]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
evp_test: updates for the new additional MAC_init arguments
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
4333b89f 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
2cb4b5f6 34
20f8bc72 35#include "helpers/ssltestlib.h"
c887104f 36#include "testutil.h"
f297e4ec 37#include "testutil/output.h"
176db6dc 38#include "internal/nelem.h"
fe5d9450 39#include "internal/ktls.h"
706457b7 40#include "../ssl/ssl_local.h"
b0001d0c 41#include "filterprov.h"
2cb4b5f6 42
a763ca11
MC		 43#undef OSSL_NO_USABLE_TLS1_3
44#if defined(OPENSSL_NO_TLS1_3) \
45 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
46/*
47 * If we don't have ec or dh then there are no built-in groups that are usable
48 * with TLSv1.3
49 */
50# define OSSL_NO_USABLE_TLS1_3
51#endif
52
0c13cdf8
MC		 53/* Defined in tls-provider.c */
54int tls_provider_init(const OSSL_CORE_HANDLE *handle,
55 const OSSL_DISPATCH *in,
56 const OSSL_DISPATCH **out,
57 void **provctx);
852c2ed2 58
b4250010 59static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 60static OSSL_PROVIDER *defctxnull = NULL;
61
a763ca11 62#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 63
64static SSL_SESSION *clientpsk = NULL;
65static SSL_SESSION *serverpsk = NULL;
66static const char *pskid = "Identity";
67static const char *srvid;
68
69static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
70 size_t *idlen, SSL_SESSION **sess);
71static int find_session_cb(SSL *ssl, const unsigned char *identity,
72 size_t identity_len, SSL_SESSION **sess);
73
74static int use_session_cb_cnt = 0;
75static int find_session_cb_cnt = 0;
76
77static SSL_SESSION *create_a_psk(SSL *ssl);
78#endif
79
1a2a3a42 80static char *certsdir = NULL;
2cb4b5f6
MC		 81static char *cert = NULL;
82static char *privkey = NULL;
b3842539
MC		 83static char *cert2 = NULL;
84static char *privkey2 = NULL;
3105d846
MC		 85static char *cert1024 = NULL;
86static char *privkey1024 = NULL;
87static char *cert3072 = NULL;
88static char *privkey3072 = NULL;
89static char *cert4096 = NULL;
90static char *privkey4096 = NULL;
91static char *cert8192 = NULL;
92static char *privkey8192 = NULL;
76fd7a1d
MC		 93static char *srpvfile = NULL;
94static char *tmpfilename = NULL;
2cb4b5f6 95
4f6c7044
MC		 96static int is_fips = 0;
97
cffe973c 98#define LOG_BUFFER_SIZE 2048
6acdd3e5 99static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 100static size_t server_log_buffer_index = 0;
6acdd3e5 101static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 102static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 103static int error_writing_log = 0;
104
8f8c11d8 105#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 106static const unsigned char orespder[] = "Dummy OCSP Response";
107static int ocsp_server_called = 0;
108static int ocsp_client_called = 0;
109
110static int cdummyarg = 1;
111static X509 *ocspcert = NULL;
8f8c11d8 112#endif
ba881d3b 113
84d5549e 114#define NUM_EXTRA_CERTS 40
cf72c757 115#define CLIENT_VERSION_LEN 2
84d5549e 116
f1a5939f
CB		 117/*
118 * This structure is used to validate that the correct number of log messages
119 * of various types are emitted when emitting secret logs.
120 */
121struct sslapitest_log_counts {
122 unsigned int rsa_key_exchange_count;
123 unsigned int master_secret_count;
cffe973c 124 unsigned int client_early_secret_count;
f1a5939f
CB		 125 unsigned int client_handshake_secret_count;
126 unsigned int server_handshake_secret_count;
127 unsigned int client_application_secret_count;
128 unsigned int server_application_secret_count;
01a2a654 129 unsigned int early_exporter_secret_count;
6329ce8f 130 unsigned int exporter_secret_count;
f1a5939f
CB		 131};
132
16afd71c
MC		 133
134static unsigned char serverinfov1[] = {
135 0xff, 0xff, /* Dummy extension type */
136 0x00, 0x01, /* Extension length is 1 byte */
137 0xff /* Dummy extension data */
138};
139
140static unsigned char serverinfov2[] = {
141 0x00, 0x00, 0x00,
142 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
143 0xff, 0xff, /* Dummy extension type */
144 0x00, 0x01, /* Extension length is 1 byte */
145 0xff /* Dummy extension data */
146};
147
104a733d
MC		 148static int hostname_cb(SSL *s, int *al, void *arg)
149{
150 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
151
152 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
153 || strcmp(hostname, "altgoodhost") == 0))
154 return SSL_TLSEXT_ERR_OK;
155
156 return SSL_TLSEXT_ERR_NOACK;
157}
158
710756a9
RS		 159static void client_keylog_callback(const SSL *ssl, const char *line)
160{
6acdd3e5
CB		 161 int line_length = strlen(line);
162
163 /* If the log doesn't fit, error out. */
710756a9
RS		 164 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
165 TEST_info("Client log too full");
6acdd3e5
CB		 166 error_writing_log = 1;
167 return;
168 }
169
170 strcat(client_log_buffer, line);
171 client_log_buffer_index += line_length;
710756a9 172 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 173}
174
710756a9
RS		 175static void server_keylog_callback(const SSL *ssl, const char *line)
176{
6acdd3e5
CB		 177 int line_length = strlen(line);
178
179 /* If the log doesn't fit, error out. */
710756a9 180 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 181 TEST_info("Server log too full");
6acdd3e5
CB		 182 error_writing_log = 1;
183 return;
184 }
185
186 strcat(server_log_buffer, line);
187 server_log_buffer_index += line_length;
710756a9 188 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 189}
190
191static int compare_hex_encoded_buffer(const char *hex_encoded,
192 size_t hex_length,
193 const uint8_t *raw,
710756a9
RS		 194 size_t raw_length)
195{
196 size_t i, j;
197 char hexed[3];
6acdd3e5 198
710756a9 199 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 200 return 1;
6acdd3e5 201
710756a9 202 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 203 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 204 if (!TEST_int_eq(hexed[0], hex_encoded[j])
205 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 206 return 1;
6acdd3e5
CB		 207 }
208
209 return 0;
210}
211
212static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 213 const SSL_SESSION *session,
710756a9
RS		 214 struct sslapitest_log_counts *expected)
215{
6acdd3e5
CB		 216 char *token = NULL;
217 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
218 size_t client_random_size = SSL3_RANDOM_SIZE;
219 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
220 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 221 unsigned int rsa_key_exchange_count = 0;
222 unsigned int master_secret_count = 0;
cffe973c 223 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 224 unsigned int client_handshake_secret_count = 0;
225 unsigned int server_handshake_secret_count = 0;
226 unsigned int client_application_secret_count = 0;
227 unsigned int server_application_secret_count = 0;
01a2a654 228 unsigned int early_exporter_secret_count = 0;
6329ce8f 229 unsigned int exporter_secret_count = 0;
6acdd3e5 230
710756a9
RS		 231 for (token = strtok(buffer, " \n"); token != NULL;
232 token = strtok(NULL, " \n")) {
6acdd3e5 233 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 234 /*
235 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 236 * hex-encoded encrypted secret, then the hex-encoded pre-master
237 * secret.
238 */
710756a9 239 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 240 return 0;
710756a9 241 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 242 return 0;
710756a9 243 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 244 return 0;
f1a5939f
CB		 245 /*
246 * We can't sensibly check the log because the premaster secret is
247 * transient, and OpenSSL doesn't keep hold of it once the master
248 * secret is generated.
249 */
250 rsa_key_exchange_count++;
6acdd3e5 251 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 252 /*
253 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 254 * client random, then the hex-encoded master secret.
255 */
256 client_random_size = SSL_get_client_random(ssl,
257 actual_client_random,
258 SSL3_RANDOM_SIZE);
710756a9 259 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 260 return 0;
6acdd3e5 261
710756a9 262 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 263 return 0;
710756a9 264 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 265 return 0;
710756a9
RS		 266 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
267 actual_client_random,
268 client_random_size)))
f1a5939f 269 return 0;
6acdd3e5 270
710756a9 271 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 272 return 0;
6acdd3e5
CB		 273 master_key_size = SSL_SESSION_get_master_key(session,
274 actual_master_key,
275 master_key_size);
710756a9 276 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 277 return 0;
710756a9
RS		 278 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
279 actual_master_key,
280 master_key_size)))
f1a5939f 281 return 0;
f1a5939f 282 master_secret_count++;
cffe973c
PW		 283 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
284 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 285 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 287 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 288 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 289 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 290 /*
291 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
292 * client random, and then the hex-encoded secret. In this case,
293 * we treat all of these secrets identically and then just
294 * distinguish between them when counting what we saw.
295 */
cffe973c
PW		 296 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
297 client_early_secret_count++;
298 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 299 client_handshake_secret_count++;
300 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
301 server_handshake_secret_count++;
302 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
303 client_application_secret_count++;
304 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
305 server_application_secret_count++;
01a2a654
PW		 306 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
307 early_exporter_secret_count++;
6329ce8f
PW		 308 else if (strcmp(token, "EXPORTER_SECRET") == 0)
309 exporter_secret_count++;
f1a5939f
CB		 310
311 client_random_size = SSL_get_client_random(ssl,
312 actual_client_random,
313 SSL3_RANDOM_SIZE);
710756a9 314 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 315 return 0;
f1a5939f 316
710756a9 317 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 318 return 0;
710756a9 319 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 320 return 0;
710756a9
RS		 321 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
322 actual_client_random,
323 client_random_size)))
f1a5939f 324 return 0;
6acdd3e5 325
710756a9 326 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 327 return 0;
f1a5939f
CB		 328
329 /*
330 * TODO(TLS1.3): test that application traffic secrets are what
331 * we expect */
6acdd3e5 332 } else {
710756a9 333 TEST_info("Unexpected token %s\n", token);
f1a5939f 334 return 0;
6acdd3e5 335 }
6acdd3e5
CB		 336 }
337
710756a9
RS		 338 /* Got what we expected? */
339 if (!TEST_size_t_eq(rsa_key_exchange_count,
340 expected->rsa_key_exchange_count)
341 || !TEST_size_t_eq(master_secret_count,
342 expected->master_secret_count)
cffe973c
PW		 343 || !TEST_size_t_eq(client_early_secret_count,
344 expected->client_early_secret_count)
710756a9
RS		 345 || !TEST_size_t_eq(client_handshake_secret_count,
346 expected->client_handshake_secret_count)
347 || !TEST_size_t_eq(server_handshake_secret_count,
348 expected->server_handshake_secret_count)
349 || !TEST_size_t_eq(client_application_secret_count,
350 expected->client_application_secret_count)
351 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 352 expected->server_application_secret_count)
01a2a654
PW		 353 || !TEST_size_t_eq(early_exporter_secret_count,
354 expected->early_exporter_secret_count)
6329ce8f
PW		 355 || !TEST_size_t_eq(exporter_secret_count,
356 expected->exporter_secret_count))
710756a9
RS		 357 return 0;
358 return 1;
6acdd3e5
CB		 359}
360
a763ca11 361#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 362static int test_keylog(void)
363{
6acdd3e5
CB		 364 SSL_CTX *cctx = NULL, *sctx = NULL;
365 SSL *clientssl = NULL, *serverssl = NULL;
366 int testresult = 0;
6fc1e624 367 struct sslapitest_log_counts expected;
6acdd3e5
CB		 368
369 /* Clean up logging space */
6fc1e624 370 memset(&expected, 0, sizeof(expected));
710756a9
RS		 371 memset(client_log_buffer, 0, sizeof(client_log_buffer));
372 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 373 client_log_buffer_index = 0;
374 server_log_buffer_index = 0;
375 error_writing_log = 0;
376
5e30f2fd 377 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 378 TLS_client_method(),
5c587fb6 379 TLS1_VERSION, 0,
710756a9 380 &sctx, &cctx, cert, privkey)))
6acdd3e5 381 return 0;
6acdd3e5
CB		 382
383 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
384 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
385 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
386
f0deb4d3 387 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 388 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 389 goto end;
f0deb4d3 390
cf10df81
RS		 391 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
392 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 393 goto end;
6acdd3e5 394 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 395 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
396 == client_keylog_callback))
6acdd3e5 397 goto end;
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log)
409 || !TEST_int_gt(client_log_buffer_index, 0)
410 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 411 goto end;
6acdd3e5 412
f1a5939f
CB		 413 /*
414 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 415 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 416 * data we expect. For both client and server, we expect to see one master
417 * secret. The client should also see a RSA key exchange.
6acdd3e5 418 */
f1a5939f
CB		 419 expected.rsa_key_exchange_count = 1;
420 expected.master_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected)))
6acdd3e5 423 goto end;
f1a5939f
CB		 424
425 expected.rsa_key_exchange_count = 0;
710756a9
RS		 426 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
427 SSL_get_session(serverssl), &expected)))
6acdd3e5 428 goto end;
6acdd3e5
CB		 429
430 testresult = 1;
431
432end:
433 SSL_free(serverssl);
434 SSL_free(clientssl);
435 SSL_CTX_free(sctx);
436 SSL_CTX_free(cctx);
437
438 return testresult;
439}
c423ecaa 440#endif
6acdd3e5 441
a763ca11 442#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 443static int test_keylog_no_master_key(void)
444{
6acdd3e5
CB		 445 SSL_CTX *cctx = NULL, *sctx = NULL;
446 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 447 SSL_SESSION *sess = NULL;
6acdd3e5 448 int testresult = 0;
6fc1e624 449 struct sslapitest_log_counts expected;
cffe973c
PW		 450 unsigned char buf[1];
451 size_t readbytes, written;
6acdd3e5
CB		 452
453 /* Clean up logging space */
6fc1e624 454 memset(&expected, 0, sizeof(expected));
710756a9
RS		 455 memset(client_log_buffer, 0, sizeof(client_log_buffer));
456 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 457 client_log_buffer_index = 0;
458 server_log_buffer_index = 0;
459 error_writing_log = 0;
460
5e30f2fd
MC		 461 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
462 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 463 &sctx, &cctx, cert, privkey))
464 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 465 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 466 return 0;
6acdd3e5 467
cf10df81
RS		 468 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
469 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 470 goto end;
6acdd3e5
CB		 471
472 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 473 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
474 == client_keylog_callback))
6acdd3e5 475 goto end;
6acdd3e5 476
710756a9 477 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 478 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
479 == server_keylog_callback))
6acdd3e5 480 goto end;
6acdd3e5 481
710756a9
RS		 482 /* Now do a handshake and check that the logs have been written to. */
483 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
484 &clientssl, NULL, NULL))
485 || !TEST_true(create_ssl_connection(serverssl, clientssl,
486 SSL_ERROR_NONE))
487 || !TEST_false(error_writing_log))
6acdd3e5 488 goto end;
6acdd3e5 489
f1a5939f
CB		 490 /*
491 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 492 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 493 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 494 */
f1a5939f
CB		 495 expected.client_handshake_secret_count = 1;
496 expected.server_handshake_secret_count = 1;
497 expected.client_application_secret_count = 1;
498 expected.server_application_secret_count = 1;
6329ce8f 499 expected.exporter_secret_count = 1;
710756a9
RS		 500 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
501 SSL_get_session(clientssl), &expected))
502 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
503 SSL_get_session(serverssl),
504 &expected)))
6acdd3e5 505 goto end;
6acdd3e5 506
cffe973c
PW		 507 /* Terminate old session and resume with early data. */
508 sess = SSL_get1_session(clientssl);
509 SSL_shutdown(clientssl);
510 SSL_shutdown(serverssl);
511 SSL_free(serverssl);
512 SSL_free(clientssl);
513 serverssl = clientssl = NULL;
514
515 /* Reset key log */
516 memset(client_log_buffer, 0, sizeof(client_log_buffer));
517 memset(server_log_buffer, 0, sizeof(server_log_buffer));
518 client_log_buffer_index = 0;
519 server_log_buffer_index = 0;
520
521 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
522 &clientssl, NULL, NULL))
523 || !TEST_true(SSL_set_session(clientssl, sess))
524 /* Here writing 0 length early data is enough. */
525 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
526 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
527 &readbytes),
528 SSL_READ_EARLY_DATA_ERROR)
529 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
530 SSL_EARLY_DATA_ACCEPTED)
531 || !TEST_true(create_ssl_connection(serverssl, clientssl,
532 SSL_ERROR_NONE))
533 || !TEST_true(SSL_session_reused(clientssl)))
534 goto end;
535
536 /* In addition to the previous entries, expect early secrets. */
537 expected.client_early_secret_count = 1;
01a2a654 538 expected.early_exporter_secret_count = 1;
cffe973c
PW		 539 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
540 SSL_get_session(clientssl), &expected))
541 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
542 SSL_get_session(serverssl),
543 &expected)))
544 goto end;
545
6acdd3e5
CB		 546 testresult = 1;
547
548end:
cffe973c 549 SSL_SESSION_free(sess);
6acdd3e5
CB		 550 SSL_free(serverssl);
551 SSL_free(clientssl);
552 SSL_CTX_free(sctx);
553 SSL_CTX_free(cctx);
554
555 return testresult;
556}
557#endif
558
0c3eb279
DDO		 559static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
560{
561 int res = X509_verify_cert(ctx);
562
563 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
564 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
565 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
566 return res;
567}
568
569static int test_client_cert_verify_cb(void)
570{
571 /* server key, cert, chain, and root */
572 char *skey = test_mk_file_path(certsdir, "leaf.key");
573 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
574 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
575 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
576 char *root = test_mk_file_path(certsdir, "rootCA.pem");
577 X509 *crt1 = NULL, *crt2 = NULL;
578 STACK_OF(X509) *server_chain;
579 SSL_CTX *cctx = NULL, *sctx = NULL;
580 SSL *clientssl = NULL, *serverssl = NULL;
581 int testresult = 0;
582
583 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
584 TLS_client_method(), TLS1_VERSION, 0,
585 &sctx, &cctx, NULL, NULL)))
586 goto end;
587 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
588 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
589 SSL_FILETYPE_PEM), 1)
590 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
591 goto end;
592 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
593 goto end;
594 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
595 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
596 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
597 &clientssl, NULL, NULL)))
598 goto end;
599
600 /* attempt SSL_connect() with incomplete server chain */
601 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
602 SSL_ERROR_WANT_RETRY_VERIFY)))
603 goto end;
604
605 /* application provides intermediate certs needed to verify server cert */
606 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
607 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
608 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
609 goto end;
610 /* add certs in reverse order to demonstrate real chain building */
611 if (!TEST_true(sk_X509_push(server_chain, crt1)))
612 goto end;
613 crt1 = NULL;
614 if (!TEST_true(sk_X509_push(server_chain, crt2)))
615 goto end;
616 crt2 = NULL;
617
618 /* continue SSL_connect(), must now succeed with completed server chain */
619 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
621 goto end;
622
623 testresult = 1;
624
625end:
626 X509_free(crt1);
627 X509_free(crt2);
628 SSL_shutdown(clientssl);
629 SSL_shutdown(serverssl);
630 SSL_free(serverssl);
631 SSL_free(clientssl);
632 SSL_CTX_free(sctx);
633 SSL_CTX_free(cctx);
634
635 OPENSSL_free(skey);
636 OPENSSL_free(leaf);
637 OPENSSL_free(int2);
638 OPENSSL_free(int1);
639 OPENSSL_free(root);
640
641 return testresult;
642}
643
e9ee6536 644#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 645static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 646{
647 int *ctr = arg;
648 const unsigned char *p;
8ea404fb 649 int *exts;
2afaee51
BK		 650 /* We only configure two ciphers, but the SCSV is added automatically. */
651#ifdef OPENSSL_NO_EC
652 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
653#else
654 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
655 0x2c, 0x00, 0xff};
656#endif
8ea404fb
BK		 657 const int expected_extensions[] = {
658#ifndef OPENSSL_NO_EC
659 11, 10,
660#endif
10ed1b72 661 35, 22, 23, 13};
2afaee51
BK		 662 size_t len;
663
664 /* Make sure we can defer processing and get called back. */
665 if ((*ctr)++ == 0)
f1b97da1 666 return SSL_CLIENT_HELLO_RETRY;
2afaee51 667
a9c0d8be 668 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 669 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 670 || !TEST_size_t_eq(
671 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 672 || !TEST_int_eq(*p, 0))
f1b97da1 673 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 674 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 675 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 676 if (len != OSSL_NELEM(expected_extensions) ||
677 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 678 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 679 OPENSSL_free(exts);
f1b97da1 680 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 681 }
682 OPENSSL_free(exts);
f1b97da1 683 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 684}
685
a9c0d8be 686static int test_client_hello_cb(void)
710756a9 687{
2afaee51
BK		 688 SSL_CTX *cctx = NULL, *sctx = NULL;
689 SSL *clientssl = NULL, *serverssl = NULL;
690 int testctr = 0, testresult = 0;
691
5e30f2fd
MC		 692 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
693 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 694 &sctx, &cctx, cert, privkey)))
2afaee51 695 goto end;
a9c0d8be 696 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 697
2afaee51
BK		 698 /* The gimpy cipher list we configure can't do TLS 1.3. */
699 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 700
710756a9
RS		 701 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
702 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
703 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
704 &clientssl, NULL, NULL))
705 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 706 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 707 /*
708 * Passing a -1 literal is a hack since
709 * the real value was lost.
710 * */
a9c0d8be
DB		 711 || !TEST_int_eq(SSL_get_error(serverssl, -1),
712 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
714 SSL_ERROR_NONE)))
2afaee51 715 goto end;
2afaee51
BK		 716
717 testresult = 1;
718
088dfa13
TS		 719end:
720 SSL_free(serverssl);
721 SSL_free(clientssl);
722 SSL_CTX_free(sctx);
723 SSL_CTX_free(cctx);
724
725 return testresult;
726}
727
728static int test_no_ems(void)
729{
730 SSL_CTX *cctx = NULL, *sctx = NULL;
731 SSL *clientssl = NULL, *serverssl = NULL;
732 int testresult = 0;
733
5e30f2fd 734 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 735 TLS1_VERSION, TLS1_2_VERSION,
736 &sctx, &cctx, cert, privkey)) {
737 printf("Unable to create SSL_CTX pair\n");
738 goto end;
739 }
740
741 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
742
743 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
744 printf("Unable to create SSL objects\n");
745 goto end;
746 }
747
748 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
749 printf("Creating SSL connection failed\n");
750 goto end;
751 }
752
753 if (SSL_get_extms_support(serverssl)) {
754 printf("Server reports Extended Master Secret support\n");
755 goto end;
756 }
757
758 if (SSL_get_extms_support(clientssl)) {
759 printf("Client reports Extended Master Secret support\n");
760 goto end;
761 }
762 testresult = 1;
763
2afaee51
BK		 764end:
765 SSL_free(serverssl);
766 SSL_free(clientssl);
767 SSL_CTX_free(sctx);
768 SSL_CTX_free(cctx);
769
770 return testresult;
771}
772
3cd14e5e
BK		 773/*
774 * Very focused test to exercise a single case in the server-side state
775 * machine, when the ChangeCipherState message needs to actually change
776 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 777 * encryption to real encryption).
3cd14e5e
BK		 778 */
779static int test_ccs_change_cipher(void)
780{
781 SSL_CTX *cctx = NULL, *sctx = NULL;
782 SSL *clientssl = NULL, *serverssl = NULL;
783 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
784 int testresult = 0;
785 int i;
786 unsigned char buf;
787 size_t readbytes;
788
789 /*
790 * Create a conection so we can resume and potentially (but not) use
791 * a different cipher in the second connection.
792 */
5e30f2fd 793 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 794 TLS_client_method(),
795 TLS1_VERSION, TLS1_2_VERSION,
796 &sctx, &cctx, cert, privkey))
797 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
798 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
799 NULL, NULL))
800 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
801 || !TEST_true(create_ssl_connection(serverssl, clientssl,
802 SSL_ERROR_NONE))
803 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
804 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
805 goto end;
806
807 shutdown_ssl_connection(serverssl, clientssl);
808 serverssl = clientssl = NULL;
809
810 /* Resume, preferring a different cipher. Our server will force the
811 * same cipher to be used as the initial handshake. */
812 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
813 NULL, NULL))
814 || !TEST_true(SSL_set_session(clientssl, sess))
815 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
816 || !TEST_true(create_ssl_connection(serverssl, clientssl,
817 SSL_ERROR_NONE))
818 || !TEST_true(SSL_session_reused(clientssl))
819 || !TEST_true(SSL_session_reused(serverssl))
820 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
821 || !TEST_ptr_eq(sesspre, sesspost)
822 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
823 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
824 goto end;
825 shutdown_ssl_connection(serverssl, clientssl);
826 serverssl = clientssl = NULL;
827
828 /*
829 * Now create a fresh connection and try to renegotiate a different
830 * cipher on it.
831 */
b3e6d666
BK		 832 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
833 NULL, NULL))
3cd14e5e
BK		 834 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
835 || !TEST_true(create_ssl_connection(serverssl, clientssl,
836 SSL_ERROR_NONE))
837 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
838 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
839 || !TEST_true(SSL_renegotiate(clientssl))
840 || !TEST_true(SSL_renegotiate_pending(clientssl)))
841 goto end;
842 /* Actually drive the renegotiation. */
843 for (i = 0; i < 3; i++) {
844 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
845 if (!TEST_ulong_eq(readbytes, 0))
846 goto end;
847 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
848 SSL_ERROR_WANT_READ)) {
849 goto end;
850 }
851 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
852 if (!TEST_ulong_eq(readbytes, 0))
853 goto end;
854 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
855 SSL_ERROR_WANT_READ)) {
856 goto end;
857 }
858 }
859 /* sesspre and sesspost should be different since the cipher changed. */
860 if (!TEST_false(SSL_renegotiate_pending(clientssl))
861 || !TEST_false(SSL_session_reused(clientssl))
862 || !TEST_false(SSL_session_reused(serverssl))
863 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
864 || !TEST_ptr_ne(sesspre, sesspost)
865 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
866 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
867 goto end;
868
869 shutdown_ssl_connection(serverssl, clientssl);
870 serverssl = clientssl = NULL;
871
872 testresult = 1;
873
874end:
875 SSL_free(serverssl);
876 SSL_free(clientssl);
877 SSL_CTX_free(sctx);
878 SSL_CTX_free(cctx);
879 SSL_SESSION_free(sess);
880
881 return testresult;
882}
fb121631 883#endif
3cd14e5e 884
84d5549e 885static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 886 const SSL_METHOD *cmeth,
887 int min_version, int max_version,
888 int read_ahead)
84d5549e
MC		 889{
890 SSL_CTX *cctx = NULL, *sctx = NULL;
891 SSL *clientssl = NULL, *serverssl = NULL;
892 int testresult = 0;
893 int i;
710756a9 894 BIO *certbio = NULL;
84d5549e
MC		 895 X509 *chaincert = NULL;
896 int certlen;
897
710756a9 898 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 899 goto end;
6725682d 900
d8652be0 901 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 902 goto end;
903
904 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
905 goto end;
fa454945
MC		 906 BIO_free(certbio);
907 certbio = NULL;
84d5549e 908
5e30f2fd
MC		 909 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
910 max_version, &sctx, &cctx, cert,
911 privkey)))
84d5549e 912 goto end;
84d5549e 913
710756a9 914 if (read_ahead) {
7856332e
MC		 915 /*
916 * Test that read_ahead works correctly when dealing with large
917 * records
918 */
919 SSL_CTX_set_read_ahead(cctx, 1);
920 }
921
84d5549e
MC		 922 /*
923 * We assume the supplied certificate is big enough so that if we add
924 * NUM_EXTRA_CERTS it will make the overall message large enough. The
925 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 926 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
927 * test we need to have a message larger than that.
84d5549e
MC		 928 */
929 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 930 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
931 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 932 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 933 if (!X509_up_ref(chaincert))
84d5549e 934 goto end;
84d5549e 935 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 936 X509_free(chaincert);
937 goto end;
938 }
939 }
940
710756a9
RS		 941 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
942 NULL, NULL))
943 || !TEST_true(create_ssl_connection(serverssl, clientssl,
944 SSL_ERROR_NONE)))
84d5549e 945 goto end;
84d5549e 946
4bf08600
MC		 947 /*
948 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 949 * doesn't leak.
4bf08600 950 */
710756a9 951 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 952 goto end;
84d5549e 953
4bf08600 954 testresult = 1;
84d5549e 955 end:
6725682d 956 BIO_free(certbio);
84d5549e
MC		 957 X509_free(chaincert);
958 SSL_free(serverssl);
959 SSL_free(clientssl);
960 SSL_CTX_free(sctx);
961 SSL_CTX_free(cctx);
962
963 return testresult;
964}
965
da4db160 966#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 967 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
da4db160 968#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 969/* sock must be connected */
970static int ktls_chk_platform(int sock)
971{
972 if (!ktls_enable(sock))
973 return 0;
974 return 1;
975}
976
da4db160 977static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 978{
979 static char count = 1;
980 unsigned char cbuf[16000] = {0};
981 unsigned char sbuf[16000];
982 size_t err = 0;
da4db160
VF		 983 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
984 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
985 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
986 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
987 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
988 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
989 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
990 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 991
992 cbuf[0] = count++;
da4db160
VF		 993 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
994 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
995 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
996 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 997
998 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
999 goto end;
1000
1001 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1002 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1003 goto end;
1004 }
1005 }
1006
1007 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1008 goto end;
1009
1010 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1011 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1012 goto end;
1013 }
1014 }
1015
da4db160
VF		 1016 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
1017 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
1018 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
1019 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 1020
1021 /* verify the payload */
1022 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1023 goto end;
1024
1025 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
1026 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 1027 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
1028 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1029 goto end;
1030 } else {
da4db160
VF		 1031 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
1032 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1033 goto end;
1034 }
1035
1036 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 1037 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
1038 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1039 goto end;
1040 } else {
da4db160
VF		 1041 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
1042 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1043 goto end;
1044 }
1045
2fab79af 1046 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 1047 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
1048 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1049 goto end;
1050 } else {
da4db160
VF		 1051 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
1052 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1053 goto end;
1054 }
1055
1056 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 1057 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
1058 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1059 goto end;
1060 } else {
da4db160
VF		 1061 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
1062 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1063 goto end;
1064 }
fe5d9450
BP		 1065
1066 return 1;
1067end:
1068 return 0;
1069}
1070
2fab79af 1071static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 1072 int sis_ktls_tx, int sis_ktls_rx,
1073 int tls_version, const char *cipher,
1074 int rec_seq_size)
fe5d9450
BP		 1075{
1076 SSL_CTX *cctx = NULL, *sctx = NULL;
1077 SSL *clientssl = NULL, *serverssl = NULL;
1078 int testresult = 0;
1079 int cfd, sfd;
1080
1081 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1082 goto end;
1083
1084 /* Skip this test if the platform does not support ktls */
1085 if (!ktls_chk_platform(cfd))
1086 return 1;
1087
1088 /* Create a session based on SHA-256 */
5e30f2fd 1089 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1090 TLS_client_method(),
da4db160 1091 tls_version, tls_version,
fe5d9450 1092 &sctx, &cctx, cert, privkey))
da4db160 1093 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1094 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
fe5d9450
BP		 1095 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1096 &clientssl, sfd, cfd)))
1097 goto end;
1098
1099 if (!cis_ktls_tx) {
1100 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1101 goto end;
1102 }
1103
1104 if (!sis_ktls_tx) {
1105 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1106 goto end;
1107 }
1108
2fab79af
BP		 1109 if (!cis_ktls_rx) {
1110 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1111 goto end;
1112 }
1113
1114 if (!sis_ktls_rx) {
1115 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1116 goto end;
1117 }
1118
fe5d9450
BP		 1119 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1120 SSL_ERROR_NONE)))
1121 goto end;
1122
1123 if (!cis_ktls_tx) {
1124 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1125 goto end;
1126 } else {
1127 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1128 goto end;
1129 }
1130
1131 if (!sis_ktls_tx) {
1132 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1133 goto end;
1134 } else {
1135 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1136 goto end;
1137 }
1138
2fab79af
BP		 1139 if (!cis_ktls_rx) {
1140 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1141 goto end;
1142 } else {
1143 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1144 goto end;
1145 }
1146
1147 if (!sis_ktls_rx) {
1148 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1149 goto end;
1150 } else {
1151 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1152 goto end;
1153 }
1154
da4db160
VF		 1155 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1156 rec_seq_size)))
fe5d9450
BP		 1157 goto end;
1158
1159 testresult = 1;
1160end:
1161 if (clientssl) {
1162 SSL_shutdown(clientssl);
1163 SSL_free(clientssl);
1164 }
1165 if (serverssl) {
1166 SSL_shutdown(serverssl);
1167 SSL_free(serverssl);
1168 }
1169 SSL_CTX_free(sctx);
1170 SSL_CTX_free(cctx);
1171 serverssl = clientssl = NULL;
1172 return testresult;
1173}
1174
7c3a7561
BP		 1175#define SENDFILE_SZ (16 * 4096)
1176#define SENDFILE_CHUNK (4 * 4096)
1177#define min(a,b) ((a) > (b) ? (b) : (a))
1178
da4db160 1179static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1180{
1181 SSL_CTX *cctx = NULL, *sctx = NULL;
1182 SSL *clientssl = NULL, *serverssl = NULL;
1183 unsigned char *buf, *buf_dst;
1184 BIO *out = NULL, *in = NULL;
1185 int cfd, sfd, ffd, err;
1186 ssize_t chunk_size = 0;
1187 off_t chunk_off = 0;
1188 int testresult = 0;
1189 FILE *ffdp;
1190
1191 buf = OPENSSL_zalloc(SENDFILE_SZ);
1192 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1193 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1194 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1195 goto end;
1196
1197 /* Skip this test if the platform does not support ktls */
1198 if (!ktls_chk_platform(sfd)) {
1199 testresult = 1;
1200 goto end;
1201 }
1202
1203 /* Create a session based on SHA-256 */
5e30f2fd 1204 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1205 TLS_client_method(),
da4db160 1206 tls_version, tls_version,
7c3a7561 1207 &sctx, &cctx, cert, privkey))
da4db160 1208 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1209 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
7c3a7561
BP		 1210 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1211 &clientssl, sfd, cfd)))
1212 goto end;
1213
1214 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1215 SSL_ERROR_NONE))
1216 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1217 goto end;
1218
72c1e374
JB		 1219 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1220 goto end;
1221
7c3a7561
BP		 1222 out = BIO_new_file(tmpfilename, "wb");
1223 if (!TEST_ptr(out))
1224 goto end;
1225
1226 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1227 goto end;
1228
1229 BIO_free(out);
1230 out = NULL;
1231 in = BIO_new_file(tmpfilename, "rb");
1232 BIO_get_fp(in, &ffdp);
1233 ffd = fileno(ffdp);
1234
1235 while (chunk_off < SENDFILE_SZ) {
1236 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1237 while ((err = SSL_sendfile(serverssl,
1238 ffd,
1239 chunk_off,
1240 chunk_size,
1241 0)) != chunk_size) {
1242 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1243 goto end;
1244 }
1245 while ((err = SSL_read(clientssl,
1246 buf_dst + chunk_off,
1247 chunk_size)) != chunk_size) {
1248 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1249 goto end;
1250 }
1251
1252 /* verify the payload */
1253 if (!TEST_mem_eq(buf_dst + chunk_off,
1254 chunk_size,
1255 buf + chunk_off,
1256 chunk_size))
1257 goto end;
1258
1259 chunk_off += chunk_size;
1260 }
1261
1262 testresult = 1;
1263end:
1264 if (clientssl) {
1265 SSL_shutdown(clientssl);
1266 SSL_free(clientssl);
1267 }
1268 if (serverssl) {
1269 SSL_shutdown(serverssl);
1270 SSL_free(serverssl);
1271 }
1272 SSL_CTX_free(sctx);
1273 SSL_CTX_free(cctx);
1274 serverssl = clientssl = NULL;
1275 BIO_free(out);
1276 BIO_free(in);
1277 OPENSSL_free(buf);
1278 OPENSSL_free(buf_dst);
1279 return testresult;
1280}
1281
a763ca11 1282#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1283static int test_ktls(int test)
1284{
eb818d23
JB		 1285 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1286 int tlsver, testresult;
da4db160
VF		 1287
1288 if (test > 15) {
a763ca11 1289#if defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1290 return 1;
1291#else
1292 test -= 16;
1293 tlsver = TLS1_3_VERSION;
1294#endif
1295 } else {
1296#if defined(OPENSSL_NO_TLS1_2)
1297 return 1;
1298#else
1299 tlsver = TLS1_2_VERSION;
1300#endif
1301 }
1302
eb818d23
JB		 1303 cis_ktls_tx = (test & 1) != 0;
1304 cis_ktls_rx = (test & 2) != 0;
1305 sis_ktls_tx = (test & 4) != 0;
1306 sis_ktls_rx = (test & 8) != 0;
1307
cd03b5dc
JB		 1308#if defined(OPENSSL_NO_KTLS_RX)
1309 if (cis_ktls_rx || sis_ktls_rx)
1310 return 1;
1311#endif
a763ca11 1312#if !defined(OSSL_NO_USABLE_TLS1_3)
18efb630
JB		 1313 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1314 return 1;
1315#endif
cd03b5dc 1316
eb818d23
JB		 1317 testresult = 1;
1318#ifdef OPENSSL_KTLS_AES_GCM_128
1319 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1320 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1321 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1322#endif
1323#ifdef OPENSSL_KTLS_AES_CCM_128
1324 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
ab114c6d 1325 sis_ktls_rx, tlsver, "AES128-CCM",
eb818d23
JB		 1326 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1327#endif
1328#ifdef OPENSSL_KTLS_AES_GCM_256
1329 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1330 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1331 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1332#endif
1333 return testresult;
2fab79af
BP		 1334}
1335
da4db160 1336static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1337{
ab114c6d 1338 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
da4db160
VF		 1339 int tlsver;
1340
1341 if (tst > 2) {
a763ca11 1342#if defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1343 return 1;
1344#else
1345 tst -= 3;
1346 tlsver = TLS1_3_VERSION;
1347#endif
1348 } else {
1349#if defined(OPENSSL_NO_TLS1_2)
1350 return 1;
1351#else
1352 tlsver = TLS1_2_VERSION;
1353#endif
1354 }
1355
1356#ifndef OPENSSL_KTLS_AES_GCM_128
1357 if(tst == 0) return 1;
1358#endif
1359#ifndef OPENSSL_KTLS_AES_CCM_128
1360 if(tst == 1) return 1;
1361#endif
1362#ifndef OPENSSL_KTLS_AES_GCM_256
1363 if(tst == 2) return 1;
1364#endif
1365 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1366}
da4db160
VF		 1367
1368#endif
fe5d9450
BP		 1369#endif
1370
84d5549e
MC		 1371static int test_large_message_tls(void)
1372{
7856332e 1373 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1374 TLS1_VERSION, 0, 0);
7856332e
MC		 1375}
1376
1377static int test_large_message_tls_read_ahead(void)
1378{
1379 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1380 TLS1_VERSION, 0, 1);
84d5549e
MC		 1381}
1382
55386bef 1383#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1384static int test_large_message_dtls(void)
1385{
7856332e
MC		 1386 /*
1387 * read_ahead is not relevant to DTLS because DTLS always acts as if
1388 * read_ahead is set.
1389 */
84d5549e 1390 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1391 DTLS_client_method(),
5c587fb6 1392 DTLS1_VERSION, 0, 0);
84d5549e 1393}
55386bef 1394#endif
84d5549e 1395
163b8016
ME		 1396static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1397 const SSL_METHOD *cmeth,
1398 int min_version, int max_version)
1399{
1400 size_t i;
1401 SSL_CTX *cctx = NULL, *sctx = NULL;
1402 SSL *clientssl = NULL, *serverssl = NULL;
1403 int testresult = 0;
1404 SSL3_RECORD *rr;
1405 void *zbuf;
1406
1407 static unsigned char cbuf[16000];
1408 static unsigned char sbuf[16000];
1409
1410 if (!TEST_true(create_ssl_ctx_pair(libctx,
1411 smeth, cmeth,
1412 min_version, max_version,
1413 &sctx, &cctx, cert,
1414 privkey)))
1415 goto end;
1416
1417 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1418 NULL, NULL)))
1419 goto end;
1420
1421 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1422 goto end;
1423
1424 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1425 SSL_ERROR_NONE)))
1426 goto end;
1427
1428 for (i = 0; i < sizeof(cbuf); i++) {
1429 cbuf[i] = i & 0xff;
1430 }
1431
1432 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1433 goto end;
1434
1435 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1436 goto end;
1437
1438 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1439 goto end;
1440
1441 /*
1442 * Since we called SSL_peek(), we know the data in the record
1443 * layer is a plaintext record. We can gather the pointer to check
1444 * for zeroization after SSL_read().
1445 */
1446 rr = serverssl->rlayer.rrec;
1447 zbuf = &rr->data[rr->off];
1448 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1449 goto end;
1450
1451 /*
1452 * After SSL_peek() the plaintext must still be stored in the
1453 * record.
1454 */
1455 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1456 goto end;
1457
1458 memset(sbuf, 0, sizeof(sbuf));
1459 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1460 goto end;
1461
1462 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1463 goto end;
1464
1465 /* Check if rbuf is cleansed */
1466 memset(cbuf, 0, sizeof(cbuf));
1467 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1468 goto end;
1469
1470 testresult = 1;
1471 end:
1472 SSL_free(serverssl);
1473 SSL_free(clientssl);
1474 SSL_CTX_free(sctx);
1475 SSL_CTX_free(cctx);
1476
1477 return testresult;
1478}
1479
1480static int test_cleanse_plaintext(void)
1481{
1482#if !defined(OPENSSL_NO_TLS1_2)
1483 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1484 TLS_client_method(),
1485 TLS1_2_VERSION,
1486 TLS1_2_VERSION)))
1487 return 0;
1488
1489#endif
1490
a763ca11 1491#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1492 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1493 TLS_client_method(),
1494 TLS1_3_VERSION,
1495 TLS1_3_VERSION)))
1496 return 0;
1497#endif
1498
1499#if !defined(OPENSSL_NO_DTLS)
1500 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1501 DTLS_client_method(),
1502 DTLS1_VERSION,
1503 0)))
1504 return 0;
1505#endif
1506 return 1;
1507}
1508
8f8c11d8 1509#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1510static int ocsp_server_cb(SSL *s, void *arg)
1511{
1512 int *argi = (int *)arg;
710756a9 1513 unsigned char *copy = NULL;
ba881d3b
MC		 1514 STACK_OF(OCSP_RESPID) *ids = NULL;
1515 OCSP_RESPID *id = NULL;
1516
1517 if (*argi == 2) {
1518 /* In this test we are expecting exactly 1 OCSP_RESPID */
1519 SSL_get_tlsext_status_ids(s, &ids);
1520 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1521 return SSL_TLSEXT_ERR_ALERT_FATAL;
1522
1523 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1524 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1525 return SSL_TLSEXT_ERR_ALERT_FATAL;
1526 } else if (*argi != 1) {
1527 return SSL_TLSEXT_ERR_ALERT_FATAL;
1528 }
1529
710756a9 1530 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1531 return SSL_TLSEXT_ERR_ALERT_FATAL;
1532
710756a9 1533 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1534 ocsp_server_called = 1;
ba881d3b
MC		 1535 return SSL_TLSEXT_ERR_OK;
1536}
1537
1538static int ocsp_client_cb(SSL *s, void *arg)
1539{
1540 int *argi = (int *)arg;
1541 const unsigned char *respderin;
1542 size_t len;
1543
1544 if (*argi != 1 && *argi != 2)
1545 return 0;
1546
1547 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1548 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1549 return 0;
1550
1551 ocsp_client_called = 1;
ba881d3b
MC		 1552 return 1;
1553}
1554
2cb4b5f6
MC		 1555static int test_tlsext_status_type(void)
1556{
ba881d3b
MC		 1557 SSL_CTX *cctx = NULL, *sctx = NULL;
1558 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1559 int testresult = 0;
ba881d3b
MC		 1560 STACK_OF(OCSP_RESPID) *ids = NULL;
1561 OCSP_RESPID *id = NULL;
1562 BIO *certbio = NULL;
2cb4b5f6 1563
5e30f2fd 1564 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1565 TLS1_VERSION, 0,
7d7f6834 1566 &sctx, &cctx, cert, privkey))
ba881d3b 1567 return 0;
2cb4b5f6 1568
710756a9 1569 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1570 goto end;
2cb4b5f6 1571
ba881d3b 1572 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1573
ba881d3b 1574 clientssl = SSL_new(cctx);
710756a9
RS		 1575 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1576 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1577 TLSEXT_STATUSTYPE_ocsp))
1578 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1579 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1580 goto end;
2cb4b5f6 1581
ba881d3b
MC		 1582 SSL_free(clientssl);
1583 clientssl = NULL;
2cb4b5f6 1584
710756a9
RS		 1585 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1586 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1587 goto end;
2cb4b5f6 1588
ba881d3b 1589 clientssl = SSL_new(cctx);
710756a9 1590 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1591 goto end;
ba881d3b
MC		 1592 SSL_free(clientssl);
1593 clientssl = NULL;
1594
1595 /*
1596 * Now actually do a handshake and check OCSP information is exchanged and
1597 * the callbacks get called
1598 */
ba881d3b
MC		 1599 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1600 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1601 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1602 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1604 &clientssl, NULL, NULL))
1605 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1606 SSL_ERROR_NONE))
1607 || !TEST_true(ocsp_client_called)
1608 || !TEST_true(ocsp_server_called))
ba881d3b 1609 goto end;
ba881d3b
MC		 1610 SSL_free(serverssl);
1611 SSL_free(clientssl);
1612 serverssl = NULL;
1613 clientssl = NULL;
1614
1615 /* Try again but this time force the server side callback to fail */
1616 ocsp_client_called = 0;
1617 ocsp_server_called = 0;
1618 cdummyarg = 0;
710756a9
RS		 1619 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1620 &clientssl, NULL, NULL))
1621 /* This should fail because the callback will fail */
1622 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1623 SSL_ERROR_NONE))
1624 || !TEST_false(ocsp_client_called)
1625 || !TEST_false(ocsp_server_called))
ba881d3b 1626 goto end;
ba881d3b
MC		 1627 SSL_free(serverssl);
1628 SSL_free(clientssl);
1629 serverssl = NULL;
1630 clientssl = NULL;
1631
1632 /*
1633 * This time we'll get the client to send an OCSP_RESPID that it will
1634 * accept.
1635 */
1636 ocsp_client_called = 0;
1637 ocsp_server_called = 0;
1638 cdummyarg = 2;
710756a9
RS		 1639 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1640 &clientssl, NULL, NULL)))
ba881d3b 1641 goto end;
ba881d3b
MC		 1642
1643 /*
1644 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1645 * specific one. We'll use the server cert.
ba881d3b 1646 */
710756a9
RS		 1647 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1648 || !TEST_ptr(id = OCSP_RESPID_new())
1649 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1650 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1651 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1652 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1653 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1654 goto end;
ba881d3b
MC		 1655 id = NULL;
1656 SSL_set_tlsext_status_ids(clientssl, ids);
1657 /* Control has been transferred */
1658 ids = NULL;
1659
1660 BIO_free(certbio);
1661 certbio = NULL;
1662
710756a9
RS		 1663 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1664 SSL_ERROR_NONE))
1665 || !TEST_true(ocsp_client_called)
1666 || !TEST_true(ocsp_server_called))
ba881d3b 1667 goto end;
ba881d3b 1668
2cb4b5f6
MC		 1669 testresult = 1;
1670
1671 end:
ba881d3b
MC		 1672 SSL_free(serverssl);
1673 SSL_free(clientssl);
1674 SSL_CTX_free(sctx);
1675 SSL_CTX_free(cctx);
1676 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1677 OCSP_RESPID_free(id);
1678 BIO_free(certbio);
1679 X509_free(ocspcert);
1680 ocspcert = NULL;
2cb4b5f6
MC		 1681
1682 return testresult;
1683}
8f8c11d8 1684#endif
2cb4b5f6 1685
a763ca11 1686#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1687static int new_called, remove_called, get_called;
eaa776da 1688
eaa776da
MC		 1689static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1690{
1691 new_called++;
c0537ebd
MC		 1692 /*
1693 * sess has been up-refed for us, but we don't actually need it so free it
1694 * immediately.
1695 */
1696 SSL_SESSION_free(sess);
eaa776da
MC		 1697 return 1;
1698}
1699
1700static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1701{
1702 remove_called++;
1703}
1704
7a301f08
MC		 1705static SSL_SESSION *get_sess_val = NULL;
1706
1707static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1708 int *copy)
1709{
0afca811 1710 get_called++;
7a301f08
MC		 1711 *copy = 1;
1712 return get_sess_val;
1713}
1714
7a301f08 1715static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1716 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1717{
1718 SSL_CTX *sctx = NULL, *cctx = NULL;
1719 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1720 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1721# ifndef OPENSSL_NO_TLS1_1
eaa776da 1722 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1723# endif
2cb4b5f6 1724 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1725 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1726
7e885b7b
P		 1727 new_called = remove_called = 0;
1728
36ff232c
MC		 1729 /* TLSv1.3 sends 2 NewSessionTickets */
1730 if (maxprot == TLS1_3_VERSION)
1731 numnewsesstick = 2;
1732
5e30f2fd
MC		 1733 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1734 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1735 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1736 return 0;
2cb4b5f6 1737
7a301f08
MC		 1738 /*
1739 * Only allow the max protocol version so we can force a connection failure
1740 * later
1741 */
1742 SSL_CTX_set_min_proto_version(cctx, maxprot);
1743 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1744
1745 /* Set up session cache */
7e885b7b 1746 if (use_ext_cache) {
eaa776da
MC		 1747 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1748 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1749 }
7e885b7b 1750 if (use_int_cache) {
eaa776da
MC		 1751 /* Also covers instance where both are set */
1752 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1753 } else {
1754 SSL_CTX_set_session_cache_mode(cctx,
1755 SSL_SESS_CACHE_CLIENT
1756 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1757 }
2cb4b5f6 1758
90fc2c26
NM		 1759 if (s_options) {
1760 SSL_CTX_set_options(sctx, s_options);
1761 }
1762
710756a9
RS		 1763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1764 NULL, NULL))
1765 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1766 SSL_ERROR_NONE))
1767 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1768 goto end;
2cb4b5f6 1769
710756a9 1770 /* Should fail because it should already be in the cache */
7e885b7b 1771 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1772 goto end;
7a301f08 1773 if (use_ext_cache
36ff232c
MC		 1774 && (!TEST_int_eq(new_called, numnewsesstick)
1775
1776 || !TEST_int_eq(remove_called, 0)))
b4982125 1777 goto end;
b4982125 1778
c0537ebd
MC		 1779 new_called = remove_called = 0;
1780 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1781 &clientssl2, NULL, NULL))
1782 || !TEST_true(SSL_set_session(clientssl2, sess1))
1783 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1784 SSL_ERROR_NONE))
1785 || !TEST_true(SSL_session_reused(clientssl2)))
1786 goto end;
1787
7a301f08
MC		 1788 if (maxprot == TLS1_3_VERSION) {
1789 /*
1790 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1791 * resumed. Since we attempted a resume we should also have removed the
1792 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1793 */
1794 if (use_ext_cache
1795 && (!TEST_int_eq(new_called, 1)
4cb00457 1796 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1797 goto end;
1798 } else {
1799 /*
1800 * In TLSv1.2 we expect to have resumed so no sessions added or
1801 * removed.
1802 */
1803 if (use_ext_cache
1804 && (!TEST_int_eq(new_called, 0)
1805 || !TEST_int_eq(remove_called, 0)))
1806 goto end;
1807 }
c0537ebd
MC		 1808
1809 SSL_SESSION_free(sess1);
1810 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1811 goto end;
1812 shutdown_ssl_connection(serverssl2, clientssl2);
1813 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1814
1815 new_called = remove_called = 0;
710756a9
RS		 1816 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1817 &clientssl2, NULL, NULL))
1818 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1819 SSL_ERROR_NONE)))
2cb4b5f6 1820 goto end;
2cb4b5f6 1821
710756a9 1822 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1823 goto end;
2cb4b5f6 1824
7a301f08 1825 if (use_ext_cache
36ff232c
MC		 1826 && (!TEST_int_eq(new_called, numnewsesstick)
1827 || !TEST_int_eq(remove_called, 0)))
eaa776da 1828 goto end;
eaa776da 1829
c0537ebd 1830 new_called = remove_called = 0;
2cb4b5f6 1831 /*
710756a9
RS		 1832 * This should clear sess2 from the cache because it is a "bad" session.
1833 * See SSL_set_session() documentation.
2cb4b5f6 1834 */
710756a9 1835 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1836 goto end;
7a301f08
MC		 1837 if (use_ext_cache
1838 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1839 goto end;
710756a9 1840 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1841 goto end;
2cb4b5f6 1842
7e885b7b 1843 if (use_int_cache) {
710756a9
RS		 1844 /* Should succeeded because it should not already be in the cache */
1845 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1846 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1847 goto end;
eaa776da
MC		 1848 }
1849
c0537ebd 1850 new_called = remove_called = 0;
eaa776da 1851 /* This shouldn't be in the cache so should fail */
710756a9 1852 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1853 goto end;
2cb4b5f6 1854
7a301f08
MC		 1855 if (use_ext_cache
1856 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1857 goto end;
2cb4b5f6 1858
bf208d95 1859# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1860 new_called = remove_called = 0;
eaa776da
MC		 1861 /* Force a connection failure */
1862 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1863 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1864 &clientssl3, NULL, NULL))
1865 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1866 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1867 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1868 SSL_ERROR_NONE)))
eaa776da 1869 goto end;
b4982125 1870
eaa776da 1871 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1872 if (use_ext_cache
1873 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1874 goto end;
2cb4b5f6 1875
710756a9 1876 /* Should succeed because it should not already be in the cache */
7e885b7b 1877 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1878 goto end;
bf208d95 1879# endif
eaa776da 1880
7a301f08
MC		 1881 /* Now do some tests for server side caching */
1882 if (use_ext_cache) {
1883 SSL_CTX_sess_set_new_cb(cctx, NULL);
1884 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1885 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1886 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1887 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1888 get_sess_val = NULL;
1889 }
1890
1891 SSL_CTX_set_session_cache_mode(cctx, 0);
1892 /* Internal caching is the default on the server side */
1893 if (!use_int_cache)
1894 SSL_CTX_set_session_cache_mode(sctx,
1895 SSL_SESS_CACHE_SERVER
1896 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1897
1898 SSL_free(serverssl1);
1899 SSL_free(clientssl1);
1900 serverssl1 = clientssl1 = NULL;
1901 SSL_free(serverssl2);
1902 SSL_free(clientssl2);
1903 serverssl2 = clientssl2 = NULL;
1904 SSL_SESSION_free(sess1);
1905 sess1 = NULL;
1906 SSL_SESSION_free(sess2);
1907 sess2 = NULL;
1908
1909 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1910 if (maxprot == TLS1_2_VERSION)
1911 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1912 new_called = remove_called = get_called = 0;
7a301f08
MC		 1913 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1914 NULL, NULL))
1915 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1916 SSL_ERROR_NONE))
1917 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1918 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1919 goto end;
1920
ee94ec2e
MC		 1921 if (use_int_cache) {
1922 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1923 /*
1924 * In TLSv1.3 it should not have been added to the internal cache,
1925 * except in the case where we also have an external cache (in that
1926 * case it gets added to the cache in order to generate remove
1927 * events after timeout).
1928 */
1929 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1930 goto end;
1931 } else {
1932 /* Should fail because it should already be in the cache */
1933 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1934 goto end;
1935 }
1936 }
7a301f08
MC		 1937
1938 if (use_ext_cache) {
1939 SSL_SESSION *tmp = sess2;
1940
36ff232c 1941 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1942 || !TEST_int_eq(remove_called, 0)
1943 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1944 goto end;
1945 /*
1946 * Delete the session from the internal cache to force a lookup from
1947 * the external cache. We take a copy first because
1948 * SSL_CTX_remove_session() also marks the session as non-resumable.
1949 */
ee94ec2e 1950 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1951 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1952 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1953 goto end;
1954 SSL_SESSION_free(sess2);
1955 }
7a301f08
MC		 1956 sess2 = tmp;
1957 }
1958
0afca811 1959 new_called = remove_called = get_called = 0;
7a301f08
MC		 1960 get_sess_val = sess2;
1961 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1962 &clientssl2, NULL, NULL))
1963 || !TEST_true(SSL_set_session(clientssl2, sess1))
1964 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1965 SSL_ERROR_NONE))
1966 || !TEST_true(SSL_session_reused(clientssl2)))
1967 goto end;
1968
0afca811 1969 if (use_ext_cache) {
32305f88 1970 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1971 goto end;
1972
1973 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1974 if (!TEST_int_eq(new_called, 1)
1975 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1976 goto end;
1977 } else {
32305f88
MC		 1978 if (!TEST_int_eq(new_called, 0)
1979 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1980 goto end;
1981 }
1982 }
7a301f08 1983
2cb4b5f6 1984 testresult = 1;
eaa776da 1985
2cb4b5f6
MC		 1986 end:
1987 SSL_free(serverssl1);
1988 SSL_free(clientssl1);
1989 SSL_free(serverssl2);
1990 SSL_free(clientssl2);
bf208d95 1991# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1992 SSL_free(serverssl3);
1993 SSL_free(clientssl3);
bf208d95 1994# endif
2cb4b5f6
MC		 1995 SSL_SESSION_free(sess1);
1996 SSL_SESSION_free(sess2);
1997 SSL_CTX_free(sctx);
1998 SSL_CTX_free(cctx);
1999
2000 return testresult;
2001}
a763ca11 2002#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2003
7fb4c820
MC		 2004static int test_session_with_only_int_cache(void)
2005{
a763ca11 2006#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2007 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2008 return 0;
2009#endif
2010
2011#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2012 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2013#else
2014 return 1;
2015#endif
eaa776da
MC		 2016}
2017
7fb4c820
MC		 2018static int test_session_with_only_ext_cache(void)
2019{
a763ca11 2020#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2021 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2022 return 0;
2023#endif
2024
2025#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2026 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2027#else
2028 return 1;
2029#endif
eaa776da
MC		 2030}
2031
7fb4c820
MC		 2032static int test_session_with_both_cache(void)
2033{
a763ca11 2034#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2035 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2036 return 0;
2037#endif
2038
2039#ifndef OPENSSL_NO_TLS1_2
2040 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2041#else
2042 return 1;
2043#endif
2044}
2045
2046static int test_session_wo_ca_names(void)
2047{
a763ca11 2048#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2049 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2050 return 0;
2051#endif
2052
2053#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2054 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2055#else
2056 return 1;
2057#endif
eaa776da
MC		 2058}
2059
90fc2c26 2060
a763ca11 2061#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2062static SSL_SESSION *sesscache[6];
2063static int do_cache;
36ff232c
MC		 2064
2065static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2066{
c22365b3
MC		 2067 if (do_cache) {
2068 sesscache[new_called] = sess;
2069 } else {
2070 /* We don't need the reference to the session, so free it */
2071 SSL_SESSION_free(sess);
2072 }
2073 new_called++;
2074
2075 return 1;
2076}
2077
2078static int post_handshake_verify(SSL *sssl, SSL *cssl)
2079{
2080 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2081 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2082 return 0;
2083
2084 /* Start handshake on the server and client */
2085 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2086 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2087 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2088 || !TEST_true(create_ssl_connection(sssl, cssl,
2089 SSL_ERROR_NONE)))
2090 return 0;
36ff232c
MC		 2091
2092 return 1;
2093}
2094
fbe9dafd 2095static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2096 SSL_CTX **cctx)
2097{
2098 int sess_id_ctx = 1;
2099
5e30f2fd
MC		 2100 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2101 TLS_client_method(), TLS1_VERSION, 0,
2102 sctx, cctx, cert, privkey))
03cdf559
MC		 2103 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2104 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2105 (void *)&sess_id_ctx,
2106 sizeof(sess_id_ctx))))
2107 return 0;
2108
2109 if (stateful)
2110 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2111
2112 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2113 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2114 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2115
2116 return 1;
2117}
2118
2119static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2120{
2121 SSL *serverssl = NULL, *clientssl = NULL;
2122 int i;
2123
2124 /* Test that we can resume with all the tickets we got given */
2125 for (i = 0; i < idx * 2; i++) {
2126 new_called = 0;
2127 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2128 &clientssl, NULL, NULL))
2129 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2130 goto end;
2131
32097b33 2132 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2133
2134 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2135 SSL_ERROR_NONE)))
2136 goto end;
2137
2138 /*
2139 * Following a successful resumption we only get 1 ticket. After a
2140 * failed one we should get idx tickets.
2141 */
2142 if (succ) {
2143 if (!TEST_true(SSL_session_reused(clientssl))
2144 || !TEST_int_eq(new_called, 1))
2145 goto end;
2146 } else {
2147 if (!TEST_false(SSL_session_reused(clientssl))
2148 || !TEST_int_eq(new_called, idx))
2149 goto end;
2150 }
2151
2152 new_called = 0;
2153 /* After a post-handshake authentication we should get 1 new ticket */
2154 if (succ
2155 && (!post_handshake_verify(serverssl, clientssl)
2156 || !TEST_int_eq(new_called, 1)))
2157 goto end;
2158
2159 SSL_shutdown(clientssl);
2160 SSL_shutdown(serverssl);
2161 SSL_free(serverssl);
2162 SSL_free(clientssl);
2163 serverssl = clientssl = NULL;
2164 SSL_SESSION_free(sesscache[i]);
2165 sesscache[i] = NULL;
2166 }
2167
2168 return 1;
2169
2170 end:
2171 SSL_free(clientssl);
2172 SSL_free(serverssl);
2173 return 0;
2174}
2175
04d7814a 2176static int test_tickets(int stateful, int idx)
36ff232c
MC		 2177{
2178 SSL_CTX *sctx = NULL, *cctx = NULL;
2179 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2180 int testresult = 0;
36ff232c
MC		 2181 size_t j;
2182
2183 /* idx is the test number, but also the number of tickets we want */
2184
2185 new_called = 0;
c22365b3 2186 do_cache = 1;
36ff232c 2187
fbe9dafd 2188 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2189 goto end;
2190
03cdf559
MC		 2191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2192 &clientssl, NULL, NULL)))
2193 goto end;
2194
2195 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2196 SSL_ERROR_NONE))
2197 /* Check we got the number of tickets we were expecting */
2198 || !TEST_int_eq(idx, new_called))
2199 goto end;
04d7814a 2200
03cdf559
MC		 2201 SSL_shutdown(clientssl);
2202 SSL_shutdown(serverssl);
2203 SSL_free(serverssl);
2204 SSL_free(clientssl);
2205 SSL_CTX_free(sctx);
2206 SSL_CTX_free(cctx);
2207 clientssl = serverssl = NULL;
2208 sctx = cctx = NULL;
2209
2210 /*
2211 * Now we try to resume with the tickets we previously created. The
2212 * resumption attempt is expected to fail (because we're now using a new
2213 * SSL_CTX). We should see idx number of tickets issued again.
2214 */
2215
2216 /* Stop caching sessions - just count them */
2217 do_cache = 0;
2218
fbe9dafd 2219 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2220 goto end;
2221
2222 if (!check_resumption(idx, sctx, cctx, 0))
2223 goto end;
2224
2225 /* Start again with caching sessions */
2226 new_called = 0;
2227 do_cache = 1;
fbe9dafd
MC		 2228 SSL_CTX_free(sctx);
2229 SSL_CTX_free(cctx);
2230 sctx = cctx = NULL;
03cdf559 2231
fbe9dafd 2232 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2233 goto end;
36ff232c
MC		 2234
2235 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2236 &clientssl, NULL, NULL)))
2237 goto end;
2238
32097b33 2239 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2240
2241 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2242 SSL_ERROR_NONE))
2243 /* Check we got the number of tickets we were expecting */
2244 || !TEST_int_eq(idx, new_called))
2245 goto end;
2246
2247 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2248 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2249 || !TEST_int_eq(idx * 2, new_called))
2250 goto end;
2251
36ff232c
MC		 2252 SSL_shutdown(clientssl);
2253 SSL_shutdown(serverssl);
2254 SSL_free(serverssl);
2255 SSL_free(clientssl);
2256 serverssl = clientssl = NULL;
2257
c22365b3
MC		 2258 /* Stop caching sessions - just count them */
2259 do_cache = 0;
2260
03cdf559
MC		 2261 /*
2262 * Check we can resume with all the tickets we created. This time around the
2263 * resumptions should all be successful.
2264 */
2265 if (!check_resumption(idx, sctx, cctx, 1))
2266 goto end;
36ff232c
MC		 2267
2268 testresult = 1;
2269
2270 end:
2271 SSL_free(serverssl);
2272 SSL_free(clientssl);
c22365b3 2273 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2274 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2275 sesscache[j] = NULL;
2276 }
36ff232c
MC		 2277 SSL_CTX_free(sctx);
2278 SSL_CTX_free(cctx);
2279
2280 return testresult;
2281}
04d7814a
MC		 2282
2283static int test_stateless_tickets(int idx)
2284{
2285 return test_tickets(0, idx);
2286}
2287
2288static int test_stateful_tickets(int idx)
2289{
2290 return test_tickets(1, idx);
2291}
8614a4eb
MC		 2292
2293static int test_psk_tickets(void)
2294{
2295 SSL_CTX *sctx = NULL, *cctx = NULL;
2296 SSL *serverssl = NULL, *clientssl = NULL;
2297 int testresult = 0;
2298 int sess_id_ctx = 1;
2299
5e30f2fd
MC		 2300 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2301 TLS_client_method(), TLS1_VERSION, 0,
2302 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2303 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2304 (void *)&sess_id_ctx,
2305 sizeof(sess_id_ctx))))
2306 goto end;
2307
2308 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2309 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2310 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2311 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2312 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2313 use_session_cb_cnt = 0;
2314 find_session_cb_cnt = 0;
2315 srvid = pskid;
2316 new_called = 0;
2317
2318 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2319 NULL, NULL)))
2320 goto end;
2321 clientpsk = serverpsk = create_a_psk(clientssl);
2322 if (!TEST_ptr(clientpsk))
2323 goto end;
2324 SSL_SESSION_up_ref(clientpsk);
2325
2326 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2327 SSL_ERROR_NONE))
2328 || !TEST_int_eq(1, find_session_cb_cnt)
2329 || !TEST_int_eq(1, use_session_cb_cnt)
2330 /* We should always get 1 ticket when using external PSK */
2331 || !TEST_int_eq(1, new_called))
2332 goto end;
2333
2334 testresult = 1;
2335
2336 end:
2337 SSL_free(serverssl);
2338 SSL_free(clientssl);
2339 SSL_CTX_free(sctx);
2340 SSL_CTX_free(cctx);
2341 SSL_SESSION_free(clientpsk);
2342 SSL_SESSION_free(serverpsk);
2343 clientpsk = serverpsk = NULL;
2344
2345 return testresult;
2346}
f0049b86
BK		 2347
2348static int test_extra_tickets(int idx)
2349{
2350 SSL_CTX *sctx = NULL, *cctx = NULL;
2351 SSL *serverssl = NULL, *clientssl = NULL;
2352 BIO *bretry = BIO_new(bio_s_always_retry());
2353 BIO *tmp = NULL;
2354 int testresult = 0;
2355 int stateful = 0;
2356 size_t nbytes;
2357 unsigned char c, buf[1];
2358
2359 new_called = 0;
2360 do_cache = 1;
2361
2362 if (idx >= 3) {
2363 idx -= 3;
2364 stateful = 1;
2365 }
2366
2367 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2368 goto end;
2369 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2370 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2371 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2372
2373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2374 &clientssl, NULL, NULL)))
2375 goto end;
2376
2377 /*
2378 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2379 * incremented by both client and server.
2380 */
2381 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2382 SSL_ERROR_NONE))
2383 /* Check we got the number of tickets we were expecting */
2384 || !TEST_int_eq(idx * 2, new_called)
2385 || !TEST_true(SSL_new_session_ticket(serverssl))
2386 || !TEST_true(SSL_new_session_ticket(serverssl))
2387 || !TEST_int_eq(idx * 2, new_called))
2388 goto end;
2389
2390 /* Now try a (real) write to actually send the tickets */
2391 c = '1';
2392 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2393 || !TEST_size_t_eq(1, nbytes)
2394 || !TEST_int_eq(idx * 2 + 2, new_called)
2395 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2396 || !TEST_int_eq(idx * 2 + 4, new_called)
2397 || !TEST_int_eq(sizeof(buf), nbytes)
2398 || !TEST_int_eq(c, buf[0])
2399 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2400 goto end;
2401
2402 /* Try with only requesting one new ticket, too */
2403 c = '2';
2404 new_called = 0;
2405 if (!TEST_true(SSL_new_session_ticket(serverssl))
2406 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2407 || !TEST_size_t_eq(sizeof(c), nbytes)
2408 || !TEST_int_eq(1, new_called)
2409 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2410 || !TEST_int_eq(2, new_called)
2411 || !TEST_size_t_eq(sizeof(buf), nbytes)
2412 || !TEST_int_eq(c, buf[0]))
2413 goto end;
2414
2415 /* Do it again but use dummy writes to drive the ticket generation */
2416 c = '3';
2417 new_called = 0;
2418 if (!TEST_true(SSL_new_session_ticket(serverssl))
2419 || !TEST_true(SSL_new_session_ticket(serverssl))
2420 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2421 || !TEST_size_t_eq(0, nbytes)
2422 || !TEST_int_eq(2, new_called)
2423 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2424 || !TEST_int_eq(4, new_called))
2425 goto end;
2426
2427 /*
2428 * Use the always-retry BIO to exercise the logic that forces ticket
2429 * generation to wait until a record boundary.
2430 */
2431 c = '4';
2432 new_called = 0;
2433 tmp = SSL_get_wbio(serverssl);
2434 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2435 tmp = NULL;
2436 goto end;
2437 }
2438 SSL_set0_wbio(serverssl, bretry);
2439 bretry = NULL;
2440 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2441 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2442 || !TEST_size_t_eq(nbytes, 0))
2443 goto end;
2444 /* Restore a BIO that will let the write succeed */
2445 SSL_set0_wbio(serverssl, tmp);
2446 tmp = NULL;
2447 /* These calls should just queue the request and not send anything. */
2448 if (!TEST_true(SSL_new_session_ticket(serverssl))
2449 || !TEST_true(SSL_new_session_ticket(serverssl))
2450 || !TEST_int_eq(0, new_called))
2451 goto end;
2452 /* Re-do the write; still no tickets sent */
2453 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2454 || !TEST_size_t_eq(1, nbytes)
2455 || !TEST_int_eq(0, new_called)
2456 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2457 || !TEST_int_eq(0, new_called)
2458 || !TEST_int_eq(sizeof(buf), nbytes)
2459 || !TEST_int_eq(c, buf[0])
2460 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2461 goto end;
2462 /* Now the *next* write should send the tickets */
2463 c = '5';
2464 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2465 || !TEST_size_t_eq(1, nbytes)
2466 || !TEST_int_eq(2, new_called)
2467 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2468 || !TEST_int_eq(4, new_called)
2469 || !TEST_int_eq(sizeof(buf), nbytes)
2470 || !TEST_int_eq(c, buf[0])
2471 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2472 goto end;
2473
2474 SSL_shutdown(clientssl);
2475 SSL_shutdown(serverssl);
2476 testresult = 1;
2477
2478 end:
2479 BIO_free(bretry);
2480 BIO_free(tmp);
2481 SSL_free(serverssl);
2482 SSL_free(clientssl);
2483 SSL_CTX_free(sctx);
2484 SSL_CTX_free(cctx);
2485 clientssl = serverssl = NULL;
2486 sctx = cctx = NULL;
2487 return testresult;
2488}
04225915 2489#endif
36ff232c 2490
7d4488bb
MC		 2491#define USE_NULL 0
2492#define USE_BIO_1 1
2493#define USE_BIO_2 2
2494#define USE_DEFAULT 3
2495
2496#define CONNTYPE_CONNECTION_SUCCESS 0
2497#define CONNTYPE_CONNECTION_FAIL 1
2498#define CONNTYPE_NO_CONNECTION 2
2499
2500#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2501#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2502#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2503# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2504#else
2505# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2506#endif
2507
7d4488bb
MC		 2508#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2509 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2510 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2511
2512static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2513{
2514 switch (type) {
2515 case USE_NULL:
2516 *res = NULL;
2517 break;
2518 case USE_BIO_1:
2519 *res = bio1;
2520 break;
2521 case USE_BIO_2:
2522 *res = bio2;
2523 break;
2524 }
2525}
2526
7d4488bb
MC		 2527
2528/*
2529 * Tests calls to SSL_set_bio() under various conditions.
2530 *
2531 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2532 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2533 * then do more tests where we create a successful connection first using our
2534 * standard connection setup functions, and then call SSL_set_bio() with
2535 * various combinations of valid BIOs or NULL. We then repeat these tests
2536 * following a failed connection. In this last case we are looking to check that
2537 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2538 */
7fb4c820
MC		 2539static int test_ssl_set_bio(int idx)
2540{
7d4488bb 2541 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2542 BIO *bio1 = NULL;
2543 BIO *bio2 = NULL;
0fae8150 2544 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2545 SSL *serverssl = NULL, *clientssl = NULL;
2546 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2547 int testresult = 0;
2548
7d4488bb
MC		 2549 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2550 initrbio = idx % 3;
2551 idx /= 3;
2552 initwbio = idx % 3;
2553 idx /= 3;
2554 newrbio = idx % 3;
2555 idx /= 3;
2556 newwbio = idx % 3;
2557 conntype = CONNTYPE_NO_CONNECTION;
2558 } else {
2559 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2560 initrbio = initwbio = USE_DEFAULT;
2561 newrbio = idx % 2;
2562 idx /= 2;
2563 newwbio = idx % 2;
2564 idx /= 2;
2565 conntype = idx % 2;
2566 }
710756a9 2567
5e30f2fd
MC		 2568 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2569 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2570 &sctx, &cctx, cert, privkey)))
2571 goto end;
2572
2573 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2574 /*
2575 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2576 * because we reduced the number of tests in the definition of
2577 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2578 * mismatched protocol versions we will force a connection failure.
2579 */
2580 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2581 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2582 }
2583
2584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2585 NULL, NULL)))
710756a9 2586 goto end;
7fb4c820 2587
710756a9
RS		 2588 if (initrbio == USE_BIO_1
2589 || initwbio == USE_BIO_1
2590 || newrbio == USE_BIO_1
7fb4c820 2591 || newwbio == USE_BIO_1) {
710756a9 2592 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2593 goto end;
7fb4c820
MC		 2594 }
2595
710756a9
RS		 2596 if (initrbio == USE_BIO_2
2597 || initwbio == USE_BIO_2
2598 || newrbio == USE_BIO_2
7fb4c820 2599 || newwbio == USE_BIO_2) {
710756a9 2600 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2601 goto end;
7fb4c820
MC		 2602 }
2603
7d4488bb
MC		 2604 if (initrbio != USE_DEFAULT) {
2605 setupbio(&irbio, bio1, bio2, initrbio);
2606 setupbio(&iwbio, bio1, bio2, initwbio);
2607 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2608
7d4488bb
MC		 2609 /*
2610 * We want to maintain our own refs to these BIO, so do an up ref for
2611 * each BIO that will have ownership transferred in the SSL_set_bio()
2612 * call
2613 */
2614 if (irbio != NULL)
2615 BIO_up_ref(irbio);
2616 if (iwbio != NULL && iwbio != irbio)
2617 BIO_up_ref(iwbio);
2618 }
7fb4c820 2619
7d4488bb
MC		 2620 if (conntype != CONNTYPE_NO_CONNECTION
2621 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2622 SSL_ERROR_NONE)
2623 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2624 goto end;
7fb4c820
MC		 2625
2626 setupbio(&nrbio, bio1, bio2, newrbio);
2627 setupbio(&nwbio, bio1, bio2, newwbio);
2628
2629 /*
2630 * We will (maybe) transfer ownership again so do more up refs.
2631 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2632 * already been set!
2633 */
710756a9
RS		 2634 if (nrbio != NULL
2635 && nrbio != irbio
2636 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2637 BIO_up_ref(nrbio);
710756a9
RS		 2638 if (nwbio != NULL
2639 && nwbio != nrbio
2640 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2641 BIO_up_ref(nwbio);
2642
7d4488bb 2643 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2644
2645 testresult = 1;
2646
2647 end:
7fb4c820
MC		 2648 BIO_free(bio1);
2649 BIO_free(bio2);
710756a9 2650
7fb4c820
MC		 2651 /*
2652 * This test is checking that the ref counting for SSL_set_bio is correct.
2653 * If we get here and we did too many frees then we will fail in the above
742ccab3 2654 * functions.
7fb4c820 2655 */
7d4488bb
MC		 2656 SSL_free(serverssl);
2657 SSL_free(clientssl);
2658 SSL_CTX_free(sctx);
2659 SSL_CTX_free(cctx);
7fb4c820
MC		 2660 return testresult;
2661}
2662
7e885b7b 2663typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2664
7e885b7b 2665static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2666{
2667 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2668 SSL_CTX *ctx;
9a716987
MC		 2669 SSL *ssl = NULL;
2670 int testresult = 0;
2671
d8652be0 2672 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2673 || !TEST_ptr(ssl = SSL_new(ctx))
2674 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2675 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2676 goto end;
9a716987
MC		 2677
2678 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2679
2680 /*
742ccab3 2681 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2682 */
2683 BIO_push(sslbio, membio1);
2684
69687aa8 2685 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2686 if (change_bio != NO_BIO_CHANGE) {
710756a9 2687 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2688 goto end;
7e885b7b 2689 if (change_bio == CHANGE_RBIO)
65e2d672 2690 SSL_set0_rbio(ssl, membio2);
9a716987 2691 else
65e2d672 2692 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2693 }
2694 ssl = NULL;
2695
7e885b7b 2696 if (pop_ssl)
9a716987
MC		 2697 BIO_pop(sslbio);
2698 else
2699 BIO_pop(membio1);
2700
2701 testresult = 1;
2702 end:
2703 BIO_free(membio1);
2704 BIO_free(sslbio);
2705 SSL_free(ssl);
2706 SSL_CTX_free(ctx);
2707
2708 return testresult;
2709}
2710
2711static int test_ssl_bio_pop_next_bio(void)
2712{
7e885b7b 2713 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2714}
2715
2716static int test_ssl_bio_pop_ssl_bio(void)
2717{
7e885b7b 2718 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2719}
2720
2721static int test_ssl_bio_change_rbio(void)
2722{
7e885b7b 2723 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2724}
2725
2726static int test_ssl_bio_change_wbio(void)
2727{
7e885b7b 2728 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2729}
2730
a763ca11 2731#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2732typedef struct {
2733 /* The list of sig algs */
2734 const int *list;
2735 /* The length of the list */
2736 size_t listlen;
2737 /* A sigalgs list in string format */
2738 const char *liststr;
2739 /* Whether setting the list should succeed */
2740 int valid;
2741 /* Whether creating a connection with the list should succeed */
2742 int connsuccess;
2743} sigalgs_list;
2744
2745static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2746# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2747static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2748static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2749# endif
f1b25aae
MC		 2750static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2751static const int invalidlist2[] = {NID_sha256, NID_undef};
2752static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2753static const int invalidlist4[] = {NID_sha256};
2754static const sigalgs_list testsigalgs[] = {
2755 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2756# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2757 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2758 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2759# endif
f1b25aae 2760 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2761# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2762 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2763 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2764# endif
f1b25aae
MC		 2765 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2766 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2767 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2768 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2769 {NULL, 0, "RSA", 0, 0},
2770 {NULL, 0, "SHA256", 0, 0},
2771 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2772 {NULL, 0, "Invalid", 0, 0}
2773};
f1b25aae
MC		 2774
2775static int test_set_sigalgs(int idx)
2776{
2777 SSL_CTX *cctx = NULL, *sctx = NULL;
2778 SSL *clientssl = NULL, *serverssl = NULL;
2779 int testresult = 0;
2780 const sigalgs_list *curr;
2781 int testctx;
2782
2783 /* Should never happen */
710756a9 2784 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2785 return 0;
2786
2787 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2788 curr = testctx ? &testsigalgs[idx]
2789 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2790
5e30f2fd
MC		 2791 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2792 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2793 &sctx, &cctx, cert, privkey)))
f1b25aae 2794 return 0;
f1b25aae 2795
d2e491f2
MC		 2796 /*
2797 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2798 * for TLSv1.2 for now until we add a new API.
2799 */
2800 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2801
f1b25aae
MC		 2802 if (testctx) {
2803 int ret;
710756a9 2804
f1b25aae
MC		 2805 if (curr->list != NULL)
2806 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2807 else
2808 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2809
2810 if (!ret) {
2811 if (curr->valid)
710756a9 2812 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2813 else
2814 testresult = 1;
2815 goto end;
2816 }
2817 if (!curr->valid) {
710756a9 2818 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2819 goto end;
2820 }
2821 }
2822
710756a9
RS		 2823 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2824 &clientssl, NULL, NULL)))
f1b25aae 2825 goto end;
f1b25aae
MC		 2826
2827 if (!testctx) {
2828 int ret;
2829
2830 if (curr->list != NULL)
2831 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2832 else
2833 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2834 if (!ret) {
2835 if (curr->valid)
710756a9 2836 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2837 else
2838 testresult = 1;
2839 goto end;
2840 }
710756a9 2841 if (!curr->valid)
f1b25aae 2842 goto end;
f1b25aae
MC		 2843 }
2844
710756a9
RS		 2845 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2846 SSL_ERROR_NONE),
2847 curr->connsuccess))
f1b25aae 2848 goto end;
f1b25aae
MC		 2849
2850 testresult = 1;
2851
2852 end:
2853 SSL_free(serverssl);
2854 SSL_free(clientssl);
2855 SSL_CTX_free(sctx);
2856 SSL_CTX_free(cctx);
2857
2858 return testresult;
2859}
c423ecaa 2860#endif
f1b25aae 2861
a763ca11 2862#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 2863static int psk_client_cb_cnt = 0;
2864static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2865
2866static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2867 size_t *idlen, SSL_SESSION **sess)
2868{
2869 switch (++use_session_cb_cnt) {
2870 case 1:
2871 /* The first call should always have a NULL md */
2872 if (md != NULL)
2873 return 0;
2874 break;
2875
2876 case 2:
2877 /* The second call should always have an md */
2878 if (md == NULL)
2879 return 0;
2880 break;
2881
2882 default:
2883 /* We should only be called a maximum of twice */
2884 return 0;
2885 }
2886
57dee9bb
MC		 2887 if (clientpsk != NULL)
2888 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2889
57dee9bb 2890 *sess = clientpsk;
02a3ed5a
MC		 2891 *id = (const unsigned char *)pskid;
2892 *idlen = strlen(pskid);
2893
2894 return 1;
2895}
2896
c2b290c3 2897#ifndef OPENSSL_NO_PSK
532f9578
MC		 2898static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2899 unsigned int max_id_len,
2900 unsigned char *psk,
2901 unsigned int max_psk_len)
2902{
2903 unsigned int psklen = 0;
2904
2905 psk_client_cb_cnt++;
2906
2907 if (strlen(pskid) + 1 > max_id_len)
2908 return 0;
2909
2910 /* We should only ever be called a maximum of twice per connection */
2911 if (psk_client_cb_cnt > 2)
2912 return 0;
2913
2914 if (clientpsk == NULL)
2915 return 0;
2916
2917 /* We'll reuse the PSK we set up for TLSv1.3 */
2918 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2919 return 0;
2920 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2921 strncpy(id, pskid, max_id_len);
2922
2923 return psklen;
2924}
c2b290c3 2925#endif /* OPENSSL_NO_PSK */
532f9578 2926
02a3ed5a
MC		 2927static int find_session_cb(SSL *ssl, const unsigned char *identity,
2928 size_t identity_len, SSL_SESSION **sess)
2929{
2930 find_session_cb_cnt++;
2931
2932 /* We should only ever be called a maximum of twice per connection */
2933 if (find_session_cb_cnt > 2)
2934 return 0;
2935
57dee9bb 2936 if (serverpsk == NULL)
02a3ed5a
MC		 2937 return 0;
2938
2939 /* Identity should match that set by the client */
2940 if (strlen(srvid) != identity_len
2941 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2942 /* No PSK found, continue but without a PSK */
2943 *sess = NULL;
2944 return 1;
2945 }
2946
57dee9bb
MC		 2947 SSL_SESSION_up_ref(serverpsk);
2948 *sess = serverpsk;
02a3ed5a
MC		 2949
2950 return 1;
2951}
2952
c2b290c3 2953#ifndef OPENSSL_NO_PSK
532f9578
MC		 2954static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2955 unsigned char *psk, unsigned int max_psk_len)
2956{
2957 unsigned int psklen = 0;
2958
2959 psk_server_cb_cnt++;
2960
2961 /* We should only ever be called a maximum of twice per connection */
2962 if (find_session_cb_cnt > 2)
2963 return 0;
2964
2965 if (serverpsk == NULL)
2966 return 0;
2967
2968 /* Identity should match that set by the client */
2969 if (strcmp(srvid, identity) != 0) {
2970 return 0;
2971 }
2972
2973 /* We'll reuse the PSK we set up for TLSv1.3 */
2974 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2975 return 0;
2976 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2977
2978 return psklen;
2979}
c2b290c3 2980#endif /* OPENSSL_NO_PSK */
532f9578 2981
5f982038
MC		 2982#define MSG1 "Hello"
2983#define MSG2 "World."
2984#define MSG3 "This"
2985#define MSG4 "is"
2986#define MSG5 "a"
90049cea
MC		 2987#define MSG6 "test"
2988#define MSG7 "message."
5f982038 2989
532f9578 2990#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 2991#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2992#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2993#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2994#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 2995
8614a4eb
MC		 2996
2997static SSL_SESSION *create_a_psk(SSL *ssl)
2998{
2999 const SSL_CIPHER *cipher = NULL;
3000 const unsigned char key[] = {
3001 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3002 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3003 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3004 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3005 0x2c, 0x2d, 0x2e, 0x2f
3006 };
3007 SSL_SESSION *sess = NULL;
3008
3009 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3010 sess = SSL_SESSION_new();
3011 if (!TEST_ptr(sess)
3012 || !TEST_ptr(cipher)
3013 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3014 sizeof(key)))
3015 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3016 || !TEST_true(
3017 SSL_SESSION_set_protocol_version(sess,
3018 TLS1_3_VERSION))) {
3019 SSL_SESSION_free(sess);
3020 return NULL;
3021 }
3022 return sess;
3023}
3024
5f982038
MC		 3025/*
3026 * Helper method to setup objects for early data test. Caller frees objects on
3027 * error.
3028 */
3029static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3030 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3031{
5a421415 3032 if (*sctx == NULL
5e30f2fd 3033 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3034 TLS_client_method(),
5c587fb6 3035 TLS1_VERSION, 0,
5a421415
MC		 3036 sctx, cctx, cert, privkey)))
3037 return 0;
3038
3039 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3040 return 0;
5f982038 3041
02a3ed5a
MC		 3042 if (idx == 1) {
3043 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3044 SSL_CTX_set_read_ahead(*cctx, 1);
3045 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3046 } else if (idx == 2) {
3047 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3048 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3049 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3050 use_session_cb_cnt = 0;
3051 find_session_cb_cnt = 0;
3052 srvid = pskid;
3cb47b4e
MC		 3053 }
3054
710756a9 3055 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3056 NULL, NULL)))
3057 return 0;
3058
141e4709
MC		 3059 /*
3060 * For one of the run throughs (doesn't matter which one), we'll try sending
3061 * some SNI data in the initial ClientHello. This will be ignored (because
3062 * there is no SNI cb set up by the server), so it should not impact
3063 * early_data.
3064 */
3065 if (idx == 1
3066 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3067 return 0;
3068
02a3ed5a 3069 if (idx == 2) {
8614a4eb 3070 clientpsk = create_a_psk(*clientssl);
57dee9bb 3071 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3072 /*
3073 * We just choose an arbitrary value for max_early_data which
3074 * should be big enough for testing purposes.
3075 */
57dee9bb
MC		 3076 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3077 0x100))
3078 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3079 SSL_SESSION_free(clientpsk);
3080 clientpsk = NULL;
02a3ed5a
MC		 3081 return 0;
3082 }
57dee9bb 3083 serverpsk = clientpsk;
02a3ed5a 3084
c20e3b28
MC		 3085 if (sess != NULL) {
3086 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3087 SSL_SESSION_free(clientpsk);
3088 SSL_SESSION_free(serverpsk);
3089 clientpsk = serverpsk = NULL;
3090 return 0;
3091 }
57dee9bb 3092 *sess = clientpsk;
c20e3b28 3093 }
02a3ed5a
MC		 3094 return 1;
3095 }
3096
3097 if (sess == NULL)
3098 return 1;
3099
3100 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3101 SSL_ERROR_NONE)))
5f982038 3102 return 0;
5f982038
MC		 3103
3104 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3105 SSL_shutdown(*clientssl);
3106 SSL_shutdown(*serverssl);
5f982038
MC		 3107 SSL_free(*serverssl);
3108 SSL_free(*clientssl);
3109 *serverssl = *clientssl = NULL;
3110
710756a9
RS		 3111 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3112 clientssl, NULL, NULL))
3113 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3114 return 0;
5f982038
MC		 3115
3116 return 1;
3117}
3118
3cb47b4e 3119static int test_early_data_read_write(int idx)
5f982038
MC		 3120{
3121 SSL_CTX *cctx = NULL, *sctx = NULL;
3122 SSL *clientssl = NULL, *serverssl = NULL;
3123 int testresult = 0;
3124 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3125 unsigned char buf[20], data[1024];
3126 size_t readbytes, written, eoedlen, rawread, rawwritten;
3127 BIO *rbio;
5f982038 3128
710756a9
RS		 3129 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3130 &serverssl, &sess, idx)))
5f982038
MC		 3131 goto end;
3132
3133 /* Write and read some early data */
710756a9
RS		 3134 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3135 &written))
3136 || !TEST_size_t_eq(written, strlen(MSG1))
3137 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3138 sizeof(buf), &readbytes),
3139 SSL_READ_EARLY_DATA_SUCCESS)
3140 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3141 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3142 SSL_EARLY_DATA_ACCEPTED))
5f982038 3143 goto end;
5f982038
MC		 3144
3145 /*
09f28874 3146 * Server should be able to write data, and client should be able to
5f982038
MC		 3147 * read it.
3148 */
710756a9
RS		 3149 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3150 &written))
3151 || !TEST_size_t_eq(written, strlen(MSG2))
3152 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3153 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3154 goto end;
5f982038
MC		 3155
3156 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3157 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3158 &written))
3159 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3160 goto end;
5f982038 3161
09f28874 3162 /* Server should still be able read early data after writing data */
710756a9
RS		 3163 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3164 &readbytes),
3165 SSL_READ_EARLY_DATA_SUCCESS)
3166 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3167 goto end;
5f982038 3168
09f28874 3169 /* Write more data from server and read it from client */
710756a9
RS		 3170 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3171 &written))
3172 || !TEST_size_t_eq(written, strlen(MSG4))
3173 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3174 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3175 goto end;
5f982038
MC		 3176
3177 /*
3178 * If client writes normal data it should mean writing early data is no
3179 * longer possible.
3180 */
710756a9
RS		 3181 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3182 || !TEST_size_t_eq(written, strlen(MSG5))
3183 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3184 SSL_EARLY_DATA_ACCEPTED))
5f982038 3185 goto end;
5f982038 3186
9b5c865d
MC		 3187 /*
3188 * At this point the client has written EndOfEarlyData, ClientFinished and
3189 * normal (fully protected) data. We are going to cause a delay between the
3190 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3191 * in the read BIO, and then just put back the EndOfEarlyData message.
3192 */
3193 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3194 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3195 || !TEST_size_t_lt(rawread, sizeof(data))
3196 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3197 goto end;
710756a9 3198
9b5c865d
MC		 3199 /* Record length is in the 4th and 5th bytes of the record header */
3200 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3201 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3202 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3203 goto end;
9b5c865d 3204
5f982038 3205 /* Server should be told that there is no more early data */
710756a9
RS		 3206 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3207 &readbytes),
3208 SSL_READ_EARLY_DATA_FINISH)
3209 || !TEST_size_t_eq(readbytes, 0))
5f982038 3210 goto end;
5f982038 3211
9b5c865d
MC		 3212 /*
3213 * Server has not finished init yet, so should still be able to write early
3214 * data.
3215 */
710756a9
RS		 3216 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3217 &written))
3218 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3219 goto end;
9b5c865d 3220
f8a303fa 3221 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3222 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3223 &rawwritten))
3224 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3225 goto end;
f8a303fa 3226
5f982038 3227 /* Server should be able to read normal data */
710756a9
RS		 3228 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3229 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3230 goto end;
5f982038 3231
09f28874 3232 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3233 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3234 &written)))
5f982038 3235 goto end;
5f982038 3236 ERR_clear_error();
710756a9
RS		 3237 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3238 &readbytes),
3239 SSL_READ_EARLY_DATA_ERROR))
5f982038 3240 goto end;
5f982038
MC		 3241 ERR_clear_error();
3242
9b5c865d 3243 /* Client should be able to read the data sent by the server */
710756a9
RS		 3244 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3245 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3246 goto end;
710756a9 3247
f8a303fa 3248 /*
36ff232c
MC		 3249 * Make sure we process the two NewSessionTickets. These arrive
3250 * post-handshake. We attempt reads which we do not expect to return any
3251 * data.
f8a303fa 3252 */
36ff232c
MC		 3253 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3254 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3255 &readbytes)))
f8a303fa 3256 goto end;
5f982038 3257
90049cea 3258 /* Server should be able to write normal data */
710756a9
RS		 3259 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3260 || !TEST_size_t_eq(written, strlen(MSG7))
3261 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3262 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3263 goto end;
90049cea 3264
c20e3b28 3265 SSL_SESSION_free(sess);
5f982038 3266 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3267 use_session_cb_cnt = 0;
3268 find_session_cb_cnt = 0;
5f982038
MC		 3269
3270 SSL_shutdown(clientssl);
3271 SSL_shutdown(serverssl);
5f982038
MC		 3272 SSL_free(serverssl);
3273 SSL_free(clientssl);
3274 serverssl = clientssl = NULL;
710756a9
RS		 3275 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3276 &clientssl, NULL, NULL))
3277 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3278 goto end;
5f982038
MC		 3279
3280 /* Write and read some early data */
710756a9
RS		 3281 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3282 &written))
3283 || !TEST_size_t_eq(written, strlen(MSG1))
3284 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3285 &readbytes),
3286 SSL_READ_EARLY_DATA_SUCCESS)
3287 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3288 goto end;
5f982038 3289
710756a9
RS		 3290 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3291 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3292 goto end;
5f982038 3293
09f28874 3294 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3295 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3296 &written)))
5f982038 3297 goto end;
5f982038 3298 ERR_clear_error();
710756a9
RS		 3299 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3300 &readbytes),
3301 SSL_READ_EARLY_DATA_ERROR))
5f982038 3302 goto end;
5f982038
MC		 3303 ERR_clear_error();
3304
3305 /* Client and server should be able to write/read normal data */
710756a9
RS		 3306 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3307 || !TEST_size_t_eq(written, strlen(MSG5))
3308 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3309 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3310 goto end;
5f982038
MC		 3311
3312 testresult = 1;
3313
3314 end:
c20e3b28 3315 SSL_SESSION_free(sess);
57dee9bb
MC		 3316 SSL_SESSION_free(clientpsk);
3317 SSL_SESSION_free(serverpsk);
3318 clientpsk = serverpsk = NULL;
5f982038
MC		 3319 SSL_free(serverssl);
3320 SSL_free(clientssl);
3321 SSL_CTX_free(sctx);
3322 SSL_CTX_free(cctx);
5f982038
MC		 3323 return testresult;
3324}
3325
5a421415
MC		 3326static int allow_ed_cb_called = 0;
3327
3328static int allow_early_data_cb(SSL *s, void *arg)
3329{
3330 int *usecb = (int *)arg;
3331
3332 allow_ed_cb_called++;
3333
3334 if (*usecb == 1)
3335 return 0;
3336
3337 return 1;
3338}
3339
3340/*
3341 * idx == 0: Standard early_data setup
3342 * idx == 1: early_data setup using read_ahead
3343 * usecb == 0: Don't use a custom early data callback
3344 * usecb == 1: Use a custom early data callback and reject the early data
3345 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3346 * confopt == 0: Configure anti-replay directly
3347 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3348 */
3bb5e5b0 3349static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3350{
3351 SSL_CTX *cctx = NULL, *sctx = NULL;
3352 SSL *clientssl = NULL, *serverssl = NULL;
3353 int testresult = 0;
3354 SSL_SESSION *sess = NULL;
5a421415
MC		 3355 size_t readbytes, written;
3356 unsigned char buf[20];
3357
3358 allow_ed_cb_called = 0;
3359
5e30f2fd
MC		 3360 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3361 TLS_client_method(), TLS1_VERSION, 0,
3362 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3363 return 0;
3364
3365 if (usecb > 0) {
3bb5e5b0
MC		 3366 if (confopt == 0) {
3367 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3368 } else {
3369 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3370
3371 if (!TEST_ptr(confctx))
3372 goto end;
3373 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3374 | SSL_CONF_FLAG_SERVER);
3375 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3376 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3377 2)) {
3378 SSL_CONF_CTX_free(confctx);
3379 goto end;
3380 }
3381 SSL_CONF_CTX_free(confctx);
3382 }
5a421415
MC		 3383 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3384 }
78fb5374
MC		 3385
3386 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3387 &serverssl, &sess, idx)))
3388 goto end;
3389
3390 /*
3391 * The server is configured to accept early data. Create a connection to
3392 * "use up" the ticket
3393 */
3394 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3395 || !TEST_true(SSL_session_reused(clientssl)))
3396 goto end;
3397
3398 SSL_shutdown(clientssl);
3399 SSL_shutdown(serverssl);
3400 SSL_free(serverssl);
3401 SSL_free(clientssl);
3402 serverssl = clientssl = NULL;
3403
3404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3405 &clientssl, NULL, NULL))
5a421415
MC		 3406 || !TEST_true(SSL_set_session(clientssl, sess)))
3407 goto end;
3408
3409 /* Write and read some early data */
3410 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3411 &written))
3412 || !TEST_size_t_eq(written, strlen(MSG1)))
3413 goto end;
3414
3415 if (usecb <= 1) {
3416 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3417 &readbytes),
3418 SSL_READ_EARLY_DATA_FINISH)
3419 /*
3420 * The ticket was reused, so the we should have rejected the
3421 * early data
3422 */
3423 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3424 SSL_EARLY_DATA_REJECTED))
3425 goto end;
3426 } else {
3427 /* In this case the callback decides to accept the early data */
3428 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3429 &readbytes),
3430 SSL_READ_EARLY_DATA_SUCCESS)
3431 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3432 /*
3433 * Server will have sent its flight so client can now send
3434 * end of early data and complete its half of the handshake
3435 */
3436 || !TEST_int_gt(SSL_connect(clientssl), 0)
3437 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3438 &readbytes),
3439 SSL_READ_EARLY_DATA_FINISH)
3440 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3441 SSL_EARLY_DATA_ACCEPTED))
3442 goto end;
3443 }
3444
3445 /* Complete the connection */
3446 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3447 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3448 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3449 goto end;
3450
3451 testresult = 1;
3452
3453 end:
c20e3b28 3454 SSL_SESSION_free(sess);
78fb5374
MC		 3455 SSL_SESSION_free(clientpsk);
3456 SSL_SESSION_free(serverpsk);
3457 clientpsk = serverpsk = NULL;
3458 SSL_free(serverssl);
3459 SSL_free(clientssl);
3460 SSL_CTX_free(sctx);
3461 SSL_CTX_free(cctx);
3462 return testresult;
3463}
3464
5a421415
MC		 3465static int test_early_data_replay(int idx)
3466{
3bb5e5b0 3467 int ret = 1, usecb, confopt;
5a421415 3468
3bb5e5b0
MC		 3469 for (usecb = 0; usecb < 3; usecb++) {
3470 for (confopt = 0; confopt < 2; confopt++)
3471 ret &= test_early_data_replay_int(idx, usecb, confopt);
3472 }
5a421415
MC		 3473
3474 return ret;
3475}
3476
710756a9 3477/*
6b84e6bf
MC		 3478 * Helper function to test that a server attempting to read early data can
3479 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3480 * testtype: 0 == No HRR
3481 * testtype: 1 == HRR
0efa0ba4
MC		 3482 * testtype: 2 == HRR, invalid early_data sent after HRR
3483 * testtype: 3 == recv_max_early_data set to 0
710756a9 3484 */
0d1b7789 3485static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3486{
3487 SSL_CTX *cctx = NULL, *sctx = NULL;
3488 SSL *clientssl = NULL, *serverssl = NULL;
3489 int testresult = 0;
018fcbec 3490 SSL_SESSION *sess = NULL;
5f982038
MC		 3491 unsigned char buf[20];
3492 size_t readbytes, written;
3493
710756a9
RS		 3494 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3495 &serverssl, &sess, idx)))
5f982038
MC		 3496 goto end;
3497
0efa0ba4 3498 if (testtype == 1 || testtype == 2) {
6b84e6bf 3499 /* Force an HRR to occur */
dbc6268f
MC		 3500#if defined(OPENSSL_NO_EC)
3501 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3502 goto end;
3503#else
6b84e6bf
MC		 3504 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3505 goto end;
dbc6268f 3506#endif
02a3ed5a
MC		 3507 } else if (idx == 2) {
3508 /*
3509 * We force early_data rejection by ensuring the PSK identity is
3510 * unrecognised
3511 */
3512 srvid = "Dummy Identity";
6b84e6bf
MC		 3513 } else {
3514 /*
3515 * Deliberately corrupt the creation time. We take 20 seconds off the
3516 * time. It could be any value as long as it is not within tolerance.
3517 * This should mean the ticket is rejected.
3518 */
5d99881e 3519 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3520 goto end;
3521 }
5f982038 3522
0efa0ba4 3523 if (testtype == 3
0d1b7789
MC		 3524 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3525 goto end;
3526
5f982038 3527 /* Write some early data */
710756a9
RS		 3528 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3529 &written))
3530 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3531 goto end;
5f982038 3532
0d1b7789 3533 /* Server should reject the early data */
710756a9
RS		 3534 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3535 &readbytes),
3536 SSL_READ_EARLY_DATA_FINISH)
3537 || !TEST_size_t_eq(readbytes, 0)
3538 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3539 SSL_EARLY_DATA_REJECTED))
5f982038 3540 goto end;
5f982038 3541
0efa0ba4
MC		 3542 switch (testtype) {
3543 case 0:
3544 /* Nothing to do */
3545 break;
3546
3547 case 1:
6b84e6bf
MC		 3548 /*
3549 * Finish off the handshake. We perform the same writes and reads as
3550 * further down but we expect them to fail due to the incomplete
3551 * handshake.
3552 */
3553 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3554 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3555 &readbytes)))
3556 goto end;
0efa0ba4
MC		 3557 break;
3558
3559 case 2:
3560 {
3561 BIO *wbio = SSL_get_wbio(clientssl);
3562 /* A record that will appear as bad early_data */
3563 const unsigned char bad_early_data[] = {
3564 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3565 };
3566
3567 /*
3568 * We force the client to attempt a write. This will fail because
3569 * we're still in the handshake. It will cause the second
3570 * ClientHello to be sent.
3571 */
3572 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3573 &written)))
3574 goto end;
3575
3576 /*
3577 * Inject some early_data after the second ClientHello. This should
3578 * cause the server to fail
3579 */
3580 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3581 sizeof(bad_early_data), &written)))
3582 goto end;
3583 }
3584 /* fallthrough */
3585
3586 case 3:
0d1b7789 3587 /*
0efa0ba4
MC		 3588 * This client has sent more early_data than we are willing to skip
3589 * (case 3) or sent invalid early_data (case 2) so the connection should
3590 * abort.
0d1b7789
MC		 3591 */
3592 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3593 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3594 goto end;
3595
3596 /* Connection has failed - nothing more to do */
3597 testresult = 1;
3598 goto end;
0efa0ba4
MC		 3599
3600 default:
3601 TEST_error("Invalid test type");
3602 goto end;
6b84e6bf
MC		 3603 }
3604
0d1b7789
MC		 3605 /*
3606 * Should be able to send normal data despite rejection of early data. The
3607 * early_data should be skipped.
3608 */
710756a9
RS		 3609 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3610 || !TEST_size_t_eq(written, strlen(MSG2))
3611 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3612 SSL_EARLY_DATA_REJECTED)
3613 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3614 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3615 goto end;
5f982038
MC		 3616
3617 testresult = 1;
3618
3619 end:
c20e3b28 3620 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3621 SSL_SESSION_free(serverpsk);
3622 clientpsk = serverpsk = NULL;
5f982038
MC		 3623 SSL_SESSION_free(sess);
3624 SSL_free(serverssl);
3625 SSL_free(clientssl);
3626 SSL_CTX_free(sctx);
3627 SSL_CTX_free(cctx);
5f982038
MC		 3628 return testresult;
3629}
3630
6b84e6bf
MC		 3631/*
3632 * Test that a server attempting to read early data can handle a connection
3633 * from a client where the early data is not acceptable.
3634 */
3635static int test_early_data_skip(int idx)
3636{
3637 return early_data_skip_helper(0, idx);
3638}
3639
3640/*
3641 * Test that a server attempting to read early data can handle a connection
3642 * from a client where an HRR occurs.
3643 */
3644static int test_early_data_skip_hrr(int idx)
3645{
3646 return early_data_skip_helper(1, idx);
3647}
3648
0efa0ba4
MC		 3649/*
3650 * Test that a server attempting to read early data can handle a connection
3651 * from a client where an HRR occurs and correctly fails if early_data is sent
3652 * after the HRR
3653 */
3654static int test_early_data_skip_hrr_fail(int idx)
3655{
3656 return early_data_skip_helper(2, idx);
3657}
3658
0d1b7789
MC		 3659/*
3660 * Test that a server attempting to read early data will abort if it tries to
3661 * skip over too much.
3662 */
3663static int test_early_data_skip_abort(int idx)
3664{
0efa0ba4 3665 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3666}
3667
710756a9
RS		 3668/*
3669 * Test that a server attempting to read early data can handle a connection
3670 * from a client that doesn't send any.
3671 */
3cb47b4e 3672static int test_early_data_not_sent(int idx)
5f982038
MC		 3673{
3674 SSL_CTX *cctx = NULL, *sctx = NULL;
3675 SSL *clientssl = NULL, *serverssl = NULL;
3676 int testresult = 0;
018fcbec 3677 SSL_SESSION *sess = NULL;
5f982038
MC		 3678 unsigned char buf[20];
3679 size_t readbytes, written;
3680
710756a9
RS		 3681 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3682 &serverssl, &sess, idx)))
5f982038
MC		 3683 goto end;
3684
3685 /* Write some data - should block due to handshake with server */
3686 SSL_set_connect_state(clientssl);
710756a9 3687 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3688 goto end;
5f982038
MC		 3689
3690 /* Server should detect that early data has not been sent */
710756a9
RS		 3691 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3692 &readbytes),
3693 SSL_READ_EARLY_DATA_FINISH)
3694 || !TEST_size_t_eq(readbytes, 0)
3695 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3696 SSL_EARLY_DATA_NOT_SENT)
3697 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3698 SSL_EARLY_DATA_NOT_SENT))
5f982038 3699 goto end;
5f982038
MC		 3700
3701 /* Continue writing the message we started earlier */
710756a9
RS		 3702 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3703 || !TEST_size_t_eq(written, strlen(MSG1))
3704 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3705 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3706 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3707 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3708 goto end;
5f982038 3709
710756a9
RS		 3710 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3711 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3712 goto end;
5f982038
MC		 3713
3714 testresult = 1;
3715
3716 end:
5f982038 3717 SSL_SESSION_free(sess);
c20e3b28 3718 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3719 SSL_SESSION_free(serverpsk);
3720 clientpsk = serverpsk = NULL;
5f982038
MC		 3721 SSL_free(serverssl);
3722 SSL_free(clientssl);
3723 SSL_CTX_free(sctx);
3724 SSL_CTX_free(cctx);
5f982038
MC		 3725 return testresult;
3726}
3727
976e5323
MC		 3728static const char *servalpn;
3729
c7558d5b
PY		 3730static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3731 unsigned char *outlen, const unsigned char *in,
3732 unsigned int inlen, void *arg)
976e5323 3733{
c7558d5b 3734 unsigned int protlen = 0;
976e5323
MC		 3735 const unsigned char *prot;
3736
c7558d5b
PY		 3737 for (prot = in; prot < in + inlen; prot += protlen) {
3738 protlen = *prot++;
5d99881e 3739 if (in + inlen < prot + protlen)
976e5323
MC		 3740 return SSL_TLSEXT_ERR_NOACK;
3741
3742 if (protlen == strlen(servalpn)
0bd42fde 3743 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3744 *out = prot;
3745 *outlen = protlen;
3746 return SSL_TLSEXT_ERR_OK;
3747 }
3748 }
3749
3750 return SSL_TLSEXT_ERR_NOACK;
3751}
3752
57dee9bb 3753/* Test that a PSK can be used to send early_data */
976e5323
MC		 3754static int test_early_data_psk(int idx)
3755{
3756 SSL_CTX *cctx = NULL, *sctx = NULL;
3757 SSL *clientssl = NULL, *serverssl = NULL;
3758 int testresult = 0;
3759 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3760 unsigned char alpnlist[] = {
3761 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3762 'l', 'p', 'n'
3763 };
3764#define GOODALPNLEN 9
3765#define BADALPNLEN 8
3766#define GOODALPN (alpnlist)
3767#define BADALPN (alpnlist + GOODALPNLEN)
3768 int err = 0;
976e5323
MC		 3769 unsigned char buf[20];
3770 size_t readbytes, written;
57dee9bb 3771 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3772 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3773
3774 /* We always set this up with a final parameter of "2" for PSK */
3775 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3776 &serverssl, &sess, 2)))
3777 goto end;
3778
976e5323
MC		 3779 servalpn = "goodalpn";
3780
57dee9bb
MC		 3781 /*
3782 * Note: There is no test for inconsistent SNI with late client detection.
3783 * This is because servers do not acknowledge SNI even if they are using
3784 * it in a resumption handshake - so it is not actually possible for a
3785 * client to detect a problem.
3786 */
976e5323
MC		 3787 switch (idx) {
3788 case 0:
57dee9bb 3789 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3790 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3791 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3792 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3793 goto end;
3794 break;
3795
3796 case 1:
57dee9bb 3797 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3798 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3799 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3800 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3801 GOODALPNLEN))
3802 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3803 BADALPNLEN)))
976e5323
MC		 3804 goto end;
3805 break;
3806
3807 case 2:
3808 /*
3809 * Set invalid protocol version. Technically this affects PSKs without
3810 * early_data too, but we test it here because it is similar to the
3811 * SNI/ALPN consistency tests.
3812 */
3813 err = SSL_R_BAD_PSK;
3814 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3815 goto end;
3816 break;
3817
3818 case 3:
3819 /*
49ef3d07
MC		 3820 * Set inconsistent SNI (server side). In this case the connection
3821 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3822 * is associated with each handshake - not the session. Therefore it
3823 * should not matter that we used a different server name last time.
976e5323 3824 */
281bf233
MC		 3825 SSL_SESSION_free(serverpsk);
3826 serverpsk = SSL_SESSION_dup(clientpsk);
3827 if (!TEST_ptr(serverpsk)
3828 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3829 goto end;
976e5323
MC		 3830 /* Fall through */
3831 case 4:
3832 /* Set consistent SNI */
976e5323
MC		 3833 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3834 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3835 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3836 hostname_cb)))
3837 goto end;
3838 break;
3839
3840 case 5:
3841 /*
3842 * Set inconsistent ALPN (server detected). In this case the connection
3843 * will succeed but reject early_data.
3844 */
3845 servalpn = "badalpn";
3846 edstatus = SSL_EARLY_DATA_REJECTED;
3847 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3848 /* Fall through */
3849 case 6:
976e5323 3850 /*
57dee9bb 3851 * Set consistent ALPN.
976e5323
MC		 3852 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3853 * accepts a list of protos (each one length prefixed).
3854 * SSL_set1_alpn_selected accepts a single protocol (not length
3855 * prefixed)
3856 */
57dee9bb
MC		 3857 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3858 GOODALPNLEN - 1))
3859 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3860 GOODALPNLEN)))
976e5323
MC		 3861 goto end;
3862
3863 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3864 break;
3865
57dee9bb
MC		 3866 case 7:
3867 /* Set inconsistent ALPN (late client detection) */
3868 SSL_SESSION_free(serverpsk);
3869 serverpsk = SSL_SESSION_dup(clientpsk);
3870 if (!TEST_ptr(serverpsk)
3871 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3872 BADALPN + 1,
3873 BADALPNLEN - 1))
3874 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3875 GOODALPN + 1,
3876 GOODALPNLEN - 1))
3877 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3878 sizeof(alpnlist))))
3879 goto end;
3880 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3881 edstatus = SSL_EARLY_DATA_ACCEPTED;
3882 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3883 /* SSL_connect() call should fail */
3884 connectres = -1;
3885 break;
3886
976e5323
MC		 3887 default:
3888 TEST_error("Bad test index");
3889 goto end;
3890 }
3891
3892 SSL_set_connect_state(clientssl);
3893 if (err != 0) {
3894 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3895 &written))
3896 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3897 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3898 goto end;
3899 } else {
3900 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3901 &written)))
3902 goto end;
3903
3904 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3905 &readbytes), readearlyres)
976e5323
MC		 3906 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3907 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3908 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3909 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3910 goto end;
3911 }
3912
3913 testresult = 1;
3914
3915 end:
c20e3b28 3916 SSL_SESSION_free(sess);
57dee9bb
MC		 3917 SSL_SESSION_free(clientpsk);
3918 SSL_SESSION_free(serverpsk);
3919 clientpsk = serverpsk = NULL;
976e5323
MC		 3920 SSL_free(serverssl);
3921 SSL_free(clientssl);
3922 SSL_CTX_free(sctx);
3923 SSL_CTX_free(cctx);
3924 return testresult;
3925}
3926
0b2b0be9 3927/*
3928 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3929 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3930 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3931 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3932 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3933 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3934 */
3935static int test_early_data_psk_with_all_ciphers(int idx)
3936{
3937 SSL_CTX *cctx = NULL, *sctx = NULL;
3938 SSL *clientssl = NULL, *serverssl = NULL;
3939 int testresult = 0;
3940 SSL_SESSION *sess = NULL;
3941 unsigned char buf[20];
3942 size_t readbytes, written;
3943 const SSL_CIPHER *cipher;
3944 const char *cipher_str[] = {
3945 TLS1_3_RFC_AES_128_GCM_SHA256,
3946 TLS1_3_RFC_AES_256_GCM_SHA384,
3947# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3948 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3949# else
3950 NULL,
3951# endif
3952 TLS1_3_RFC_AES_128_CCM_SHA256,
3953 TLS1_3_RFC_AES_128_CCM_8_SHA256
3954 };
3955 const unsigned char *cipher_bytes[] = {
3956 TLS13_AES_128_GCM_SHA256_BYTES,
3957 TLS13_AES_256_GCM_SHA384_BYTES,
3958# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3959 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3960# else
3961 NULL,
3962# endif
3963 TLS13_AES_128_CCM_SHA256_BYTES,
3964 TLS13_AES_128_CCM_8_SHA256_BYTES
3965 };
3966
3967 if (cipher_str[idx] == NULL)
3968 return 1;
3969 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3970 if (idx == 2 && is_fips == 1)
3971 return 1;
3972
3973 /* We always set this up with a final parameter of "2" for PSK */
3974 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3975 &serverssl, &sess, 2)))
3976 goto end;
3977
3978 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3979 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3980 goto end;
3981
3982 /*
3983 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3984 * and assigns to both client and server with incremented reference
3985 * and the same instance is updated in 'sess'.
3986 * So updating ciphersuite in 'sess' which will get reflected in
3987 * PSK handshake using psk use sess and find sess cb.
3988 */
3989 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3990 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3991 goto end;
3992
3993 SSL_set_connect_state(clientssl);
3994 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3995 &written)))
3996 goto end;
3997
3998 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3999 &readbytes),
4000 SSL_READ_EARLY_DATA_SUCCESS)
4001 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4002 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4003 SSL_EARLY_DATA_ACCEPTED)
4004 || !TEST_int_eq(SSL_connect(clientssl), 1)
4005 || !TEST_int_eq(SSL_accept(serverssl), 1))
4006 goto end;
4007
4008 /* Send some normal data from client to server */
4009 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4010 || !TEST_size_t_eq(written, strlen(MSG2)))
4011 goto end;
4012
4013 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4014 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4015 goto end;
4016
4017 testresult = 1;
4018 end:
4019 SSL_SESSION_free(sess);
4020 SSL_SESSION_free(clientpsk);
4021 SSL_SESSION_free(serverpsk);
4022 clientpsk = serverpsk = NULL;
4023 if (clientssl != NULL)
4024 SSL_shutdown(clientssl);
4025 if (serverssl != NULL)
4026 SSL_shutdown(serverssl);
4027 SSL_free(serverssl);
4028 SSL_free(clientssl);
4029 SSL_CTX_free(sctx);
4030 SSL_CTX_free(cctx);
4031 return testresult;
4032}
4033
710756a9
RS		 4034/*
4035 * Test that a server that doesn't try to read early data can handle a
4036 * client sending some.
4037 */
3cb47b4e 4038static int test_early_data_not_expected(int idx)
5f982038
MC		 4039{
4040 SSL_CTX *cctx = NULL, *sctx = NULL;
4041 SSL *clientssl = NULL, *serverssl = NULL;
4042 int testresult = 0;
018fcbec 4043 SSL_SESSION *sess = NULL;
5f982038
MC		 4044 unsigned char buf[20];
4045 size_t readbytes, written;
4046
710756a9
RS		 4047 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4048 &serverssl, &sess, idx)))
5f982038
MC		 4049 goto end;
4050
4051 /* Write some early data */
710756a9
RS		 4052 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4053 &written)))
5f982038 4054 goto end;
5f982038
MC		 4055
4056 /*
4057 * Server should skip over early data and then block waiting for client to
4058 * continue handshake
4059 */
710756a9
RS		 4060 if (!TEST_int_le(SSL_accept(serverssl), 0)
4061 || !TEST_int_gt(SSL_connect(clientssl), 0)
4062 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4063 SSL_EARLY_DATA_REJECTED)
4064 || !TEST_int_gt(SSL_accept(serverssl), 0)
4065 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4066 SSL_EARLY_DATA_REJECTED))
5f982038 4067 goto end;
5f982038
MC		 4068
4069 /* Send some normal data from client to server */
710756a9
RS		 4070 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4071 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4072 goto end;
5f982038 4073
710756a9
RS		 4074 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4075 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4076 goto end;
5f982038
MC		 4077
4078 testresult = 1;
4079
4080 end:
5f982038 4081 SSL_SESSION_free(sess);
c20e3b28 4082 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4083 SSL_SESSION_free(serverpsk);
4084 clientpsk = serverpsk = NULL;
5f982038
MC		 4085 SSL_free(serverssl);
4086 SSL_free(clientssl);
4087 SSL_CTX_free(sctx);
4088 SSL_CTX_free(cctx);
5f982038
MC		 4089 return testresult;
4090}
4091
4092
4093# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4094/*
4095 * Test that a server attempting to read early data can handle a connection
4096 * from a TLSv1.2 client.
4097 */
3cb47b4e 4098static int test_early_data_tls1_2(int idx)
5f982038
MC		 4099{
4100 SSL_CTX *cctx = NULL, *sctx = NULL;
4101 SSL *clientssl = NULL, *serverssl = NULL;
4102 int testresult = 0;
4103 unsigned char buf[20];
4104 size_t readbytes, written;
4105
02a3ed5a
MC		 4106 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4107 &serverssl, NULL, idx)))
5f982038 4108 goto end;
5f982038
MC		 4109
4110 /* Write some data - should block due to handshake with server */
4111 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4112 SSL_set_connect_state(clientssl);
710756a9 4113 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4114 goto end;
5f982038
MC		 4115
4116 /*
4117 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4118 * messages from client after ServerDone. Then SSL_read_early_data should
4119 * finish and detect that early data has not been sent
5f982038 4120 */
710756a9
RS		 4121 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4122 &readbytes),
4123 SSL_READ_EARLY_DATA_ERROR))
5f982038 4124 goto end;
5f982038
MC		 4125
4126 /*
4127 * Continue writing the message we started earlier. Will still block waiting
4128 * for the CCS/Finished from server
4129 */
710756a9
RS		 4130 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4131 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4132 &readbytes),
4133 SSL_READ_EARLY_DATA_FINISH)
4134 || !TEST_size_t_eq(readbytes, 0)
4135 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4136 SSL_EARLY_DATA_NOT_SENT))
5f982038 4137 goto end;
5f982038
MC		 4138
4139 /* Continue writing the message we started earlier */
710756a9
RS		 4140 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4141 || !TEST_size_t_eq(written, strlen(MSG1))
4142 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4143 SSL_EARLY_DATA_NOT_SENT)
4144 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4145 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4146 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4147 || !TEST_size_t_eq(written, strlen(MSG2))
4148 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4149 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4150 goto end;
5f982038
MC		 4151
4152 testresult = 1;
4153
4154 end:
57dee9bb
MC		 4155 SSL_SESSION_free(clientpsk);
4156 SSL_SESSION_free(serverpsk);
4157 clientpsk = serverpsk = NULL;
5f982038
MC		 4158 SSL_free(serverssl);
4159 SSL_free(clientssl);
4160 SSL_CTX_free(sctx);
4161 SSL_CTX_free(cctx);
4162
4163 return testresult;
4164}
ca0413ae
MC		 4165# endif /* OPENSSL_NO_TLS1_2 */
4166
034cb87b
MC		 4167/*
4168 * Test configuring the TLSv1.3 ciphersuites
4169 *
4170 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4171 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4172 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4173 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4174 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4175 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4176 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4177 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4178 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4179 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4180 */
4181static int test_set_ciphersuite(int idx)
4182{
4183 SSL_CTX *cctx = NULL, *sctx = NULL;
4184 SSL *clientssl = NULL, *serverssl = NULL;
4185 int testresult = 0;
4186
5e30f2fd
MC		 4187 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4188 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4189 &sctx, &cctx, cert, privkey))
4190 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4191 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4192 goto end;
4193
4194 if (idx >=4 && idx <= 7) {
4195 /* SSL_CTX explicit cipher list */
4196 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4197 goto end;
4198 }
4199
4200 if (idx == 0 || idx == 4) {
4201 /* Default ciphersuite */
4202 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4203 "TLS_AES_128_GCM_SHA256")))
4204 goto end;
4205 } else if (idx == 1 || idx == 5) {
4206 /* Non default ciphersuite */
4207 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4208 "TLS_AES_128_CCM_SHA256")))
4209 goto end;
4210 }
4211
4212 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4213 &clientssl, NULL, NULL)))
4214 goto end;
4215
4216 if (idx == 8 || idx == 9) {
4217 /* SSL explicit cipher list */
4218 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4219 goto end;
4220 }
4221
4222 if (idx == 2 || idx == 6 || idx == 8) {
4223 /* Default ciphersuite */
4224 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4225 "TLS_AES_128_GCM_SHA256")))
4226 goto end;
4227 } else if (idx == 3 || idx == 7 || idx == 9) {
4228 /* Non default ciphersuite */
4229 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4230 "TLS_AES_128_CCM_SHA256")))
4231 goto end;
4232 }
4233
4234 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4235 goto end;
4236
4237 testresult = 1;
4238
4239 end:
4240 SSL_free(serverssl);
4241 SSL_free(clientssl);
4242 SSL_CTX_free(sctx);
4243 SSL_CTX_free(cctx);
4244
4245 return testresult;
4246}
4247
ca0413ae
MC		 4248static int test_ciphersuite_change(void)
4249{
4250 SSL_CTX *cctx = NULL, *sctx = NULL;
4251 SSL *clientssl = NULL, *serverssl = NULL;
4252 SSL_SESSION *clntsess = NULL;
4253 int testresult = 0;
4254 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4255
4256 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4257 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4258 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4259 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4260 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4261 "TLS_AES_128_GCM_SHA256:"
4262 "TLS_AES_256_GCM_SHA384:"
4263 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4264 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4265 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4266 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4267 &clientssl, NULL, NULL))
4268 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4269 SSL_ERROR_NONE)))
4270 goto end;
4271
4272 clntsess = SSL_get1_session(clientssl);
4273 /* Save for later */
4274 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4275 SSL_shutdown(clientssl);
4276 SSL_shutdown(serverssl);
4277 SSL_free(serverssl);
4278 SSL_free(clientssl);
4279 serverssl = clientssl = NULL;
4280
4281 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4282 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4283 "TLS_AES_128_CCM_SHA256"))
4284 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4285 &clientssl, NULL, NULL))
ca0413ae
MC		 4286 || !TEST_true(SSL_set_session(clientssl, clntsess))
4287 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4288 SSL_ERROR_NONE))
4289 || !TEST_true(SSL_session_reused(clientssl)))
4290 goto end;
4291
4292 SSL_SESSION_free(clntsess);
4293 clntsess = SSL_get1_session(clientssl);
4294 SSL_shutdown(clientssl);
4295 SSL_shutdown(serverssl);
4296 SSL_free(serverssl);
4297 SSL_free(clientssl);
4298 serverssl = clientssl = NULL;
4299
4300 /*
4301 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4302 * succeeds but does not resume.
ca0413ae 4303 */
f865b081 4304 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4305 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4306 NULL, NULL))
4307 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4308 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4309 SSL_ERROR_SSL))
0de6d66d 4310 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4311 goto end;
4312
4313 SSL_SESSION_free(clntsess);
4314 clntsess = NULL;
4315 SSL_shutdown(clientssl);
4316 SSL_shutdown(serverssl);
4317 SSL_free(serverssl);
4318 SSL_free(clientssl);
4319 serverssl = clientssl = NULL;
4320
4321 /* Create a session based on SHA384 */
f865b081 4322 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4323 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4324 &clientssl, NULL, NULL))
4325 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4326 SSL_ERROR_NONE)))
4327 goto end;
4328
4329 clntsess = SSL_get1_session(clientssl);
4330 SSL_shutdown(clientssl);
4331 SSL_shutdown(serverssl);
4332 SSL_free(serverssl);
4333 SSL_free(clientssl);
4334 serverssl = clientssl = NULL;
4335
f865b081
MC		 4336 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4337 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4338 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4339 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4340 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4341 NULL, NULL))
4342 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4343 /*
4344 * We use SSL_ERROR_WANT_READ below so that we can pause the
4345 * connection after the initial ClientHello has been sent to
4346 * enable us to make some session changes.
4347 */
ca0413ae
MC		 4348 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4349 SSL_ERROR_WANT_READ)))
4350 goto end;
4351
4352 /* Trick the client into thinking this session is for a different digest */
4353 clntsess->cipher = aes_128_gcm_sha256;
4354 clntsess->cipher_id = clntsess->cipher->id;
4355
4356 /*
3b0e88d3
MC		 4357 * Continue the previously started connection. Server has selected a SHA-384
4358 * ciphersuite, but client thinks the session is for SHA-256, so it should
4359 * bail out.
ca0413ae
MC		 4360 */
4361 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4362 SSL_ERROR_SSL))
4363 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4364 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4365 goto end;
4366
4367 testresult = 1;
4368
4369 end:
4370 SSL_SESSION_free(clntsess);
4371 SSL_free(serverssl);
4372 SSL_free(clientssl);
4373 SSL_CTX_free(sctx);
4374 SSL_CTX_free(cctx);
4375
4376 return testresult;
4377}
4378
8e63900a 4379/*
5bf2eade 4380 * Test TLSv1.3 Key exchange
4381 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4382 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4383 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4384 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4385 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4386 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4387 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4388 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4389 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4390 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4391 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4392 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4393 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4394 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4395 */
db26ec80 4396static int test_key_exchange(int idx)
8e63900a 4397{
4398 SSL_CTX *sctx = NULL, *cctx = NULL;
4399 SSL *serverssl = NULL, *clientssl = NULL;
4400 int testresult = 0;
5bf2eade 4401# ifndef OPENSSL_NO_EC
4402 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4403 NID_secp521r1, NID_X25519, NID_X448};
4404# endif
4405# ifndef OPENSSL_NO_DH
8e63900a 4406 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4407 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4408# endif
fb8c6db4 4409 int kexch_alg;
4410 int *kexch_groups = &kexch_alg;
4411 int kexch_groups_size = 1;
8e63900a 4412 int max_version = TLS1_3_VERSION;
becbacd7 4413 char *kexch_name0 = NULL;
8e63900a 4414
4415 switch (idx) {
5bf2eade 4416# ifndef OPENSSL_NO_EC
db26ec80 4417# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4418 case 12:
fb8c6db4 4419 max_version = TLS1_2_VERSION;
db26ec80 4420# endif
fb8c6db4 4421 /* Fall through */
4422 case 0:
4423 kexch_groups = ecdhe_kexch_groups;
4424 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4425 kexch_name0 = "secp256r1";
fb8c6db4 4426 break;
5bf2eade 4427 case 1:
fb8c6db4 4428 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4429 kexch_name0 = "secp256r1";
fb8c6db4 4430 break;
5bf2eade 4431 case 2:
fb8c6db4 4432 kexch_alg = NID_secp384r1;
becbacd7 4433 kexch_name0 = "secp384r1";
fb8c6db4 4434 break;
5bf2eade 4435 case 3:
fb8c6db4 4436 kexch_alg = NID_secp521r1;
becbacd7 4437 kexch_name0 = "secp521r1";
fb8c6db4 4438 break;
5bf2eade 4439 case 4:
fb8c6db4 4440 kexch_alg = NID_X25519;
becbacd7 4441 kexch_name0 = "x25519";
fb8c6db4 4442 break;
5bf2eade 4443 case 5:
fb8c6db4 4444 kexch_alg = NID_X448;
becbacd7 4445 kexch_name0 = "x448";
fb8c6db4 4446 break;
5bf2eade 4447# endif
4448# ifndef OPENSSL_NO_DH
db26ec80 4449# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4450 case 13:
dbc6268f 4451 max_version = TLS1_2_VERSION;
becbacd7 4452 kexch_name0 = "ffdhe2048";
db26ec80 4453# endif
dbc6268f 4454 /* Fall through */
5bf2eade 4455 case 6:
8e63900a 4456 kexch_groups = ffdhe_kexch_groups;
4457 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4458 kexch_name0 = "ffdhe2048";
8e63900a 4459 break;
5bf2eade 4460 case 7:
fb8c6db4 4461 kexch_alg = NID_ffdhe2048;
becbacd7 4462 kexch_name0 = "ffdhe2048";
fb8c6db4 4463 break;
5bf2eade 4464 case 8:
fb8c6db4 4465 kexch_alg = NID_ffdhe3072;
becbacd7 4466 kexch_name0 = "ffdhe3072";
fb8c6db4 4467 break;
5bf2eade 4468 case 9:
fb8c6db4 4469 kexch_alg = NID_ffdhe4096;
becbacd7 4470 kexch_name0 = "ffdhe4096";
fb8c6db4 4471 break;
5bf2eade 4472 case 10:
fb8c6db4 4473 kexch_alg = NID_ffdhe6144;
becbacd7 4474 kexch_name0 = "ffdhe6144";
fb8c6db4 4475 break;
5bf2eade 4476 case 11:
fb8c6db4 4477 kexch_alg = NID_ffdhe8192;
becbacd7 4478 kexch_name0 = "ffdhe8192";
8e63900a 4479 break;
5bf2eade 4480# endif
6597d62b
MC		 4481 default:
4482 /* We're skipping this test */
4483 return 1;
8e63900a 4484 }
4485
5e30f2fd
MC		 4486 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4487 TLS_client_method(), TLS1_VERSION,
4488 max_version, &sctx, &cctx, cert,
4489 privkey)))
8e63900a 4490 goto end;
4491
5bf2eade 4492 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4493 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4494 goto end;
4495
5bf2eade 4496 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4497 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4498 goto end;
4499
5bf2eade 4500 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4501 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4502 goto end;
4503
dbc6268f
MC		 4504 /*
4505 * Must include an EC ciphersuite so that we send supported groups in
4506 * TLSv1.2
4507 */
5bf2eade 4508# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4509 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4510 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4511 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4512 goto end;
5bf2eade 4513# endif
8e63900a 4514
4515 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4516 NULL, NULL)))
4517 goto end;
4518
4519 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4520 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4521 goto end;
4522
5bf2eade 4523 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4524 goto end;
8e63900a 4525
dbc6268f 4526 /*
5bf2eade 4527 * If Handshake succeeds the negotiated kexch alg should be the first one in
4528 * configured, except in the case of FFDHE groups (idx 13), which are
4529 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4530 */
4531 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4532 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4533 goto end;
becbacd7
MB		 4534
4535 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4536 kexch_name0))
4537 goto end;
4538
fb8c6db4 4539 if (max_version == TLS1_3_VERSION) {
4540 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4541 goto end;
4542 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4543 goto end;
4544 }
8e63900a 4545
4546 testresult = 1;
4547 end:
4548 SSL_free(serverssl);
4549 SSL_free(clientssl);
4550 SSL_CTX_free(sctx);
4551 SSL_CTX_free(cctx);
4552 return testresult;
4553}
4554
5bf2eade 4555/*
4556 * Test TLSv1.3 Cipher Suite
4557 * Test 0 = Set TLS1.3 cipher on context
4558 * Test 1 = Set TLS1.3 cipher on SSL
4559 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4560 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4561 */
4562static int test_tls13_ciphersuite(int idx)
4563{
4564 SSL_CTX *sctx = NULL, *cctx = NULL;
4565 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4566 static const struct {
4567 const char *ciphername;
4568 int fipscapable;
4569 } t13_ciphers[] = {
4570 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4571 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4572 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4573# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4574 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4575 { TLS1_3_RFC_AES_256_GCM_SHA384
4576 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4577# endif
4f6c7044 4578 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4579 };
4580 const char *t13_cipher = NULL;
4581 const char *t12_cipher = NULL;
4582 const char *negotiated_scipher;
4583 const char *negotiated_ccipher;
4584 int set_at_ctx = 0;
4585 int set_at_ssl = 0;
4586 int testresult = 0;
4587 int max_ver;
4588 size_t i;
4589
4590 switch (idx) {
4591 case 0:
4592 set_at_ctx = 1;
4593 break;
4594 case 1:
4595 set_at_ssl = 1;
4596 break;
4597 case 2:
4598 set_at_ctx = 1;
2d900758 4599 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4600 break;
4601 case 3:
4602 set_at_ssl = 1;
2d900758 4603 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4604 break;
4605 }
4606
4607 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4608# ifdef OPENSSL_NO_TLS1_2
4609 if (max_ver == TLS1_2_VERSION)
4610 continue;
4611# endif
4612 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4613 if (is_fips && !t13_ciphers[i].fipscapable)
4614 continue;
4615 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4616 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4617 TLS_client_method(),
4618 TLS1_VERSION, max_ver,
4619 &sctx, &cctx, cert, privkey)))
4620 goto end;
4621
4622 if (set_at_ctx) {
4623 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4624 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4625 goto end;
4626 if (t12_cipher != NULL) {
4627 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4628 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4629 t12_cipher)))
4630 goto end;
4631 }
4632 }
4633
4634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4635 &clientssl, NULL, NULL)))
4636 goto end;
4637
4638 if (set_at_ssl) {
4639 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4640 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4641 goto end;
4642 if (t12_cipher != NULL) {
4643 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4644 || !TEST_true(SSL_set_cipher_list(clientssl,
4645 t12_cipher)))
4646 goto end;
4647 }
4648 }
4649
4650 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4651 SSL_ERROR_NONE)))
4652 goto end;
4653
4654 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4655 serverssl));
4656 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4657 clientssl));
4658 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4659 goto end;
4660
4661 /*
4662 * TEST_strn_eq is used below because t13_cipher can contain
4663 * multiple ciphersuites
4664 */
4665 if (max_ver == TLS1_3_VERSION
4666 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4667 strlen(negotiated_scipher)))
4668 goto end;
4669
4670# ifndef OPENSSL_NO_TLS1_2
4671 /* Below validation is not done when t12_cipher is NULL */
4672 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4673 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4674 goto end;
4675# endif
4676
4677 SSL_free(serverssl);
4678 serverssl = NULL;
4679 SSL_free(clientssl);
4680 clientssl = NULL;
4681 SSL_CTX_free(sctx);
4682 sctx = NULL;
4683 SSL_CTX_free(cctx);
4684 cctx = NULL;
4685 }
4686 }
4687
4688 testresult = 1;
4689 end:
4690 SSL_free(serverssl);
4691 SSL_free(clientssl);
4692 SSL_CTX_free(sctx);
4693 SSL_CTX_free(cctx);
4694 return testresult;
4695}
4696
0d8da779
MC		 4697/*
4698 * Test TLSv1.3 PSKs
4699 * Test 0 = Test new style callbacks
4700 * Test 1 = Test both new and old style callbacks
4701 * Test 2 = Test old style callbacks
4702 * Test 3 = Test old style callbacks with no certificate
4703 */
532f9578 4704static int test_tls13_psk(int idx)
ca8c71ba
MC		 4705{
4706 SSL_CTX *sctx = NULL, *cctx = NULL;
4707 SSL *serverssl = NULL, *clientssl = NULL;
4708 const SSL_CIPHER *cipher = NULL;
4709 const unsigned char key[] = {
4710 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4711 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4712 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4713 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4714 };
4715 int testresult = 0;
4716
5e30f2fd
MC		 4717 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4718 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4719 &sctx, &cctx, idx == 3 ? NULL : cert,
4720 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4721 goto end;
4722
0d8da779
MC		 4723 if (idx != 3) {
4724 /*
4725 * We use a ciphersuite with SHA256 to ease testing old style PSK
4726 * callbacks which will always default to SHA256. This should not be
4727 * necessary if we have no cert/priv key. In that case the server should
4728 * prefer SHA256 automatically.
4729 */
4730 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4731 "TLS_AES_128_GCM_SHA256")))
4732 goto end;
4f6c7044
MC		 4733 } else {
4734 /*
4735 * As noted above the server should prefer SHA256 automatically. However
4736 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4737 * code works even if we are testing with only the FIPS provider loaded.
4738 */
4739 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4740 "TLS_AES_256_GCM_SHA384:"
4741 "TLS_AES_128_GCM_SHA256")))
4742 goto end;
0d8da779 4743 }
532f9578
MC		 4744
4745 /*
4746 * Test 0: New style callbacks only
4747 * Test 1: New and old style callbacks (only the new ones should be used)
4748 * Test 2: Old style callbacks only
4749 */
4750 if (idx == 0 || idx == 1) {
4751 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4752 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4753 }
c2b290c3 4754#ifndef OPENSSL_NO_PSK
0d8da779 4755 if (idx >= 1) {
532f9578
MC		 4756 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4757 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4758 }
c2b290c3 4759#endif
ca8c71ba 4760 srvid = pskid;
02a3ed5a
MC		 4761 use_session_cb_cnt = 0;
4762 find_session_cb_cnt = 0;
532f9578
MC		 4763 psk_client_cb_cnt = 0;
4764 psk_server_cb_cnt = 0;
ca8c71ba 4765
0d8da779
MC		 4766 if (idx != 3) {
4767 /*
4768 * Check we can create a connection if callback decides not to send a
4769 * PSK
4770 */
4771 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4772 NULL, NULL))
4773 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4774 SSL_ERROR_NONE))
4775 || !TEST_false(SSL_session_reused(clientssl))
4776 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4777 goto end;
532f9578 4778
0d8da779
MC		 4779 if (idx == 0 || idx == 1) {
4780 if (!TEST_true(use_session_cb_cnt == 1)
4781 || !TEST_true(find_session_cb_cnt == 0)
4782 /*
4783 * If no old style callback then below should be 0
4784 * otherwise 1
4785 */
4786 || !TEST_true(psk_client_cb_cnt == idx)
4787 || !TEST_true(psk_server_cb_cnt == 0))
4788 goto end;
4789 } else {
4790 if (!TEST_true(use_session_cb_cnt == 0)
4791 || !TEST_true(find_session_cb_cnt == 0)
4792 || !TEST_true(psk_client_cb_cnt == 1)
4793 || !TEST_true(psk_server_cb_cnt == 0))
4794 goto end;
4795 }
4796
4797 shutdown_ssl_connection(serverssl, clientssl);
4798 serverssl = clientssl = NULL;
4799 use_session_cb_cnt = psk_client_cb_cnt = 0;
4800 }
ca8c71ba
MC		 4801
4802 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4803 NULL, NULL)))
4804 goto end;
4805
4806 /* Create the PSK */
532f9578 4807 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4808 clientpsk = SSL_SESSION_new();
4809 if (!TEST_ptr(clientpsk)
ca8c71ba 4810 || !TEST_ptr(cipher)
57dee9bb
MC		 4811 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4812 sizeof(key)))
4813 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4814 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4815 TLS1_3_VERSION))
4816 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4817 goto end;
57dee9bb 4818 serverpsk = clientpsk;
ca8c71ba
MC		 4819
4820 /* Check we can create a connection and the PSK is used */
4821 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4822 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4823 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4824 goto end;
4825
532f9578
MC		 4826 if (idx == 0 || idx == 1) {
4827 if (!TEST_true(use_session_cb_cnt == 1)
4828 || !TEST_true(find_session_cb_cnt == 1)
4829 || !TEST_true(psk_client_cb_cnt == 0)
4830 || !TEST_true(psk_server_cb_cnt == 0))
4831 goto end;
4832 } else {
4833 if (!TEST_true(use_session_cb_cnt == 0)
4834 || !TEST_true(find_session_cb_cnt == 0)
4835 || !TEST_true(psk_client_cb_cnt == 1)
4836 || !TEST_true(psk_server_cb_cnt == 1))
4837 goto end;
4838 }
4839
ca8c71ba
MC		 4840 shutdown_ssl_connection(serverssl, clientssl);
4841 serverssl = clientssl = NULL;
4842 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4843 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4844
4845 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4846 NULL, NULL)))
4847 goto end;
4848
4849 /* Force an HRR */
dbc6268f
MC		 4850#if defined(OPENSSL_NO_EC)
4851 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4852 goto end;
4853#else
ca8c71ba
MC		 4854 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4855 goto end;
dbc6268f 4856#endif
ca8c71ba
MC		 4857
4858 /*
4859 * Check we can create a connection, the PSK is used and the callbacks are
4860 * called twice.
4861 */
4862 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4863 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4864 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4865 goto end;
4866
532f9578
MC		 4867 if (idx == 0 || idx == 1) {
4868 if (!TEST_true(use_session_cb_cnt == 2)
4869 || !TEST_true(find_session_cb_cnt == 2)
4870 || !TEST_true(psk_client_cb_cnt == 0)
4871 || !TEST_true(psk_server_cb_cnt == 0))
4872 goto end;
4873 } else {
4874 if (!TEST_true(use_session_cb_cnt == 0)
4875 || !TEST_true(find_session_cb_cnt == 0)
4876 || !TEST_true(psk_client_cb_cnt == 2)
4877 || !TEST_true(psk_server_cb_cnt == 2))
4878 goto end;
4879 }
4880
ca8c71ba
MC		 4881 shutdown_ssl_connection(serverssl, clientssl);
4882 serverssl = clientssl = NULL;
4883 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4884 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4885
0d8da779
MC		 4886 if (idx != 3) {
4887 /*
4888 * Check that if the server rejects the PSK we can still connect, but with
4889 * a full handshake
4890 */
4891 srvid = "Dummy Identity";
4892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4893 NULL, NULL))
4894 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4895 SSL_ERROR_NONE))
4896 || !TEST_false(SSL_session_reused(clientssl))
4897 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4898 goto end;
532f9578 4899
0d8da779
MC		 4900 if (idx == 0 || idx == 1) {
4901 if (!TEST_true(use_session_cb_cnt == 1)
4902 || !TEST_true(find_session_cb_cnt == 1)
4903 || !TEST_true(psk_client_cb_cnt == 0)
4904 /*
4905 * If no old style callback then below should be 0
4906 * otherwise 1
4907 */
4908 || !TEST_true(psk_server_cb_cnt == idx))
4909 goto end;
4910 } else {
4911 if (!TEST_true(use_session_cb_cnt == 0)
4912 || !TEST_true(find_session_cb_cnt == 0)
4913 || !TEST_true(psk_client_cb_cnt == 1)
4914 || !TEST_true(psk_server_cb_cnt == 1))
4915 goto end;
4916 }
4917
4918 shutdown_ssl_connection(serverssl, clientssl);
4919 serverssl = clientssl = NULL;
4920 }
ca8c71ba
MC		 4921 testresult = 1;
4922
4923 end:
57dee9bb
MC		 4924 SSL_SESSION_free(clientpsk);
4925 SSL_SESSION_free(serverpsk);
4926 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4927 SSL_free(serverssl);
4928 SSL_free(clientssl);
4929 SSL_CTX_free(sctx);
4930 SSL_CTX_free(cctx);
4931 return testresult;
4932}
4933
c7b8ff25
MC		 4934static unsigned char cookie_magic_value[] = "cookie magic";
4935
4936static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4937 unsigned int *cookie_len)
4938{
4939 /*
4940 * Not suitable as a real cookie generation function but good enough for
4941 * testing!
4942 */
97ea1e7f
MC		 4943 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4944 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4945
4946 return 1;
4947}
4948
4949static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4950 unsigned int cookie_len)
4951{
97ea1e7f 4952 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4953 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4954 return 1;
4955
4956 return 0;
4957}
4958
3fa2812f
BS		 4959static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4960 size_t *cookie_len)
4961{
4962 unsigned int temp;
4963 int res = generate_cookie_callback(ssl, cookie, &temp);
4964 *cookie_len = temp;
4965 return res;
4966}
4967
4968static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4969 size_t cookie_len)
4970{
4971 return verify_cookie_callback(ssl, cookie, cookie_len);
4972}
4973
c7b8ff25
MC		 4974static int test_stateless(void)
4975{
4976 SSL_CTX *sctx = NULL, *cctx = NULL;
4977 SSL *serverssl = NULL, *clientssl = NULL;
4978 int testresult = 0;
4979
5e30f2fd
MC		 4980 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4981 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4982 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4983 goto end;
4984
e440f513
MC		 4985 /* The arrival of CCS messages can confuse the test */
4986 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4987
4988 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4989 NULL, NULL))
4990 /* Send the first ClientHello */
4991 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4992 SSL_ERROR_WANT_READ))
4993 /*
4994 * This should fail with a -1 return because we have no callbacks
4995 * set up
4996 */
4997 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4998 goto end;
4999
5000 /* Fatal error so abandon the connection from this client */
5001 SSL_free(clientssl);
5002 clientssl = NULL;
5003
c7b8ff25 5004 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5005 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5006 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5007
e440f513
MC		 5008 /*
5009 * Create a new connection from the client (we can reuse the server SSL
5010 * object).
5011 */
c7b8ff25
MC		 5012 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5013 NULL, NULL))
5014 /* Send the first ClientHello */
5015 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5016 SSL_ERROR_WANT_READ))
5017 /* This should fail because there is no cookie */
e440f513 5018 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5019 goto end;
5020
5021 /* Abandon the connection from this client */
5022 SSL_free(clientssl);
5023 clientssl = NULL;
5024
5025 /*
5026 * Now create a connection from a new client but with the same server SSL
5027 * object
5028 */
5029 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5030 NULL, NULL))
5031 /* Send the first ClientHello */
5032 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5033 SSL_ERROR_WANT_READ))
5034 /* This should fail because there is no cookie */
e440f513 5035 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5036 /* Send the second ClientHello */
5037 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5038 SSL_ERROR_WANT_READ))
5039 /* This should succeed because a cookie is now present */
e440f513 5040 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5041 /* Complete the connection */
5042 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5043 SSL_ERROR_NONE)))
5044 goto end;
5045
5046 shutdown_ssl_connection(serverssl, clientssl);
5047 serverssl = clientssl = NULL;
5048 testresult = 1;
5049
5050 end:
5051 SSL_free(serverssl);
5052 SSL_free(clientssl);
5053 SSL_CTX_free(sctx);
5054 SSL_CTX_free(cctx);
5055 return testresult;
5056
5057}
a763ca11 5058#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5059
a37008d9
MC		 5060static int clntaddoldcb = 0;
5061static int clntparseoldcb = 0;
5062static int srvaddoldcb = 0;
5063static int srvparseoldcb = 0;
5064static int clntaddnewcb = 0;
5065static int clntparsenewcb = 0;
5066static int srvaddnewcb = 0;
5067static int srvparsenewcb = 0;
bb01ef3f 5068static int snicb = 0;
a37008d9
MC		 5069
5070#define TEST_EXT_TYPE1 0xff00
5071
5072static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5073 size_t *outlen, int *al, void *add_arg)
5074{
5075 int *server = (int *)add_arg;
5076 unsigned char *data;
5077
5078 if (SSL_is_server(s))
5079 srvaddoldcb++;
5080 else
5081 clntaddoldcb++;
5082
710756a9
RS		 5083 if (*server != SSL_is_server(s)
5084 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5085 return -1;
5086
5087 *data = 1;
5088 *out = data;
5089 *outlen = sizeof(char);
a37008d9
MC		 5090 return 1;
5091}
5092
5093static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5094 void *add_arg)
5095{
5096 OPENSSL_free((unsigned char *)out);
5097}
5098
5099static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5100 size_t inlen, int *al, void *parse_arg)
5101{
5102 int *server = (int *)parse_arg;
5103
5104 if (SSL_is_server(s))
5105 srvparseoldcb++;
5106 else
5107 clntparseoldcb++;
5108
710756a9
RS		 5109 if (*server != SSL_is_server(s)
5110 || inlen != sizeof(char)
5111 || *in != 1)
a37008d9
MC		 5112 return -1;
5113
5114 return 1;
5115}
5116
5117static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5118 const unsigned char **out, size_t *outlen, X509 *x,
5119 size_t chainidx, int *al, void *add_arg)
5120{
5121 int *server = (int *)add_arg;
5122 unsigned char *data;
5123
5124 if (SSL_is_server(s))
5125 srvaddnewcb++;
5126 else
5127 clntaddnewcb++;
5128
710756a9
RS		 5129 if (*server != SSL_is_server(s)
5130 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5131 return -1;
5132
5133 *data = 1;
5134 *out = data;
710756a9 5135 *outlen = sizeof(*data);
a37008d9
MC		 5136 return 1;
5137}
5138
5139static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5140 const unsigned char *out, void *add_arg)
5141{
5142 OPENSSL_free((unsigned char *)out);
5143}
5144
5145static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5146 const unsigned char *in, size_t inlen, X509 *x,
5147 size_t chainidx, int *al, void *parse_arg)
5148{
5149 int *server = (int *)parse_arg;
5150
5151 if (SSL_is_server(s))
5152 srvparsenewcb++;
5153 else
5154 clntparsenewcb++;
5155
710756a9
RS		 5156 if (*server != SSL_is_server(s)
5157 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5158 return -1;
5159
5160 return 1;
5161}
bb01ef3f
MC		 5162
5163static int sni_cb(SSL *s, int *al, void *arg)
5164{
5165 SSL_CTX *ctx = (SSL_CTX *)arg;
5166
5167 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5168 *al = SSL_AD_INTERNAL_ERROR;
5169 return SSL_TLSEXT_ERR_ALERT_FATAL;
5170 }
5171 snicb++;
5172 return SSL_TLSEXT_ERR_OK;
5173}
5174
a37008d9
MC		 5175/*
5176 * Custom call back tests.
5177 * Test 0: Old style callbacks in TLSv1.2
5178 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5179 * Test 2: New style callbacks in TLSv1.2 with SNI
5180 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5181 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5182 */
710756a9
RS		 5183static int test_custom_exts(int tst)
5184{
bb01ef3f 5185 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5186 SSL *clientssl = NULL, *serverssl = NULL;
5187 int testresult = 0;
5188 static int server = 1;
5189 static int client = 0;
5190 SSL_SESSION *sess = NULL;
5191 unsigned int context;
5192
a763ca11 5193#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5194 /* Skip tests for TLSv1.2 and below in this case */
5195 if (tst < 3)
5196 return 1;
5197#endif
5198
a37008d9
MC		 5199 /* Reset callback counters */
5200 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5201 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5202 snicb = 0;
a37008d9 5203
5e30f2fd
MC		 5204 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5205 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5206 &sctx, &cctx, cert, privkey)))
710756a9 5207 goto end;
a37008d9 5208
bb01ef3f 5209 if (tst == 2
5e30f2fd 5210 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5211 TLS1_VERSION, 0,
7d7f6834 5212 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5213 goto end;
5214
5215
5216 if (tst < 3) {
a37008d9
MC		 5217 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5218 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5219 if (sctx2 != NULL)
5220 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5221 }
5222
bb01ef3f 5223 if (tst == 4) {
710756a9
RS		 5224 context = SSL_EXT_CLIENT_HELLO
5225 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5226 | SSL_EXT_TLS1_3_SERVER_HELLO
5227 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5228 | SSL_EXT_TLS1_3_CERTIFICATE
5229 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5230 } else {
710756a9
RS		 5231 context = SSL_EXT_CLIENT_HELLO
5232 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5233 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5234 }
5235
5236 /* Create a client side custom extension */
5237 if (tst == 0) {
710756a9
RS		 5238 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5239 old_add_cb, old_free_cb,
5240 &client, old_parse_cb,
5241 &client)))
5242 goto end;
a37008d9 5243 } else {
710756a9
RS		 5244 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5245 new_add_cb, new_free_cb,
5246 &client, new_parse_cb, &client)))
5247 goto end;
a37008d9
MC		 5248 }
5249
5250 /* Should not be able to add duplicates */
710756a9
RS		 5251 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5252 old_add_cb, old_free_cb,
5253 &client, old_parse_cb,
5254 &client))
5255 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5256 context, new_add_cb,
5257 new_free_cb, &client,
5258 new_parse_cb, &client)))
5259 goto end;
a37008d9
MC		 5260
5261 /* Create a server side custom extension */
5262 if (tst == 0) {
710756a9
RS		 5263 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5264 old_add_cb, old_free_cb,
5265 &server, old_parse_cb,
5266 &server)))
5267 goto end;
a37008d9 5268 } else {
710756a9
RS		 5269 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5270 new_add_cb, new_free_cb,
5271 &server, new_parse_cb, &server)))
5272 goto end;
bb01ef3f
MC		 5273 if (sctx2 != NULL
5274 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5275 context, new_add_cb,
5276 new_free_cb, &server,
5277 new_parse_cb, &server)))
5278 goto end;
a37008d9
MC		 5279 }
5280
5281 /* Should not be able to add duplicates */
710756a9
RS		 5282 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5283 old_add_cb, old_free_cb,
5284 &server, old_parse_cb,
5285 &server))
5286 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5287 context, new_add_cb,
5288 new_free_cb, &server,
5289 new_parse_cb, &server)))
a37008d9 5290 goto end;
a37008d9 5291
bb01ef3f
MC		 5292 if (tst == 2) {
5293 /* Set up SNI */
5294 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5295 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5296 goto end;
5297 }
5298
710756a9
RS		 5299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5300 &clientssl, NULL, NULL))
5301 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5302 SSL_ERROR_NONE)))
a37008d9 5303 goto end;
a37008d9
MC		 5304
5305 if (tst == 0) {
710756a9
RS		 5306 if (clntaddoldcb != 1
5307 || clntparseoldcb != 1
5308 || srvaddoldcb != 1
5309 || srvparseoldcb != 1)
a37008d9 5310 goto end;
bb01ef3f 5311 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5312 if (clntaddnewcb != 1
5313 || clntparsenewcb != 1
5314 || srvaddnewcb != 1
bb01ef3f
MC		 5315 || srvparsenewcb != 1
5316 || (tst != 2 && snicb != 0)
5317 || (tst == 2 && snicb != 1))
a37008d9 5318 goto end;
a37008d9 5319 } else {
36ff232c 5320 /* In this case there 2 NewSessionTicket messages created */
710756a9 5321 if (clntaddnewcb != 1
36ff232c
MC		 5322 || clntparsenewcb != 5
5323 || srvaddnewcb != 5
710756a9 5324 || srvparsenewcb != 1)
a37008d9 5325 goto end;
a37008d9
MC		 5326 }
5327
5328 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5329 SSL_shutdown(clientssl);
5330 SSL_shutdown(serverssl);
a37008d9
MC		 5331 SSL_free(serverssl);
5332 SSL_free(clientssl);
5333 serverssl = clientssl = NULL;
5334
bb01ef3f
MC		 5335 if (tst == 3) {
5336 /* We don't bother with the resumption aspects for this test */
5337 testresult = 1;
5338 goto end;
5339 }
5340
710756a9
RS		 5341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5342 NULL, NULL))
5343 || !TEST_true(SSL_set_session(clientssl, sess))
5344 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5345 SSL_ERROR_NONE)))
a37008d9 5346 goto end;
a37008d9
MC		 5347
5348 /*
5349 * For a resumed session we expect to add the ClientHello extension. For the
5350 * old style callbacks we ignore it on the server side because they set
5351 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5352 * them.
5353 */
5354 if (tst == 0) {
710756a9
RS		 5355 if (clntaddoldcb != 2
5356 || clntparseoldcb != 1
5357 || srvaddoldcb != 1
5358 || srvparseoldcb != 1)
a37008d9 5359 goto end;
bb01ef3f 5360 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5361 if (clntaddnewcb != 2
5362 || clntparsenewcb != 2
5363 || srvaddnewcb != 2
5364 || srvparsenewcb != 2)
a37008d9 5365 goto end;
a37008d9 5366 } else {
36ff232c
MC		 5367 /*
5368 * No Certificate message extensions in the resumption handshake,
5369 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5370 */
710756a9 5371 if (clntaddnewcb != 2
36ff232c
MC		 5372 || clntparsenewcb != 8
5373 || srvaddnewcb != 8
710756a9 5374 || srvparsenewcb != 2)
a37008d9 5375 goto end;
a37008d9
MC		 5376 }
5377
5378 testresult = 1;
5379
5380end:
5381 SSL_SESSION_free(sess);
5382 SSL_free(serverssl);
5383 SSL_free(clientssl);
bb01ef3f 5384 SSL_CTX_free(sctx2);
a37008d9
MC		 5385 SSL_CTX_free(sctx);
5386 SSL_CTX_free(cctx);
a37008d9
MC		 5387 return testresult;
5388}
5389
16afd71c
MC		 5390/*
5391 * Test loading of serverinfo data in various formats. test_sslmessages actually
5392 * tests to make sure the extensions appear in the handshake
5393 */
5394static int test_serverinfo(int tst)
5395{
5396 unsigned int version;
5397 unsigned char *sibuf;
5398 size_t sibuflen;
5399 int ret, expected, testresult = 0;
5400 SSL_CTX *ctx;
5401
d8652be0 5402 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5403 if (!TEST_ptr(ctx))
5404 goto end;
5405
5406 if ((tst & 0x01) == 0x01)
5407 version = SSL_SERVERINFOV2;
5408 else
5409 version = SSL_SERVERINFOV1;
5410
5411 if ((tst & 0x02) == 0x02) {
5412 sibuf = serverinfov2;
5413 sibuflen = sizeof(serverinfov2);
5414 expected = (version == SSL_SERVERINFOV2);
5415 } else {
5416 sibuf = serverinfov1;
5417 sibuflen = sizeof(serverinfov1);
5418 expected = (version == SSL_SERVERINFOV1);
5419 }
5420
5421 if ((tst & 0x04) == 0x04) {
5422 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5423 } else {
5424 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5425
5426 /*
5427 * The version variable is irrelevant in this case - it's what is in the
5428 * buffer that matters
5429 */
5430 if ((tst & 0x02) == 0x02)
5431 expected = 0;
5432 else
5433 expected = 1;
5434 }
5435
5436 if (!TEST_true(ret == expected))
5437 goto end;
5438
5439 testresult = 1;
5440
5441 end:
5442 SSL_CTX_free(ctx);
5443
5444 return testresult;
5445}
5446
2197d1df
MC		 5447/*
5448 * Test that SSL_export_keying_material() produces expected results. There are
5449 * no test vectors so all we do is test that both sides of the communication
5450 * produce the same results for different protocol versions.
5451 */
0fb2815b
MC		 5452#define SMALL_LABEL_LEN 10
5453#define LONG_LABEL_LEN 249
2197d1df
MC		 5454static int test_export_key_mat(int tst)
5455{
a599574b 5456 int testresult = 0;
2197d1df
MC		 5457 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5458 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5459 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5460 const unsigned char context[] = "context";
5461 const unsigned char *emptycontext = NULL;
5462 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5463 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5464 size_t labellen;
a599574b
MC		 5465 const int protocols[] = {
5466 TLS1_VERSION,
5467 TLS1_1_VERSION,
5468 TLS1_2_VERSION,
0fb2815b
MC		 5469 TLS1_3_VERSION,
5470 TLS1_3_VERSION,
a599574b
MC		 5471 TLS1_3_VERSION
5472 };
2197d1df
MC		 5473
5474#ifdef OPENSSL_NO_TLS1
5475 if (tst == 0)
5476 return 1;
5477#endif
5478#ifdef OPENSSL_NO_TLS1_1
5479 if (tst == 1)
5480 return 1;
5481#endif
4f6c7044
MC		 5482 if (is_fips && (tst == 0 || tst == 1))
5483 return 1;
2197d1df
MC		 5484#ifdef OPENSSL_NO_TLS1_2
5485 if (tst == 2)
5486 return 1;
5487#endif
a763ca11 5488#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5489 if (tst >= 3)
2197d1df
MC		 5490 return 1;
5491#endif
5e30f2fd
MC		 5492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5493 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5494 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5495 goto end;
5496
a599574b
MC		 5497 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5498 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5499 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5500 if ((protocols[tst] < TLS1_2_VERSION) &&
5501 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5502 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5503 goto end;
2197d1df
MC		 5504
5505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5506 NULL)))
5507 goto end;
5508
5509 /*
5510 * Premature call of SSL_export_keying_material should just fail.
5511 */
5512 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5513 sizeof(ckeymat1), label,
5514 SMALL_LABEL_LEN + 1, context,
5515 sizeof(context) - 1, 1), 0))
5516 goto end;
5517
5518 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5519 SSL_ERROR_NONE)))
2197d1df
MC		 5520 goto end;
5521
0fb2815b
MC		 5522 if (tst == 5) {
5523 /*
5524 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5525 * go over that.
5526 */
5527 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5528 sizeof(ckeymat1), label,
5529 LONG_LABEL_LEN + 1, context,
5530 sizeof(context) - 1, 1), 0))
5531 goto end;
5532
5533 testresult = 1;
5534 goto end;
5535 } else if (tst == 4) {
5536 labellen = LONG_LABEL_LEN;
5537 } else {
5538 labellen = SMALL_LABEL_LEN;
5539 }
5540
2197d1df
MC		 5541 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5542 sizeof(ckeymat1), label,
0fb2815b 5543 labellen, context,
2197d1df
MC		 5544 sizeof(context) - 1, 1), 1)
5545 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5546 sizeof(ckeymat2), label,
0fb2815b 5547 labellen,
2197d1df
MC		 5548 emptycontext,
5549 0, 1), 1)
5550 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5551 sizeof(ckeymat3), label,
0fb2815b 5552 labellen,
2197d1df
MC		 5553 NULL, 0, 0), 1)
5554 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5555 sizeof(skeymat1), label,
0fb2815b 5556 labellen,
2197d1df
MC		 5557 context,
5558 sizeof(context) -1, 1),
5559 1)
5560 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5561 sizeof(skeymat2), label,
0fb2815b 5562 labellen,
2197d1df
MC		 5563 emptycontext,
5564 0, 1), 1)
5565 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5566 sizeof(skeymat3), label,
0fb2815b 5567 labellen,
2197d1df
MC		 5568 NULL, 0, 0), 1)
5569 /*
5570 * Check that both sides created the same key material with the
5571 * same context.
5572 */
5573 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5574 sizeof(skeymat1))
5575 /*
5576 * Check that both sides created the same key material with an
5577 * empty context.
5578 */
5579 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5580 sizeof(skeymat2))
5581 /*
5582 * Check that both sides created the same key material without a
5583 * context.
5584 */
5585 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5586 sizeof(skeymat3))
5587 /* Different contexts should produce different results */
5588 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5589 sizeof(ckeymat2)))
5590 goto end;
5591
5592 /*
5593 * Check that an empty context and no context produce different results in
5594 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5595 */
0fb2815b 5596 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5597 sizeof(ckeymat3)))
0fb2815b
MC		 5598 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5599 sizeof(ckeymat3))))
2197d1df
MC		 5600 goto end;
5601
5602 testresult = 1;
5603
5604 end:
5605 SSL_free(serverssl);
5606 SSL_free(clientssl);
5607 SSL_CTX_free(sctx2);
5608 SSL_CTX_free(sctx);
5609 SSL_CTX_free(cctx);
5610
5611 return testresult;
5612}
5613
a763ca11 5614#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 5615/*
5616 * Test that SSL_export_keying_material_early() produces expected
5617 * results. There are no test vectors so all we do is test that both
5618 * sides of the communication produce the same results for different
5619 * protocol versions.
5620 */
5621static int test_export_key_mat_early(int idx)
5622{
5623 static const char label[] = "test label";
5624 static const unsigned char context[] = "context";
5625 int testresult = 0;
5626 SSL_CTX *cctx = NULL, *sctx = NULL;
5627 SSL *clientssl = NULL, *serverssl = NULL;
5628 SSL_SESSION *sess = NULL;
5629 const unsigned char *emptycontext = NULL;
5630 unsigned char ckeymat1[80], ckeymat2[80];
5631 unsigned char skeymat1[80], skeymat2[80];
5632 unsigned char buf[1];
5633 size_t readbytes, written;
5634
5635 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5636 &sess, idx)))
5637 goto end;
5638
5639 /* Here writing 0 length early data is enough. */
5640 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5641 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5642 &readbytes),
5643 SSL_READ_EARLY_DATA_ERROR)
5644 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5645 SSL_EARLY_DATA_ACCEPTED))
5646 goto end;
5647
5648 if (!TEST_int_eq(SSL_export_keying_material_early(
5649 clientssl, ckeymat1, sizeof(ckeymat1), label,
5650 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5651 || !TEST_int_eq(SSL_export_keying_material_early(
5652 clientssl, ckeymat2, sizeof(ckeymat2), label,
5653 sizeof(label) - 1, emptycontext, 0), 1)
5654 || !TEST_int_eq(SSL_export_keying_material_early(
5655 serverssl, skeymat1, sizeof(skeymat1), label,
5656 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5657 || !TEST_int_eq(SSL_export_keying_material_early(
5658 serverssl, skeymat2, sizeof(skeymat2), label,
5659 sizeof(label) - 1, emptycontext, 0), 1)
5660 /*
5661 * Check that both sides created the same key material with the
5662 * same context.
5663 */
5664 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5665 sizeof(skeymat1))
5666 /*
5667 * Check that both sides created the same key material with an
5668 * empty context.
5669 */
5670 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5671 sizeof(skeymat2))
5672 /* Different contexts should produce different results */
5673 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5674 sizeof(ckeymat2)))
5675 goto end;
5676
5677 testresult = 1;
5678
5679 end:
c20e3b28 5680 SSL_SESSION_free(sess);
b38ede80
TT		 5681 SSL_SESSION_free(clientpsk);
5682 SSL_SESSION_free(serverpsk);
34ff74eb 5683 clientpsk = serverpsk = NULL;
b38ede80
TT		 5684 SSL_free(serverssl);
5685 SSL_free(clientssl);
5686 SSL_CTX_free(sctx);
5687 SSL_CTX_free(cctx);
5688
5689 return testresult;
5690}
3409a5ff
MC		 5691
5692#define NUM_KEY_UPDATE_MESSAGES 40
5693/*
5694 * Test KeyUpdate.
5695 */
5696static int test_key_update(void)
5697{
5698 SSL_CTX *cctx = NULL, *sctx = NULL;
5699 SSL *clientssl = NULL, *serverssl = NULL;
5700 int testresult = 0, i, j;
5701 char buf[20];
5702 static char *mess = "A test message";
5703
5e30f2fd 5704 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5705 TLS_client_method(),
5706 TLS1_3_VERSION,
5707 0,
5708 &sctx, &cctx, cert, privkey))
5709 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5710 NULL, NULL))
5711 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5712 SSL_ERROR_NONE)))
5713 goto end;
5714
5715 for (j = 0; j < 2; j++) {
5716 /* Send lots of KeyUpdate messages */
5717 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5718 if (!TEST_true(SSL_key_update(clientssl,
5719 (j == 0)
5720 ? SSL_KEY_UPDATE_NOT_REQUESTED
5721 : SSL_KEY_UPDATE_REQUESTED))
5722 || !TEST_true(SSL_do_handshake(clientssl)))
5723 goto end;
5724 }
5725
5726 /* Check that sending and receiving app data is ok */
5727 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5728 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5729 strlen(mess)))
5730 goto end;
a77b4dba
MC		 5731
5732 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5733 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5734 strlen(mess)))
5735 goto end;
3409a5ff
MC		 5736 }
5737
5738 testresult = 1;
5739
5740 end:
5741 SSL_free(serverssl);
5742 SSL_free(clientssl);
5743 SSL_CTX_free(sctx);
5744 SSL_CTX_free(cctx);
5745
5746 return testresult;
5747}
a77b4dba
MC		 5748
5749/*
5750 * Test we can handle a KeyUpdate (update requested) message while write data
5751 * is pending.
5752 * Test 0: Client sends KeyUpdate while Server is writing
5753 * Test 1: Server sends KeyUpdate while Client is writing
5754 */
5755static int test_key_update_in_write(int tst)
5756{
5757 SSL_CTX *cctx = NULL, *sctx = NULL;
5758 SSL *clientssl = NULL, *serverssl = NULL;
5759 int testresult = 0;
5760 char buf[20];
5761 static char *mess = "A test message";
5762 BIO *bretry = BIO_new(bio_s_always_retry());
5763 BIO *tmp = NULL;
5764 SSL *peerupdate = NULL, *peerwrite = NULL;
5765
5766 if (!TEST_ptr(bretry)
5e30f2fd 5767 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5768 TLS_client_method(),
5769 TLS1_3_VERSION,
5770 0,
5771 &sctx, &cctx, cert, privkey))
5772 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5773 NULL, NULL))
5774 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5775 SSL_ERROR_NONE)))
5776 goto end;
5777
5778 peerupdate = tst == 0 ? clientssl : serverssl;
5779 peerwrite = tst == 0 ? serverssl : clientssl;
5780
5781 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5782 || !TEST_true(SSL_do_handshake(peerupdate)))
5783 goto end;
5784
5785 /* Swap the writing endpoint's write BIO to force a retry */
5786 tmp = SSL_get_wbio(peerwrite);
5787 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5788 tmp = NULL;
5789 goto end;
5790 }
5791 SSL_set0_wbio(peerwrite, bretry);
5792 bretry = NULL;
5793
5794 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5795 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5796 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5797 goto end;
5798
5799 /* Reinstate the original writing endpoint's write BIO */
5800 SSL_set0_wbio(peerwrite, tmp);
5801 tmp = NULL;
5802
5803 /* Now read some data - we will read the key update */
5804 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5805 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5806 goto end;
5807
5808 /*
5809 * Complete the write we started previously and read it from the other
5810 * endpoint
5811 */
5812 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5813 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5814 goto end;
5815
5816 /* Write more data to ensure we send the KeyUpdate message back */
5817 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5818 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5819 goto end;
5820
5821 testresult = 1;
5822
5823 end:
5824 SSL_free(serverssl);
5825 SSL_free(clientssl);
5826 SSL_CTX_free(sctx);
5827 SSL_CTX_free(cctx);
5828 BIO_free(bretry);
5829 BIO_free(tmp);
5830
5831 return testresult;
5832}
a763ca11 5833#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 5834
e11b6aa4
MC		 5835static int test_ssl_clear(int idx)
5836{
5837 SSL_CTX *cctx = NULL, *sctx = NULL;
5838 SSL *clientssl = NULL, *serverssl = NULL;
5839 int testresult = 0;
5840
5841#ifdef OPENSSL_NO_TLS1_2
5842 if (idx == 1)
5843 return 1;
5844#endif
5845
5846 /* Create an initial connection */
5e30f2fd
MC		 5847 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5848 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5849 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5850 || (idx == 1
5851 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5852 TLS1_2_VERSION)))
5853 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5854 &clientssl, NULL, NULL))
5855 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5856 SSL_ERROR_NONE)))
5857 goto end;
5858
5859 SSL_shutdown(clientssl);
5860 SSL_shutdown(serverssl);
5861 SSL_free(serverssl);
5862 serverssl = NULL;
5863
5864 /* Clear clientssl - we're going to reuse the object */
5865 if (!TEST_true(SSL_clear(clientssl)))
5866 goto end;
5867
5868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5869 NULL, NULL))
5870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5871 SSL_ERROR_NONE))
5872 || !TEST_true(SSL_session_reused(clientssl)))
5873 goto end;
5874
5875 SSL_shutdown(clientssl);
5876 SSL_shutdown(serverssl);
5877
5878 testresult = 1;
5879
5880 end:
5881 SSL_free(serverssl);
5882 SSL_free(clientssl);
5883 SSL_CTX_free(sctx);
5884 SSL_CTX_free(cctx);
5885
5886 return testresult;
5887}
5888
cf72c757
F		 5889/* Parse CH and retrieve any MFL extension value if present */
5890static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5891{
5892 long len;
5893 unsigned char *data;
72962d02 5894 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5895 unsigned int MFL_code = 0, type = 0;
5896
5897 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5898 goto end;
5899
72962d02
P		 5900 memset(&pkt, 0, sizeof(pkt));
5901 memset(&pkt2, 0, sizeof(pkt2));
5902 memset(&pkt3, 0, sizeof(pkt3));
5903
cf72c757
F		 5904 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5905 /* Skip the record header */
5906 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5907 /* Skip the handshake message header */
5908 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5909 /* Skip client version and random */
5910 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5911 + SSL3_RANDOM_SIZE))
5912 /* Skip session id */
5913 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5914 /* Skip ciphers */
5915 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5916 /* Skip compression */
5917 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5918 /* Extensions len */
5919 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5920 goto end;
5921
5922 /* Loop through all extensions */
5923 while (PACKET_remaining(&pkt2)) {
5924 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5925 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5926 goto end;
5927
5928 if (type == TLSEXT_TYPE_max_fragment_length) {
5929 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5930 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5931 goto end;
5932
5933 *mfl_codemfl_code = MFL_code;
5934 return 1;
5935 }
5936 }
5937
5938 end:
5939 return 0;
5940}
5941
5942/* Maximum-Fragment-Length TLS extension mode to test */
5943static const unsigned char max_fragment_len_test[] = {
5944 TLSEXT_max_fragment_length_512,
5945 TLSEXT_max_fragment_length_1024,
5946 TLSEXT_max_fragment_length_2048,
5947 TLSEXT_max_fragment_length_4096
5948};
5949
5950static int test_max_fragment_len_ext(int idx_tst)
5951{
a763ca11 5952 SSL_CTX *ctx = NULL;
cf72c757
F		 5953 SSL *con = NULL;
5954 int testresult = 0, MFL_mode = 0;
5955 BIO *rbio, *wbio;
5956
a763ca11
MC		 5957 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
5958 TLS1_VERSION, 0, NULL, &ctx, NULL,
5959 NULL)))
5960 return 0;
cf72c757
F		 5961
5962 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5963 ctx, max_fragment_len_test[idx_tst])))
5964 goto end;
5965
5966 con = SSL_new(ctx);
5967 if (!TEST_ptr(con))
5968 goto end;
5969
5970 rbio = BIO_new(BIO_s_mem());
5971 wbio = BIO_new(BIO_s_mem());
5972 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5973 BIO_free(rbio);
5974 BIO_free(wbio);
5975 goto end;
5976 }
5977
5978 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 5979
5980 if (!TEST_int_le(SSL_connect(con), 0)) {
5981 /* This shouldn't succeed because we don't have a server! */
5982 goto end;
5983 }
5984
5985 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5986 /* no MFL in client hello */
5987 goto end;
5988 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5989 goto end;
5990
5991 testresult = 1;
5992
5993end:
5994 SSL_free(con);
5995 SSL_CTX_free(ctx);
5996
5997 return testresult;
5998}
5999
a763ca11 6000#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6001static int test_pha_key_update(void)
6002{
6003 SSL_CTX *cctx = NULL, *sctx = NULL;
6004 SSL *clientssl = NULL, *serverssl = NULL;
6005 int testresult = 0;
6006
5e30f2fd
MC		 6007 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6008 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6009 &sctx, &cctx, cert, privkey)))
6010 return 0;
6011
6012 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6013 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6014 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6015 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6016 goto end;
6017
e97be718 6018 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6019
6020 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6021 NULL, NULL)))
6022 goto end;
6023
9d75dce3
TS		 6024 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6025 SSL_ERROR_NONE)))
6026 goto end;
6027
6028 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6029 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6030 goto end;
6031
6032 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6033 goto end;
6034
6035 /* Start handshake on the server */
6036 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6037 goto end;
6038
6039 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6040 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6041 SSL_ERROR_NONE)))
6042 goto end;
6043
6044 SSL_shutdown(clientssl);
6045 SSL_shutdown(serverssl);
6046
6047 testresult = 1;
6048
6049 end:
6050 SSL_free(serverssl);
6051 SSL_free(clientssl);
6052 SSL_CTX_free(sctx);
6053 SSL_CTX_free(cctx);
6054 return testresult;
6055}
6056#endif
6057
76fd7a1d
MC		 6058#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6059
6060static SRP_VBASE *vbase = NULL;
6061
6062static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6063{
6064 int ret = SSL3_AL_FATAL;
6065 char *username;
6066 SRP_user_pwd *user = NULL;
6067
6068 username = SSL_get_srp_username(s);
6069 if (username == NULL) {
6070 *ad = SSL_AD_INTERNAL_ERROR;
6071 goto err;
6072 }
6073
6074 user = SRP_VBASE_get1_by_user(vbase, username);
6075 if (user == NULL) {
6076 *ad = SSL_AD_INTERNAL_ERROR;
6077 goto err;
6078 }
6079
6080 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6081 user->info) <= 0) {
6082 *ad = SSL_AD_INTERNAL_ERROR;
6083 goto err;
6084 }
6085
6086 ret = 0;
6087
6088 err:
6089 SRP_user_pwd_free(user);
6090 return ret;
6091}
6092
6093static int create_new_vfile(char *userid, char *password, const char *filename)
6094{
6095 char *gNid = NULL;
6096 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6097 TXT_DB *db = NULL;
6098 int ret = 0;
6099 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6100 size_t i;
6101
6102 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6103 goto end;
6104
20c00d0a 6105 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6106 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6107 if (!TEST_ptr(gNid))
6108 goto end;
6109
6110 /*
6111 * The only way to create an empty TXT_DB is to provide a BIO with no data
6112 * in it!
6113 */
6114 db = TXT_DB_read(dummy, DB_NUMBER);
6115 if (!TEST_ptr(db))
6116 goto end;
6117
6118 out = BIO_new_file(filename, "w");
6119 if (!TEST_ptr(out))
6120 goto end;
6121
6122 row[DB_srpid] = OPENSSL_strdup(userid);
6123 row[DB_srptype] = OPENSSL_strdup("V");
6124 row[DB_srpgN] = OPENSSL_strdup(gNid);
6125
6126 if (!TEST_ptr(row[DB_srpid])
6127 || !TEST_ptr(row[DB_srptype])
6128 || !TEST_ptr(row[DB_srpgN])
6129 || !TEST_true(TXT_DB_insert(db, row)))
6130 goto end;
6131
6132 row = NULL;
6133
6134 if (!TXT_DB_write(out, db))
6135 goto end;
6136
6137 ret = 1;
6138 end:
6139 if (row != NULL) {
6140 for (i = 0; i < DB_NUMBER; i++)
6141 OPENSSL_free(row[i]);
6142 }
6143 OPENSSL_free(row);
6144 BIO_free(dummy);
6145 BIO_free(out);
6146 TXT_DB_free(db);
6147
6148 return ret;
6149}
6150
6151static int create_new_vbase(char *userid, char *password)
6152{
6153 BIGNUM *verifier = NULL, *salt = NULL;
6154 const SRP_gN *lgN = NULL;
6155 SRP_user_pwd *user_pwd = NULL;
6156 int ret = 0;
6157
6158 lgN = SRP_get_default_gN(NULL);
6159 if (!TEST_ptr(lgN))
6160 goto end;
6161
20c00d0a 6162 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6163 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6164 goto end;
6165
6166 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6167 if (!TEST_ptr(user_pwd))
6168 goto end;
6169
6170 user_pwd->N = lgN->N;
6171 user_pwd->g = lgN->g;
6172 user_pwd->id = OPENSSL_strdup(userid);
6173 if (!TEST_ptr(user_pwd->id))
6174 goto end;
6175
6176 user_pwd->v = verifier;
6177 user_pwd->s = salt;
6178 verifier = salt = NULL;
6179
6180 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6181 goto end;
6182 user_pwd = NULL;
6183
6184 ret = 1;
6185end:
6186 SRP_user_pwd_free(user_pwd);
6187 BN_free(salt);
6188 BN_free(verifier);
6189
6190 return ret;
6191}
6192
6193/*
6194 * SRP tests
6195 *
6196 * Test 0: Simple successful SRP connection, new vbase
6197 * Test 1: Connection failure due to bad password, new vbase
6198 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6199 * Test 3: Connection failure due to bad password, vbase loaded from existing
6200 * file
6201 * Test 4: Simple successful SRP connection, vbase loaded from new file
6202 * Test 5: Connection failure due to bad password, vbase loaded from new file
6203 */
6204static int test_srp(int tst)
6205{
6206 char *userid = "test", *password = "password", *tstsrpfile;
6207 SSL_CTX *cctx = NULL, *sctx = NULL;
6208 SSL *clientssl = NULL, *serverssl = NULL;
6209 int ret, testresult = 0;
6210
6211 vbase = SRP_VBASE_new(NULL);
6212 if (!TEST_ptr(vbase))
6213 goto end;
6214
6215 if (tst == 0 || tst == 1) {
6216 if (!TEST_true(create_new_vbase(userid, password)))
6217 goto end;
6218 } else {
6219 if (tst == 4 || tst == 5) {
6220 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6221 goto end;
6222 tstsrpfile = tmpfilename;
6223 } else {
6224 tstsrpfile = srpvfile;
6225 }
6226 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6227 goto end;
6228 }
6229
5e30f2fd
MC		 6230 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6231 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6232 &sctx, &cctx, cert, privkey)))
6233 goto end;
6234
6235 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6236 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6237 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6238 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6239 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6240 goto end;
6241
6242 if (tst % 2 == 1) {
6243 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6244 goto end;
6245 } else {
6246 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6247 goto end;
6248 }
6249
6250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6251 NULL, NULL)))
6252 goto end;
6253
6254 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6255 if (ret) {
6256 if (!TEST_true(tst % 2 == 0))
6257 goto end;
6258 } else {
6259 if (!TEST_true(tst % 2 == 1))
6260 goto end;
6261 }
6262
6263 testresult = 1;
6264
6265 end:
6266 SRP_VBASE_free(vbase);
6267 vbase = NULL;
6268 SSL_free(serverssl);
6269 SSL_free(clientssl);
6270 SSL_CTX_free(sctx);
6271 SSL_CTX_free(cctx);
6272
6273 return testresult;
6274}
6275#endif
6276
5718fe45
MC		 6277static int info_cb_failed = 0;
6278static int info_cb_offset = 0;
6279static int info_cb_this_state = -1;
6280
6281static struct info_cb_states_st {
6282 int where;
6283 const char *statestr;
6284} info_cb_states[][60] = {
6285 {
6286 /* TLSv1.2 server followed by resumption */
6287 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6288 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6289 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6290 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6291 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6292 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6293 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6294 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6295 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6296 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6297 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6298 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6299 {SSL_CB_EXIT, NULL}, {0, NULL},
6300 }, {
6301 /* TLSv1.2 client followed by resumption */
6302 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6303 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6304 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6305 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6306 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6307 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6308 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6309 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6310 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6311 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6312 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6313 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6314 }, {
6315 /* TLSv1.3 server followed by resumption */
6316 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6317 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6318 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6319 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6320 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6321 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6322 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6323 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6324 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6325 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6326 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6327 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6328 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6329 }, {
6330 /* TLSv1.3 client followed by resumption */
6331 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6332 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6333 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6334 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6335 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6336 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6337 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6338 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6339 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6340 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6341 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6342 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6343 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6344 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6345 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6346 }, {
6347 /* TLSv1.3 server, early_data */
6348 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6349 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6350 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6351 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6352 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6353 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6354 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6355 {SSL_CB_EXIT, NULL}, {0, NULL},
6356 }, {
6357 /* TLSv1.3 client, early_data */
6358 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6359 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6360 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6361 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6362 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6363 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6364 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6365 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6366 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6367 }, {
6368 {0, NULL},
6369 }
6370};
6371
6372static void sslapi_info_callback(const SSL *s, int where, int ret)
6373{
6374 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6375
6376 /* We do not ever expect a connection to fail in this test */
6377 if (!TEST_false(ret == 0)) {
6378 info_cb_failed = 1;
6379 return;
6380 }
6381
6382 /*
6383 * Do some sanity checks. We never expect these things to happen in this
6384 * test
6385 */
6386 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6387 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6388 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6389 info_cb_failed = 1;
6390 return;
6391 }
6392
6393 /* Now check we're in the right state */
6394 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6395 info_cb_failed = 1;
6396 return;
6397 }
6398 if ((where & SSL_CB_LOOP) != 0
6399 && !TEST_int_eq(strcmp(SSL_state_string(s),
6400 state[info_cb_this_state].statestr), 0)) {
6401 info_cb_failed = 1;
6402 return;
6403 }
033c181b 6404
4af5836b
MC		 6405 /*
6406 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6407 */
6408 if ((where & SSL_CB_HANDSHAKE_DONE)
6409 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6410 info_cb_failed = 1;
6411 return;
6412 }
5718fe45
MC		 6413}
6414
6415/*
6416 * Test the info callback gets called when we expect it to.
6417 *
6418 * Test 0: TLSv1.2, server
6419 * Test 1: TLSv1.2, client
6420 * Test 2: TLSv1.3, server
6421 * Test 3: TLSv1.3, client
6422 * Test 4: TLSv1.3, server, early_data
6423 * Test 5: TLSv1.3, client, early_data
6424 */
6425static int test_info_callback(int tst)
6426{
6427 SSL_CTX *cctx = NULL, *sctx = NULL;
6428 SSL *clientssl = NULL, *serverssl = NULL;
6429 SSL_SESSION *clntsess = NULL;
6430 int testresult = 0;
6431 int tlsvers;
6432
6433 if (tst < 2) {
1aac20f5
MC		 6434/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6435#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6436 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6437 tlsvers = TLS1_2_VERSION;
6438#else
6439 return 1;
6440#endif
6441 } else {
a763ca11 6442#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6443 tlsvers = TLS1_3_VERSION;
6444#else
6445 return 1;
6446#endif
6447 }
6448
6449 /* Reset globals */
6450 info_cb_failed = 0;
6451 info_cb_this_state = -1;
6452 info_cb_offset = tst;
6453
a763ca11 6454#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6455 if (tst >= 4) {
6456 SSL_SESSION *sess = NULL;
6457 size_t written, readbytes;
6458 unsigned char buf[80];
6459
6460 /* early_data tests */
6461 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6462 &serverssl, &sess, 0)))
6463 goto end;
6464
6465 /* We don't actually need this reference */
6466 SSL_SESSION_free(sess);
6467
6468 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6469 sslapi_info_callback);
6470
6471 /* Write and read some early data and then complete the connection */
6472 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6473 &written))
6474 || !TEST_size_t_eq(written, strlen(MSG1))
6475 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6476 sizeof(buf), &readbytes),
6477 SSL_READ_EARLY_DATA_SUCCESS)
6478 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6479 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6480 SSL_EARLY_DATA_ACCEPTED)
6481 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6482 SSL_ERROR_NONE))
6483 || !TEST_false(info_cb_failed))
6484 goto end;
6485
6486 testresult = 1;
6487 goto end;
6488 }
6e07834c 6489#endif
5718fe45 6490
5e30f2fd 6491 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6492 TLS_client_method(),
6493 tlsvers, tlsvers, &sctx, &cctx, cert,
6494 privkey)))
6495 goto end;
6496
33c39a06
MC		 6497 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6498 goto end;
6499
5718fe45
MC		 6500 /*
6501 * For even numbered tests we check the server callbacks. For odd numbers we
6502 * check the client.
6503 */
6504 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6505 sslapi_info_callback);
6506
6507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6508 &clientssl, NULL, NULL))
6509 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6510 SSL_ERROR_NONE))
6511 || !TEST_false(info_cb_failed))
6512 goto end;
6513
6514
6515
6516 clntsess = SSL_get1_session(clientssl);
6517 SSL_shutdown(clientssl);
6518 SSL_shutdown(serverssl);
6519 SSL_free(serverssl);
6520 SSL_free(clientssl);
6521 serverssl = clientssl = NULL;
6522
6523 /* Now do a resumption */
6524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6525 NULL))
6526 || !TEST_true(SSL_set_session(clientssl, clntsess))
6527 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6528 SSL_ERROR_NONE))
6529 || !TEST_true(SSL_session_reused(clientssl))
6530 || !TEST_false(info_cb_failed))
6531 goto end;
6532
6533 testresult = 1;
6534
6535 end:
6536 SSL_free(serverssl);
6537 SSL_free(clientssl);
6538 SSL_SESSION_free(clntsess);
6539 SSL_CTX_free(sctx);
6540 SSL_CTX_free(cctx);
6541 return testresult;
6542}
6543
4a432af8
MC		 6544static int test_ssl_pending(int tst)
6545{
6546 SSL_CTX *cctx = NULL, *sctx = NULL;
6547 SSL *clientssl = NULL, *serverssl = NULL;
6548 int testresult = 0;
6549 char msg[] = "A test message";
6550 char buf[5];
6551 size_t written, readbytes;
6552
6553 if (tst == 0) {
5e30f2fd 6554 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6555 TLS_client_method(),
5c587fb6 6556 TLS1_VERSION, 0,
4a432af8
MC		 6557 &sctx, &cctx, cert, privkey)))
6558 goto end;
6559 } else {
6560#ifndef OPENSSL_NO_DTLS
5e30f2fd 6561 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6562 DTLS_client_method(),
5c587fb6 6563 DTLS1_VERSION, 0,
4a432af8
MC		 6564 &sctx, &cctx, cert, privkey)))
6565 goto end;
6566#else
6567 return 1;
6568#endif
6569 }
6570
6571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6572 NULL, NULL))
6573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6574 SSL_ERROR_NONE)))
6575 goto end;
6576
e8251092
MC		 6577 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6578 || !TEST_false(SSL_has_pending(clientssl))
6579 || !TEST_int_eq(SSL_pending(serverssl), 0)
6580 || !TEST_false(SSL_has_pending(serverssl))
6581 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6582 || !TEST_size_t_eq(written, sizeof(msg))
6583 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6584 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6585 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6586 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6587 goto end;
6588
6589 testresult = 1;
6590
6591 end:
6592 SSL_free(serverssl);
6593 SSL_free(clientssl);
6594 SSL_CTX_free(sctx);
6595 SSL_CTX_free(cctx);
6596
6597 return testresult;
6598}
6599
e401389a
MC		 6600static struct {
6601 unsigned int maxprot;
6602 const char *clntciphers;
6603 const char *clnttls13ciphers;
6604 const char *srvrciphers;
6605 const char *srvrtls13ciphers;
6606 const char *shared;
a96e6c34 6607 const char *fipsshared;
e401389a 6608} shared_ciphers_data[] = {
60155b9a
MC		 6609/*
6610 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6611 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6612 */
a763ca11 6613#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6614 {
6615 TLS1_2_VERSION,
6616 "AES128-SHA:AES256-SHA",
6617 NULL,
6618 "AES256-SHA:DHE-RSA-AES128-SHA",
6619 NULL,
a96e6c34 6620 "AES256-SHA",
e401389a
MC		 6621 "AES256-SHA"
6622 },
a96e6c34
MC		 6623# if !defined(OPENSSL_NO_CHACHA) \
6624 && !defined(OPENSSL_NO_POLY1305) \
6625 && !defined(OPENSSL_NO_EC)
6626 {
6627 TLS1_2_VERSION,
6628 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6629 NULL,
6630 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6631 NULL,
6632 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6633 "AES128-SHA"
6634 },
6635# endif
e401389a
MC		 6636 {
6637 TLS1_2_VERSION,
6638 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6639 NULL,
6640 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6641 NULL,
a96e6c34 6642 "AES128-SHA:AES256-SHA",
e401389a
MC		 6643 "AES128-SHA:AES256-SHA"
6644 },
6645 {
6646 TLS1_2_VERSION,
6647 "AES128-SHA:AES256-SHA",
6648 NULL,
6649 "AES128-SHA:DHE-RSA-AES128-SHA",
6650 NULL,
a96e6c34 6651 "AES128-SHA",
e401389a
MC		 6652 "AES128-SHA"
6653 },
60155b9a
MC		 6654#endif
6655/*
6656 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6657 * enabled.
6658 */
a763ca11 6659#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 6660 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6661 {
6662 TLS1_3_VERSION,
6663 "AES128-SHA:AES256-SHA",
6664 NULL,
6665 "AES256-SHA:AES128-SHA256",
6666 NULL,
6667 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6668 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6669 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6670 },
60155b9a 6671#endif
a763ca11 6672#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 6673 {
6674 TLS1_3_VERSION,
6675 "AES128-SHA",
6676 "TLS_AES_256_GCM_SHA384",
6677 "AES256-SHA",
6678 "TLS_AES_256_GCM_SHA384",
a96e6c34 6679 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6680 "TLS_AES_256_GCM_SHA384"
6681 },
6682#endif
6683};
6684
a96e6c34 6685static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6686{
6687 SSL_CTX *cctx = NULL, *sctx = NULL;
6688 SSL *clientssl = NULL, *serverssl = NULL;
6689 int testresult = 0;
6690 char buf[1024];
b4250010 6691 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 6692
6693 if (!TEST_ptr(tmplibctx))
6694 goto end;
6695
6696 /*
6697 * Regardless of whether we're testing with the FIPS provider loaded into
6698 * libctx, we want one peer to always use the full set of ciphersuites
6699 * available. Therefore we use a separate libctx with the default provider
6700 * loaded into it. We run the same tests twice - once with the client side
6701 * having the full set of ciphersuites and once with the server side.
6702 */
6703 if (clnt) {
d8652be0 6704 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 6705 if (!TEST_ptr(cctx))
6706 goto end;
6707 } else {
d8652be0 6708 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 6709 if (!TEST_ptr(sctx))
6710 goto end;
6711 }
e401389a 6712
5e30f2fd 6713 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6714 TLS_client_method(),
6715 TLS1_VERSION,
6716 shared_ciphers_data[tst].maxprot,
6717 &sctx, &cctx, cert, privkey)))
6718 goto end;
6719
6720 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6721 shared_ciphers_data[tst].clntciphers))
6722 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6723 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6724 shared_ciphers_data[tst].clnttls13ciphers)))
6725 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6726 shared_ciphers_data[tst].srvrciphers))
6727 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6728 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6729 shared_ciphers_data[tst].srvrtls13ciphers))))
6730 goto end;
6731
6732
6733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6734 NULL, NULL))
6735 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6736 SSL_ERROR_NONE)))
6737 goto end;
6738
6739 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6740 || !TEST_int_eq(strcmp(buf,
6741 is_fips
6742 ? shared_ciphers_data[tst].fipsshared
6743 : shared_ciphers_data[tst].shared),
6744 0)) {
e401389a
MC		 6745 TEST_info("Shared ciphers are: %s\n", buf);
6746 goto end;
6747 }
6748
6749 testresult = 1;
6750
6751 end:
6752 SSL_free(serverssl);
6753 SSL_free(clientssl);
6754 SSL_CTX_free(sctx);
6755 SSL_CTX_free(cctx);
b4250010 6756 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 6757
6758 return testresult;
6759}
6760
a96e6c34
MC		 6761static int test_ssl_get_shared_ciphers(int tst)
6762{
6763 return int_test_ssl_get_shared_ciphers(tst, 0)
6764 && int_test_ssl_get_shared_ciphers(tst, 1);
6765}
6766
6767
d0191fe0 6768static const char *appdata = "Hello World";
61fb5923
MC		 6769static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6770static int tick_key_renew = 0;
6771static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6772
6773static int gen_tick_cb(SSL *s, void *arg)
6774{
6775 gen_tick_called = 1;
6776
6777 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6778 strlen(appdata));
6779}
6780
6781static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6782 const unsigned char *keyname,
6783 size_t keyname_length,
61fb5923
MC		 6784 SSL_TICKET_STATUS status,
6785 void *arg)
d0191fe0
MC		 6786{
6787 void *tickdata;
6788 size_t tickdlen;
6789
6790 dec_tick_called = 1;
6791
61fb5923
MC		 6792 if (status == SSL_TICKET_EMPTY)
6793 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6794
61fb5923
MC		 6795 if (!TEST_true(status == SSL_TICKET_SUCCESS
6796 || status == SSL_TICKET_SUCCESS_RENEW))
6797 return SSL_TICKET_RETURN_ABORT;
6798
6799 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6800 &tickdlen))
d0191fe0
MC		 6801 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6802 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6803 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6804
61fb5923
MC		 6805 if (tick_key_cb_called) {
6806 /* Don't change what the ticket key callback wanted to do */
6807 switch (status) {
6808 case SSL_TICKET_NO_DECRYPT:
6809 return SSL_TICKET_RETURN_IGNORE_RENEW;
6810
6811 case SSL_TICKET_SUCCESS:
6812 return SSL_TICKET_RETURN_USE;
d0191fe0 6813
61fb5923
MC		 6814 case SSL_TICKET_SUCCESS_RENEW:
6815 return SSL_TICKET_RETURN_USE_RENEW;
6816
6817 default:
6818 return SSL_TICKET_RETURN_ABORT;
6819 }
6820 }
6821 return tick_dec_ret;
6822
6823}
d0191fe0 6824
a76ce286 6825#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6826static int tick_key_cb(SSL *s, unsigned char key_name[16],
6827 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6828 HMAC_CTX *hctx, int enc)
6829{
6830 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6831 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6832 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6833 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6834 int ret;
d0191fe0 6835
61fb5923 6836 tick_key_cb_called = 1;
d0191fe0
MC		 6837 memset(iv, 0, AES_BLOCK_SIZE);
6838 memset(key_name, 0, 16);
5e30f2fd
MC		 6839 if (aes128cbc == NULL
6840 || sha256 == NULL
6841 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6842 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6843 NULL))
6844 ret = -1;
6845 else
6846 ret = tick_key_renew ? 2 : 1;
d0191fe0 6847
5e30f2fd
MC		 6848 EVP_CIPHER_free(aes128cbc);
6849 EVP_MD_free(sha256);
6850
6851 return ret;
d0191fe0 6852}
a76ce286
P		 6853#endif
6854
6855static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6856 unsigned char iv[EVP_MAX_IV_LENGTH],
6857 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6858{
6859 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6860 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6861 OSSL_PARAM params[3];
5e30f2fd
MC		 6862 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6863 int ret;
a76ce286
P		 6864
6865 tick_key_cb_called = 1;
6866 memset(iv, 0, AES_BLOCK_SIZE);
6867 memset(key_name, 0, 16);
6868 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6869 "SHA256", 0);
6870 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6871 tick_hmac_key,
6872 sizeof(tick_hmac_key));
6873 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6874 if (aes128cbc == NULL
6875 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
865adf97 6876 || !EVP_MAC_CTX_set_params(hctx, params)
a76ce286 6877 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6878 ret = -1;
6879 else
6880 ret = tick_key_renew ? 2 : 1;
6881
6882 EVP_CIPHER_free(aes128cbc);
a76ce286 6883
5e30f2fd 6884 return ret;
a76ce286 6885}
d0191fe0
MC		 6886
6887/*
6888 * Test the various ticket callbacks
61fb5923
MC		 6889 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6890 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6891 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6892 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6893 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6894 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6895 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6896 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6897 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6898 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6899 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6900 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6901 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6902 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6903 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6904 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6905 */
6906static int test_ticket_callbacks(int tst)
6907{
6908 SSL_CTX *cctx = NULL, *sctx = NULL;
6909 SSL *clientssl = NULL, *serverssl = NULL;
6910 SSL_SESSION *clntsess = NULL;
6911 int testresult = 0;
6912
6913#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6914 if (tst % 2 == 0)
d0191fe0
MC		 6915 return 1;
6916#endif
a763ca11 6917#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 6918 if (tst % 2 == 1)
d0191fe0
MC		 6919 return 1;
6920#endif
a76ce286
P		 6921#ifdef OPENSSL_NO_DEPRECATED_3_0
6922 if (tst >= 8 && tst <= 11)
6923 return 1;
6924#endif
d0191fe0 6925
61fb5923 6926 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6927
6928 /* Which tests the ticket key callback should request renewal for */
a76ce286 6929 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6930 tick_key_renew = 1;
d0191fe0 6931 else
61fb5923
MC		 6932 tick_key_renew = 0;
6933
6934 /* Which tests the decrypt ticket callback should request renewal for */
6935 switch (tst) {
6936 case 0:
6937 case 1:
6938 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6939 break;
6940
6941 case 2:
6942 case 3:
6943 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6944 break;
6945
6946 case 4:
6947 case 5:
6948 tick_dec_ret = SSL_TICKET_RETURN_USE;
6949 break;
6950
6951 case 6:
6952 case 7:
6953 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6954 break;
6955
6956 default:
6957 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6958 }
d0191fe0 6959
5e30f2fd 6960 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 6961 TLS_client_method(),
6962 TLS1_VERSION,
61fb5923
MC		 6963 ((tst % 2) == 0) ? TLS1_2_VERSION
6964 : TLS1_3_VERSION,
d0191fe0
MC		 6965 &sctx, &cctx, cert, privkey)))
6966 goto end;
6967
61fb5923
MC		 6968 /*
6969 * We only want sessions to resume from tickets - not the session cache. So
6970 * switch the cache off.
6971 */
6972 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6973 goto end;
6974
d0191fe0
MC		 6975 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6976 NULL)))
6977 goto end;
6978
a76ce286
P		 6979 if (tst >= 12) {
6980 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6981 goto end;
6982#ifndef OPENSSL_NO_DEPRECATED_3_0
6983 } else if (tst >= 8) {
6984 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6985 goto end;
6986#endif
6987 }
d0191fe0
MC		 6988
6989 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6990 NULL, NULL))
6991 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6992 SSL_ERROR_NONE)))
6993 goto end;
6994
61fb5923
MC		 6995 /*
6996 * The decrypt ticket key callback in TLSv1.2 should be called even though
6997 * we have no ticket yet, because it gets called with a status of
6998 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6999 * actually send any ticket data). This does not happen in TLSv1.3 because
7000 * it is not valid to send empty ticket data in TLSv1.3.
7001 */
d0191fe0 7002 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7003 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7004 goto end;
7005
7006 gen_tick_called = dec_tick_called = 0;
7007
7008 clntsess = SSL_get1_session(clientssl);
7009 SSL_shutdown(clientssl);
7010 SSL_shutdown(serverssl);
7011 SSL_free(serverssl);
7012 SSL_free(clientssl);
7013 serverssl = clientssl = NULL;
7014
7015 /* Now do a resumption */
7016 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7017 NULL))
7018 || !TEST_true(SSL_set_session(clientssl, clntsess))
7019 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7020 SSL_ERROR_NONE)))
d0191fe0
MC		 7021 goto end;
7022
61fb5923
MC		 7023 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7024 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7025 if (!TEST_false(SSL_session_reused(clientssl)))
7026 goto end;
7027 } else {
7028 if (!TEST_true(SSL_session_reused(clientssl)))
7029 goto end;
7030 }
7031
d0191fe0 7032 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7033 (tick_key_renew
7034 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7035 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7036 ? 1 : 0)
d0191fe0
MC		 7037 || !TEST_int_eq(dec_tick_called, 1))
7038 goto end;
7039
7040 testresult = 1;
7041
7042 end:
7043 SSL_SESSION_free(clntsess);
7044 SSL_free(serverssl);
7045 SSL_free(clientssl);
7046 SSL_CTX_free(sctx);
7047 SSL_CTX_free(cctx);
7048
7049 return testresult;
7050}
7051
e638112e
DB		 7052/*
7053 * Test incorrect shutdown.
7054 * Test 0: client does not shutdown properly,
7055 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7056 * server should get SSL_ERROR_SSL
7057 * Test 1: client does not shutdown properly,
7058 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7059 * server should get SSL_ERROR_ZERO_RETURN
7060 */
7061static int test_incorrect_shutdown(int tst)
7062{
7063 SSL_CTX *cctx = NULL, *sctx = NULL;
7064 SSL *clientssl = NULL, *serverssl = NULL;
7065 int testresult = 0;
7066 char buf[80];
7067 BIO *c2s;
7068
7069 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7070 TLS_client_method(), 0, 0,
7071 &sctx, &cctx, cert, privkey)))
7072 goto end;
7073
7074 if (tst == 1)
7075 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7076
7077 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7078 NULL, NULL)))
7079 goto end;
7080
7081 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7082 SSL_ERROR_NONE)))
7083 goto end;
7084
7085 c2s = SSL_get_rbio(serverssl);
7086 BIO_set_mem_eof_return(c2s, 0);
7087
7088 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7089 goto end;
7090
7091 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7092 goto end;
7093 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7094 goto end;
7095
7096 testresult = 1;
7097
7098 end:
7099 SSL_free(serverssl);
7100 SSL_free(clientssl);
7101 SSL_CTX_free(sctx);
7102 SSL_CTX_free(cctx);
7103
7104 return testresult;
7105}
7106
c748834f
MC		 7107/*
7108 * Test bi-directional shutdown.
7109 * Test 0: TLSv1.2
7110 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7111 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7112 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7113 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7114 * sends key update, client reads it
57d7b988
MC		 7115 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7116 * sends CertificateRequest, client reads and ignores it
7117 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7118 * doesn't read it
7119 */
7120static int test_shutdown(int tst)
7121{
7122 SSL_CTX *cctx = NULL, *sctx = NULL;
7123 SSL *clientssl = NULL, *serverssl = NULL;
7124 int testresult = 0;
7125 char msg[] = "A test message";
7126 char buf[80];
7127 size_t written, readbytes;
80eff008 7128 SSL_SESSION *sess;
c748834f
MC		 7129
7130#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7131 if (tst <= 1)
c748834f
MC		 7132 return 1;
7133#endif
a763ca11 7134#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7135 if (tst >= 2)
c748834f
MC		 7136 return 1;
7137#endif
7138
5e30f2fd 7139 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7140 TLS_client_method(),
7141 TLS1_VERSION,
7142 (tst <= 1) ? TLS1_2_VERSION
7143 : TLS1_3_VERSION,
57d7b988
MC		 7144 &sctx, &cctx, cert, privkey)))
7145 goto end;
7146
7147 if (tst == 5)
7148 SSL_CTX_set_post_handshake_auth(cctx, 1);
7149
7150 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7151 NULL, NULL)))
7152 goto end;
7153
7154 if (tst == 3) {
7155 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7156 SSL_ERROR_NONE, 1))
80eff008
KR		 7157 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7158 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7159 goto end;
7160 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7161 SSL_ERROR_NONE))
7162 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7163 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7164 goto end;
7165 }
7166
7167 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7168 goto end;
7169
7170 if (tst >= 4) {
7171 /*
7172 * Reading on the server after the client has sent close_notify should
7173 * fail and provide SSL_ERROR_ZERO_RETURN
7174 */
7175 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7176 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7177 SSL_ERROR_ZERO_RETURN)
7178 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7179 SSL_RECEIVED_SHUTDOWN)
7180 /*
7181 * Even though we're shutdown on receive we should still be
7182 * able to write.
7183 */
80eff008
KR		 7184 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7185 goto end;
57d7b988
MC		 7186 if (tst == 4
7187 && !TEST_true(SSL_key_update(serverssl,
7188 SSL_KEY_UPDATE_REQUESTED)))
7189 goto end;
7190 if (tst == 5) {
7191 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7192 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7193 goto end;
7194 }
7195 if ((tst == 4 || tst == 5)
7196 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7197 goto end;
7198 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7199 goto end;
57d7b988 7200 if (tst == 4 || tst == 5) {
80eff008 7201 /* Should still be able to read data from server */
c748834f 7202 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7203 &readbytes))
7204 || !TEST_size_t_eq(readbytes, sizeof(msg))
7205 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7206 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7207 &readbytes))
c748834f
MC		 7208 || !TEST_size_t_eq(readbytes, sizeof(msg))
7209 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7210 goto end;
7211 }
7212 }
7213
7214 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7215 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7216 goto end;
7217
7218 if (tst < 4) {
7219 /*
7220 * For these tests the client has sent close_notify but it has not yet
7221 * been received by the server. The server has not sent close_notify
7222 * yet.
7223 */
7224 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7225 /*
7226 * Writing on the server after sending close_notify shouldn't
7227 * be possible.
7228 */
7229 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7230 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7231 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7232 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7233 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7234 goto end;
57d7b988 7235 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7236 /*
7237 * In this test the client has sent close_notify and it has been
7238 * received by the server which has responded with a close_notify. The
358ffa05 7239 * client needs to read the close_notify sent by the server.
c748834f 7240 */
80eff008
KR		 7241 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7242 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7243 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7244 goto end;
358ffa05
MC		 7245 } else {
7246 /*
57d7b988 7247 * tst == 6
358ffa05
MC		 7248 *
7249 * The client has sent close_notify and is expecting a close_notify
7250 * back, but instead there is application data first. The shutdown
7251 * should fail with a fatal error.
7252 */
7253 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7254 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7255 goto end;
c748834f
MC		 7256 }
7257
7258 testresult = 1;
7259
7260 end:
7261 SSL_free(serverssl);
7262 SSL_free(clientssl);
7263 SSL_CTX_free(sctx);
7264 SSL_CTX_free(cctx);
7265
7266 return testresult;
7267}
7268
a763ca11 7269#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 7270static int cert_cb_cnt;
7271
7272static int cert_cb(SSL *s, void *arg)
7273{
7274 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7275 BIO *in = NULL;
7276 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7277 X509 *x509 = NULL, *rootx = NULL;
7278 STACK_OF(X509) *chain = NULL;
7279 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7280 int ret = 0;
cd6fe29f
MC		 7281
7282 if (cert_cb_cnt == 0) {
7283 /* Suspend the handshake */
7284 cert_cb_cnt++;
7285 return -1;
7286 } else if (cert_cb_cnt == 1) {
7287 /*
7288 * Update the SSL_CTX, set the certificate and private key and then
7289 * continue the handshake normally.
7290 */
7291 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7292 return 0;
7293
7294 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7295 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7296 SSL_FILETYPE_PEM))
7297 || !TEST_true(SSL_check_private_key(s)))
7298 return 0;
7299 cert_cb_cnt++;
7300 return 1;
7cb8fb07
BK		 7301 } else if (cert_cb_cnt == 3) {
7302 int rv;
1a2a3a42
MC		 7303
7304 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7305 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7306 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7307 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7308 goto out;
7309 chain = sk_X509_new_null();
7310 if (!TEST_ptr(chain))
7311 goto out;
7cb8fb07 7312 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7313 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7314 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7315 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7316 || !TEST_true(sk_X509_push(chain, rootx)))
7317 goto out;
7318 rootx = NULL;
7319 BIO_free(in);
7320 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7321 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7322 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7323 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7324 goto out;
7325 BIO_free(in);
7326 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7327 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7328 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7329 NULL, NULL,
7330 libctx, NULL)))
7cb8fb07 7331 goto out;
1a2a3a42 7332 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7333 /*
7334 * If the cert doesn't show as valid here (e.g., because we don't
7335 * have any shared sigalgs), then we will not set it, and there will
7336 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7337 * will cause tls_choose_sigalgs() to fail the connection.
7338 */
1a2a3a42
MC		 7339 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7340 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7341 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7342 goto out;
7343 }
1a2a3a42
MC		 7344
7345 ret = 1;
cd6fe29f
MC		 7346 }
7347
7348 /* Abort the handshake */
7cb8fb07 7349 out:
1a2a3a42
MC		 7350 OPENSSL_free(ecdsacert);
7351 OPENSSL_free(ecdsakey);
7352 OPENSSL_free(rootfile);
7cb8fb07
BK		 7353 BIO_free(in);
7354 EVP_PKEY_free(pkey);
7355 X509_free(x509);
1a2a3a42
MC		 7356 X509_free(rootx);
7357 sk_X509_pop_free(chain, X509_free);
7358 return ret;
cd6fe29f
MC		 7359}
7360
7361/*
7362 * Test the certificate callback.
7363 * Test 0: Callback fails
7364 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7365 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7366 * Test 3: Success - Call SSL_check_chain from the callback
7367 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7368 * chain
7369 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7370 */
7371static int test_cert_cb_int(int prot, int tst)
7372{
7373 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7374 SSL *clientssl = NULL, *serverssl = NULL;
7375 int testresult = 0, ret;
7376
1a2a3a42
MC		 7377#ifdef OPENSSL_NO_EC
7378 /* We use an EC cert in these tests, so we skip in a no-ec build */
7379 if (tst >= 3)
7380 return 1;
7381#endif
7382
5e30f2fd 7383 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7384 TLS_client_method(),
7385 TLS1_VERSION,
7386 prot,
7387 &sctx, &cctx, NULL, NULL)))
7388 goto end;
7389
7390 if (tst == 0)
7391 cert_cb_cnt = -1;
1a2a3a42 7392 else if (tst >= 3)
7cb8fb07 7393 cert_cb_cnt = 3;
cd6fe29f
MC		 7394 else
7395 cert_cb_cnt = 0;
1a2a3a42 7396
cd6fe29f
MC		 7397 if (tst == 2)
7398 snictx = SSL_CTX_new(TLS_server_method());
7399 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7400
7401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7402 NULL, NULL)))
7403 goto end;
7404
1a2a3a42
MC		 7405 if (tst == 4) {
7406 /*
7407 * We cause SSL_check_chain() to fail by specifying sig_algs that
7408 * the chain doesn't meet (the root uses an RSA cert)
7409 */
7410 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7411 "ecdsa_secp256r1_sha256")))
7412 goto end;
7413 } else if (tst == 5) {
7414 /*
7415 * We cause SSL_check_chain() to fail by specifying sig_algs that
7416 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7417 */
7418 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7419 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7420 goto end;
7421 }
7422
cd6fe29f 7423 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7424 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7425 || (tst > 0
7426 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7427 goto end;
7428 }
7429
7430 testresult = 1;
7431
7432 end:
7433 SSL_free(serverssl);
7434 SSL_free(clientssl);
7435 SSL_CTX_free(sctx);
7436 SSL_CTX_free(cctx);
7437 SSL_CTX_free(snictx);
7438
7439 return testresult;
7440}
7f1d923a 7441#endif
cd6fe29f
MC		 7442
7443static int test_cert_cb(int tst)
7444{
7445 int testresult = 1;
7446
7447#ifndef OPENSSL_NO_TLS1_2
7448 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7449#endif
a763ca11 7450#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 7451 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7452#endif
7453
7454 return testresult;
7455}
7456
6e46c065
MC		 7457static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7458{
8c2bfd25 7459 X509 *xcert;
6e46c065
MC		 7460 EVP_PKEY *privpkey;
7461 BIO *in = NULL;
6725682d 7462 BIO *priv_in = NULL;
6e46c065 7463
8c2bfd25
TS		 7464 /* Check that SSL_get0_peer_certificate() returns something sensible */
7465 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7466 return 0;
6e46c065
MC		 7467
7468 in = BIO_new_file(cert, "r");
7469 if (!TEST_ptr(in))
7470 return 0;
7471
d8652be0 7472 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7473 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7474 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7475 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7476 NULL, NULL,
7477 libctx, NULL)))
6725682d 7478 goto err;
6e46c065
MC		 7479
7480 *x509 = xcert;
7481 *pkey = privpkey;
7482
6725682d
SL		 7483 BIO_free(in);
7484 BIO_free(priv_in);
6e46c065 7485 return 1;
6725682d
SL		 7486err:
7487 X509_free(xcert);
7488 BIO_free(in);
7489 BIO_free(priv_in);
7490 return 0;
6e46c065
MC		 7491}
7492
7493static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7494{
7495 return 1;
7496}
7497
7498static int test_client_cert_cb(int tst)
7499{
7500 SSL_CTX *cctx = NULL, *sctx = NULL;
7501 SSL *clientssl = NULL, *serverssl = NULL;
7502 int testresult = 0;
7503
7504#ifdef OPENSSL_NO_TLS1_2
7505 if (tst == 0)
7506 return 1;
7507#endif
a763ca11 7508#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 7509 if (tst == 1)
7510 return 1;
7511#endif
7512
5e30f2fd 7513 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7514 TLS_client_method(),
7515 TLS1_VERSION,
7516 tst == 0 ? TLS1_2_VERSION
7517 : TLS1_3_VERSION,
7518 &sctx, &cctx, cert, privkey)))
7519 goto end;
7520
7521 /*
7522 * Test that setting a client_cert_cb results in a client certificate being
7523 * sent.
7524 */
7525 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7526 SSL_CTX_set_verify(sctx,
7527 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7528 verify_cb);
fb8c8359
MC		 7529
7530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7531 NULL, NULL))
7532 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7533 SSL_ERROR_NONE)))
7534 goto end;
7535
7536 testresult = 1;
7537
7538 end:
7539 SSL_free(serverssl);
7540 SSL_free(clientssl);
7541 SSL_CTX_free(sctx);
7542 SSL_CTX_free(cctx);
7543
7544 return testresult;
7545}
7546
a763ca11 7547#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 7548/*
7549 * Test setting certificate authorities on both client and server.
7550 *
7551 * Test 0: SSL_CTX_set0_CA_list() only
7552 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7553 * Test 2: Only SSL_CTX_set_client_CA_list()
7554 */
7555static int test_ca_names_int(int prot, int tst)
7556{
7557 SSL_CTX *cctx = NULL, *sctx = NULL;
7558 SSL *clientssl = NULL, *serverssl = NULL;
7559 int testresult = 0;
7560 size_t i;
7561 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7562 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7563 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7564 const STACK_OF(X509_NAME) *sktmp = NULL;
7565
7566 for (i = 0; i < OSSL_NELEM(name); i++) {
7567 name[i] = X509_NAME_new();
7568 if (!TEST_ptr(name[i])
7569 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7570 MBSTRING_ASC,
7571 (unsigned char *)
7572 strnames[i],
7573 -1, -1, 0)))
7574 goto end;
7575 }
7576
5e30f2fd 7577 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7578 TLS_client_method(),
7579 TLS1_VERSION,
7580 prot,
7581 &sctx, &cctx, cert, privkey)))
7582 goto end;
7583
7584 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7585
7586 if (tst == 0 || tst == 1) {
7587 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7588 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7589 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7590 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7591 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7592 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7593 goto end;
7594
7595 SSL_CTX_set0_CA_list(sctx, sk1);
7596 SSL_CTX_set0_CA_list(cctx, sk2);
7597 sk1 = sk2 = NULL;
7598 }
7599 if (tst == 1 || tst == 2) {
7600 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7601 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7602 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7603 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7604 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7605 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7606 goto end;
7607
7608 SSL_CTX_set_client_CA_list(sctx, sk1);
7609 SSL_CTX_set_client_CA_list(cctx, sk2);
7610 sk1 = sk2 = NULL;
7611 }
7612
6e46c065
MC		 7613 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7614 NULL, NULL))
7615 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7616 SSL_ERROR_NONE)))
7617 goto end;
7618
fb8c8359
MC		 7619 /*
7620 * We only expect certificate authorities to have been sent to the server
7621 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7622 */
7623 sktmp = SSL_get0_peer_CA_list(serverssl);
7624 if (prot == TLS1_3_VERSION
7625 && (tst == 0 || tst == 1)) {
7626 if (!TEST_ptr(sktmp)
7627 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7628 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7629 name[0]), 0)
7630 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7631 name[1]), 0))
7632 goto end;
7633 } else if (!TEST_ptr_null(sktmp)) {
7634 goto end;
7635 }
7636
7637 /*
7638 * In all tests we expect certificate authorities to have been sent to the
7639 * client. However, SSL_set_client_CA_list() should override
7640 * SSL_set0_CA_list()
7641 */
7642 sktmp = SSL_get0_peer_CA_list(clientssl);
7643 if (!TEST_ptr(sktmp)
7644 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7645 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7646 name[tst == 0 ? 0 : 2]), 0)
7647 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7648 name[tst == 0 ? 1 : 3]), 0))
7649 goto end;
7650
6e46c065
MC		 7651 testresult = 1;
7652
7653 end:
7654 SSL_free(serverssl);
7655 SSL_free(clientssl);
7656 SSL_CTX_free(sctx);
7657 SSL_CTX_free(cctx);
fb8c8359
MC		 7658 for (i = 0; i < OSSL_NELEM(name); i++)
7659 X509_NAME_free(name[i]);
7660 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7661 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7662
7663 return testresult;
7664}
7665#endif
7666
7667static int test_ca_names(int tst)
7668{
7669 int testresult = 1;
7670
7671#ifndef OPENSSL_NO_TLS1_2
7672 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7673#endif
a763ca11 7674#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 7675 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7676#endif
6e46c065
MC		 7677
7678 return testresult;
7679}
7680
0d2bfe52
SL		 7681#ifndef OPENSSL_NO_TLS1_2
7682static const char *multiblock_cipherlist_data[]=
7683{
7684 "AES128-SHA",
7685 "AES128-SHA256",
7686 "AES256-SHA",
7687 "AES256-SHA256",
7688};
7689
7690/* Reduce the fragment size - so the multiblock test buffer can be small */
7691# define MULTIBLOCK_FRAGSIZE 512
7692
7693static int test_multiblock_write(int test_index)
7694{
7695 static const char *fetchable_ciphers[]=
7696 {
7697 "AES-128-CBC-HMAC-SHA1",
7698 "AES-128-CBC-HMAC-SHA256",
7699 "AES-256-CBC-HMAC-SHA1",
7700 "AES-256-CBC-HMAC-SHA256"
7701 };
7702 const char *cipherlist = multiblock_cipherlist_data[test_index];
7703 const SSL_METHOD *smeth = TLS_server_method();
7704 const SSL_METHOD *cmeth = TLS_client_method();
7705 int min_version = TLS1_VERSION;
7706 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7707 SSL_CTX *cctx = NULL, *sctx = NULL;
7708 SSL *clientssl = NULL, *serverssl = NULL;
7709 int testresult = 0;
7710
7711 /*
7712 * Choose a buffer large enough to perform a multi-block operation
7713 * i.e: write_len >= 4 * frag_size
7714 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7715 */
7716 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7717 unsigned char buf[sizeof(msg)], *p = buf;
7718 size_t readbytes, written, len;
7719 EVP_CIPHER *ciph = NULL;
7720
7721 /*
7722 * Check if the cipher exists before attempting to use it since it only has
7723 * a hardware specific implementation.
7724 */
7725 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7726 if (ciph == NULL) {
7727 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7728 return 1;
7729 }
7730 EVP_CIPHER_free(ciph);
7731
7732 /* Set up a buffer with some data that will be sent to the client */
7733 RAND_bytes(msg, sizeof(msg));
7734
5e30f2fd
MC		 7735 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7736 max_version, &sctx, &cctx, cert,
7737 privkey)))
0d2bfe52
SL		 7738 goto end;
7739
7740 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7741 goto end;
7742
7743 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7744 NULL, NULL)))
7745 goto end;
7746
7747 /* settings to force it to use AES-CBC-HMAC_SHA */
7748 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7749 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7750 goto end;
7751
7752 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7753 goto end;
7754
7755 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7756 || !TEST_size_t_eq(written, sizeof(msg)))
7757 goto end;
7758
7759 len = written;
7760 while (len > 0) {
7761 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7762 goto end;
7763 p += readbytes;
7764 len -= readbytes;
7765 }
7766 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7767 goto end;
7768
7769 testresult = 1;
7770end:
7771 SSL_free(serverssl);
7772 SSL_free(clientssl);
7773 SSL_CTX_free(sctx);
7774 SSL_CTX_free(cctx);
7775
7776 return testresult;
7777}
7778#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7779
49ef3d07
MC		 7780/*
7781 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7782 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7783 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7784 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7785 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7786 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7787 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7788 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7789 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7790 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7791 */
7792static int test_servername(int tst)
7793{
7794 SSL_CTX *cctx = NULL, *sctx = NULL;
7795 SSL *clientssl = NULL, *serverssl = NULL;
7796 int testresult = 0;
7797 SSL_SESSION *sess = NULL;
7798 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7799
7800#ifdef OPENSSL_NO_TLS1_2
7801 if (tst <= 4)
7802 return 1;
7803#endif
a763ca11 7804#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 7805 if (tst >= 5)
7806 return 1;
7807#endif
7808
5e30f2fd 7809 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7810 TLS_client_method(),
7811 TLS1_VERSION,
7812 (tst <= 4) ? TLS1_2_VERSION
7813 : TLS1_3_VERSION,
7814 &sctx, &cctx, cert, privkey))
7815 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7816 NULL, NULL)))
7817 goto end;
7818
7819 if (tst != 1 && tst != 6) {
7820 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7821 hostname_cb)))
7822 goto end;
7823 }
7824
7825 if (tst != 3 && tst != 8) {
7826 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7827 goto end;
7828 sexpectedhost = cexpectedhost = "goodhost";
7829 }
7830
7831 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7832 goto end;
7833
7834 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7835 cexpectedhost)
7836 || !TEST_str_eq(SSL_get_servername(serverssl,
7837 TLSEXT_NAMETYPE_host_name),
7838 sexpectedhost))
7839 goto end;
7840
7841 /* Now repeat with a resumption handshake */
7842
7843 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7844 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7845 || !TEST_true(SSL_SESSION_is_resumable(sess))
7846 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7847 goto end;
7848
7849 SSL_free(clientssl);
7850 SSL_free(serverssl);
7851 clientssl = serverssl = NULL;
7852
7853 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7854 NULL)))
7855 goto end;
7856
7857 if (!TEST_true(SSL_set_session(clientssl, sess)))
7858 goto end;
7859
7860 sexpectedhost = cexpectedhost = "goodhost";
7861 if (tst == 2 || tst == 7) {
7862 /* Set an inconsistent hostname */
7863 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7864 goto end;
7865 /*
7866 * In TLSv1.2 we expect the hostname from the original handshake, in
7867 * TLSv1.3 we expect the hostname from this handshake
7868 */
7869 if (tst == 7)
7870 sexpectedhost = cexpectedhost = "altgoodhost";
7871
7872 if (!TEST_str_eq(SSL_get_servername(clientssl,
7873 TLSEXT_NAMETYPE_host_name),
7874 "altgoodhost"))
7875 goto end;
7876 } else if (tst == 4 || tst == 9) {
7877 /*
7878 * A TLSv1.3 session does not associate a session with a servername,
7879 * but a TLSv1.2 session does.
7880 */
7881 if (tst == 9)
7882 sexpectedhost = cexpectedhost = NULL;
7883
7884 if (!TEST_str_eq(SSL_get_servername(clientssl,
7885 TLSEXT_NAMETYPE_host_name),
7886 cexpectedhost))
7887 goto end;
7888 } else {
7889 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7890 goto end;
7891 /*
7892 * In a TLSv1.2 resumption where the hostname was not acknowledged
7893 * we expect the hostname on the server to be empty. On the client we
7894 * return what was requested in this case.
7895 *
7896 * Similarly if the client didn't set a hostname on an original TLSv1.2
7897 * session but is now, the server hostname will be empty, but the client
7898 * is as we set it.
7899 */
7900 if (tst == 1 || tst == 3)
7901 sexpectedhost = NULL;
7902
7903 if (!TEST_str_eq(SSL_get_servername(clientssl,
7904 TLSEXT_NAMETYPE_host_name),
7905 "goodhost"))
7906 goto end;
7907 }
7908
7909 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7910 goto end;
7911
7912 if (!TEST_true(SSL_session_reused(clientssl))
7913 || !TEST_true(SSL_session_reused(serverssl))
7914 || !TEST_str_eq(SSL_get_servername(clientssl,
7915 TLSEXT_NAMETYPE_host_name),
7916 cexpectedhost)
7917 || !TEST_str_eq(SSL_get_servername(serverssl,
7918 TLSEXT_NAMETYPE_host_name),
7919 sexpectedhost))
7920 goto end;
7921
7922 testresult = 1;
7923
7924 end:
7925 SSL_SESSION_free(sess);
7926 SSL_free(serverssl);
7927 SSL_free(clientssl);
7928 SSL_CTX_free(sctx);
7929 SSL_CTX_free(cctx);
7930
7931 return testresult;
7932}
7933
b1fdbc68 7934#if !defined(OPENSSL_NO_EC) \
a763ca11 7935 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 7936/*
7937 * Test that if signature algorithms are not available, then we do not offer or
7938 * accept them.
7939 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7940 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7941 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7942 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7943 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7944 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7945 */
7946static int test_sigalgs_available(int idx)
7947{
7948 SSL_CTX *cctx = NULL, *sctx = NULL;
7949 SSL *clientssl = NULL, *serverssl = NULL;
7950 int testresult = 0;
b4250010
DMSP		 7951 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7952 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 7953 OSSL_PROVIDER *filterprov = NULL;
7954 int sig, hash;
7955
7956 if (!TEST_ptr(tmpctx))
7957 goto end;
7958
7959 if (idx != 0 && idx != 3) {
7960 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7961 filter_provider_init)))
7962 goto end;
7963
7964 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7965 if (!TEST_ptr(filterprov))
7966 goto end;
7967
7968 if (idx < 3) {
7969 /*
7970 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7971 * or accepted for the peer that uses this libctx. Note that libssl
7972 * *requires* SHA2-256 to be available so we cannot disable that. We
7973 * also need SHA1 for our certificate.
7974 */
7975 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7976 "SHA2-256:SHA1")))
7977 goto end;
7978 } else {
7979 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7980 "ECDSA"))
7981 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7982 "EC:X25519:X448")))
7983 goto end;
7984 }
7985
7986 if (idx == 1 || idx == 4)
7987 clientctx = tmpctx;
7988 else
7989 serverctx = tmpctx;
7990 }
7991
d8652be0
MC		 7992 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7993 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 7994 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7995 goto end;
b3842539
MC		 7996
7997 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7998 TLS_client_method(),
7999 TLS1_VERSION,
8000 0,
8001 &sctx, &cctx, cert, privkey)))
8002 goto end;
8003
b1fdbc68
MC		 8004 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8005 if (idx < 4) {
8006 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8007 "ECDHE-RSA-AES128-GCM-SHA256")))
8008 goto end;
8009 } else {
8010 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8011 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8012 goto end;
8013 }
8014
b3842539
MC		 8015 if (idx < 3) {
8016 if (!SSL_CTX_set1_sigalgs_list(cctx,
8017 "rsa_pss_rsae_sha384"
8018 ":rsa_pss_rsae_sha256")
8019 || !SSL_CTX_set1_sigalgs_list(sctx,
8020 "rsa_pss_rsae_sha384"
8021 ":rsa_pss_rsae_sha256"))
8022 goto end;
8023 } else {
8024 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8025 || !SSL_CTX_set1_sigalgs_list(sctx,
8026 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8027 goto end;
8028 }
8029
8030 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8031 SSL_FILETYPE_PEM), 1)
8032 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8033 privkey2,
8034 SSL_FILETYPE_PEM), 1)
8035 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8036 goto end;
8037
8038 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8039 NULL, NULL)))
8040 goto end;
8041
8042 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8043 goto end;
8044
8045 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8046 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8047 NULL, NULL),
8048 (idx == 0 || idx == 3) ? 2 : 1))
8049 goto end;
8050
8051 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8052 goto end;
8053
8054 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8055 : NID_rsassaPss))
8056 goto end;
8057
b0001d0c 8058 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8059
8060 end:
8061 SSL_free(serverssl);
8062 SSL_free(clientssl);
8063 SSL_CTX_free(sctx);
8064 SSL_CTX_free(cctx);
8065 OSSL_PROVIDER_unload(filterprov);
b4250010 8066 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8067
8068 return testresult;
8069}
b1fdbc68
MC		 8070#endif /*
8071 * !defined(OPENSSL_NO_EC) \
a763ca11 8072 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8073 */
b3842539 8074
0c13cdf8 8075#ifndef OPENSSL_NO_TLS1_3
a763ca11 8076/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8077static int test_pluggable_group(int idx)
0c13cdf8
MC		 8078{
8079 SSL_CTX *cctx = NULL, *sctx = NULL;
8080 SSL *clientssl = NULL, *serverssl = NULL;
8081 int testresult = 0;
8082 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8083 /* Check that we are not impacted by a provider without any groups */
8084 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8085 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8086
5ae54dba 8087 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8088 goto end;
8089
5ae54dba
MC		 8090 if (legacyprov == NULL) {
8091 /*
8092 * In this case we assume we've been built with "no-legacy" and skip
8093 * this test (there is no OPENSSL_NO_LEGACY)
8094 */
8095 testresult = 1;
8096 goto end;
8097 }
8098
0c13cdf8
MC		 8099 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8100 TLS_client_method(),
8101 TLS1_3_VERSION,
8102 TLS1_3_VERSION,
8103 &sctx, &cctx, cert, privkey))
8104 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8105 NULL, NULL)))
8106 goto end;
8107
c8e3a4c6
NT		 8108 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8109 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8110 goto end;
8111
8112 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8113 goto end;
8114
becbacd7
MB		 8115 if (!TEST_str_eq(group_name,
8116 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8117 goto end;
8118
0c13cdf8
MC		 8119 testresult = 1;
8120
8121 end:
8122 SSL_free(serverssl);
8123 SSL_free(clientssl);
8124 SSL_CTX_free(sctx);
8125 SSL_CTX_free(cctx);
8126 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8127 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8128
8129 return testresult;
8130}
8131#endif
b3842539 8132
49a36a52
MC		 8133#ifndef OPENSSL_NO_TLS1_2
8134static int test_ssl_dup(void)
8135{
8136 SSL_CTX *cctx = NULL, *sctx = NULL;
8137 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8138 int testresult = 0;
8139 BIO *rbio = NULL, *wbio = NULL;
8140
8141 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8142 TLS_client_method(),
8143 0,
8144 0,
8145 &sctx, &cctx, cert, privkey)))
8146 goto end;
8147
8148 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8149 NULL, NULL)))
8150 goto end;
8151
8152 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8153 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8154 goto end;
8155
8156 client2ssl = SSL_dup(clientssl);
8157 rbio = SSL_get_rbio(clientssl);
8158 if (!TEST_ptr(rbio)
8159 || !TEST_true(BIO_up_ref(rbio)))
8160 goto end;
8161 SSL_set0_rbio(client2ssl, rbio);
8162 rbio = NULL;
8163
8164 wbio = SSL_get_wbio(clientssl);
8165 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8166 goto end;
8167 SSL_set0_wbio(client2ssl, wbio);
8168 rbio = NULL;
8169
8170 if (!TEST_ptr(client2ssl)
8171 /* Handshake not started so pointers should be different */
8172 || !TEST_ptr_ne(clientssl, client2ssl))
8173 goto end;
8174
8175 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8176 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8177 goto end;
8178
8179 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8180 goto end;
8181
8182 SSL_free(clientssl);
8183 clientssl = SSL_dup(client2ssl);
8184 if (!TEST_ptr(clientssl)
8185 /* Handshake has finished so pointers should be the same */
8186 || !TEST_ptr_eq(clientssl, client2ssl))
8187 goto end;
8188
8189 testresult = 1;
8190
8191 end:
8192 SSL_free(serverssl);
8193 SSL_free(clientssl);
8194 SSL_free(client2ssl);
8195 SSL_CTX_free(sctx);
8196 SSL_CTX_free(cctx);
8197
8198 return testresult;
8199}
33c39a06
MC		 8200
8201# ifndef OPENSSL_NO_DH
8202
8203static EVP_PKEY *tmp_dh_params = NULL;
8204
8205/* Helper function for the test_set_tmp_dh() tests */
8206static EVP_PKEY *get_tmp_dh_params(void)
8207{
8208 if (tmp_dh_params == NULL) {
8209 BIGNUM *p = NULL;
8210 OSSL_PARAM_BLD *tmpl = NULL;
8211 EVP_PKEY_CTX *pctx = NULL;
8212 OSSL_PARAM *params = NULL;
8213 EVP_PKEY *dhpkey = NULL;
8214
8215 p = BN_get_rfc3526_prime_2048(NULL);
8216 if (!TEST_ptr(p))
8217 goto end;
8218
8219 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8220 if (!TEST_ptr(pctx)
2db985b7 8221 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
33c39a06
MC		 8222 goto end;
8223
8224 tmpl = OSSL_PARAM_BLD_new();
8225 if (!TEST_ptr(tmpl)
8226 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8227 OSSL_PKEY_PARAM_FFC_P,
8228 p))
8229 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8230 OSSL_PKEY_PARAM_FFC_G,
8231 2)))
8232 goto end;
8233
8234 params = OSSL_PARAM_BLD_to_param(tmpl);
8235 if (!TEST_ptr(params)
2db985b7
SL		 8236 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8237 EVP_PKEY_KEY_PARAMETERS, params)))
33c39a06
MC		 8238 goto end;
8239
8240 tmp_dh_params = dhpkey;
8241 end:
8242 BN_free(p);
8243 EVP_PKEY_CTX_free(pctx);
8244 OSSL_PARAM_BLD_free(tmpl);
8245 OSSL_PARAM_BLD_free_params(params);
8246 }
8247
8248 if (!EVP_PKEY_up_ref(tmp_dh_params))
8249 return NULL;
8250
8251 return tmp_dh_params;
8252}
8253
39f3427d 8254# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 8255/* Callback used by test_set_tmp_dh() */
8256static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8257{
8258 EVP_PKEY *dhpkey = get_tmp_dh_params();
8259 DH *ret = NULL;
8260
8261 if (!TEST_ptr(dhpkey))
8262 return NULL;
8263
8264 ret = EVP_PKEY_get0_DH(dhpkey);
8265
8266 EVP_PKEY_free(dhpkey);
8267
8268 return ret;
8269}
8270# endif
8271
8272/*
8273 * Test the various methods for setting temporary DH parameters
8274 *
8275 * Test 0: Default (no auto) setting
8276 * Test 1: Explicit SSL_CTX auto off
8277 * Test 2: Explicit SSL auto off
8278 * Test 3: Explicit SSL_CTX auto on
8279 * Test 4: Explicit SSL auto on
8280 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8281 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8282 *
8283 * The following are testing deprecated APIs, so we only run them if available
8284 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8285 * Test 8: Explicit SSL auto off, custom DH params via DH
8286 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8287 * Test 10: Explicit SSL auto off, custom DH params via callback
8288 */
8289static int test_set_tmp_dh(int idx)
8290{
8291 SSL_CTX *cctx = NULL, *sctx = NULL;
8292 SSL *clientssl = NULL, *serverssl = NULL;
8293 int testresult = 0;
8294 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8295 int expected = (idx <= 2) ? 0 : 1;
8296 EVP_PKEY *dhpkey = NULL;
8297# ifndef OPENSSL_NO_DEPRECATED_3_0
8298 DH *dh = NULL;
8299# else
8300
8301 if (idx >= 7)
8302 return 1;
8303# endif
8304
8305 if (idx >= 5 && idx <= 8) {
8306 dhpkey = get_tmp_dh_params();
8307 if (!TEST_ptr(dhpkey))
8308 goto end;
8309 }
8310# ifndef OPENSSL_NO_DEPRECATED_3_0
8311 if (idx == 7 || idx == 8) {
8312 dh = EVP_PKEY_get0_DH(dhpkey);
8313 if (!TEST_ptr(dh))
8314 goto end;
8315 }
8316# endif
8317
8318 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8319 TLS_client_method(),
8320 0,
8321 0,
8322 &sctx, &cctx, cert, privkey)))
8323 goto end;
8324
8325 if ((idx & 1) == 1) {
8326 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8327 goto end;
8328 }
8329
8330 if (idx == 5) {
8331 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8332 goto end;
8333 dhpkey = NULL;
8334 }
8335# ifndef OPENSSL_NO_DEPRECATED_3_0
8336 else if (idx == 7) {
8337 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8338 goto end;
8339 } else if (idx == 9) {
8340 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8341 }
8342# endif
8343
8344 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8345 NULL, NULL)))
8346 goto end;
8347
8348 if ((idx & 1) == 0 && idx != 0) {
8349 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8350 goto end;
8351 }
8352 if (idx == 6) {
8353 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8354 goto end;
8355 dhpkey = NULL;
8356 }
8357# ifndef OPENSSL_NO_DEPRECATED_3_0
8358 else if (idx == 8) {
8359 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8360 goto end;
8361 } else if (idx == 10) {
8362 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8363 }
8364# endif
8365
8366 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8367 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8368 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8369 goto end;
8370
8371 /*
8372 * If autoon then we should succeed. Otherwise we expect failure because
8373 * there are no parameters
8374 */
8375 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8376 SSL_ERROR_NONE), expected))
8377 goto end;
8378
8379 testresult = 1;
8380
8381 end:
8382 SSL_free(serverssl);
8383 SSL_free(clientssl);
8384 SSL_CTX_free(sctx);
8385 SSL_CTX_free(cctx);
8386 EVP_PKEY_free(dhpkey);
8387
8388 return testresult;
8389}
3105d846
MC		 8390
8391/*
8392 * Test the auto DH keys are appropriately sized
8393 */
8394static int test_dh_auto(int idx)
8395{
8396 SSL_CTX *cctx = NULL, *sctx = NULL;
8397 SSL *clientssl = NULL, *serverssl = NULL;
8398 int testresult = 0;
8399 EVP_PKEY *tmpkey = NULL;
8400 char *thiscert = NULL, *thiskey = NULL;
8401 size_t expdhsize = 0;
8402 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8403
8404 switch (idx) {
8405 case 0:
8406 /* The FIPS provider doesn't support this DH size - so we ignore it */
8407 if (is_fips)
8408 return 1;
8409 thiscert = cert1024;
8410 thiskey = privkey1024;
8411 expdhsize = 1024;
8412 break;
8413 case 1:
8414 /* 2048 bit prime */
8415 thiscert = cert;
8416 thiskey = privkey;
8417 expdhsize = 2048;
8418 break;
8419 case 2:
8420 thiscert = cert3072;
8421 thiskey = privkey3072;
8422 expdhsize = 3072;
8423 break;
8424 case 3:
8425 thiscert = cert4096;
8426 thiskey = privkey4096;
8427 expdhsize = 4096;
8428 break;
8429 case 4:
8430 thiscert = cert8192;
8431 thiskey = privkey8192;
8432 expdhsize = 8192;
8433 break;
8434 /* No certificate cases */
8435 case 5:
8436 /* The FIPS provider doesn't support this DH size - so we ignore it */
8437 if (is_fips)
8438 return 1;
8439 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8440 expdhsize = 1024;
8441 break;
8442 case 6:
8443 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8444 expdhsize = 3072;
8445 break;
8446 default:
8447 TEST_error("Invalid text index");
8448 goto end;
8449 }
8450
8451 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8452 TLS_client_method(),
8453 0,
8454 0,
8455 &sctx, &cctx, thiscert, thiskey)))
8456 goto end;
8457
8458 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8459 NULL, NULL)))
8460 goto end;
8461
8462 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8463 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8464 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8465 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8466 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8467 goto end;
8468
8469 /*
8470 * Send the server's first flight. At this point the server has created the
8471 * temporary DH key but hasn't finished using it yet. Once used it is
8472 * removed, so we cannot test it.
8473 */
8474 if (!TEST_int_le(SSL_connect(clientssl), 0)
8475 || !TEST_int_le(SSL_accept(serverssl), 0))
8476 goto end;
8477
8478 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8479 goto end;
8480 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8481 goto end;
8482
8483 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8484 goto end;
8485
8486 testresult = 1;
8487
8488 end:
8489 SSL_free(serverssl);
8490 SSL_free(clientssl);
8491 SSL_CTX_free(sctx);
8492 SSL_CTX_free(cctx);
8493 EVP_PKEY_free(tmpkey);
8494
8495 return testresult;
8496
8497}
33c39a06
MC		 8498# endif /* OPENSSL_NO_DH */
8499#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 8500
a763ca11 8501#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 8502/*
8503 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8504 * that it works even without a certificate configured for the original
8505 * SSL_CTX
8506 */
8507static int test_sni_tls13(void)
8508{
8509 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8510 SSL *clientssl = NULL, *serverssl = NULL;
8511 int testresult = 0;
8512
8513 /* Reset callback counter */
8514 snicb = 0;
8515
8516 /* Create an initial SSL_CTX with no certificate configured */
8517 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8518 if (!TEST_ptr(sctx))
8519 goto end;
8520 /* Require TLSv1.3 as a minimum */
8521 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8522 TLS_client_method(), TLS1_3_VERSION, 0,
8523 &sctx2, &cctx, cert, privkey)))
8524 goto end;
8525
8526 /* Set up SNI */
8527 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8528 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8529 goto end;
8530
8531 /*
8532 * Connection should still succeed because the final SSL_CTX has the right
8533 * certificates configured.
8534 */
8535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8536 &clientssl, NULL, NULL))
8537 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8538 SSL_ERROR_NONE)))
8539 goto end;
8540
8541 /* We should have had the SNI callback called exactly once */
8542 if (!TEST_int_eq(snicb, 1))
8543 goto end;
8544
8545 testresult = 1;
8546
8547end:
8548 SSL_free(serverssl);
8549 SSL_free(clientssl);
8550 SSL_CTX_free(sctx2);
8551 SSL_CTX_free(sctx);
8552 SSL_CTX_free(cctx);
8553 return testresult;
8554}
8555#endif
8556
5e30f2fd 8557OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8558
ad887416 8559int setup_tests(void)
2cb4b5f6 8560{
5e30f2fd
MC		 8561 char *modulename;
8562 char *configfile;
8563
b4250010 8564 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 8565 if (!TEST_ptr(libctx))
8566 return 0;
8567
8568 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8569
8570 /*
8571 * Verify that the default and fips providers in the default libctx are not
8572 * available
8573 */
8574 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8575 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8576 return 0;
8577
8d242823
MC		 8578 if (!test_skip_common_options()) {
8579 TEST_error("Error parsing test options\n");
8580 return 0;
8581 }
8582
1a2a3a42
MC		 8583 if (!TEST_ptr(certsdir = test_get_argument(0))
8584 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8585 || !TEST_ptr(tmpfilename = test_get_argument(2))
8586 || !TEST_ptr(modulename = test_get_argument(3))
8587 || !TEST_ptr(configfile = test_get_argument(4)))
8588 return 0;
8589
b4250010 8590 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 8591 return 0;
8592
8593 /* Check we have the expected provider available */
8594 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8595 return 0;
8596
8597 /* Check the default provider is not available */
8598 if (strcmp(modulename, "default") != 0
8599 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8600 return 0;
2cb4b5f6 8601
4f6c7044
MC		 8602 if (strcmp(modulename, "fips") == 0)
8603 is_fips = 1;
8604
0c13cdf8
MC		 8605 /*
8606 * We add, but don't load the test "tls-provider". We'll load it when we
8607 * need it.
8608 */
8609 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8610 tls_provider_init)))
8611 return 0;
8612
8613
f297e4ec
RS		 8614 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8615#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8616 TEST_error("not supported in this build");
8617 return 0;
8618#else
8619 int i, mcount, rcount, fcount;
8620
8621 for (i = 0; i < 4; i++)
8622 test_export_key_mat(i);
8623 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8624 test_printf_stdout("malloc %d realloc %d free %d\n",
8625 mcount, rcount, fcount);
8626 return 1;
8627#endif
8628 }
8629
1a2a3a42
MC		 8630 cert = test_mk_file_path(certsdir, "servercert.pem");
8631 if (cert == NULL)
b3842539 8632 goto err;
1a2a3a42
MC		 8633
8634 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8635 if (privkey == NULL)
8636 goto err;
8637
8638 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8639 if (cert2 == NULL)
8640 goto err;
8641
8642 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8643 if (privkey2 == NULL)
8644 goto err;
1a2a3a42 8645
3105d846
MC		 8646 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8647 if (cert1024 == NULL)
8648 goto err;
8649
8650 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8651 if (privkey1024 == NULL)
8652 goto err;
8653
8654 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8655 if (cert3072 == NULL)
8656 goto err;
8657
8658 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8659 if (privkey3072 == NULL)
8660 goto err;
8661
8662 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8663 if (cert4096 == NULL)
8664 goto err;
8665
8666 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8667 if (privkey4096 == NULL)
8668 goto err;
8669
8670 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8671 if (cert8192 == NULL)
8672 goto err;
8673
8674 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8675 if (privkey8192 == NULL)
8676 goto err;
8677
da4db160 8678#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 8679# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 8680 ADD_ALL_TESTS(test_ktls, 32);
8681 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
c8e3a4c6 8682# endif
fe5d9450 8683#endif
84d5549e 8684 ADD_TEST(test_large_message_tls);
7856332e 8685 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8686#ifndef OPENSSL_NO_DTLS
84d5549e 8687 ADD_TEST(test_large_message_dtls);
55386bef 8688#endif
163b8016 8689 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 8690#ifndef OPENSSL_NO_OCSP
c887104f 8691 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8692#endif
eaa776da
MC		 8693 ADD_TEST(test_session_with_only_int_cache);
8694 ADD_TEST(test_session_with_only_ext_cache);
8695 ADD_TEST(test_session_with_both_cache);
90fc2c26 8696 ADD_TEST(test_session_wo_ca_names);
a763ca11 8697#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 8698 ADD_ALL_TESTS(test_stateful_tickets, 3);
8699 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8700 ADD_TEST(test_psk_tickets);
f0049b86 8701 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8702#endif
7fb4c820 8703 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8704 ADD_TEST(test_ssl_bio_pop_next_bio);
8705 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8706 ADD_TEST(test_ssl_bio_change_rbio);
8707 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 8708#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 8709 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8710 ADD_TEST(test_keylog);
c423ecaa 8711#endif
a763ca11 8712#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 8713 ADD_TEST(test_keylog_no_master_key);
8714#endif
0c3eb279 8715 ADD_TEST(test_client_cert_verify_cb);
e9ee6536 8716#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8717 ADD_TEST(test_client_hello_cb);
088dfa13 8718 ADD_TEST(test_no_ems);
3cd14e5e 8719 ADD_TEST(test_ccs_change_cipher);
5f982038 8720#endif
a763ca11 8721#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 8722 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8723 /*
8724 * We don't do replay tests for external PSK. Replay protection isn't used
8725 * in that scenario.
8726 */
8727 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8728 ADD_ALL_TESTS(test_early_data_skip, 3);
8729 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8730 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8731 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8732 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8733 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8734 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8735 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8736# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8737 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8738# endif
e9ee6536 8739#endif
a763ca11 8740#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 8741 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8742 ADD_TEST(test_ciphersuite_change);
5bf2eade 8743 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8744# ifdef OPENSSL_NO_PSK
c2b290c3 8745 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8746# else
0d8da779 8747 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8748# endif /* OPENSSL_NO_PSK */
8749# ifndef OPENSSL_NO_TLS1_2
8750 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8751 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8752# else
8753 /* Test with only TLSv1.3 versions */
8754 ADD_ALL_TESTS(test_key_exchange, 12);
8755# endif
bb01ef3f 8756 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8757 ADD_TEST(test_stateless);
9d75dce3 8758 ADD_TEST(test_pha_key_update);
a273157a 8759#else
bb01ef3f 8760 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8761#endif
16afd71c 8762 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8763 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 8764#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 8765 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8766 ADD_TEST(test_key_update);
a77b4dba 8767 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8768#endif
e11b6aa4 8769 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8770 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8771#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8772 ADD_ALL_TESTS(test_srp, 6);
8773#endif
5718fe45 8774 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8775 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8776 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8777 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8778 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8779 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8780 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8781 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8782 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8783#ifndef OPENSSL_NO_TLS1_2
8784 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8785#endif
49ef3d07 8786 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 8787#if !defined(OPENSSL_NO_EC) \
a763ca11 8788 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 8789 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8790#endif
8791#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 8792 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 8793#endif
8794#ifndef OPENSSL_NO_TLS1_2
8795 ADD_TEST(test_ssl_dup);
33c39a06
MC		 8796# ifndef OPENSSL_NO_DH
8797 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 8798 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 8799# endif
6582661f 8800#endif
a763ca11 8801#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 8802 ADD_TEST(test_sni_tls13);
b3842539 8803#endif
ad887416 8804 return 1;
b3842539
MC		 8805
8806 err:
8807 OPENSSL_free(cert);
8808 OPENSSL_free(privkey);
8809 OPENSSL_free(cert2);
8810 OPENSSL_free(privkey2);
8811 return 0;
ad887416 8812}
2cb4b5f6 8813
ad887416
P		 8814void cleanup_tests(void)
8815{
8778f0eb 8816# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 8817 EVP_PKEY_free(tmp_dh_params);
8818#endif
1a2a3a42
MC		 8819 OPENSSL_free(cert);
8820 OPENSSL_free(privkey);
b3842539
MC		 8821 OPENSSL_free(cert2);
8822 OPENSSL_free(privkey2);
3105d846
MC		 8823 OPENSSL_free(cert1024);
8824 OPENSSL_free(privkey1024);
8825 OPENSSL_free(cert3072);
8826 OPENSSL_free(privkey3072);
8827 OPENSSL_free(cert4096);
8828 OPENSSL_free(privkey4096);
8829 OPENSSL_free(cert8192);
8830 OPENSSL_free(privkey8192);
fa454945 8831 bio_s_mempacket_test_free();
a77b4dba 8832 bio_s_always_retry_free();
5e30f2fd 8833 OSSL_PROVIDER_unload(defctxnull);
b4250010 8834 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 8835}
A mirror of the official openssl repository