Should be able to send normal data despite rejection of early data. The
3211 * early_data should be skipped.
3212 */
710756a9
RS		 3213 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3214 || !TEST_size_t_eq(written, strlen(MSG2))
3215 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3216 SSL_EARLY_DATA_REJECTED)
3217 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3218 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3219 goto end;
5f982038
MC		 3220
3221 testresult = 1;
3222
3223 end:
c20e3b28 3224 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3225 SSL_SESSION_free(serverpsk);
3226 clientpsk = serverpsk = NULL;
5f982038
MC		 3227 SSL_SESSION_free(sess);
3228 SSL_free(serverssl);
3229 SSL_free(clientssl);
3230 SSL_CTX_free(sctx);
3231 SSL_CTX_free(cctx);
5f982038
MC		 3232 return testresult;
3233}
3234
6b84e6bf
MC		 3235/*
3236 * Test that a server attempting to read early data can handle a connection
3237 * from a client where the early data is not acceptable.
3238 */
3239static int test_early_data_skip(int idx)
3240{
3241 return early_data_skip_helper(0, idx);
3242}
3243
3244/*
3245 * Test that a server attempting to read early data can handle a connection
3246 * from a client where an HRR occurs.
3247 */
3248static int test_early_data_skip_hrr(int idx)
3249{
3250 return early_data_skip_helper(1, idx);
3251}
3252
0efa0ba4
MC		 3253/*
3254 * Test that a server attempting to read early data can handle a connection
3255 * from a client where an HRR occurs and correctly fails if early_data is sent
3256 * after the HRR
3257 */
3258static int test_early_data_skip_hrr_fail(int idx)
3259{
3260 return early_data_skip_helper(2, idx);
3261}
3262
0d1b7789
MC		 3263/*
3264 * Test that a server attempting to read early data will abort if it tries to
3265 * skip over too much.
3266 */
3267static int test_early_data_skip_abort(int idx)
3268{
0efa0ba4 3269 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3270}
3271
710756a9
RS		 3272/*
3273 * Test that a server attempting to read early data can handle a connection
3274 * from a client that doesn't send any.
3275 */
3cb47b4e 3276static int test_early_data_not_sent(int idx)
5f982038
MC		 3277{
3278 SSL_CTX *cctx = NULL, *sctx = NULL;
3279 SSL *clientssl = NULL, *serverssl = NULL;
3280 int testresult = 0;
018fcbec 3281 SSL_SESSION *sess = NULL;
5f982038
MC		 3282 unsigned char buf[20];
3283 size_t readbytes, written;
3284
710756a9
RS		 3285 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3286 &serverssl, &sess, idx)))
5f982038
MC		 3287 goto end;
3288
3289 /* Write some data - should block due to handshake with server */
3290 SSL_set_connect_state(clientssl);
710756a9 3291 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3292 goto end;
5f982038
MC		 3293
3294 /* Server should detect that early data has not been sent */
710756a9
RS		 3295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3296 &readbytes),
3297 SSL_READ_EARLY_DATA_FINISH)
3298 || !TEST_size_t_eq(readbytes, 0)
3299 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3300 SSL_EARLY_DATA_NOT_SENT)
3301 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3302 SSL_EARLY_DATA_NOT_SENT))
5f982038 3303 goto end;
5f982038
MC		 3304
3305 /* Continue writing the message we started earlier */
710756a9
RS		 3306 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3307 || !TEST_size_t_eq(written, strlen(MSG1))
3308 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3309 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3310 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3311 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3312 goto end;
5f982038 3313
710756a9
RS		 3314 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3315 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3316 goto end;
5f982038
MC		 3317
3318 testresult = 1;
3319
3320 end:
5f982038 3321 SSL_SESSION_free(sess);
c20e3b28 3322 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3323 SSL_SESSION_free(serverpsk);
3324 clientpsk = serverpsk = NULL;
5f982038
MC		 3325 SSL_free(serverssl);
3326 SSL_free(clientssl);
3327 SSL_CTX_free(sctx);
3328 SSL_CTX_free(cctx);
5f982038
MC		 3329 return testresult;
3330}
3331
976e5323
MC		 3332static const char *servalpn;
3333
c7558d5b
PY		 3334static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3335 unsigned char *outlen, const unsigned char *in,
3336 unsigned int inlen, void *arg)
976e5323 3337{
c7558d5b 3338 unsigned int protlen = 0;
976e5323
MC		 3339 const unsigned char *prot;
3340
c7558d5b
PY		 3341 for (prot = in; prot < in + inlen; prot += protlen) {
3342 protlen = *prot++;
5d99881e 3343 if (in + inlen < prot + protlen)
976e5323
MC		 3344 return SSL_TLSEXT_ERR_NOACK;
3345
3346 if (protlen == strlen(servalpn)
0bd42fde 3347 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3348 *out = prot;
3349 *outlen = protlen;
3350 return SSL_TLSEXT_ERR_OK;
3351 }
3352 }
3353
3354 return SSL_TLSEXT_ERR_NOACK;
3355}
3356
57dee9bb 3357/* Test that a PSK can be used to send early_data */
976e5323
MC		 3358static int test_early_data_psk(int idx)
3359{
3360 SSL_CTX *cctx = NULL, *sctx = NULL;
3361 SSL *clientssl = NULL, *serverssl = NULL;
3362 int testresult = 0;
3363 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3364 unsigned char alpnlist[] = {
3365 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3366 'l', 'p', 'n'
3367 };
3368#define GOODALPNLEN 9
3369#define BADALPNLEN 8
3370#define GOODALPN (alpnlist)
3371#define BADALPN (alpnlist + GOODALPNLEN)
3372 int err = 0;
976e5323
MC		 3373 unsigned char buf[20];
3374 size_t readbytes, written;
57dee9bb 3375 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3376 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3377
3378 /* We always set this up with a final parameter of "2" for PSK */
3379 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3380 &serverssl, &sess, 2)))
3381 goto end;
3382
976e5323
MC		 3383 servalpn = "goodalpn";
3384
57dee9bb
MC		 3385 /*
3386 * Note: There is no test for inconsistent SNI with late client detection.
3387 * This is because servers do not acknowledge SNI even if they are using
3388 * it in a resumption handshake - so it is not actually possible for a
3389 * client to detect a problem.
3390 */
976e5323
MC		 3391 switch (idx) {
3392 case 0:
57dee9bb 3393 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3394 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3395 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3396 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3397 goto end;
3398 break;
3399
3400 case 1:
57dee9bb 3401 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3402 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3403 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3404 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3405 GOODALPNLEN))
3406 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3407 BADALPNLEN)))
976e5323
MC		 3408 goto end;
3409 break;
3410
3411 case 2:
3412 /*
3413 * Set invalid protocol version. Technically this affects PSKs without
3414 * early_data too, but we test it here because it is similar to the
3415 * SNI/ALPN consistency tests.
3416 */
3417 err = SSL_R_BAD_PSK;
3418 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3419 goto end;
3420 break;
3421
3422 case 3:
3423 /*
49ef3d07
MC		 3424 * Set inconsistent SNI (server side). In this case the connection
3425 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3426 * is associated with each handshake - not the session. Therefore it
3427 * should not matter that we used a different server name last time.
976e5323 3428 */
281bf233
MC		 3429 SSL_SESSION_free(serverpsk);
3430 serverpsk = SSL_SESSION_dup(clientpsk);
3431 if (!TEST_ptr(serverpsk)
3432 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3433 goto end;
976e5323
MC		 3434 /* Fall through */
3435 case 4:
3436 /* Set consistent SNI */
976e5323
MC		 3437 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3438 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3439 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3440 hostname_cb)))
3441 goto end;
3442 break;
3443
3444 case 5:
3445 /*
3446 * Set inconsistent ALPN (server detected). In this case the connection
3447 * will succeed but reject early_data.
3448 */
3449 servalpn = "badalpn";
3450 edstatus = SSL_EARLY_DATA_REJECTED;
3451 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3452 /* Fall through */
3453 case 6:
976e5323 3454 /*
57dee9bb 3455 * Set consistent ALPN.
976e5323
MC		 3456 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3457 * accepts a list of protos (each one length prefixed).
3458 * SSL_set1_alpn_selected accepts a single protocol (not length
3459 * prefixed)
3460 */
57dee9bb
MC		 3461 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3462 GOODALPNLEN - 1))
3463 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3464 GOODALPNLEN)))
976e5323
MC		 3465 goto end;
3466
3467 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3468 break;
3469
57dee9bb
MC		 3470 case 7:
3471 /* Set inconsistent ALPN (late client detection) */
3472 SSL_SESSION_free(serverpsk);
3473 serverpsk = SSL_SESSION_dup(clientpsk);
3474 if (!TEST_ptr(serverpsk)
3475 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3476 BADALPN + 1,
3477 BADALPNLEN - 1))
3478 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3479 GOODALPN + 1,
3480 GOODALPNLEN - 1))
3481 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3482 sizeof(alpnlist))))
3483 goto end;
3484 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3485 edstatus = SSL_EARLY_DATA_ACCEPTED;
3486 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3487 /* SSL_connect() call should fail */
3488 connectres = -1;
3489 break;
3490
976e5323
MC		 3491 default:
3492 TEST_error("Bad test index");
3493 goto end;
3494 }
3495
3496 SSL_set_connect_state(clientssl);
3497 if (err != 0) {
3498 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3499 &written))
3500 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3501 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3502 goto end;
3503 } else {
3504 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3505 &written)))
3506 goto end;
3507
3508 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3509 &readbytes), readearlyres)
976e5323
MC		 3510 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3511 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3512 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3513 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3514 goto end;
3515 }
3516
3517 testresult = 1;
3518
3519 end:
c20e3b28 3520 SSL_SESSION_free(sess);
57dee9bb
MC		 3521 SSL_SESSION_free(clientpsk);
3522 SSL_SESSION_free(serverpsk);
3523 clientpsk = serverpsk = NULL;
976e5323
MC		 3524 SSL_free(serverssl);
3525 SSL_free(clientssl);
3526 SSL_CTX_free(sctx);
3527 SSL_CTX_free(cctx);
3528 return testresult;
3529}
3530
710756a9
RS		 3531/*
3532 * Test that a server that doesn't try to read early data can handle a
3533 * client sending some.
3534 */
3cb47b4e 3535static int test_early_data_not_expected(int idx)
5f982038
MC		 3536{
3537 SSL_CTX *cctx = NULL, *sctx = NULL;
3538 SSL *clientssl = NULL, *serverssl = NULL;
3539 int testresult = 0;
018fcbec 3540 SSL_SESSION *sess = NULL;
5f982038
MC		 3541 unsigned char buf[20];
3542 size_t readbytes, written;
3543
710756a9
RS		 3544 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3545 &serverssl, &sess, idx)))
5f982038
MC		 3546 goto end;
3547
3548 /* Write some early data */
710756a9
RS		 3549 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3550 &written)))
5f982038 3551 goto end;
5f982038
MC		 3552
3553 /*
3554 * Server should skip over early data and then block waiting for client to
3555 * continue handshake
3556 */
710756a9
RS		 3557 if (!TEST_int_le(SSL_accept(serverssl), 0)
3558 || !TEST_int_gt(SSL_connect(clientssl), 0)
3559 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3560 SSL_EARLY_DATA_REJECTED)
3561 || !TEST_int_gt(SSL_accept(serverssl), 0)
3562 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3563 SSL_EARLY_DATA_REJECTED))
5f982038 3564 goto end;
5f982038
MC		 3565
3566 /* Send some normal data from client to server */
710756a9
RS		 3567 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3568 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3569 goto end;
5f982038 3570
710756a9
RS		 3571 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3572 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3573 goto end;
5f982038
MC		 3574
3575 testresult = 1;
3576
3577 end:
5f982038 3578 SSL_SESSION_free(sess);
c20e3b28 3579 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3580 SSL_SESSION_free(serverpsk);
3581 clientpsk = serverpsk = NULL;
5f982038
MC		 3582 SSL_free(serverssl);
3583 SSL_free(clientssl);
3584 SSL_CTX_free(sctx);
3585 SSL_CTX_free(cctx);
5f982038
MC		 3586 return testresult;
3587}
3588
3589
3590# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3591/*
3592 * Test that a server attempting to read early data can handle a connection
3593 * from a TLSv1.2 client.
3594 */
3cb47b4e 3595static int test_early_data_tls1_2(int idx)
5f982038
MC		 3596{
3597 SSL_CTX *cctx = NULL, *sctx = NULL;
3598 SSL *clientssl = NULL, *serverssl = NULL;
3599 int testresult = 0;
3600 unsigned char buf[20];
3601 size_t readbytes, written;
3602
02a3ed5a
MC		 3603 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3604 &serverssl, NULL, idx)))
5f982038 3605 goto end;
5f982038
MC		 3606
3607 /* Write some data - should block due to handshake with server */
3608 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3609 SSL_set_connect_state(clientssl);
710756a9 3610 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3611 goto end;
5f982038
MC		 3612
3613 /*
3614 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3615 * messages from client after ServerDone. Then SSL_read_early_data should
3616 * finish and detect that early data has not been sent
5f982038 3617 */
710756a9
RS		 3618 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3619 &readbytes),
3620 SSL_READ_EARLY_DATA_ERROR))
5f982038 3621 goto end;
5f982038
MC		 3622
3623 /*
3624 * Continue writing the message we started earlier. Will still block waiting
3625 * for the CCS/Finished from server
3626 */
710756a9
RS		 3627 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3628 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3629 &readbytes),
3630 SSL_READ_EARLY_DATA_FINISH)
3631 || !TEST_size_t_eq(readbytes, 0)
3632 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3633 SSL_EARLY_DATA_NOT_SENT))
5f982038 3634 goto end;
5f982038
MC		 3635
3636 /* Continue writing the message we started earlier */
710756a9
RS		 3637 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3638 || !TEST_size_t_eq(written, strlen(MSG1))
3639 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3640 SSL_EARLY_DATA_NOT_SENT)
3641 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3642 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3643 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3644 || !TEST_size_t_eq(written, strlen(MSG2))
3645 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3646 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3647 goto end;
5f982038
MC		 3648
3649 testresult = 1;
3650
3651 end:
57dee9bb
MC		 3652 SSL_SESSION_free(clientpsk);
3653 SSL_SESSION_free(serverpsk);
3654 clientpsk = serverpsk = NULL;
5f982038
MC		 3655 SSL_free(serverssl);
3656 SSL_free(clientssl);
3657 SSL_CTX_free(sctx);
3658 SSL_CTX_free(cctx);
3659
3660 return testresult;
3661}
ca0413ae
MC		 3662# endif /* OPENSSL_NO_TLS1_2 */
3663
034cb87b
MC		 3664/*
3665 * Test configuring the TLSv1.3 ciphersuites
3666 *
3667 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3668 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3669 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3670 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3671 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3672 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3673 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3674 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3675 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3676 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3677 */
3678static int test_set_ciphersuite(int idx)
3679{
3680 SSL_CTX *cctx = NULL, *sctx = NULL;
3681 SSL *clientssl = NULL, *serverssl = NULL;
3682 int testresult = 0;
3683
5e30f2fd
MC		 3684 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3685 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 3686 &sctx, &cctx, cert, privkey))
3687 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3688 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3689 goto end;
3690
3691 if (idx >=4 && idx <= 7) {
3692 /* SSL_CTX explicit cipher list */
3693 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3694 goto end;
3695 }
3696
3697 if (idx == 0 || idx == 4) {
3698 /* Default ciphersuite */
3699 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3700 "TLS_AES_128_GCM_SHA256")))
3701 goto end;
3702 } else if (idx == 1 || idx == 5) {
3703 /* Non default ciphersuite */
3704 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3705 "TLS_AES_128_CCM_SHA256")))
3706 goto end;
3707 }
3708
3709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3710 &clientssl, NULL, NULL)))
3711 goto end;
3712
3713 if (idx == 8 || idx == 9) {
3714 /* SSL explicit cipher list */
3715 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3716 goto end;
3717 }
3718
3719 if (idx == 2 || idx == 6 || idx == 8) {
3720 /* Default ciphersuite */
3721 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3722 "TLS_AES_128_GCM_SHA256")))
3723 goto end;
3724 } else if (idx == 3 || idx == 7 || idx == 9) {
3725 /* Non default ciphersuite */
3726 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3727 "TLS_AES_128_CCM_SHA256")))
3728 goto end;
3729 }
3730
3731 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3732 goto end;
3733
3734 testresult = 1;
3735
3736 end:
3737 SSL_free(serverssl);
3738 SSL_free(clientssl);
3739 SSL_CTX_free(sctx);
3740 SSL_CTX_free(cctx);
3741
3742 return testresult;
3743}
3744
ca0413ae
MC		 3745static int test_ciphersuite_change(void)
3746{
3747 SSL_CTX *cctx = NULL, *sctx = NULL;
3748 SSL *clientssl = NULL, *serverssl = NULL;
3749 SSL_SESSION *clntsess = NULL;
3750 int testresult = 0;
3751 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3752
3753 /* Create a session based on SHA-256 */
5e30f2fd
MC		 3754 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3755 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3756 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 3757 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3758 "TLS_AES_128_GCM_SHA256:"
3759 "TLS_AES_256_GCM_SHA384:"
3760 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 3761 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3762 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3763 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3764 &clientssl, NULL, NULL))
3765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3766 SSL_ERROR_NONE)))
3767 goto end;
3768
3769 clntsess = SSL_get1_session(clientssl);
3770 /* Save for later */
3771 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3772 SSL_shutdown(clientssl);
3773 SSL_shutdown(serverssl);
3774 SSL_free(serverssl);
3775 SSL_free(clientssl);
3776 serverssl = clientssl = NULL;
3777
3778 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 3779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 3780 "TLS_AES_128_CCM_SHA256"))
3781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3782 &clientssl, NULL, NULL))
ca0413ae
MC		 3783 || !TEST_true(SSL_set_session(clientssl, clntsess))
3784 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3785 SSL_ERROR_NONE))
3786 || !TEST_true(SSL_session_reused(clientssl)))
3787 goto end;
3788
3789 SSL_SESSION_free(clntsess);
3790 clntsess = SSL_get1_session(clientssl);
3791 SSL_shutdown(clientssl);
3792 SSL_shutdown(serverssl);
3793 SSL_free(serverssl);
3794 SSL_free(clientssl);
3795 serverssl = clientssl = NULL;
3796
3797 /*
3798 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3799 * succeeds but does not resume.
ca0413ae 3800 */
f865b081 3801 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3802 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3803 NULL, NULL))
3804 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3806 SSL_ERROR_SSL))
0de6d66d 3807 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3808 goto end;
3809
3810 SSL_SESSION_free(clntsess);
3811 clntsess = NULL;
3812 SSL_shutdown(clientssl);
3813 SSL_shutdown(serverssl);
3814 SSL_free(serverssl);
3815 SSL_free(clientssl);
3816 serverssl = clientssl = NULL;
3817
3818 /* Create a session based on SHA384 */
f865b081 3819 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3820 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3821 &clientssl, NULL, NULL))
3822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3823 SSL_ERROR_NONE)))
3824 goto end;
3825
3826 clntsess = SSL_get1_session(clientssl);
3827 SSL_shutdown(clientssl);
3828 SSL_shutdown(serverssl);
3829 SSL_free(serverssl);
3830 SSL_free(clientssl);
3831 serverssl = clientssl = NULL;
3832
f865b081
MC		 3833 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3834 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3835 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3836 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3838 NULL, NULL))
3839 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3840 /*
3841 * We use SSL_ERROR_WANT_READ below so that we can pause the
3842 * connection after the initial ClientHello has been sent to
3843 * enable us to make some session changes.
3844 */
ca0413ae
MC		 3845 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3846 SSL_ERROR_WANT_READ)))
3847 goto end;
3848
3849 /* Trick the client into thinking this session is for a different digest */
3850 clntsess->cipher = aes_128_gcm_sha256;
3851 clntsess->cipher_id = clntsess->cipher->id;
3852
3853 /*
3b0e88d3
MC		 3854 * Continue the previously started connection. Server has selected a SHA-384
3855 * ciphersuite, but client thinks the session is for SHA-256, so it should
3856 * bail out.
ca0413ae
MC		 3857 */
3858 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3859 SSL_ERROR_SSL))
3860 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3861 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3862 goto end;
3863
3864 testresult = 1;
3865
3866 end:
3867 SSL_SESSION_free(clntsess);
3868 SSL_free(serverssl);
3869 SSL_free(clientssl);
3870 SSL_CTX_free(sctx);
3871 SSL_CTX_free(cctx);
3872
3873 return testresult;
3874}
3875
8e63900a 3876/*
5bf2eade 3877 * Test TLSv1.3 Key exchange
3878 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
3879 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
3880 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
3881 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
3882 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
3883 * Test 5 = Test NID_X448 with TLSv1.3 client and server
3884 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
3885 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
3886 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
3887 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
3888 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
3889 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
3890 * Test 12 = Test all ECDHE with TLSv1.2 client and server
3891 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 3892 */
db26ec80 3893static int test_key_exchange(int idx)
8e63900a 3894{
3895 SSL_CTX *sctx = NULL, *cctx = NULL;
3896 SSL *serverssl = NULL, *clientssl = NULL;
3897 int testresult = 0;
5bf2eade 3898# ifndef OPENSSL_NO_EC
3899 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
3900 NID_secp521r1, NID_X25519, NID_X448};
3901# endif
3902# ifndef OPENSSL_NO_DH
8e63900a 3903 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
3904 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 3905# endif
fb8c6db4 3906 int kexch_alg;
3907 int *kexch_groups = &kexch_alg;
3908 int kexch_groups_size = 1;
8e63900a 3909 int max_version = TLS1_3_VERSION;
8e63900a 3910
3911 switch (idx) {
5bf2eade 3912# ifndef OPENSSL_NO_EC
db26ec80 3913# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3914 case 12:
fb8c6db4 3915 max_version = TLS1_2_VERSION;
db26ec80 3916# endif
fb8c6db4 3917 /* Fall through */
3918 case 0:
3919 kexch_groups = ecdhe_kexch_groups;
3920 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
3921 break;
5bf2eade 3922 case 1:
fb8c6db4 3923 kexch_alg = NID_X9_62_prime256v1;
3924 break;
5bf2eade 3925 case 2:
fb8c6db4 3926 kexch_alg = NID_secp384r1;
3927 break;
5bf2eade 3928 case 3:
fb8c6db4 3929 kexch_alg = NID_secp521r1;
3930 break;
5bf2eade 3931 case 4:
fb8c6db4 3932 kexch_alg = NID_X25519;
3933 break;
5bf2eade 3934 case 5:
fb8c6db4 3935 kexch_alg = NID_X448;
3936 break;
5bf2eade 3937# endif
3938# ifndef OPENSSL_NO_DH
db26ec80 3939# ifndef OPENSSL_NO_TLS1_2
5bf2eade 3940 case 13:
dbc6268f 3941 max_version = TLS1_2_VERSION;
db26ec80 3942# endif
dbc6268f 3943 /* Fall through */
5bf2eade 3944 case 6:
8e63900a 3945 kexch_groups = ffdhe_kexch_groups;
3946 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
3947 break;
5bf2eade 3948 case 7:
fb8c6db4 3949 kexch_alg = NID_ffdhe2048;
3950 break;
5bf2eade 3951 case 8:
fb8c6db4 3952 kexch_alg = NID_ffdhe3072;
3953 break;
5bf2eade 3954 case 9:
fb8c6db4 3955 kexch_alg = NID_ffdhe4096;
3956 break;
5bf2eade 3957 case 10:
fb8c6db4 3958 kexch_alg = NID_ffdhe6144;
3959 break;
5bf2eade 3960 case 11:
fb8c6db4 3961 kexch_alg = NID_ffdhe8192;
8e63900a 3962 break;
5bf2eade 3963# endif
6597d62b
MC		 3964 default:
3965 /* We're skipping this test */
3966 return 1;
8e63900a 3967 }
3968
5e30f2fd
MC		 3969 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3970 TLS_client_method(), TLS1_VERSION,
3971 max_version, &sctx, &cctx, cert,
3972 privkey)))
8e63900a 3973 goto end;
3974
5bf2eade 3975 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
3976 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3977 goto end;
3978
5bf2eade 3979 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3980 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 3981 goto end;
3982
5bf2eade 3983 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
3984 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3985 goto end;
3986
dbc6268f
MC		 3987 /*
3988 * Must include an EC ciphersuite so that we send supported groups in
3989 * TLSv1.2
3990 */
5bf2eade 3991# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 3992 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
3993 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
3994 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 3995 goto end;
5bf2eade 3996# endif
8e63900a 3997
3998 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3999 NULL, NULL)))
4000 goto end;
4001
4002 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4003 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4004 goto end;
4005
5bf2eade 4006 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4007 goto end;
8e63900a 4008
dbc6268f 4009 /*
5bf2eade 4010 * If Handshake succeeds the negotiated kexch alg should be the first one in
4011 * configured, except in the case of FFDHE groups (idx 13), which are
4012 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4013 */
4014 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4015 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4016 goto end;
fb8c6db4 4017 if (max_version == TLS1_3_VERSION) {
4018 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4019 goto end;
4020 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4021 goto end;
4022 }
8e63900a 4023
4024 testresult = 1;
4025 end:
4026 SSL_free(serverssl);
4027 SSL_free(clientssl);
4028 SSL_CTX_free(sctx);
4029 SSL_CTX_free(cctx);
4030 return testresult;
4031}
4032
5bf2eade 4033/*
4034 * Test TLSv1.3 Cipher Suite
4035 * Test 0 = Set TLS1.3 cipher on context
4036 * Test 1 = Set TLS1.3 cipher on SSL
4037 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4038 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4039 */
4040static int test_tls13_ciphersuite(int idx)
4041{
4042 SSL_CTX *sctx = NULL, *cctx = NULL;
4043 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4044 static const struct {
4045 const char *ciphername;
4046 int fipscapable;
4047 } t13_ciphers[] = {
4048 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4049 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4050 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4051# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4052 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4053 { TLS1_3_RFC_AES_256_GCM_SHA384
4054 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4055# endif
4f6c7044 4056 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4057 };
4058 const char *t13_cipher = NULL;
4059 const char *t12_cipher = NULL;
4060 const char *negotiated_scipher;
4061 const char *negotiated_ccipher;
4062 int set_at_ctx = 0;
4063 int set_at_ssl = 0;
4064 int testresult = 0;
4065 int max_ver;
4066 size_t i;
4067
4068 switch (idx) {
4069 case 0:
4070 set_at_ctx = 1;
4071 break;
4072 case 1:
4073 set_at_ssl = 1;
4074 break;
4075 case 2:
4076 set_at_ctx = 1;
2d900758 4077 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4078 break;
4079 case 3:
4080 set_at_ssl = 1;
2d900758 4081 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4082 break;
4083 }
4084
4085 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4086# ifdef OPENSSL_NO_TLS1_2
4087 if (max_ver == TLS1_2_VERSION)
4088 continue;
4089# endif
4090 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4091 if (is_fips && !t13_ciphers[i].fipscapable)
4092 continue;
4093 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4094 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4095 TLS_client_method(),
4096 TLS1_VERSION, max_ver,
4097 &sctx, &cctx, cert, privkey)))
4098 goto end;
4099
4100 if (set_at_ctx) {
4101 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4102 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4103 goto end;
4104 if (t12_cipher != NULL) {
4105 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4106 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4107 t12_cipher)))
4108 goto end;
4109 }
4110 }
4111
4112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4113 &clientssl, NULL, NULL)))
4114 goto end;
4115
4116 if (set_at_ssl) {
4117 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4118 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4119 goto end;
4120 if (t12_cipher != NULL) {
4121 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4122 || !TEST_true(SSL_set_cipher_list(clientssl,
4123 t12_cipher)))
4124 goto end;
4125 }
4126 }
4127
4128 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4129 SSL_ERROR_NONE)))
4130 goto end;
4131
4132 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4133 serverssl));
4134 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4135 clientssl));
4136 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4137 goto end;
4138
4139 /*
4140 * TEST_strn_eq is used below because t13_cipher can contain
4141 * multiple ciphersuites
4142 */
4143 if (max_ver == TLS1_3_VERSION
4144 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4145 strlen(negotiated_scipher)))
4146 goto end;
4147
4148# ifndef OPENSSL_NO_TLS1_2
4149 /* Below validation is not done when t12_cipher is NULL */
4150 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4151 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4152 goto end;
4153# endif
4154
4155 SSL_free(serverssl);
4156 serverssl = NULL;
4157 SSL_free(clientssl);
4158 clientssl = NULL;
4159 SSL_CTX_free(sctx);
4160 sctx = NULL;
4161 SSL_CTX_free(cctx);
4162 cctx = NULL;
4163 }
4164 }
4165
4166 testresult = 1;
4167 end:
4168 SSL_free(serverssl);
4169 SSL_free(clientssl);
4170 SSL_CTX_free(sctx);
4171 SSL_CTX_free(cctx);
4172 return testresult;
4173}
4174
0d8da779
MC		 4175/*
4176 * Test TLSv1.3 PSKs
4177 * Test 0 = Test new style callbacks
4178 * Test 1 = Test both new and old style callbacks
4179 * Test 2 = Test old style callbacks
4180 * Test 3 = Test old style callbacks with no certificate
4181 */
532f9578 4182static int test_tls13_psk(int idx)
ca8c71ba
MC		 4183{
4184 SSL_CTX *sctx = NULL, *cctx = NULL;
4185 SSL *serverssl = NULL, *clientssl = NULL;
4186 const SSL_CIPHER *cipher = NULL;
4187 const unsigned char key[] = {
4188 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4189 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4190 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4191 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4192 };
4193 int testresult = 0;
4194
5e30f2fd
MC		 4195 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4196 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4197 &sctx, &cctx, idx == 3 ? NULL : cert,
4198 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4199 goto end;
4200
0d8da779
MC		 4201 if (idx != 3) {
4202 /*
4203 * We use a ciphersuite with SHA256 to ease testing old style PSK
4204 * callbacks which will always default to SHA256. This should not be
4205 * necessary if we have no cert/priv key. In that case the server should
4206 * prefer SHA256 automatically.
4207 */
4208 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4209 "TLS_AES_128_GCM_SHA256")))
4210 goto end;
4f6c7044
MC		 4211 } else {
4212 /*
4213 * As noted above the server should prefer SHA256 automatically. However
4214 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4215 * code works even if we are testing with only the FIPS provider loaded.
4216 */
4217 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4218 "TLS_AES_256_GCM_SHA384:"
4219 "TLS_AES_128_GCM_SHA256")))
4220 goto end;
0d8da779 4221 }
532f9578
MC		 4222
4223 /*
4224 * Test 0: New style callbacks only
4225 * Test 1: New and old style callbacks (only the new ones should be used)
4226 * Test 2: Old style callbacks only
4227 */
4228 if (idx == 0 || idx == 1) {
4229 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4230 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4231 }
c2b290c3 4232#ifndef OPENSSL_NO_PSK
0d8da779 4233 if (idx >= 1) {
532f9578
MC		 4234 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4235 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4236 }
c2b290c3 4237#endif
ca8c71ba 4238 srvid = pskid;
02a3ed5a
MC		 4239 use_session_cb_cnt = 0;
4240 find_session_cb_cnt = 0;
532f9578
MC		 4241 psk_client_cb_cnt = 0;
4242 psk_server_cb_cnt = 0;
ca8c71ba 4243
0d8da779
MC		 4244 if (idx != 3) {
4245 /*
4246 * Check we can create a connection if callback decides not to send a
4247 * PSK
4248 */
4249 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4250 NULL, NULL))
4251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4252 SSL_ERROR_NONE))
4253 || !TEST_false(SSL_session_reused(clientssl))
4254 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4255 goto end;
532f9578 4256
0d8da779
MC		 4257 if (idx == 0 || idx == 1) {
4258 if (!TEST_true(use_session_cb_cnt == 1)
4259 || !TEST_true(find_session_cb_cnt == 0)
4260 /*
4261 * If no old style callback then below should be 0
4262 * otherwise 1
4263 */
4264 || !TEST_true(psk_client_cb_cnt == idx)
4265 || !TEST_true(psk_server_cb_cnt == 0))
4266 goto end;
4267 } else {
4268 if (!TEST_true(use_session_cb_cnt == 0)
4269 || !TEST_true(find_session_cb_cnt == 0)
4270 || !TEST_true(psk_client_cb_cnt == 1)
4271 || !TEST_true(psk_server_cb_cnt == 0))
4272 goto end;
4273 }
4274
4275 shutdown_ssl_connection(serverssl, clientssl);
4276 serverssl = clientssl = NULL;
4277 use_session_cb_cnt = psk_client_cb_cnt = 0;
4278 }
ca8c71ba
MC		 4279
4280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4281 NULL, NULL)))
4282 goto end;
4283
4284 /* Create the PSK */
532f9578 4285 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4286 clientpsk = SSL_SESSION_new();
4287 if (!TEST_ptr(clientpsk)
ca8c71ba 4288 || !TEST_ptr(cipher)
57dee9bb
MC		 4289 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4290 sizeof(key)))
4291 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4292 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4293 TLS1_3_VERSION))
4294 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4295 goto end;
57dee9bb 4296 serverpsk = clientpsk;
ca8c71ba
MC		 4297
4298 /* Check we can create a connection and the PSK is used */
4299 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4300 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4301 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4302 goto end;
4303
532f9578
MC		 4304 if (idx == 0 || idx == 1) {
4305 if (!TEST_true(use_session_cb_cnt == 1)
4306 || !TEST_true(find_session_cb_cnt == 1)
4307 || !TEST_true(psk_client_cb_cnt == 0)
4308 || !TEST_true(psk_server_cb_cnt == 0))
4309 goto end;
4310 } else {
4311 if (!TEST_true(use_session_cb_cnt == 0)
4312 || !TEST_true(find_session_cb_cnt == 0)
4313 || !TEST_true(psk_client_cb_cnt == 1)
4314 || !TEST_true(psk_server_cb_cnt == 1))
4315 goto end;
4316 }
4317
ca8c71ba
MC		 4318 shutdown_ssl_connection(serverssl, clientssl);
4319 serverssl = clientssl = NULL;
4320 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4321 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4322
4323 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4324 NULL, NULL)))
4325 goto end;
4326
4327 /* Force an HRR */
dbc6268f
MC		 4328#if defined(OPENSSL_NO_EC)
4329 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4330 goto end;
4331#else
ca8c71ba
MC		 4332 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4333 goto end;
dbc6268f 4334#endif
ca8c71ba
MC		 4335
4336 /*
4337 * Check we can create a connection, the PSK is used and the callbacks are
4338 * called twice.
4339 */
4340 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4341 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4342 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4343 goto end;
4344
532f9578
MC		 4345 if (idx == 0 || idx == 1) {
4346 if (!TEST_true(use_session_cb_cnt == 2)
4347 || !TEST_true(find_session_cb_cnt == 2)
4348 || !TEST_true(psk_client_cb_cnt == 0)
4349 || !TEST_true(psk_server_cb_cnt == 0))
4350 goto end;
4351 } else {
4352 if (!TEST_true(use_session_cb_cnt == 0)
4353 || !TEST_true(find_session_cb_cnt == 0)
4354 || !TEST_true(psk_client_cb_cnt == 2)
4355 || !TEST_true(psk_server_cb_cnt == 2))
4356 goto end;
4357 }
4358
ca8c71ba
MC		 4359 shutdown_ssl_connection(serverssl, clientssl);
4360 serverssl = clientssl = NULL;
4361 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4362 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4363
0d8da779
MC		 4364 if (idx != 3) {
4365 /*
4366 * Check that if the server rejects the PSK we can still connect, but with
4367 * a full handshake
4368 */
4369 srvid = "Dummy Identity";
4370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4371 NULL, NULL))
4372 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4373 SSL_ERROR_NONE))
4374 || !TEST_false(SSL_session_reused(clientssl))
4375 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4376 goto end;
532f9578 4377
0d8da779
MC		 4378 if (idx == 0 || idx == 1) {
4379 if (!TEST_true(use_session_cb_cnt == 1)
4380 || !TEST_true(find_session_cb_cnt == 1)
4381 || !TEST_true(psk_client_cb_cnt == 0)
4382 /*
4383 * If no old style callback then below should be 0
4384 * otherwise 1
4385 */
4386 || !TEST_true(psk_server_cb_cnt == idx))
4387 goto end;
4388 } else {
4389 if (!TEST_true(use_session_cb_cnt == 0)
4390 || !TEST_true(find_session_cb_cnt == 0)
4391 || !TEST_true(psk_client_cb_cnt == 1)
4392 || !TEST_true(psk_server_cb_cnt == 1))
4393 goto end;
4394 }
4395
4396 shutdown_ssl_connection(serverssl, clientssl);
4397 serverssl = clientssl = NULL;
4398 }
ca8c71ba
MC		 4399 testresult = 1;
4400
4401 end:
57dee9bb
MC		 4402 SSL_SESSION_free(clientpsk);
4403 SSL_SESSION_free(serverpsk);
4404 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4405 SSL_free(serverssl);
4406 SSL_free(clientssl);
4407 SSL_CTX_free(sctx);
4408 SSL_CTX_free(cctx);
4409 return testresult;
4410}
4411
c7b8ff25
MC		 4412static unsigned char cookie_magic_value[] = "cookie magic";
4413
4414static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4415 unsigned int *cookie_len)
4416{
4417 /*
4418 * Not suitable as a real cookie generation function but good enough for
4419 * testing!
4420 */
97ea1e7f
MC		 4421 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4422 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4423
4424 return 1;
4425}
4426
4427static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4428 unsigned int cookie_len)
4429{
97ea1e7f 4430 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4431 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4432 return 1;
4433
4434 return 0;
4435}
4436
3fa2812f
BS		 4437static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4438 size_t *cookie_len)
4439{
4440 unsigned int temp;
4441 int res = generate_cookie_callback(ssl, cookie, &temp);
4442 *cookie_len = temp;
4443 return res;
4444}
4445
4446static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4447 size_t cookie_len)
4448{
4449 return verify_cookie_callback(ssl, cookie, cookie_len);
4450}
4451
c7b8ff25
MC		 4452static int test_stateless(void)
4453{
4454 SSL_CTX *sctx = NULL, *cctx = NULL;
4455 SSL *serverssl = NULL, *clientssl = NULL;
4456 int testresult = 0;
4457
5e30f2fd
MC		 4458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4459 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4460 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4461 goto end;
4462
e440f513
MC		 4463 /* The arrival of CCS messages can confuse the test */
4464 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4465
4466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4467 NULL, NULL))
4468 /* Send the first ClientHello */
4469 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4470 SSL_ERROR_WANT_READ))
4471 /*
4472 * This should fail with a -1 return because we have no callbacks
4473 * set up
4474 */
4475 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4476 goto end;
4477
4478 /* Fatal error so abandon the connection from this client */
4479 SSL_free(clientssl);
4480 clientssl = NULL;
4481
c7b8ff25 4482 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4483 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4484 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4485
e440f513
MC		 4486 /*
4487 * Create a new connection from the client (we can reuse the server SSL
4488 * object).
4489 */
c7b8ff25
MC		 4490 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4491 NULL, NULL))
4492 /* Send the first ClientHello */
4493 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4494 SSL_ERROR_WANT_READ))
4495 /* This should fail because there is no cookie */
e440f513 4496 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4497 goto end;
4498
4499 /* Abandon the connection from this client */
4500 SSL_free(clientssl);
4501 clientssl = NULL;
4502
4503 /*
4504 * Now create a connection from a new client but with the same server SSL
4505 * object
4506 */
4507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4508 NULL, NULL))
4509 /* Send the first ClientHello */
4510 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4511 SSL_ERROR_WANT_READ))
4512 /* This should fail because there is no cookie */
e440f513 4513 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4514 /* Send the second ClientHello */
4515 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4516 SSL_ERROR_WANT_READ))
4517 /* This should succeed because a cookie is now present */
e440f513 4518 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4519 /* Complete the connection */
4520 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4521 SSL_ERROR_NONE)))
4522 goto end;
4523
4524 shutdown_ssl_connection(serverssl, clientssl);
4525 serverssl = clientssl = NULL;
4526 testresult = 1;
4527
4528 end:
4529 SSL_free(serverssl);
4530 SSL_free(clientssl);
4531 SSL_CTX_free(sctx);
4532 SSL_CTX_free(cctx);
4533 return testresult;
4534
4535}
ca0413ae 4536#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4537
a37008d9
MC		 4538static int clntaddoldcb = 0;
4539static int clntparseoldcb = 0;
4540static int srvaddoldcb = 0;
4541static int srvparseoldcb = 0;
4542static int clntaddnewcb = 0;
4543static int clntparsenewcb = 0;
4544static int srvaddnewcb = 0;
4545static int srvparsenewcb = 0;
bb01ef3f 4546static int snicb = 0;
a37008d9
MC		 4547
4548#define TEST_EXT_TYPE1 0xff00
4549
4550static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4551 size_t *outlen, int *al, void *add_arg)
4552{
4553 int *server = (int *)add_arg;
4554 unsigned char *data;
4555
4556 if (SSL_is_server(s))
4557 srvaddoldcb++;
4558 else
4559 clntaddoldcb++;
4560
710756a9
RS		 4561 if (*server != SSL_is_server(s)
4562 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4563 return -1;
4564
4565 *data = 1;
4566 *out = data;
4567 *outlen = sizeof(char);
a37008d9
MC		 4568 return 1;
4569}
4570
4571static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4572 void *add_arg)
4573{
4574 OPENSSL_free((unsigned char *)out);
4575}
4576
4577static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4578 size_t inlen, int *al, void *parse_arg)
4579{
4580 int *server = (int *)parse_arg;
4581
4582 if (SSL_is_server(s))
4583 srvparseoldcb++;
4584 else
4585 clntparseoldcb++;
4586
710756a9
RS		 4587 if (*server != SSL_is_server(s)
4588 || inlen != sizeof(char)
4589 || *in != 1)
a37008d9
MC		 4590 return -1;
4591
4592 return 1;
4593}
4594
4595static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
4596 const unsigned char **out, size_t *outlen, X509 *x,
4597 size_t chainidx, int *al, void *add_arg)
4598{
4599 int *server = (int *)add_arg;
4600 unsigned char *data;
4601
4602 if (SSL_is_server(s))
4603 srvaddnewcb++;
4604 else
4605 clntaddnewcb++;
4606
710756a9
RS		 4607 if (*server != SSL_is_server(s)
4608 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4609 return -1;
4610
4611 *data = 1;
4612 *out = data;
710756a9 4613 *outlen = sizeof(*data);
a37008d9
MC		 4614 return 1;
4615}
4616
4617static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
4618 const unsigned char *out, void *add_arg)
4619{
4620 OPENSSL_free((unsigned char *)out);
4621}
4622
4623static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
4624 const unsigned char *in, size_t inlen, X509 *x,
4625 size_t chainidx, int *al, void *parse_arg)
4626{
4627 int *server = (int *)parse_arg;
4628
4629 if (SSL_is_server(s))
4630 srvparsenewcb++;
4631 else
4632 clntparsenewcb++;
4633
710756a9
RS		 4634 if (*server != SSL_is_server(s)
4635 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 4636 return -1;
4637
4638 return 1;
4639}
bb01ef3f
MC		 4640
4641static int sni_cb(SSL *s, int *al, void *arg)
4642{
4643 SSL_CTX *ctx = (SSL_CTX *)arg;
4644
4645 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
4646 *al = SSL_AD_INTERNAL_ERROR;
4647 return SSL_TLSEXT_ERR_ALERT_FATAL;
4648 }
4649 snicb++;
4650 return SSL_TLSEXT_ERR_OK;
4651}
4652
a37008d9
MC		 4653/*
4654 * Custom call back tests.
4655 * Test 0: Old style callbacks in TLSv1.2
4656 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 4657 * Test 2: New style callbacks in TLSv1.2 with SNI
4658 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
4659 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 4660 */
710756a9
RS		 4661static int test_custom_exts(int tst)
4662{
bb01ef3f 4663 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 4664 SSL *clientssl = NULL, *serverssl = NULL;
4665 int testresult = 0;
4666 static int server = 1;
4667 static int client = 0;
4668 SSL_SESSION *sess = NULL;
4669 unsigned int context;
4670
c423ecaa
MC		 4671#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
4672 /* Skip tests for TLSv1.2 and below in this case */
4673 if (tst < 3)
4674 return 1;
4675#endif
4676
a37008d9
MC		 4677 /* Reset callback counters */
4678 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
4679 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 4680 snicb = 0;
a37008d9 4681
5e30f2fd
MC		 4682 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4683 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4684 &sctx, &cctx, cert, privkey)))
710756a9 4685 goto end;
a37008d9 4686
bb01ef3f 4687 if (tst == 2
5e30f2fd 4688 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 4689 TLS1_VERSION, 0,
7d7f6834 4690 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 4691 goto end;
4692
4693
4694 if (tst < 3) {
a37008d9
MC		 4695 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
4696 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 4697 if (sctx2 != NULL)
4698 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 4699 }
4700
bb01ef3f 4701 if (tst == 4) {
710756a9
RS		 4702 context = SSL_EXT_CLIENT_HELLO
4703 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4704 | SSL_EXT_TLS1_3_SERVER_HELLO
4705 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
4706 | SSL_EXT_TLS1_3_CERTIFICATE
4707 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
4708 } else {
710756a9
RS		 4709 context = SSL_EXT_CLIENT_HELLO
4710 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 4711 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
4712 }
4713
4714 /* Create a client side custom extension */
4715 if (tst == 0) {
710756a9
RS		 4716 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4717 old_add_cb, old_free_cb,
4718 &client, old_parse_cb,
4719 &client)))
4720 goto end;
a37008d9 4721 } else {
710756a9
RS		 4722 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4723 new_add_cb, new_free_cb,
4724 &client, new_parse_cb, &client)))
4725 goto end;
a37008d9
MC		 4726 }
4727
4728 /* Should not be able to add duplicates */
710756a9
RS		 4729 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4730 old_add_cb, old_free_cb,
4731 &client, old_parse_cb,
4732 &client))
4733 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4734 context, new_add_cb,
4735 new_free_cb, &client,
4736 new_parse_cb, &client)))
4737 goto end;
a37008d9
MC		 4738
4739 /* Create a server side custom extension */
4740 if (tst == 0) {
710756a9
RS		 4741 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4742 old_add_cb, old_free_cb,
4743 &server, old_parse_cb,
4744 &server)))
4745 goto end;
a37008d9 4746 } else {
710756a9
RS		 4747 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4748 new_add_cb, new_free_cb,
4749 &server, new_parse_cb, &server)))
4750 goto end;
bb01ef3f
MC		 4751 if (sctx2 != NULL
4752 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4753 context, new_add_cb,
4754 new_free_cb, &server,
4755 new_parse_cb, &server)))
4756 goto end;
a37008d9
MC		 4757 }
4758
4759 /* Should not be able to add duplicates */
710756a9
RS		 4760 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4761 old_add_cb, old_free_cb,
4762 &server, old_parse_cb,
4763 &server))
4764 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4765 context, new_add_cb,
4766 new_free_cb, &server,
4767 new_parse_cb, &server)))
a37008d9 4768 goto end;
a37008d9 4769
bb01ef3f
MC		 4770 if (tst == 2) {
4771 /* Set up SNI */
4772 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4773 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4774 goto end;
4775 }
4776
710756a9
RS		 4777 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4778 &clientssl, NULL, NULL))
4779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4780 SSL_ERROR_NONE)))
a37008d9 4781 goto end;
a37008d9
MC		 4782
4783 if (tst == 0) {
710756a9
RS		 4784 if (clntaddoldcb != 1
4785 || clntparseoldcb != 1
4786 || srvaddoldcb != 1
4787 || srvparseoldcb != 1)
a37008d9 4788 goto end;
bb01ef3f 4789 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4790 if (clntaddnewcb != 1
4791 || clntparsenewcb != 1
4792 || srvaddnewcb != 1
bb01ef3f
MC		 4793 || srvparsenewcb != 1
4794 || (tst != 2 && snicb != 0)
4795 || (tst == 2 && snicb != 1))
a37008d9 4796 goto end;
a37008d9 4797 } else {
36ff232c 4798 /* In this case there 2 NewSessionTicket messages created */
710756a9 4799 if (clntaddnewcb != 1
36ff232c
MC		 4800 || clntparsenewcb != 5
4801 || srvaddnewcb != 5
710756a9 4802 || srvparsenewcb != 1)
a37008d9 4803 goto end;
a37008d9
MC		 4804 }
4805
4806 sess = SSL_get1_session(clientssl);
a37008d9
MC		 4807 SSL_shutdown(clientssl);
4808 SSL_shutdown(serverssl);
a37008d9
MC		 4809 SSL_free(serverssl);
4810 SSL_free(clientssl);
4811 serverssl = clientssl = NULL;
4812
bb01ef3f
MC		 4813 if (tst == 3) {
4814 /* We don't bother with the resumption aspects for this test */
4815 testresult = 1;
4816 goto end;
4817 }
4818
710756a9
RS		 4819 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4820 NULL, NULL))
4821 || !TEST_true(SSL_set_session(clientssl, sess))
4822 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4823 SSL_ERROR_NONE)))
a37008d9 4824 goto end;
a37008d9
MC		 4825
4826 /*
4827 * For a resumed session we expect to add the ClientHello extension. For the
4828 * old style callbacks we ignore it on the server side because they set
4829 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4830 * them.
4831 */
4832 if (tst == 0) {
710756a9
RS		 4833 if (clntaddoldcb != 2
4834 || clntparseoldcb != 1
4835 || srvaddoldcb != 1
4836 || srvparseoldcb != 1)
a37008d9 4837 goto end;
bb01ef3f 4838 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4839 if (clntaddnewcb != 2
4840 || clntparsenewcb != 2
4841 || srvaddnewcb != 2
4842 || srvparsenewcb != 2)
a37008d9 4843 goto end;
a37008d9 4844 } else {
36ff232c
MC		 4845 /*
4846 * No Certificate message extensions in the resumption handshake,
4847 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4848 */
710756a9 4849 if (clntaddnewcb != 2
36ff232c
MC		 4850 || clntparsenewcb != 8
4851 || srvaddnewcb != 8
710756a9 4852 || srvparsenewcb != 2)
a37008d9 4853 goto end;
a37008d9
MC		 4854 }
4855
4856 testresult = 1;
4857
4858end:
4859 SSL_SESSION_free(sess);
4860 SSL_free(serverssl);
4861 SSL_free(clientssl);
bb01ef3f 4862 SSL_CTX_free(sctx2);
a37008d9
MC		 4863 SSL_CTX_free(sctx);
4864 SSL_CTX_free(cctx);
a37008d9
MC		 4865 return testresult;
4866}
4867
16afd71c
MC		 4868/*
4869 * Test loading of serverinfo data in various formats. test_sslmessages actually
4870 * tests to make sure the extensions appear in the handshake
4871 */
4872static int test_serverinfo(int tst)
4873{
4874 unsigned int version;
4875 unsigned char *sibuf;
4876 size_t sibuflen;
4877 int ret, expected, testresult = 0;
4878 SSL_CTX *ctx;
4879
5e30f2fd 4880 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
16afd71c
MC		 4881 if (!TEST_ptr(ctx))
4882 goto end;
4883
4884 if ((tst & 0x01) == 0x01)
4885 version = SSL_SERVERINFOV2;
4886 else
4887 version = SSL_SERVERINFOV1;
4888
4889 if ((tst & 0x02) == 0x02) {
4890 sibuf = serverinfov2;
4891 sibuflen = sizeof(serverinfov2);
4892 expected = (version == SSL_SERVERINFOV2);
4893 } else {
4894 sibuf = serverinfov1;
4895 sibuflen = sizeof(serverinfov1);
4896 expected = (version == SSL_SERVERINFOV1);
4897 }
4898
4899 if ((tst & 0x04) == 0x04) {
4900 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4901 } else {
4902 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4903
4904 /*
4905 * The version variable is irrelevant in this case - it's what is in the
4906 * buffer that matters
4907 */
4908 if ((tst & 0x02) == 0x02)
4909 expected = 0;
4910 else
4911 expected = 1;
4912 }
4913
4914 if (!TEST_true(ret == expected))
4915 goto end;
4916
4917 testresult = 1;
4918
4919 end:
4920 SSL_CTX_free(ctx);
4921
4922 return testresult;
4923}
4924
2197d1df
MC		 4925/*
4926 * Test that SSL_export_keying_material() produces expected results. There are
4927 * no test vectors so all we do is test that both sides of the communication
4928 * produce the same results for different protocol versions.
4929 */
0fb2815b
MC		 4930#define SMALL_LABEL_LEN 10
4931#define LONG_LABEL_LEN 249
2197d1df
MC		 4932static int test_export_key_mat(int tst)
4933{
a599574b 4934 int testresult = 0;
2197d1df
MC		 4935 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4936 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 4937 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 4938 const unsigned char context[] = "context";
4939 const unsigned char *emptycontext = NULL;
4940 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4941 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 4942 size_t labellen;
a599574b
MC		 4943 const int protocols[] = {
4944 TLS1_VERSION,
4945 TLS1_1_VERSION,
4946 TLS1_2_VERSION,
0fb2815b
MC		 4947 TLS1_3_VERSION,
4948 TLS1_3_VERSION,
a599574b
MC		 4949 TLS1_3_VERSION
4950 };
2197d1df
MC		 4951
4952#ifdef OPENSSL_NO_TLS1
4953 if (tst == 0)
4954 return 1;
4955#endif
4956#ifdef OPENSSL_NO_TLS1_1
4957 if (tst == 1)
4958 return 1;
4959#endif
4f6c7044
MC		 4960 if (is_fips && (tst == 0 || tst == 1))
4961 return 1;
2197d1df
MC		 4962#ifdef OPENSSL_NO_TLS1_2
4963 if (tst == 2)
4964 return 1;
4965#endif
4966#ifdef OPENSSL_NO_TLS1_3
0fb2815b 4967 if (tst >= 3)
2197d1df
MC		 4968 return 1;
4969#endif
5e30f2fd
MC		 4970 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4971 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4972 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4973 goto end;
4974
a599574b
MC		 4975 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4976 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4977 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4978
4979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4980 NULL))
4981 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4982 SSL_ERROR_NONE)))
4983 goto end;
4984
0fb2815b
MC		 4985 if (tst == 5) {
4986 /*
4987 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4988 * go over that.
4989 */
4990 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4991 sizeof(ckeymat1), label,
4992 LONG_LABEL_LEN + 1, context,
4993 sizeof(context) - 1, 1), 0))
4994 goto end;
4995
4996 testresult = 1;
4997 goto end;
4998 } else if (tst == 4) {
4999 labellen = LONG_LABEL_LEN;
5000 } else {
5001 labellen = SMALL_LABEL_LEN;
5002 }
5003
2197d1df
MC		 5004 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5005 sizeof(ckeymat1), label,
0fb2815b 5006 labellen, context,
2197d1df
MC		 5007 sizeof(context) - 1, 1), 1)
5008 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5009 sizeof(ckeymat2), label,
0fb2815b 5010 labellen,
2197d1df
MC		 5011 emptycontext,
5012 0, 1), 1)
5013 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5014 sizeof(ckeymat3), label,
0fb2815b 5015 labellen,
2197d1df
MC		 5016 NULL, 0, 0), 1)
5017 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5018 sizeof(skeymat1), label,
0fb2815b 5019 labellen,
2197d1df
MC		 5020 context,
5021 sizeof(context) -1, 1),
5022 1)
5023 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5024 sizeof(skeymat2), label,
0fb2815b 5025 labellen,
2197d1df
MC		 5026 emptycontext,
5027 0, 1), 1)
5028 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5029 sizeof(skeymat3), label,
0fb2815b 5030 labellen,
2197d1df
MC		 5031 NULL, 0, 0), 1)
5032 /*
5033 * Check that both sides created the same key material with the
5034 * same context.
5035 */
5036 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5037 sizeof(skeymat1))
5038 /*
5039 * Check that both sides created the same key material with an
5040 * empty context.
5041 */
5042 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5043 sizeof(skeymat2))
5044 /*
5045 * Check that both sides created the same key material without a
5046 * context.
5047 */
5048 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5049 sizeof(skeymat3))
5050 /* Different contexts should produce different results */
5051 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5052 sizeof(ckeymat2)))
5053 goto end;
5054
5055 /*
5056 * Check that an empty context and no context produce different results in
5057 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5058 */
0fb2815b 5059 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5060 sizeof(ckeymat3)))
0fb2815b
MC		 5061 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5062 sizeof(ckeymat3))))
2197d1df
MC		 5063 goto end;
5064
5065 testresult = 1;
5066
5067 end:
5068 SSL_free(serverssl);
5069 SSL_free(clientssl);
5070 SSL_CTX_free(sctx2);
5071 SSL_CTX_free(sctx);
5072 SSL_CTX_free(cctx);
5073
5074 return testresult;
5075}
5076
b38ede80
TT		 5077#ifndef OPENSSL_NO_TLS1_3
5078/*
5079 * Test that SSL_export_keying_material_early() produces expected
5080 * results. There are no test vectors so all we do is test that both
5081 * sides of the communication produce the same results for different
5082 * protocol versions.
5083 */
5084static int test_export_key_mat_early(int idx)
5085{
5086 static const char label[] = "test label";
5087 static const unsigned char context[] = "context";
5088 int testresult = 0;
5089 SSL_CTX *cctx = NULL, *sctx = NULL;
5090 SSL *clientssl = NULL, *serverssl = NULL;
5091 SSL_SESSION *sess = NULL;
5092 const unsigned char *emptycontext = NULL;
5093 unsigned char ckeymat1[80], ckeymat2[80];
5094 unsigned char skeymat1[80], skeymat2[80];
5095 unsigned char buf[1];
5096 size_t readbytes, written;
5097
5098 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5099 &sess, idx)))
5100 goto end;
5101
5102 /* Here writing 0 length early data is enough. */
5103 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5104 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5105 &readbytes),
5106 SSL_READ_EARLY_DATA_ERROR)
5107 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5108 SSL_EARLY_DATA_ACCEPTED))
5109 goto end;
5110
5111 if (!TEST_int_eq(SSL_export_keying_material_early(
5112 clientssl, ckeymat1, sizeof(ckeymat1), label,
5113 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5114 || !TEST_int_eq(SSL_export_keying_material_early(
5115 clientssl, ckeymat2, sizeof(ckeymat2), label,
5116 sizeof(label) - 1, emptycontext, 0), 1)
5117 || !TEST_int_eq(SSL_export_keying_material_early(
5118 serverssl, skeymat1, sizeof(skeymat1), label,
5119 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5120 || !TEST_int_eq(SSL_export_keying_material_early(
5121 serverssl, skeymat2, sizeof(skeymat2), label,
5122 sizeof(label) - 1, emptycontext, 0), 1)
5123 /*
5124 * Check that both sides created the same key material with the
5125 * same context.
5126 */
5127 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5128 sizeof(skeymat1))
5129 /*
5130 * Check that both sides created the same key material with an
5131 * empty context.
5132 */
5133 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5134 sizeof(skeymat2))
5135 /* Different contexts should produce different results */
5136 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5137 sizeof(ckeymat2)))
5138 goto end;
5139
5140 testresult = 1;
5141
5142 end:
c20e3b28 5143 SSL_SESSION_free(sess);
b38ede80
TT		 5144 SSL_SESSION_free(clientpsk);
5145 SSL_SESSION_free(serverpsk);
34ff74eb 5146 clientpsk = serverpsk = NULL;
b38ede80
TT		 5147 SSL_free(serverssl);
5148 SSL_free(clientssl);
5149 SSL_CTX_free(sctx);
5150 SSL_CTX_free(cctx);
5151
5152 return testresult;
5153}
3409a5ff
MC		 5154
5155#define NUM_KEY_UPDATE_MESSAGES 40
5156/*
5157 * Test KeyUpdate.
5158 */
5159static int test_key_update(void)
5160{
5161 SSL_CTX *cctx = NULL, *sctx = NULL;
5162 SSL *clientssl = NULL, *serverssl = NULL;
5163 int testresult = 0, i, j;
5164 char buf[20];
5165 static char *mess = "A test message";
5166
5e30f2fd 5167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5168 TLS_client_method(),
5169 TLS1_3_VERSION,
5170 0,
5171 &sctx, &cctx, cert, privkey))
5172 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5173 NULL, NULL))
5174 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5175 SSL_ERROR_NONE)))
5176 goto end;
5177
5178 for (j = 0; j < 2; j++) {
5179 /* Send lots of KeyUpdate messages */
5180 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5181 if (!TEST_true(SSL_key_update(clientssl,
5182 (j == 0)
5183 ? SSL_KEY_UPDATE_NOT_REQUESTED
5184 : SSL_KEY_UPDATE_REQUESTED))
5185 || !TEST_true(SSL_do_handshake(clientssl)))
5186 goto end;
5187 }
5188
5189 /* Check that sending and receiving app data is ok */
5190 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5191 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5192 strlen(mess)))
5193 goto end;
a77b4dba
MC		 5194
5195 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5196 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5197 strlen(mess)))
5198 goto end;
3409a5ff
MC		 5199 }
5200
5201 testresult = 1;
5202
5203 end:
5204 SSL_free(serverssl);
5205 SSL_free(clientssl);
5206 SSL_CTX_free(sctx);
5207 SSL_CTX_free(cctx);
5208
5209 return testresult;
5210}
a77b4dba
MC		 5211
5212/*
5213 * Test we can handle a KeyUpdate (update requested) message while write data
5214 * is pending.
5215 * Test 0: Client sends KeyUpdate while Server is writing
5216 * Test 1: Server sends KeyUpdate while Client is writing
5217 */
5218static int test_key_update_in_write(int tst)
5219{
5220 SSL_CTX *cctx = NULL, *sctx = NULL;
5221 SSL *clientssl = NULL, *serverssl = NULL;
5222 int testresult = 0;
5223 char buf[20];
5224 static char *mess = "A test message";
5225 BIO *bretry = BIO_new(bio_s_always_retry());
5226 BIO *tmp = NULL;
5227 SSL *peerupdate = NULL, *peerwrite = NULL;
5228
5229 if (!TEST_ptr(bretry)
5e30f2fd 5230 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5231 TLS_client_method(),
5232 TLS1_3_VERSION,
5233 0,
5234 &sctx, &cctx, cert, privkey))
5235 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5236 NULL, NULL))
5237 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5238 SSL_ERROR_NONE)))
5239 goto end;
5240
5241 peerupdate = tst == 0 ? clientssl : serverssl;
5242 peerwrite = tst == 0 ? serverssl : clientssl;
5243
5244 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5245 || !TEST_true(SSL_do_handshake(peerupdate)))
5246 goto end;
5247
5248 /* Swap the writing endpoint's write BIO to force a retry */
5249 tmp = SSL_get_wbio(peerwrite);
5250 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5251 tmp = NULL;
5252 goto end;
5253 }
5254 SSL_set0_wbio(peerwrite, bretry);
5255 bretry = NULL;
5256
5257 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5258 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5259 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5260 goto end;
5261
5262 /* Reinstate the original writing endpoint's write BIO */
5263 SSL_set0_wbio(peerwrite, tmp);
5264 tmp = NULL;
5265
5266 /* Now read some data - we will read the key update */
5267 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5268 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5269 goto end;
5270
5271 /*
5272 * Complete the write we started previously and read it from the other
5273 * endpoint
5274 */
5275 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5276 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5277 goto end;
5278
5279 /* Write more data to ensure we send the KeyUpdate message back */
5280 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5281 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5282 goto end;
5283
5284 testresult = 1;
5285
5286 end:
5287 SSL_free(serverssl);
5288 SSL_free(clientssl);
5289 SSL_CTX_free(sctx);
5290 SSL_CTX_free(cctx);
5291 BIO_free(bretry);
5292 BIO_free(tmp);
5293
5294 return testresult;
5295}
b38ede80
TT		 5296#endif /* OPENSSL_NO_TLS1_3 */
5297
e11b6aa4
MC		 5298static int test_ssl_clear(int idx)
5299{
5300 SSL_CTX *cctx = NULL, *sctx = NULL;
5301 SSL *clientssl = NULL, *serverssl = NULL;
5302 int testresult = 0;
5303
5304#ifdef OPENSSL_NO_TLS1_2
5305 if (idx == 1)
5306 return 1;
5307#endif
5308
5309 /* Create an initial connection */
5e30f2fd
MC		 5310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5311 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5312 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5313 || (idx == 1
5314 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5315 TLS1_2_VERSION)))
5316 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5317 &clientssl, NULL, NULL))
5318 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5319 SSL_ERROR_NONE)))
5320 goto end;
5321
5322 SSL_shutdown(clientssl);
5323 SSL_shutdown(serverssl);
5324 SSL_free(serverssl);
5325 serverssl = NULL;
5326
5327 /* Clear clientssl - we're going to reuse the object */
5328 if (!TEST_true(SSL_clear(clientssl)))
5329 goto end;
5330
5331 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5332 NULL, NULL))
5333 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5334 SSL_ERROR_NONE))
5335 || !TEST_true(SSL_session_reused(clientssl)))
5336 goto end;
5337
5338 SSL_shutdown(clientssl);
5339 SSL_shutdown(serverssl);
5340
5341 testresult = 1;
5342
5343 end:
5344 SSL_free(serverssl);
5345 SSL_free(clientssl);
5346 SSL_CTX_free(sctx);
5347 SSL_CTX_free(cctx);
5348
5349 return testresult;
5350}
5351
cf72c757
F		 5352/* Parse CH and retrieve any MFL extension value if present */
5353static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5354{
5355 long len;
5356 unsigned char *data;
72962d02 5357 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5358 unsigned int MFL_code = 0, type = 0;
5359
5360 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5361 goto end;
5362
72962d02
P		 5363 memset(&pkt, 0, sizeof(pkt));
5364 memset(&pkt2, 0, sizeof(pkt2));
5365 memset(&pkt3, 0, sizeof(pkt3));
5366
cf72c757
F		 5367 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5368 /* Skip the record header */
5369 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5370 /* Skip the handshake message header */
5371 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5372 /* Skip client version and random */
5373 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5374 + SSL3_RANDOM_SIZE))
5375 /* Skip session id */
5376 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5377 /* Skip ciphers */
5378 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5379 /* Skip compression */
5380 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5381 /* Extensions len */
5382 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5383 goto end;
5384
5385 /* Loop through all extensions */
5386 while (PACKET_remaining(&pkt2)) {
5387 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5388 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5389 goto end;
5390
5391 if (type == TLSEXT_TYPE_max_fragment_length) {
5392 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5393 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5394 goto end;
5395
5396 *mfl_codemfl_code = MFL_code;
5397 return 1;
5398 }
5399 }
5400
5401 end:
5402 return 0;
5403}
5404
5405/* Maximum-Fragment-Length TLS extension mode to test */
5406static const unsigned char max_fragment_len_test[] = {
5407 TLSEXT_max_fragment_length_512,
5408 TLSEXT_max_fragment_length_1024,
5409 TLSEXT_max_fragment_length_2048,
5410 TLSEXT_max_fragment_length_4096
5411};
5412
5413static int test_max_fragment_len_ext(int idx_tst)
5414{
5415 SSL_CTX *ctx;
5416 SSL *con = NULL;
5417 int testresult = 0, MFL_mode = 0;
5418 BIO *rbio, *wbio;
5419
5e30f2fd 5420 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
cf72c757
F		 5421 if (!TEST_ptr(ctx))
5422 goto end;
5423
5424 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5425 ctx, max_fragment_len_test[idx_tst])))
5426 goto end;
5427
5428 con = SSL_new(ctx);
5429 if (!TEST_ptr(con))
5430 goto end;
5431
5432 rbio = BIO_new(BIO_s_mem());
5433 wbio = BIO_new(BIO_s_mem());
5434 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5435 BIO_free(rbio);
5436 BIO_free(wbio);
5437 goto end;
5438 }
5439
5440 SSL_set_bio(con, rbio, wbio);
5441 SSL_set_connect_state(con);
5442
5443 if (!TEST_int_le(SSL_connect(con), 0)) {
5444 /* This shouldn't succeed because we don't have a server! */
5445 goto end;
5446 }
5447
5448 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5449 /* no MFL in client hello */
5450 goto end;
5451 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5452 goto end;
5453
5454 testresult = 1;
5455
5456end:
5457 SSL_free(con);
5458 SSL_CTX_free(ctx);
5459
5460 return testresult;
5461}
5462
9d75dce3
TS		 5463#ifndef OPENSSL_NO_TLS1_3
5464static int test_pha_key_update(void)
5465{
5466 SSL_CTX *cctx = NULL, *sctx = NULL;
5467 SSL *clientssl = NULL, *serverssl = NULL;
5468 int testresult = 0;
5469
5e30f2fd
MC		 5470 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5471 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 5472 &sctx, &cctx, cert, privkey)))
5473 return 0;
5474
5475 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5476 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5477 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5478 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5479 goto end;
5480
e97be718 5481 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5482
5483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5484 NULL, NULL)))
5485 goto end;
5486
9d75dce3
TS		 5487 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5488 SSL_ERROR_NONE)))
5489 goto end;
5490
5491 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5492 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5493 goto end;
5494
5495 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5496 goto end;
5497
5498 /* Start handshake on the server */
5499 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5500 goto end;
5501
5502 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5503 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5504 SSL_ERROR_NONE)))
5505 goto end;
5506
5507 SSL_shutdown(clientssl);
5508 SSL_shutdown(serverssl);
5509
5510 testresult = 1;
5511
5512 end:
5513 SSL_free(serverssl);
5514 SSL_free(clientssl);
5515 SSL_CTX_free(sctx);
5516 SSL_CTX_free(cctx);
5517 return testresult;
5518}
5519#endif
5520
76fd7a1d
MC		 5521#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5522
5523static SRP_VBASE *vbase = NULL;
5524
852c2ed2
RS		 5525DEFINE_STACK_OF(SRP_user_pwd)
5526
76fd7a1d
MC		 5527static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5528{
5529 int ret = SSL3_AL_FATAL;
5530 char *username;
5531 SRP_user_pwd *user = NULL;
5532
5533 username = SSL_get_srp_username(s);
5534 if (username == NULL) {
5535 *ad = SSL_AD_INTERNAL_ERROR;
5536 goto err;
5537 }
5538
5539 user = SRP_VBASE_get1_by_user(vbase, username);
5540 if (user == NULL) {
5541 *ad = SSL_AD_INTERNAL_ERROR;
5542 goto err;
5543 }
5544
5545 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5546 user->info) <= 0) {
5547 *ad = SSL_AD_INTERNAL_ERROR;
5548 goto err;
5549 }
5550
5551 ret = 0;
5552
5553 err:
5554 SRP_user_pwd_free(user);
5555 return ret;
5556}
5557
5558static int create_new_vfile(char *userid, char *password, const char *filename)
5559{
5560 char *gNid = NULL;
5561 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5562 TXT_DB *db = NULL;
5563 int ret = 0;
5564 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5565 size_t i;
5566
5567 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5568 goto end;
5569
20c00d0a 5570 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 5571 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 5572 if (!TEST_ptr(gNid))
5573 goto end;
5574
5575 /*
5576 * The only way to create an empty TXT_DB is to provide a BIO with no data
5577 * in it!
5578 */
5579 db = TXT_DB_read(dummy, DB_NUMBER);
5580 if (!TEST_ptr(db))
5581 goto end;
5582
5583 out = BIO_new_file(filename, "w");
5584 if (!TEST_ptr(out))
5585 goto end;
5586
5587 row[DB_srpid] = OPENSSL_strdup(userid);
5588 row[DB_srptype] = OPENSSL_strdup("V");
5589 row[DB_srpgN] = OPENSSL_strdup(gNid);
5590
5591 if (!TEST_ptr(row[DB_srpid])
5592 || !TEST_ptr(row[DB_srptype])
5593 || !TEST_ptr(row[DB_srpgN])
5594 || !TEST_true(TXT_DB_insert(db, row)))
5595 goto end;
5596
5597 row = NULL;
5598
5599 if (!TXT_DB_write(out, db))
5600 goto end;
5601
5602 ret = 1;
5603 end:
5604 if (row != NULL) {
5605 for (i = 0; i < DB_NUMBER; i++)
5606 OPENSSL_free(row[i]);
5607 }
5608 OPENSSL_free(row);
5609 BIO_free(dummy);
5610 BIO_free(out);
5611 TXT_DB_free(db);
5612
5613 return ret;
5614}
5615
5616static int create_new_vbase(char *userid, char *password)
5617{
5618 BIGNUM *verifier = NULL, *salt = NULL;
5619 const SRP_gN *lgN = NULL;
5620 SRP_user_pwd *user_pwd = NULL;
5621 int ret = 0;
5622
5623 lgN = SRP_get_default_gN(NULL);
5624 if (!TEST_ptr(lgN))
5625 goto end;
5626
20c00d0a 5627 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 5628 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 5629 goto end;
5630
5631 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
5632 if (!TEST_ptr(user_pwd))
5633 goto end;
5634
5635 user_pwd->N = lgN->N;
5636 user_pwd->g = lgN->g;
5637 user_pwd->id = OPENSSL_strdup(userid);
5638 if (!TEST_ptr(user_pwd->id))
5639 goto end;
5640
5641 user_pwd->v = verifier;
5642 user_pwd->s = salt;
5643 verifier = salt = NULL;
5644
5645 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
5646 goto end;
5647 user_pwd = NULL;
5648
5649 ret = 1;
5650end:
5651 SRP_user_pwd_free(user_pwd);
5652 BN_free(salt);
5653 BN_free(verifier);
5654
5655 return ret;
5656}
5657
5658/*
5659 * SRP tests
5660 *
5661 * Test 0: Simple successful SRP connection, new vbase
5662 * Test 1: Connection failure due to bad password, new vbase
5663 * Test 2: Simple successful SRP connection, vbase loaded from existing file
5664 * Test 3: Connection failure due to bad password, vbase loaded from existing
5665 * file
5666 * Test 4: Simple successful SRP connection, vbase loaded from new file
5667 * Test 5: Connection failure due to bad password, vbase loaded from new file
5668 */
5669static int test_srp(int tst)
5670{
5671 char *userid = "test", *password = "password", *tstsrpfile;
5672 SSL_CTX *cctx = NULL, *sctx = NULL;
5673 SSL *clientssl = NULL, *serverssl = NULL;
5674 int ret, testresult = 0;
5675
5676 vbase = SRP_VBASE_new(NULL);
5677 if (!TEST_ptr(vbase))
5678 goto end;
5679
5680 if (tst == 0 || tst == 1) {
5681 if (!TEST_true(create_new_vbase(userid, password)))
5682 goto end;
5683 } else {
5684 if (tst == 4 || tst == 5) {
5685 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
5686 goto end;
5687 tstsrpfile = tmpfilename;
5688 } else {
5689 tstsrpfile = srpvfile;
5690 }
5691 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
5692 goto end;
5693 }
5694
5e30f2fd
MC		 5695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5696 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 5697 &sctx, &cctx, cert, privkey)))
5698 goto end;
5699
5700 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
5701 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
5702 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
5703 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
5704 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
5705 goto end;
5706
5707 if (tst % 2 == 1) {
5708 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
5709 goto end;
5710 } else {
5711 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
5712 goto end;
5713 }
5714
5715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5716 NULL, NULL)))
5717 goto end;
5718
5719 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5720 if (ret) {
5721 if (!TEST_true(tst % 2 == 0))
5722 goto end;
5723 } else {
5724 if (!TEST_true(tst % 2 == 1))
5725 goto end;
5726 }
5727
5728 testresult = 1;
5729
5730 end:
5731 SRP_VBASE_free(vbase);
5732 vbase = NULL;
5733 SSL_free(serverssl);
5734 SSL_free(clientssl);
5735 SSL_CTX_free(sctx);
5736 SSL_CTX_free(cctx);
5737
5738 return testresult;
5739}
5740#endif
5741
5718fe45
MC		 5742static int info_cb_failed = 0;
5743static int info_cb_offset = 0;
5744static int info_cb_this_state = -1;
5745
5746static struct info_cb_states_st {
5747 int where;
5748 const char *statestr;
5749} info_cb_states[][60] = {
5750 {
5751 /* TLSv1.2 server followed by resumption */
5752 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5753 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5754 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
5755 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
5756 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
5757 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5758 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5759 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5760 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
5761 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5762 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
5763 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5764 {SSL_CB_EXIT, NULL}, {0, NULL},
5765 }, {
5766 /* TLSv1.2 client followed by resumption */
5767 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5768 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5769 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
5770 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
5771 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
5772 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5773 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5774 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5775 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5776 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
5777 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5778 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
5779 }, {
5780 /* TLSv1.3 server followed by resumption */
5781 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5782 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5783 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
5784 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5785 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 5786 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5787 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
5788 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5789 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5790 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5791 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
5792 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5793 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5794 }, {
5795 /* TLSv1.3 client followed by resumption */
5796 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5797 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
5798 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
5799 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
5800 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5801 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5802 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
5803 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 5804 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
5805 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5806 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5807 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
5808 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 5809 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
5810 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5811 }, {
5812 /* TLSv1.3 server, early_data */
5813 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5814 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5815 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
5816 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5817 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5818 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 5819 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 5820 {SSL_CB_EXIT, NULL}, {0, NULL},
5821 }, {
5822 /* TLSv1.3 client, early_data */
5823 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
5824 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
5825 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5826 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
5827 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
5828 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
5829 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 5830 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
5831 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 5832 }, {
5833 {0, NULL},
5834 }
5835};
5836
5837static void sslapi_info_callback(const SSL *s, int where, int ret)
5838{
5839 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
5840
5841 /* We do not ever expect a connection to fail in this test */
5842 if (!TEST_false(ret == 0)) {
5843 info_cb_failed = 1;
5844 return;
5845 }
5846
5847 /*
5848 * Do some sanity checks. We never expect these things to happen in this
5849 * test
5850 */
5851 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
5852 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
5853 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5854 info_cb_failed = 1;
5855 return;
5856 }
5857
5858 /* Now check we're in the right state */
5859 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5860 info_cb_failed = 1;
5861 return;
5862 }
5863 if ((where & SSL_CB_LOOP) != 0
5864 && !TEST_int_eq(strcmp(SSL_state_string(s),
5865 state[info_cb_this_state].statestr), 0)) {
5866 info_cb_failed = 1;
5867 return;
5868 }
033c181b 5869
4af5836b
MC		 5870 /*
5871 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
5872 */
5873 if ((where & SSL_CB_HANDSHAKE_DONE)
5874 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 5875 info_cb_failed = 1;
5876 return;
5877 }
5718fe45
MC		 5878}
5879
5880/*
5881 * Test the info callback gets called when we expect it to.
5882 *
5883 * Test 0: TLSv1.2, server
5884 * Test 1: TLSv1.2, client
5885 * Test 2: TLSv1.3, server
5886 * Test 3: TLSv1.3, client
5887 * Test 4: TLSv1.3, server, early_data
5888 * Test 5: TLSv1.3, client, early_data
5889 */
5890static int test_info_callback(int tst)
5891{
5892 SSL_CTX *cctx = NULL, *sctx = NULL;
5893 SSL *clientssl = NULL, *serverssl = NULL;
5894 SSL_SESSION *clntsess = NULL;
5895 int testresult = 0;
5896 int tlsvers;
5897
5898 if (tst < 2) {
1aac20f5
MC		 5899/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5900#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5901 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 5902 tlsvers = TLS1_2_VERSION;
5903#else
5904 return 1;
5905#endif
5906 } else {
5907#ifndef OPENSSL_NO_TLS1_3
5908 tlsvers = TLS1_3_VERSION;
5909#else
5910 return 1;
5911#endif
5912 }
5913
5914 /* Reset globals */
5915 info_cb_failed = 0;
5916 info_cb_this_state = -1;
5917 info_cb_offset = tst;
5918
6e07834c 5919#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 5920 if (tst >= 4) {
5921 SSL_SESSION *sess = NULL;
5922 size_t written, readbytes;
5923 unsigned char buf[80];
5924
5925 /* early_data tests */
5926 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5927 &serverssl, &sess, 0)))
5928 goto end;
5929
5930 /* We don't actually need this reference */
5931 SSL_SESSION_free(sess);
5932
5933 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5934 sslapi_info_callback);
5935
5936 /* Write and read some early data and then complete the connection */
5937 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5938 &written))
5939 || !TEST_size_t_eq(written, strlen(MSG1))
5940 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5941 sizeof(buf), &readbytes),
5942 SSL_READ_EARLY_DATA_SUCCESS)
5943 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5944 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5945 SSL_EARLY_DATA_ACCEPTED)
5946 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5947 SSL_ERROR_NONE))
5948 || !TEST_false(info_cb_failed))
5949 goto end;
5950
5951 testresult = 1;
5952 goto end;
5953 }
6e07834c 5954#endif
5718fe45 5955
5e30f2fd 5956 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 5957 TLS_client_method(),
5958 tlsvers, tlsvers, &sctx, &cctx, cert,
5959 privkey)))
5960 goto end;
5961
5962 /*
5963 * For even numbered tests we check the server callbacks. For odd numbers we
5964 * check the client.
5965 */
5966 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5967 sslapi_info_callback);
5968
5969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5970 &clientssl, NULL, NULL))
5971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5972 SSL_ERROR_NONE))
5973 || !TEST_false(info_cb_failed))
5974 goto end;
5975
5976
5977
5978 clntsess = SSL_get1_session(clientssl);
5979 SSL_shutdown(clientssl);
5980 SSL_shutdown(serverssl);
5981 SSL_free(serverssl);
5982 SSL_free(clientssl);
5983 serverssl = clientssl = NULL;
5984
5985 /* Now do a resumption */
5986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5987 NULL))
5988 || !TEST_true(SSL_set_session(clientssl, clntsess))
5989 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5990 SSL_ERROR_NONE))
5991 || !TEST_true(SSL_session_reused(clientssl))
5992 || !TEST_false(info_cb_failed))
5993 goto end;
5994
5995 testresult = 1;
5996
5997 end:
5998 SSL_free(serverssl);
5999 SSL_free(clientssl);
6000 SSL_SESSION_free(clntsess);
6001 SSL_CTX_free(sctx);
6002 SSL_CTX_free(cctx);
6003 return testresult;
6004}
6005
4a432af8
MC		 6006static int test_ssl_pending(int tst)
6007{
6008 SSL_CTX *cctx = NULL, *sctx = NULL;
6009 SSL *clientssl = NULL, *serverssl = NULL;
6010 int testresult = 0;
6011 char msg[] = "A test message";
6012 char buf[5];
6013 size_t written, readbytes;
6014
6015 if (tst == 0) {
5e30f2fd 6016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6017 TLS_client_method(),
5c587fb6 6018 TLS1_VERSION, 0,
4a432af8
MC		 6019 &sctx, &cctx, cert, privkey)))
6020 goto end;
6021 } else {
6022#ifndef OPENSSL_NO_DTLS
5e30f2fd 6023 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6024 DTLS_client_method(),
5c587fb6 6025 DTLS1_VERSION, 0,
4a432af8
MC		 6026 &sctx, &cctx, cert, privkey)))
6027 goto end;
6028#else
6029 return 1;
6030#endif
6031 }
6032
6033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6034 NULL, NULL))
6035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6036 SSL_ERROR_NONE)))
6037 goto end;
6038
e8251092
MC		 6039 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6040 || !TEST_false(SSL_has_pending(clientssl))
6041 || !TEST_int_eq(SSL_pending(serverssl), 0)
6042 || !TEST_false(SSL_has_pending(serverssl))
6043 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6044 || !TEST_size_t_eq(written, sizeof(msg))
6045 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6046 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6047 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6048 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6049 goto end;
6050
6051 testresult = 1;
6052
6053 end:
6054 SSL_free(serverssl);
6055 SSL_free(clientssl);
6056 SSL_CTX_free(sctx);
6057 SSL_CTX_free(cctx);
6058
6059 return testresult;
6060}
6061
e401389a
MC		 6062static struct {
6063 unsigned int maxprot;
6064 const char *clntciphers;
6065 const char *clnttls13ciphers;
6066 const char *srvrciphers;
6067 const char *srvrtls13ciphers;
6068 const char *shared;
6069} shared_ciphers_data[] = {
60155b9a
MC		 6070/*
6071 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6072 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6073 */
6074#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6075 {
6076 TLS1_2_VERSION,
6077 "AES128-SHA:AES256-SHA",
6078 NULL,
6079 "AES256-SHA:DHE-RSA-AES128-SHA",
6080 NULL,
6081 "AES256-SHA"
6082 },
6083 {
6084 TLS1_2_VERSION,
6085 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6086 NULL,
6087 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6088 NULL,
6089 "AES128-SHA:AES256-SHA"
6090 },
6091 {
6092 TLS1_2_VERSION,
6093 "AES128-SHA:AES256-SHA",
6094 NULL,
6095 "AES128-SHA:DHE-RSA-AES128-SHA",
6096 NULL,
6097 "AES128-SHA"
6098 },
60155b9a
MC		 6099#endif
6100/*
6101 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6102 * enabled.
6103 */
6104#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6105 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6106 {
6107 TLS1_3_VERSION,
6108 "AES128-SHA:AES256-SHA",
6109 NULL,
6110 "AES256-SHA:AES128-SHA256",
6111 NULL,
6112 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
6113 "TLS_AES_128_GCM_SHA256:AES256-SHA"
6114 },
60155b9a
MC		 6115#endif
6116#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6117 {
6118 TLS1_3_VERSION,
6119 "AES128-SHA",
6120 "TLS_AES_256_GCM_SHA384",
6121 "AES256-SHA",
6122 "TLS_AES_256_GCM_SHA384",
6123 "TLS_AES_256_GCM_SHA384"
6124 },
6125#endif
6126};
6127
6128static int test_ssl_get_shared_ciphers(int tst)
6129{
6130 SSL_CTX *cctx = NULL, *sctx = NULL;
6131 SSL *clientssl = NULL, *serverssl = NULL;
6132 int testresult = 0;
6133 char buf[1024];
6134
5e30f2fd 6135 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6136 TLS_client_method(),
6137 TLS1_VERSION,
6138 shared_ciphers_data[tst].maxprot,
6139 &sctx, &cctx, cert, privkey)))
6140 goto end;
6141
6142 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6143 shared_ciphers_data[tst].clntciphers))
6144 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6145 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6146 shared_ciphers_data[tst].clnttls13ciphers)))
6147 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6148 shared_ciphers_data[tst].srvrciphers))
6149 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6150 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6151 shared_ciphers_data[tst].srvrtls13ciphers))))
6152 goto end;
6153
6154
6155 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6156 NULL, NULL))
6157 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6158 SSL_ERROR_NONE)))
6159 goto end;
6160
6161 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
6162 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
6163 TEST_info("Shared ciphers are: %s\n", buf);
6164 goto end;
6165 }
6166
6167 testresult = 1;
6168
6169 end:
6170 SSL_free(serverssl);
6171 SSL_free(clientssl);
6172 SSL_CTX_free(sctx);
6173 SSL_CTX_free(cctx);
6174
6175 return testresult;
6176}
6177
d0191fe0 6178static const char *appdata = "Hello World";
61fb5923
MC		 6179static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6180static int tick_key_renew = 0;
6181static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6182
6183static int gen_tick_cb(SSL *s, void *arg)
6184{
6185 gen_tick_called = 1;
6186
6187 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6188 strlen(appdata));
6189}
6190
6191static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6192 const unsigned char *keyname,
6193 size_t keyname_length,
61fb5923
MC		 6194 SSL_TICKET_STATUS status,
6195 void *arg)
d0191fe0
MC		 6196{
6197 void *tickdata;
6198 size_t tickdlen;
6199
6200 dec_tick_called = 1;
6201
61fb5923
MC		 6202 if (status == SSL_TICKET_EMPTY)
6203 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6204
61fb5923
MC		 6205 if (!TEST_true(status == SSL_TICKET_SUCCESS
6206 || status == SSL_TICKET_SUCCESS_RENEW))
6207 return SSL_TICKET_RETURN_ABORT;
6208
6209 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6210 &tickdlen))
d0191fe0
MC		 6211 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6212 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6213 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6214
61fb5923
MC		 6215 if (tick_key_cb_called) {
6216 /* Don't change what the ticket key callback wanted to do */
6217 switch (status) {
6218 case SSL_TICKET_NO_DECRYPT:
6219 return SSL_TICKET_RETURN_IGNORE_RENEW;
6220
6221 case SSL_TICKET_SUCCESS:
6222 return SSL_TICKET_RETURN_USE;
d0191fe0 6223
61fb5923
MC		 6224 case SSL_TICKET_SUCCESS_RENEW:
6225 return SSL_TICKET_RETURN_USE_RENEW;
6226
6227 default:
6228 return SSL_TICKET_RETURN_ABORT;
6229 }
6230 }
6231 return tick_dec_ret;
6232
6233}
d0191fe0 6234
a76ce286 6235#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6236static int tick_key_cb(SSL *s, unsigned char key_name[16],
6237 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6238 HMAC_CTX *hctx, int enc)
6239{
6240 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6241 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6242 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6243 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6244 int ret;
d0191fe0 6245
61fb5923 6246 tick_key_cb_called = 1;
d0191fe0
MC		 6247 memset(iv, 0, AES_BLOCK_SIZE);
6248 memset(key_name, 0, 16);
5e30f2fd
MC		 6249 if (aes128cbc == NULL
6250 || sha256 == NULL
6251 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6252 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6253 NULL))
6254 ret = -1;
6255 else
6256 ret = tick_key_renew ? 2 : 1;
d0191fe0 6257
5e30f2fd
MC		 6258 EVP_CIPHER_free(aes128cbc);
6259 EVP_MD_free(sha256);
6260
6261 return ret;
d0191fe0 6262}
a76ce286
P		 6263#endif
6264
6265static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6266 unsigned char iv[EVP_MAX_IV_LENGTH],
6267 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6268{
6269 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6270 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6271 OSSL_PARAM params[3];
5e30f2fd
MC		 6272 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6273 int ret;
a76ce286
P		 6274
6275 tick_key_cb_called = 1;
6276 memset(iv, 0, AES_BLOCK_SIZE);
6277 memset(key_name, 0, 16);
6278 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6279 "SHA256", 0);
6280 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6281 tick_hmac_key,
6282 sizeof(tick_hmac_key));
6283 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6284 if (aes128cbc == NULL
6285 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
a76ce286
P		 6286 || !EVP_MAC_CTX_set_params(hctx, params)
6287 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6288 ret = -1;
6289 else
6290 ret = tick_key_renew ? 2 : 1;
6291
6292 EVP_CIPHER_free(aes128cbc);
a76ce286 6293
5e30f2fd 6294 return ret;
a76ce286 6295}
d0191fe0
MC		 6296
6297/*
6298 * Test the various ticket callbacks
61fb5923
MC		 6299 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6300 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6301 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6302 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6303 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6304 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6305 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6306 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6307 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6308 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6309 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6310 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6311 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6312 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6313 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6314 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6315 */
6316static int test_ticket_callbacks(int tst)
6317{
6318 SSL_CTX *cctx = NULL, *sctx = NULL;
6319 SSL *clientssl = NULL, *serverssl = NULL;
6320 SSL_SESSION *clntsess = NULL;
6321 int testresult = 0;
6322
6323#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6324 if (tst % 2 == 0)
d0191fe0
MC		 6325 return 1;
6326#endif
6327#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6328 if (tst % 2 == 1)
d0191fe0
MC		 6329 return 1;
6330#endif
a76ce286
P		 6331#ifdef OPENSSL_NO_DEPRECATED_3_0
6332 if (tst >= 8 && tst <= 11)
6333 return 1;
6334#endif
d0191fe0 6335
61fb5923 6336 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6337
6338 /* Which tests the ticket key callback should request renewal for */
a76ce286 6339 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6340 tick_key_renew = 1;
d0191fe0 6341 else
61fb5923
MC		 6342 tick_key_renew = 0;
6343
6344 /* Which tests the decrypt ticket callback should request renewal for */
6345 switch (tst) {
6346 case 0:
6347 case 1:
6348 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6349 break;
6350
6351 case 2:
6352 case 3:
6353 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6354 break;
6355
6356 case 4:
6357 case 5:
6358 tick_dec_ret = SSL_TICKET_RETURN_USE;
6359 break;
6360
6361 case 6:
6362 case 7:
6363 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6364 break;
6365
6366 default:
6367 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6368 }
d0191fe0 6369
5e30f2fd 6370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 6371 TLS_client_method(),
6372 TLS1_VERSION,
61fb5923
MC		 6373 ((tst % 2) == 0) ? TLS1_2_VERSION
6374 : TLS1_3_VERSION,
d0191fe0
MC		 6375 &sctx, &cctx, cert, privkey)))
6376 goto end;
6377
61fb5923
MC		 6378 /*
6379 * We only want sessions to resume from tickets - not the session cache. So
6380 * switch the cache off.
6381 */
6382 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6383 goto end;
6384
d0191fe0
MC		 6385 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6386 NULL)))
6387 goto end;
6388
a76ce286
P		 6389 if (tst >= 12) {
6390 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6391 goto end;
6392#ifndef OPENSSL_NO_DEPRECATED_3_0
6393 } else if (tst >= 8) {
6394 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6395 goto end;
6396#endif
6397 }
d0191fe0
MC		 6398
6399 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6400 NULL, NULL))
6401 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6402 SSL_ERROR_NONE)))
6403 goto end;
6404
61fb5923
MC		 6405 /*
6406 * The decrypt ticket key callback in TLSv1.2 should be called even though
6407 * we have no ticket yet, because it gets called with a status of
6408 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6409 * actually send any ticket data). This does not happen in TLSv1.3 because
6410 * it is not valid to send empty ticket data in TLSv1.3.
6411 */
d0191fe0 6412 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6413 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6414 goto end;
6415
6416 gen_tick_called = dec_tick_called = 0;
6417
6418 clntsess = SSL_get1_session(clientssl);
6419 SSL_shutdown(clientssl);
6420 SSL_shutdown(serverssl);
6421 SSL_free(serverssl);
6422 SSL_free(clientssl);
6423 serverssl = clientssl = NULL;
6424
6425 /* Now do a resumption */
6426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6427 NULL))
6428 || !TEST_true(SSL_set_session(clientssl, clntsess))
6429 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6430 SSL_ERROR_NONE)))
d0191fe0
MC		 6431 goto end;
6432
61fb5923
MC		 6433 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6434 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6435 if (!TEST_false(SSL_session_reused(clientssl)))
6436 goto end;
6437 } else {
6438 if (!TEST_true(SSL_session_reused(clientssl)))
6439 goto end;
6440 }
6441
d0191fe0 6442 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6443 (tick_key_renew
6444 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6445 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6446 ? 1 : 0)
d0191fe0
MC		 6447 || !TEST_int_eq(dec_tick_called, 1))
6448 goto end;
6449
6450 testresult = 1;
6451
6452 end:
6453 SSL_SESSION_free(clntsess);
6454 SSL_free(serverssl);
6455 SSL_free(clientssl);
6456 SSL_CTX_free(sctx);
6457 SSL_CTX_free(cctx);
6458
6459 return testresult;
6460}
6461
c748834f
MC		 6462/*
6463 * Test bi-directional shutdown.
6464 * Test 0: TLSv1.2
6465 * Test 1: TLSv1.2, server continues to read/write after client shutdown
6466 * Test 2: TLSv1.3, no pending NewSessionTicket messages
6467 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 6468 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
6469 * sends key update, client reads it
57d7b988
MC		 6470 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
6471 * sends CertificateRequest, client reads and ignores it
6472 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 6473 * doesn't read it
6474 */
6475static int test_shutdown(int tst)
6476{
6477 SSL_CTX *cctx = NULL, *sctx = NULL;
6478 SSL *clientssl = NULL, *serverssl = NULL;
6479 int testresult = 0;
6480 char msg[] = "A test message";
6481 char buf[80];
6482 size_t written, readbytes;
80eff008 6483 SSL_SESSION *sess;
c748834f
MC		 6484
6485#ifdef OPENSSL_NO_TLS1_2
a97d19f7 6486 if (tst <= 1)
c748834f
MC		 6487 return 1;
6488#endif
6489#ifdef OPENSSL_NO_TLS1_3
a97d19f7 6490 if (tst >= 2)
c748834f
MC		 6491 return 1;
6492#endif
6493
5e30f2fd 6494 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 6495 TLS_client_method(),
6496 TLS1_VERSION,
6497 (tst <= 1) ? TLS1_2_VERSION
6498 : TLS1_3_VERSION,
57d7b988
MC		 6499 &sctx, &cctx, cert, privkey)))
6500 goto end;
6501
6502 if (tst == 5)
6503 SSL_CTX_set_post_handshake_auth(cctx, 1);
6504
6505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 6506 NULL, NULL)))
6507 goto end;
6508
6509 if (tst == 3) {
6510 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 6511 SSL_ERROR_NONE, 1))
80eff008
KR		 6512 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6513 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 6514 goto end;
6515 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 6516 SSL_ERROR_NONE))
6517 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6518 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 6519 goto end;
6520 }
6521
6522 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
6523 goto end;
6524
6525 if (tst >= 4) {
6526 /*
6527 * Reading on the server after the client has sent close_notify should
6528 * fail and provide SSL_ERROR_ZERO_RETURN
6529 */
6530 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
6531 || !TEST_int_eq(SSL_get_error(serverssl, 0),
6532 SSL_ERROR_ZERO_RETURN)
6533 || !TEST_int_eq(SSL_get_shutdown(serverssl),
6534 SSL_RECEIVED_SHUTDOWN)
6535 /*
6536 * Even though we're shutdown on receive we should still be
6537 * able to write.
6538 */
80eff008
KR		 6539 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
6540 goto end;
57d7b988
MC		 6541 if (tst == 4
6542 && !TEST_true(SSL_key_update(serverssl,
6543 SSL_KEY_UPDATE_REQUESTED)))
6544 goto end;
6545 if (tst == 5) {
6546 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6547 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6548 goto end;
6549 }
6550 if ((tst == 4 || tst == 5)
6551 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 6552 goto end;
6553 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 6554 goto end;
57d7b988 6555 if (tst == 4 || tst == 5) {
80eff008 6556 /* Should still be able to read data from server */
c748834f 6557 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 6558 &readbytes))
6559 || !TEST_size_t_eq(readbytes, sizeof(msg))
6560 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
6561 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
6562 &readbytes))
c748834f
MC		 6563 || !TEST_size_t_eq(readbytes, sizeof(msg))
6564 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
6565 goto end;
6566 }
6567 }
6568
6569 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 6570 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 6571 goto end;
6572
6573 if (tst < 4) {
6574 /*
6575 * For these tests the client has sent close_notify but it has not yet
6576 * been received by the server. The server has not sent close_notify
6577 * yet.
6578 */
6579 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 6580 /*
6581 * Writing on the server after sending close_notify shouldn't
6582 * be possible.
6583 */
6584 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 6585 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 6586 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6587 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 6588 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
6589 goto end;
57d7b988 6590 } else if (tst == 4 || tst == 5) {
c748834f
MC		 6591 /*
6592 * In this test the client has sent close_notify and it has been
6593 * received by the server which has responded with a close_notify. The
358ffa05 6594 * client needs to read the close_notify sent by the server.
c748834f 6595 */
80eff008
KR		 6596 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
6597 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
6598 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 6599 goto end;
358ffa05
MC		 6600 } else {
6601 /*
57d7b988 6602 * tst == 6
358ffa05
MC		 6603 *
6604 * The client has sent close_notify and is expecting a close_notify
6605 * back, but instead there is application data first. The shutdown
6606 * should fail with a fatal error.
6607 */
6608 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
6609 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
6610 goto end;
c748834f
MC		 6611 }
6612
6613 testresult = 1;
6614
6615 end:
6616 SSL_free(serverssl);
6617 SSL_free(clientssl);
6618 SSL_CTX_free(sctx);
6619 SSL_CTX_free(cctx);
6620
6621 return testresult;
6622}
6623
7f1d923a 6624#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 6625static int cert_cb_cnt;
6626
6627static int cert_cb(SSL *s, void *arg)
6628{
6629 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 6630 BIO *in = NULL;
6631 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 6632 X509 *x509 = NULL, *rootx = NULL;
6633 STACK_OF(X509) *chain = NULL;
6634 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
6635 int ret = 0;
cd6fe29f
MC		 6636
6637 if (cert_cb_cnt == 0) {
6638 /* Suspend the handshake */
6639 cert_cb_cnt++;
6640 return -1;
6641 } else if (cert_cb_cnt == 1) {
6642 /*
6643 * Update the SSL_CTX, set the certificate and private key and then
6644 * continue the handshake normally.
6645 */
6646 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
6647 return 0;
6648
6649 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
6650 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
6651 SSL_FILETYPE_PEM))
6652 || !TEST_true(SSL_check_private_key(s)))
6653 return 0;
6654 cert_cb_cnt++;
6655 return 1;
7cb8fb07
BK		 6656 } else if (cert_cb_cnt == 3) {
6657 int rv;
1a2a3a42
MC		 6658
6659 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
6660 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
6661 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
6662 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
6663 goto out;
6664 chain = sk_X509_new_null();
6665 if (!TEST_ptr(chain))
6666 goto out;
7cb8fb07 6667 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42
MC		 6668 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6669 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
6670 || !TEST_true(sk_X509_push(chain, rootx)))
6671 goto out;
6672 rootx = NULL;
6673 BIO_free(in);
6674 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
6675 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7cb8fb07
BK		 6676 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
6677 goto out;
6678 BIO_free(in);
6679 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 6680 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 6681 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
6682 goto out;
1a2a3a42 6683 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 6684 /*
6685 * If the cert doesn't show as valid here (e.g., because we don't
6686 * have any shared sigalgs), then we will not set it, and there will
6687 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
6688 * will cause tls_choose_sigalgs() to fail the connection.
6689 */
1a2a3a42
MC		 6690 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
6691 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 6692 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
6693 goto out;
6694 }
1a2a3a42
MC		 6695
6696 ret = 1;
cd6fe29f
MC		 6697 }
6698
6699 /* Abort the handshake */
7cb8fb07 6700 out:
1a2a3a42
MC		 6701 OPENSSL_free(ecdsacert);
6702 OPENSSL_free(ecdsakey);
6703 OPENSSL_free(rootfile);
7cb8fb07
BK		 6704 BIO_free(in);
6705 EVP_PKEY_free(pkey);
6706 X509_free(x509);
1a2a3a42
MC		 6707 X509_free(rootx);
6708 sk_X509_pop_free(chain, X509_free);
6709 return ret;
cd6fe29f
MC		 6710}
6711
6712/*
6713 * Test the certificate callback.
6714 * Test 0: Callback fails
6715 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
6716 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 6717 * Test 3: Success - Call SSL_check_chain from the callback
6718 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
6719 * chain
6720 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 6721 */
6722static int test_cert_cb_int(int prot, int tst)
6723{
6724 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
6725 SSL *clientssl = NULL, *serverssl = NULL;
6726 int testresult = 0, ret;
6727
1a2a3a42
MC		 6728#ifdef OPENSSL_NO_EC
6729 /* We use an EC cert in these tests, so we skip in a no-ec build */
6730 if (tst >= 3)
6731 return 1;
6732#endif
6733
5e30f2fd 6734 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 6735 TLS_client_method(),
6736 TLS1_VERSION,
6737 prot,
6738 &sctx, &cctx, NULL, NULL)))
6739 goto end;
6740
6741 if (tst == 0)
6742 cert_cb_cnt = -1;
1a2a3a42 6743 else if (tst >= 3)
7cb8fb07 6744 cert_cb_cnt = 3;
cd6fe29f
MC		 6745 else
6746 cert_cb_cnt = 0;
1a2a3a42 6747
cd6fe29f
MC		 6748 if (tst == 2)
6749 snictx = SSL_CTX_new(TLS_server_method());
6750 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
6751
6752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6753 NULL, NULL)))
6754 goto end;
6755
1a2a3a42
MC		 6756 if (tst == 4) {
6757 /*
6758 * We cause SSL_check_chain() to fail by specifying sig_algs that
6759 * the chain doesn't meet (the root uses an RSA cert)
6760 */
6761 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6762 "ecdsa_secp256r1_sha256")))
6763 goto end;
6764 } else if (tst == 5) {
6765 /*
6766 * We cause SSL_check_chain() to fail by specifying sig_algs that
6767 * the ee cert doesn't meet (the ee uses an ECDSA cert)
6768 */
6769 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
6770 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
6771 goto end;
6772 }
6773
cd6fe29f 6774 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 6775 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 6776 || (tst > 0
6777 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 6778 goto end;
6779 }
6780
6781 testresult = 1;
6782
6783 end:
6784 SSL_free(serverssl);
6785 SSL_free(clientssl);
6786 SSL_CTX_free(sctx);
6787 SSL_CTX_free(cctx);
6788 SSL_CTX_free(snictx);
6789
6790 return testresult;
6791}
7f1d923a 6792#endif
cd6fe29f
MC		 6793
6794static int test_cert_cb(int tst)
6795{
6796 int testresult = 1;
6797
6798#ifndef OPENSSL_NO_TLS1_2
6799 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
6800#endif
7f1d923a 6801#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 6802 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
6803#endif
6804
6805 return testresult;
6806}
6807
6e46c065
MC		 6808static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
6809{
6810 X509 *xcert, *peer;
6811 EVP_PKEY *privpkey;
6812 BIO *in = NULL;
6813
6814 /* Check that SSL_get_peer_certificate() returns something sensible */
6815 peer = SSL_get_peer_certificate(ssl);
6816 if (!TEST_ptr(peer))
6817 return 0;
6818 X509_free(peer);
6819
6820 in = BIO_new_file(cert, "r");
6821 if (!TEST_ptr(in))
6822 return 0;
6823
6824 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
6825 BIO_free(in);
6826 if (!TEST_ptr(xcert))
6827 return 0;
6828
6829 in = BIO_new_file(privkey, "r");
6830 if (!TEST_ptr(in)) {
6831 X509_free(xcert);
6832 return 0;
6833 }
6834
6835 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
6836 BIO_free(in);
6837 if (!TEST_ptr(privpkey)) {
6838 X509_free(xcert);
6839 return 0;
6840 }
6841
6842 *x509 = xcert;
6843 *pkey = privpkey;
6844
6845 return 1;
6846}
6847
6848static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6849{
6850 return 1;
6851}
6852
6853static int test_client_cert_cb(int tst)
6854{
6855 SSL_CTX *cctx = NULL, *sctx = NULL;
6856 SSL *clientssl = NULL, *serverssl = NULL;
6857 int testresult = 0;
6858
6859#ifdef OPENSSL_NO_TLS1_2
6860 if (tst == 0)
6861 return 1;
6862#endif
6863#ifdef OPENSSL_NO_TLS1_3
6864 if (tst == 1)
6865 return 1;
6866#endif
6867
5e30f2fd 6868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 6869 TLS_client_method(),
6870 TLS1_VERSION,
6871 tst == 0 ? TLS1_2_VERSION
6872 : TLS1_3_VERSION,
6873 &sctx, &cctx, cert, privkey)))
6874 goto end;
6875
6876 /*
6877 * Test that setting a client_cert_cb results in a client certificate being
6878 * sent.
6879 */
6880 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
6881 SSL_CTX_set_verify(sctx,
6882 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6883 verify_cb);
fb8c8359
MC		 6884
6885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6886 NULL, NULL))
6887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6888 SSL_ERROR_NONE)))
6889 goto end;
6890
6891 testresult = 1;
6892
6893 end:
6894 SSL_free(serverssl);
6895 SSL_free(clientssl);
6896 SSL_CTX_free(sctx);
6897 SSL_CTX_free(cctx);
6898
6899 return testresult;
6900}
6901
6902#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
6903/*
6904 * Test setting certificate authorities on both client and server.
6905 *
6906 * Test 0: SSL_CTX_set0_CA_list() only
6907 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
6908 * Test 2: Only SSL_CTX_set_client_CA_list()
6909 */
6910static int test_ca_names_int(int prot, int tst)
6911{
6912 SSL_CTX *cctx = NULL, *sctx = NULL;
6913 SSL *clientssl = NULL, *serverssl = NULL;
6914 int testresult = 0;
6915 size_t i;
6916 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
6917 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
6918 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
6919 const STACK_OF(X509_NAME) *sktmp = NULL;
6920
6921 for (i = 0; i < OSSL_NELEM(name); i++) {
6922 name[i] = X509_NAME_new();
6923 if (!TEST_ptr(name[i])
6924 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
6925 MBSTRING_ASC,
6926 (unsigned char *)
6927 strnames[i],
6928 -1, -1, 0)))
6929 goto end;
6930 }
6931
5e30f2fd 6932 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 6933 TLS_client_method(),
6934 TLS1_VERSION,
6935 prot,
6936 &sctx, &cctx, cert, privkey)))
6937 goto end;
6938
6939 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
6940
6941 if (tst == 0 || tst == 1) {
6942 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6943 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
6944 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
6945 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6946 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
6947 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
6948 goto end;
6949
6950 SSL_CTX_set0_CA_list(sctx, sk1);
6951 SSL_CTX_set0_CA_list(cctx, sk2);
6952 sk1 = sk2 = NULL;
6953 }
6954 if (tst == 1 || tst == 2) {
6955 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
6956 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
6957 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
6958 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
6959 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
6960 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
6961 goto end;
6962
6963 SSL_CTX_set_client_CA_list(sctx, sk1);
6964 SSL_CTX_set_client_CA_list(cctx, sk2);
6965 sk1 = sk2 = NULL;
6966 }
6967
6e46c065
MC		 6968 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6969 NULL, NULL))
6970 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6971 SSL_ERROR_NONE)))
6972 goto end;
6973
fb8c8359
MC		 6974 /*
6975 * We only expect certificate authorities to have been sent to the server
6976 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
6977 */
6978 sktmp = SSL_get0_peer_CA_list(serverssl);
6979 if (prot == TLS1_3_VERSION
6980 && (tst == 0 || tst == 1)) {
6981 if (!TEST_ptr(sktmp)
6982 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
6983 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
6984 name[0]), 0)
6985 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6986 name[1]), 0))
6987 goto end;
6988 } else if (!TEST_ptr_null(sktmp)) {
6989 goto end;
6990 }
6991
6992 /*
6993 * In all tests we expect certificate authorities to have been sent to the
6994 * client. However, SSL_set_client_CA_list() should override
6995 * SSL_set0_CA_list()
6996 */
6997 sktmp = SSL_get0_peer_CA_list(clientssl);
6998 if (!TEST_ptr(sktmp)
6999 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7000 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7001 name[tst == 0 ? 0 : 2]), 0)
7002 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7003 name[tst == 0 ? 1 : 3]), 0))
7004 goto end;
7005
6e46c065
MC		 7006 testresult = 1;
7007
7008 end:
7009 SSL_free(serverssl);
7010 SSL_free(clientssl);
7011 SSL_CTX_free(sctx);
7012 SSL_CTX_free(cctx);
fb8c8359
MC		 7013 for (i = 0; i < OSSL_NELEM(name); i++)
7014 X509_NAME_free(name[i]);
7015 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7016 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7017
7018 return testresult;
7019}
7020#endif
7021
7022static int test_ca_names(int tst)
7023{
7024 int testresult = 1;
7025
7026#ifndef OPENSSL_NO_TLS1_2
7027 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7028#endif
7029#ifndef OPENSSL_NO_TLS1_3
7030 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7031#endif
6e46c065
MC		 7032
7033 return testresult;
7034}
7035
0d2bfe52
SL		 7036#ifndef OPENSSL_NO_TLS1_2
7037static const char *multiblock_cipherlist_data[]=
7038{
7039 "AES128-SHA",
7040 "AES128-SHA256",
7041 "AES256-SHA",
7042 "AES256-SHA256",
7043};
7044
7045/* Reduce the fragment size - so the multiblock test buffer can be small */
7046# define MULTIBLOCK_FRAGSIZE 512
7047
7048static int test_multiblock_write(int test_index)
7049{
7050 static const char *fetchable_ciphers[]=
7051 {
7052 "AES-128-CBC-HMAC-SHA1",
7053 "AES-128-CBC-HMAC-SHA256",
7054 "AES-256-CBC-HMAC-SHA1",
7055 "AES-256-CBC-HMAC-SHA256"
7056 };
7057 const char *cipherlist = multiblock_cipherlist_data[test_index];
7058 const SSL_METHOD *smeth = TLS_server_method();
7059 const SSL_METHOD *cmeth = TLS_client_method();
7060 int min_version = TLS1_VERSION;
7061 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7062 SSL_CTX *cctx = NULL, *sctx = NULL;
7063 SSL *clientssl = NULL, *serverssl = NULL;
7064 int testresult = 0;
7065
7066 /*
7067 * Choose a buffer large enough to perform a multi-block operation
7068 * i.e: write_len >= 4 * frag_size
7069 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7070 */
7071 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7072 unsigned char buf[sizeof(msg)], *p = buf;
7073 size_t readbytes, written, len;
7074 EVP_CIPHER *ciph = NULL;
7075
7076 /*
7077 * Check if the cipher exists before attempting to use it since it only has
7078 * a hardware specific implementation.
7079 */
7080 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7081 if (ciph == NULL) {
7082 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7083 return 1;
7084 }
7085 EVP_CIPHER_free(ciph);
7086
7087 /* Set up a buffer with some data that will be sent to the client */
7088 RAND_bytes(msg, sizeof(msg));
7089
5e30f2fd
MC		 7090 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7091 max_version, &sctx, &cctx, cert,
7092 privkey)))
0d2bfe52
SL		 7093 goto end;
7094
7095 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7096 goto end;
7097
7098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7099 NULL, NULL)))
7100 goto end;
7101
7102 /* settings to force it to use AES-CBC-HMAC_SHA */
7103 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7105 goto end;
7106
7107 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7108 goto end;
7109
7110 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7111 || !TEST_size_t_eq(written, sizeof(msg)))
7112 goto end;
7113
7114 len = written;
7115 while (len > 0) {
7116 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7117 goto end;
7118 p += readbytes;
7119 len -= readbytes;
7120 }
7121 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7122 goto end;
7123
7124 testresult = 1;
7125end:
7126 SSL_free(serverssl);
7127 SSL_free(clientssl);
7128 SSL_CTX_free(sctx);
7129 SSL_CTX_free(cctx);
7130
7131 return testresult;
7132}
7133#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7134
49ef3d07
MC		 7135/*
7136 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7137 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7138 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7139 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7140 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7141 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7142 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7143 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7144 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7145 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7146 */
7147static int test_servername(int tst)
7148{
7149 SSL_CTX *cctx = NULL, *sctx = NULL;
7150 SSL *clientssl = NULL, *serverssl = NULL;
7151 int testresult = 0;
7152 SSL_SESSION *sess = NULL;
7153 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7154
7155#ifdef OPENSSL_NO_TLS1_2
7156 if (tst <= 4)
7157 return 1;
7158#endif
7159#ifdef OPENSSL_NO_TLS1_3
7160 if (tst >= 5)
7161 return 1;
7162#endif
7163
5e30f2fd 7164 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7165 TLS_client_method(),
7166 TLS1_VERSION,
7167 (tst <= 4) ? TLS1_2_VERSION
7168 : TLS1_3_VERSION,
7169 &sctx, &cctx, cert, privkey))
7170 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7171 NULL, NULL)))
7172 goto end;
7173
7174 if (tst != 1 && tst != 6) {
7175 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7176 hostname_cb)))
7177 goto end;
7178 }
7179
7180 if (tst != 3 && tst != 8) {
7181 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7182 goto end;
7183 sexpectedhost = cexpectedhost = "goodhost";
7184 }
7185
7186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7187 goto end;
7188
7189 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7190 cexpectedhost)
7191 || !TEST_str_eq(SSL_get_servername(serverssl,
7192 TLSEXT_NAMETYPE_host_name),
7193 sexpectedhost))
7194 goto end;
7195
7196 /* Now repeat with a resumption handshake */
7197
7198 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7199 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7200 || !TEST_true(SSL_SESSION_is_resumable(sess))
7201 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7202 goto end;
7203
7204 SSL_free(clientssl);
7205 SSL_free(serverssl);
7206 clientssl = serverssl = NULL;
7207
7208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7209 NULL)))
7210 goto end;
7211
7212 if (!TEST_true(SSL_set_session(clientssl, sess)))
7213 goto end;
7214
7215 sexpectedhost = cexpectedhost = "goodhost";
7216 if (tst == 2 || tst == 7) {
7217 /* Set an inconsistent hostname */
7218 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7219 goto end;
7220 /*
7221 * In TLSv1.2 we expect the hostname from the original handshake, in
7222 * TLSv1.3 we expect the hostname from this handshake
7223 */
7224 if (tst == 7)
7225 sexpectedhost = cexpectedhost = "altgoodhost";
7226
7227 if (!TEST_str_eq(SSL_get_servername(clientssl,
7228 TLSEXT_NAMETYPE_host_name),
7229 "altgoodhost"))
7230 goto end;
7231 } else if (tst == 4 || tst == 9) {
7232 /*
7233 * A TLSv1.3 session does not associate a session with a servername,
7234 * but a TLSv1.2 session does.
7235 */
7236 if (tst == 9)
7237 sexpectedhost = cexpectedhost = NULL;
7238
7239 if (!TEST_str_eq(SSL_get_servername(clientssl,
7240 TLSEXT_NAMETYPE_host_name),
7241 cexpectedhost))
7242 goto end;
7243 } else {
7244 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7245 goto end;
7246 /*
7247 * In a TLSv1.2 resumption where the hostname was not acknowledged
7248 * we expect the hostname on the server to be empty. On the client we
7249 * return what was requested in this case.
7250 *
7251 * Similarly if the client didn't set a hostname on an original TLSv1.2
7252 * session but is now, the server hostname will be empty, but the client
7253 * is as we set it.
7254 */
7255 if (tst == 1 || tst == 3)
7256 sexpectedhost = NULL;
7257
7258 if (!TEST_str_eq(SSL_get_servername(clientssl,
7259 TLSEXT_NAMETYPE_host_name),
7260 "goodhost"))
7261 goto end;
7262 }
7263
7264 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7265 goto end;
7266
7267 if (!TEST_true(SSL_session_reused(clientssl))
7268 || !TEST_true(SSL_session_reused(serverssl))
7269 || !TEST_str_eq(SSL_get_servername(clientssl,
7270 TLSEXT_NAMETYPE_host_name),
7271 cexpectedhost)
7272 || !TEST_str_eq(SSL_get_servername(serverssl,
7273 TLSEXT_NAMETYPE_host_name),
7274 sexpectedhost))
7275 goto end;
7276
7277 testresult = 1;
7278
7279 end:
7280 SSL_SESSION_free(sess);
7281 SSL_free(serverssl);
7282 SSL_free(clientssl);
7283 SSL_CTX_free(sctx);
7284 SSL_CTX_free(cctx);
7285
7286 return testresult;
7287}
7288
5e30f2fd 7289OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 7290
ad887416 7291int setup_tests(void)
2cb4b5f6 7292{
5e30f2fd
MC		 7293 char *modulename;
7294 char *configfile;
7295
7296 libctx = OPENSSL_CTX_new();
7297 if (!TEST_ptr(libctx))
7298 return 0;
7299
7300 defctxnull = OSSL_PROVIDER_load(NULL, "null");
7301
7302 /*
7303 * Verify that the default and fips providers in the default libctx are not
7304 * available
7305 */
7306 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
7307 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
7308 return 0;
7309
8d242823
MC		 7310 if (!test_skip_common_options()) {
7311 TEST_error("Error parsing test options\n");
7312 return 0;
7313 }
7314
1a2a3a42
MC		 7315 if (!TEST_ptr(certsdir = test_get_argument(0))
7316 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 7317 || !TEST_ptr(tmpfilename = test_get_argument(2))
7318 || !TEST_ptr(modulename = test_get_argument(3))
7319 || !TEST_ptr(configfile = test_get_argument(4)))
7320 return 0;
7321
7322 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
7323 return 0;
7324
7325 /* Check we have the expected provider available */
7326 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
7327 return 0;
7328
7329 /* Check the default provider is not available */
7330 if (strcmp(modulename, "default") != 0
7331 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 7332 return 0;
2cb4b5f6 7333
4f6c7044
MC		 7334 if (strcmp(modulename, "fips") == 0)
7335 is_fips = 1;
7336
f297e4ec
RS		 7337 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
7338#ifdef OPENSSL_NO_CRYPTO_MDEBUG
7339 TEST_error("not supported in this build");
7340 return 0;
7341#else
7342 int i, mcount, rcount, fcount;
7343
7344 for (i = 0; i < 4; i++)
7345 test_export_key_mat(i);
7346 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
7347 test_printf_stdout("malloc %d realloc %d free %d\n",
7348 mcount, rcount, fcount);
7349 return 1;
7350#endif
7351 }
7352
1a2a3a42
MC		 7353 cert = test_mk_file_path(certsdir, "servercert.pem");
7354 if (cert == NULL)
7355 return 0;
7356
7357 privkey = test_mk_file_path(certsdir, "serverkey.pem");
7358 if (privkey == NULL) {
7359 OPENSSL_free(cert);
7360 return 0;
7361 }
7362
5e9072ed
MC		 7363#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
7364 && !defined(OPENSSL_NO_SOCK)
2fab79af
BP		 7365 ADD_TEST(test_ktls_no_txrx_client_no_txrx_server);
7366 ADD_TEST(test_ktls_no_rx_client_no_txrx_server);
7367 ADD_TEST(test_ktls_no_tx_client_no_txrx_server);
7368 ADD_TEST(test_ktls_client_no_txrx_server);
7369 ADD_TEST(test_ktls_no_txrx_client_no_rx_server);
7370 ADD_TEST(test_ktls_no_rx_client_no_rx_server);
7371 ADD_TEST(test_ktls_no_tx_client_no_rx_server);
7372 ADD_TEST(test_ktls_client_no_rx_server);
7373 ADD_TEST(test_ktls_no_txrx_client_no_tx_server);
7374 ADD_TEST(test_ktls_no_rx_client_no_tx_server);
7375 ADD_TEST(test_ktls_no_tx_client_no_tx_server);
7376 ADD_TEST(test_ktls_client_no_tx_server);
7377 ADD_TEST(test_ktls_no_txrx_client_server);
7378 ADD_TEST(test_ktls_no_rx_client_server);
7379 ADD_TEST(test_ktls_no_tx_client_server);
fe5d9450 7380 ADD_TEST(test_ktls_client_server);
7c3a7561 7381 ADD_TEST(test_ktls_sendfile);
fe5d9450 7382#endif
84d5549e 7383 ADD_TEST(test_large_message_tls);
7856332e 7384 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 7385#ifndef OPENSSL_NO_DTLS
84d5549e 7386 ADD_TEST(test_large_message_dtls);
55386bef 7387#endif
8f8c11d8 7388#ifndef OPENSSL_NO_OCSP
c887104f 7389 ADD_TEST(test_tlsext_status_type);
8f8c11d8 7390#endif
eaa776da
MC		 7391 ADD_TEST(test_session_with_only_int_cache);
7392 ADD_TEST(test_session_with_only_ext_cache);
7393 ADD_TEST(test_session_with_both_cache);
36ff232c 7394#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 7395 ADD_ALL_TESTS(test_stateful_tickets, 3);
7396 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 7397 ADD_TEST(test_psk_tickets);
36ff232c 7398#endif
7fb4c820 7399 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 7400 ADD_TEST(test_ssl_bio_pop_next_bio);
7401 ADD_TEST(test_ssl_bio_pop_ssl_bio);
7402 ADD_TEST(test_ssl_bio_change_rbio);
7403 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 7404#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 7405 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 7406 ADD_TEST(test_keylog);
c423ecaa 7407#endif
6acdd3e5
CB		 7408#ifndef OPENSSL_NO_TLS1_3
7409 ADD_TEST(test_keylog_no_master_key);
7410#endif
e9ee6536 7411#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 7412 ADD_TEST(test_client_hello_cb);
088dfa13 7413 ADD_TEST(test_no_ems);
3cd14e5e 7414 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 7415#endif
7416#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 7417 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 7418 /*
7419 * We don't do replay tests for external PSK. Replay protection isn't used
7420 * in that scenario.
7421 */
7422 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 7423 ADD_ALL_TESTS(test_early_data_skip, 3);
7424 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 7425 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 7426 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 7427 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 7428 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 7429 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 7430# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 7431 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 7432# endif
e9ee6536 7433#endif
a273157a 7434#ifndef OPENSSL_NO_TLS1_3
034cb87b 7435 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 7436 ADD_TEST(test_ciphersuite_change);
5bf2eade 7437 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
7438# ifdef OPENSSL_NO_PSK
c2b290c3 7439 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 7440# else
0d8da779 7441 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 7442# endif /* OPENSSL_NO_PSK */
7443# ifndef OPENSSL_NO_TLS1_2
7444 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 7445 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 7446# else
7447 /* Test with only TLSv1.3 versions */
7448 ADD_ALL_TESTS(test_key_exchange, 12);
7449# endif
bb01ef3f 7450 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 7451 ADD_TEST(test_stateless);
9d75dce3 7452 ADD_TEST(test_pha_key_update);
a273157a 7453#else
bb01ef3f 7454 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 7455#endif
16afd71c 7456 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 7457 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 7458#ifndef OPENSSL_NO_TLS1_3
7459 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 7460 ADD_TEST(test_key_update);
a77b4dba 7461 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 7462#endif
e11b6aa4 7463 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 7464 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 7465#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7466 ADD_ALL_TESTS(test_srp, 6);
7467#endif
5718fe45 7468 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 7469 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 7470 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 7471 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 7472 ADD_ALL_TESTS(test_shutdown, 7);
1a2a3a42 7473 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 7474 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 7475 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 7476#ifndef OPENSSL_NO_TLS1_2
7477 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
7478#endif
49ef3d07 7479 ADD_ALL_TESTS(test_servername, 10);
ad887416
P		 7480 return 1;
7481}
2cb4b5f6 7482
ad887416
P		 7483void cleanup_tests(void)
7484{
1a2a3a42
MC		 7485 OPENSSL_free(cert);
7486 OPENSSL_free(privkey);
fa454945 7487 bio_s_mempacket_test_free();
a77b4dba 7488 bio_s_always_retry_free();
5e30f2fd
MC		 7489 OSSL_PROVIDER_unload(defctxnull);
7490 OPENSSL_CTX_free(libctx);
2cb4b5f6 7491}
A mirror of the official openssl repository