]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Improve error handling in pk7_doit
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
2cb4b5f6
MC		 17
18#include "ssltestlib.h"
c887104f 19#include "testutil.h"
176db6dc 20#include "internal/nelem.h"
ca0413ae 21#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 22
23static char *cert = NULL;
24static char *privkey = NULL;
25
6acdd3e5
CB		 26#define LOG_BUFFER_SIZE 1024
27static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 28static size_t server_log_buffer_index = 0;
6acdd3e5 29static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 30static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 31static int error_writing_log = 0;
32
8f8c11d8 33#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 34static const unsigned char orespder[] = "Dummy OCSP Response";
35static int ocsp_server_called = 0;
36static int ocsp_client_called = 0;
37
38static int cdummyarg = 1;
39static X509 *ocspcert = NULL;
8f8c11d8 40#endif
ba881d3b 41
84d5549e 42#define NUM_EXTRA_CERTS 40
cf72c757 43#define CLIENT_VERSION_LEN 2
84d5549e 44
f1a5939f
CB		 45/*
46 * This structure is used to validate that the correct number of log messages
47 * of various types are emitted when emitting secret logs.
48 */
49struct sslapitest_log_counts {
50 unsigned int rsa_key_exchange_count;
51 unsigned int master_secret_count;
52 unsigned int client_handshake_secret_count;
53 unsigned int server_handshake_secret_count;
54 unsigned int client_application_secret_count;
55 unsigned int server_application_secret_count;
56};
57
16afd71c
MC		 58
59static unsigned char serverinfov1[] = {
60 0xff, 0xff, /* Dummy extension type */
61 0x00, 0x01, /* Extension length is 1 byte */
62 0xff /* Dummy extension data */
63};
64
65static unsigned char serverinfov2[] = {
66 0x00, 0x00, 0x00,
67 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
71};
72
710756a9
RS		 73static void client_keylog_callback(const SSL *ssl, const char *line)
74{
6acdd3e5
CB		 75 int line_length = strlen(line);
76
77 /* If the log doesn't fit, error out. */
710756a9
RS		 78 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
79 TEST_info("Client log too full");
6acdd3e5
CB		 80 error_writing_log = 1;
81 return;
82 }
83
84 strcat(client_log_buffer, line);
85 client_log_buffer_index += line_length;
710756a9 86 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 87}
88
710756a9
RS		 89static void server_keylog_callback(const SSL *ssl, const char *line)
90{
6acdd3e5
CB		 91 int line_length = strlen(line);
92
93 /* If the log doesn't fit, error out. */
710756a9 94 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 95 TEST_info("Server log too full");
6acdd3e5
CB		 96 error_writing_log = 1;
97 return;
98 }
99
100 strcat(server_log_buffer, line);
101 server_log_buffer_index += line_length;
710756a9 102 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 103}
104
105static int compare_hex_encoded_buffer(const char *hex_encoded,
106 size_t hex_length,
107 const uint8_t *raw,
710756a9
RS		 108 size_t raw_length)
109{
110 size_t i, j;
111 char hexed[3];
6acdd3e5 112
710756a9 113 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 114 return 1;
6acdd3e5 115
710756a9 116 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 117 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 118 if (!TEST_int_eq(hexed[0], hex_encoded[j])
119 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 120 return 1;
6acdd3e5
CB		 121 }
122
123 return 0;
124}
125
126static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 127 const SSL_SESSION *session,
710756a9
RS		 128 struct sslapitest_log_counts *expected)
129{
6acdd3e5
CB		 130 char *token = NULL;
131 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
132 size_t client_random_size = SSL3_RANDOM_SIZE;
133 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
134 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 135 unsigned int rsa_key_exchange_count = 0;
136 unsigned int master_secret_count = 0;
137 unsigned int client_handshake_secret_count = 0;
138 unsigned int server_handshake_secret_count = 0;
139 unsigned int client_application_secret_count = 0;
140 unsigned int server_application_secret_count = 0;
6acdd3e5 141
710756a9
RS		 142 for (token = strtok(buffer, " \n"); token != NULL;
143 token = strtok(NULL, " \n")) {
6acdd3e5 144 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 145 /*
146 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 147 * hex-encoded encrypted secret, then the hex-encoded pre-master
148 * secret.
149 */
710756a9 150 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 151 return 0;
710756a9 152 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 153 return 0;
710756a9 154 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 155 return 0;
f1a5939f
CB		 156 /*
157 * We can't sensibly check the log because the premaster secret is
158 * transient, and OpenSSL doesn't keep hold of it once the master
159 * secret is generated.
160 */
161 rsa_key_exchange_count++;
6acdd3e5 162 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 163 /*
164 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 165 * client random, then the hex-encoded master secret.
166 */
167 client_random_size = SSL_get_client_random(ssl,
168 actual_client_random,
169 SSL3_RANDOM_SIZE);
710756a9 170 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 171 return 0;
6acdd3e5 172
710756a9 173 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 174 return 0;
710756a9 175 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 176 return 0;
710756a9
RS		 177 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
178 actual_client_random,
179 client_random_size)))
f1a5939f 180 return 0;
6acdd3e5 181
710756a9 182 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 183 return 0;
6acdd3e5
CB		 184 master_key_size = SSL_SESSION_get_master_key(session,
185 actual_master_key,
186 master_key_size);
710756a9 187 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
190 actual_master_key,
191 master_key_size)))
f1a5939f 192 return 0;
f1a5939f 193 master_secret_count++;
710756a9
RS		 194 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
197 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
f1a5939f
CB		 198 /*
199 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
200 * client random, and then the hex-encoded secret. In this case,
201 * we treat all of these secrets identically and then just
202 * distinguish between them when counting what we saw.
203 */
204 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
205 client_handshake_secret_count++;
206 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
207 server_handshake_secret_count++;
208 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
209 client_application_secret_count++;
210 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
211 server_application_secret_count++;
212
213 client_random_size = SSL_get_client_random(ssl,
214 actual_client_random,
215 SSL3_RANDOM_SIZE);
710756a9 216 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 217 return 0;
f1a5939f 218
710756a9 219 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 220 return 0;
710756a9 221 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 222 return 0;
710756a9
RS		 223 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
224 actual_client_random,
225 client_random_size)))
f1a5939f 226 return 0;
6acdd3e5 227
710756a9 228 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 229 return 0;
f1a5939f
CB		 230
231 /*
232 * TODO(TLS1.3): test that application traffic secrets are what
233 * we expect */
6acdd3e5 234 } else {
710756a9 235 TEST_info("Unexpected token %s\n", token);
f1a5939f 236 return 0;
6acdd3e5 237 }
6acdd3e5
CB		 238 }
239
710756a9
RS		 240 /* Got what we expected? */
241 if (!TEST_size_t_eq(rsa_key_exchange_count,
242 expected->rsa_key_exchange_count)
243 || !TEST_size_t_eq(master_secret_count,
244 expected->master_secret_count)
245 || !TEST_size_t_eq(client_handshake_secret_count,
246 expected->client_handshake_secret_count)
247 || !TEST_size_t_eq(server_handshake_secret_count,
248 expected->server_handshake_secret_count)
249 || !TEST_size_t_eq(client_application_secret_count,
250 expected->client_application_secret_count)
251 || !TEST_size_t_eq(server_application_secret_count,
252 expected->server_application_secret_count))
253 return 0;
254 return 1;
6acdd3e5
CB		 255}
256
c423ecaa 257#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 258static int test_keylog(void)
259{
6acdd3e5
CB		 260 SSL_CTX *cctx = NULL, *sctx = NULL;
261 SSL *clientssl = NULL, *serverssl = NULL;
262 int testresult = 0;
f1a5939f 263 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 264
265 /* Clean up logging space */
710756a9
RS		 266 memset(client_log_buffer, 0, sizeof(client_log_buffer));
267 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 268 client_log_buffer_index = 0;
269 server_log_buffer_index = 0;
270 error_writing_log = 0;
271
710756a9
RS		 272 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
273 TLS_client_method(),
274 &sctx, &cctx, cert, privkey)))
6acdd3e5 275 return 0;
6acdd3e5
CB		 276
277 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
278 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
279 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
280
f0deb4d3 281 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 282 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 283 goto end;
f0deb4d3 284
cf10df81
RS		 285 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
286 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 287 goto end;
6acdd3e5 288 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 289 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
290 == client_keylog_callback))
6acdd3e5 291 goto end;
710756a9 292 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 293 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
294 == server_keylog_callback))
6acdd3e5 295 goto end;
6acdd3e5 296
710756a9
RS		 297 /* Now do a handshake and check that the logs have been written to. */
298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
299 &clientssl, NULL, NULL))
300 || !TEST_true(create_ssl_connection(serverssl, clientssl,
301 SSL_ERROR_NONE))
302 || !TEST_false(error_writing_log)
303 || !TEST_int_gt(client_log_buffer_index, 0)
304 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 305 goto end;
6acdd3e5 306
f1a5939f
CB		 307 /*
308 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 309 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 310 * data we expect. For both client and server, we expect to see one master
311 * secret. The client should also see a RSA key exchange.
6acdd3e5 312 */
f1a5939f
CB		 313 expected.rsa_key_exchange_count = 1;
314 expected.master_secret_count = 1;
710756a9
RS		 315 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
316 SSL_get_session(clientssl), &expected)))
6acdd3e5 317 goto end;
f1a5939f
CB		 318
319 expected.rsa_key_exchange_count = 0;
710756a9
RS		 320 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
321 SSL_get_session(serverssl), &expected)))
6acdd3e5 322 goto end;
6acdd3e5
CB		 323
324 testresult = 1;
325
326end:
327 SSL_free(serverssl);
328 SSL_free(clientssl);
329 SSL_CTX_free(sctx);
330 SSL_CTX_free(cctx);
331
332 return testresult;
333}
c423ecaa 334#endif
6acdd3e5
CB		 335
336#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 337static int test_keylog_no_master_key(void)
338{
6acdd3e5
CB		 339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
341 int testresult = 0;
f1a5939f 342 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 343
344 /* Clean up logging space */
710756a9
RS		 345 memset(client_log_buffer, 0, sizeof(client_log_buffer));
346 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 347 client_log_buffer_index = 0;
348 server_log_buffer_index = 0;
349 error_writing_log = 0;
350
710756a9
RS		 351 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
352 TLS_client_method(), &sctx,
353 &cctx, cert, privkey)))
6acdd3e5 354 return 0;
6acdd3e5 355
cf10df81
RS		 356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 358 goto end;
6acdd3e5
CB		 359
360 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 361 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
362 == client_keylog_callback))
6acdd3e5 363 goto end;
6acdd3e5 364
710756a9 365 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 366 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
367 == server_keylog_callback))
6acdd3e5 368 goto end;
6acdd3e5 369
710756a9
RS		 370 /* Now do a handshake and check that the logs have been written to. */
371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
372 &clientssl, NULL, NULL))
373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
374 SSL_ERROR_NONE))
375 || !TEST_false(error_writing_log))
6acdd3e5 376 goto end;
6acdd3e5 377
f1a5939f
CB		 378 /*
379 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 380 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 381 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 382 */
f1a5939f
CB		 383 expected.client_handshake_secret_count = 1;
384 expected.server_handshake_secret_count = 1;
385 expected.client_application_secret_count = 1;
386 expected.server_application_secret_count = 1;
710756a9
RS		 387 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
388 SSL_get_session(clientssl), &expected))
389 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
390 SSL_get_session(serverssl),
391 &expected)))
6acdd3e5 392 goto end;
6acdd3e5
CB		 393
394 testresult = 1;
395
396end:
397 SSL_free(serverssl);
398 SSL_free(clientssl);
399 SSL_CTX_free(sctx);
400 SSL_CTX_free(cctx);
401
402 return testresult;
403}
404#endif
405
e9ee6536 406#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 407static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 408{
409 int *ctr = arg;
410 const unsigned char *p;
8ea404fb 411 int *exts;
2afaee51
BK		 412 /* We only configure two ciphers, but the SCSV is added automatically. */
413#ifdef OPENSSL_NO_EC
414 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
415#else
416 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
417 0x2c, 0x00, 0xff};
418#endif
8ea404fb
BK		 419 const int expected_extensions[] = {
420#ifndef OPENSSL_NO_EC
421 11, 10,
422#endif
10ed1b72 423 35, 22, 23, 13};
2afaee51
BK		 424 size_t len;
425
426 /* Make sure we can defer processing and get called back. */
427 if ((*ctr)++ == 0)
f1b97da1 428 return SSL_CLIENT_HELLO_RETRY;
2afaee51 429
a9c0d8be 430 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 431 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 432 || !TEST_size_t_eq(
433 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 434 || !TEST_int_eq(*p, 0))
f1b97da1 435 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 436 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 437 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 438 if (len != OSSL_NELEM(expected_extensions) ||
439 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 440 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 441 OPENSSL_free(exts);
f1b97da1 442 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 443 }
444 OPENSSL_free(exts);
f1b97da1 445 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 446}
447
a9c0d8be 448static int test_client_hello_cb(void)
710756a9 449{
2afaee51
BK		 450 SSL_CTX *cctx = NULL, *sctx = NULL;
451 SSL *clientssl = NULL, *serverssl = NULL;
452 int testctr = 0, testresult = 0;
453
710756a9
RS		 454 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
455 TLS_client_method(), &sctx,
456 &cctx, cert, privkey)))
2afaee51 457 goto end;
a9c0d8be 458 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 459
2afaee51
BK		 460 /* The gimpy cipher list we configure can't do TLS 1.3. */
461 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 462
710756a9
RS		 463 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
464 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
465 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 468 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 469 /*
470 * Passing a -1 literal is a hack since
471 * the real value was lost.
472 * */
a9c0d8be
DB		 473 || !TEST_int_eq(SSL_get_error(serverssl, -1),
474 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
476 SSL_ERROR_NONE)))
2afaee51 477 goto end;
2afaee51
BK		 478
479 testresult = 1;
480
481end:
482 SSL_free(serverssl);
483 SSL_free(clientssl);
484 SSL_CTX_free(sctx);
485 SSL_CTX_free(cctx);
486
487 return testresult;
488}
e9ee6536 489#endif
2afaee51 490
84d5549e 491static int execute_test_large_message(const SSL_METHOD *smeth,
7856332e 492 const SSL_METHOD *cmeth, int read_ahead)
84d5549e
MC		 493{
494 SSL_CTX *cctx = NULL, *sctx = NULL;
495 SSL *clientssl = NULL, *serverssl = NULL;
496 int testresult = 0;
497 int i;
710756a9 498 BIO *certbio = NULL;
84d5549e
MC		 499 X509 *chaincert = NULL;
500 int certlen;
501
710756a9 502 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 503 goto end;
84d5549e 504 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 505 BIO_free(certbio);
506 certbio = NULL;
710756a9 507 if (!TEST_ptr(chaincert))
fa454945 508 goto end;
84d5549e 509
710756a9
RS		 510 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
511 &cctx, cert, privkey)))
84d5549e 512 goto end;
84d5549e 513
710756a9 514 if (read_ahead) {
7856332e
MC		 515 /*
516 * Test that read_ahead works correctly when dealing with large
517 * records
518 */
519 SSL_CTX_set_read_ahead(cctx, 1);
520 }
521
84d5549e
MC		 522 /*
523 * We assume the supplied certificate is big enough so that if we add
524 * NUM_EXTRA_CERTS it will make the overall message large enough. The
525 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 526 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
527 * test we need to have a message larger than that.
84d5549e
MC		 528 */
529 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 530 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
531 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 532 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 533 if (!X509_up_ref(chaincert))
84d5549e 534 goto end;
84d5549e 535 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 536 X509_free(chaincert);
537 goto end;
538 }
539 }
540
710756a9
RS		 541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
542 NULL, NULL))
543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
544 SSL_ERROR_NONE)))
84d5549e 545 goto end;
84d5549e 546
4bf08600
MC		 547 /*
548 * Calling SSL_clear() first is not required but this tests that SSL_clear()
549 * doesn't leak (when using enable-crypto-mdebug).
550 */
710756a9 551 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 552 goto end;
84d5549e 553
4bf08600 554 testresult = 1;
84d5549e
MC		 555 end:
556 X509_free(chaincert);
557 SSL_free(serverssl);
558 SSL_free(clientssl);
559 SSL_CTX_free(sctx);
560 SSL_CTX_free(cctx);
561
562 return testresult;
563}
564
565static int test_large_message_tls(void)
566{
7856332e
MC		 567 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
568 0);
569}
570
571static int test_large_message_tls_read_ahead(void)
572{
573 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
574 1);
84d5549e
MC		 575}
576
55386bef 577#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 578static int test_large_message_dtls(void)
579{
7856332e
MC		 580 /*
581 * read_ahead is not relevant to DTLS because DTLS always acts as if
582 * read_ahead is set.
583 */
84d5549e 584 return execute_test_large_message(DTLS_server_method(),
7856332e 585 DTLS_client_method(), 0);
84d5549e 586}
55386bef 587#endif
84d5549e 588
8f8c11d8 589#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 590static int ocsp_server_cb(SSL *s, void *arg)
591{
592 int *argi = (int *)arg;
710756a9 593 unsigned char *copy = NULL;
ba881d3b
MC		 594 STACK_OF(OCSP_RESPID) *ids = NULL;
595 OCSP_RESPID *id = NULL;
596
597 if (*argi == 2) {
598 /* In this test we are expecting exactly 1 OCSP_RESPID */
599 SSL_get_tlsext_status_ids(s, &ids);
600 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
601 return SSL_TLSEXT_ERR_ALERT_FATAL;
602
603 id = sk_OCSP_RESPID_value(ids, 0);
604 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
605 return SSL_TLSEXT_ERR_ALERT_FATAL;
606 } else if (*argi != 1) {
607 return SSL_TLSEXT_ERR_ALERT_FATAL;
608 }
609
710756a9 610 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 611 return SSL_TLSEXT_ERR_ALERT_FATAL;
612
710756a9 613 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 614 ocsp_server_called = 1;
ba881d3b
MC		 615 return SSL_TLSEXT_ERR_OK;
616}
617
618static int ocsp_client_cb(SSL *s, void *arg)
619{
620 int *argi = (int *)arg;
621 const unsigned char *respderin;
622 size_t len;
623
624 if (*argi != 1 && *argi != 2)
625 return 0;
626
627 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 628 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 629 return 0;
630
631 ocsp_client_called = 1;
ba881d3b
MC		 632 return 1;
633}
634
2cb4b5f6
MC		 635static int test_tlsext_status_type(void)
636{
ba881d3b
MC		 637 SSL_CTX *cctx = NULL, *sctx = NULL;
638 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 639 int testresult = 0;
ba881d3b
MC		 640 STACK_OF(OCSP_RESPID) *ids = NULL;
641 OCSP_RESPID *id = NULL;
642 BIO *certbio = NULL;
2cb4b5f6 643
ba881d3b 644 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
710756a9 645 &cctx, cert, privkey))
ba881d3b 646 return 0;
2cb4b5f6 647
710756a9 648 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 649 goto end;
2cb4b5f6 650
ba881d3b 651 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 652
ba881d3b 653 clientssl = SSL_new(cctx);
710756a9
RS		 654 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
655 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
656 TLSEXT_STATUSTYPE_ocsp))
657 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
658 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 659 goto end;
2cb4b5f6 660
ba881d3b
MC		 661 SSL_free(clientssl);
662 clientssl = NULL;
2cb4b5f6 663
710756a9
RS		 664 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
665 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 666 goto end;
2cb4b5f6 667
ba881d3b 668 clientssl = SSL_new(cctx);
710756a9 669 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 670 goto end;
ba881d3b
MC		 671 SSL_free(clientssl);
672 clientssl = NULL;
673
674 /*
675 * Now actually do a handshake and check OCSP information is exchanged and
676 * the callbacks get called
677 */
ba881d3b
MC		 678 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
679 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
680 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
681 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
683 &clientssl, NULL, NULL))
684 || !TEST_true(create_ssl_connection(serverssl, clientssl,
685 SSL_ERROR_NONE))
686 || !TEST_true(ocsp_client_called)
687 || !TEST_true(ocsp_server_called))
ba881d3b 688 goto end;
ba881d3b
MC		 689 SSL_free(serverssl);
690 SSL_free(clientssl);
691 serverssl = NULL;
692 clientssl = NULL;
693
694 /* Try again but this time force the server side callback to fail */
695 ocsp_client_called = 0;
696 ocsp_server_called = 0;
697 cdummyarg = 0;
710756a9
RS		 698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
699 &clientssl, NULL, NULL))
700 /* This should fail because the callback will fail */
701 || !TEST_false(create_ssl_connection(serverssl, clientssl,
702 SSL_ERROR_NONE))
703 || !TEST_false(ocsp_client_called)
704 || !TEST_false(ocsp_server_called))
ba881d3b 705 goto end;
ba881d3b
MC		 706 SSL_free(serverssl);
707 SSL_free(clientssl);
708 serverssl = NULL;
709 clientssl = NULL;
710
711 /*
712 * This time we'll get the client to send an OCSP_RESPID that it will
713 * accept.
714 */
715 ocsp_client_called = 0;
716 ocsp_server_called = 0;
717 cdummyarg = 2;
710756a9
RS		 718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
719 &clientssl, NULL, NULL)))
ba881d3b 720 goto end;
ba881d3b
MC		 721
722 /*
723 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 724 * specific one. We'll use the server cert.
ba881d3b 725 */
710756a9
RS		 726 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
727 || !TEST_ptr(id = OCSP_RESPID_new())
728 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
729 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
730 NULL, NULL, NULL))
731 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
732 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 733 goto end;
ba881d3b
MC		 734 id = NULL;
735 SSL_set_tlsext_status_ids(clientssl, ids);
736 /* Control has been transferred */
737 ids = NULL;
738
739 BIO_free(certbio);
740 certbio = NULL;
741
710756a9
RS		 742 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
743 SSL_ERROR_NONE))
744 || !TEST_true(ocsp_client_called)
745 || !TEST_true(ocsp_server_called))
ba881d3b 746 goto end;
ba881d3b 747
2cb4b5f6
MC		 748 testresult = 1;
749
750 end:
ba881d3b
MC		 751 SSL_free(serverssl);
752 SSL_free(clientssl);
753 SSL_CTX_free(sctx);
754 SSL_CTX_free(cctx);
755 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
756 OCSP_RESPID_free(id);
757 BIO_free(certbio);
758 X509_free(ocspcert);
759 ocspcert = NULL;
2cb4b5f6
MC		 760
761 return testresult;
762}
8f8c11d8 763#endif
2cb4b5f6 764
bf208d95 765#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 766static int new_called, remove_called, get_called;
eaa776da 767
eaa776da
MC		 768static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
769{
770 new_called++;
c0537ebd
MC		 771 /*
772 * sess has been up-refed for us, but we don't actually need it so free it
773 * immediately.
774 */
775 SSL_SESSION_free(sess);
eaa776da
MC		 776 return 1;
777}
778
779static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
780{
781 remove_called++;
782}
783
7a301f08
MC		 784static SSL_SESSION *get_sess_val = NULL;
785
786static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
787 int *copy)
788{
0afca811 789 get_called++;
7a301f08
MC		 790 *copy = 1;
791 return get_sess_val;
792}
793
7a301f08
MC		 794static int execute_test_session(int maxprot, int use_int_cache,
795 int use_ext_cache)
2cb4b5f6
MC		 796{
797 SSL_CTX *sctx = NULL, *cctx = NULL;
798 SSL *serverssl1 = NULL, *clientssl1 = NULL;
799 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 800# ifndef OPENSSL_NO_TLS1_1
eaa776da 801 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 802# endif
2cb4b5f6
MC		 803 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
804 int testresult = 0;
805
7e885b7b
P		 806 new_called = remove_called = 0;
807
710756a9
RS		 808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
809 TLS_client_method(), &sctx,
810 &cctx, cert, privkey)))
2cb4b5f6 811 return 0;
2cb4b5f6 812
7a301f08
MC		 813 /*
814 * Only allow the max protocol version so we can force a connection failure
815 * later
816 */
817 SSL_CTX_set_min_proto_version(cctx, maxprot);
818 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 819
820 /* Set up session cache */
7e885b7b 821 if (use_ext_cache) {
eaa776da
MC		 822 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
823 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
824 }
7e885b7b 825 if (use_int_cache) {
eaa776da
MC		 826 /* Also covers instance where both are set */
827 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
828 } else {
829 SSL_CTX_set_session_cache_mode(cctx,
830 SSL_SESS_CACHE_CLIENT
831 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
832 }
2cb4b5f6 833
710756a9
RS		 834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
835 NULL, NULL))
836 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
837 SSL_ERROR_NONE))
838 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 839 goto end;
2cb4b5f6 840
710756a9 841 /* Should fail because it should already be in the cache */
7e885b7b 842 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 843 goto end;
7a301f08
MC		 844 if (use_ext_cache
845 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
b4982125 846 goto end;
b4982125 847
c0537ebd
MC		 848 new_called = remove_called = 0;
849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
850 &clientssl2, NULL, NULL))
851 || !TEST_true(SSL_set_session(clientssl2, sess1))
852 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
853 SSL_ERROR_NONE))
854 || !TEST_true(SSL_session_reused(clientssl2)))
855 goto end;
856
7a301f08
MC		 857 if (maxprot == TLS1_3_VERSION) {
858 /*
859 * In TLSv1.3 we should have created a new session even though we have
860 * resumed. The original session should also have been removed.
861 */
862 if (use_ext_cache
863 && (!TEST_int_eq(new_called, 1)
864 || !TEST_int_eq(remove_called, 1)))
865 goto end;
866 } else {
867 /*
868 * In TLSv1.2 we expect to have resumed so no sessions added or
869 * removed.
870 */
871 if (use_ext_cache
872 && (!TEST_int_eq(new_called, 0)
873 || !TEST_int_eq(remove_called, 0)))
874 goto end;
875 }
c0537ebd
MC		 876
877 SSL_SESSION_free(sess1);
878 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
879 goto end;
880 shutdown_ssl_connection(serverssl2, clientssl2);
881 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 882
883 new_called = remove_called = 0;
710756a9
RS		 884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
885 &clientssl2, NULL, NULL))
886 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
887 SSL_ERROR_NONE)))
2cb4b5f6 888 goto end;
2cb4b5f6 889
710756a9 890 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 891 goto end;
2cb4b5f6 892
7a301f08
MC		 893 if (use_ext_cache
894 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
eaa776da 895 goto end;
eaa776da 896
c0537ebd 897 new_called = remove_called = 0;
2cb4b5f6 898 /*
710756a9
RS		 899 * This should clear sess2 from the cache because it is a "bad" session.
900 * See SSL_set_session() documentation.
2cb4b5f6 901 */
710756a9 902 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 903 goto end;
7a301f08
MC		 904 if (use_ext_cache
905 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 906 goto end;
710756a9 907 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 908 goto end;
2cb4b5f6 909
7e885b7b 910 if (use_int_cache) {
710756a9
RS		 911 /* Should succeeded because it should not already be in the cache */
912 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
913 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 914 goto end;
eaa776da
MC		 915 }
916
c0537ebd 917 new_called = remove_called = 0;
eaa776da 918 /* This shouldn't be in the cache so should fail */
710756a9 919 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 920 goto end;
2cb4b5f6 921
7a301f08
MC		 922 if (use_ext_cache
923 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
bf208d95 926# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 927 new_called = remove_called = 0;
eaa776da
MC		 928 /* Force a connection failure */
929 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
931 &clientssl3, NULL, NULL))
932 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 933 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 934 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
935 SSL_ERROR_NONE)))
eaa776da 936 goto end;
b4982125 937
eaa776da 938 /* We should have automatically removed the session from the cache */
7a301f08
MC		 939 if (use_ext_cache
940 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 941 goto end;
2cb4b5f6 942
710756a9 943 /* Should succeed because it should not already be in the cache */
7e885b7b 944 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 945 goto end;
bf208d95 946# endif
eaa776da 947
7a301f08
MC		 948 /* Now do some tests for server side caching */
949 if (use_ext_cache) {
950 SSL_CTX_sess_set_new_cb(cctx, NULL);
951 SSL_CTX_sess_set_remove_cb(cctx, NULL);
952 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
953 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
954 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
955 get_sess_val = NULL;
956 }
957
958 SSL_CTX_set_session_cache_mode(cctx, 0);
959 /* Internal caching is the default on the server side */
960 if (!use_int_cache)
961 SSL_CTX_set_session_cache_mode(sctx,
962 SSL_SESS_CACHE_SERVER
963 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
964
965 SSL_free(serverssl1);
966 SSL_free(clientssl1);
967 serverssl1 = clientssl1 = NULL;
968 SSL_free(serverssl2);
969 SSL_free(clientssl2);
970 serverssl2 = clientssl2 = NULL;
971 SSL_SESSION_free(sess1);
972 sess1 = NULL;
973 SSL_SESSION_free(sess2);
974 sess2 = NULL;
975
976 SSL_CTX_set_max_proto_version(sctx, maxprot);
977 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 978 new_called = remove_called = get_called = 0;
7a301f08
MC		 979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
980 NULL, NULL))
981 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
982 SSL_ERROR_NONE))
983 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
984 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
985 goto end;
986
987 /* Should fail because it should already be in the cache */
988 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
989 goto end;
990
991 if (use_ext_cache) {
992 SSL_SESSION *tmp = sess2;
993
0afca811
KY		 994 if (!TEST_int_eq(new_called, 1)
995 || !TEST_int_eq(remove_called, 0)
996 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 997 goto end;
998 /*
999 * Delete the session from the internal cache to force a lookup from
1000 * the external cache. We take a copy first because
1001 * SSL_CTX_remove_session() also marks the session as non-resumable.
1002 */
3cb6a4d6
BK		 1003 if (use_int_cache) {
1004 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1005 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1006 goto end;
1007 SSL_SESSION_free(sess2);
1008 }
7a301f08
MC		 1009 sess2 = tmp;
1010 }
1011
0afca811 1012 new_called = remove_called = get_called = 0;
7a301f08
MC		 1013 get_sess_val = sess2;
1014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1015 &clientssl2, NULL, NULL))
1016 || !TEST_true(SSL_set_session(clientssl2, sess1))
1017 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1018 SSL_ERROR_NONE))
1019 || !TEST_true(SSL_session_reused(clientssl2)))
1020 goto end;
1021
0afca811
KY		 1022 if (use_ext_cache) {
1023 if (!TEST_int_eq(new_called, 0)
1024 || !TEST_int_eq(remove_called, 0))
1025 goto end;
1026
1027 if (maxprot == TLS1_3_VERSION) {
1028 if (!TEST_int_eq(get_called, 0))
1029 goto end;
1030 } else {
1031 if (!TEST_int_eq(get_called, 1))
1032 goto end;
1033 }
1034 }
7a301f08 1035
2cb4b5f6 1036 testresult = 1;
eaa776da 1037
2cb4b5f6
MC		 1038 end:
1039 SSL_free(serverssl1);
1040 SSL_free(clientssl1);
1041 SSL_free(serverssl2);
1042 SSL_free(clientssl2);
bf208d95 1043# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1044 SSL_free(serverssl3);
1045 SSL_free(clientssl3);
bf208d95 1046# endif
2cb4b5f6
MC		 1047 SSL_SESSION_free(sess1);
1048 SSL_SESSION_free(sess2);
1049 SSL_CTX_free(sctx);
1050 SSL_CTX_free(cctx);
1051
1052 return testresult;
1053}
bf208d95 1054#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1055
7fb4c820
MC		 1056static int test_session_with_only_int_cache(void)
1057{
7a301f08
MC		 1058#ifndef OPENSSL_NO_TLS1_3
1059 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1060 return 0;
1061#endif
1062
1063#ifndef OPENSSL_NO_TLS1_2
1064 return execute_test_session(TLS1_2_VERSION, 1, 0);
1065#else
1066 return 1;
1067#endif
eaa776da
MC		 1068}
1069
7fb4c820
MC		 1070static int test_session_with_only_ext_cache(void)
1071{
7a301f08
MC		 1072#ifndef OPENSSL_NO_TLS1_3
1073 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1074 return 0;
1075#endif
1076
1077#ifndef OPENSSL_NO_TLS1_2
1078 return execute_test_session(TLS1_2_VERSION, 0, 1);
1079#else
1080 return 1;
1081#endif
eaa776da
MC		 1082}
1083
7fb4c820
MC		 1084static int test_session_with_both_cache(void)
1085{
7a301f08
MC		 1086#ifndef OPENSSL_NO_TLS1_3
1087 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1088 return 0;
1089#endif
1090
1091#ifndef OPENSSL_NO_TLS1_2
1092 return execute_test_session(TLS1_2_VERSION, 1, 1);
1093#else
1094 return 1;
1095#endif
eaa776da
MC		 1096}
1097
7fb4c820
MC		 1098#define USE_NULL 0
1099#define USE_BIO_1 1
1100#define USE_BIO_2 2
1101
1102#define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1103
1104static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1105{
1106 switch (type) {
1107 case USE_NULL:
1108 *res = NULL;
1109 break;
1110 case USE_BIO_1:
1111 *res = bio1;
1112 break;
1113 case USE_BIO_2:
1114 *res = bio2;
1115 break;
1116 }
1117}
1118
1119static int test_ssl_set_bio(int idx)
1120{
710756a9 1121 SSL_CTX *ctx;
7fb4c820
MC		 1122 BIO *bio1 = NULL;
1123 BIO *bio2 = NULL;
0fae8150 1124 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7fb4c820
MC		 1125 SSL *ssl = NULL;
1126 int initrbio, initwbio, newrbio, newwbio;
1127 int testresult = 0;
1128
7fb4c820
MC		 1129 initrbio = idx % 3;
1130 idx /= 3;
1131 initwbio = idx % 3;
1132 idx /= 3;
1133 newrbio = idx % 3;
1134 idx /= 3;
1135 newwbio = idx;
710756a9
RS		 1136 if (!TEST_int_le(newwbio, 2))
1137 return 0;
1138
1139 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1140 || !TEST_ptr(ssl = SSL_new(ctx)))
1141 goto end;
7fb4c820 1142
710756a9
RS		 1143 if (initrbio == USE_BIO_1
1144 || initwbio == USE_BIO_1
1145 || newrbio == USE_BIO_1
7fb4c820 1146 || newwbio == USE_BIO_1) {
710756a9 1147 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1148 goto end;
7fb4c820
MC		 1149 }
1150
710756a9
RS		 1151 if (initrbio == USE_BIO_2
1152 || initwbio == USE_BIO_2
1153 || newrbio == USE_BIO_2
7fb4c820 1154 || newwbio == USE_BIO_2) {
710756a9 1155 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1156 goto end;
7fb4c820
MC		 1157 }
1158
1159 setupbio(&irbio, bio1, bio2, initrbio);
1160 setupbio(&iwbio, bio1, bio2, initwbio);
1161
1162 /*
1163 * We want to maintain our own refs to these BIO, so do an up ref for each
69687aa8 1164 * BIO that will have ownership transferred in the SSL_set_bio() call
7fb4c820
MC		 1165 */
1166 if (irbio != NULL)
1167 BIO_up_ref(irbio);
1168 if (iwbio != NULL && iwbio != irbio)
1169 BIO_up_ref(iwbio);
1170
1171 SSL_set_bio(ssl, irbio, iwbio);
1172
1173 setupbio(&nrbio, bio1, bio2, newrbio);
1174 setupbio(&nwbio, bio1, bio2, newwbio);
1175
1176 /*
1177 * We will (maybe) transfer ownership again so do more up refs.
1178 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1179 * already been set!
1180 */
710756a9
RS		 1181 if (nrbio != NULL
1182 && nrbio != irbio
1183 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1184 BIO_up_ref(nrbio);
710756a9
RS		 1185 if (nwbio != NULL
1186 && nwbio != nrbio
1187 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1188 BIO_up_ref(nwbio);
1189
1190 SSL_set_bio(ssl, nrbio, nwbio);
1191
1192 testresult = 1;
1193
1194 end:
1195 SSL_free(ssl);
1196 BIO_free(bio1);
1197 BIO_free(bio2);
710756a9 1198
7fb4c820
MC		 1199 /*
1200 * This test is checking that the ref counting for SSL_set_bio is correct.
1201 * If we get here and we did too many frees then we will fail in the above
1202 * functions. If we haven't done enough then this will only be detected in
1203 * a crypto-mdebug build
1204 */
1205 SSL_CTX_free(ctx);
7fb4c820
MC		 1206 return testresult;
1207}
1208
7e885b7b 1209typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1210
7e885b7b 1211static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1212{
1213 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1214 SSL_CTX *ctx;
9a716987
MC		 1215 SSL *ssl = NULL;
1216 int testresult = 0;
1217
710756a9
RS		 1218 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1219 || !TEST_ptr(ssl = SSL_new(ctx))
1220 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1221 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1222 goto end;
9a716987
MC		 1223
1224 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1225
1226 /*
1227 * If anything goes wrong here then we could leak memory, so this will
1228 * be caught in a crypto-mdebug build
1229 */
1230 BIO_push(sslbio, membio1);
1231
69687aa8 1232 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1233 if (change_bio != NO_BIO_CHANGE) {
710756a9 1234 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1235 goto end;
7e885b7b 1236 if (change_bio == CHANGE_RBIO)
65e2d672 1237 SSL_set0_rbio(ssl, membio2);
9a716987 1238 else
65e2d672 1239 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1240 }
1241 ssl = NULL;
1242
7e885b7b 1243 if (pop_ssl)
9a716987
MC		 1244 BIO_pop(sslbio);
1245 else
1246 BIO_pop(membio1);
1247
1248 testresult = 1;
1249 end:
1250 BIO_free(membio1);
1251 BIO_free(sslbio);
1252 SSL_free(ssl);
1253 SSL_CTX_free(ctx);
1254
1255 return testresult;
1256}
1257
1258static int test_ssl_bio_pop_next_bio(void)
1259{
7e885b7b 1260 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1261}
1262
1263static int test_ssl_bio_pop_ssl_bio(void)
1264{
7e885b7b 1265 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1266}
1267
1268static int test_ssl_bio_change_rbio(void)
1269{
7e885b7b 1270 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1271}
1272
1273static int test_ssl_bio_change_wbio(void)
1274{
7e885b7b 1275 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1276}
1277
c423ecaa 1278#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1279typedef struct {
1280 /* The list of sig algs */
1281 const int *list;
1282 /* The length of the list */
1283 size_t listlen;
1284 /* A sigalgs list in string format */
1285 const char *liststr;
1286 /* Whether setting the list should succeed */
1287 int valid;
1288 /* Whether creating a connection with the list should succeed */
1289 int connsuccess;
1290} sigalgs_list;
1291
1292static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1293# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1294static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1295static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1296# endif
f1b25aae
MC		 1297static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1298static const int invalidlist2[] = {NID_sha256, NID_undef};
1299static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1300static const int invalidlist4[] = {NID_sha256};
1301static const sigalgs_list testsigalgs[] = {
1302 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1303# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1304 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1305 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1306# endif
f1b25aae 1307 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1308# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1309 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1310 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1311# endif
f1b25aae
MC		 1312 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1313 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1314 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1315 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1316 {NULL, 0, "RSA", 0, 0},
1317 {NULL, 0, "SHA256", 0, 0},
1318 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1319 {NULL, 0, "Invalid", 0, 0}
1320};
f1b25aae
MC		 1321
1322static int test_set_sigalgs(int idx)
1323{
1324 SSL_CTX *cctx = NULL, *sctx = NULL;
1325 SSL *clientssl = NULL, *serverssl = NULL;
1326 int testresult = 0;
1327 const sigalgs_list *curr;
1328 int testctx;
1329
1330 /* Should never happen */
710756a9 1331 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1332 return 0;
1333
1334 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1335 curr = testctx ? &testsigalgs[idx]
1336 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1337
710756a9
RS		 1338 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1339 TLS_client_method(), &sctx,
1340 &cctx, cert, privkey)))
f1b25aae 1341 return 0;
f1b25aae 1342
d2e491f2
MC		 1343 /*
1344 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1345 * for TLSv1.2 for now until we add a new API.
1346 */
1347 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1348
f1b25aae
MC		 1349 if (testctx) {
1350 int ret;
710756a9 1351
f1b25aae
MC		 1352 if (curr->list != NULL)
1353 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1354 else
1355 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1356
1357 if (!ret) {
1358 if (curr->valid)
710756a9 1359 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1360 else
1361 testresult = 1;
1362 goto end;
1363 }
1364 if (!curr->valid) {
710756a9 1365 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1366 goto end;
1367 }
1368 }
1369
710756a9
RS		 1370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1371 &clientssl, NULL, NULL)))
f1b25aae 1372 goto end;
f1b25aae
MC		 1373
1374 if (!testctx) {
1375 int ret;
1376
1377 if (curr->list != NULL)
1378 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1379 else
1380 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1381 if (!ret) {
1382 if (curr->valid)
710756a9 1383 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1384 else
1385 testresult = 1;
1386 goto end;
1387 }
710756a9 1388 if (!curr->valid)
f1b25aae 1389 goto end;
f1b25aae
MC		 1390 }
1391
710756a9
RS		 1392 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1393 SSL_ERROR_NONE),
1394 curr->connsuccess))
f1b25aae 1395 goto end;
f1b25aae
MC		 1396
1397 testresult = 1;
1398
1399 end:
1400 SSL_free(serverssl);
1401 SSL_free(clientssl);
1402 SSL_CTX_free(sctx);
1403 SSL_CTX_free(cctx);
1404
1405 return testresult;
1406}
c423ecaa 1407#endif
f1b25aae 1408
fff202e5
MC		 1409#ifndef OPENSSL_NO_TLS1_3
1410
57dee9bb
MC		 1411static SSL_SESSION *clientpsk = NULL;
1412static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1413static const char *pskid = "Identity";
1414static const char *srvid;
1415
1416static int use_session_cb_cnt = 0;
1417static int find_session_cb_cnt = 0;
532f9578
MC		 1418static int psk_client_cb_cnt = 0;
1419static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1420
1421static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1422 size_t *idlen, SSL_SESSION **sess)
1423{
1424 switch (++use_session_cb_cnt) {
1425 case 1:
1426 /* The first call should always have a NULL md */
1427 if (md != NULL)
1428 return 0;
1429 break;
1430
1431 case 2:
1432 /* The second call should always have an md */
1433 if (md == NULL)
1434 return 0;
1435 break;
1436
1437 default:
1438 /* We should only be called a maximum of twice */
1439 return 0;
1440 }
1441
57dee9bb
MC		 1442 if (clientpsk != NULL)
1443 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1444
57dee9bb 1445 *sess = clientpsk;
02a3ed5a
MC		 1446 *id = (const unsigned char *)pskid;
1447 *idlen = strlen(pskid);
1448
1449 return 1;
1450}
1451
532f9578
MC		 1452static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1453 unsigned int max_id_len,
1454 unsigned char *psk,
1455 unsigned int max_psk_len)
1456{
1457 unsigned int psklen = 0;
1458
1459 psk_client_cb_cnt++;
1460
1461 if (strlen(pskid) + 1 > max_id_len)
1462 return 0;
1463
1464 /* We should only ever be called a maximum of twice per connection */
1465 if (psk_client_cb_cnt > 2)
1466 return 0;
1467
1468 if (clientpsk == NULL)
1469 return 0;
1470
1471 /* We'll reuse the PSK we set up for TLSv1.3 */
1472 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1473 return 0;
1474 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1475 strncpy(id, pskid, max_id_len);
1476
1477 return psklen;
1478}
1479
02a3ed5a
MC		 1480static int find_session_cb(SSL *ssl, const unsigned char *identity,
1481 size_t identity_len, SSL_SESSION **sess)
1482{
1483 find_session_cb_cnt++;
1484
1485 /* We should only ever be called a maximum of twice per connection */
1486 if (find_session_cb_cnt > 2)
1487 return 0;
1488
57dee9bb 1489 if (serverpsk == NULL)
02a3ed5a
MC		 1490 return 0;
1491
1492 /* Identity should match that set by the client */
1493 if (strlen(srvid) != identity_len
1494 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1495 /* No PSK found, continue but without a PSK */
1496 *sess = NULL;
1497 return 1;
1498 }
1499
57dee9bb
MC		 1500 SSL_SESSION_up_ref(serverpsk);
1501 *sess = serverpsk;
02a3ed5a
MC		 1502
1503 return 1;
1504}
1505
532f9578
MC		 1506static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1507 unsigned char *psk, unsigned int max_psk_len)
1508{
1509 unsigned int psklen = 0;
1510
1511 psk_server_cb_cnt++;
1512
1513 /* We should only ever be called a maximum of twice per connection */
1514 if (find_session_cb_cnt > 2)
1515 return 0;
1516
1517 if (serverpsk == NULL)
1518 return 0;
1519
1520 /* Identity should match that set by the client */
1521 if (strcmp(srvid, identity) != 0) {
1522 return 0;
1523 }
1524
1525 /* We'll reuse the PSK we set up for TLSv1.3 */
1526 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1527 return 0;
1528 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1529
1530 return psklen;
1531}
1532
5f982038
MC		 1533#define MSG1 "Hello"
1534#define MSG2 "World."
1535#define MSG3 "This"
1536#define MSG4 "is"
1537#define MSG5 "a"
90049cea
MC		 1538#define MSG6 "test"
1539#define MSG7 "message."
5f982038 1540
02a3ed5a 1541#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1542#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1543
5f982038
MC		 1544/*
1545 * Helper method to setup objects for early data test. Caller frees objects on
1546 * error.
1547 */
1548static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1549 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1550{
710756a9
RS		 1551 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1552 TLS_client_method(), sctx,
c39e4048
BK		 1553 cctx, cert, privkey))
1554 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
1555 SSL3_RT_MAX_PLAIN_LENGTH))
1556 || !TEST_true(SSL_CTX_set_max_early_data(*cctx,
1557 SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1558 return 0;
5f982038 1559
02a3ed5a
MC		 1560 if (idx == 1) {
1561 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1562 SSL_CTX_set_read_ahead(*cctx, 1);
1563 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1564 } else if (idx == 2) {
1565 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1566 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1567 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1568 use_session_cb_cnt = 0;
1569 find_session_cb_cnt = 0;
1570 srvid = pskid;
3cb47b4e
MC		 1571 }
1572
710756a9 1573 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1574 NULL, NULL)))
1575 return 0;
1576
141e4709
MC		 1577 /*
1578 * For one of the run throughs (doesn't matter which one), we'll try sending
1579 * some SNI data in the initial ClientHello. This will be ignored (because
1580 * there is no SNI cb set up by the server), so it should not impact
1581 * early_data.
1582 */
1583 if (idx == 1
1584 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1585 return 0;
1586
02a3ed5a
MC		 1587 if (idx == 2) {
1588 /* Create the PSK */
1589 const SSL_CIPHER *cipher = NULL;
1590 const unsigned char key[] = {
1591 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1592 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1593 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1594 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1595 0x2c, 0x2d, 0x2e, 0x2f
1596 };
1597
1598 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1599 clientpsk = SSL_SESSION_new();
1600 if (!TEST_ptr(clientpsk)
02a3ed5a 1601 || !TEST_ptr(cipher)
57dee9bb 1602 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1603 sizeof(key)))
57dee9bb 1604 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1605 || !TEST_true(
57dee9bb 1606 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1607 TLS1_3_VERSION))
1608 /*
1609 * We just choose an arbitrary value for max_early_data which
1610 * should be big enough for testing purposes.
1611 */
57dee9bb
MC		 1612 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1613 0x100))
1614 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1615 SSL_SESSION_free(clientpsk);
1616 clientpsk = NULL;
02a3ed5a
MC		 1617 return 0;
1618 }
57dee9bb 1619 serverpsk = clientpsk;
02a3ed5a
MC		 1620
1621 if (sess != NULL)
57dee9bb 1622 *sess = clientpsk;
02a3ed5a
MC		 1623 return 1;
1624 }
1625
1626 if (sess == NULL)
1627 return 1;
1628
1629 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1630 SSL_ERROR_NONE)))
5f982038 1631 return 0;
5f982038
MC		 1632
1633 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1634 SSL_shutdown(*clientssl);
1635 SSL_shutdown(*serverssl);
5f982038
MC		 1636 SSL_free(*serverssl);
1637 SSL_free(*clientssl);
1638 *serverssl = *clientssl = NULL;
1639
710756a9
RS		 1640 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1641 clientssl, NULL, NULL))
1642 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1643 return 0;
5f982038
MC		 1644
1645 return 1;
1646}
1647
3cb47b4e 1648static int test_early_data_read_write(int idx)
5f982038
MC		 1649{
1650 SSL_CTX *cctx = NULL, *sctx = NULL;
1651 SSL *clientssl = NULL, *serverssl = NULL;
1652 int testresult = 0;
1653 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1654 unsigned char buf[20], data[1024];
1655 size_t readbytes, written, eoedlen, rawread, rawwritten;
1656 BIO *rbio;
5f982038 1657
710756a9
RS		 1658 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1659 &serverssl, &sess, idx)))
5f982038
MC		 1660 goto end;
1661
1662 /* Write and read some early data */
710756a9
RS		 1663 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1664 &written))
1665 || !TEST_size_t_eq(written, strlen(MSG1))
1666 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1667 sizeof(buf), &readbytes),
1668 SSL_READ_EARLY_DATA_SUCCESS)
1669 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1670 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1671 SSL_EARLY_DATA_ACCEPTED))
5f982038 1672 goto end;
5f982038
MC		 1673
1674 /*
09f28874 1675 * Server should be able to write data, and client should be able to
5f982038
MC		 1676 * read it.
1677 */
710756a9
RS		 1678 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1679 &written))
1680 || !TEST_size_t_eq(written, strlen(MSG2))
1681 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1682 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1683 goto end;
5f982038
MC		 1684
1685 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1686 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1687 &written))
1688 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1689 goto end;
5f982038 1690
09f28874 1691 /* Server should still be able read early data after writing data */
710756a9
RS		 1692 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1693 &readbytes),
1694 SSL_READ_EARLY_DATA_SUCCESS)
1695 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 1696 goto end;
5f982038 1697
09f28874 1698 /* Write more data from server and read it from client */
710756a9
RS		 1699 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1700 &written))
1701 || !TEST_size_t_eq(written, strlen(MSG4))
1702 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1703 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 1704 goto end;
5f982038
MC		 1705
1706 /*
1707 * If client writes normal data it should mean writing early data is no
1708 * longer possible.
1709 */
710756a9
RS		 1710 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1711 || !TEST_size_t_eq(written, strlen(MSG5))
1712 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1713 SSL_EARLY_DATA_ACCEPTED))
5f982038 1714 goto end;
5f982038 1715
9b5c865d
MC		 1716 /*
1717 * At this point the client has written EndOfEarlyData, ClientFinished and
1718 * normal (fully protected) data. We are going to cause a delay between the
1719 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1720 * in the read BIO, and then just put back the EndOfEarlyData message.
1721 */
1722 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 1723 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1724 || !TEST_size_t_lt(rawread, sizeof(data))
1725 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 1726 goto end;
710756a9 1727
9b5c865d
MC		 1728 /* Record length is in the 4th and 5th bytes of the record header */
1729 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 1730 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1731 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 1732 goto end;
9b5c865d 1733
5f982038 1734 /* Server should be told that there is no more early data */
710756a9
RS		 1735 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1736 &readbytes),
1737 SSL_READ_EARLY_DATA_FINISH)
1738 || !TEST_size_t_eq(readbytes, 0))
5f982038 1739 goto end;
5f982038 1740
9b5c865d
MC		 1741 /*
1742 * Server has not finished init yet, so should still be able to write early
1743 * data.
1744 */
710756a9
RS		 1745 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1746 &written))
1747 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 1748 goto end;
9b5c865d 1749
f8a303fa 1750 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 1751 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1752 &rawwritten))
1753 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 1754 goto end;
f8a303fa 1755
5f982038 1756 /* Server should be able to read normal data */
710756a9
RS		 1757 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1758 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1759 goto end;
5f982038 1760
09f28874 1761 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1762 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1763 &written)))
5f982038 1764 goto end;
5f982038 1765 ERR_clear_error();
710756a9
RS		 1766 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1767 &readbytes),
1768 SSL_READ_EARLY_DATA_ERROR))
5f982038 1769 goto end;
5f982038
MC		 1770 ERR_clear_error();
1771
9b5c865d 1772 /* Client should be able to read the data sent by the server */
710756a9
RS		 1773 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1774 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 1775 goto end;
710756a9 1776
f8a303fa
MC		 1777 /*
1778 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1779 * We attempt a read which we do not expect to return any data.
1780 */
710756a9 1781 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
f8a303fa 1782 goto end;
5f982038 1783
90049cea 1784 /* Server should be able to write normal data */
710756a9
RS		 1785 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1786 || !TEST_size_t_eq(written, strlen(MSG7))
1787 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1788 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 1789 goto end;
90049cea 1790
02a3ed5a
MC		 1791 /* We keep the PSK session around if using PSK */
1792 if (idx != 2)
1793 SSL_SESSION_free(sess);
5f982038 1794 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 1795 use_session_cb_cnt = 0;
1796 find_session_cb_cnt = 0;
5f982038
MC		 1797
1798 SSL_shutdown(clientssl);
1799 SSL_shutdown(serverssl);
5f982038
MC		 1800 SSL_free(serverssl);
1801 SSL_free(clientssl);
1802 serverssl = clientssl = NULL;
710756a9
RS		 1803 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1804 &clientssl, NULL, NULL))
1805 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 1806 goto end;
5f982038
MC		 1807
1808 /* Write and read some early data */
710756a9
RS		 1809 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1810 &written))
1811 || !TEST_size_t_eq(written, strlen(MSG1))
1812 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1813 &readbytes),
1814 SSL_READ_EARLY_DATA_SUCCESS)
1815 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 1816 goto end;
5f982038 1817
710756a9
RS		 1818 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1819 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 1820 goto end;
5f982038 1821
09f28874 1822 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1823 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1824 &written)))
5f982038 1825 goto end;
5f982038 1826 ERR_clear_error();
710756a9
RS		 1827 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1828 &readbytes),
1829 SSL_READ_EARLY_DATA_ERROR))
5f982038 1830 goto end;
5f982038
MC		 1831 ERR_clear_error();
1832
1833 /* Client and server should be able to write/read normal data */
710756a9
RS		 1834 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1835 || !TEST_size_t_eq(written, strlen(MSG5))
1836 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1837 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1838 goto end;
5f982038
MC		 1839
1840 testresult = 1;
1841
1842 end:
57dee9bb
MC		 1843 if (sess != clientpsk)
1844 SSL_SESSION_free(sess);
1845 SSL_SESSION_free(clientpsk);
1846 SSL_SESSION_free(serverpsk);
1847 clientpsk = serverpsk = NULL;
5f982038
MC		 1848 SSL_free(serverssl);
1849 SSL_free(clientssl);
1850 SSL_CTX_free(sctx);
1851 SSL_CTX_free(cctx);
5f982038
MC		 1852 return testresult;
1853}
1854
710756a9 1855/*
6b84e6bf
MC		 1856 * Helper function to test that a server attempting to read early data can
1857 * handle a connection from a client where the early data should be skipped.
710756a9 1858 */
6b84e6bf 1859static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 1860{
1861 SSL_CTX *cctx = NULL, *sctx = NULL;
1862 SSL *clientssl = NULL, *serverssl = NULL;
1863 int testresult = 0;
018fcbec 1864 SSL_SESSION *sess = NULL;
5f982038
MC		 1865 unsigned char buf[20];
1866 size_t readbytes, written;
1867
710756a9
RS		 1868 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1869 &serverssl, &sess, idx)))
5f982038
MC		 1870 goto end;
1871
6b84e6bf
MC		 1872 if (hrr) {
1873 /* Force an HRR to occur */
1874 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1875 goto end;
02a3ed5a
MC		 1876 } else if (idx == 2) {
1877 /*
1878 * We force early_data rejection by ensuring the PSK identity is
1879 * unrecognised
1880 */
1881 srvid = "Dummy Identity";
6b84e6bf
MC		 1882 } else {
1883 /*
1884 * Deliberately corrupt the creation time. We take 20 seconds off the
1885 * time. It could be any value as long as it is not within tolerance.
1886 * This should mean the ticket is rejected.
1887 */
5d99881e 1888 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 1889 goto end;
1890 }
5f982038
MC		 1891
1892 /* Write some early data */
710756a9
RS		 1893 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1894 &written))
1895 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 1896 goto end;
5f982038
MC		 1897
1898 /* Server should reject the early data and skip over it */
710756a9
RS		 1899 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1900 &readbytes),
1901 SSL_READ_EARLY_DATA_FINISH)
1902 || !TEST_size_t_eq(readbytes, 0)
1903 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1904 SSL_EARLY_DATA_REJECTED))
5f982038 1905 goto end;
5f982038 1906
6b84e6bf
MC		 1907 if (hrr) {
1908 /*
1909 * Finish off the handshake. We perform the same writes and reads as
1910 * further down but we expect them to fail due to the incomplete
1911 * handshake.
1912 */
1913 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1914 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1915 &readbytes)))
1916 goto end;
1917 }
1918
710756a9
RS		 1919 /* Should be able to send normal data despite rejection of early data */
1920 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1921 || !TEST_size_t_eq(written, strlen(MSG2))
1922 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1923 SSL_EARLY_DATA_REJECTED)
1924 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1925 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1926 goto end;
5f982038
MC		 1927
1928 testresult = 1;
1929
1930 end:
57dee9bb
MC		 1931 if (sess != clientpsk)
1932 SSL_SESSION_free(clientpsk);
1933 SSL_SESSION_free(serverpsk);
1934 clientpsk = serverpsk = NULL;
5f982038
MC		 1935 SSL_SESSION_free(sess);
1936 SSL_free(serverssl);
1937 SSL_free(clientssl);
1938 SSL_CTX_free(sctx);
1939 SSL_CTX_free(cctx);
5f982038
MC		 1940 return testresult;
1941}
1942
6b84e6bf
MC		 1943/*
1944 * Test that a server attempting to read early data can handle a connection
1945 * from a client where the early data is not acceptable.
1946 */
1947static int test_early_data_skip(int idx)
1948{
1949 return early_data_skip_helper(0, idx);
1950}
1951
1952/*
1953 * Test that a server attempting to read early data can handle a connection
1954 * from a client where an HRR occurs.
1955 */
1956static int test_early_data_skip_hrr(int idx)
1957{
1958 return early_data_skip_helper(1, idx);
1959}
1960
710756a9
RS		 1961/*
1962 * Test that a server attempting to read early data can handle a connection
1963 * from a client that doesn't send any.
1964 */
3cb47b4e 1965static int test_early_data_not_sent(int idx)
5f982038
MC		 1966{
1967 SSL_CTX *cctx = NULL, *sctx = NULL;
1968 SSL *clientssl = NULL, *serverssl = NULL;
1969 int testresult = 0;
018fcbec 1970 SSL_SESSION *sess = NULL;
5f982038
MC		 1971 unsigned char buf[20];
1972 size_t readbytes, written;
1973
710756a9
RS		 1974 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1975 &serverssl, &sess, idx)))
5f982038
MC		 1976 goto end;
1977
1978 /* Write some data - should block due to handshake with server */
1979 SSL_set_connect_state(clientssl);
710756a9 1980 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 1981 goto end;
5f982038
MC		 1982
1983 /* Server should detect that early data has not been sent */
710756a9
RS		 1984 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1985 &readbytes),
1986 SSL_READ_EARLY_DATA_FINISH)
1987 || !TEST_size_t_eq(readbytes, 0)
1988 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1989 SSL_EARLY_DATA_NOT_SENT)
1990 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1991 SSL_EARLY_DATA_NOT_SENT))
5f982038 1992 goto end;
5f982038
MC		 1993
1994 /* Continue writing the message we started earlier */
710756a9
RS		 1995 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1996 || !TEST_size_t_eq(written, strlen(MSG1))
1997 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1998 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1999 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2000 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2001 goto end;
5f982038 2002
3cb47b4e
MC		 2003 /*
2004 * Should block due to the NewSessionTicket arrival unless we're using
2005 * read_ahead
2006 */
02a3ed5a 2007 if (idx != 1) {
710756a9 2008 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
3cb47b4e 2009 goto end;
5f982038
MC		 2010 }
2011
710756a9
RS		 2012 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2013 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2014 goto end;
5f982038
MC		 2015
2016 testresult = 1;
2017
2018 end:
57dee9bb 2019 /* If using PSK then clientpsk and sess are the same */
5f982038 2020 SSL_SESSION_free(sess);
57dee9bb
MC		 2021 SSL_SESSION_free(serverpsk);
2022 clientpsk = serverpsk = NULL;
5f982038
MC		 2023 SSL_free(serverssl);
2024 SSL_free(clientssl);
2025 SSL_CTX_free(sctx);
2026 SSL_CTX_free(cctx);
5f982038
MC		 2027 return testresult;
2028}
2029
976e5323
MC		 2030static int hostname_cb(SSL *s, int *al, void *arg)
2031{
2032 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2033
281bf233 2034 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2035 return SSL_TLSEXT_ERR_OK;
2036
2037 return SSL_TLSEXT_ERR_NOACK;
2038}
2039
2040static const char *servalpn;
2041
c7558d5b
PY		 2042static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2043 unsigned char *outlen, const unsigned char *in,
2044 unsigned int inlen, void *arg)
976e5323 2045{
c7558d5b 2046 unsigned int protlen = 0;
976e5323
MC		 2047 const unsigned char *prot;
2048
c7558d5b
PY		 2049 for (prot = in; prot < in + inlen; prot += protlen) {
2050 protlen = *prot++;
5d99881e 2051 if (in + inlen < prot + protlen)
976e5323
MC		 2052 return SSL_TLSEXT_ERR_NOACK;
2053
2054 if (protlen == strlen(servalpn)
0bd42fde 2055 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2056 *out = prot;
2057 *outlen = protlen;
2058 return SSL_TLSEXT_ERR_OK;
2059 }
2060 }
2061
2062 return SSL_TLSEXT_ERR_NOACK;
2063}
2064
57dee9bb 2065/* Test that a PSK can be used to send early_data */
976e5323
MC		 2066static int test_early_data_psk(int idx)
2067{
2068 SSL_CTX *cctx = NULL, *sctx = NULL;
2069 SSL *clientssl = NULL, *serverssl = NULL;
2070 int testresult = 0;
2071 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2072 unsigned char alpnlist[] = {
2073 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2074 'l', 'p', 'n'
2075 };
2076#define GOODALPNLEN 9
2077#define BADALPNLEN 8
2078#define GOODALPN (alpnlist)
2079#define BADALPN (alpnlist + GOODALPNLEN)
2080 int err = 0;
976e5323
MC		 2081 unsigned char buf[20];
2082 size_t readbytes, written;
57dee9bb 2083 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2084 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2085
2086 /* We always set this up with a final parameter of "2" for PSK */
2087 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2088 &serverssl, &sess, 2)))
2089 goto end;
2090
976e5323
MC		 2091 servalpn = "goodalpn";
2092
57dee9bb
MC		 2093 /*
2094 * Note: There is no test for inconsistent SNI with late client detection.
2095 * This is because servers do not acknowledge SNI even if they are using
2096 * it in a resumption handshake - so it is not actually possible for a
2097 * client to detect a problem.
2098 */
976e5323
MC		 2099 switch (idx) {
2100 case 0:
57dee9bb 2101 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2102 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2103 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2104 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2105 goto end;
2106 break;
2107
2108 case 1:
57dee9bb 2109 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2110 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2111 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2112 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2113 GOODALPNLEN))
2114 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2115 BADALPNLEN)))
976e5323
MC		 2116 goto end;
2117 break;
2118
2119 case 2:
2120 /*
2121 * Set invalid protocol version. Technically this affects PSKs without
2122 * early_data too, but we test it here because it is similar to the
2123 * SNI/ALPN consistency tests.
2124 */
2125 err = SSL_R_BAD_PSK;
2126 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2127 goto end;
2128 break;
2129
2130 case 3:
2131 /*
2132 * Set inconsistent SNI (server detected). In this case the connection
2133 * will succeed but reject early_data.
2134 */
281bf233
MC		 2135 SSL_SESSION_free(serverpsk);
2136 serverpsk = SSL_SESSION_dup(clientpsk);
2137 if (!TEST_ptr(serverpsk)
2138 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2139 goto end;
976e5323
MC		 2140 edstatus = SSL_EARLY_DATA_REJECTED;
2141 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2142 /* Fall through */
2143 case 4:
2144 /* Set consistent SNI */
976e5323
MC		 2145 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2146 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2147 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2148 hostname_cb)))
2149 goto end;
2150 break;
2151
2152 case 5:
2153 /*
2154 * Set inconsistent ALPN (server detected). In this case the connection
2155 * will succeed but reject early_data.
2156 */
2157 servalpn = "badalpn";
2158 edstatus = SSL_EARLY_DATA_REJECTED;
2159 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2160 /* Fall through */
2161 case 6:
976e5323 2162 /*
57dee9bb 2163 * Set consistent ALPN.
976e5323
MC		 2164 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2165 * accepts a list of protos (each one length prefixed).
2166 * SSL_set1_alpn_selected accepts a single protocol (not length
2167 * prefixed)
2168 */
57dee9bb
MC		 2169 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2170 GOODALPNLEN - 1))
2171 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2172 GOODALPNLEN)))
976e5323
MC		 2173 goto end;
2174
2175 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2176 break;
2177
57dee9bb
MC		 2178 case 7:
2179 /* Set inconsistent ALPN (late client detection) */
2180 SSL_SESSION_free(serverpsk);
2181 serverpsk = SSL_SESSION_dup(clientpsk);
2182 if (!TEST_ptr(serverpsk)
2183 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2184 BADALPN + 1,
2185 BADALPNLEN - 1))
2186 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2187 GOODALPN + 1,
2188 GOODALPNLEN - 1))
2189 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2190 sizeof(alpnlist))))
2191 goto end;
2192 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2193 edstatus = SSL_EARLY_DATA_ACCEPTED;
2194 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2195 /* SSL_connect() call should fail */
2196 connectres = -1;
2197 break;
2198
976e5323
MC		 2199 default:
2200 TEST_error("Bad test index");
2201 goto end;
2202 }
2203
2204 SSL_set_connect_state(clientssl);
2205 if (err != 0) {
2206 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2207 &written))
2208 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2209 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2210 goto end;
2211 } else {
2212 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2213 &written)))
2214 goto end;
2215
2216 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2217 &readbytes), readearlyres)
976e5323
MC		 2218 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2219 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2220 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2221 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2222 goto end;
2223 }
2224
2225 testresult = 1;
2226
2227 end:
57dee9bb
MC		 2228 SSL_SESSION_free(clientpsk);
2229 SSL_SESSION_free(serverpsk);
2230 clientpsk = serverpsk = NULL;
976e5323
MC		 2231 SSL_free(serverssl);
2232 SSL_free(clientssl);
2233 SSL_CTX_free(sctx);
2234 SSL_CTX_free(cctx);
2235 return testresult;
2236}
2237
710756a9
RS		 2238/*
2239 * Test that a server that doesn't try to read early data can handle a
2240 * client sending some.
2241 */
3cb47b4e 2242static int test_early_data_not_expected(int idx)
5f982038
MC		 2243{
2244 SSL_CTX *cctx = NULL, *sctx = NULL;
2245 SSL *clientssl = NULL, *serverssl = NULL;
2246 int testresult = 0;
018fcbec 2247 SSL_SESSION *sess = NULL;
5f982038
MC		 2248 unsigned char buf[20];
2249 size_t readbytes, written;
2250
710756a9
RS		 2251 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2252 &serverssl, &sess, idx)))
5f982038
MC		 2253 goto end;
2254
2255 /* Write some early data */
710756a9
RS		 2256 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2257 &written)))
5f982038 2258 goto end;
5f982038
MC		 2259
2260 /*
2261 * Server should skip over early data and then block waiting for client to
2262 * continue handshake
2263 */
710756a9
RS		 2264 if (!TEST_int_le(SSL_accept(serverssl), 0)
2265 || !TEST_int_gt(SSL_connect(clientssl), 0)
2266 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2267 SSL_EARLY_DATA_REJECTED)
2268 || !TEST_int_gt(SSL_accept(serverssl), 0)
2269 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2270 SSL_EARLY_DATA_REJECTED))
5f982038 2271 goto end;
5f982038
MC		 2272
2273 /* Send some normal data from client to server */
710756a9
RS		 2274 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2275 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2276 goto end;
5f982038 2277
710756a9
RS		 2278 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2279 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2280 goto end;
5f982038
MC		 2281
2282 testresult = 1;
2283
2284 end:
57dee9bb 2285 /* If using PSK then clientpsk and sess are the same */
5f982038 2286 SSL_SESSION_free(sess);
57dee9bb
MC		 2287 SSL_SESSION_free(serverpsk);
2288 clientpsk = serverpsk = NULL;
5f982038
MC		 2289 SSL_free(serverssl);
2290 SSL_free(clientssl);
2291 SSL_CTX_free(sctx);
2292 SSL_CTX_free(cctx);
5f982038
MC		 2293 return testresult;
2294}
2295
2296
2297# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2298/*
2299 * Test that a server attempting to read early data can handle a connection
2300 * from a TLSv1.2 client.
2301 */
3cb47b4e 2302static int test_early_data_tls1_2(int idx)
5f982038
MC		 2303{
2304 SSL_CTX *cctx = NULL, *sctx = NULL;
2305 SSL *clientssl = NULL, *serverssl = NULL;
2306 int testresult = 0;
2307 unsigned char buf[20];
2308 size_t readbytes, written;
2309
02a3ed5a
MC		 2310 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2311 &serverssl, NULL, idx)))
5f982038 2312 goto end;
5f982038
MC		 2313
2314 /* Write some data - should block due to handshake with server */
2315 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2316 SSL_set_connect_state(clientssl);
710756a9 2317 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2318 goto end;
5f982038
MC		 2319
2320 /*
2321 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2322 * messages from client after ServerDone. Then SSL_read_early_data should
2323 * finish and detect that early data has not been sent
5f982038 2324 */
710756a9
RS		 2325 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2326 &readbytes),
2327 SSL_READ_EARLY_DATA_ERROR))
5f982038 2328 goto end;
5f982038
MC		 2329
2330 /*
2331 * Continue writing the message we started earlier. Will still block waiting
2332 * for the CCS/Finished from server
2333 */
710756a9
RS		 2334 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2335 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2336 &readbytes),
2337 SSL_READ_EARLY_DATA_FINISH)
2338 || !TEST_size_t_eq(readbytes, 0)
2339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2340 SSL_EARLY_DATA_NOT_SENT))
5f982038 2341 goto end;
5f982038
MC		 2342
2343 /* Continue writing the message we started earlier */
710756a9
RS		 2344 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2345 || !TEST_size_t_eq(written, strlen(MSG1))
2346 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2347 SSL_EARLY_DATA_NOT_SENT)
2348 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2349 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2350 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2351 || !TEST_size_t_eq(written, strlen(MSG2))
2352 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2353 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2354 goto end;
5f982038
MC		 2355
2356 testresult = 1;
2357
2358 end:
57dee9bb
MC		 2359 /* If using PSK then clientpsk and sess are the same */
2360 SSL_SESSION_free(clientpsk);
2361 SSL_SESSION_free(serverpsk);
2362 clientpsk = serverpsk = NULL;
5f982038
MC		 2363 SSL_free(serverssl);
2364 SSL_free(clientssl);
2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369}
ca0413ae
MC		 2370# endif /* OPENSSL_NO_TLS1_2 */
2371
2372static int test_ciphersuite_change(void)
2373{
2374 SSL_CTX *cctx = NULL, *sctx = NULL;
2375 SSL *clientssl = NULL, *serverssl = NULL;
2376 SSL_SESSION *clntsess = NULL;
2377 int testresult = 0;
2378 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2379
2380 /* Create a session based on SHA-256 */
2381 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2382 TLS_client_method(), &sctx,
2383 &cctx, cert, privkey))
2384 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2385 "TLS13-AES-128-GCM-SHA256"))
2386 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2387 &clientssl, NULL, NULL))
2388 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2389 SSL_ERROR_NONE)))
2390 goto end;
2391
2392 clntsess = SSL_get1_session(clientssl);
2393 /* Save for later */
2394 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2395 SSL_shutdown(clientssl);
2396 SSL_shutdown(serverssl);
2397 SSL_free(serverssl);
2398 SSL_free(clientssl);
2399 serverssl = clientssl = NULL;
2400
71cff963 2401# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae
MC		 2402 /* Check we can resume a session with a different SHA-256 ciphersuite */
2403 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2404 "TLS13-CHACHA20-POLY1305-SHA256"))
2405 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2406 NULL, NULL))
2407 || !TEST_true(SSL_set_session(clientssl, clntsess))
2408 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2409 SSL_ERROR_NONE))
2410 || !TEST_true(SSL_session_reused(clientssl)))
2411 goto end;
2412
2413 SSL_SESSION_free(clntsess);
2414 clntsess = SSL_get1_session(clientssl);
2415 SSL_shutdown(clientssl);
2416 SSL_shutdown(serverssl);
2417 SSL_free(serverssl);
2418 SSL_free(clientssl);
2419 serverssl = clientssl = NULL;
71cff963 2420# endif
ca0413ae
MC		 2421
2422 /*
2423 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2424 * succeeds but does not resume.
ca0413ae
MC		 2425 */
2426 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2427 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2428 NULL, NULL))
2429 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2431 SSL_ERROR_SSL))
0de6d66d 2432 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2433 goto end;
2434
2435 SSL_SESSION_free(clntsess);
2436 clntsess = NULL;
2437 SSL_shutdown(clientssl);
2438 SSL_shutdown(serverssl);
2439 SSL_free(serverssl);
2440 SSL_free(clientssl);
2441 serverssl = clientssl = NULL;
2442
2443 /* Create a session based on SHA384 */
2444 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2445 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2446 &clientssl, NULL, NULL))
2447 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2448 SSL_ERROR_NONE)))
2449 goto end;
2450
2451 clntsess = SSL_get1_session(clientssl);
2452 SSL_shutdown(clientssl);
2453 SSL_shutdown(serverssl);
2454 SSL_free(serverssl);
2455 SSL_free(clientssl);
2456 serverssl = clientssl = NULL;
2457
2458 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2459 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
0de6d66d
MC		 2460 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2461 "TLS13-AES-256-GCM-SHA384"))
ca0413ae
MC		 2462 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2463 NULL, NULL))
2464 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2465 /*
2466 * We use SSL_ERROR_WANT_READ below so that we can pause the
2467 * connection after the initial ClientHello has been sent to
2468 * enable us to make some session changes.
2469 */
ca0413ae
MC		 2470 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2471 SSL_ERROR_WANT_READ)))
2472 goto end;
2473
2474 /* Trick the client into thinking this session is for a different digest */
2475 clntsess->cipher = aes_128_gcm_sha256;
2476 clntsess->cipher_id = clntsess->cipher->id;
2477
2478 /*
3b0e88d3
MC		 2479 * Continue the previously started connection. Server has selected a SHA-384
2480 * ciphersuite, but client thinks the session is for SHA-256, so it should
2481 * bail out.
ca0413ae
MC		 2482 */
2483 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2484 SSL_ERROR_SSL))
2485 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2486 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2487 goto end;
2488
2489 testresult = 1;
2490
2491 end:
2492 SSL_SESSION_free(clntsess);
2493 SSL_free(serverssl);
2494 SSL_free(clientssl);
2495 SSL_CTX_free(sctx);
2496 SSL_CTX_free(cctx);
2497
2498 return testresult;
2499}
2500
532f9578 2501static int test_tls13_psk(int idx)
ca8c71ba
MC		 2502{
2503 SSL_CTX *sctx = NULL, *cctx = NULL;
2504 SSL *serverssl = NULL, *clientssl = NULL;
2505 const SSL_CIPHER *cipher = NULL;
2506 const unsigned char key[] = {
2507 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2508 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2509 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2510 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2511 };
2512 int testresult = 0;
2513
2514 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2515 TLS_client_method(), &sctx,
2516 &cctx, cert, privkey)))
2517 goto end;
2518
532f9578
MC		 2519 /*
2520 * We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
2521 * which will always default to SHA256
2522 */
2523 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-128-GCM-SHA256")))
2524 goto end;
2525
2526 /*
2527 * Test 0: New style callbacks only
2528 * Test 1: New and old style callbacks (only the new ones should be used)
2529 * Test 2: Old style callbacks only
2530 */
2531 if (idx == 0 || idx == 1) {
2532 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2533 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2534 }
2535 if (idx == 1 || idx == 2) {
2536 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2537 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2538 }
ca8c71ba 2539 srvid = pskid;
02a3ed5a
MC		 2540 use_session_cb_cnt = 0;
2541 find_session_cb_cnt = 0;
532f9578
MC		 2542 psk_client_cb_cnt = 0;
2543 psk_server_cb_cnt = 0;
ca8c71ba
MC		 2544
2545 /* Check we can create a connection if callback decides not to send a PSK */
2546 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2547 NULL, NULL))
2548 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2549 SSL_ERROR_NONE))
2550 || !TEST_false(SSL_session_reused(clientssl))
532f9578 2551 || !TEST_false(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2552 goto end;
2553
532f9578
MC		 2554 if (idx == 0 || idx == 1) {
2555 if (!TEST_true(use_session_cb_cnt == 1)
2556 || !TEST_true(find_session_cb_cnt == 0)
2557 /*
2558 * If no old style callback then below should be 0
2559 * otherwise 1
2560 */
2561 || !TEST_true(psk_client_cb_cnt == idx)
2562 || !TEST_true(psk_server_cb_cnt == 0))
2563 goto end;
2564 } else {
2565 if (!TEST_true(use_session_cb_cnt == 0)
2566 || !TEST_true(find_session_cb_cnt == 0)
2567 || !TEST_true(psk_client_cb_cnt == 1)
2568 || !TEST_true(psk_server_cb_cnt == 0))
2569 goto end;
2570 }
2571
ca8c71ba
MC		 2572 shutdown_ssl_connection(serverssl, clientssl);
2573 serverssl = clientssl = NULL;
532f9578 2574 use_session_cb_cnt = psk_client_cb_cnt = 0;
ca8c71ba
MC		 2575
2576 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2577 NULL, NULL)))
2578 goto end;
2579
2580 /* Create the PSK */
532f9578 2581 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 2582 clientpsk = SSL_SESSION_new();
2583 if (!TEST_ptr(clientpsk)
ca8c71ba 2584 || !TEST_ptr(cipher)
57dee9bb
MC		 2585 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2586 sizeof(key)))
2587 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2588 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2589 TLS1_3_VERSION))
2590 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 2591 goto end;
57dee9bb 2592 serverpsk = clientpsk;
ca8c71ba
MC		 2593
2594 /* Check we can create a connection and the PSK is used */
2595 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2596 || !TEST_true(SSL_session_reused(clientssl))
532f9578 2597 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2598 goto end;
2599
532f9578
MC		 2600 if (idx == 0 || idx == 1) {
2601 if (!TEST_true(use_session_cb_cnt == 1)
2602 || !TEST_true(find_session_cb_cnt == 1)
2603 || !TEST_true(psk_client_cb_cnt == 0)
2604 || !TEST_true(psk_server_cb_cnt == 0))
2605 goto end;
2606 } else {
2607 if (!TEST_true(use_session_cb_cnt == 0)
2608 || !TEST_true(find_session_cb_cnt == 0)
2609 || !TEST_true(psk_client_cb_cnt == 1)
2610 || !TEST_true(psk_server_cb_cnt == 1))
2611 goto end;
2612 }
2613
ca8c71ba
MC		 2614 shutdown_ssl_connection(serverssl, clientssl);
2615 serverssl = clientssl = NULL;
2616 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 2617 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 2618
2619 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2620 NULL, NULL)))
2621 goto end;
2622
2623 /* Force an HRR */
2624 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2625 goto end;
2626
2627 /*
2628 * Check we can create a connection, the PSK is used and the callbacks are
2629 * called twice.
2630 */
2631 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2632 || !TEST_true(SSL_session_reused(clientssl))
532f9578 2633 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2634 goto end;
2635
532f9578
MC		 2636 if (idx == 0 || idx == 1) {
2637 if (!TEST_true(use_session_cb_cnt == 2)
2638 || !TEST_true(find_session_cb_cnt == 2)
2639 || !TEST_true(psk_client_cb_cnt == 0)
2640 || !TEST_true(psk_server_cb_cnt == 0))
2641 goto end;
2642 } else {
2643 if (!TEST_true(use_session_cb_cnt == 0)
2644 || !TEST_true(find_session_cb_cnt == 0)
2645 || !TEST_true(psk_client_cb_cnt == 2)
2646 || !TEST_true(psk_server_cb_cnt == 2))
2647 goto end;
2648 }
2649
ca8c71ba
MC		 2650 shutdown_ssl_connection(serverssl, clientssl);
2651 serverssl = clientssl = NULL;
2652 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 2653 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 2654
2655 /*
2656 * Check that if the server rejects the PSK we can still connect, but with
2657 * a full handshake
2658 */
2659 srvid = "Dummy Identity";
2660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2661 NULL, NULL))
2662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2663 SSL_ERROR_NONE))
2664 || !TEST_false(SSL_session_reused(clientssl))
532f9578 2665 || !TEST_false(SSL_session_reused(serverssl)))
ca8c71ba
MC		 2666 goto end;
2667
532f9578
MC		 2668 if (idx == 0 || idx == 1) {
2669 if (!TEST_true(use_session_cb_cnt == 1)
2670 || !TEST_true(find_session_cb_cnt == 1)
2671 || !TEST_true(psk_client_cb_cnt == 0)
2672 /*
2673 * If no old style callback then below should be 0
2674 * otherwise 1
2675 */
2676 || !TEST_true(psk_server_cb_cnt == idx))
2677 goto end;
2678 } else {
2679 if (!TEST_true(use_session_cb_cnt == 0)
2680 || !TEST_true(find_session_cb_cnt == 0)
2681 || !TEST_true(psk_client_cb_cnt == 1)
2682 || !TEST_true(psk_server_cb_cnt == 1))
2683 goto end;
2684 }
2685
ca8c71ba
MC		 2686 shutdown_ssl_connection(serverssl, clientssl);
2687 serverssl = clientssl = NULL;
2688 testresult = 1;
2689
2690 end:
57dee9bb
MC		 2691 SSL_SESSION_free(clientpsk);
2692 SSL_SESSION_free(serverpsk);
2693 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 2694 SSL_free(serverssl);
2695 SSL_free(clientssl);
2696 SSL_CTX_free(sctx);
2697 SSL_CTX_free(cctx);
2698 return testresult;
2699}
2700
c7b8ff25
MC		 2701static unsigned char cookie_magic_value[] = "cookie magic";
2702
2703static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2704 unsigned int *cookie_len)
2705{
2706 /*
2707 * Not suitable as a real cookie generation function but good enough for
2708 * testing!
2709 */
97ea1e7f
MC		 2710 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2711 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 2712
2713 return 1;
2714}
2715
2716static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2717 unsigned int cookie_len)
2718{
97ea1e7f 2719 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 2720 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2721 return 1;
2722
2723 return 0;
2724}
2725
2726static int test_stateless(void)
2727{
2728 SSL_CTX *sctx = NULL, *cctx = NULL;
2729 SSL *serverssl = NULL, *clientssl = NULL;
2730 int testresult = 0;
2731
2732 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2733 TLS_client_method(), &sctx,
2734 &cctx, cert, privkey)))
2735 goto end;
2736
e440f513
MC		 2737 /* The arrival of CCS messages can confuse the test */
2738 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2739
2740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2741 NULL, NULL))
2742 /* Send the first ClientHello */
2743 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2744 SSL_ERROR_WANT_READ))
2745 /*
2746 * This should fail with a -1 return because we have no callbacks
2747 * set up
2748 */
2749 || !TEST_int_eq(SSL_stateless(serverssl), -1))
2750 goto end;
2751
2752 /* Fatal error so abandon the connection from this client */
2753 SSL_free(clientssl);
2754 clientssl = NULL;
2755
c7b8ff25
MC		 2756 /* Set up the cookie generation and verification callbacks */
2757 SSL_CTX_set_cookie_generate_cb(sctx, generate_cookie_callback);
2758 SSL_CTX_set_cookie_verify_cb(sctx, verify_cookie_callback);
2759
e440f513
MC		 2760 /*
2761 * Create a new connection from the client (we can reuse the server SSL
2762 * object).
2763 */
c7b8ff25
MC		 2764 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2765 NULL, NULL))
2766 /* Send the first ClientHello */
2767 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2768 SSL_ERROR_WANT_READ))
2769 /* This should fail because there is no cookie */
e440f513 2770 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 2771 goto end;
2772
2773 /* Abandon the connection from this client */
2774 SSL_free(clientssl);
2775 clientssl = NULL;
2776
2777 /*
2778 * Now create a connection from a new client but with the same server SSL
2779 * object
2780 */
2781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2782 NULL, NULL))
2783 /* Send the first ClientHello */
2784 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2785 SSL_ERROR_WANT_READ))
2786 /* This should fail because there is no cookie */
e440f513 2787 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 2788 /* Send the second ClientHello */
2789 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2790 SSL_ERROR_WANT_READ))
2791 /* This should succeed because a cookie is now present */
e440f513 2792 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 2793 /* Complete the connection */
2794 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2795 SSL_ERROR_NONE)))
2796 goto end;
2797
2798 shutdown_ssl_connection(serverssl, clientssl);
2799 serverssl = clientssl = NULL;
2800 testresult = 1;
2801
2802 end:
2803 SSL_free(serverssl);
2804 SSL_free(clientssl);
2805 SSL_CTX_free(sctx);
2806 SSL_CTX_free(cctx);
2807 return testresult;
2808
2809}
ca0413ae 2810#endif /* OPENSSL_NO_TLS1_3 */
5f982038 2811
a37008d9
MC		 2812static int clntaddoldcb = 0;
2813static int clntparseoldcb = 0;
2814static int srvaddoldcb = 0;
2815static int srvparseoldcb = 0;
2816static int clntaddnewcb = 0;
2817static int clntparsenewcb = 0;
2818static int srvaddnewcb = 0;
2819static int srvparsenewcb = 0;
bb01ef3f 2820static int snicb = 0;
a37008d9
MC		 2821
2822#define TEST_EXT_TYPE1 0xff00
2823
2824static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2825 size_t *outlen, int *al, void *add_arg)
2826{
2827 int *server = (int *)add_arg;
2828 unsigned char *data;
2829
2830 if (SSL_is_server(s))
2831 srvaddoldcb++;
2832 else
2833 clntaddoldcb++;
2834
710756a9
RS		 2835 if (*server != SSL_is_server(s)
2836 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2837 return -1;
2838
2839 *data = 1;
2840 *out = data;
2841 *outlen = sizeof(char);
a37008d9
MC		 2842 return 1;
2843}
2844
2845static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2846 void *add_arg)
2847{
2848 OPENSSL_free((unsigned char *)out);
2849}
2850
2851static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2852 size_t inlen, int *al, void *parse_arg)
2853{
2854 int *server = (int *)parse_arg;
2855
2856 if (SSL_is_server(s))
2857 srvparseoldcb++;
2858 else
2859 clntparseoldcb++;
2860
710756a9
RS		 2861 if (*server != SSL_is_server(s)
2862 || inlen != sizeof(char)
2863 || *in != 1)
a37008d9
MC		 2864 return -1;
2865
2866 return 1;
2867}
2868
2869static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2870 const unsigned char **out, size_t *outlen, X509 *x,
2871 size_t chainidx, int *al, void *add_arg)
2872{
2873 int *server = (int *)add_arg;
2874 unsigned char *data;
2875
2876 if (SSL_is_server(s))
2877 srvaddnewcb++;
2878 else
2879 clntaddnewcb++;
2880
710756a9
RS		 2881 if (*server != SSL_is_server(s)
2882 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2883 return -1;
2884
2885 *data = 1;
2886 *out = data;
710756a9 2887 *outlen = sizeof(*data);
a37008d9
MC		 2888 return 1;
2889}
2890
2891static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2892 const unsigned char *out, void *add_arg)
2893{
2894 OPENSSL_free((unsigned char *)out);
2895}
2896
2897static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2898 const unsigned char *in, size_t inlen, X509 *x,
2899 size_t chainidx, int *al, void *parse_arg)
2900{
2901 int *server = (int *)parse_arg;
2902
2903 if (SSL_is_server(s))
2904 srvparsenewcb++;
2905 else
2906 clntparsenewcb++;
2907
710756a9
RS		 2908 if (*server != SSL_is_server(s)
2909 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 2910 return -1;
2911
2912 return 1;
2913}
bb01ef3f
MC		 2914
2915static int sni_cb(SSL *s, int *al, void *arg)
2916{
2917 SSL_CTX *ctx = (SSL_CTX *)arg;
2918
2919 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2920 *al = SSL_AD_INTERNAL_ERROR;
2921 return SSL_TLSEXT_ERR_ALERT_FATAL;
2922 }
2923 snicb++;
2924 return SSL_TLSEXT_ERR_OK;
2925}
2926
a37008d9
MC		 2927/*
2928 * Custom call back tests.
2929 * Test 0: Old style callbacks in TLSv1.2
2930 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 2931 * Test 2: New style callbacks in TLSv1.2 with SNI
2932 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2933 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 2934 */
710756a9
RS		 2935static int test_custom_exts(int tst)
2936{
bb01ef3f 2937 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 2938 SSL *clientssl = NULL, *serverssl = NULL;
2939 int testresult = 0;
2940 static int server = 1;
2941 static int client = 0;
2942 SSL_SESSION *sess = NULL;
2943 unsigned int context;
2944
c423ecaa
MC		 2945#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
2946 /* Skip tests for TLSv1.2 and below in this case */
2947 if (tst < 3)
2948 return 1;
2949#endif
2950
a37008d9
MC		 2951 /* Reset callback counters */
2952 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2953 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 2954 snicb = 0;
a37008d9 2955
710756a9
RS		 2956 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2957 TLS_client_method(), &sctx,
2958 &cctx, cert, privkey)))
2959 goto end;
a37008d9 2960
bb01ef3f
MC		 2961 if (tst == 2
2962 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2963 NULL, cert, privkey)))
2964 goto end;
2965
2966
2967 if (tst < 3) {
a37008d9
MC		 2968 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2969 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 2970 if (sctx2 != NULL)
2971 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 2972 }
2973
bb01ef3f 2974 if (tst == 4) {
710756a9
RS		 2975 context = SSL_EXT_CLIENT_HELLO
2976 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 2977 | SSL_EXT_TLS1_3_SERVER_HELLO
2978 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2979 | SSL_EXT_TLS1_3_CERTIFICATE
2980 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2981 } else {
710756a9
RS		 2982 context = SSL_EXT_CLIENT_HELLO
2983 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 2984 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2985 }
2986
2987 /* Create a client side custom extension */
2988 if (tst == 0) {
710756a9
RS		 2989 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2990 old_add_cb, old_free_cb,
2991 &client, old_parse_cb,
2992 &client)))
2993 goto end;
a37008d9 2994 } else {
710756a9
RS		 2995 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2996 new_add_cb, new_free_cb,
2997 &client, new_parse_cb, &client)))
2998 goto end;
a37008d9
MC		 2999 }
3000
3001 /* Should not be able to add duplicates */
710756a9
RS		 3002 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3003 old_add_cb, old_free_cb,
3004 &client, old_parse_cb,
3005 &client))
3006 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3007 context, new_add_cb,
3008 new_free_cb, &client,
3009 new_parse_cb, &client)))
3010 goto end;
a37008d9
MC		 3011
3012 /* Create a server side custom extension */
3013 if (tst == 0) {
710756a9
RS		 3014 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3015 old_add_cb, old_free_cb,
3016 &server, old_parse_cb,
3017 &server)))
3018 goto end;
a37008d9 3019 } else {
710756a9
RS		 3020 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3021 new_add_cb, new_free_cb,
3022 &server, new_parse_cb, &server)))
3023 goto end;
bb01ef3f
MC		 3024 if (sctx2 != NULL
3025 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3026 context, new_add_cb,
3027 new_free_cb, &server,
3028 new_parse_cb, &server)))
3029 goto end;
a37008d9
MC		 3030 }
3031
3032 /* Should not be able to add duplicates */
710756a9
RS		 3033 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3034 old_add_cb, old_free_cb,
3035 &server, old_parse_cb,
3036 &server))
3037 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3038 context, new_add_cb,
3039 new_free_cb, &server,
3040 new_parse_cb, &server)))
a37008d9 3041 goto end;
a37008d9 3042
bb01ef3f
MC		 3043 if (tst == 2) {
3044 /* Set up SNI */
3045 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3046 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3047 goto end;
3048 }
3049
710756a9
RS		 3050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3051 &clientssl, NULL, NULL))
3052 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3053 SSL_ERROR_NONE)))
a37008d9 3054 goto end;
a37008d9
MC		 3055
3056 if (tst == 0) {
710756a9
RS		 3057 if (clntaddoldcb != 1
3058 || clntparseoldcb != 1
3059 || srvaddoldcb != 1
3060 || srvparseoldcb != 1)
a37008d9 3061 goto end;
bb01ef3f 3062 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3063 if (clntaddnewcb != 1
3064 || clntparsenewcb != 1
3065 || srvaddnewcb != 1
bb01ef3f
MC		 3066 || srvparsenewcb != 1
3067 || (tst != 2 && snicb != 0)
3068 || (tst == 2 && snicb != 1))
a37008d9 3069 goto end;
a37008d9 3070 } else {
710756a9
RS		 3071 if (clntaddnewcb != 1
3072 || clntparsenewcb != 4
3073 || srvaddnewcb != 4
3074 || srvparsenewcb != 1)
a37008d9 3075 goto end;
a37008d9
MC		 3076 }
3077
3078 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3079 SSL_shutdown(clientssl);
3080 SSL_shutdown(serverssl);
a37008d9
MC		 3081 SSL_free(serverssl);
3082 SSL_free(clientssl);
3083 serverssl = clientssl = NULL;
3084
bb01ef3f
MC		 3085 if (tst == 3) {
3086 /* We don't bother with the resumption aspects for this test */
3087 testresult = 1;
3088 goto end;
3089 }
3090
710756a9
RS		 3091 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3092 NULL, NULL))
3093 || !TEST_true(SSL_set_session(clientssl, sess))
3094 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3095 SSL_ERROR_NONE)))
a37008d9 3096 goto end;
a37008d9
MC		 3097
3098 /*
3099 * For a resumed session we expect to add the ClientHello extension. For the
3100 * old style callbacks we ignore it on the server side because they set
3101 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3102 * them.
3103 */
3104 if (tst == 0) {
710756a9
RS		 3105 if (clntaddoldcb != 2
3106 || clntparseoldcb != 1
3107 || srvaddoldcb != 1
3108 || srvparseoldcb != 1)
a37008d9 3109 goto end;
bb01ef3f 3110 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3111 if (clntaddnewcb != 2
3112 || clntparsenewcb != 2
3113 || srvaddnewcb != 2
3114 || srvparsenewcb != 2)
a37008d9 3115 goto end;
a37008d9
MC		 3116 } else {
3117 /* No Certificate message extensions in the resumption handshake */
710756a9
RS		 3118 if (clntaddnewcb != 2
3119 || clntparsenewcb != 7
3120 || srvaddnewcb != 7
3121 || srvparsenewcb != 2)
a37008d9 3122 goto end;
a37008d9
MC		 3123 }
3124
3125 testresult = 1;
3126
3127end:
3128 SSL_SESSION_free(sess);
3129 SSL_free(serverssl);
3130 SSL_free(clientssl);
bb01ef3f 3131 SSL_CTX_free(sctx2);
a37008d9
MC		 3132 SSL_CTX_free(sctx);
3133 SSL_CTX_free(cctx);
a37008d9
MC		 3134 return testresult;
3135}
3136
16afd71c
MC		 3137/*
3138 * Test loading of serverinfo data in various formats. test_sslmessages actually
3139 * tests to make sure the extensions appear in the handshake
3140 */
3141static int test_serverinfo(int tst)
3142{
3143 unsigned int version;
3144 unsigned char *sibuf;
3145 size_t sibuflen;
3146 int ret, expected, testresult = 0;
3147 SSL_CTX *ctx;
3148
3149 ctx = SSL_CTX_new(TLS_method());
3150 if (!TEST_ptr(ctx))
3151 goto end;
3152
3153 if ((tst & 0x01) == 0x01)
3154 version = SSL_SERVERINFOV2;
3155 else
3156 version = SSL_SERVERINFOV1;
3157
3158 if ((tst & 0x02) == 0x02) {
3159 sibuf = serverinfov2;
3160 sibuflen = sizeof(serverinfov2);
3161 expected = (version == SSL_SERVERINFOV2);
3162 } else {
3163 sibuf = serverinfov1;
3164 sibuflen = sizeof(serverinfov1);
3165 expected = (version == SSL_SERVERINFOV1);
3166 }
3167
3168 if ((tst & 0x04) == 0x04) {
3169 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3170 } else {
3171 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3172
3173 /*
3174 * The version variable is irrelevant in this case - it's what is in the
3175 * buffer that matters
3176 */
3177 if ((tst & 0x02) == 0x02)
3178 expected = 0;
3179 else
3180 expected = 1;
3181 }
3182
3183 if (!TEST_true(ret == expected))
3184 goto end;
3185
3186 testresult = 1;
3187
3188 end:
3189 SSL_CTX_free(ctx);
3190
3191 return testresult;
3192}
3193
2197d1df
MC		 3194/*
3195 * Test that SSL_export_keying_material() produces expected results. There are
3196 * no test vectors so all we do is test that both sides of the communication
3197 * produce the same results for different protocol versions.
3198 */
3199static int test_export_key_mat(int tst)
3200{
a599574b 3201 int testresult = 0;
2197d1df
MC		 3202 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3203 SSL *clientssl = NULL, *serverssl = NULL;
3204 const char label[] = "test label";
3205 const unsigned char context[] = "context";
3206 const unsigned char *emptycontext = NULL;
3207 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3208 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3209 const int protocols[] = {
3210 TLS1_VERSION,
3211 TLS1_1_VERSION,
3212 TLS1_2_VERSION,
3213 TLS1_3_VERSION
3214 };
2197d1df
MC		 3215
3216#ifdef OPENSSL_NO_TLS1
3217 if (tst == 0)
3218 return 1;
3219#endif
3220#ifdef OPENSSL_NO_TLS1_1
3221 if (tst == 1)
3222 return 1;
3223#endif
3224#ifdef OPENSSL_NO_TLS1_2
3225 if (tst == 2)
3226 return 1;
3227#endif
3228#ifdef OPENSSL_NO_TLS1_3
3229 if (tst == 3)
3230 return 1;
3231#endif
3232 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3233 TLS_client_method(), &sctx,
3234 &cctx, cert, privkey)))
3235 goto end;
3236
a599574b
MC		 3237 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3238 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3239 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3240
3241 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3242 NULL))
3243 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3244 SSL_ERROR_NONE)))
3245 goto end;
3246
3247 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3248 sizeof(ckeymat1), label,
3249 sizeof(label) - 1, context,
3250 sizeof(context) - 1, 1), 1)
3251 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3252 sizeof(ckeymat2), label,
3253 sizeof(label) - 1,
3254 emptycontext,
3255 0, 1), 1)
3256 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3257 sizeof(ckeymat3), label,
3258 sizeof(label) - 1,
3259 NULL, 0, 0), 1)
3260 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3261 sizeof(skeymat1), label,
3262 sizeof(label) - 1,
3263 context,
3264 sizeof(context) -1, 1),
3265 1)
3266 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3267 sizeof(skeymat2), label,
3268 sizeof(label) - 1,
3269 emptycontext,
3270 0, 1), 1)
3271 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3272 sizeof(skeymat3), label,
3273 sizeof(label) - 1,
3274 NULL, 0, 0), 1)
3275 /*
3276 * Check that both sides created the same key material with the
3277 * same context.
3278 */
3279 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3280 sizeof(skeymat1))
3281 /*
3282 * Check that both sides created the same key material with an
3283 * empty context.
3284 */
3285 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3286 sizeof(skeymat2))
3287 /*
3288 * Check that both sides created the same key material without a
3289 * context.
3290 */
3291 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3292 sizeof(skeymat3))
3293 /* Different contexts should produce different results */
3294 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3295 sizeof(ckeymat2)))
3296 goto end;
3297
3298 /*
3299 * Check that an empty context and no context produce different results in
3300 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3301 */
3302 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3303 sizeof(ckeymat3)))
3304 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3305 sizeof(ckeymat3))))
3306 goto end;
3307
3308 testresult = 1;
3309
3310 end:
3311 SSL_free(serverssl);
3312 SSL_free(clientssl);
3313 SSL_CTX_free(sctx2);
3314 SSL_CTX_free(sctx);
3315 SSL_CTX_free(cctx);
3316
3317 return testresult;
3318}
3319
b38ede80
TT		 3320#ifndef OPENSSL_NO_TLS1_3
3321/*
3322 * Test that SSL_export_keying_material_early() produces expected
3323 * results. There are no test vectors so all we do is test that both
3324 * sides of the communication produce the same results for different
3325 * protocol versions.
3326 */
3327static int test_export_key_mat_early(int idx)
3328{
3329 static const char label[] = "test label";
3330 static const unsigned char context[] = "context";
3331 int testresult = 0;
3332 SSL_CTX *cctx = NULL, *sctx = NULL;
3333 SSL *clientssl = NULL, *serverssl = NULL;
3334 SSL_SESSION *sess = NULL;
3335 const unsigned char *emptycontext = NULL;
3336 unsigned char ckeymat1[80], ckeymat2[80];
3337 unsigned char skeymat1[80], skeymat2[80];
3338 unsigned char buf[1];
3339 size_t readbytes, written;
3340
3341 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3342 &sess, idx)))
3343 goto end;
3344
3345 /* Here writing 0 length early data is enough. */
3346 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3347 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3348 &readbytes),
3349 SSL_READ_EARLY_DATA_ERROR)
3350 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3351 SSL_EARLY_DATA_ACCEPTED))
3352 goto end;
3353
3354 if (!TEST_int_eq(SSL_export_keying_material_early(
3355 clientssl, ckeymat1, sizeof(ckeymat1), label,
3356 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3357 || !TEST_int_eq(SSL_export_keying_material_early(
3358 clientssl, ckeymat2, sizeof(ckeymat2), label,
3359 sizeof(label) - 1, emptycontext, 0), 1)
3360 || !TEST_int_eq(SSL_export_keying_material_early(
3361 serverssl, skeymat1, sizeof(skeymat1), label,
3362 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3363 || !TEST_int_eq(SSL_export_keying_material_early(
3364 serverssl, skeymat2, sizeof(skeymat2), label,
3365 sizeof(label) - 1, emptycontext, 0), 1)
3366 /*
3367 * Check that both sides created the same key material with the
3368 * same context.
3369 */
3370 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3371 sizeof(skeymat1))
3372 /*
3373 * Check that both sides created the same key material with an
3374 * empty context.
3375 */
3376 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3377 sizeof(skeymat2))
3378 /* Different contexts should produce different results */
3379 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3380 sizeof(ckeymat2)))
3381 goto end;
3382
3383 testresult = 1;
3384
3385 end:
3386 if (sess != clientpsk)
3387 SSL_SESSION_free(sess);
3388 SSL_SESSION_free(clientpsk);
3389 SSL_SESSION_free(serverpsk);
34ff74eb 3390 clientpsk = serverpsk = NULL;
b38ede80
TT		 3391 SSL_free(serverssl);
3392 SSL_free(clientssl);
3393 SSL_CTX_free(sctx);
3394 SSL_CTX_free(cctx);
3395
3396 return testresult;
3397}
3398#endif /* OPENSSL_NO_TLS1_3 */
3399
e11b6aa4
MC		 3400static int test_ssl_clear(int idx)
3401{
3402 SSL_CTX *cctx = NULL, *sctx = NULL;
3403 SSL *clientssl = NULL, *serverssl = NULL;
3404 int testresult = 0;
3405
3406#ifdef OPENSSL_NO_TLS1_2
3407 if (idx == 1)
3408 return 1;
3409#endif
3410
3411 /* Create an initial connection */
3412 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3413 TLS_client_method(), &sctx,
3414 &cctx, cert, privkey))
3415 || (idx == 1
3416 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3417 TLS1_2_VERSION)))
3418 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3419 &clientssl, NULL, NULL))
3420 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3421 SSL_ERROR_NONE)))
3422 goto end;
3423
3424 SSL_shutdown(clientssl);
3425 SSL_shutdown(serverssl);
3426 SSL_free(serverssl);
3427 serverssl = NULL;
3428
3429 /* Clear clientssl - we're going to reuse the object */
3430 if (!TEST_true(SSL_clear(clientssl)))
3431 goto end;
3432
3433 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3434 NULL, NULL))
3435 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3436 SSL_ERROR_NONE))
3437 || !TEST_true(SSL_session_reused(clientssl)))
3438 goto end;
3439
3440 SSL_shutdown(clientssl);
3441 SSL_shutdown(serverssl);
3442
3443 testresult = 1;
3444
3445 end:
3446 SSL_free(serverssl);
3447 SSL_free(clientssl);
3448 SSL_CTX_free(sctx);
3449 SSL_CTX_free(cctx);
3450
3451 return testresult;
3452}
3453
cf72c757
F		 3454/* Parse CH and retrieve any MFL extension value if present */
3455static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3456{
3457 long len;
3458 unsigned char *data;
3459 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3460 unsigned int MFL_code = 0, type = 0;
3461
3462 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3463 goto end;
3464
3465 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3466 /* Skip the record header */
3467 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3468 /* Skip the handshake message header */
3469 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3470 /* Skip client version and random */
3471 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3472 + SSL3_RANDOM_SIZE))
3473 /* Skip session id */
3474 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3475 /* Skip ciphers */
3476 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3477 /* Skip compression */
3478 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3479 /* Extensions len */
3480 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3481 goto end;
3482
3483 /* Loop through all extensions */
3484 while (PACKET_remaining(&pkt2)) {
3485 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3486 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3487 goto end;
3488
3489 if (type == TLSEXT_TYPE_max_fragment_length) {
3490 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3491 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3492 goto end;
3493
3494 *mfl_codemfl_code = MFL_code;
3495 return 1;
3496 }
3497 }
3498
3499 end:
3500 return 0;
3501}
3502
3503/* Maximum-Fragment-Length TLS extension mode to test */
3504static const unsigned char max_fragment_len_test[] = {
3505 TLSEXT_max_fragment_length_512,
3506 TLSEXT_max_fragment_length_1024,
3507 TLSEXT_max_fragment_length_2048,
3508 TLSEXT_max_fragment_length_4096
3509};
3510
3511static int test_max_fragment_len_ext(int idx_tst)
3512{
3513 SSL_CTX *ctx;
3514 SSL *con = NULL;
3515 int testresult = 0, MFL_mode = 0;
3516 BIO *rbio, *wbio;
3517
3518 ctx = SSL_CTX_new(TLS_method());
3519 if (!TEST_ptr(ctx))
3520 goto end;
3521
3522 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3523 ctx, max_fragment_len_test[idx_tst])))
3524 goto end;
3525
3526 con = SSL_new(ctx);
3527 if (!TEST_ptr(con))
3528 goto end;
3529
3530 rbio = BIO_new(BIO_s_mem());
3531 wbio = BIO_new(BIO_s_mem());
3532 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3533 BIO_free(rbio);
3534 BIO_free(wbio);
3535 goto end;
3536 }
3537
3538 SSL_set_bio(con, rbio, wbio);
3539 SSL_set_connect_state(con);
3540
3541 if (!TEST_int_le(SSL_connect(con), 0)) {
3542 /* This shouldn't succeed because we don't have a server! */
3543 goto end;
3544 }
3545
3546 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3547 /* no MFL in client hello */
3548 goto end;
3549 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3550 goto end;
3551
3552 testresult = 1;
3553
3554end:
3555 SSL_free(con);
3556 SSL_CTX_free(ctx);
3557
3558 return testresult;
3559}
3560
9d75dce3
TS		 3561#ifndef OPENSSL_NO_TLS1_3
3562static int test_pha_key_update(void)
3563{
3564 SSL_CTX *cctx = NULL, *sctx = NULL;
3565 SSL *clientssl = NULL, *serverssl = NULL;
3566 int testresult = 0;
3567
3568 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3569 TLS_client_method(),
3570 &sctx, &cctx, cert, privkey)))
3571 return 0;
3572
3573 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3574 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3575 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3576 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3577 goto end;
3578
3579
3580 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3581 NULL, NULL)))
3582 goto end;
3583
3584 SSL_force_post_handshake_auth(clientssl);
3585
3586 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3587 SSL_ERROR_NONE)))
3588 goto end;
3589
3590 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3591 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3592 goto end;
3593
3594 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3595 goto end;
3596
3597 /* Start handshake on the server */
3598 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3599 goto end;
3600
3601 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3602 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3603 SSL_ERROR_NONE)))
3604 goto end;
3605
3606 SSL_shutdown(clientssl);
3607 SSL_shutdown(serverssl);
3608
3609 testresult = 1;
3610
3611 end:
3612 SSL_free(serverssl);
3613 SSL_free(clientssl);
3614 SSL_CTX_free(sctx);
3615 SSL_CTX_free(cctx);
3616 return testresult;
3617}
3618#endif
3619
ad887416 3620int setup_tests(void)
2cb4b5f6 3621{
ad887416
P		 3622 if (!TEST_ptr(cert = test_get_argument(0))
3623 || !TEST_ptr(privkey = test_get_argument(1)))
710756a9 3624 return 0;
2cb4b5f6 3625
84d5549e 3626 ADD_TEST(test_large_message_tls);
7856332e 3627 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 3628#ifndef OPENSSL_NO_DTLS
84d5549e 3629 ADD_TEST(test_large_message_dtls);
55386bef 3630#endif
8f8c11d8 3631#ifndef OPENSSL_NO_OCSP
c887104f 3632 ADD_TEST(test_tlsext_status_type);
8f8c11d8 3633#endif
eaa776da
MC		 3634 ADD_TEST(test_session_with_only_int_cache);
3635 ADD_TEST(test_session_with_only_ext_cache);
3636 ADD_TEST(test_session_with_both_cache);
7fb4c820 3637 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 3638 ADD_TEST(test_ssl_bio_pop_next_bio);
3639 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3640 ADD_TEST(test_ssl_bio_change_rbio);
3641 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 3642#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 3643 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 3644 ADD_TEST(test_keylog);
c423ecaa 3645#endif
6acdd3e5
CB		 3646#ifndef OPENSSL_NO_TLS1_3
3647 ADD_TEST(test_keylog_no_master_key);
3648#endif
e9ee6536 3649#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 3650 ADD_TEST(test_client_hello_cb);
5f982038
MC		 3651#endif
3652#ifndef OPENSSL_NO_TLS1_3
02a3ed5a
MC		 3653 ADD_ALL_TESTS(test_early_data_read_write, 3);
3654 ADD_ALL_TESTS(test_early_data_skip, 3);
3655 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3656 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 3657 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 3658 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 3659# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 3660 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 3661# endif
e9ee6536 3662#endif
a273157a 3663#ifndef OPENSSL_NO_TLS1_3
ca0413ae 3664 ADD_TEST(test_ciphersuite_change);
532f9578 3665 ADD_ALL_TESTS(test_tls13_psk, 3);
bb01ef3f 3666 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 3667 ADD_TEST(test_stateless);
9d75dce3 3668 ADD_TEST(test_pha_key_update);
a273157a 3669#else
bb01ef3f 3670 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 3671#endif
16afd71c 3672 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 3673 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 3674#ifndef OPENSSL_NO_TLS1_3
3675 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3676#endif
e11b6aa4 3677 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 3678 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
ad887416
P		 3679 return 1;
3680}
2cb4b5f6 3681
ad887416
P		 3682void cleanup_tests(void)
3683{
fa454945 3684 bio_s_mempacket_test_free();
2cb4b5f6 3685}
A mirror of the official openssl repository