]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add a test for the new early data callback
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 26
27static char *cert = NULL;
28static char *privkey = NULL;
76fd7a1d
MC		 29static char *srpvfile = NULL;
30static char *tmpfilename = NULL;
2cb4b5f6 31
cffe973c 32#define LOG_BUFFER_SIZE 2048
6acdd3e5 33static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 34static size_t server_log_buffer_index = 0;
6acdd3e5 35static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 36static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 37static int error_writing_log = 0;
38
8f8c11d8 39#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 40static const unsigned char orespder[] = "Dummy OCSP Response";
41static int ocsp_server_called = 0;
42static int ocsp_client_called = 0;
43
44static int cdummyarg = 1;
45static X509 *ocspcert = NULL;
8f8c11d8 46#endif
ba881d3b 47
84d5549e 48#define NUM_EXTRA_CERTS 40
cf72c757 49#define CLIENT_VERSION_LEN 2
84d5549e 50
f1a5939f
CB		 51/*
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
54 */
55struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
cffe973c 58 unsigned int client_early_secret_count;
f1a5939f
CB		 59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
01a2a654 63 unsigned int early_exporter_secret_count;
6329ce8f 64 unsigned int exporter_secret_count;
f1a5939f
CB		 65};
66
16afd71c
MC		 67
68static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
74static unsigned char serverinfov2[] = {
75 0x00, 0x00, 0x00,
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
80};
81
710756a9
RS		 82static void client_keylog_callback(const SSL *ssl, const char *line)
83{
6acdd3e5
CB		 84 int line_length = strlen(line);
85
86 /* If the log doesn't fit, error out. */
710756a9
RS		 87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
6acdd3e5
CB		 89 error_writing_log = 1;
90 return;
91 }
92
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
710756a9 95 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 96}
97
710756a9
RS		 98static void server_keylog_callback(const SSL *ssl, const char *line)
99{
6acdd3e5
CB		 100 int line_length = strlen(line);
101
102 /* If the log doesn't fit, error out. */
710756a9 103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 104 TEST_info("Server log too full");
6acdd3e5
CB		 105 error_writing_log = 1;
106 return;
107 }
108
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
710756a9 111 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 112}
113
114static int compare_hex_encoded_buffer(const char *hex_encoded,
115 size_t hex_length,
116 const uint8_t *raw,
710756a9
RS		 117 size_t raw_length)
118{
119 size_t i, j;
120 char hexed[3];
6acdd3e5 121
710756a9 122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 123 return 1;
6acdd3e5 124
710756a9 125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 126 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 129 return 1;
6acdd3e5
CB		 130 }
131
132 return 0;
133}
134
135static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 136 const SSL_SESSION *session,
710756a9
RS		 137 struct sslapitest_log_counts *expected)
138{
6acdd3e5
CB		 139 char *token = NULL;
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
cffe973c 146 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
01a2a654 151 unsigned int early_exporter_secret_count = 0;
6329ce8f 152 unsigned int exporter_secret_count = 0;
6acdd3e5 153
710756a9
RS		 154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
6acdd3e5 156 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 157 /*
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 159 * hex-encoded encrypted secret, then the hex-encoded pre-master
160 * secret.
161 */
710756a9 162 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 163 return 0;
710756a9 164 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 165 return 0;
710756a9 166 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 167 return 0;
f1a5939f
CB		 168 /*
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
172 */
173 rsa_key_exchange_count++;
6acdd3e5 174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 175 /*
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 177 * client random, then the hex-encoded master secret.
178 */
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
181 SSL3_RANDOM_SIZE);
710756a9 182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 183 return 0;
6acdd3e5 184
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
710756a9 187 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
f1a5939f 192 return 0;
6acdd3e5 193
710756a9 194 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 195 return 0;
6acdd3e5
CB		 196 master_key_size = SSL_SESSION_get_master_key(session,
197 actual_master_key,
198 master_key_size);
710756a9 199 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 200 return 0;
710756a9
RS		 201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
202 actual_master_key,
203 master_key_size)))
f1a5939f 204 return 0;
f1a5939f 205 master_secret_count++;
cffe973c
PW		 206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 212 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 213 /*
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
218 */
cffe973c
PW		 219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
01a2a654
PW		 229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
6329ce8f
PW		 231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
f1a5939f
CB		 233
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
236 SSL3_RANDOM_SIZE);
710756a9 237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 238 return 0;
f1a5939f 239
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 243 return 0;
710756a9
RS		 244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
f1a5939f
CB		 251
252 /*
253 * TODO(TLS1.3): test that application traffic secrets are what
254 * we expect */
6acdd3e5 255 } else {
710756a9 256 TEST_info("Unexpected token %s\n", token);
f1a5939f 257 return 0;
6acdd3e5 258 }
6acdd3e5
CB		 259 }
260
710756a9
RS		 261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
cffe973c
PW		 266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
710756a9
RS		 268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 275 expected->server_application_secret_count)
01a2a654
PW		 276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
6329ce8f
PW		 278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
710756a9
RS		 280 return 0;
281 return 1;
6acdd3e5
CB		 282}
283
c423ecaa 284#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 285static int test_keylog(void)
286{
6acdd3e5
CB		 287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
289 int testresult = 0;
f1a5939f 290 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 291
292 /* Clean up logging space */
710756a9
RS		 293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
298
710756a9
RS		 299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS_client_method(),
7d7f6834 301 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 302 &sctx, &cctx, cert, privkey)))
6acdd3e5 303 return 0;
6acdd3e5
CB		 304
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308
f0deb4d3 309 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 311 goto end;
f0deb4d3 312
cf10df81
RS		 313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 315 goto end;
6acdd3e5 316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
6acdd3e5 319 goto end;
710756a9 320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
6acdd3e5 323 goto end;
6acdd3e5 324
710756a9
RS		 325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 SSL_ERROR_NONE))
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 333 goto end;
6acdd3e5 334
f1a5939f
CB		 335 /*
336 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 337 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
6acdd3e5 340 */
f1a5939f
CB		 341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
710756a9
RS		 343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
6acdd3e5 345 goto end;
f1a5939f
CB		 346
347 expected.rsa_key_exchange_count = 0;
710756a9
RS		 348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
6acdd3e5 350 goto end;
6acdd3e5
CB		 351
352 testresult = 1;
353
354end:
355 SSL_free(serverssl);
356 SSL_free(clientssl);
357 SSL_CTX_free(sctx);
358 SSL_CTX_free(cctx);
359
360 return testresult;
361}
c423ecaa 362#endif
6acdd3e5
CB		 363
364#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 365static int test_keylog_no_master_key(void)
366{
6acdd3e5
CB		 367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 369 SSL_SESSION *sess = NULL;
6acdd3e5 370 int testresult = 0;
f1a5939f 371 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 372 unsigned char buf[1];
373 size_t readbytes, written;
6acdd3e5
CB		 374
375 /* Clean up logging space */
710756a9
RS		 376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
381
7d7f6834
RL		 382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 386 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 387 return 0;
6acdd3e5 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5
CB		 392
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
6acdd3e5 397
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 414 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
6329ce8f 420 expected.exporter_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
425 &expected)))
6acdd3e5 426 goto end;
6acdd3e5 427
cffe973c
PW		 428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 serverssl = clientssl = NULL;
435
436 /* Reset key log */
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 &readbytes),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 SSL_ERROR_NONE))
454 || !TEST_true(SSL_session_reused(clientssl)))
455 goto end;
456
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
01a2a654 459 expected.early_exporter_secret_count = 1;
cffe973c
PW		 460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
464 &expected)))
465 goto end;
466
6acdd3e5
CB		 467 testresult = 1;
468
469end:
cffe973c 470 SSL_SESSION_free(sess);
6acdd3e5
CB		 471 SSL_free(serverssl);
472 SSL_free(clientssl);
473 SSL_CTX_free(sctx);
474 SSL_CTX_free(cctx);
475
476 return testresult;
477}
478#endif
479
e9ee6536 480#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 481static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 482{
483 int *ctr = arg;
484 const unsigned char *p;
8ea404fb 485 int *exts;
2afaee51
BK		 486 /* We only configure two ciphers, but the SCSV is added automatically. */
487#ifdef OPENSSL_NO_EC
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489#else
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
491 0x2c, 0x00, 0xff};
492#endif
8ea404fb
BK		 493 const int expected_extensions[] = {
494#ifndef OPENSSL_NO_EC
495 11, 10,
496#endif
10ed1b72 497 35, 22, 23, 13};
2afaee51
BK		 498 size_t len;
499
500 /* Make sure we can defer processing and get called back. */
501 if ((*ctr)++ == 0)
f1b97da1 502 return SSL_CLIENT_HELLO_RETRY;
2afaee51 503
a9c0d8be 504 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 506 || !TEST_size_t_eq(
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 508 || !TEST_int_eq(*p, 0))
f1b97da1 509 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 511 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 514 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 515 OPENSSL_free(exts);
f1b97da1 516 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 517 }
518 OPENSSL_free(exts);
f1b97da1 519 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 520}
521
a9c0d8be 522static int test_client_hello_cb(void)
710756a9 523{
2afaee51
BK		 524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
527
7d7f6834
RL		 528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
2afaee51 531 goto end;
a9c0d8be 532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 533
2afaee51
BK		 534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 536
710756a9
RS		 537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 543 /*
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
546 * */
a9c0d8be
DB		 547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
550 SSL_ERROR_NONE)))
2afaee51 551 goto end;
2afaee51
BK		 552
553 testresult = 1;
554
555end:
556 SSL_free(serverssl);
557 SSL_free(clientssl);
558 SSL_CTX_free(sctx);
559 SSL_CTX_free(cctx);
560
561 return testresult;
562}
e9ee6536 563#endif
2afaee51 564
84d5549e 565static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
568 int read_ahead)
84d5549e
MC		 569{
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
572 int testresult = 0;
573 int i;
710756a9 574 BIO *certbio = NULL;
84d5549e
MC		 575 X509 *chaincert = NULL;
576 int certlen;
577
710756a9 578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 579 goto end;
84d5549e 580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 581 BIO_free(certbio);
582 certbio = NULL;
710756a9 583 if (!TEST_ptr(chaincert))
fa454945 584 goto end;
84d5549e 585
7d7f6834
RL		 586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
84d5549e 588 goto end;
84d5549e 589
710756a9 590 if (read_ahead) {
7856332e
MC		 591 /*
592 * Test that read_ahead works correctly when dealing with large
593 * records
594 */
595 SSL_CTX_set_read_ahead(cctx, 1);
596 }
597
84d5549e
MC		 598 /*
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
84d5549e
MC		 604 */
605 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 609 if (!X509_up_ref(chaincert))
84d5549e 610 goto end;
84d5549e 611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 612 X509_free(chaincert);
613 goto end;
614 }
615 }
616
710756a9
RS		 617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 NULL, NULL))
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
84d5549e 621 goto end;
84d5549e 622
4bf08600
MC		 623 /*
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
626 */
710756a9 627 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 628 goto end;
84d5549e 629
4bf08600 630 testresult = 1;
84d5549e
MC		 631 end:
632 X509_free(chaincert);
633 SSL_free(serverssl);
634 SSL_free(clientssl);
635 SSL_CTX_free(sctx);
636 SSL_CTX_free(cctx);
637
638 return testresult;
639}
640
641static int test_large_message_tls(void)
642{
7856332e 643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 644 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 645 0);
646}
647
648static int test_large_message_tls_read_ahead(void)
649{
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 651 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 652 1);
84d5549e
MC		 653}
654
55386bef 655#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 656static int test_large_message_dtls(void)
657{
7856332e
MC		 658 /*
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
660 * read_ahead is set.
661 */
84d5549e 662 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
665 0);
84d5549e 666}
55386bef 667#endif
84d5549e 668
8f8c11d8 669#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 670static int ocsp_server_cb(SSL *s, void *arg)
671{
672 int *argi = (int *)arg;
710756a9 673 unsigned char *copy = NULL;
ba881d3b
MC		 674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
676
677 if (*argi == 2) {
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
688 }
689
710756a9 690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 691 return SSL_TLSEXT_ERR_ALERT_FATAL;
692
710756a9 693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 694 ocsp_server_called = 1;
ba881d3b
MC		 695 return SSL_TLSEXT_ERR_OK;
696}
697
698static int ocsp_client_cb(SSL *s, void *arg)
699{
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
702 size_t len;
703
704 if (*argi != 1 && *argi != 2)
705 return 0;
706
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 708 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 709 return 0;
710
711 ocsp_client_called = 1;
ba881d3b
MC		 712 return 1;
713}
714
2cb4b5f6
MC		 715static int test_tlsext_status_type(void)
716{
ba881d3b
MC		 717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 719 int testresult = 0;
ba881d3b
MC		 720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
722 BIO *certbio = NULL;
2cb4b5f6 723
7d7f6834
RL		 724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
ba881d3b 727 return 0;
2cb4b5f6 728
710756a9 729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 730 goto end;
2cb4b5f6 731
ba881d3b 732 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 733
ba881d3b 734 clientssl = SSL_new(cctx);
710756a9
RS		 735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 740 goto end;
2cb4b5f6 741
ba881d3b
MC		 742 SSL_free(clientssl);
743 clientssl = NULL;
2cb4b5f6 744
710756a9
RS		 745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 747 goto end;
2cb4b5f6 748
ba881d3b 749 clientssl = SSL_new(cctx);
710756a9 750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 751 goto end;
ba881d3b
MC		 752 SSL_free(clientssl);
753 clientssl = NULL;
754
755 /*
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
758 */
ba881d3b
MC		 759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_NONE))
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
ba881d3b 769 goto end;
ba881d3b
MC		 770 SSL_free(serverssl);
771 SSL_free(clientssl);
772 serverssl = NULL;
773 clientssl = NULL;
774
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
778 cdummyarg = 0;
710756a9
RS		 779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE))
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
ba881d3b 786 goto end;
ba881d3b
MC		 787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 serverssl = NULL;
790 clientssl = NULL;
791
792 /*
793 * This time we'll get the client to send an OCSP_RESPID that it will
794 * accept.
795 */
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
798 cdummyarg = 2;
710756a9
RS		 799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
ba881d3b 801 goto end;
ba881d3b
MC		 802
803 /*
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 805 * specific one. We'll use the server cert.
ba881d3b 806 */
710756a9
RS		 807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 NULL, NULL, NULL))
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 814 goto end;
ba881d3b
MC		 815 id = NULL;
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
818 ids = NULL;
819
820 BIO_free(certbio);
821 certbio = NULL;
822
710756a9
RS		 823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE))
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
ba881d3b 827 goto end;
ba881d3b 828
2cb4b5f6
MC		 829 testresult = 1;
830
831 end:
ba881d3b
MC		 832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
838 BIO_free(certbio);
839 X509_free(ocspcert);
840 ocspcert = NULL;
2cb4b5f6
MC		 841
842 return testresult;
843}
8f8c11d8 844#endif
2cb4b5f6 845
bf208d95 846#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 847static int new_called, remove_called, get_called;
eaa776da 848
eaa776da
MC		 849static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
850{
851 new_called++;
c0537ebd
MC		 852 /*
853 * sess has been up-refed for us, but we don't actually need it so free it
854 * immediately.
855 */
856 SSL_SESSION_free(sess);
eaa776da
MC		 857 return 1;
858}
859
860static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
861{
862 remove_called++;
863}
864
7a301f08
MC		 865static SSL_SESSION *get_sess_val = NULL;
866
867static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
868 int *copy)
869{
0afca811 870 get_called++;
7a301f08
MC		 871 *copy = 1;
872 return get_sess_val;
873}
874
7a301f08
MC		 875static int execute_test_session(int maxprot, int use_int_cache,
876 int use_ext_cache)
2cb4b5f6
MC		 877{
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 881# ifndef OPENSSL_NO_TLS1_1
eaa776da 882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 883# endif
2cb4b5f6 884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 885 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 886
7e885b7b
P		 887 new_called = remove_called = 0;
888
36ff232c
MC		 889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
891 numnewsesstick = 2;
892
7d7f6834
RL		 893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
2cb4b5f6 896 return 0;
2cb4b5f6 897
7a301f08
MC		 898 /*
899 * Only allow the max protocol version so we can force a connection failure
900 * later
901 */
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 904
905 /* Set up session cache */
7e885b7b 906 if (use_ext_cache) {
eaa776da
MC		 907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
909 }
7e885b7b 910 if (use_int_cache) {
eaa776da
MC		 911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
913 } else {
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
917 }
2cb4b5f6 918
710756a9
RS		 919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
920 NULL, NULL))
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
922 SSL_ERROR_NONE))
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
710756a9 926 /* Should fail because it should already be in the cache */
7e885b7b 927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 928 goto end;
7a301f08 929 if (use_ext_cache
36ff232c
MC		 930 && (!TEST_int_eq(new_called, numnewsesstick)
931
932 || !TEST_int_eq(remove_called, 0)))
b4982125 933 goto end;
b4982125 934
c0537ebd
MC		 935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
940 SSL_ERROR_NONE))
941 || !TEST_true(SSL_session_reused(clientssl2)))
942 goto end;
943
7a301f08
MC		 944 if (maxprot == TLS1_3_VERSION) {
945 /*
946 * In TLSv1.3 we should have created a new session even though we have
36ff232c 947 * resumed.
7a301f08
MC		 948 */
949 if (use_ext_cache
950 && (!TEST_int_eq(new_called, 1)
36ff232c 951 || !TEST_int_eq(remove_called, 0)))
7a301f08
MC		 952 goto end;
953 } else {
954 /*
955 * In TLSv1.2 we expect to have resumed so no sessions added or
956 * removed.
957 */
958 if (use_ext_cache
959 && (!TEST_int_eq(new_called, 0)
960 || !TEST_int_eq(remove_called, 0)))
961 goto end;
962 }
c0537ebd
MC		 963
964 SSL_SESSION_free(sess1);
965 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
966 goto end;
967 shutdown_ssl_connection(serverssl2, clientssl2);
968 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 969
970 new_called = remove_called = 0;
710756a9
RS		 971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
972 &clientssl2, NULL, NULL))
973 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
974 SSL_ERROR_NONE)))
2cb4b5f6 975 goto end;
2cb4b5f6 976
710756a9 977 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 978 goto end;
2cb4b5f6 979
7a301f08 980 if (use_ext_cache
36ff232c
MC		 981 && (!TEST_int_eq(new_called, numnewsesstick)
982 || !TEST_int_eq(remove_called, 0)))
eaa776da 983 goto end;
eaa776da 984
c0537ebd 985 new_called = remove_called = 0;
2cb4b5f6 986 /*
710756a9
RS		 987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
2cb4b5f6 989 */
710756a9 990 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 991 goto end;
7a301f08
MC		 992 if (use_ext_cache
993 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 994 goto end;
710756a9 995 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 996 goto end;
2cb4b5f6 997
7e885b7b 998 if (use_int_cache) {
710756a9
RS		 999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1001 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1002 goto end;
eaa776da
MC		 1003 }
1004
c0537ebd 1005 new_called = remove_called = 0;
eaa776da 1006 /* This shouldn't be in the cache so should fail */
710756a9 1007 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1008 goto end;
2cb4b5f6 1009
7a301f08
MC		 1010 if (use_ext_cache
1011 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1012 goto end;
2cb4b5f6 1013
bf208d95 1014# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1015 new_called = remove_called = 0;
eaa776da
MC		 1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1019 &clientssl3, NULL, NULL))
1020 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1021 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1022 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1023 SSL_ERROR_NONE)))
eaa776da 1024 goto end;
b4982125 1025
eaa776da 1026 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1027 if (use_ext_cache
1028 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1029 goto end;
2cb4b5f6 1030
710756a9 1031 /* Should succeed because it should not already be in the cache */
7e885b7b 1032 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1033 goto end;
bf208d95 1034# endif
eaa776da 1035
7a301f08
MC		 1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache) {
1038 SSL_CTX_sess_set_new_cb(cctx, NULL);
1039 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1040 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1041 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1042 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1043 get_sess_val = NULL;
1044 }
1045
1046 SSL_CTX_set_session_cache_mode(cctx, 0);
1047 /* Internal caching is the default on the server side */
1048 if (!use_int_cache)
1049 SSL_CTX_set_session_cache_mode(sctx,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1052
1053 SSL_free(serverssl1);
1054 SSL_free(clientssl1);
1055 serverssl1 = clientssl1 = NULL;
1056 SSL_free(serverssl2);
1057 SSL_free(clientssl2);
1058 serverssl2 = clientssl2 = NULL;
1059 SSL_SESSION_free(sess1);
1060 sess1 = NULL;
1061 SSL_SESSION_free(sess2);
1062 sess2 = NULL;
1063
1064 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1065 if (maxprot == TLS1_2_VERSION)
1066 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1067 new_called = remove_called = get_called = 0;
7a301f08
MC		 1068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1069 NULL, NULL))
1070 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1071 SSL_ERROR_NONE))
1072 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1073 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1074 goto end;
1075
ee94ec2e
MC		 1076 if (use_int_cache) {
1077 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1078 /*
1079 * In TLSv1.3 it should not have been added to the internal cache,
1080 * except in the case where we also have an external cache (in that
1081 * case it gets added to the cache in order to generate remove
1082 * events after timeout).
1083 */
1084 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1085 goto end;
1086 } else {
1087 /* Should fail because it should already be in the cache */
1088 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1089 goto end;
1090 }
1091 }
7a301f08
MC		 1092
1093 if (use_ext_cache) {
1094 SSL_SESSION *tmp = sess2;
1095
36ff232c 1096 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1097 || !TEST_int_eq(remove_called, 0)
1098 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1099 goto end;
1100 /*
1101 * Delete the session from the internal cache to force a lookup from
1102 * the external cache. We take a copy first because
1103 * SSL_CTX_remove_session() also marks the session as non-resumable.
1104 */
ee94ec2e 1105 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1106 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1107 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1108 goto end;
1109 SSL_SESSION_free(sess2);
1110 }
7a301f08
MC		 1111 sess2 = tmp;
1112 }
1113
0afca811 1114 new_called = remove_called = get_called = 0;
7a301f08
MC		 1115 get_sess_val = sess2;
1116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1117 &clientssl2, NULL, NULL))
1118 || !TEST_true(SSL_set_session(clientssl2, sess1))
1119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1120 SSL_ERROR_NONE))
1121 || !TEST_true(SSL_session_reused(clientssl2)))
1122 goto end;
1123
0afca811 1124 if (use_ext_cache) {
32305f88 1125 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1126 goto end;
1127
1128 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1129 if (!TEST_int_eq(new_called, 1)
1130 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1131 goto end;
1132 } else {
32305f88
MC		 1133 if (!TEST_int_eq(new_called, 0)
1134 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1135 goto end;
1136 }
1137 }
7a301f08 1138
2cb4b5f6 1139 testresult = 1;
eaa776da 1140
2cb4b5f6
MC		 1141 end:
1142 SSL_free(serverssl1);
1143 SSL_free(clientssl1);
1144 SSL_free(serverssl2);
1145 SSL_free(clientssl2);
bf208d95 1146# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1147 SSL_free(serverssl3);
1148 SSL_free(clientssl3);
bf208d95 1149# endif
2cb4b5f6
MC		 1150 SSL_SESSION_free(sess1);
1151 SSL_SESSION_free(sess2);
1152 SSL_CTX_free(sctx);
1153 SSL_CTX_free(cctx);
1154
1155 return testresult;
1156}
bf208d95 1157#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1158
7fb4c820
MC		 1159static int test_session_with_only_int_cache(void)
1160{
7a301f08
MC		 1161#ifndef OPENSSL_NO_TLS1_3
1162 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1163 return 0;
1164#endif
1165
1166#ifndef OPENSSL_NO_TLS1_2
1167 return execute_test_session(TLS1_2_VERSION, 1, 0);
1168#else
1169 return 1;
1170#endif
eaa776da
MC		 1171}
1172
7fb4c820
MC		 1173static int test_session_with_only_ext_cache(void)
1174{
7a301f08
MC		 1175#ifndef OPENSSL_NO_TLS1_3
1176 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1177 return 0;
1178#endif
1179
1180#ifndef OPENSSL_NO_TLS1_2
1181 return execute_test_session(TLS1_2_VERSION, 0, 1);
1182#else
1183 return 1;
1184#endif
eaa776da
MC		 1185}
1186
7fb4c820
MC		 1187static int test_session_with_both_cache(void)
1188{
7a301f08
MC		 1189#ifndef OPENSSL_NO_TLS1_3
1190 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1191 return 0;
1192#endif
1193
1194#ifndef OPENSSL_NO_TLS1_2
1195 return execute_test_session(TLS1_2_VERSION, 1, 1);
1196#else
1197 return 1;
1198#endif
eaa776da
MC		 1199}
1200
04225915 1201#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1202static SSL_SESSION *sesscache[6];
1203static int do_cache;
36ff232c
MC		 1204
1205static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1206{
c22365b3
MC		 1207 if (do_cache) {
1208 sesscache[new_called] = sess;
1209 } else {
1210 /* We don't need the reference to the session, so free it */
1211 SSL_SESSION_free(sess);
1212 }
1213 new_called++;
1214
1215 return 1;
1216}
1217
1218static int post_handshake_verify(SSL *sssl, SSL *cssl)
1219{
1220 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1221 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1222 return 0;
1223
1224 /* Start handshake on the server and client */
1225 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1226 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1227 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1228 || !TEST_true(create_ssl_connection(sssl, cssl,
1229 SSL_ERROR_NONE)))
1230 return 0;
36ff232c
MC		 1231
1232 return 1;
1233}
1234
1235static int test_tickets(int idx)
1236{
1237 SSL_CTX *sctx = NULL, *cctx = NULL;
1238 SSL *serverssl = NULL, *clientssl = NULL;
1239 int testresult = 0, i;
1240 size_t j;
1241
1242 /* idx is the test number, but also the number of tickets we want */
1243
1244 new_called = 0;
c22365b3 1245 do_cache = 1;
36ff232c
MC		 1246
1247 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1248 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1249 &cctx, cert, privkey))
1250 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx)))
1251 goto end;
1252
1253 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1254 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1255 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1256
1257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1258 &clientssl, NULL, NULL)))
1259 goto end;
1260
1261 SSL_force_post_handshake_auth(clientssl);
1262
1263 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1264 SSL_ERROR_NONE))
1265 /* Check we got the number of tickets we were expecting */
1266 || !TEST_int_eq(idx, new_called))
1267 goto end;
1268
1269 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1270 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1271 || !TEST_int_eq(idx * 2, new_called))
1272 goto end;
1273
36ff232c
MC		 1274 SSL_shutdown(clientssl);
1275 SSL_shutdown(serverssl);
1276 SSL_free(serverssl);
1277 SSL_free(clientssl);
1278 serverssl = clientssl = NULL;
1279
c22365b3
MC		 1280 /* Stop caching sessions - just count them */
1281 do_cache = 0;
1282
36ff232c 1283 /* Test that we can resume with all the tickets we got given */
c22365b3
MC		 1284 for (i = 0; i < idx * 2; i++) {
1285 new_called = 0;
36ff232c
MC		 1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1287 &clientssl, NULL, NULL))
c22365b3
MC		 1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1289 goto end;
1290
1291 SSL_force_post_handshake_auth(clientssl);
1292
1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
36ff232c 1294 SSL_ERROR_NONE))
c22365b3
MC		 1295 || !TEST_true(SSL_session_reused(clientssl))
1296 /* Following a resumption we only get 1 ticket */
1297 || !TEST_int_eq(new_called, 1))
1298 goto end;
1299
1300 new_called = 0;
1301 /* After a post-handshake authentication we should get 1 new ticket */
1302 if (!post_handshake_verify(serverssl, clientssl)
1303 || !TEST_int_eq(new_called, 1))
36ff232c
MC		 1304 goto end;
1305
1306 SSL_shutdown(clientssl);
1307 SSL_shutdown(serverssl);
1308 SSL_free(serverssl);
1309 SSL_free(clientssl);
1310 serverssl = clientssl = NULL;
1311 SSL_SESSION_free(sesscache[i]);
1312 sesscache[i] = NULL;
1313 }
1314
1315 testresult = 1;
1316
1317 end:
1318 SSL_free(serverssl);
1319 SSL_free(clientssl);
c22365b3 1320 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1321 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1322 sesscache[j] = NULL;
1323 }
36ff232c
MC		 1324 SSL_CTX_free(sctx);
1325 SSL_CTX_free(cctx);
1326
1327 return testresult;
1328}
04225915 1329#endif
36ff232c 1330
7d4488bb
MC		 1331#define USE_NULL 0
1332#define USE_BIO_1 1
1333#define USE_BIO_2 2
1334#define USE_DEFAULT 3
1335
1336#define CONNTYPE_CONNECTION_SUCCESS 0
1337#define CONNTYPE_CONNECTION_FAIL 1
1338#define CONNTYPE_NO_CONNECTION 2
1339
1340#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1341#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1342#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1343# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1344#else
1345# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1346#endif
1347
7d4488bb
MC		 1348#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1349 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1350 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1351
1352static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1353{
1354 switch (type) {
1355 case USE_NULL:
1356 *res = NULL;
1357 break;
1358 case USE_BIO_1:
1359 *res = bio1;
1360 break;
1361 case USE_BIO_2:
1362 *res = bio2;
1363 break;
1364 }
1365}
1366
7d4488bb
MC		 1367
1368/*
1369 * Tests calls to SSL_set_bio() under various conditions.
1370 *
1371 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1372 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1373 * then do more tests where we create a successful connection first using our
1374 * standard connection setup functions, and then call SSL_set_bio() with
1375 * various combinations of valid BIOs or NULL. We then repeat these tests
1376 * following a failed connection. In this last case we are looking to check that
1377 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1378 */
7fb4c820
MC		 1379static int test_ssl_set_bio(int idx)
1380{
7d4488bb 1381 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1382 BIO *bio1 = NULL;
1383 BIO *bio2 = NULL;
0fae8150 1384 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1385 SSL *serverssl = NULL, *clientssl = NULL;
1386 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1387 int testresult = 0;
1388
7d4488bb
MC		 1389 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1390 initrbio = idx % 3;
1391 idx /= 3;
1392 initwbio = idx % 3;
1393 idx /= 3;
1394 newrbio = idx % 3;
1395 idx /= 3;
1396 newwbio = idx % 3;
1397 conntype = CONNTYPE_NO_CONNECTION;
1398 } else {
1399 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1400 initrbio = initwbio = USE_DEFAULT;
1401 newrbio = idx % 2;
1402 idx /= 2;
1403 newwbio = idx % 2;
1404 idx /= 2;
1405 conntype = idx % 2;
1406 }
710756a9 1407
7d4488bb
MC		 1408 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1409 TLS1_VERSION, TLS_MAX_VERSION,
1410 &sctx, &cctx, cert, privkey)))
1411 goto end;
1412
1413 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1414 /*
1415 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1416 * because we reduced the number of tests in the definition of
1417 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1418 * mismatched protocol versions we will force a connection failure.
1419 */
1420 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1421 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1422 }
1423
1424 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1425 NULL, NULL)))
710756a9 1426 goto end;
7fb4c820 1427
710756a9
RS		 1428 if (initrbio == USE_BIO_1
1429 || initwbio == USE_BIO_1
1430 || newrbio == USE_BIO_1
7fb4c820 1431 || newwbio == USE_BIO_1) {
710756a9 1432 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1433 goto end;
7fb4c820
MC		 1434 }
1435
710756a9
RS		 1436 if (initrbio == USE_BIO_2
1437 || initwbio == USE_BIO_2
1438 || newrbio == USE_BIO_2
7fb4c820 1439 || newwbio == USE_BIO_2) {
710756a9 1440 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1441 goto end;
7fb4c820
MC		 1442 }
1443
7d4488bb
MC		 1444 if (initrbio != USE_DEFAULT) {
1445 setupbio(&irbio, bio1, bio2, initrbio);
1446 setupbio(&iwbio, bio1, bio2, initwbio);
1447 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1448
7d4488bb
MC		 1449 /*
1450 * We want to maintain our own refs to these BIO, so do an up ref for
1451 * each BIO that will have ownership transferred in the SSL_set_bio()
1452 * call
1453 */
1454 if (irbio != NULL)
1455 BIO_up_ref(irbio);
1456 if (iwbio != NULL && iwbio != irbio)
1457 BIO_up_ref(iwbio);
1458 }
7fb4c820 1459
7d4488bb
MC		 1460 if (conntype != CONNTYPE_NO_CONNECTION
1461 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1462 SSL_ERROR_NONE)
1463 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1464 goto end;
7fb4c820
MC		 1465
1466 setupbio(&nrbio, bio1, bio2, newrbio);
1467 setupbio(&nwbio, bio1, bio2, newwbio);
1468
1469 /*
1470 * We will (maybe) transfer ownership again so do more up refs.
1471 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1472 * already been set!
1473 */
710756a9
RS		 1474 if (nrbio != NULL
1475 && nrbio != irbio
1476 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1477 BIO_up_ref(nrbio);
710756a9
RS		 1478 if (nwbio != NULL
1479 && nwbio != nrbio
1480 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1481 BIO_up_ref(nwbio);
1482
7d4488bb 1483 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1484
1485 testresult = 1;
1486
1487 end:
7fb4c820
MC		 1488 BIO_free(bio1);
1489 BIO_free(bio2);
710756a9 1490
7fb4c820
MC		 1491 /*
1492 * This test is checking that the ref counting for SSL_set_bio is correct.
1493 * If we get here and we did too many frees then we will fail in the above
1494 * functions. If we haven't done enough then this will only be detected in
1495 * a crypto-mdebug build
1496 */
7d4488bb
MC		 1497 SSL_free(serverssl);
1498 SSL_free(clientssl);
1499 SSL_CTX_free(sctx);
1500 SSL_CTX_free(cctx);
7fb4c820
MC		 1501 return testresult;
1502}
1503
7e885b7b 1504typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1505
7e885b7b 1506static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1507{
1508 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1509 SSL_CTX *ctx;
9a716987
MC		 1510 SSL *ssl = NULL;
1511 int testresult = 0;
1512
710756a9
RS		 1513 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1514 || !TEST_ptr(ssl = SSL_new(ctx))
1515 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1516 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1517 goto end;
9a716987
MC		 1518
1519 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1520
1521 /*
1522 * If anything goes wrong here then we could leak memory, so this will
1523 * be caught in a crypto-mdebug build
1524 */
1525 BIO_push(sslbio, membio1);
1526
69687aa8 1527 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1528 if (change_bio != NO_BIO_CHANGE) {
710756a9 1529 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1530 goto end;
7e885b7b 1531 if (change_bio == CHANGE_RBIO)
65e2d672 1532 SSL_set0_rbio(ssl, membio2);
9a716987 1533 else
65e2d672 1534 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1535 }
1536 ssl = NULL;
1537
7e885b7b 1538 if (pop_ssl)
9a716987
MC		 1539 BIO_pop(sslbio);
1540 else
1541 BIO_pop(membio1);
1542
1543 testresult = 1;
1544 end:
1545 BIO_free(membio1);
1546 BIO_free(sslbio);
1547 SSL_free(ssl);
1548 SSL_CTX_free(ctx);
1549
1550 return testresult;
1551}
1552
1553static int test_ssl_bio_pop_next_bio(void)
1554{
7e885b7b 1555 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1556}
1557
1558static int test_ssl_bio_pop_ssl_bio(void)
1559{
7e885b7b 1560 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1561}
1562
1563static int test_ssl_bio_change_rbio(void)
1564{
7e885b7b 1565 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1566}
1567
1568static int test_ssl_bio_change_wbio(void)
1569{
7e885b7b 1570 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1571}
1572
c423ecaa 1573#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1574typedef struct {
1575 /* The list of sig algs */
1576 const int *list;
1577 /* The length of the list */
1578 size_t listlen;
1579 /* A sigalgs list in string format */
1580 const char *liststr;
1581 /* Whether setting the list should succeed */
1582 int valid;
1583 /* Whether creating a connection with the list should succeed */
1584 int connsuccess;
1585} sigalgs_list;
1586
1587static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1588# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1589static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1590static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1591# endif
f1b25aae
MC		 1592static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1593static const int invalidlist2[] = {NID_sha256, NID_undef};
1594static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1595static const int invalidlist4[] = {NID_sha256};
1596static const sigalgs_list testsigalgs[] = {
1597 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1598# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1599 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1600 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1601# endif
f1b25aae 1602 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1603# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1604 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1605 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1606# endif
f1b25aae
MC		 1607 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1608 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1609 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1610 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1611 {NULL, 0, "RSA", 0, 0},
1612 {NULL, 0, "SHA256", 0, 0},
1613 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1614 {NULL, 0, "Invalid", 0, 0}
1615};
f1b25aae
MC		 1616
1617static int test_set_sigalgs(int idx)
1618{
1619 SSL_CTX *cctx = NULL, *sctx = NULL;
1620 SSL *clientssl = NULL, *serverssl = NULL;
1621 int testresult = 0;
1622 const sigalgs_list *curr;
1623 int testctx;
1624
1625 /* Should never happen */
710756a9 1626 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1627 return 0;
1628
1629 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1630 curr = testctx ? &testsigalgs[idx]
1631 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1632
7d7f6834
RL		 1633 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1634 TLS1_VERSION, TLS_MAX_VERSION,
1635 &sctx, &cctx, cert, privkey)))
f1b25aae 1636 return 0;
f1b25aae 1637
d2e491f2
MC		 1638 /*
1639 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1640 * for TLSv1.2 for now until we add a new API.
1641 */
1642 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1643
f1b25aae
MC		 1644 if (testctx) {
1645 int ret;
710756a9 1646
f1b25aae
MC		 1647 if (curr->list != NULL)
1648 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1649 else
1650 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1651
1652 if (!ret) {
1653 if (curr->valid)
710756a9 1654 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1655 else
1656 testresult = 1;
1657 goto end;
1658 }
1659 if (!curr->valid) {
710756a9 1660 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1661 goto end;
1662 }
1663 }
1664
710756a9
RS		 1665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1666 &clientssl, NULL, NULL)))
f1b25aae 1667 goto end;
f1b25aae
MC		 1668
1669 if (!testctx) {
1670 int ret;
1671
1672 if (curr->list != NULL)
1673 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1674 else
1675 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1676 if (!ret) {
1677 if (curr->valid)
710756a9 1678 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1679 else
1680 testresult = 1;
1681 goto end;
1682 }
710756a9 1683 if (!curr->valid)
f1b25aae 1684 goto end;
f1b25aae
MC		 1685 }
1686
710756a9
RS		 1687 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1688 SSL_ERROR_NONE),
1689 curr->connsuccess))
f1b25aae 1690 goto end;
f1b25aae
MC		 1691
1692 testresult = 1;
1693
1694 end:
1695 SSL_free(serverssl);
1696 SSL_free(clientssl);
1697 SSL_CTX_free(sctx);
1698 SSL_CTX_free(cctx);
1699
1700 return testresult;
1701}
c423ecaa 1702#endif
f1b25aae 1703
fff202e5
MC		 1704#ifndef OPENSSL_NO_TLS1_3
1705
57dee9bb
MC		 1706static SSL_SESSION *clientpsk = NULL;
1707static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1708static const char *pskid = "Identity";
1709static const char *srvid;
1710
1711static int use_session_cb_cnt = 0;
1712static int find_session_cb_cnt = 0;
532f9578
MC		 1713static int psk_client_cb_cnt = 0;
1714static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1715
1716static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1717 size_t *idlen, SSL_SESSION **sess)
1718{
1719 switch (++use_session_cb_cnt) {
1720 case 1:
1721 /* The first call should always have a NULL md */
1722 if (md != NULL)
1723 return 0;
1724 break;
1725
1726 case 2:
1727 /* The second call should always have an md */
1728 if (md == NULL)
1729 return 0;
1730 break;
1731
1732 default:
1733 /* We should only be called a maximum of twice */
1734 return 0;
1735 }
1736
57dee9bb
MC		 1737 if (clientpsk != NULL)
1738 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1739
57dee9bb 1740 *sess = clientpsk;
02a3ed5a
MC		 1741 *id = (const unsigned char *)pskid;
1742 *idlen = strlen(pskid);
1743
1744 return 1;
1745}
1746
c2b290c3 1747#ifndef OPENSSL_NO_PSK
532f9578
MC		 1748static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1749 unsigned int max_id_len,
1750 unsigned char *psk,
1751 unsigned int max_psk_len)
1752{
1753 unsigned int psklen = 0;
1754
1755 psk_client_cb_cnt++;
1756
1757 if (strlen(pskid) + 1 > max_id_len)
1758 return 0;
1759
1760 /* We should only ever be called a maximum of twice per connection */
1761 if (psk_client_cb_cnt > 2)
1762 return 0;
1763
1764 if (clientpsk == NULL)
1765 return 0;
1766
1767 /* We'll reuse the PSK we set up for TLSv1.3 */
1768 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1769 return 0;
1770 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1771 strncpy(id, pskid, max_id_len);
1772
1773 return psklen;
1774}
c2b290c3 1775#endif /* OPENSSL_NO_PSK */
532f9578 1776
02a3ed5a
MC		 1777static int find_session_cb(SSL *ssl, const unsigned char *identity,
1778 size_t identity_len, SSL_SESSION **sess)
1779{
1780 find_session_cb_cnt++;
1781
1782 /* We should only ever be called a maximum of twice per connection */
1783 if (find_session_cb_cnt > 2)
1784 return 0;
1785
57dee9bb 1786 if (serverpsk == NULL)
02a3ed5a
MC		 1787 return 0;
1788
1789 /* Identity should match that set by the client */
1790 if (strlen(srvid) != identity_len
1791 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1792 /* No PSK found, continue but without a PSK */
1793 *sess = NULL;
1794 return 1;
1795 }
1796
57dee9bb
MC		 1797 SSL_SESSION_up_ref(serverpsk);
1798 *sess = serverpsk;
02a3ed5a
MC		 1799
1800 return 1;
1801}
1802
c2b290c3 1803#ifndef OPENSSL_NO_PSK
532f9578
MC		 1804static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1805 unsigned char *psk, unsigned int max_psk_len)
1806{
1807 unsigned int psklen = 0;
1808
1809 psk_server_cb_cnt++;
1810
1811 /* We should only ever be called a maximum of twice per connection */
1812 if (find_session_cb_cnt > 2)
1813 return 0;
1814
1815 if (serverpsk == NULL)
1816 return 0;
1817
1818 /* Identity should match that set by the client */
1819 if (strcmp(srvid, identity) != 0) {
1820 return 0;
1821 }
1822
1823 /* We'll reuse the PSK we set up for TLSv1.3 */
1824 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1825 return 0;
1826 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1827
1828 return psklen;
1829}
c2b290c3 1830#endif /* OPENSSL_NO_PSK */
532f9578 1831
5f982038
MC		 1832#define MSG1 "Hello"
1833#define MSG2 "World."
1834#define MSG3 "This"
1835#define MSG4 "is"
1836#define MSG5 "a"
90049cea
MC		 1837#define MSG6 "test"
1838#define MSG7 "message."
5f982038 1839
02a3ed5a 1840#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1841#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1842
5f982038
MC		 1843/*
1844 * Helper method to setup objects for early data test. Caller frees objects on
1845 * error.
1846 */
1847static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1848 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1849{
5a421415
MC		 1850 if (*sctx == NULL
1851 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1852 TLS_client_method(),
1853 TLS1_VERSION, TLS_MAX_VERSION,
1854 sctx, cctx, cert, privkey)))
1855 return 0;
1856
1857 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1858 return 0;
5f982038 1859
02a3ed5a
MC		 1860 if (idx == 1) {
1861 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1862 SSL_CTX_set_read_ahead(*cctx, 1);
1863 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1864 } else if (idx == 2) {
1865 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1866 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1867 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1868 use_session_cb_cnt = 0;
1869 find_session_cb_cnt = 0;
1870 srvid = pskid;
3cb47b4e
MC		 1871 }
1872
710756a9 1873 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1874 NULL, NULL)))
1875 return 0;
1876
141e4709
MC		 1877 /*
1878 * For one of the run throughs (doesn't matter which one), we'll try sending
1879 * some SNI data in the initial ClientHello. This will be ignored (because
1880 * there is no SNI cb set up by the server), so it should not impact
1881 * early_data.
1882 */
1883 if (idx == 1
1884 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1885 return 0;
1886
02a3ed5a
MC		 1887 if (idx == 2) {
1888 /* Create the PSK */
1889 const SSL_CIPHER *cipher = NULL;
1890 const unsigned char key[] = {
1891 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1892 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1893 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1894 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1895 0x2c, 0x2d, 0x2e, 0x2f
1896 };
1897
1898 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1899 clientpsk = SSL_SESSION_new();
1900 if (!TEST_ptr(clientpsk)
02a3ed5a 1901 || !TEST_ptr(cipher)
57dee9bb 1902 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1903 sizeof(key)))
57dee9bb 1904 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1905 || !TEST_true(
57dee9bb 1906 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1907 TLS1_3_VERSION))
1908 /*
1909 * We just choose an arbitrary value for max_early_data which
1910 * should be big enough for testing purposes.
1911 */
57dee9bb
MC		 1912 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1913 0x100))
1914 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1915 SSL_SESSION_free(clientpsk);
1916 clientpsk = NULL;
02a3ed5a
MC		 1917 return 0;
1918 }
57dee9bb 1919 serverpsk = clientpsk;
02a3ed5a 1920
c20e3b28
MC		 1921 if (sess != NULL) {
1922 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1923 SSL_SESSION_free(clientpsk);
1924 SSL_SESSION_free(serverpsk);
1925 clientpsk = serverpsk = NULL;
1926 return 0;
1927 }
57dee9bb 1928 *sess = clientpsk;
c20e3b28 1929 }
02a3ed5a
MC		 1930 return 1;
1931 }
1932
1933 if (sess == NULL)
1934 return 1;
1935
1936 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1937 SSL_ERROR_NONE)))
5f982038 1938 return 0;
5f982038
MC		 1939
1940 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1941 SSL_shutdown(*clientssl);
1942 SSL_shutdown(*serverssl);
5f982038
MC		 1943 SSL_free(*serverssl);
1944 SSL_free(*clientssl);
1945 *serverssl = *clientssl = NULL;
1946
710756a9
RS		 1947 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1948 clientssl, NULL, NULL))
1949 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1950 return 0;
5f982038
MC		 1951
1952 return 1;
1953}
1954
3cb47b4e 1955static int test_early_data_read_write(int idx)
5f982038
MC		 1956{
1957 SSL_CTX *cctx = NULL, *sctx = NULL;
1958 SSL *clientssl = NULL, *serverssl = NULL;
1959 int testresult = 0;
1960 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1961 unsigned char buf[20], data[1024];
1962 size_t readbytes, written, eoedlen, rawread, rawwritten;
1963 BIO *rbio;
5f982038 1964
710756a9
RS		 1965 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1966 &serverssl, &sess, idx)))
5f982038
MC		 1967 goto end;
1968
1969 /* Write and read some early data */
710756a9
RS		 1970 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1971 &written))
1972 || !TEST_size_t_eq(written, strlen(MSG1))
1973 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1974 sizeof(buf), &readbytes),
1975 SSL_READ_EARLY_DATA_SUCCESS)
1976 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1977 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1978 SSL_EARLY_DATA_ACCEPTED))
5f982038 1979 goto end;
5f982038
MC		 1980
1981 /*
09f28874 1982 * Server should be able to write data, and client should be able to
5f982038
MC		 1983 * read it.
1984 */
710756a9
RS		 1985 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1986 &written))
1987 || !TEST_size_t_eq(written, strlen(MSG2))
1988 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1989 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1990 goto end;
5f982038
MC		 1991
1992 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1993 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1994 &written))
1995 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1996 goto end;
5f982038 1997
09f28874 1998 /* Server should still be able read early data after writing data */
710756a9
RS		 1999 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2000 &readbytes),
2001 SSL_READ_EARLY_DATA_SUCCESS)
2002 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2003 goto end;
5f982038 2004
09f28874 2005 /* Write more data from server and read it from client */
710756a9
RS		 2006 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2007 &written))
2008 || !TEST_size_t_eq(written, strlen(MSG4))
2009 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2010 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2011 goto end;
5f982038
MC		 2012
2013 /*
2014 * If client writes normal data it should mean writing early data is no
2015 * longer possible.
2016 */
710756a9
RS		 2017 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2018 || !TEST_size_t_eq(written, strlen(MSG5))
2019 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2020 SSL_EARLY_DATA_ACCEPTED))
5f982038 2021 goto end;
5f982038 2022
9b5c865d
MC		 2023 /*
2024 * At this point the client has written EndOfEarlyData, ClientFinished and
2025 * normal (fully protected) data. We are going to cause a delay between the
2026 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2027 * in the read BIO, and then just put back the EndOfEarlyData message.
2028 */
2029 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2030 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2031 || !TEST_size_t_lt(rawread, sizeof(data))
2032 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2033 goto end;
710756a9 2034
9b5c865d
MC		 2035 /* Record length is in the 4th and 5th bytes of the record header */
2036 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2037 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2038 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2039 goto end;
9b5c865d 2040
5f982038 2041 /* Server should be told that there is no more early data */
710756a9
RS		 2042 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2043 &readbytes),
2044 SSL_READ_EARLY_DATA_FINISH)
2045 || !TEST_size_t_eq(readbytes, 0))
5f982038 2046 goto end;
5f982038 2047
9b5c865d
MC		 2048 /*
2049 * Server has not finished init yet, so should still be able to write early
2050 * data.
2051 */
710756a9
RS		 2052 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2053 &written))
2054 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2055 goto end;
9b5c865d 2056
f8a303fa 2057 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2058 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2059 &rawwritten))
2060 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2061 goto end;
f8a303fa 2062
5f982038 2063 /* Server should be able to read normal data */
710756a9
RS		 2064 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2065 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2066 goto end;
5f982038 2067
09f28874 2068 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2069 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2070 &written)))
5f982038 2071 goto end;
5f982038 2072 ERR_clear_error();
710756a9
RS		 2073 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2074 &readbytes),
2075 SSL_READ_EARLY_DATA_ERROR))
5f982038 2076 goto end;
5f982038
MC		 2077 ERR_clear_error();
2078
9b5c865d 2079 /* Client should be able to read the data sent by the server */
710756a9
RS		 2080 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2081 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2082 goto end;
710756a9 2083
f8a303fa 2084 /*
36ff232c
MC		 2085 * Make sure we process the two NewSessionTickets. These arrive
2086 * post-handshake. We attempt reads which we do not expect to return any
2087 * data.
f8a303fa 2088 */
36ff232c
MC		 2089 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2090 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2091 &readbytes)))
f8a303fa 2092 goto end;
5f982038 2093
90049cea 2094 /* Server should be able to write normal data */
710756a9
RS		 2095 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2096 || !TEST_size_t_eq(written, strlen(MSG7))
2097 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2098 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2099 goto end;
90049cea 2100
c20e3b28 2101 SSL_SESSION_free(sess);
5f982038 2102 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2103 use_session_cb_cnt = 0;
2104 find_session_cb_cnt = 0;
5f982038
MC		 2105
2106 SSL_shutdown(clientssl);
2107 SSL_shutdown(serverssl);
5f982038
MC		 2108 SSL_free(serverssl);
2109 SSL_free(clientssl);
2110 serverssl = clientssl = NULL;
710756a9
RS		 2111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2112 &clientssl, NULL, NULL))
2113 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2114 goto end;
5f982038
MC		 2115
2116 /* Write and read some early data */
710756a9
RS		 2117 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2118 &written))
2119 || !TEST_size_t_eq(written, strlen(MSG1))
2120 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2121 &readbytes),
2122 SSL_READ_EARLY_DATA_SUCCESS)
2123 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2124 goto end;
5f982038 2125
710756a9
RS		 2126 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2127 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2128 goto end;
5f982038 2129
09f28874 2130 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2131 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2132 &written)))
5f982038 2133 goto end;
5f982038 2134 ERR_clear_error();
710756a9
RS		 2135 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2136 &readbytes),
2137 SSL_READ_EARLY_DATA_ERROR))
5f982038 2138 goto end;
5f982038
MC		 2139 ERR_clear_error();
2140
2141 /* Client and server should be able to write/read normal data */
710756a9
RS		 2142 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2143 || !TEST_size_t_eq(written, strlen(MSG5))
2144 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2145 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2146 goto end;
5f982038
MC		 2147
2148 testresult = 1;
2149
2150 end:
c20e3b28 2151 SSL_SESSION_free(sess);
57dee9bb
MC		 2152 SSL_SESSION_free(clientpsk);
2153 SSL_SESSION_free(serverpsk);
2154 clientpsk = serverpsk = NULL;
5f982038
MC		 2155 SSL_free(serverssl);
2156 SSL_free(clientssl);
2157 SSL_CTX_free(sctx);
2158 SSL_CTX_free(cctx);
5f982038
MC		 2159 return testresult;
2160}
2161
5a421415
MC		 2162static int allow_ed_cb_called = 0;
2163
2164static int allow_early_data_cb(SSL *s, void *arg)
2165{
2166 int *usecb = (int *)arg;
2167
2168 allow_ed_cb_called++;
2169
2170 if (*usecb == 1)
2171 return 0;
2172
2173 return 1;
2174}
2175
2176/*
2177 * idx == 0: Standard early_data setup
2178 * idx == 1: early_data setup using read_ahead
2179 * usecb == 0: Don't use a custom early data callback
2180 * usecb == 1: Use a custom early data callback and reject the early data
2181 * usecb == 2: Use a custom early data callback and accept the early data
2182 */
2183static int test_early_data_replay_int(int idx, int usecb)
78fb5374
MC		 2184{
2185 SSL_CTX *cctx = NULL, *sctx = NULL;
2186 SSL *clientssl = NULL, *serverssl = NULL;
2187 int testresult = 0;
2188 SSL_SESSION *sess = NULL;
5a421415
MC		 2189 size_t readbytes, written;
2190 unsigned char buf[20];
2191
2192 allow_ed_cb_called = 0;
2193
2194 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2195 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2196 &cctx, cert, privkey)))
2197 return 0;
2198
2199 if (usecb > 0) {
2200 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2201 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2202 }
78fb5374
MC		 2203
2204 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2205 &serverssl, &sess, idx)))
2206 goto end;
2207
2208 /*
2209 * The server is configured to accept early data. Create a connection to
2210 * "use up" the ticket
2211 */
2212 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2213 || !TEST_true(SSL_session_reused(clientssl)))
2214 goto end;
2215
2216 SSL_shutdown(clientssl);
2217 SSL_shutdown(serverssl);
2218 SSL_free(serverssl);
2219 SSL_free(clientssl);
2220 serverssl = clientssl = NULL;
2221
2222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2223 &clientssl, NULL, NULL))
5a421415
MC		 2224 || !TEST_true(SSL_set_session(clientssl, sess)))
2225 goto end;
2226
2227 /* Write and read some early data */
2228 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2229 &written))
2230 || !TEST_size_t_eq(written, strlen(MSG1)))
2231 goto end;
2232
2233 if (usecb <= 1) {
2234 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2235 &readbytes),
2236 SSL_READ_EARLY_DATA_FINISH)
2237 /*
2238 * The ticket was reused, so the we should have rejected the
2239 * early data
2240 */
2241 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2242 SSL_EARLY_DATA_REJECTED))
2243 goto end;
2244 } else {
2245 /* In this case the callback decides to accept the early data */
2246 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2247 &readbytes),
2248 SSL_READ_EARLY_DATA_SUCCESS)
2249 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2250 /*
2251 * Server will have sent its flight so client can now send
2252 * end of early data and complete its half of the handshake
2253 */
2254 || !TEST_int_gt(SSL_connect(clientssl), 0)
2255 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2256 &readbytes),
2257 SSL_READ_EARLY_DATA_FINISH)
2258 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2259 SSL_EARLY_DATA_ACCEPTED))
2260 goto end;
2261 }
2262
2263 /* Complete the connection */
2264 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2265 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2266 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2267 goto end;
2268
2269 testresult = 1;
2270
2271 end:
c20e3b28 2272 SSL_SESSION_free(sess);
78fb5374
MC		 2273 SSL_SESSION_free(clientpsk);
2274 SSL_SESSION_free(serverpsk);
2275 clientpsk = serverpsk = NULL;
2276 SSL_free(serverssl);
2277 SSL_free(clientssl);
2278 SSL_CTX_free(sctx);
2279 SSL_CTX_free(cctx);
2280 return testresult;
2281}
2282
5a421415
MC		 2283static int test_early_data_replay(int idx)
2284{
2285 int ret;
2286
2287 ret = test_early_data_replay_int(idx, 0);
2288 ret &= test_early_data_replay_int(idx, 1);
2289 ret &= test_early_data_replay_int(idx, 2);
2290
2291 return ret;
2292}
2293
710756a9 2294/*
6b84e6bf
MC		 2295 * Helper function to test that a server attempting to read early data can
2296 * handle a connection from a client where the early data should be skipped.
710756a9 2297 */
6b84e6bf 2298static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 2299{
2300 SSL_CTX *cctx = NULL, *sctx = NULL;
2301 SSL *clientssl = NULL, *serverssl = NULL;
2302 int testresult = 0;
018fcbec 2303 SSL_SESSION *sess = NULL;
5f982038
MC		 2304 unsigned char buf[20];
2305 size_t readbytes, written;
2306
710756a9
RS		 2307 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2308 &serverssl, &sess, idx)))
5f982038
MC		 2309 goto end;
2310
6b84e6bf
MC		 2311 if (hrr) {
2312 /* Force an HRR to occur */
2313 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2314 goto end;
02a3ed5a
MC		 2315 } else if (idx == 2) {
2316 /*
2317 * We force early_data rejection by ensuring the PSK identity is
2318 * unrecognised
2319 */
2320 srvid = "Dummy Identity";
6b84e6bf
MC		 2321 } else {
2322 /*
2323 * Deliberately corrupt the creation time. We take 20 seconds off the
2324 * time. It could be any value as long as it is not within tolerance.
2325 * This should mean the ticket is rejected.
2326 */
5d99881e 2327 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2328 goto end;
2329 }
5f982038
MC		 2330
2331 /* Write some early data */
710756a9
RS		 2332 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2333 &written))
2334 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2335 goto end;
5f982038
MC		 2336
2337 /* Server should reject the early data and skip over it */
710756a9
RS		 2338 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2339 &readbytes),
2340 SSL_READ_EARLY_DATA_FINISH)
2341 || !TEST_size_t_eq(readbytes, 0)
2342 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2343 SSL_EARLY_DATA_REJECTED))
5f982038 2344 goto end;
5f982038 2345
6b84e6bf
MC		 2346 if (hrr) {
2347 /*
2348 * Finish off the handshake. We perform the same writes and reads as
2349 * further down but we expect them to fail due to the incomplete
2350 * handshake.
2351 */
2352 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2353 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2354 &readbytes)))
2355 goto end;
2356 }
2357
710756a9
RS		 2358 /* Should be able to send normal data despite rejection of early data */
2359 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2360 || !TEST_size_t_eq(written, strlen(MSG2))
2361 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2362 SSL_EARLY_DATA_REJECTED)
2363 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2364 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2365 goto end;
5f982038
MC		 2366
2367 testresult = 1;
2368
2369 end:
c20e3b28 2370 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2371 SSL_SESSION_free(serverpsk);
2372 clientpsk = serverpsk = NULL;
5f982038
MC		 2373 SSL_SESSION_free(sess);
2374 SSL_free(serverssl);
2375 SSL_free(clientssl);
2376 SSL_CTX_free(sctx);
2377 SSL_CTX_free(cctx);
5f982038
MC		 2378 return testresult;
2379}
2380
6b84e6bf
MC		 2381/*
2382 * Test that a server attempting to read early data can handle a connection
2383 * from a client where the early data is not acceptable.
2384 */
2385static int test_early_data_skip(int idx)
2386{
2387 return early_data_skip_helper(0, idx);
2388}
2389
2390/*
2391 * Test that a server attempting to read early data can handle a connection
2392 * from a client where an HRR occurs.
2393 */
2394static int test_early_data_skip_hrr(int idx)
2395{
2396 return early_data_skip_helper(1, idx);
2397}
2398
710756a9
RS		 2399/*
2400 * Test that a server attempting to read early data can handle a connection
2401 * from a client that doesn't send any.
2402 */
3cb47b4e 2403static int test_early_data_not_sent(int idx)
5f982038
MC		 2404{
2405 SSL_CTX *cctx = NULL, *sctx = NULL;
2406 SSL *clientssl = NULL, *serverssl = NULL;
2407 int testresult = 0;
018fcbec 2408 SSL_SESSION *sess = NULL;
5f982038
MC		 2409 unsigned char buf[20];
2410 size_t readbytes, written;
2411
710756a9
RS		 2412 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2413 &serverssl, &sess, idx)))
5f982038
MC		 2414 goto end;
2415
2416 /* Write some data - should block due to handshake with server */
2417 SSL_set_connect_state(clientssl);
710756a9 2418 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2419 goto end;
5f982038
MC		 2420
2421 /* Server should detect that early data has not been sent */
710756a9
RS		 2422 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2423 &readbytes),
2424 SSL_READ_EARLY_DATA_FINISH)
2425 || !TEST_size_t_eq(readbytes, 0)
2426 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2427 SSL_EARLY_DATA_NOT_SENT)
2428 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2429 SSL_EARLY_DATA_NOT_SENT))
5f982038 2430 goto end;
5f982038
MC		 2431
2432 /* Continue writing the message we started earlier */
710756a9
RS		 2433 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2434 || !TEST_size_t_eq(written, strlen(MSG1))
2435 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2436 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2437 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2438 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2439 goto end;
5f982038 2440
710756a9
RS		 2441 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2442 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2443 goto end;
5f982038
MC		 2444
2445 testresult = 1;
2446
2447 end:
5f982038 2448 SSL_SESSION_free(sess);
c20e3b28 2449 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2450 SSL_SESSION_free(serverpsk);
2451 clientpsk = serverpsk = NULL;
5f982038
MC		 2452 SSL_free(serverssl);
2453 SSL_free(clientssl);
2454 SSL_CTX_free(sctx);
2455 SSL_CTX_free(cctx);
5f982038
MC		 2456 return testresult;
2457}
2458
976e5323
MC		 2459static int hostname_cb(SSL *s, int *al, void *arg)
2460{
2461 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2462
281bf233 2463 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2464 return SSL_TLSEXT_ERR_OK;
2465
2466 return SSL_TLSEXT_ERR_NOACK;
2467}
2468
2469static const char *servalpn;
2470
c7558d5b
PY		 2471static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2472 unsigned char *outlen, const unsigned char *in,
2473 unsigned int inlen, void *arg)
976e5323 2474{
c7558d5b 2475 unsigned int protlen = 0;
976e5323
MC		 2476 const unsigned char *prot;
2477
c7558d5b
PY		 2478 for (prot = in; prot < in + inlen; prot += protlen) {
2479 protlen = *prot++;
5d99881e 2480 if (in + inlen < prot + protlen)
976e5323
MC		 2481 return SSL_TLSEXT_ERR_NOACK;
2482
2483 if (protlen == strlen(servalpn)
0bd42fde 2484 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2485 *out = prot;
2486 *outlen = protlen;
2487 return SSL_TLSEXT_ERR_OK;
2488 }
2489 }
2490
2491 return SSL_TLSEXT_ERR_NOACK;
2492}
2493
57dee9bb 2494/* Test that a PSK can be used to send early_data */
976e5323
MC		 2495static int test_early_data_psk(int idx)
2496{
2497 SSL_CTX *cctx = NULL, *sctx = NULL;
2498 SSL *clientssl = NULL, *serverssl = NULL;
2499 int testresult = 0;
2500 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2501 unsigned char alpnlist[] = {
2502 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2503 'l', 'p', 'n'
2504 };
2505#define GOODALPNLEN 9
2506#define BADALPNLEN 8
2507#define GOODALPN (alpnlist)
2508#define BADALPN (alpnlist + GOODALPNLEN)
2509 int err = 0;
976e5323
MC		 2510 unsigned char buf[20];
2511 size_t readbytes, written;
57dee9bb 2512 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2513 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2514
2515 /* We always set this up with a final parameter of "2" for PSK */
2516 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2517 &serverssl, &sess, 2)))
2518 goto end;
2519
976e5323
MC		 2520 servalpn = "goodalpn";
2521
57dee9bb
MC		 2522 /*
2523 * Note: There is no test for inconsistent SNI with late client detection.
2524 * This is because servers do not acknowledge SNI even if they are using
2525 * it in a resumption handshake - so it is not actually possible for a
2526 * client to detect a problem.
2527 */
976e5323
MC		 2528 switch (idx) {
2529 case 0:
57dee9bb 2530 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2531 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2532 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2533 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2534 goto end;
2535 break;
2536
2537 case 1:
57dee9bb 2538 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2539 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2540 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2541 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2542 GOODALPNLEN))
2543 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2544 BADALPNLEN)))
976e5323
MC		 2545 goto end;
2546 break;
2547
2548 case 2:
2549 /*
2550 * Set invalid protocol version. Technically this affects PSKs without
2551 * early_data too, but we test it here because it is similar to the
2552 * SNI/ALPN consistency tests.
2553 */
2554 err = SSL_R_BAD_PSK;
2555 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2556 goto end;
2557 break;
2558
2559 case 3:
2560 /*
2561 * Set inconsistent SNI (server detected). In this case the connection
2562 * will succeed but reject early_data.
2563 */
281bf233
MC		 2564 SSL_SESSION_free(serverpsk);
2565 serverpsk = SSL_SESSION_dup(clientpsk);
2566 if (!TEST_ptr(serverpsk)
2567 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2568 goto end;
976e5323
MC		 2569 edstatus = SSL_EARLY_DATA_REJECTED;
2570 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2571 /* Fall through */
2572 case 4:
2573 /* Set consistent SNI */
976e5323
MC		 2574 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2575 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2576 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2577 hostname_cb)))
2578 goto end;
2579 break;
2580
2581 case 5:
2582 /*
2583 * Set inconsistent ALPN (server detected). In this case the connection
2584 * will succeed but reject early_data.
2585 */
2586 servalpn = "badalpn";
2587 edstatus = SSL_EARLY_DATA_REJECTED;
2588 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2589 /* Fall through */
2590 case 6:
976e5323 2591 /*
57dee9bb 2592 * Set consistent ALPN.
976e5323
MC		 2593 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2594 * accepts a list of protos (each one length prefixed).
2595 * SSL_set1_alpn_selected accepts a single protocol (not length
2596 * prefixed)
2597 */
57dee9bb
MC		 2598 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2599 GOODALPNLEN - 1))
2600 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2601 GOODALPNLEN)))
976e5323
MC		 2602 goto end;
2603
2604 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2605 break;
2606
57dee9bb
MC		 2607 case 7:
2608 /* Set inconsistent ALPN (late client detection) */
2609 SSL_SESSION_free(serverpsk);
2610 serverpsk = SSL_SESSION_dup(clientpsk);
2611 if (!TEST_ptr(serverpsk)
2612 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2613 BADALPN + 1,
2614 BADALPNLEN - 1))
2615 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2616 GOODALPN + 1,
2617 GOODALPNLEN - 1))
2618 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2619 sizeof(alpnlist))))
2620 goto end;
2621 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2622 edstatus = SSL_EARLY_DATA_ACCEPTED;
2623 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2624 /* SSL_connect() call should fail */
2625 connectres = -1;
2626 break;
2627
976e5323
MC		 2628 default:
2629 TEST_error("Bad test index");
2630 goto end;
2631 }
2632
2633 SSL_set_connect_state(clientssl);
2634 if (err != 0) {
2635 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2636 &written))
2637 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2638 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2639 goto end;
2640 } else {
2641 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2642 &written)))
2643 goto end;
2644
2645 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2646 &readbytes), readearlyres)
976e5323
MC		 2647 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2648 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2649 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2650 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2651 goto end;
2652 }
2653
2654 testresult = 1;
2655
2656 end:
c20e3b28 2657 SSL_SESSION_free(sess);
57dee9bb
MC		 2658 SSL_SESSION_free(clientpsk);
2659 SSL_SESSION_free(serverpsk);
2660 clientpsk = serverpsk = NULL;
976e5323
MC		 2661 SSL_free(serverssl);
2662 SSL_free(clientssl);
2663 SSL_CTX_free(sctx);
2664 SSL_CTX_free(cctx);
2665 return testresult;
2666}
2667
710756a9
RS		 2668/*
2669 * Test that a server that doesn't try to read early data can handle a
2670 * client sending some.
2671 */
3cb47b4e 2672static int test_early_data_not_expected(int idx)
5f982038
MC		 2673{
2674 SSL_CTX *cctx = NULL, *sctx = NULL;
2675 SSL *clientssl = NULL, *serverssl = NULL;
2676 int testresult = 0;
018fcbec 2677 SSL_SESSION *sess = NULL;
5f982038
MC		 2678 unsigned char buf[20];
2679 size_t readbytes, written;
2680
710756a9
RS		 2681 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2682 &serverssl, &sess, idx)))
5f982038
MC		 2683 goto end;
2684
2685 /* Write some early data */
710756a9
RS		 2686 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2687 &written)))
5f982038 2688 goto end;
5f982038
MC		 2689
2690 /*
2691 * Server should skip over early data and then block waiting for client to
2692 * continue handshake
2693 */
710756a9
RS		 2694 if (!TEST_int_le(SSL_accept(serverssl), 0)
2695 || !TEST_int_gt(SSL_connect(clientssl), 0)
2696 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2697 SSL_EARLY_DATA_REJECTED)
2698 || !TEST_int_gt(SSL_accept(serverssl), 0)
2699 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2700 SSL_EARLY_DATA_REJECTED))
5f982038 2701 goto end;
5f982038
MC		 2702
2703 /* Send some normal data from client to server */
710756a9
RS		 2704 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2705 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2706 goto end;
5f982038 2707
710756a9
RS		 2708 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2709 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2710 goto end;
5f982038
MC		 2711
2712 testresult = 1;
2713
2714 end:
5f982038 2715 SSL_SESSION_free(sess);
c20e3b28 2716 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2717 SSL_SESSION_free(serverpsk);
2718 clientpsk = serverpsk = NULL;
5f982038
MC		 2719 SSL_free(serverssl);
2720 SSL_free(clientssl);
2721 SSL_CTX_free(sctx);
2722 SSL_CTX_free(cctx);
5f982038
MC		 2723 return testresult;
2724}
2725
2726
2727# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2728/*
2729 * Test that a server attempting to read early data can handle a connection
2730 * from a TLSv1.2 client.
2731 */
3cb47b4e 2732static int test_early_data_tls1_2(int idx)
5f982038
MC		 2733{
2734 SSL_CTX *cctx = NULL, *sctx = NULL;
2735 SSL *clientssl = NULL, *serverssl = NULL;
2736 int testresult = 0;
2737 unsigned char buf[20];
2738 size_t readbytes, written;
2739
02a3ed5a
MC		 2740 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2741 &serverssl, NULL, idx)))
5f982038 2742 goto end;
5f982038
MC		 2743
2744 /* Write some data - should block due to handshake with server */
2745 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2746 SSL_set_connect_state(clientssl);
710756a9 2747 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2748 goto end;
5f982038
MC		 2749
2750 /*
2751 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2752 * messages from client after ServerDone. Then SSL_read_early_data should
2753 * finish and detect that early data has not been sent
5f982038 2754 */
710756a9
RS		 2755 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2756 &readbytes),
2757 SSL_READ_EARLY_DATA_ERROR))
5f982038 2758 goto end;
5f982038
MC		 2759
2760 /*
2761 * Continue writing the message we started earlier. Will still block waiting
2762 * for the CCS/Finished from server
2763 */
710756a9
RS		 2764 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2765 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2766 &readbytes),
2767 SSL_READ_EARLY_DATA_FINISH)
2768 || !TEST_size_t_eq(readbytes, 0)
2769 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2770 SSL_EARLY_DATA_NOT_SENT))
5f982038 2771 goto end;
5f982038
MC		 2772
2773 /* Continue writing the message we started earlier */
710756a9
RS		 2774 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2775 || !TEST_size_t_eq(written, strlen(MSG1))
2776 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2777 SSL_EARLY_DATA_NOT_SENT)
2778 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2779 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2780 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2781 || !TEST_size_t_eq(written, strlen(MSG2))
2782 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2783 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2784 goto end;
5f982038
MC		 2785
2786 testresult = 1;
2787
2788 end:
57dee9bb
MC		 2789 SSL_SESSION_free(clientpsk);
2790 SSL_SESSION_free(serverpsk);
2791 clientpsk = serverpsk = NULL;
5f982038
MC		 2792 SSL_free(serverssl);
2793 SSL_free(clientssl);
2794 SSL_CTX_free(sctx);
2795 SSL_CTX_free(cctx);
2796
2797 return testresult;
2798}
ca0413ae
MC		 2799# endif /* OPENSSL_NO_TLS1_2 */
2800
034cb87b
MC		 2801/*
2802 * Test configuring the TLSv1.3 ciphersuites
2803 *
2804 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2805 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2806 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2807 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2808 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2809 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2810 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2811 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2812 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2813 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2814 */
2815static int test_set_ciphersuite(int idx)
2816{
2817 SSL_CTX *cctx = NULL, *sctx = NULL;
2818 SSL *clientssl = NULL, *serverssl = NULL;
2819 int testresult = 0;
2820
2821 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2822 TLS1_VERSION, TLS_MAX_VERSION,
2823 &sctx, &cctx, cert, privkey))
2824 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2825 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2826 goto end;
2827
2828 if (idx >=4 && idx <= 7) {
2829 /* SSL_CTX explicit cipher list */
2830 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2831 goto end;
2832 }
2833
2834 if (idx == 0 || idx == 4) {
2835 /* Default ciphersuite */
2836 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2837 "TLS_AES_128_GCM_SHA256")))
2838 goto end;
2839 } else if (idx == 1 || idx == 5) {
2840 /* Non default ciphersuite */
2841 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2842 "TLS_AES_128_CCM_SHA256")))
2843 goto end;
2844 }
2845
2846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2847 &clientssl, NULL, NULL)))
2848 goto end;
2849
2850 if (idx == 8 || idx == 9) {
2851 /* SSL explicit cipher list */
2852 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2853 goto end;
2854 }
2855
2856 if (idx == 2 || idx == 6 || idx == 8) {
2857 /* Default ciphersuite */
2858 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2859 "TLS_AES_128_GCM_SHA256")))
2860 goto end;
2861 } else if (idx == 3 || idx == 7 || idx == 9) {
2862 /* Non default ciphersuite */
2863 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2864 "TLS_AES_128_CCM_SHA256")))
2865 goto end;
2866 }
2867
2868 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2869 goto end;
2870
2871 testresult = 1;
2872
2873 end:
2874 SSL_free(serverssl);
2875 SSL_free(clientssl);
2876 SSL_CTX_free(sctx);
2877 SSL_CTX_free(cctx);
2878
2879 return testresult;
2880}
2881
ca0413ae
MC		 2882static int test_ciphersuite_change(void)
2883{
2884 SSL_CTX *cctx = NULL, *sctx = NULL;
2885 SSL *clientssl = NULL, *serverssl = NULL;
2886 SSL_SESSION *clntsess = NULL;
2887 int testresult = 0;
2888 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2889
2890 /* Create a session based on SHA-256 */
7d7f6834
RL		 2891 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2892 TLS1_VERSION, TLS_MAX_VERSION,
2893 &sctx, &cctx, cert, privkey))
f865b081
MC		 2894 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2895 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 2896 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2897 &clientssl, NULL, NULL))
2898 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2899 SSL_ERROR_NONE)))
2900 goto end;
2901
2902 clntsess = SSL_get1_session(clientssl);
2903 /* Save for later */
2904 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2905 SSL_shutdown(clientssl);
2906 SSL_shutdown(serverssl);
2907 SSL_free(serverssl);
2908 SSL_free(clientssl);
2909 serverssl = clientssl = NULL;
2910
71cff963 2911# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 2912 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 2913 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2914 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 2915 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2916 NULL, NULL))
2917 || !TEST_true(SSL_set_session(clientssl, clntsess))
2918 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2919 SSL_ERROR_NONE))
2920 || !TEST_true(SSL_session_reused(clientssl)))
2921 goto end;
2922
2923 SSL_SESSION_free(clntsess);
2924 clntsess = SSL_get1_session(clientssl);
2925 SSL_shutdown(clientssl);
2926 SSL_shutdown(serverssl);
2927 SSL_free(serverssl);
2928 SSL_free(clientssl);
2929 serverssl = clientssl = NULL;
71cff963 2930# endif
ca0413ae
MC		 2931
2932 /*
2933 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2934 * succeeds but does not resume.
ca0413ae 2935 */
f865b081 2936 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2937 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2938 NULL, NULL))
2939 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2940 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2941 SSL_ERROR_SSL))
0de6d66d 2942 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2943 goto end;
2944
2945 SSL_SESSION_free(clntsess);
2946 clntsess = NULL;
2947 SSL_shutdown(clientssl);
2948 SSL_shutdown(serverssl);
2949 SSL_free(serverssl);
2950 SSL_free(clientssl);
2951 serverssl = clientssl = NULL;
2952
2953 /* Create a session based on SHA384 */
f865b081 2954 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2955 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2956 &clientssl, NULL, NULL))
2957 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2958 SSL_ERROR_NONE)))
2959 goto end;
2960
2961 clntsess = SSL_get1_session(clientssl);
2962 SSL_shutdown(clientssl);
2963 SSL_shutdown(serverssl);
2964 SSL_free(serverssl);
2965 SSL_free(clientssl);
2966 serverssl = clientssl = NULL;
2967
f865b081
MC		 2968 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2969 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2970 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2971 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2972 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2973 NULL, NULL))
2974 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2975 /*
2976 * We use SSL_ERROR_WANT_READ below so that we can pause the
2977 * connection after the initial ClientHello has been sent to
2978 * enable us to make some session changes.
2979 */
ca0413ae
MC		 2980 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2981 SSL_ERROR_WANT_READ)))
2982 goto end;
2983
2984 /* Trick the client into thinking this session is for a different digest */
2985 clntsess->cipher = aes_128_gcm_sha256;
2986 clntsess->cipher_id = clntsess->cipher->id;
2987
2988 /*
3b0e88d3
MC		 2989 * Continue the previously started connection. Server has selected a SHA-384
2990 * ciphersuite, but client thinks the session is for SHA-256, so it should
2991 * bail out.
ca0413ae
MC		 2992 */
2993 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2994 SSL_ERROR_SSL))
2995 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2996 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2997 goto end;
2998
2999 testresult = 1;
3000
3001 end:
3002 SSL_SESSION_free(clntsess);
3003 SSL_free(serverssl);
3004 SSL_free(clientssl);
3005 SSL_CTX_free(sctx);
3006 SSL_CTX_free(cctx);
3007
3008 return testresult;
3009}
3010
0d8da779
MC		 3011/*
3012 * Test TLSv1.3 PSKs
3013 * Test 0 = Test new style callbacks
3014 * Test 1 = Test both new and old style callbacks
3015 * Test 2 = Test old style callbacks
3016 * Test 3 = Test old style callbacks with no certificate
3017 */
532f9578 3018static int test_tls13_psk(int idx)
ca8c71ba
MC		 3019{
3020 SSL_CTX *sctx = NULL, *cctx = NULL;
3021 SSL *serverssl = NULL, *clientssl = NULL;
3022 const SSL_CIPHER *cipher = NULL;
3023 const unsigned char key[] = {
3024 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3025 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 3026 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3027 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 3028 };
3029 int testresult = 0;
3030
7d7f6834
RL		 3031 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3032 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 3033 &sctx, &cctx, idx == 3 ? NULL : cert,
3034 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 3035 goto end;
3036
0d8da779
MC		 3037 if (idx != 3) {
3038 /*
3039 * We use a ciphersuite with SHA256 to ease testing old style PSK
3040 * callbacks which will always default to SHA256. This should not be
3041 * necessary if we have no cert/priv key. In that case the server should
3042 * prefer SHA256 automatically.
3043 */
3044 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3045 "TLS_AES_128_GCM_SHA256")))
3046 goto end;
3047 }
532f9578
MC		 3048
3049 /*
3050 * Test 0: New style callbacks only
3051 * Test 1: New and old style callbacks (only the new ones should be used)
3052 * Test 2: Old style callbacks only
3053 */
3054 if (idx == 0 || idx == 1) {
3055 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3056 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3057 }
c2b290c3 3058#ifndef OPENSSL_NO_PSK
0d8da779 3059 if (idx >= 1) {
532f9578
MC		 3060 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3061 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3062 }
c2b290c3 3063#endif
ca8c71ba 3064 srvid = pskid;
02a3ed5a
MC		 3065 use_session_cb_cnt = 0;
3066 find_session_cb_cnt = 0;
532f9578
MC		 3067 psk_client_cb_cnt = 0;
3068 psk_server_cb_cnt = 0;
ca8c71ba 3069
0d8da779
MC		 3070 if (idx != 3) {
3071 /*
3072 * Check we can create a connection if callback decides not to send a
3073 * PSK
3074 */
3075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3076 NULL, NULL))
3077 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3078 SSL_ERROR_NONE))
3079 || !TEST_false(SSL_session_reused(clientssl))
3080 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3081 goto end;
532f9578 3082
0d8da779
MC		 3083 if (idx == 0 || idx == 1) {
3084 if (!TEST_true(use_session_cb_cnt == 1)
3085 || !TEST_true(find_session_cb_cnt == 0)
3086 /*
3087 * If no old style callback then below should be 0
3088 * otherwise 1
3089 */
3090 || !TEST_true(psk_client_cb_cnt == idx)
3091 || !TEST_true(psk_server_cb_cnt == 0))
3092 goto end;
3093 } else {
3094 if (!TEST_true(use_session_cb_cnt == 0)
3095 || !TEST_true(find_session_cb_cnt == 0)
3096 || !TEST_true(psk_client_cb_cnt == 1)
3097 || !TEST_true(psk_server_cb_cnt == 0))
3098 goto end;
3099 }
3100
3101 shutdown_ssl_connection(serverssl, clientssl);
3102 serverssl = clientssl = NULL;
3103 use_session_cb_cnt = psk_client_cb_cnt = 0;
3104 }
ca8c71ba
MC		 3105
3106 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3107 NULL, NULL)))
3108 goto end;
3109
3110 /* Create the PSK */
532f9578 3111 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3112 clientpsk = SSL_SESSION_new();
3113 if (!TEST_ptr(clientpsk)
ca8c71ba 3114 || !TEST_ptr(cipher)
57dee9bb
MC		 3115 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3116 sizeof(key)))
3117 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3118 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3119 TLS1_3_VERSION))
3120 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3121 goto end;
57dee9bb 3122 serverpsk = clientpsk;
ca8c71ba
MC		 3123
3124 /* Check we can create a connection and the PSK is used */
3125 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3126 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3127 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3128 goto end;
3129
532f9578
MC		 3130 if (idx == 0 || idx == 1) {
3131 if (!TEST_true(use_session_cb_cnt == 1)
3132 || !TEST_true(find_session_cb_cnt == 1)
3133 || !TEST_true(psk_client_cb_cnt == 0)
3134 || !TEST_true(psk_server_cb_cnt == 0))
3135 goto end;
3136 } else {
3137 if (!TEST_true(use_session_cb_cnt == 0)
3138 || !TEST_true(find_session_cb_cnt == 0)
3139 || !TEST_true(psk_client_cb_cnt == 1)
3140 || !TEST_true(psk_server_cb_cnt == 1))
3141 goto end;
3142 }
3143
ca8c71ba
MC		 3144 shutdown_ssl_connection(serverssl, clientssl);
3145 serverssl = clientssl = NULL;
3146 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3147 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3148
3149 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3150 NULL, NULL)))
3151 goto end;
3152
3153 /* Force an HRR */
3154 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3155 goto end;
3156
3157 /*
3158 * Check we can create a connection, the PSK is used and the callbacks are
3159 * called twice.
3160 */
3161 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3162 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3163 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3164 goto end;
3165
532f9578
MC		 3166 if (idx == 0 || idx == 1) {
3167 if (!TEST_true(use_session_cb_cnt == 2)
3168 || !TEST_true(find_session_cb_cnt == 2)
3169 || !TEST_true(psk_client_cb_cnt == 0)
3170 || !TEST_true(psk_server_cb_cnt == 0))
3171 goto end;
3172 } else {
3173 if (!TEST_true(use_session_cb_cnt == 0)
3174 || !TEST_true(find_session_cb_cnt == 0)
3175 || !TEST_true(psk_client_cb_cnt == 2)
3176 || !TEST_true(psk_server_cb_cnt == 2))
3177 goto end;
3178 }
3179
ca8c71ba
MC		 3180 shutdown_ssl_connection(serverssl, clientssl);
3181 serverssl = clientssl = NULL;
3182 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3183 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3184
0d8da779
MC		 3185 if (idx != 3) {
3186 /*
3187 * Check that if the server rejects the PSK we can still connect, but with
3188 * a full handshake
3189 */
3190 srvid = "Dummy Identity";
3191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3192 NULL, NULL))
3193 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3194 SSL_ERROR_NONE))
3195 || !TEST_false(SSL_session_reused(clientssl))
3196 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3197 goto end;
532f9578 3198
0d8da779
MC		 3199 if (idx == 0 || idx == 1) {
3200 if (!TEST_true(use_session_cb_cnt == 1)
3201 || !TEST_true(find_session_cb_cnt == 1)
3202 || !TEST_true(psk_client_cb_cnt == 0)
3203 /*
3204 * If no old style callback then below should be 0
3205 * otherwise 1
3206 */
3207 || !TEST_true(psk_server_cb_cnt == idx))
3208 goto end;
3209 } else {
3210 if (!TEST_true(use_session_cb_cnt == 0)
3211 || !TEST_true(find_session_cb_cnt == 0)
3212 || !TEST_true(psk_client_cb_cnt == 1)
3213 || !TEST_true(psk_server_cb_cnt == 1))
3214 goto end;
3215 }
3216
3217 shutdown_ssl_connection(serverssl, clientssl);
3218 serverssl = clientssl = NULL;
3219 }
ca8c71ba
MC		 3220 testresult = 1;
3221
3222 end:
57dee9bb
MC		 3223 SSL_SESSION_free(clientpsk);
3224 SSL_SESSION_free(serverpsk);
3225 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3226 SSL_free(serverssl);
3227 SSL_free(clientssl);
3228 SSL_CTX_free(sctx);
3229 SSL_CTX_free(cctx);
3230 return testresult;
3231}
3232
c7b8ff25
MC		 3233static unsigned char cookie_magic_value[] = "cookie magic";
3234
3235static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3236 unsigned int *cookie_len)
3237{
3238 /*
3239 * Not suitable as a real cookie generation function but good enough for
3240 * testing!
3241 */
97ea1e7f
MC		 3242 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3243 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3244
3245 return 1;
3246}
3247
3248static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3249 unsigned int cookie_len)
3250{
97ea1e7f 3251 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3252 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3253 return 1;
3254
3255 return 0;
3256}
3257
3fa2812f
BS		 3258static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3259 size_t *cookie_len)
3260{
3261 unsigned int temp;
3262 int res = generate_cookie_callback(ssl, cookie, &temp);
3263 *cookie_len = temp;
3264 return res;
3265}
3266
3267static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3268 size_t cookie_len)
3269{
3270 return verify_cookie_callback(ssl, cookie, cookie_len);
3271}
3272
c7b8ff25
MC		 3273static int test_stateless(void)
3274{
3275 SSL_CTX *sctx = NULL, *cctx = NULL;
3276 SSL *serverssl = NULL, *clientssl = NULL;
3277 int testresult = 0;
3278
7d7f6834
RL		 3279 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3280 TLS1_VERSION, TLS_MAX_VERSION,
3281 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3282 goto end;
3283
e440f513
MC		 3284 /* The arrival of CCS messages can confuse the test */
3285 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3286
3287 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3288 NULL, NULL))
3289 /* Send the first ClientHello */
3290 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3291 SSL_ERROR_WANT_READ))
3292 /*
3293 * This should fail with a -1 return because we have no callbacks
3294 * set up
3295 */
3296 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3297 goto end;
3298
3299 /* Fatal error so abandon the connection from this client */
3300 SSL_free(clientssl);
3301 clientssl = NULL;
3302
c7b8ff25 3303 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3304 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3305 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3306
e440f513
MC		 3307 /*
3308 * Create a new connection from the client (we can reuse the server SSL
3309 * object).
3310 */
c7b8ff25
MC		 3311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3312 NULL, NULL))
3313 /* Send the first ClientHello */
3314 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3315 SSL_ERROR_WANT_READ))
3316 /* This should fail because there is no cookie */
e440f513 3317 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3318 goto end;
3319
3320 /* Abandon the connection from this client */
3321 SSL_free(clientssl);
3322 clientssl = NULL;
3323
3324 /*
3325 * Now create a connection from a new client but with the same server SSL
3326 * object
3327 */
3328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3329 NULL, NULL))
3330 /* Send the first ClientHello */
3331 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3332 SSL_ERROR_WANT_READ))
3333 /* This should fail because there is no cookie */
e440f513 3334 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3335 /* Send the second ClientHello */
3336 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3337 SSL_ERROR_WANT_READ))
3338 /* This should succeed because a cookie is now present */
e440f513 3339 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3340 /* Complete the connection */
3341 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3342 SSL_ERROR_NONE)))
3343 goto end;
3344
3345 shutdown_ssl_connection(serverssl, clientssl);
3346 serverssl = clientssl = NULL;
3347 testresult = 1;
3348
3349 end:
3350 SSL_free(serverssl);
3351 SSL_free(clientssl);
3352 SSL_CTX_free(sctx);
3353 SSL_CTX_free(cctx);
3354 return testresult;
3355
3356}
ca0413ae 3357#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3358
a37008d9
MC		 3359static int clntaddoldcb = 0;
3360static int clntparseoldcb = 0;
3361static int srvaddoldcb = 0;
3362static int srvparseoldcb = 0;
3363static int clntaddnewcb = 0;
3364static int clntparsenewcb = 0;
3365static int srvaddnewcb = 0;
3366static int srvparsenewcb = 0;
bb01ef3f 3367static int snicb = 0;
a37008d9
MC		 3368
3369#define TEST_EXT_TYPE1 0xff00
3370
3371static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3372 size_t *outlen, int *al, void *add_arg)
3373{
3374 int *server = (int *)add_arg;
3375 unsigned char *data;
3376
3377 if (SSL_is_server(s))
3378 srvaddoldcb++;
3379 else
3380 clntaddoldcb++;
3381
710756a9
RS		 3382 if (*server != SSL_is_server(s)
3383 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3384 return -1;
3385
3386 *data = 1;
3387 *out = data;
3388 *outlen = sizeof(char);
a37008d9
MC		 3389 return 1;
3390}
3391
3392static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3393 void *add_arg)
3394{
3395 OPENSSL_free((unsigned char *)out);
3396}
3397
3398static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3399 size_t inlen, int *al, void *parse_arg)
3400{
3401 int *server = (int *)parse_arg;
3402
3403 if (SSL_is_server(s))
3404 srvparseoldcb++;
3405 else
3406 clntparseoldcb++;
3407
710756a9
RS		 3408 if (*server != SSL_is_server(s)
3409 || inlen != sizeof(char)
3410 || *in != 1)
a37008d9
MC		 3411 return -1;
3412
3413 return 1;
3414}
3415
3416static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3417 const unsigned char **out, size_t *outlen, X509 *x,
3418 size_t chainidx, int *al, void *add_arg)
3419{
3420 int *server = (int *)add_arg;
3421 unsigned char *data;
3422
3423 if (SSL_is_server(s))
3424 srvaddnewcb++;
3425 else
3426 clntaddnewcb++;
3427
710756a9
RS		 3428 if (*server != SSL_is_server(s)
3429 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3430 return -1;
3431
3432 *data = 1;
3433 *out = data;
710756a9 3434 *outlen = sizeof(*data);
a37008d9
MC		 3435 return 1;
3436}
3437
3438static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3439 const unsigned char *out, void *add_arg)
3440{
3441 OPENSSL_free((unsigned char *)out);
3442}
3443
3444static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3445 const unsigned char *in, size_t inlen, X509 *x,
3446 size_t chainidx, int *al, void *parse_arg)
3447{
3448 int *server = (int *)parse_arg;
3449
3450 if (SSL_is_server(s))
3451 srvparsenewcb++;
3452 else
3453 clntparsenewcb++;
3454
710756a9
RS		 3455 if (*server != SSL_is_server(s)
3456 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3457 return -1;
3458
3459 return 1;
3460}
bb01ef3f
MC		 3461
3462static int sni_cb(SSL *s, int *al, void *arg)
3463{
3464 SSL_CTX *ctx = (SSL_CTX *)arg;
3465
3466 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3467 *al = SSL_AD_INTERNAL_ERROR;
3468 return SSL_TLSEXT_ERR_ALERT_FATAL;
3469 }
3470 snicb++;
3471 return SSL_TLSEXT_ERR_OK;
3472}
3473
a37008d9
MC		 3474/*
3475 * Custom call back tests.
3476 * Test 0: Old style callbacks in TLSv1.2
3477 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3478 * Test 2: New style callbacks in TLSv1.2 with SNI
3479 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3480 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3481 */
710756a9
RS		 3482static int test_custom_exts(int tst)
3483{
bb01ef3f 3484 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3485 SSL *clientssl = NULL, *serverssl = NULL;
3486 int testresult = 0;
3487 static int server = 1;
3488 static int client = 0;
3489 SSL_SESSION *sess = NULL;
3490 unsigned int context;
3491
c423ecaa
MC		 3492#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3493 /* Skip tests for TLSv1.2 and below in this case */
3494 if (tst < 3)
3495 return 1;
3496#endif
3497
a37008d9
MC		 3498 /* Reset callback counters */
3499 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3500 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3501 snicb = 0;
a37008d9 3502
7d7f6834
RL		 3503 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3504 TLS1_VERSION, TLS_MAX_VERSION,
3505 &sctx, &cctx, cert, privkey)))
710756a9 3506 goto end;
a37008d9 3507
bb01ef3f 3508 if (tst == 2
7d7f6834
RL		 3509 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3510 TLS1_VERSION, TLS_MAX_VERSION,
3511 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3512 goto end;
3513
3514
3515 if (tst < 3) {
a37008d9
MC		 3516 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3517 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3518 if (sctx2 != NULL)
3519 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3520 }
3521
bb01ef3f 3522 if (tst == 4) {
710756a9
RS		 3523 context = SSL_EXT_CLIENT_HELLO
3524 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3525 | SSL_EXT_TLS1_3_SERVER_HELLO
3526 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3527 | SSL_EXT_TLS1_3_CERTIFICATE
3528 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3529 } else {
710756a9
RS		 3530 context = SSL_EXT_CLIENT_HELLO
3531 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3532 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3533 }
3534
3535 /* Create a client side custom extension */
3536 if (tst == 0) {
710756a9
RS		 3537 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3538 old_add_cb, old_free_cb,
3539 &client, old_parse_cb,
3540 &client)))
3541 goto end;
a37008d9 3542 } else {
710756a9
RS		 3543 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3544 new_add_cb, new_free_cb,
3545 &client, new_parse_cb, &client)))
3546 goto end;
a37008d9
MC		 3547 }
3548
3549 /* Should not be able to add duplicates */
710756a9
RS		 3550 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3551 old_add_cb, old_free_cb,
3552 &client, old_parse_cb,
3553 &client))
3554 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3555 context, new_add_cb,
3556 new_free_cb, &client,
3557 new_parse_cb, &client)))
3558 goto end;
a37008d9
MC		 3559
3560 /* Create a server side custom extension */
3561 if (tst == 0) {
710756a9
RS		 3562 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3563 old_add_cb, old_free_cb,
3564 &server, old_parse_cb,
3565 &server)))
3566 goto end;
a37008d9 3567 } else {
710756a9
RS		 3568 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3569 new_add_cb, new_free_cb,
3570 &server, new_parse_cb, &server)))
3571 goto end;
bb01ef3f
MC		 3572 if (sctx2 != NULL
3573 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3574 context, new_add_cb,
3575 new_free_cb, &server,
3576 new_parse_cb, &server)))
3577 goto end;
a37008d9
MC		 3578 }
3579
3580 /* Should not be able to add duplicates */
710756a9
RS		 3581 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3582 old_add_cb, old_free_cb,
3583 &server, old_parse_cb,
3584 &server))
3585 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3586 context, new_add_cb,
3587 new_free_cb, &server,
3588 new_parse_cb, &server)))
a37008d9 3589 goto end;
a37008d9 3590
bb01ef3f
MC		 3591 if (tst == 2) {
3592 /* Set up SNI */
3593 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3594 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3595 goto end;
3596 }
3597
710756a9
RS		 3598 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3599 &clientssl, NULL, NULL))
3600 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3601 SSL_ERROR_NONE)))
a37008d9 3602 goto end;
a37008d9
MC		 3603
3604 if (tst == 0) {
710756a9
RS		 3605 if (clntaddoldcb != 1
3606 || clntparseoldcb != 1
3607 || srvaddoldcb != 1
3608 || srvparseoldcb != 1)
a37008d9 3609 goto end;
bb01ef3f 3610 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3611 if (clntaddnewcb != 1
3612 || clntparsenewcb != 1
3613 || srvaddnewcb != 1
bb01ef3f
MC		 3614 || srvparsenewcb != 1
3615 || (tst != 2 && snicb != 0)
3616 || (tst == 2 && snicb != 1))
a37008d9 3617 goto end;
a37008d9 3618 } else {
36ff232c 3619 /* In this case there 2 NewSessionTicket messages created */
710756a9 3620 if (clntaddnewcb != 1
36ff232c
MC		 3621 || clntparsenewcb != 5
3622 || srvaddnewcb != 5
710756a9 3623 || srvparsenewcb != 1)
a37008d9 3624 goto end;
a37008d9
MC		 3625 }
3626
3627 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3628 SSL_shutdown(clientssl);
3629 SSL_shutdown(serverssl);
a37008d9
MC		 3630 SSL_free(serverssl);
3631 SSL_free(clientssl);
3632 serverssl = clientssl = NULL;
3633
bb01ef3f
MC		 3634 if (tst == 3) {
3635 /* We don't bother with the resumption aspects for this test */
3636 testresult = 1;
3637 goto end;
3638 }
3639
710756a9
RS		 3640 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3641 NULL, NULL))
3642 || !TEST_true(SSL_set_session(clientssl, sess))
3643 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3644 SSL_ERROR_NONE)))
a37008d9 3645 goto end;
a37008d9
MC		 3646
3647 /*
3648 * For a resumed session we expect to add the ClientHello extension. For the
3649 * old style callbacks we ignore it on the server side because they set
3650 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3651 * them.
3652 */
3653 if (tst == 0) {
710756a9
RS		 3654 if (clntaddoldcb != 2
3655 || clntparseoldcb != 1
3656 || srvaddoldcb != 1
3657 || srvparseoldcb != 1)
a37008d9 3658 goto end;
bb01ef3f 3659 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3660 if (clntaddnewcb != 2
3661 || clntparsenewcb != 2
3662 || srvaddnewcb != 2
3663 || srvparsenewcb != 2)
a37008d9 3664 goto end;
a37008d9 3665 } else {
36ff232c
MC		 3666 /*
3667 * No Certificate message extensions in the resumption handshake,
3668 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3669 */
710756a9 3670 if (clntaddnewcb != 2
36ff232c
MC		 3671 || clntparsenewcb != 8
3672 || srvaddnewcb != 8
710756a9 3673 || srvparsenewcb != 2)
a37008d9 3674 goto end;
a37008d9
MC		 3675 }
3676
3677 testresult = 1;
3678
3679end:
3680 SSL_SESSION_free(sess);
3681 SSL_free(serverssl);
3682 SSL_free(clientssl);
bb01ef3f 3683 SSL_CTX_free(sctx2);
a37008d9
MC		 3684 SSL_CTX_free(sctx);
3685 SSL_CTX_free(cctx);
a37008d9
MC		 3686 return testresult;
3687}
3688
16afd71c
MC		 3689/*
3690 * Test loading of serverinfo data in various formats. test_sslmessages actually
3691 * tests to make sure the extensions appear in the handshake
3692 */
3693static int test_serverinfo(int tst)
3694{
3695 unsigned int version;
3696 unsigned char *sibuf;
3697 size_t sibuflen;
3698 int ret, expected, testresult = 0;
3699 SSL_CTX *ctx;
3700
3701 ctx = SSL_CTX_new(TLS_method());
3702 if (!TEST_ptr(ctx))
3703 goto end;
3704
3705 if ((tst & 0x01) == 0x01)
3706 version = SSL_SERVERINFOV2;
3707 else
3708 version = SSL_SERVERINFOV1;
3709
3710 if ((tst & 0x02) == 0x02) {
3711 sibuf = serverinfov2;
3712 sibuflen = sizeof(serverinfov2);
3713 expected = (version == SSL_SERVERINFOV2);
3714 } else {
3715 sibuf = serverinfov1;
3716 sibuflen = sizeof(serverinfov1);
3717 expected = (version == SSL_SERVERINFOV1);
3718 }
3719
3720 if ((tst & 0x04) == 0x04) {
3721 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3722 } else {
3723 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3724
3725 /*
3726 * The version variable is irrelevant in this case - it's what is in the
3727 * buffer that matters
3728 */
3729 if ((tst & 0x02) == 0x02)
3730 expected = 0;
3731 else
3732 expected = 1;
3733 }
3734
3735 if (!TEST_true(ret == expected))
3736 goto end;
3737
3738 testresult = 1;
3739
3740 end:
3741 SSL_CTX_free(ctx);
3742
3743 return testresult;
3744}
3745
2197d1df
MC		 3746/*
3747 * Test that SSL_export_keying_material() produces expected results. There are
3748 * no test vectors so all we do is test that both sides of the communication
3749 * produce the same results for different protocol versions.
3750 */
3751static int test_export_key_mat(int tst)
3752{
a599574b 3753 int testresult = 0;
2197d1df
MC		 3754 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3755 SSL *clientssl = NULL, *serverssl = NULL;
3756 const char label[] = "test label";
3757 const unsigned char context[] = "context";
3758 const unsigned char *emptycontext = NULL;
3759 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3760 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3761 const int protocols[] = {
3762 TLS1_VERSION,
3763 TLS1_1_VERSION,
3764 TLS1_2_VERSION,
3765 TLS1_3_VERSION
3766 };
2197d1df
MC		 3767
3768#ifdef OPENSSL_NO_TLS1
3769 if (tst == 0)
3770 return 1;
3771#endif
3772#ifdef OPENSSL_NO_TLS1_1
3773 if (tst == 1)
3774 return 1;
3775#endif
3776#ifdef OPENSSL_NO_TLS1_2
3777 if (tst == 2)
3778 return 1;
3779#endif
3780#ifdef OPENSSL_NO_TLS1_3
3781 if (tst == 3)
3782 return 1;
3783#endif
7d7f6834
RL		 3784 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3785 TLS1_VERSION, TLS_MAX_VERSION,
3786 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 3787 goto end;
3788
a599574b
MC		 3789 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3790 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3791 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3792
3793 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3794 NULL))
3795 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3796 SSL_ERROR_NONE)))
3797 goto end;
3798
3799 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3800 sizeof(ckeymat1), label,
3801 sizeof(label) - 1, context,
3802 sizeof(context) - 1, 1), 1)
3803 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3804 sizeof(ckeymat2), label,
3805 sizeof(label) - 1,
3806 emptycontext,
3807 0, 1), 1)
3808 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3809 sizeof(ckeymat3), label,
3810 sizeof(label) - 1,
3811 NULL, 0, 0), 1)
3812 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3813 sizeof(skeymat1), label,
3814 sizeof(label) - 1,
3815 context,
3816 sizeof(context) -1, 1),
3817 1)
3818 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3819 sizeof(skeymat2), label,
3820 sizeof(label) - 1,
3821 emptycontext,
3822 0, 1), 1)
3823 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3824 sizeof(skeymat3), label,
3825 sizeof(label) - 1,
3826 NULL, 0, 0), 1)
3827 /*
3828 * Check that both sides created the same key material with the
3829 * same context.
3830 */
3831 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3832 sizeof(skeymat1))
3833 /*
3834 * Check that both sides created the same key material with an
3835 * empty context.
3836 */
3837 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3838 sizeof(skeymat2))
3839 /*
3840 * Check that both sides created the same key material without a
3841 * context.
3842 */
3843 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3844 sizeof(skeymat3))
3845 /* Different contexts should produce different results */
3846 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3847 sizeof(ckeymat2)))
3848 goto end;
3849
3850 /*
3851 * Check that an empty context and no context produce different results in
3852 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3853 */
3854 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3855 sizeof(ckeymat3)))
3856 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3857 sizeof(ckeymat3))))
3858 goto end;
3859
3860 testresult = 1;
3861
3862 end:
3863 SSL_free(serverssl);
3864 SSL_free(clientssl);
3865 SSL_CTX_free(sctx2);
3866 SSL_CTX_free(sctx);
3867 SSL_CTX_free(cctx);
3868
3869 return testresult;
3870}
3871
b38ede80
TT		 3872#ifndef OPENSSL_NO_TLS1_3
3873/*
3874 * Test that SSL_export_keying_material_early() produces expected
3875 * results. There are no test vectors so all we do is test that both
3876 * sides of the communication produce the same results for different
3877 * protocol versions.
3878 */
3879static int test_export_key_mat_early(int idx)
3880{
3881 static const char label[] = "test label";
3882 static const unsigned char context[] = "context";
3883 int testresult = 0;
3884 SSL_CTX *cctx = NULL, *sctx = NULL;
3885 SSL *clientssl = NULL, *serverssl = NULL;
3886 SSL_SESSION *sess = NULL;
3887 const unsigned char *emptycontext = NULL;
3888 unsigned char ckeymat1[80], ckeymat2[80];
3889 unsigned char skeymat1[80], skeymat2[80];
3890 unsigned char buf[1];
3891 size_t readbytes, written;
3892
3893 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3894 &sess, idx)))
3895 goto end;
3896
3897 /* Here writing 0 length early data is enough. */
3898 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3899 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3900 &readbytes),
3901 SSL_READ_EARLY_DATA_ERROR)
3902 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3903 SSL_EARLY_DATA_ACCEPTED))
3904 goto end;
3905
3906 if (!TEST_int_eq(SSL_export_keying_material_early(
3907 clientssl, ckeymat1, sizeof(ckeymat1), label,
3908 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3909 || !TEST_int_eq(SSL_export_keying_material_early(
3910 clientssl, ckeymat2, sizeof(ckeymat2), label,
3911 sizeof(label) - 1, emptycontext, 0), 1)
3912 || !TEST_int_eq(SSL_export_keying_material_early(
3913 serverssl, skeymat1, sizeof(skeymat1), label,
3914 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3915 || !TEST_int_eq(SSL_export_keying_material_early(
3916 serverssl, skeymat2, sizeof(skeymat2), label,
3917 sizeof(label) - 1, emptycontext, 0), 1)
3918 /*
3919 * Check that both sides created the same key material with the
3920 * same context.
3921 */
3922 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3923 sizeof(skeymat1))
3924 /*
3925 * Check that both sides created the same key material with an
3926 * empty context.
3927 */
3928 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3929 sizeof(skeymat2))
3930 /* Different contexts should produce different results */
3931 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3932 sizeof(ckeymat2)))
3933 goto end;
3934
3935 testresult = 1;
3936
3937 end:
c20e3b28 3938 SSL_SESSION_free(sess);
b38ede80
TT		 3939 SSL_SESSION_free(clientpsk);
3940 SSL_SESSION_free(serverpsk);
34ff74eb 3941 clientpsk = serverpsk = NULL;
b38ede80
TT		 3942 SSL_free(serverssl);
3943 SSL_free(clientssl);
3944 SSL_CTX_free(sctx);
3945 SSL_CTX_free(cctx);
3946
3947 return testresult;
3948}
3949#endif /* OPENSSL_NO_TLS1_3 */
3950
e11b6aa4
MC		 3951static int test_ssl_clear(int idx)
3952{
3953 SSL_CTX *cctx = NULL, *sctx = NULL;
3954 SSL *clientssl = NULL, *serverssl = NULL;
3955 int testresult = 0;
3956
3957#ifdef OPENSSL_NO_TLS1_2
3958 if (idx == 1)
3959 return 1;
3960#endif
3961
3962 /* Create an initial connection */
7d7f6834
RL		 3963 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3964 TLS1_VERSION, TLS_MAX_VERSION,
3965 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 3966 || (idx == 1
3967 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3968 TLS1_2_VERSION)))
3969 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3970 &clientssl, NULL, NULL))
3971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3972 SSL_ERROR_NONE)))
3973 goto end;
3974
3975 SSL_shutdown(clientssl);
3976 SSL_shutdown(serverssl);
3977 SSL_free(serverssl);
3978 serverssl = NULL;
3979
3980 /* Clear clientssl - we're going to reuse the object */
3981 if (!TEST_true(SSL_clear(clientssl)))
3982 goto end;
3983
3984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3985 NULL, NULL))
3986 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3987 SSL_ERROR_NONE))
3988 || !TEST_true(SSL_session_reused(clientssl)))
3989 goto end;
3990
3991 SSL_shutdown(clientssl);
3992 SSL_shutdown(serverssl);
3993
3994 testresult = 1;
3995
3996 end:
3997 SSL_free(serverssl);
3998 SSL_free(clientssl);
3999 SSL_CTX_free(sctx);
4000 SSL_CTX_free(cctx);
4001
4002 return testresult;
4003}
4004
cf72c757
F		 4005/* Parse CH and retrieve any MFL extension value if present */
4006static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4007{
4008 long len;
4009 unsigned char *data;
4010 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4011 unsigned int MFL_code = 0, type = 0;
4012
4013 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4014 goto end;
4015
4016 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4017 /* Skip the record header */
4018 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4019 /* Skip the handshake message header */
4020 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4021 /* Skip client version and random */
4022 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4023 + SSL3_RANDOM_SIZE))
4024 /* Skip session id */
4025 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4026 /* Skip ciphers */
4027 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4028 /* Skip compression */
4029 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4030 /* Extensions len */
4031 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4032 goto end;
4033
4034 /* Loop through all extensions */
4035 while (PACKET_remaining(&pkt2)) {
4036 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4037 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4038 goto end;
4039
4040 if (type == TLSEXT_TYPE_max_fragment_length) {
4041 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4042 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4043 goto end;
4044
4045 *mfl_codemfl_code = MFL_code;
4046 return 1;
4047 }
4048 }
4049
4050 end:
4051 return 0;
4052}
4053
4054/* Maximum-Fragment-Length TLS extension mode to test */
4055static const unsigned char max_fragment_len_test[] = {
4056 TLSEXT_max_fragment_length_512,
4057 TLSEXT_max_fragment_length_1024,
4058 TLSEXT_max_fragment_length_2048,
4059 TLSEXT_max_fragment_length_4096
4060};
4061
4062static int test_max_fragment_len_ext(int idx_tst)
4063{
4064 SSL_CTX *ctx;
4065 SSL *con = NULL;
4066 int testresult = 0, MFL_mode = 0;
4067 BIO *rbio, *wbio;
4068
4069 ctx = SSL_CTX_new(TLS_method());
4070 if (!TEST_ptr(ctx))
4071 goto end;
4072
4073 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4074 ctx, max_fragment_len_test[idx_tst])))
4075 goto end;
4076
4077 con = SSL_new(ctx);
4078 if (!TEST_ptr(con))
4079 goto end;
4080
4081 rbio = BIO_new(BIO_s_mem());
4082 wbio = BIO_new(BIO_s_mem());
4083 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4084 BIO_free(rbio);
4085 BIO_free(wbio);
4086 goto end;
4087 }
4088
4089 SSL_set_bio(con, rbio, wbio);
4090 SSL_set_connect_state(con);
4091
4092 if (!TEST_int_le(SSL_connect(con), 0)) {
4093 /* This shouldn't succeed because we don't have a server! */
4094 goto end;
4095 }
4096
4097 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4098 /* no MFL in client hello */
4099 goto end;
4100 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4101 goto end;
4102
4103 testresult = 1;
4104
4105end:
4106 SSL_free(con);
4107 SSL_CTX_free(ctx);
4108
4109 return testresult;
4110}
4111
9d75dce3
TS		 4112#ifndef OPENSSL_NO_TLS1_3
4113static int test_pha_key_update(void)
4114{
4115 SSL_CTX *cctx = NULL, *sctx = NULL;
4116 SSL *clientssl = NULL, *serverssl = NULL;
4117 int testresult = 0;
4118
7d7f6834
RL		 4119 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4120 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 4121 &sctx, &cctx, cert, privkey)))
4122 return 0;
4123
4124 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4125 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4126 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4127 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4128 goto end;
4129
4130
4131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4132 NULL, NULL)))
4133 goto end;
4134
4135 SSL_force_post_handshake_auth(clientssl);
4136
4137 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4138 SSL_ERROR_NONE)))
4139 goto end;
4140
4141 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4142 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4143 goto end;
4144
4145 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4146 goto end;
4147
4148 /* Start handshake on the server */
4149 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4150 goto end;
4151
4152 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4153 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4154 SSL_ERROR_NONE)))
4155 goto end;
4156
4157 SSL_shutdown(clientssl);
4158 SSL_shutdown(serverssl);
4159
4160 testresult = 1;
4161
4162 end:
4163 SSL_free(serverssl);
4164 SSL_free(clientssl);
4165 SSL_CTX_free(sctx);
4166 SSL_CTX_free(cctx);
4167 return testresult;
4168}
4169#endif
4170
76fd7a1d
MC		 4171#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4172
4173static SRP_VBASE *vbase = NULL;
4174
4175static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4176{
4177 int ret = SSL3_AL_FATAL;
4178 char *username;
4179 SRP_user_pwd *user = NULL;
4180
4181 username = SSL_get_srp_username(s);
4182 if (username == NULL) {
4183 *ad = SSL_AD_INTERNAL_ERROR;
4184 goto err;
4185 }
4186
4187 user = SRP_VBASE_get1_by_user(vbase, username);
4188 if (user == NULL) {
4189 *ad = SSL_AD_INTERNAL_ERROR;
4190 goto err;
4191 }
4192
4193 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4194 user->info) <= 0) {
4195 *ad = SSL_AD_INTERNAL_ERROR;
4196 goto err;
4197 }
4198
4199 ret = 0;
4200
4201 err:
4202 SRP_user_pwd_free(user);
4203 return ret;
4204}
4205
4206static int create_new_vfile(char *userid, char *password, const char *filename)
4207{
4208 char *gNid = NULL;
4209 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4210 TXT_DB *db = NULL;
4211 int ret = 0;
4212 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4213 size_t i;
4214
4215 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4216 goto end;
4217
4218 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4219 &row[DB_srpverifier], NULL, NULL);
4220 if (!TEST_ptr(gNid))
4221 goto end;
4222
4223 /*
4224 * The only way to create an empty TXT_DB is to provide a BIO with no data
4225 * in it!
4226 */
4227 db = TXT_DB_read(dummy, DB_NUMBER);
4228 if (!TEST_ptr(db))
4229 goto end;
4230
4231 out = BIO_new_file(filename, "w");
4232 if (!TEST_ptr(out))
4233 goto end;
4234
4235 row[DB_srpid] = OPENSSL_strdup(userid);
4236 row[DB_srptype] = OPENSSL_strdup("V");
4237 row[DB_srpgN] = OPENSSL_strdup(gNid);
4238
4239 if (!TEST_ptr(row[DB_srpid])
4240 || !TEST_ptr(row[DB_srptype])
4241 || !TEST_ptr(row[DB_srpgN])
4242 || !TEST_true(TXT_DB_insert(db, row)))
4243 goto end;
4244
4245 row = NULL;
4246
4247 if (!TXT_DB_write(out, db))
4248 goto end;
4249
4250 ret = 1;
4251 end:
4252 if (row != NULL) {
4253 for (i = 0; i < DB_NUMBER; i++)
4254 OPENSSL_free(row[i]);
4255 }
4256 OPENSSL_free(row);
4257 BIO_free(dummy);
4258 BIO_free(out);
4259 TXT_DB_free(db);
4260
4261 return ret;
4262}
4263
4264static int create_new_vbase(char *userid, char *password)
4265{
4266 BIGNUM *verifier = NULL, *salt = NULL;
4267 const SRP_gN *lgN = NULL;
4268 SRP_user_pwd *user_pwd = NULL;
4269 int ret = 0;
4270
4271 lgN = SRP_get_default_gN(NULL);
4272 if (!TEST_ptr(lgN))
4273 goto end;
4274
4275 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4276 lgN->N, lgN->g)))
4277 goto end;
4278
4279 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4280 if (!TEST_ptr(user_pwd))
4281 goto end;
4282
4283 user_pwd->N = lgN->N;
4284 user_pwd->g = lgN->g;
4285 user_pwd->id = OPENSSL_strdup(userid);
4286 if (!TEST_ptr(user_pwd->id))
4287 goto end;
4288
4289 user_pwd->v = verifier;
4290 user_pwd->s = salt;
4291 verifier = salt = NULL;
4292
4293 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4294 goto end;
4295 user_pwd = NULL;
4296
4297 ret = 1;
4298end:
4299 SRP_user_pwd_free(user_pwd);
4300 BN_free(salt);
4301 BN_free(verifier);
4302
4303 return ret;
4304}
4305
4306/*
4307 * SRP tests
4308 *
4309 * Test 0: Simple successful SRP connection, new vbase
4310 * Test 1: Connection failure due to bad password, new vbase
4311 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4312 * Test 3: Connection failure due to bad password, vbase loaded from existing
4313 * file
4314 * Test 4: Simple successful SRP connection, vbase loaded from new file
4315 * Test 5: Connection failure due to bad password, vbase loaded from new file
4316 */
4317static int test_srp(int tst)
4318{
4319 char *userid = "test", *password = "password", *tstsrpfile;
4320 SSL_CTX *cctx = NULL, *sctx = NULL;
4321 SSL *clientssl = NULL, *serverssl = NULL;
4322 int ret, testresult = 0;
4323
4324 vbase = SRP_VBASE_new(NULL);
4325 if (!TEST_ptr(vbase))
4326 goto end;
4327
4328 if (tst == 0 || tst == 1) {
4329 if (!TEST_true(create_new_vbase(userid, password)))
4330 goto end;
4331 } else {
4332 if (tst == 4 || tst == 5) {
4333 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4334 goto end;
4335 tstsrpfile = tmpfilename;
4336 } else {
4337 tstsrpfile = srpvfile;
4338 }
4339 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4340 goto end;
4341 }
4342
4343 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4344 TLS1_VERSION, TLS_MAX_VERSION,
4345 &sctx, &cctx, cert, privkey)))
4346 goto end;
4347
4348 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4349 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4350 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4351 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4352 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4353 goto end;
4354
4355 if (tst % 2 == 1) {
4356 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4357 goto end;
4358 } else {
4359 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4360 goto end;
4361 }
4362
4363 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4364 NULL, NULL)))
4365 goto end;
4366
4367 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4368 if (ret) {
4369 if (!TEST_true(tst % 2 == 0))
4370 goto end;
4371 } else {
4372 if (!TEST_true(tst % 2 == 1))
4373 goto end;
4374 }
4375
4376 testresult = 1;
4377
4378 end:
4379 SRP_VBASE_free(vbase);
4380 vbase = NULL;
4381 SSL_free(serverssl);
4382 SSL_free(clientssl);
4383 SSL_CTX_free(sctx);
4384 SSL_CTX_free(cctx);
4385
4386 return testresult;
4387}
4388#endif
4389
5718fe45
MC		 4390static int info_cb_failed = 0;
4391static int info_cb_offset = 0;
4392static int info_cb_this_state = -1;
4393
4394static struct info_cb_states_st {
4395 int where;
4396 const char *statestr;
4397} info_cb_states[][60] = {
4398 {
4399 /* TLSv1.2 server followed by resumption */
4400 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4401 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4402 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4403 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4404 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4405 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4406 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4407 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4408 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4409 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4410 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4411 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4412 {SSL_CB_EXIT, NULL}, {0, NULL},
4413 }, {
4414 /* TLSv1.2 client followed by resumption */
4415 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4416 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4417 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4418 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4419 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4420 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4421 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4422 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4423 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4424 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4425 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4426 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4427 }, {
4428 /* TLSv1.3 server followed by resumption */
4429 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4430 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4431 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4432 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4433 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4434 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4435 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4436 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4437 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4438 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4439 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4440 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4441 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4442 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4443 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4444 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4445 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4446 }, {
4447 /* TLSv1.3 client followed by resumption */
4448 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4449 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4450 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4451 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4452 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4453 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4454 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4455 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4456 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4457 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4458 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4459 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4460 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4461 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4462 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4463 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4464 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4465 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4466 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4467 }, {
4468 /* TLSv1.3 server, early_data */
4469 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4470 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4471 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4472 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4473 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4474 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4475 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4476 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4477 {SSL_CB_EXIT, NULL}, {0, NULL},
4478 }, {
4479 /* TLSv1.3 client, early_data */
4480 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4481 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4482 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4483 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4484 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4485 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4486 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4487 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4488 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4489 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4490 }, {
4491 {0, NULL},
4492 }
4493};
4494
4495static void sslapi_info_callback(const SSL *s, int where, int ret)
4496{
4497 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4498
4499 /* We do not ever expect a connection to fail in this test */
4500 if (!TEST_false(ret == 0)) {
4501 info_cb_failed = 1;
4502 return;
4503 }
4504
4505 /*
4506 * Do some sanity checks. We never expect these things to happen in this
4507 * test
4508 */
4509 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4510 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4511 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4512 info_cb_failed = 1;
4513 return;
4514 }
4515
4516 /* Now check we're in the right state */
4517 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4518 info_cb_failed = 1;
4519 return;
4520 }
4521 if ((where & SSL_CB_LOOP) != 0
4522 && !TEST_int_eq(strcmp(SSL_state_string(s),
4523 state[info_cb_this_state].statestr), 0)) {
4524 info_cb_failed = 1;
4525 return;
4526 }
033c181b
MC		 4527
4528 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4529 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4530 info_cb_failed = 1;
4531 return;
4532 }
5718fe45
MC		 4533}
4534
4535/*
4536 * Test the info callback gets called when we expect it to.
4537 *
4538 * Test 0: TLSv1.2, server
4539 * Test 1: TLSv1.2, client
4540 * Test 2: TLSv1.3, server
4541 * Test 3: TLSv1.3, client
4542 * Test 4: TLSv1.3, server, early_data
4543 * Test 5: TLSv1.3, client, early_data
4544 */
4545static int test_info_callback(int tst)
4546{
4547 SSL_CTX *cctx = NULL, *sctx = NULL;
4548 SSL *clientssl = NULL, *serverssl = NULL;
4549 SSL_SESSION *clntsess = NULL;
4550 int testresult = 0;
4551 int tlsvers;
4552
4553 if (tst < 2) {
1aac20f5
MC		 4554/* We need either ECDHE or DHE for the TLSv1.2 test to work */
4555#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4556 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 4557 tlsvers = TLS1_2_VERSION;
4558#else
4559 return 1;
4560#endif
4561 } else {
4562#ifndef OPENSSL_NO_TLS1_3
4563 tlsvers = TLS1_3_VERSION;
4564#else
4565 return 1;
4566#endif
4567 }
4568
4569 /* Reset globals */
4570 info_cb_failed = 0;
4571 info_cb_this_state = -1;
4572 info_cb_offset = tst;
4573
6e07834c 4574#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4575 if (tst >= 4) {
4576 SSL_SESSION *sess = NULL;
4577 size_t written, readbytes;
4578 unsigned char buf[80];
4579
4580 /* early_data tests */
4581 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4582 &serverssl, &sess, 0)))
4583 goto end;
4584
4585 /* We don't actually need this reference */
4586 SSL_SESSION_free(sess);
4587
4588 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4589 sslapi_info_callback);
4590
4591 /* Write and read some early data and then complete the connection */
4592 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4593 &written))
4594 || !TEST_size_t_eq(written, strlen(MSG1))
4595 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4596 sizeof(buf), &readbytes),
4597 SSL_READ_EARLY_DATA_SUCCESS)
4598 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4599 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4600 SSL_EARLY_DATA_ACCEPTED)
4601 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4602 SSL_ERROR_NONE))
4603 || !TEST_false(info_cb_failed))
4604 goto end;
4605
4606 testresult = 1;
4607 goto end;
4608 }
6e07834c 4609#endif
5718fe45
MC		 4610
4611 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4612 TLS_client_method(),
4613 tlsvers, tlsvers, &sctx, &cctx, cert,
4614 privkey)))
4615 goto end;
4616
4617 /*
4618 * For even numbered tests we check the server callbacks. For odd numbers we
4619 * check the client.
4620 */
4621 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4622 sslapi_info_callback);
4623
4624 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4625 &clientssl, NULL, NULL))
4626 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4627 SSL_ERROR_NONE))
4628 || !TEST_false(info_cb_failed))
4629 goto end;
4630
4631
4632
4633 clntsess = SSL_get1_session(clientssl);
4634 SSL_shutdown(clientssl);
4635 SSL_shutdown(serverssl);
4636 SSL_free(serverssl);
4637 SSL_free(clientssl);
4638 serverssl = clientssl = NULL;
4639
4640 /* Now do a resumption */
4641 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4642 NULL))
4643 || !TEST_true(SSL_set_session(clientssl, clntsess))
4644 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4645 SSL_ERROR_NONE))
4646 || !TEST_true(SSL_session_reused(clientssl))
4647 || !TEST_false(info_cb_failed))
4648 goto end;
4649
4650 testresult = 1;
4651
4652 end:
4653 SSL_free(serverssl);
4654 SSL_free(clientssl);
4655 SSL_SESSION_free(clntsess);
4656 SSL_CTX_free(sctx);
4657 SSL_CTX_free(cctx);
4658 return testresult;
4659}
4660
4a432af8
MC		 4661static int test_ssl_pending(int tst)
4662{
4663 SSL_CTX *cctx = NULL, *sctx = NULL;
4664 SSL *clientssl = NULL, *serverssl = NULL;
4665 int testresult = 0;
4666 char msg[] = "A test message";
4667 char buf[5];
4668 size_t written, readbytes;
4669
4670 if (tst == 0) {
4671 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4672 TLS_client_method(),
4673 TLS1_VERSION, TLS_MAX_VERSION,
4674 &sctx, &cctx, cert, privkey)))
4675 goto end;
4676 } else {
4677#ifndef OPENSSL_NO_DTLS
4678 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4679 DTLS_client_method(),
4680 DTLS1_VERSION, DTLS_MAX_VERSION,
4681 &sctx, &cctx, cert, privkey)))
4682 goto end;
4683#else
4684 return 1;
4685#endif
4686 }
4687
4688 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4689 NULL, NULL))
4690 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4691 SSL_ERROR_NONE)))
4692 goto end;
4693
e8251092
MC		 4694 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4695 || !TEST_false(SSL_has_pending(clientssl))
4696 || !TEST_int_eq(SSL_pending(serverssl), 0)
4697 || !TEST_false(SSL_has_pending(serverssl))
4698 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4699 || !TEST_size_t_eq(written, sizeof(msg))
4700 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4701 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4702 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4703 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4704 goto end;
4705
4706 testresult = 1;
4707
4708 end:
4709 SSL_free(serverssl);
4710 SSL_free(clientssl);
4711 SSL_CTX_free(sctx);
4712 SSL_CTX_free(cctx);
4713
4714 return testresult;
4715}
4716
e401389a
MC		 4717static struct {
4718 unsigned int maxprot;
4719 const char *clntciphers;
4720 const char *clnttls13ciphers;
4721 const char *srvrciphers;
4722 const char *srvrtls13ciphers;
4723 const char *shared;
4724} shared_ciphers_data[] = {
60155b9a
MC		 4725/*
4726 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4727 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4728 */
4729#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 4730 {
4731 TLS1_2_VERSION,
4732 "AES128-SHA:AES256-SHA",
4733 NULL,
4734 "AES256-SHA:DHE-RSA-AES128-SHA",
4735 NULL,
4736 "AES256-SHA"
4737 },
4738 {
4739 TLS1_2_VERSION,
4740 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4741 NULL,
4742 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4743 NULL,
4744 "AES128-SHA:AES256-SHA"
4745 },
4746 {
4747 TLS1_2_VERSION,
4748 "AES128-SHA:AES256-SHA",
4749 NULL,
4750 "AES128-SHA:DHE-RSA-AES128-SHA",
4751 NULL,
4752 "AES128-SHA"
4753 },
60155b9a
MC		 4754#endif
4755/*
4756 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4757 * enabled.
4758 */
4759#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4760 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 4761 {
4762 TLS1_3_VERSION,
4763 "AES128-SHA:AES256-SHA",
4764 NULL,
4765 "AES256-SHA:AES128-SHA256",
4766 NULL,
4767 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4768 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4769 },
60155b9a
MC		 4770#endif
4771#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 4772 {
4773 TLS1_3_VERSION,
4774 "AES128-SHA",
4775 "TLS_AES_256_GCM_SHA384",
4776 "AES256-SHA",
4777 "TLS_AES_256_GCM_SHA384",
4778 "TLS_AES_256_GCM_SHA384"
4779 },
4780#endif
4781};
4782
4783static int test_ssl_get_shared_ciphers(int tst)
4784{
4785 SSL_CTX *cctx = NULL, *sctx = NULL;
4786 SSL *clientssl = NULL, *serverssl = NULL;
4787 int testresult = 0;
4788 char buf[1024];
4789
4790 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4791 TLS_client_method(),
4792 TLS1_VERSION,
4793 shared_ciphers_data[tst].maxprot,
4794 &sctx, &cctx, cert, privkey)))
4795 goto end;
4796
4797 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4798 shared_ciphers_data[tst].clntciphers))
4799 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4800 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4801 shared_ciphers_data[tst].clnttls13ciphers)))
4802 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4803 shared_ciphers_data[tst].srvrciphers))
4804 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4805 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4806 shared_ciphers_data[tst].srvrtls13ciphers))))
4807 goto end;
4808
4809
4810 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4811 NULL, NULL))
4812 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4813 SSL_ERROR_NONE)))
4814 goto end;
4815
4816 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4817 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4818 TEST_info("Shared ciphers are: %s\n", buf);
4819 goto end;
4820 }
4821
4822 testresult = 1;
4823
4824 end:
4825 SSL_free(serverssl);
4826 SSL_free(clientssl);
4827 SSL_CTX_free(sctx);
4828 SSL_CTX_free(cctx);
4829
4830 return testresult;
4831}
4832
d0191fe0 4833static const char *appdata = "Hello World";
61fb5923
MC		 4834static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4835static int tick_key_renew = 0;
4836static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 4837
4838static int gen_tick_cb(SSL *s, void *arg)
4839{
4840 gen_tick_called = 1;
4841
4842 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4843 strlen(appdata));
4844}
4845
4846static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4847 const unsigned char *keyname,
4848 size_t keyname_length,
61fb5923
MC		 4849 SSL_TICKET_STATUS status,
4850 void *arg)
d0191fe0
MC		 4851{
4852 void *tickdata;
4853 size_t tickdlen;
4854
4855 dec_tick_called = 1;
4856
61fb5923
MC		 4857 if (status == SSL_TICKET_EMPTY)
4858 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 4859
61fb5923
MC		 4860 if (!TEST_true(status == SSL_TICKET_SUCCESS
4861 || status == SSL_TICKET_SUCCESS_RENEW))
4862 return SSL_TICKET_RETURN_ABORT;
4863
4864 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4865 &tickdlen))
d0191fe0
MC		 4866 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4867 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 4868 return SSL_TICKET_RETURN_ABORT;
d0191fe0 4869
61fb5923
MC		 4870 if (tick_key_cb_called) {
4871 /* Don't change what the ticket key callback wanted to do */
4872 switch (status) {
4873 case SSL_TICKET_NO_DECRYPT:
4874 return SSL_TICKET_RETURN_IGNORE_RENEW;
4875
4876 case SSL_TICKET_SUCCESS:
4877 return SSL_TICKET_RETURN_USE;
d0191fe0 4878
61fb5923
MC		 4879 case SSL_TICKET_SUCCESS_RENEW:
4880 return SSL_TICKET_RETURN_USE_RENEW;
4881
4882 default:
4883 return SSL_TICKET_RETURN_ABORT;
4884 }
4885 }
4886 return tick_dec_ret;
4887
4888}
d0191fe0
MC		 4889
4890static int tick_key_cb(SSL *s, unsigned char key_name[16],
4891 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4892 HMAC_CTX *hctx, int enc)
4893{
4894 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4895 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4896
61fb5923 4897 tick_key_cb_called = 1;
d0191fe0
MC		 4898 memset(iv, 0, AES_BLOCK_SIZE);
4899 memset(key_name, 0, 16);
4900 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4901 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4902 EVP_sha256(), NULL))
4903 return -1;
4904
61fb5923 4905 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 4906}
4907
4908/*
4909 * Test the various ticket callbacks
61fb5923
MC		 4910 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4911 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4912 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4913 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4914 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4915 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4916 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4917 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4918 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4919 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4920 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4921 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 4922 */
4923static int test_ticket_callbacks(int tst)
4924{
4925 SSL_CTX *cctx = NULL, *sctx = NULL;
4926 SSL *clientssl = NULL, *serverssl = NULL;
4927 SSL_SESSION *clntsess = NULL;
4928 int testresult = 0;
4929
4930#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 4931 if (tst % 2 == 0)
d0191fe0
MC		 4932 return 1;
4933#endif
4934#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 4935 if (tst % 2 == 1)
d0191fe0
MC		 4936 return 1;
4937#endif
4938
61fb5923 4939 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 4940
4941 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 4942 if (tst == 10 || tst == 11)
4943 tick_key_renew = 1;
d0191fe0 4944 else
61fb5923
MC		 4945 tick_key_renew = 0;
4946
4947 /* Which tests the decrypt ticket callback should request renewal for */
4948 switch (tst) {
4949 case 0:
4950 case 1:
4951 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4952 break;
4953
4954 case 2:
4955 case 3:
4956 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4957 break;
4958
4959 case 4:
4960 case 5:
4961 tick_dec_ret = SSL_TICKET_RETURN_USE;
4962 break;
4963
4964 case 6:
4965 case 7:
4966 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4967 break;
4968
4969 default:
4970 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4971 }
d0191fe0
MC		 4972
4973 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4974 TLS_client_method(),
4975 TLS1_VERSION,
61fb5923
MC		 4976 ((tst % 2) == 0) ? TLS1_2_VERSION
4977 : TLS1_3_VERSION,
d0191fe0
MC		 4978 &sctx, &cctx, cert, privkey)))
4979 goto end;
4980
61fb5923
MC		 4981 /*
4982 * We only want sessions to resume from tickets - not the session cache. So
4983 * switch the cache off.
4984 */
4985 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4986 goto end;
4987
d0191fe0
MC		 4988 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4989 NULL)))
4990 goto end;
4991
61fb5923 4992 if (tst >= 8
d0191fe0
MC		 4993 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4994 goto end;
4995
4996 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4997 NULL, NULL))
4998 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4999 SSL_ERROR_NONE)))
5000 goto end;
5001
61fb5923
MC		 5002 /*
5003 * The decrypt ticket key callback in TLSv1.2 should be called even though
5004 * we have no ticket yet, because it gets called with a status of
5005 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5006 * actually send any ticket data). This does not happen in TLSv1.3 because
5007 * it is not valid to send empty ticket data in TLSv1.3.
5008 */
d0191fe0 5009 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 5010 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 5011 goto end;
5012
5013 gen_tick_called = dec_tick_called = 0;
5014
5015 clntsess = SSL_get1_session(clientssl);
5016 SSL_shutdown(clientssl);
5017 SSL_shutdown(serverssl);
5018 SSL_free(serverssl);
5019 SSL_free(clientssl);
5020 serverssl = clientssl = NULL;
5021
5022 /* Now do a resumption */
5023 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5024 NULL))
5025 || !TEST_true(SSL_set_session(clientssl, clntsess))
5026 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 5027 SSL_ERROR_NONE)))
d0191fe0
MC		 5028 goto end;
5029
61fb5923
MC		 5030 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5031 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5032 if (!TEST_false(SSL_session_reused(clientssl)))
5033 goto end;
5034 } else {
5035 if (!TEST_true(SSL_session_reused(clientssl)))
5036 goto end;
5037 }
5038
d0191fe0 5039 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 5040 (tick_key_renew
5041 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5042 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5043 ? 1 : 0)
d0191fe0
MC		 5044 || !TEST_int_eq(dec_tick_called, 1))
5045 goto end;
5046
5047 testresult = 1;
5048
5049 end:
5050 SSL_SESSION_free(clntsess);
5051 SSL_free(serverssl);
5052 SSL_free(clientssl);
5053 SSL_CTX_free(sctx);
5054 SSL_CTX_free(cctx);
5055
5056 return testresult;
5057}
5058
c748834f
MC		 5059/*
5060 * Test bi-directional shutdown.
5061 * Test 0: TLSv1.2
5062 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5063 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5064 * Test 3: TLSv1.3, pending NewSessionTicket messages
5065 * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
5066 * reads it
5067 * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
5068 * doesn't read it
5069 */
5070static int test_shutdown(int tst)
5071{
5072 SSL_CTX *cctx = NULL, *sctx = NULL;
5073 SSL *clientssl = NULL, *serverssl = NULL;
5074 int testresult = 0;
5075 char msg[] = "A test message";
5076 char buf[80];
5077 size_t written, readbytes;
5078
5079#ifdef OPENSSL_NO_TLS1_2
5080 if (tst == 0)
5081 return 1;
5082#endif
5083#ifdef OPENSSL_NO_TLS1_3
5084 if (tst != 0)
5085 return 1;
5086#endif
5087
5088 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5089 TLS_client_method(),
5090 TLS1_VERSION,
5091 (tst <= 1) ? TLS1_2_VERSION
5092 : TLS1_3_VERSION,
5093 &sctx, &cctx, cert, privkey))
5094 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5095 NULL, NULL)))
5096 goto end;
5097
5098 if (tst == 3) {
5099 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5100 SSL_ERROR_NONE)))
5101 goto end;
5102 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5103 SSL_ERROR_NONE))) {
5104 goto end;
5105 }
5106
5107 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5108 goto end;
5109
5110 if (tst >= 4) {
5111 /*
5112 * Reading on the server after the client has sent close_notify should
5113 * fail and provide SSL_ERROR_ZERO_RETURN
5114 */
5115 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5116 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5117 SSL_ERROR_ZERO_RETURN)
5118 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5119 SSL_RECEIVED_SHUTDOWN)
5120 /*
5121 * Even though we're shutdown on receive we should still be
5122 * able to write.
5123 */
5124 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
5125 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5126 goto end;
5127 if (tst == 4) {
5128 /* Should still be able to read data from server */
5129 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5130 &readbytes))
5131 || !TEST_size_t_eq(readbytes, sizeof(msg))
5132 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5133 goto end;
5134 }
5135 }
5136
5137 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 5138 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 5139 goto end;
5140
5141 if (tst < 4) {
5142 /*
5143 * For these tests the client has sent close_notify but it has not yet
5144 * been received by the server. The server has not sent close_notify
5145 * yet.
5146 */
5147 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 5148 /*
5149 * Writing on the server after sending close_notify shouldn't
5150 * be possible.
5151 */
5152 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f
MC		 5153 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5154 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5155 goto end;
358ffa05 5156 } else if (tst == 4) {
c748834f
MC		 5157 /*
5158 * In this test the client has sent close_notify and it has been
5159 * received by the server which has responded with a close_notify. The
358ffa05 5160 * client needs to read the close_notify sent by the server.
c748834f 5161 */
c748834f
MC		 5162 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
5163 goto end;
358ffa05
MC		 5164 } else {
5165 /*
5166 * tst == 5
5167 *
5168 * The client has sent close_notify and is expecting a close_notify
5169 * back, but instead there is application data first. The shutdown
5170 * should fail with a fatal error.
5171 */
5172 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5173 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5174 goto end;
c748834f
MC		 5175 }
5176
5177 testresult = 1;
5178
5179 end:
5180 SSL_free(serverssl);
5181 SSL_free(clientssl);
5182 SSL_CTX_free(sctx);
5183 SSL_CTX_free(cctx);
5184
5185 return testresult;
5186}
5187
ad887416 5188int setup_tests(void)
2cb4b5f6 5189{
ad887416 5190 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 5191 || !TEST_ptr(privkey = test_get_argument(1))
5192 || !TEST_ptr(srpvfile = test_get_argument(2))
5193 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 5194 return 0;
2cb4b5f6 5195
f297e4ec
RS		 5196 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5197#ifdef OPENSSL_NO_CRYPTO_MDEBUG
5198 TEST_error("not supported in this build");
5199 return 0;
5200#else
5201 int i, mcount, rcount, fcount;
5202
5203 for (i = 0; i < 4; i++)
5204 test_export_key_mat(i);
5205 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5206 test_printf_stdout("malloc %d realloc %d free %d\n",
5207 mcount, rcount, fcount);
5208 return 1;
5209#endif
5210 }
5211
84d5549e 5212 ADD_TEST(test_large_message_tls);
7856332e 5213 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 5214#ifndef OPENSSL_NO_DTLS
84d5549e 5215 ADD_TEST(test_large_message_dtls);
55386bef 5216#endif
8f8c11d8 5217#ifndef OPENSSL_NO_OCSP
c887104f 5218 ADD_TEST(test_tlsext_status_type);
8f8c11d8 5219#endif
eaa776da
MC		 5220 ADD_TEST(test_session_with_only_int_cache);
5221 ADD_TEST(test_session_with_only_ext_cache);
5222 ADD_TEST(test_session_with_both_cache);
36ff232c
MC		 5223#ifndef OPENSSL_NO_TLS1_3
5224 ADD_ALL_TESTS(test_tickets, 3);
5225#endif
7fb4c820 5226 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 5227 ADD_TEST(test_ssl_bio_pop_next_bio);
5228 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5229 ADD_TEST(test_ssl_bio_change_rbio);
5230 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 5231#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 5232 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 5233 ADD_TEST(test_keylog);
c423ecaa 5234#endif
6acdd3e5
CB		 5235#ifndef OPENSSL_NO_TLS1_3
5236 ADD_TEST(test_keylog_no_master_key);
5237#endif
e9ee6536 5238#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 5239 ADD_TEST(test_client_hello_cb);
5f982038
MC		 5240#endif
5241#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 5242 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 5243 /*
5244 * We don't do replay tests for external PSK. Replay protection isn't used
5245 * in that scenario.
5246 */
5247 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 5248 ADD_ALL_TESTS(test_early_data_skip, 3);
5249 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5250 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 5251 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 5252 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 5253# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 5254 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 5255# endif
e9ee6536 5256#endif
a273157a 5257#ifndef OPENSSL_NO_TLS1_3
034cb87b 5258 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 5259 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 5260#ifdef OPENSSL_NO_PSK
5261 ADD_ALL_TESTS(test_tls13_psk, 1);
5262#else
0d8da779 5263 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 5264#endif /* OPENSSL_NO_PSK */
bb01ef3f 5265 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 5266 ADD_TEST(test_stateless);
9d75dce3 5267 ADD_TEST(test_pha_key_update);
a273157a 5268#else
bb01ef3f 5269 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 5270#endif
16afd71c 5271 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 5272 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 5273#ifndef OPENSSL_NO_TLS1_3
5274 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5275#endif
e11b6aa4 5276 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 5277 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 5278#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5279 ADD_ALL_TESTS(test_srp, 6);
5280#endif
5718fe45 5281 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 5282 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 5283 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 5284 ADD_ALL_TESTS(test_ticket_callbacks, 12);
c748834f 5285 ADD_ALL_TESTS(test_shutdown, 6);
ad887416
P		 5286 return 1;
5287}
2cb4b5f6 5288
ad887416
P		 5289void cleanup_tests(void)
5290{
fa454945 5291 bio_s_mempacket_test_free();
2cb4b5f6 5292}
A mirror of the official openssl repository