]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
pem_password_cb: Clarify the documentation on passphrases
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
4333b89f 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
2cb4b5f6 36
20f8bc72 37#include "helpers/ssltestlib.h"
c887104f 38#include "testutil.h"
f297e4ec 39#include "testutil/output.h"
176db6dc 40#include "internal/nelem.h"
fe5d9450 41#include "internal/ktls.h"
706457b7 42#include "../ssl/ssl_local.h"
b0001d0c 43#include "filterprov.h"
2cb4b5f6 44
a763ca11
MC		 45#undef OSSL_NO_USABLE_TLS1_3
46#if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48/*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52# define OSSL_NO_USABLE_TLS1_3
53#endif
54
0c13cdf8
MC		 55/* Defined in tls-provider.c */
56int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
852c2ed2 60
b4250010 61static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 62static OSSL_PROVIDER *defctxnull = NULL;
63
a763ca11 64#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 65
66static SSL_SESSION *clientpsk = NULL;
67static SSL_SESSION *serverpsk = NULL;
68static const char *pskid = "Identity";
69static const char *srvid;
70
71static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76static int use_session_cb_cnt = 0;
77static int find_session_cb_cnt = 0;
78
79static SSL_SESSION *create_a_psk(SSL *ssl);
80#endif
81
1a2a3a42 82static char *certsdir = NULL;
2cb4b5f6
MC		 83static char *cert = NULL;
84static char *privkey = NULL;
b3842539
MC		 85static char *cert2 = NULL;
86static char *privkey2 = NULL;
3105d846
MC		 87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
76fd7a1d
MC		 95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
2cb4b5f6 97
4f6c7044
MC		 98static int is_fips = 0;
99
cffe973c 100#define LOG_BUFFER_SIZE 2048
6acdd3e5 101static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 102static size_t server_log_buffer_index = 0;
6acdd3e5 103static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 104static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 105static int error_writing_log = 0;
106
8f8c11d8 107#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 108static const unsigned char orespder[] = "Dummy OCSP Response";
109static int ocsp_server_called = 0;
110static int ocsp_client_called = 0;
111
112static int cdummyarg = 1;
113static X509 *ocspcert = NULL;
8f8c11d8 114#endif
ba881d3b 115
84d5549e 116#define NUM_EXTRA_CERTS 40
cf72c757 117#define CLIENT_VERSION_LEN 2
84d5549e 118
f1a5939f
CB		 119/*
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
122 */
123struct sslapitest_log_counts {
124 unsigned int rsa_key_exchange_count;
125 unsigned int master_secret_count;
cffe973c 126 unsigned int client_early_secret_count;
f1a5939f
CB		 127 unsigned int client_handshake_secret_count;
128 unsigned int server_handshake_secret_count;
129 unsigned int client_application_secret_count;
130 unsigned int server_application_secret_count;
01a2a654 131 unsigned int early_exporter_secret_count;
6329ce8f 132 unsigned int exporter_secret_count;
f1a5939f
CB		 133};
134
16afd71c
MC		 135
136static unsigned char serverinfov1[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
140};
141
142static unsigned char serverinfov2[] = {
143 0x00, 0x00, 0x00,
144 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
148};
149
104a733d
MC		 150static int hostname_cb(SSL *s, int *al, void *arg)
151{
152 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153
154 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
155 || strcmp(hostname, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK;
157
158 return SSL_TLSEXT_ERR_NOACK;
159}
160
710756a9
RS		 161static void client_keylog_callback(const SSL *ssl, const char *line)
162{
6acdd3e5
CB		 163 int line_length = strlen(line);
164
165 /* If the log doesn't fit, error out. */
710756a9
RS		 166 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
167 TEST_info("Client log too full");
6acdd3e5
CB		 168 error_writing_log = 1;
169 return;
170 }
171
172 strcat(client_log_buffer, line);
173 client_log_buffer_index += line_length;
710756a9 174 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 175}
176
710756a9
RS		 177static void server_keylog_callback(const SSL *ssl, const char *line)
178{
6acdd3e5
CB		 179 int line_length = strlen(line);
180
181 /* If the log doesn't fit, error out. */
710756a9 182 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 183 TEST_info("Server log too full");
6acdd3e5
CB		 184 error_writing_log = 1;
185 return;
186 }
187
188 strcat(server_log_buffer, line);
189 server_log_buffer_index += line_length;
710756a9 190 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 191}
192
193static int compare_hex_encoded_buffer(const char *hex_encoded,
194 size_t hex_length,
195 const uint8_t *raw,
710756a9
RS		 196 size_t raw_length)
197{
198 size_t i, j;
199 char hexed[3];
6acdd3e5 200
710756a9 201 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 202 return 1;
6acdd3e5 203
710756a9 204 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 205 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 206 if (!TEST_int_eq(hexed[0], hex_encoded[j])
207 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 208 return 1;
6acdd3e5
CB		 209 }
210
211 return 0;
212}
213
214static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 215 const SSL_SESSION *session,
710756a9
RS		 216 struct sslapitest_log_counts *expected)
217{
6acdd3e5
CB		 218 char *token = NULL;
219 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
220 size_t client_random_size = SSL3_RANDOM_SIZE;
221 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
222 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 223 unsigned int rsa_key_exchange_count = 0;
224 unsigned int master_secret_count = 0;
cffe973c 225 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 226 unsigned int client_handshake_secret_count = 0;
227 unsigned int server_handshake_secret_count = 0;
228 unsigned int client_application_secret_count = 0;
229 unsigned int server_application_secret_count = 0;
01a2a654 230 unsigned int early_exporter_secret_count = 0;
6329ce8f 231 unsigned int exporter_secret_count = 0;
6acdd3e5 232
710756a9
RS		 233 for (token = strtok(buffer, " \n"); token != NULL;
234 token = strtok(NULL, " \n")) {
6acdd3e5 235 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 236 /*
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 238 * hex-encoded encrypted secret, then the hex-encoded pre-master
239 * secret.
240 */
710756a9 241 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 242 return 0;
710756a9 243 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 244 return 0;
710756a9 245 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 246 return 0;
f1a5939f
CB		 247 /*
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
251 */
252 rsa_key_exchange_count++;
6acdd3e5 253 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 254 /*
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 256 * client random, then the hex-encoded master secret.
257 */
258 client_random_size = SSL_get_client_random(ssl,
259 actual_client_random,
260 SSL3_RANDOM_SIZE);
710756a9 261 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 262 return 0;
6acdd3e5 263
710756a9 264 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 265 return 0;
710756a9 266 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 267 return 0;
710756a9
RS		 268 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
269 actual_client_random,
270 client_random_size)))
f1a5939f 271 return 0;
6acdd3e5 272
710756a9 273 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 274 return 0;
6acdd3e5
CB		 275 master_key_size = SSL_SESSION_get_master_key(session,
276 actual_master_key,
277 master_key_size);
710756a9 278 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 279 return 0;
710756a9
RS		 280 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
281 actual_master_key,
282 master_key_size)))
f1a5939f 283 return 0;
f1a5939f 284 master_secret_count++;
cffe973c
PW		 285 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 287 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 289 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 290 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 291 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 292 /*
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
297 */
cffe973c
PW		 298 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count++;
300 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 301 client_handshake_secret_count++;
302 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count++;
304 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count++;
306 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count++;
01a2a654
PW		 308 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count++;
6329ce8f
PW		 310 else if (strcmp(token, "EXPORTER_SECRET") == 0)
311 exporter_secret_count++;
f1a5939f
CB		 312
313 client_random_size = SSL_get_client_random(ssl,
314 actual_client_random,
315 SSL3_RANDOM_SIZE);
710756a9 316 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 317 return 0;
f1a5939f 318
710756a9 319 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 320 return 0;
710756a9 321 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 322 return 0;
710756a9
RS		 323 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
324 actual_client_random,
325 client_random_size)))
f1a5939f 326 return 0;
6acdd3e5 327
710756a9 328 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 329 return 0;
6acdd3e5 330 } else {
710756a9 331 TEST_info("Unexpected token %s\n", token);
f1a5939f 332 return 0;
6acdd3e5 333 }
6acdd3e5
CB		 334 }
335
710756a9
RS		 336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count,
338 expected->rsa_key_exchange_count)
339 || !TEST_size_t_eq(master_secret_count,
340 expected->master_secret_count)
cffe973c
PW		 341 || !TEST_size_t_eq(client_early_secret_count,
342 expected->client_early_secret_count)
710756a9
RS		 343 || !TEST_size_t_eq(client_handshake_secret_count,
344 expected->client_handshake_secret_count)
345 || !TEST_size_t_eq(server_handshake_secret_count,
346 expected->server_handshake_secret_count)
347 || !TEST_size_t_eq(client_application_secret_count,
348 expected->client_application_secret_count)
349 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 350 expected->server_application_secret_count)
01a2a654
PW		 351 || !TEST_size_t_eq(early_exporter_secret_count,
352 expected->early_exporter_secret_count)
6329ce8f
PW		 353 || !TEST_size_t_eq(exporter_secret_count,
354 expected->exporter_secret_count))
710756a9
RS		 355 return 0;
356 return 1;
6acdd3e5
CB		 357}
358
a763ca11 359#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 360static int test_keylog(void)
361{
6acdd3e5
CB		 362 SSL_CTX *cctx = NULL, *sctx = NULL;
363 SSL *clientssl = NULL, *serverssl = NULL;
364 int testresult = 0;
6fc1e624 365 struct sslapitest_log_counts expected;
6acdd3e5
CB		 366
367 /* Clean up logging space */
6fc1e624 368 memset(&expected, 0, sizeof(expected));
710756a9
RS		 369 memset(client_log_buffer, 0, sizeof(client_log_buffer));
370 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 371 client_log_buffer_index = 0;
372 server_log_buffer_index = 0;
373 error_writing_log = 0;
374
5e30f2fd 375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 376 TLS_client_method(),
5c587fb6 377 TLS1_VERSION, 0,
710756a9 378 &sctx, &cctx, cert, privkey)))
6acdd3e5 379 return 0;
6acdd3e5
CB		 380
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
383 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
384
f0deb4d3 385 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 387 goto end;
f0deb4d3 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5 392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
6acdd3e5 395 goto end;
710756a9 396 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
398 == server_keylog_callback))
6acdd3e5 399 goto end;
6acdd3e5 400
710756a9
RS		 401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
403 &clientssl, NULL, NULL))
404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
405 SSL_ERROR_NONE))
406 || !TEST_false(error_writing_log)
407 || !TEST_int_gt(client_log_buffer_index, 0)
408 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 413 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
6acdd3e5 416 */
f1a5939f
CB		 417 expected.rsa_key_exchange_count = 1;
418 expected.master_secret_count = 1;
710756a9
RS		 419 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
420 SSL_get_session(clientssl), &expected)))
6acdd3e5 421 goto end;
f1a5939f
CB		 422
423 expected.rsa_key_exchange_count = 0;
710756a9
RS		 424 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl), &expected)))
6acdd3e5 426 goto end;
6acdd3e5
CB		 427
428 testresult = 1;
429
430end:
431 SSL_free(serverssl);
432 SSL_free(clientssl);
433 SSL_CTX_free(sctx);
434 SSL_CTX_free(cctx);
435
436 return testresult;
437}
c423ecaa 438#endif
6acdd3e5 439
a763ca11 440#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 441static int test_keylog_no_master_key(void)
442{
6acdd3e5
CB		 443 SSL_CTX *cctx = NULL, *sctx = NULL;
444 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 445 SSL_SESSION *sess = NULL;
6acdd3e5 446 int testresult = 0;
6fc1e624 447 struct sslapitest_log_counts expected;
cffe973c
PW		 448 unsigned char buf[1];
449 size_t readbytes, written;
6acdd3e5
CB		 450
451 /* Clean up logging space */
6fc1e624 452 memset(&expected, 0, sizeof(expected));
710756a9
RS		 453 memset(client_log_buffer, 0, sizeof(client_log_buffer));
454 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 455 client_log_buffer_index = 0;
456 server_log_buffer_index = 0;
457 error_writing_log = 0;
458
5e30f2fd
MC		 459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 461 &sctx, &cctx, cert, privkey))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 463 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 464 return 0;
6acdd3e5 465
cf10df81
RS		 466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 468 goto end;
6acdd3e5
CB		 469
470 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
472 == client_keylog_callback))
6acdd3e5 473 goto end;
6acdd3e5 474
710756a9 475 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
477 == server_keylog_callback))
6acdd3e5 478 goto end;
6acdd3e5 479
710756a9
RS		 480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
482 &clientssl, NULL, NULL))
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 SSL_ERROR_NONE))
485 || !TEST_false(error_writing_log))
6acdd3e5 486 goto end;
6acdd3e5 487
f1a5939f
CB		 488 /*
489 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 491 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 492 */
f1a5939f
CB		 493 expected.client_handshake_secret_count = 1;
494 expected.server_handshake_secret_count = 1;
495 expected.client_application_secret_count = 1;
496 expected.server_application_secret_count = 1;
6329ce8f 497 expected.exporter_secret_count = 1;
710756a9
RS		 498 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
499 SSL_get_session(clientssl), &expected))
500 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
501 SSL_get_session(serverssl),
502 &expected)))
6acdd3e5 503 goto end;
6acdd3e5 504
cffe973c
PW		 505 /* Terminate old session and resume with early data. */
506 sess = SSL_get1_session(clientssl);
507 SSL_shutdown(clientssl);
508 SSL_shutdown(serverssl);
509 SSL_free(serverssl);
510 SSL_free(clientssl);
511 serverssl = clientssl = NULL;
512
513 /* Reset key log */
514 memset(client_log_buffer, 0, sizeof(client_log_buffer));
515 memset(server_log_buffer, 0, sizeof(server_log_buffer));
516 client_log_buffer_index = 0;
517 server_log_buffer_index = 0;
518
519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
520 &clientssl, NULL, NULL))
521 || !TEST_true(SSL_set_session(clientssl, sess))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
525 &readbytes),
526 SSL_READ_EARLY_DATA_ERROR)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
528 SSL_EARLY_DATA_ACCEPTED)
529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
530 SSL_ERROR_NONE))
531 || !TEST_true(SSL_session_reused(clientssl)))
532 goto end;
533
534 /* In addition to the previous entries, expect early secrets. */
535 expected.client_early_secret_count = 1;
01a2a654 536 expected.early_exporter_secret_count = 1;
cffe973c
PW		 537 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
538 SSL_get_session(clientssl), &expected))
539 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
540 SSL_get_session(serverssl),
541 &expected)))
542 goto end;
543
6acdd3e5
CB		 544 testresult = 1;
545
546end:
cffe973c 547 SSL_SESSION_free(sess);
6acdd3e5
CB		 548 SSL_free(serverssl);
549 SSL_free(clientssl);
550 SSL_CTX_free(sctx);
551 SSL_CTX_free(cctx);
552
553 return testresult;
554}
555#endif
556
0c3eb279
DDO		 557static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
558{
559 int res = X509_verify_cert(ctx);
560
561 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
562 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
563 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
564 return res;
565}
566
567static int test_client_cert_verify_cb(void)
568{
569 /* server key, cert, chain, and root */
570 char *skey = test_mk_file_path(certsdir, "leaf.key");
571 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
572 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
573 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
574 char *root = test_mk_file_path(certsdir, "rootCA.pem");
575 X509 *crt1 = NULL, *crt2 = NULL;
576 STACK_OF(X509) *server_chain;
577 SSL_CTX *cctx = NULL, *sctx = NULL;
578 SSL *clientssl = NULL, *serverssl = NULL;
579 int testresult = 0;
580
581 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
582 TLS_client_method(), TLS1_VERSION, 0,
583 &sctx, &cctx, NULL, NULL)))
584 goto end;
585 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
586 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
587 SSL_FILETYPE_PEM), 1)
588 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
589 goto end;
590 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
591 goto end;
592 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
593 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
594 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
595 &clientssl, NULL, NULL)))
596 goto end;
597
598 /* attempt SSL_connect() with incomplete server chain */
599 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
600 SSL_ERROR_WANT_RETRY_VERIFY)))
601 goto end;
602
603 /* application provides intermediate certs needed to verify server cert */
604 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
605 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
606 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
607 goto end;
608 /* add certs in reverse order to demonstrate real chain building */
609 if (!TEST_true(sk_X509_push(server_chain, crt1)))
610 goto end;
611 crt1 = NULL;
612 if (!TEST_true(sk_X509_push(server_chain, crt2)))
613 goto end;
614 crt2 = NULL;
615
616 /* continue SSL_connect(), must now succeed with completed server chain */
617 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
618 SSL_ERROR_NONE)))
619 goto end;
620
621 testresult = 1;
622
623end:
624 X509_free(crt1);
625 X509_free(crt2);
c38048e7
P		 626 if (clientssl != NULL) {
627 SSL_shutdown(clientssl);
628 SSL_free(clientssl);
629 }
630 if (serverssl != NULL) {
631 SSL_shutdown(serverssl);
632 SSL_free(serverssl);
633 }
0c3eb279
DDO		 634 SSL_CTX_free(sctx);
635 SSL_CTX_free(cctx);
636
637 OPENSSL_free(skey);
638 OPENSSL_free(leaf);
639 OPENSSL_free(int2);
640 OPENSSL_free(int1);
641 OPENSSL_free(root);
642
643 return testresult;
644}
645
4e4ae840
SL		 646static int test_ssl_build_cert_chain(void)
647{
648 int ret = 0;
649 SSL_CTX *ssl_ctx = NULL;
650 SSL *ssl = NULL;
651 char *skey = test_mk_file_path(certsdir, "leaf.key");
652 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
653
654 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
655 goto end;
656 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
657 goto end;
658 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
659 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
660 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
661 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
662 goto end;
663 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
664 | SSL_BUILD_CHAIN_FLAG_CHECK)))
665 goto end;
666 ret = 1;
667end:
668 SSL_free(ssl);
669 SSL_CTX_free(ssl_ctx);
670 OPENSSL_free(leaf_chain);
671 OPENSSL_free(skey);
672 return ret;
673}
674
675static int test_ssl_ctx_build_cert_chain(void)
676{
677 int ret = 0;
678 SSL_CTX *ctx = NULL;
679 char *skey = test_mk_file_path(certsdir, "leaf.key");
680 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
681
682 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
683 goto end;
684 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
685 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
686 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
687 SSL_FILETYPE_PEM), 1)
688 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
689 goto end;
690 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
691 | SSL_BUILD_CHAIN_FLAG_CHECK)))
692 goto end;
693 ret = 1;
694end:
695 SSL_CTX_free(ctx);
696 OPENSSL_free(leaf_chain);
697 OPENSSL_free(skey);
698 return ret;
699}
700
e9ee6536 701#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 702static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 703{
704 int *ctr = arg;
705 const unsigned char *p;
8ea404fb 706 int *exts;
2afaee51
BK		 707 /* We only configure two ciphers, but the SCSV is added automatically. */
708#ifdef OPENSSL_NO_EC
709 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
710#else
711 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
712 0x2c, 0x00, 0xff};
713#endif
8ea404fb
BK		 714 const int expected_extensions[] = {
715#ifndef OPENSSL_NO_EC
716 11, 10,
717#endif
10ed1b72 718 35, 22, 23, 13};
2afaee51
BK		 719 size_t len;
720
721 /* Make sure we can defer processing and get called back. */
722 if ((*ctr)++ == 0)
f1b97da1 723 return SSL_CLIENT_HELLO_RETRY;
2afaee51 724
a9c0d8be 725 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 726 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 727 || !TEST_size_t_eq(
728 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 729 || !TEST_int_eq(*p, 0))
f1b97da1 730 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 731 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 732 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 733 if (len != OSSL_NELEM(expected_extensions) ||
734 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 735 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 736 OPENSSL_free(exts);
f1b97da1 737 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 738 }
739 OPENSSL_free(exts);
f1b97da1 740 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 741}
742
a9c0d8be 743static int test_client_hello_cb(void)
710756a9 744{
2afaee51
BK		 745 SSL_CTX *cctx = NULL, *sctx = NULL;
746 SSL *clientssl = NULL, *serverssl = NULL;
747 int testctr = 0, testresult = 0;
748
5e30f2fd
MC		 749 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
750 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 751 &sctx, &cctx, cert, privkey)))
2afaee51 752 goto end;
a9c0d8be 753 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 754
2afaee51
BK		 755 /* The gimpy cipher list we configure can't do TLS 1.3. */
756 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 757
710756a9
RS		 758 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
759 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
760 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
761 &clientssl, NULL, NULL))
762 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 763 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 764 /*
765 * Passing a -1 literal is a hack since
766 * the real value was lost.
767 * */
a9c0d8be
DB		 768 || !TEST_int_eq(SSL_get_error(serverssl, -1),
769 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
771 SSL_ERROR_NONE)))
2afaee51 772 goto end;
2afaee51
BK		 773
774 testresult = 1;
775
088dfa13
TS		 776end:
777 SSL_free(serverssl);
778 SSL_free(clientssl);
779 SSL_CTX_free(sctx);
780 SSL_CTX_free(cctx);
781
782 return testresult;
783}
784
785static int test_no_ems(void)
786{
787 SSL_CTX *cctx = NULL, *sctx = NULL;
788 SSL *clientssl = NULL, *serverssl = NULL;
789 int testresult = 0;
790
5e30f2fd 791 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 792 TLS1_VERSION, TLS1_2_VERSION,
793 &sctx, &cctx, cert, privkey)) {
794 printf("Unable to create SSL_CTX pair\n");
795 goto end;
796 }
797
798 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
799
800 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
801 printf("Unable to create SSL objects\n");
802 goto end;
803 }
804
805 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
806 printf("Creating SSL connection failed\n");
807 goto end;
808 }
809
810 if (SSL_get_extms_support(serverssl)) {
811 printf("Server reports Extended Master Secret support\n");
812 goto end;
813 }
814
815 if (SSL_get_extms_support(clientssl)) {
816 printf("Client reports Extended Master Secret support\n");
817 goto end;
818 }
819 testresult = 1;
820
2afaee51
BK		 821end:
822 SSL_free(serverssl);
823 SSL_free(clientssl);
824 SSL_CTX_free(sctx);
825 SSL_CTX_free(cctx);
826
827 return testresult;
828}
829
3cd14e5e
BK		 830/*
831 * Very focused test to exercise a single case in the server-side state
832 * machine, when the ChangeCipherState message needs to actually change
833 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 834 * encryption to real encryption).
3cd14e5e
BK		 835 */
836static int test_ccs_change_cipher(void)
837{
838 SSL_CTX *cctx = NULL, *sctx = NULL;
839 SSL *clientssl = NULL, *serverssl = NULL;
840 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
841 int testresult = 0;
842 int i;
843 unsigned char buf;
844 size_t readbytes;
845
846 /*
847 * Create a conection so we can resume and potentially (but not) use
848 * a different cipher in the second connection.
849 */
5e30f2fd 850 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 851 TLS_client_method(),
852 TLS1_VERSION, TLS1_2_VERSION,
853 &sctx, &cctx, cert, privkey))
854 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
855 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
856 NULL, NULL))
857 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
858 || !TEST_true(create_ssl_connection(serverssl, clientssl,
859 SSL_ERROR_NONE))
860 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
861 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
862 goto end;
863
864 shutdown_ssl_connection(serverssl, clientssl);
865 serverssl = clientssl = NULL;
866
867 /* Resume, preferring a different cipher. Our server will force the
868 * same cipher to be used as the initial handshake. */
869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
870 NULL, NULL))
871 || !TEST_true(SSL_set_session(clientssl, sess))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 SSL_ERROR_NONE))
875 || !TEST_true(SSL_session_reused(clientssl))
876 || !TEST_true(SSL_session_reused(serverssl))
877 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
878 || !TEST_ptr_eq(sesspre, sesspost)
879 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
880 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
881 goto end;
882 shutdown_ssl_connection(serverssl, clientssl);
883 serverssl = clientssl = NULL;
884
885 /*
886 * Now create a fresh connection and try to renegotiate a different
887 * cipher on it.
888 */
b3e6d666
BK		 889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
890 NULL, NULL))
3cd14e5e
BK		 891 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
892 || !TEST_true(create_ssl_connection(serverssl, clientssl,
893 SSL_ERROR_NONE))
894 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
895 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
896 || !TEST_true(SSL_renegotiate(clientssl))
897 || !TEST_true(SSL_renegotiate_pending(clientssl)))
898 goto end;
899 /* Actually drive the renegotiation. */
900 for (i = 0; i < 3; i++) {
901 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
902 if (!TEST_ulong_eq(readbytes, 0))
903 goto end;
904 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
905 SSL_ERROR_WANT_READ)) {
906 goto end;
907 }
908 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
909 if (!TEST_ulong_eq(readbytes, 0))
910 goto end;
911 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
912 SSL_ERROR_WANT_READ)) {
913 goto end;
914 }
915 }
916 /* sesspre and sesspost should be different since the cipher changed. */
917 if (!TEST_false(SSL_renegotiate_pending(clientssl))
918 || !TEST_false(SSL_session_reused(clientssl))
919 || !TEST_false(SSL_session_reused(serverssl))
920 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
921 || !TEST_ptr_ne(sesspre, sesspost)
922 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
923 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
924 goto end;
925
926 shutdown_ssl_connection(serverssl, clientssl);
927 serverssl = clientssl = NULL;
928
929 testresult = 1;
930
931end:
932 SSL_free(serverssl);
933 SSL_free(clientssl);
934 SSL_CTX_free(sctx);
935 SSL_CTX_free(cctx);
936 SSL_SESSION_free(sess);
937
938 return testresult;
939}
fb121631 940#endif
3cd14e5e 941
84d5549e 942static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 943 const SSL_METHOD *cmeth,
944 int min_version, int max_version,
945 int read_ahead)
84d5549e
MC		 946{
947 SSL_CTX *cctx = NULL, *sctx = NULL;
948 SSL *clientssl = NULL, *serverssl = NULL;
949 int testresult = 0;
950 int i;
710756a9 951 BIO *certbio = NULL;
84d5549e
MC		 952 X509 *chaincert = NULL;
953 int certlen;
954
710756a9 955 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 956 goto end;
6725682d 957
d8652be0 958 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 959 goto end;
960
961 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
962 goto end;
fa454945
MC		 963 BIO_free(certbio);
964 certbio = NULL;
84d5549e 965
5e30f2fd
MC		 966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
968 privkey)))
84d5549e 969 goto end;
84d5549e 970
8ce390e1
MC		 971#ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
973 /*
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
975 * level 0
976 */
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
980 goto end;
981 }
982#endif
983
710756a9 984 if (read_ahead) {
7856332e
MC		 985 /*
986 * Test that read_ahead works correctly when dealing with large
987 * records
988 */
989 SSL_CTX_set_read_ahead(cctx, 1);
990 }
991
84d5549e
MC		 992 /*
993 * We assume the supplied certificate is big enough so that if we add
994 * NUM_EXTRA_CERTS it will make the overall message large enough. The
995 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 996 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
997 * test we need to have a message larger than that.
84d5549e
MC		 998 */
999 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1000 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1001 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1002 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1003 if (!X509_up_ref(chaincert))
84d5549e 1004 goto end;
84d5549e 1005 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1006 X509_free(chaincert);
1007 goto end;
1008 }
1009 }
1010
710756a9
RS		 1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1012 NULL, NULL))
1013 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1014 SSL_ERROR_NONE)))
84d5549e 1015 goto end;
84d5549e 1016
4bf08600
MC		 1017 /*
1018 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1019 * doesn't leak.
4bf08600 1020 */
710756a9 1021 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1022 goto end;
84d5549e 1023
4bf08600 1024 testresult = 1;
84d5549e 1025 end:
6725682d 1026 BIO_free(certbio);
84d5549e
MC		 1027 X509_free(chaincert);
1028 SSL_free(serverssl);
1029 SSL_free(clientssl);
1030 SSL_CTX_free(sctx);
1031 SSL_CTX_free(cctx);
1032
1033 return testresult;
1034}
1035
da4db160 1036#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1037 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1038/* sock must be connected */
1039static int ktls_chk_platform(int sock)
1040{
1041 if (!ktls_enable(sock))
1042 return 0;
1043 return 1;
1044}
1045
e1fdd526 1046static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1047{
1048 static char count = 1;
1049 unsigned char cbuf[16000] = {0};
1050 unsigned char sbuf[16000];
1051 size_t err = 0;
e1fdd526
JB		 1052 char crec_wseq_before[SEQ_NUM_SIZE];
1053 char crec_wseq_after[SEQ_NUM_SIZE];
1054 char crec_rseq_before[SEQ_NUM_SIZE];
1055 char crec_rseq_after[SEQ_NUM_SIZE];
1056 char srec_wseq_before[SEQ_NUM_SIZE];
1057 char srec_wseq_after[SEQ_NUM_SIZE];
1058 char srec_rseq_before[SEQ_NUM_SIZE];
1059 char srec_rseq_after[SEQ_NUM_SIZE];
fe5d9450
BP		 1060
1061 cbuf[0] = count++;
e1fdd526
JB		 1062 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1063 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1064 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1065 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1066
1067 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1068 goto end;
1069
1070 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1071 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1072 goto end;
1073 }
1074 }
1075
1076 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1077 goto end;
1078
1079 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1080 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1081 goto end;
1082 }
1083 }
1084
e1fdd526
JB		 1085 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1088 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1089
1090 /* verify the payload */
1091 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1092 goto end;
1093
e1fdd526
JB		 1094 /*
1095 * If ktls is used then kernel sequences are used instead of
1096 * OpenSSL sequences
1097 */
1098 if (!BIO_get_ktls_send(clientssl->wbio)) {
1099 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1100 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1101 goto end;
1102 } else {
e1fdd526
JB		 1103 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1104 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1105 goto end;
1106 }
1107
e1fdd526
JB		 1108 if (!BIO_get_ktls_send(serverssl->wbio)) {
1109 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1110 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1111 goto end;
1112 } else {
e1fdd526
JB		 1113 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1114 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1115 goto end;
1116 }
1117
e1fdd526
JB		 1118 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1119 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1120 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1121 goto end;
1122 } else {
e1fdd526
JB		 1123 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1124 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1125 goto end;
1126 }
1127
e1fdd526
JB		 1128 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1129 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1130 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1131 goto end;
1132 } else {
e1fdd526
JB		 1133 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1134 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1135 goto end;
1136 }
fe5d9450
BP		 1137
1138 return 1;
1139end:
1140 return 0;
1141}
1142
a3a54179 1143static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1144 int tls_version, const char *cipher)
fe5d9450
BP		 1145{
1146 SSL_CTX *cctx = NULL, *sctx = NULL;
1147 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1148 int ktls_used = 0, testresult = 0;
1149 int cfd = -1, sfd = -1;
1150 int rx_supported;
fe5d9450
BP		 1151
1152 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1153 goto end;
1154
1155 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1156 if (!ktls_chk_platform(cfd)) {
1157 testresult = TEST_skip("Kernel does not support KTLS");
1158 goto end;
1159 }
fe5d9450 1160
a5d8a2f8
DB		 1161 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1162 testresult = TEST_skip("CHACHA is not supported in FIPS");
1163 goto end;
1164 }
1165
fe5d9450 1166 /* Create a session based on SHA-256 */
5e30f2fd 1167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1168 TLS_client_method(),
da4db160 1169 tls_version, tls_version,
e1fdd526
JB		 1170 &sctx, &cctx, cert, privkey)))
1171 goto end;
1172
1173 if (tls_version == TLS1_3_VERSION) {
1174 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1175 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1176 goto end;
1177 } else {
1178 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1179 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1180 goto end;
1181 }
1182
1183 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1184 &clientssl, sfd, cfd)))
fe5d9450
BP		 1185 goto end;
1186
a3a54179
MC		 1187 if (cis_ktls) {
1188 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1189 goto end;
1190 }
1191
a3a54179 1192 if (sis_ktls) {
e1fdd526 1193 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1194 goto end;
1195 }
1196
e1fdd526 1197 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1198 goto end;
1199
e1fdd526
JB		 1200 /*
1201 * The running kernel may not support a given cipher suite
1202 * or direction, so just check that KTLS isn't used when it
1203 * isn't enabled.
1204 */
a3a54179 1205 if (!cis_ktls) {
fe5d9450
BP		 1206 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1207 goto end;
1208 } else {
e1fdd526
JB		 1209 if (BIO_get_ktls_send(clientssl->wbio))
1210 ktls_used = 1;
fe5d9450
BP		 1211 }
1212
a3a54179 1213 if (!sis_ktls) {
fe5d9450
BP		 1214 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1215 goto end;
1216 } else {
e1fdd526
JB		 1217 if (BIO_get_ktls_send(serverssl->wbio))
1218 ktls_used = 1;
fe5d9450
BP		 1219 }
1220
a3a54179 1221#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1222 rx_supported = 0;
1223#else
1224 rx_supported = (tls_version != TLS1_3_VERSION);
a3a54179 1225#endif
e1fdd526 1226 if (!cis_ktls || !rx_supported) {
2fab79af
BP		 1227 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1228 goto end;
1229 } else {
e1fdd526
JB		 1230 if (BIO_get_ktls_send(clientssl->rbio))
1231 ktls_used = 1;
2fab79af
BP		 1232 }
1233
e1fdd526 1234 if (!sis_ktls || !rx_supported) {
2fab79af
BP		 1235 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1236 goto end;
1237 } else {
e1fdd526
JB		 1238 if (BIO_get_ktls_send(serverssl->rbio))
1239 ktls_used = 1;
1240 }
1241
1242 if ((cis_ktls || sis_ktls) && !ktls_used) {
1243 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1244 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1245 "TLS 1.2", cipher);
1246 goto end;
2fab79af
BP		 1247 }
1248
e1fdd526 1249 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1250 goto end;
1251
1252 testresult = 1;
1253end:
1254 if (clientssl) {
1255 SSL_shutdown(clientssl);
1256 SSL_free(clientssl);
1257 }
1258 if (serverssl) {
1259 SSL_shutdown(serverssl);
1260 SSL_free(serverssl);
1261 }
1262 SSL_CTX_free(sctx);
1263 SSL_CTX_free(cctx);
1264 serverssl = clientssl = NULL;
e1fdd526
JB		 1265 if (cfd != -1)
1266 close(cfd);
1267 if (sfd != -1)
1268 close(sfd);
fe5d9450
BP		 1269 return testresult;
1270}
1271
7c3a7561
BP		 1272#define SENDFILE_SZ (16 * 4096)
1273#define SENDFILE_CHUNK (4 * 4096)
1274#define min(a,b) ((a) > (b) ? (b) : (a))
1275
e1fdd526 1276static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1277{
1278 SSL_CTX *cctx = NULL, *sctx = NULL;
1279 SSL *clientssl = NULL, *serverssl = NULL;
1280 unsigned char *buf, *buf_dst;
1281 BIO *out = NULL, *in = NULL;
e1fdd526 1282 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1283 ssize_t chunk_size = 0;
1284 off_t chunk_off = 0;
1285 int testresult = 0;
1286 FILE *ffdp;
1287
1288 buf = OPENSSL_zalloc(SENDFILE_SZ);
1289 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1290 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1291 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1292 goto end;
1293
1294 /* Skip this test if the platform does not support ktls */
1295 if (!ktls_chk_platform(sfd)) {
e1fdd526 1296 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1297 goto end;
1298 }
1299
a5d8a2f8
DB		 1300 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1301 testresult = TEST_skip("CHACHA is not supported in FIPS");
1302 goto end;
1303 }
1304
7c3a7561 1305 /* Create a session based on SHA-256 */
5e30f2fd 1306 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1307 TLS_client_method(),
da4db160 1308 tls_version, tls_version,
e1fdd526
JB		 1309 &sctx, &cctx, cert, privkey)))
1310 goto end;
1311
1312 if (tls_version == TLS1_3_VERSION) {
1313 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1314 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1315 goto end;
1316 } else {
1317 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1318 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1319 goto end;
1320 }
1321
1322 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1323 &clientssl, sfd, cfd)))
1324 goto end;
1325
1326 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1327 goto end;
1328
1329 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1330 SSL_ERROR_NONE)))
7c3a7561
BP		 1331 goto end;
1332
e1fdd526
JB		 1333 if (!BIO_get_ktls_send(serverssl->wbio)) {
1334 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1335 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1336 "TLS 1.2", cipher);
1337 goto end;
1338 }
1339
c9007bda 1340 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1341 goto end;
1342
7c3a7561
BP		 1343 out = BIO_new_file(tmpfilename, "wb");
1344 if (!TEST_ptr(out))
1345 goto end;
1346
1347 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1348 goto end;
1349
1350 BIO_free(out);
1351 out = NULL;
1352 in = BIO_new_file(tmpfilename, "rb");
1353 BIO_get_fp(in, &ffdp);
1354 ffd = fileno(ffdp);
1355
1356 while (chunk_off < SENDFILE_SZ) {
1357 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1358 while ((err = SSL_sendfile(serverssl,
1359 ffd,
1360 chunk_off,
1361 chunk_size,
1362 0)) != chunk_size) {
1363 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1364 goto end;
1365 }
1366 while ((err = SSL_read(clientssl,
1367 buf_dst + chunk_off,
1368 chunk_size)) != chunk_size) {
1369 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1370 goto end;
1371 }
1372
1373 /* verify the payload */
1374 if (!TEST_mem_eq(buf_dst + chunk_off,
1375 chunk_size,
1376 buf + chunk_off,
1377 chunk_size))
1378 goto end;
1379
1380 chunk_off += chunk_size;
1381 }
1382
1383 testresult = 1;
1384end:
1385 if (clientssl) {
1386 SSL_shutdown(clientssl);
1387 SSL_free(clientssl);
1388 }
1389 if (serverssl) {
1390 SSL_shutdown(serverssl);
1391 SSL_free(serverssl);
1392 }
1393 SSL_CTX_free(sctx);
1394 SSL_CTX_free(cctx);
1395 serverssl = clientssl = NULL;
1396 BIO_free(out);
1397 BIO_free(in);
e1fdd526
JB		 1398 if (cfd != -1)
1399 close(cfd);
1400 if (sfd != -1)
1401 close(sfd);
7c3a7561
BP		 1402 OPENSSL_free(buf);
1403 OPENSSL_free(buf_dst);
1404 return testresult;
1405}
1406
e1fdd526
JB		 1407static struct ktls_test_cipher {
1408 int tls_version;
1409 const char *cipher;
1410} ktls_test_ciphers[] = {
1411# if !defined(OPENSSL_NO_TLS1_2)
1412# ifdef OPENSSL_KTLS_AES_GCM_128
1413 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1414# endif
1415# ifdef OPENSSL_KTLS_AES_CCM_128
1416 { TLS1_2_VERSION, "AES128-CCM"},
1417# endif
1418# ifdef OPENSSL_KTLS_AES_GCM_256
1419 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1420# endif
11bac1b4
JB		 1421# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1422 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1423# endif
e1fdd526
JB		 1424# endif
1425# if !defined(OSSL_NO_USABLE_TLS1_3)
1426# ifdef OPENSSL_KTLS_AES_GCM_128
1427 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1428# endif
1429# ifdef OPENSSL_KTLS_AES_CCM_128
1430 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1431# endif
1432# ifdef OPENSSL_KTLS_AES_GCM_256
1433 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1434# endif
11bac1b4
JB		 1435# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1436 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1437# endif
e1fdd526
JB		 1438# endif
1439};
1440
1441#define NUM_KTLS_TEST_CIPHERS \
1442 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1443
da4db160
VF		 1444static int test_ktls(int test)
1445{
e1fdd526 1446 struct ktls_test_cipher *cipher;
a3a54179 1447 int cis_ktls, sis_ktls;
da4db160 1448
2cff17fd 1449 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1450 cipher = &ktls_test_ciphers[test / 4];
da4db160 1451
a3a54179
MC		 1452 cis_ktls = (test & 1) != 0;
1453 sis_ktls = (test & 2) != 0;
cd03b5dc 1454
e1fdd526
JB		 1455 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1456 cipher->cipher);
2fab79af
BP		 1457}
1458
e1fdd526 1459static int test_ktls_sendfile(int tst)
fe5d9450 1460{
e1fdd526 1461 struct ktls_test_cipher *cipher;
da4db160 1462
2cff17fd 1463 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1464 cipher = &ktls_test_ciphers[tst];
da4db160 1465
e1fdd526 1466 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
fe5d9450 1467}
fe5d9450
BP		 1468#endif
1469
84d5549e
MC		 1470static int test_large_message_tls(void)
1471{
7856332e 1472 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1473 TLS1_VERSION, 0, 0);
7856332e
MC		 1474}
1475
1476static int test_large_message_tls_read_ahead(void)
1477{
1478 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1479 TLS1_VERSION, 0, 1);
84d5549e
MC		 1480}
1481
55386bef 1482#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1483static int test_large_message_dtls(void)
1484{
8ce390e1
MC		 1485# ifdef OPENSSL_NO_DTLS1_2
1486 /* Not supported in the FIPS provider */
1487 if (is_fips)
1488 return 1;
1489# endif
7856332e
MC		 1490 /*
1491 * read_ahead is not relevant to DTLS because DTLS always acts as if
1492 * read_ahead is set.
1493 */
84d5549e 1494 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1495 DTLS_client_method(),
5c587fb6 1496 DTLS1_VERSION, 0, 0);
84d5549e 1497}
55386bef 1498#endif
84d5549e 1499
163b8016
ME		 1500static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1501 const SSL_METHOD *cmeth,
1502 int min_version, int max_version)
1503{
1504 size_t i;
1505 SSL_CTX *cctx = NULL, *sctx = NULL;
1506 SSL *clientssl = NULL, *serverssl = NULL;
1507 int testresult = 0;
1508 SSL3_RECORD *rr;
1509 void *zbuf;
1510
1511 static unsigned char cbuf[16000];
1512 static unsigned char sbuf[16000];
1513
1514 if (!TEST_true(create_ssl_ctx_pair(libctx,
1515 smeth, cmeth,
1516 min_version, max_version,
1517 &sctx, &cctx, cert,
1518 privkey)))
1519 goto end;
1520
8ce390e1
MC		 1521#ifdef OPENSSL_NO_DTLS1_2
1522 if (smeth == DTLS_server_method()) {
1523# ifdef OPENSSL_NO_DTLS1_2
1524 /* Not supported in the FIPS provider */
1525 if (is_fips) {
1526 testresult = 1;
1527 goto end;
1528 };
1529# endif
1530 /*
1531 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1532 * level 0
1533 */
1534 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1535 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1536 "DEFAULT:@SECLEVEL=0")))
1537 goto end;
1538 }
1539#endif
1540
163b8016
ME		 1541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1542 NULL, NULL)))
1543 goto end;
1544
1545 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1546 goto end;
1547
1548 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1549 SSL_ERROR_NONE)))
1550 goto end;
1551
1552 for (i = 0; i < sizeof(cbuf); i++) {
1553 cbuf[i] = i & 0xff;
1554 }
1555
1556 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1557 goto end;
1558
1559 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1560 goto end;
1561
1562 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1563 goto end;
1564
1565 /*
1566 * Since we called SSL_peek(), we know the data in the record
1567 * layer is a plaintext record. We can gather the pointer to check
1568 * for zeroization after SSL_read().
1569 */
1570 rr = serverssl->rlayer.rrec;
1571 zbuf = &rr->data[rr->off];
1572 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1573 goto end;
1574
1575 /*
1576 * After SSL_peek() the plaintext must still be stored in the
1577 * record.
1578 */
1579 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1580 goto end;
1581
1582 memset(sbuf, 0, sizeof(sbuf));
1583 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1584 goto end;
1585
1586 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1587 goto end;
1588
1589 /* Check if rbuf is cleansed */
1590 memset(cbuf, 0, sizeof(cbuf));
1591 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1592 goto end;
1593
1594 testresult = 1;
1595 end:
1596 SSL_free(serverssl);
1597 SSL_free(clientssl);
1598 SSL_CTX_free(sctx);
1599 SSL_CTX_free(cctx);
1600
1601 return testresult;
1602}
1603
1604static int test_cleanse_plaintext(void)
1605{
1606#if !defined(OPENSSL_NO_TLS1_2)
1607 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1608 TLS_client_method(),
1609 TLS1_2_VERSION,
1610 TLS1_2_VERSION)))
1611 return 0;
1612
1613#endif
1614
a763ca11 1615#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1616 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1617 TLS_client_method(),
1618 TLS1_3_VERSION,
1619 TLS1_3_VERSION)))
1620 return 0;
1621#endif
1622
1623#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1624
163b8016
ME		 1625 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1626 DTLS_client_method(),
1627 DTLS1_VERSION,
1628 0)))
1629 return 0;
1630#endif
1631 return 1;
1632}
1633
8f8c11d8 1634#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1635static int ocsp_server_cb(SSL *s, void *arg)
1636{
1637 int *argi = (int *)arg;
710756a9 1638 unsigned char *copy = NULL;
ba881d3b
MC		 1639 STACK_OF(OCSP_RESPID) *ids = NULL;
1640 OCSP_RESPID *id = NULL;
1641
1642 if (*argi == 2) {
1643 /* In this test we are expecting exactly 1 OCSP_RESPID */
1644 SSL_get_tlsext_status_ids(s, &ids);
1645 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1646 return SSL_TLSEXT_ERR_ALERT_FATAL;
1647
1648 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1649 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1650 return SSL_TLSEXT_ERR_ALERT_FATAL;
1651 } else if (*argi != 1) {
1652 return SSL_TLSEXT_ERR_ALERT_FATAL;
1653 }
1654
710756a9 1655 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1656 return SSL_TLSEXT_ERR_ALERT_FATAL;
1657
711d5a2f
P		 1658 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1659 sizeof(orespder)))) {
1660 OPENSSL_free(copy);
1661 return SSL_TLSEXT_ERR_ALERT_FATAL;
1662 }
ba881d3b 1663 ocsp_server_called = 1;
ba881d3b
MC		 1664 return SSL_TLSEXT_ERR_OK;
1665}
1666
1667static int ocsp_client_cb(SSL *s, void *arg)
1668{
1669 int *argi = (int *)arg;
1670 const unsigned char *respderin;
1671 size_t len;
1672
1673 if (*argi != 1 && *argi != 2)
1674 return 0;
1675
1676 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1677 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1678 return 0;
1679
1680 ocsp_client_called = 1;
ba881d3b
MC		 1681 return 1;
1682}
1683
2cb4b5f6
MC		 1684static int test_tlsext_status_type(void)
1685{
ba881d3b
MC		 1686 SSL_CTX *cctx = NULL, *sctx = NULL;
1687 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1688 int testresult = 0;
ba881d3b
MC		 1689 STACK_OF(OCSP_RESPID) *ids = NULL;
1690 OCSP_RESPID *id = NULL;
1691 BIO *certbio = NULL;
2cb4b5f6 1692
5e30f2fd 1693 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1694 TLS1_VERSION, 0,
7d7f6834 1695 &sctx, &cctx, cert, privkey))
ba881d3b 1696 return 0;
2cb4b5f6 1697
710756a9 1698 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1699 goto end;
2cb4b5f6 1700
ba881d3b 1701 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1702
ba881d3b 1703 clientssl = SSL_new(cctx);
710756a9
RS		 1704 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1705 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1706 TLSEXT_STATUSTYPE_ocsp))
1707 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1708 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1709 goto end;
2cb4b5f6 1710
ba881d3b
MC		 1711 SSL_free(clientssl);
1712 clientssl = NULL;
2cb4b5f6 1713
710756a9
RS		 1714 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1715 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1716 goto end;
2cb4b5f6 1717
ba881d3b 1718 clientssl = SSL_new(cctx);
710756a9 1719 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1720 goto end;
ba881d3b
MC		 1721 SSL_free(clientssl);
1722 clientssl = NULL;
1723
1724 /*
1725 * Now actually do a handshake and check OCSP information is exchanged and
1726 * the callbacks get called
1727 */
ba881d3b
MC		 1728 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1729 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1730 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1731 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1733 &clientssl, NULL, NULL))
1734 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1735 SSL_ERROR_NONE))
1736 || !TEST_true(ocsp_client_called)
1737 || !TEST_true(ocsp_server_called))
ba881d3b 1738 goto end;
ba881d3b
MC		 1739 SSL_free(serverssl);
1740 SSL_free(clientssl);
1741 serverssl = NULL;
1742 clientssl = NULL;
1743
1744 /* Try again but this time force the server side callback to fail */
1745 ocsp_client_called = 0;
1746 ocsp_server_called = 0;
1747 cdummyarg = 0;
710756a9
RS		 1748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1749 &clientssl, NULL, NULL))
1750 /* This should fail because the callback will fail */
1751 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1752 SSL_ERROR_NONE))
1753 || !TEST_false(ocsp_client_called)
1754 || !TEST_false(ocsp_server_called))
ba881d3b 1755 goto end;
ba881d3b
MC		 1756 SSL_free(serverssl);
1757 SSL_free(clientssl);
1758 serverssl = NULL;
1759 clientssl = NULL;
1760
1761 /*
1762 * This time we'll get the client to send an OCSP_RESPID that it will
1763 * accept.
1764 */
1765 ocsp_client_called = 0;
1766 ocsp_server_called = 0;
1767 cdummyarg = 2;
710756a9
RS		 1768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1769 &clientssl, NULL, NULL)))
ba881d3b 1770 goto end;
ba881d3b
MC		 1771
1772 /*
1773 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1774 * specific one. We'll use the server cert.
ba881d3b 1775 */
710756a9
RS		 1776 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1777 || !TEST_ptr(id = OCSP_RESPID_new())
1778 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1779 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1780 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1781 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1782 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1783 goto end;
ba881d3b
MC		 1784 id = NULL;
1785 SSL_set_tlsext_status_ids(clientssl, ids);
1786 /* Control has been transferred */
1787 ids = NULL;
1788
1789 BIO_free(certbio);
1790 certbio = NULL;
1791
710756a9
RS		 1792 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1793 SSL_ERROR_NONE))
1794 || !TEST_true(ocsp_client_called)
1795 || !TEST_true(ocsp_server_called))
ba881d3b 1796 goto end;
ba881d3b 1797
2cb4b5f6
MC		 1798 testresult = 1;
1799
1800 end:
ba881d3b
MC		 1801 SSL_free(serverssl);
1802 SSL_free(clientssl);
1803 SSL_CTX_free(sctx);
1804 SSL_CTX_free(cctx);
1805 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1806 OCSP_RESPID_free(id);
1807 BIO_free(certbio);
1808 X509_free(ocspcert);
1809 ocspcert = NULL;
2cb4b5f6
MC		 1810
1811 return testresult;
1812}
8f8c11d8 1813#endif
2cb4b5f6 1814
a763ca11 1815#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1816static int new_called, remove_called, get_called;
eaa776da 1817
eaa776da
MC		 1818static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1819{
1820 new_called++;
c0537ebd
MC		 1821 /*
1822 * sess has been up-refed for us, but we don't actually need it so free it
1823 * immediately.
1824 */
1825 SSL_SESSION_free(sess);
eaa776da
MC		 1826 return 1;
1827}
1828
1829static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1830{
1831 remove_called++;
1832}
1833
7a301f08
MC		 1834static SSL_SESSION *get_sess_val = NULL;
1835
1836static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1837 int *copy)
1838{
0afca811 1839 get_called++;
7a301f08
MC		 1840 *copy = 1;
1841 return get_sess_val;
1842}
1843
7a301f08 1844static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1845 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1846{
1847 SSL_CTX *sctx = NULL, *cctx = NULL;
1848 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1849 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1850# ifndef OPENSSL_NO_TLS1_1
eaa776da 1851 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1852# endif
2cb4b5f6 1853 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1854 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1855
7e885b7b
P		 1856 new_called = remove_called = 0;
1857
36ff232c
MC		 1858 /* TLSv1.3 sends 2 NewSessionTickets */
1859 if (maxprot == TLS1_3_VERSION)
1860 numnewsesstick = 2;
1861
5e30f2fd
MC		 1862 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1863 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1864 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1865 return 0;
2cb4b5f6 1866
7a301f08
MC		 1867 /*
1868 * Only allow the max protocol version so we can force a connection failure
1869 * later
1870 */
1871 SSL_CTX_set_min_proto_version(cctx, maxprot);
1872 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1873
1874 /* Set up session cache */
7e885b7b 1875 if (use_ext_cache) {
eaa776da
MC		 1876 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1877 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1878 }
7e885b7b 1879 if (use_int_cache) {
eaa776da
MC		 1880 /* Also covers instance where both are set */
1881 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1882 } else {
1883 SSL_CTX_set_session_cache_mode(cctx,
1884 SSL_SESS_CACHE_CLIENT
1885 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1886 }
2cb4b5f6 1887
90fc2c26
NM		 1888 if (s_options) {
1889 SSL_CTX_set_options(sctx, s_options);
1890 }
1891
710756a9
RS		 1892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1893 NULL, NULL))
1894 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1895 SSL_ERROR_NONE))
1896 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1897 goto end;
2cb4b5f6 1898
710756a9 1899 /* Should fail because it should already be in the cache */
7e885b7b 1900 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1901 goto end;
7a301f08 1902 if (use_ext_cache
36ff232c
MC		 1903 && (!TEST_int_eq(new_called, numnewsesstick)
1904
1905 || !TEST_int_eq(remove_called, 0)))
b4982125 1906 goto end;
b4982125 1907
c0537ebd
MC		 1908 new_called = remove_called = 0;
1909 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1910 &clientssl2, NULL, NULL))
1911 || !TEST_true(SSL_set_session(clientssl2, sess1))
1912 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1913 SSL_ERROR_NONE))
1914 || !TEST_true(SSL_session_reused(clientssl2)))
1915 goto end;
1916
7a301f08
MC		 1917 if (maxprot == TLS1_3_VERSION) {
1918 /*
1919 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1920 * resumed. Since we attempted a resume we should also have removed the
1921 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1922 */
1923 if (use_ext_cache
1924 && (!TEST_int_eq(new_called, 1)
4cb00457 1925 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1926 goto end;
1927 } else {
1928 /*
1929 * In TLSv1.2 we expect to have resumed so no sessions added or
1930 * removed.
1931 */
1932 if (use_ext_cache
1933 && (!TEST_int_eq(new_called, 0)
1934 || !TEST_int_eq(remove_called, 0)))
1935 goto end;
1936 }
c0537ebd
MC		 1937
1938 SSL_SESSION_free(sess1);
1939 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1940 goto end;
1941 shutdown_ssl_connection(serverssl2, clientssl2);
1942 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1943
1944 new_called = remove_called = 0;
710756a9
RS		 1945 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1946 &clientssl2, NULL, NULL))
1947 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1948 SSL_ERROR_NONE)))
2cb4b5f6 1949 goto end;
2cb4b5f6 1950
710756a9 1951 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1952 goto end;
2cb4b5f6 1953
7a301f08 1954 if (use_ext_cache
36ff232c
MC		 1955 && (!TEST_int_eq(new_called, numnewsesstick)
1956 || !TEST_int_eq(remove_called, 0)))
eaa776da 1957 goto end;
eaa776da 1958
c0537ebd 1959 new_called = remove_called = 0;
2cb4b5f6 1960 /*
710756a9
RS		 1961 * This should clear sess2 from the cache because it is a "bad" session.
1962 * See SSL_set_session() documentation.
2cb4b5f6 1963 */
710756a9 1964 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1965 goto end;
7a301f08
MC		 1966 if (use_ext_cache
1967 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1968 goto end;
710756a9 1969 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1970 goto end;
2cb4b5f6 1971
7e885b7b 1972 if (use_int_cache) {
710756a9
RS		 1973 /* Should succeeded because it should not already be in the cache */
1974 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1975 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1976 goto end;
eaa776da
MC		 1977 }
1978
c0537ebd 1979 new_called = remove_called = 0;
eaa776da 1980 /* This shouldn't be in the cache so should fail */
710756a9 1981 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1982 goto end;
2cb4b5f6 1983
7a301f08
MC		 1984 if (use_ext_cache
1985 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1986 goto end;
2cb4b5f6 1987
bf208d95 1988# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1989 new_called = remove_called = 0;
eaa776da
MC		 1990 /* Force a connection failure */
1991 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1992 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1993 &clientssl3, NULL, NULL))
1994 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1995 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1996 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1997 SSL_ERROR_NONE)))
eaa776da 1998 goto end;
b4982125 1999
eaa776da 2000 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2001 if (use_ext_cache
2002 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2003 goto end;
2cb4b5f6 2004
710756a9 2005 /* Should succeed because it should not already be in the cache */
7e885b7b 2006 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2007 goto end;
bf208d95 2008# endif
eaa776da 2009
7a301f08
MC		 2010 /* Now do some tests for server side caching */
2011 if (use_ext_cache) {
2012 SSL_CTX_sess_set_new_cb(cctx, NULL);
2013 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2014 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2015 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2016 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2017 get_sess_val = NULL;
2018 }
2019
2020 SSL_CTX_set_session_cache_mode(cctx, 0);
2021 /* Internal caching is the default on the server side */
2022 if (!use_int_cache)
2023 SSL_CTX_set_session_cache_mode(sctx,
2024 SSL_SESS_CACHE_SERVER
2025 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2026
2027 SSL_free(serverssl1);
2028 SSL_free(clientssl1);
2029 serverssl1 = clientssl1 = NULL;
2030 SSL_free(serverssl2);
2031 SSL_free(clientssl2);
2032 serverssl2 = clientssl2 = NULL;
2033 SSL_SESSION_free(sess1);
2034 sess1 = NULL;
2035 SSL_SESSION_free(sess2);
2036 sess2 = NULL;
2037
2038 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2039 if (maxprot == TLS1_2_VERSION)
2040 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2041 new_called = remove_called = get_called = 0;
7a301f08
MC		 2042 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2043 NULL, NULL))
2044 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2045 SSL_ERROR_NONE))
2046 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2047 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2048 goto end;
2049
ee94ec2e
MC		 2050 if (use_int_cache) {
2051 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2052 /*
2053 * In TLSv1.3 it should not have been added to the internal cache,
2054 * except in the case where we also have an external cache (in that
2055 * case it gets added to the cache in order to generate remove
2056 * events after timeout).
2057 */
2058 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2059 goto end;
2060 } else {
2061 /* Should fail because it should already be in the cache */
2062 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2063 goto end;
2064 }
2065 }
7a301f08
MC		 2066
2067 if (use_ext_cache) {
2068 SSL_SESSION *tmp = sess2;
2069
36ff232c 2070 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2071 || !TEST_int_eq(remove_called, 0)
2072 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2073 goto end;
2074 /*
2075 * Delete the session from the internal cache to force a lookup from
2076 * the external cache. We take a copy first because
2077 * SSL_CTX_remove_session() also marks the session as non-resumable.
2078 */
ee94ec2e 2079 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2080 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2081 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2082 goto end;
2083 SSL_SESSION_free(sess2);
2084 }
7a301f08
MC		 2085 sess2 = tmp;
2086 }
2087
0afca811 2088 new_called = remove_called = get_called = 0;
7a301f08
MC		 2089 get_sess_val = sess2;
2090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2091 &clientssl2, NULL, NULL))
2092 || !TEST_true(SSL_set_session(clientssl2, sess1))
2093 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2094 SSL_ERROR_NONE))
2095 || !TEST_true(SSL_session_reused(clientssl2)))
2096 goto end;
2097
0afca811 2098 if (use_ext_cache) {
32305f88 2099 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2100 goto end;
2101
2102 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2103 if (!TEST_int_eq(new_called, 1)
2104 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2105 goto end;
2106 } else {
32305f88
MC		 2107 if (!TEST_int_eq(new_called, 0)
2108 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2109 goto end;
2110 }
2111 }
7a301f08 2112
2cb4b5f6 2113 testresult = 1;
eaa776da 2114
2cb4b5f6
MC		 2115 end:
2116 SSL_free(serverssl1);
2117 SSL_free(clientssl1);
2118 SSL_free(serverssl2);
2119 SSL_free(clientssl2);
bf208d95 2120# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2121 SSL_free(serverssl3);
2122 SSL_free(clientssl3);
bf208d95 2123# endif
2cb4b5f6
MC		 2124 SSL_SESSION_free(sess1);
2125 SSL_SESSION_free(sess2);
2126 SSL_CTX_free(sctx);
2127 SSL_CTX_free(cctx);
2128
2129 return testresult;
2130}
a763ca11 2131#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2132
7fb4c820
MC		 2133static int test_session_with_only_int_cache(void)
2134{
a763ca11 2135#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2136 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2137 return 0;
2138#endif
2139
2140#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2141 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2142#else
2143 return 1;
2144#endif
eaa776da
MC		 2145}
2146
7fb4c820
MC		 2147static int test_session_with_only_ext_cache(void)
2148{
a763ca11 2149#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2150 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2151 return 0;
2152#endif
2153
2154#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2155 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2156#else
2157 return 1;
2158#endif
eaa776da
MC		 2159}
2160
7fb4c820
MC		 2161static int test_session_with_both_cache(void)
2162{
a763ca11 2163#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2164 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2165 return 0;
2166#endif
2167
2168#ifndef OPENSSL_NO_TLS1_2
2169 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2170#else
2171 return 1;
2172#endif
2173}
2174
2175static int test_session_wo_ca_names(void)
2176{
a763ca11 2177#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2178 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2179 return 0;
2180#endif
2181
2182#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2183 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2184#else
2185 return 1;
2186#endif
eaa776da
MC		 2187}
2188
90fc2c26 2189
a763ca11 2190#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2191static SSL_SESSION *sesscache[6];
2192static int do_cache;
36ff232c
MC		 2193
2194static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2195{
c22365b3
MC		 2196 if (do_cache) {
2197 sesscache[new_called] = sess;
2198 } else {
2199 /* We don't need the reference to the session, so free it */
2200 SSL_SESSION_free(sess);
2201 }
2202 new_called++;
2203
2204 return 1;
2205}
2206
2207static int post_handshake_verify(SSL *sssl, SSL *cssl)
2208{
2209 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2210 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2211 return 0;
2212
2213 /* Start handshake on the server and client */
2214 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2215 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2216 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2217 || !TEST_true(create_ssl_connection(sssl, cssl,
2218 SSL_ERROR_NONE)))
2219 return 0;
36ff232c
MC		 2220
2221 return 1;
2222}
2223
fbe9dafd 2224static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2225 SSL_CTX **cctx)
2226{
2227 int sess_id_ctx = 1;
2228
5e30f2fd
MC		 2229 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2230 TLS_client_method(), TLS1_VERSION, 0,
2231 sctx, cctx, cert, privkey))
03cdf559
MC		 2232 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2233 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2234 (void *)&sess_id_ctx,
2235 sizeof(sess_id_ctx))))
2236 return 0;
2237
2238 if (stateful)
2239 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2240
2241 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2242 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2243 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2244
2245 return 1;
2246}
2247
2248static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2249{
2250 SSL *serverssl = NULL, *clientssl = NULL;
2251 int i;
2252
2253 /* Test that we can resume with all the tickets we got given */
2254 for (i = 0; i < idx * 2; i++) {
2255 new_called = 0;
2256 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2257 &clientssl, NULL, NULL))
2258 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2259 goto end;
2260
32097b33 2261 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2262
2263 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2264 SSL_ERROR_NONE)))
2265 goto end;
2266
2267 /*
2268 * Following a successful resumption we only get 1 ticket. After a
2269 * failed one we should get idx tickets.
2270 */
2271 if (succ) {
2272 if (!TEST_true(SSL_session_reused(clientssl))
2273 || !TEST_int_eq(new_called, 1))
2274 goto end;
2275 } else {
2276 if (!TEST_false(SSL_session_reused(clientssl))
2277 || !TEST_int_eq(new_called, idx))
2278 goto end;
2279 }
2280
2281 new_called = 0;
2282 /* After a post-handshake authentication we should get 1 new ticket */
2283 if (succ
2284 && (!post_handshake_verify(serverssl, clientssl)
2285 || !TEST_int_eq(new_called, 1)))
2286 goto end;
2287
2288 SSL_shutdown(clientssl);
2289 SSL_shutdown(serverssl);
2290 SSL_free(serverssl);
2291 SSL_free(clientssl);
2292 serverssl = clientssl = NULL;
2293 SSL_SESSION_free(sesscache[i]);
2294 sesscache[i] = NULL;
2295 }
2296
2297 return 1;
2298
2299 end:
2300 SSL_free(clientssl);
2301 SSL_free(serverssl);
2302 return 0;
2303}
2304
04d7814a 2305static int test_tickets(int stateful, int idx)
36ff232c
MC		 2306{
2307 SSL_CTX *sctx = NULL, *cctx = NULL;
2308 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2309 int testresult = 0;
36ff232c
MC		 2310 size_t j;
2311
2312 /* idx is the test number, but also the number of tickets we want */
2313
2314 new_called = 0;
c22365b3 2315 do_cache = 1;
36ff232c 2316
fbe9dafd 2317 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2318 goto end;
2319
03cdf559
MC		 2320 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2321 &clientssl, NULL, NULL)))
2322 goto end;
2323
2324 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2325 SSL_ERROR_NONE))
2326 /* Check we got the number of tickets we were expecting */
2327 || !TEST_int_eq(idx, new_called))
2328 goto end;
04d7814a 2329
03cdf559
MC		 2330 SSL_shutdown(clientssl);
2331 SSL_shutdown(serverssl);
2332 SSL_free(serverssl);
2333 SSL_free(clientssl);
2334 SSL_CTX_free(sctx);
2335 SSL_CTX_free(cctx);
2336 clientssl = serverssl = NULL;
2337 sctx = cctx = NULL;
2338
2339 /*
2340 * Now we try to resume with the tickets we previously created. The
2341 * resumption attempt is expected to fail (because we're now using a new
2342 * SSL_CTX). We should see idx number of tickets issued again.
2343 */
2344
2345 /* Stop caching sessions - just count them */
2346 do_cache = 0;
2347
fbe9dafd 2348 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2349 goto end;
2350
2351 if (!check_resumption(idx, sctx, cctx, 0))
2352 goto end;
2353
2354 /* Start again with caching sessions */
2355 new_called = 0;
2356 do_cache = 1;
fbe9dafd
MC		 2357 SSL_CTX_free(sctx);
2358 SSL_CTX_free(cctx);
2359 sctx = cctx = NULL;
03cdf559 2360
fbe9dafd 2361 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2362 goto end;
36ff232c
MC		 2363
2364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2365 &clientssl, NULL, NULL)))
2366 goto end;
2367
32097b33 2368 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2369
2370 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2371 SSL_ERROR_NONE))
2372 /* Check we got the number of tickets we were expecting */
2373 || !TEST_int_eq(idx, new_called))
2374 goto end;
2375
2376 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2377 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2378 || !TEST_int_eq(idx * 2, new_called))
2379 goto end;
2380
36ff232c
MC		 2381 SSL_shutdown(clientssl);
2382 SSL_shutdown(serverssl);
2383 SSL_free(serverssl);
2384 SSL_free(clientssl);
2385 serverssl = clientssl = NULL;
2386
c22365b3
MC		 2387 /* Stop caching sessions - just count them */
2388 do_cache = 0;
2389
03cdf559
MC		 2390 /*
2391 * Check we can resume with all the tickets we created. This time around the
2392 * resumptions should all be successful.
2393 */
2394 if (!check_resumption(idx, sctx, cctx, 1))
2395 goto end;
36ff232c
MC		 2396
2397 testresult = 1;
2398
2399 end:
2400 SSL_free(serverssl);
2401 SSL_free(clientssl);
c22365b3 2402 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2403 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2404 sesscache[j] = NULL;
2405 }
36ff232c
MC		 2406 SSL_CTX_free(sctx);
2407 SSL_CTX_free(cctx);
2408
2409 return testresult;
2410}
04d7814a
MC		 2411
2412static int test_stateless_tickets(int idx)
2413{
2414 return test_tickets(0, idx);
2415}
2416
2417static int test_stateful_tickets(int idx)
2418{
2419 return test_tickets(1, idx);
2420}
8614a4eb
MC		 2421
2422static int test_psk_tickets(void)
2423{
2424 SSL_CTX *sctx = NULL, *cctx = NULL;
2425 SSL *serverssl = NULL, *clientssl = NULL;
2426 int testresult = 0;
2427 int sess_id_ctx = 1;
2428
5e30f2fd
MC		 2429 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2430 TLS_client_method(), TLS1_VERSION, 0,
2431 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2432 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2433 (void *)&sess_id_ctx,
2434 sizeof(sess_id_ctx))))
2435 goto end;
2436
2437 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2438 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2439 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2440 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2441 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2442 use_session_cb_cnt = 0;
2443 find_session_cb_cnt = 0;
2444 srvid = pskid;
2445 new_called = 0;
2446
2447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2448 NULL, NULL)))
2449 goto end;
2450 clientpsk = serverpsk = create_a_psk(clientssl);
2451 if (!TEST_ptr(clientpsk))
2452 goto end;
2453 SSL_SESSION_up_ref(clientpsk);
2454
2455 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2456 SSL_ERROR_NONE))
2457 || !TEST_int_eq(1, find_session_cb_cnt)
2458 || !TEST_int_eq(1, use_session_cb_cnt)
2459 /* We should always get 1 ticket when using external PSK */
2460 || !TEST_int_eq(1, new_called))
2461 goto end;
2462
2463 testresult = 1;
2464
2465 end:
2466 SSL_free(serverssl);
2467 SSL_free(clientssl);
2468 SSL_CTX_free(sctx);
2469 SSL_CTX_free(cctx);
2470 SSL_SESSION_free(clientpsk);
2471 SSL_SESSION_free(serverpsk);
2472 clientpsk = serverpsk = NULL;
2473
2474 return testresult;
2475}
f0049b86
BK		 2476
2477static int test_extra_tickets(int idx)
2478{
2479 SSL_CTX *sctx = NULL, *cctx = NULL;
2480 SSL *serverssl = NULL, *clientssl = NULL;
2481 BIO *bretry = BIO_new(bio_s_always_retry());
2482 BIO *tmp = NULL;
2483 int testresult = 0;
2484 int stateful = 0;
2485 size_t nbytes;
2486 unsigned char c, buf[1];
2487
2488 new_called = 0;
2489 do_cache = 1;
2490
2491 if (idx >= 3) {
2492 idx -= 3;
2493 stateful = 1;
2494 }
2495
2496 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2497 goto end;
2498 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2499 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2500 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2501
2502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2503 &clientssl, NULL, NULL)))
2504 goto end;
2505
2506 /*
2507 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2508 * incremented by both client and server.
2509 */
2510 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2511 SSL_ERROR_NONE))
2512 /* Check we got the number of tickets we were expecting */
2513 || !TEST_int_eq(idx * 2, new_called)
2514 || !TEST_true(SSL_new_session_ticket(serverssl))
2515 || !TEST_true(SSL_new_session_ticket(serverssl))
2516 || !TEST_int_eq(idx * 2, new_called))
2517 goto end;
2518
2519 /* Now try a (real) write to actually send the tickets */
2520 c = '1';
2521 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2522 || !TEST_size_t_eq(1, nbytes)
2523 || !TEST_int_eq(idx * 2 + 2, new_called)
2524 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2525 || !TEST_int_eq(idx * 2 + 4, new_called)
2526 || !TEST_int_eq(sizeof(buf), nbytes)
2527 || !TEST_int_eq(c, buf[0])
2528 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2529 goto end;
2530
2531 /* Try with only requesting one new ticket, too */
2532 c = '2';
2533 new_called = 0;
2534 if (!TEST_true(SSL_new_session_ticket(serverssl))
2535 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2536 || !TEST_size_t_eq(sizeof(c), nbytes)
2537 || !TEST_int_eq(1, new_called)
2538 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2539 || !TEST_int_eq(2, new_called)
2540 || !TEST_size_t_eq(sizeof(buf), nbytes)
2541 || !TEST_int_eq(c, buf[0]))
2542 goto end;
2543
2544 /* Do it again but use dummy writes to drive the ticket generation */
2545 c = '3';
2546 new_called = 0;
2547 if (!TEST_true(SSL_new_session_ticket(serverssl))
2548 || !TEST_true(SSL_new_session_ticket(serverssl))
2549 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2550 || !TEST_size_t_eq(0, nbytes)
2551 || !TEST_int_eq(2, new_called)
2552 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2553 || !TEST_int_eq(4, new_called))
2554 goto end;
2555
a0bbcb42
BK		 2556 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2557 c = '4';
2558 new_called = 0;
2559 if (!TEST_true(SSL_new_session_ticket(serverssl))
2560 || !TEST_true(SSL_new_session_ticket(serverssl))
2561 || !TEST_true(SSL_do_handshake(serverssl))
2562 || !TEST_int_eq(2, new_called)
2563 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2564 || !TEST_int_eq(4, new_called))
2565 goto end;
2566
f0049b86
BK		 2567 /*
2568 * Use the always-retry BIO to exercise the logic that forces ticket
2569 * generation to wait until a record boundary.
2570 */
a0bbcb42 2571 c = '5';
f0049b86
BK		 2572 new_called = 0;
2573 tmp = SSL_get_wbio(serverssl);
2574 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2575 tmp = NULL;
2576 goto end;
2577 }
2578 SSL_set0_wbio(serverssl, bretry);
2579 bretry = NULL;
2580 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2581 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2582 || !TEST_size_t_eq(nbytes, 0))
2583 goto end;
2584 /* Restore a BIO that will let the write succeed */
2585 SSL_set0_wbio(serverssl, tmp);
2586 tmp = NULL;
a0bbcb42
BK		 2587 /*
2588 * These calls should just queue the request and not send anything
2589 * even if we explicitly try to hit the state machine.
2590 */
f0049b86
BK		 2591 if (!TEST_true(SSL_new_session_ticket(serverssl))
2592 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2593 || !TEST_int_eq(0, new_called)
2594 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2595 || !TEST_int_eq(0, new_called))
2596 goto end;
2597 /* Re-do the write; still no tickets sent */
2598 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2599 || !TEST_size_t_eq(1, nbytes)
2600 || !TEST_int_eq(0, new_called)
2601 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2602 || !TEST_int_eq(0, new_called)
2603 || !TEST_int_eq(sizeof(buf), nbytes)
2604 || !TEST_int_eq(c, buf[0])
2605 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2606 goto end;
a0bbcb42
BK		 2607 /* Even trying to hit the state machine now will still not send tickets */
2608 if (!TEST_true(SSL_do_handshake(serverssl))
2609 || !TEST_int_eq(0, new_called))
2610 goto end;
f0049b86 2611 /* Now the *next* write should send the tickets */
a0bbcb42 2612 c = '6';
f0049b86
BK		 2613 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2614 || !TEST_size_t_eq(1, nbytes)
2615 || !TEST_int_eq(2, new_called)
2616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2617 || !TEST_int_eq(4, new_called)
2618 || !TEST_int_eq(sizeof(buf), nbytes)
2619 || !TEST_int_eq(c, buf[0])
2620 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2621 goto end;
2622
2623 SSL_shutdown(clientssl);
2624 SSL_shutdown(serverssl);
2625 testresult = 1;
2626
2627 end:
2628 BIO_free(bretry);
2629 BIO_free(tmp);
2630 SSL_free(serverssl);
2631 SSL_free(clientssl);
2632 SSL_CTX_free(sctx);
2633 SSL_CTX_free(cctx);
2634 clientssl = serverssl = NULL;
2635 sctx = cctx = NULL;
2636 return testresult;
2637}
04225915 2638#endif
36ff232c 2639
7d4488bb
MC		 2640#define USE_NULL 0
2641#define USE_BIO_1 1
2642#define USE_BIO_2 2
2643#define USE_DEFAULT 3
2644
2645#define CONNTYPE_CONNECTION_SUCCESS 0
2646#define CONNTYPE_CONNECTION_FAIL 1
2647#define CONNTYPE_NO_CONNECTION 2
2648
2649#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2650#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2651#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2652# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2653#else
2654# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2655#endif
2656
7d4488bb
MC		 2657#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2658 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2659 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2660
2661static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2662{
2663 switch (type) {
2664 case USE_NULL:
2665 *res = NULL;
2666 break;
2667 case USE_BIO_1:
2668 *res = bio1;
2669 break;
2670 case USE_BIO_2:
2671 *res = bio2;
2672 break;
2673 }
2674}
2675
7d4488bb
MC		 2676
2677/*
2678 * Tests calls to SSL_set_bio() under various conditions.
2679 *
2680 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2681 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2682 * then do more tests where we create a successful connection first using our
2683 * standard connection setup functions, and then call SSL_set_bio() with
2684 * various combinations of valid BIOs or NULL. We then repeat these tests
2685 * following a failed connection. In this last case we are looking to check that
2686 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2687 */
7fb4c820
MC		 2688static int test_ssl_set_bio(int idx)
2689{
7d4488bb 2690 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2691 BIO *bio1 = NULL;
2692 BIO *bio2 = NULL;
0fae8150 2693 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2694 SSL *serverssl = NULL, *clientssl = NULL;
2695 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2696 int testresult = 0;
2697
7d4488bb
MC		 2698 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2699 initrbio = idx % 3;
2700 idx /= 3;
2701 initwbio = idx % 3;
2702 idx /= 3;
2703 newrbio = idx % 3;
2704 idx /= 3;
2705 newwbio = idx % 3;
2706 conntype = CONNTYPE_NO_CONNECTION;
2707 } else {
2708 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2709 initrbio = initwbio = USE_DEFAULT;
2710 newrbio = idx % 2;
2711 idx /= 2;
2712 newwbio = idx % 2;
2713 idx /= 2;
2714 conntype = idx % 2;
2715 }
710756a9 2716
5e30f2fd
MC		 2717 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2718 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2719 &sctx, &cctx, cert, privkey)))
2720 goto end;
2721
2722 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2723 /*
2724 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2725 * because we reduced the number of tests in the definition of
2726 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2727 * mismatched protocol versions we will force a connection failure.
2728 */
2729 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2730 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2731 }
2732
2733 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2734 NULL, NULL)))
710756a9 2735 goto end;
7fb4c820 2736
710756a9
RS		 2737 if (initrbio == USE_BIO_1
2738 || initwbio == USE_BIO_1
2739 || newrbio == USE_BIO_1
7fb4c820 2740 || newwbio == USE_BIO_1) {
710756a9 2741 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2742 goto end;
7fb4c820
MC		 2743 }
2744
710756a9
RS		 2745 if (initrbio == USE_BIO_2
2746 || initwbio == USE_BIO_2
2747 || newrbio == USE_BIO_2
7fb4c820 2748 || newwbio == USE_BIO_2) {
710756a9 2749 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2750 goto end;
7fb4c820
MC		 2751 }
2752
7d4488bb
MC		 2753 if (initrbio != USE_DEFAULT) {
2754 setupbio(&irbio, bio1, bio2, initrbio);
2755 setupbio(&iwbio, bio1, bio2, initwbio);
2756 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2757
7d4488bb
MC		 2758 /*
2759 * We want to maintain our own refs to these BIO, so do an up ref for
2760 * each BIO that will have ownership transferred in the SSL_set_bio()
2761 * call
2762 */
2763 if (irbio != NULL)
2764 BIO_up_ref(irbio);
2765 if (iwbio != NULL && iwbio != irbio)
2766 BIO_up_ref(iwbio);
2767 }
7fb4c820 2768
7d4488bb
MC		 2769 if (conntype != CONNTYPE_NO_CONNECTION
2770 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2771 SSL_ERROR_NONE)
2772 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2773 goto end;
7fb4c820
MC		 2774
2775 setupbio(&nrbio, bio1, bio2, newrbio);
2776 setupbio(&nwbio, bio1, bio2, newwbio);
2777
2778 /*
2779 * We will (maybe) transfer ownership again so do more up refs.
2780 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2781 * already been set!
2782 */
710756a9
RS		 2783 if (nrbio != NULL
2784 && nrbio != irbio
2785 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2786 BIO_up_ref(nrbio);
710756a9
RS		 2787 if (nwbio != NULL
2788 && nwbio != nrbio
2789 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2790 BIO_up_ref(nwbio);
2791
7d4488bb 2792 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2793
2794 testresult = 1;
2795
2796 end:
7fb4c820
MC		 2797 BIO_free(bio1);
2798 BIO_free(bio2);
710756a9 2799
7fb4c820
MC		 2800 /*
2801 * This test is checking that the ref counting for SSL_set_bio is correct.
2802 * If we get here and we did too many frees then we will fail in the above
742ccab3 2803 * functions.
7fb4c820 2804 */
7d4488bb
MC		 2805 SSL_free(serverssl);
2806 SSL_free(clientssl);
2807 SSL_CTX_free(sctx);
2808 SSL_CTX_free(cctx);
7fb4c820
MC		 2809 return testresult;
2810}
2811
7e885b7b 2812typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2813
7e885b7b 2814static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2815{
2816 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2817 SSL_CTX *ctx;
9a716987
MC		 2818 SSL *ssl = NULL;
2819 int testresult = 0;
2820
d8652be0 2821 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2822 || !TEST_ptr(ssl = SSL_new(ctx))
2823 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2824 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2825 goto end;
9a716987
MC		 2826
2827 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2828
2829 /*
742ccab3 2830 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2831 */
2832 BIO_push(sslbio, membio1);
2833
69687aa8 2834 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2835 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2836 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2837 ssl = NULL;
9a716987 2838 goto end;
493e7898 2839 }
7e885b7b 2840 if (change_bio == CHANGE_RBIO)
65e2d672 2841 SSL_set0_rbio(ssl, membio2);
9a716987 2842 else
65e2d672 2843 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2844 }
2845 ssl = NULL;
2846
7e885b7b 2847 if (pop_ssl)
9a716987
MC		 2848 BIO_pop(sslbio);
2849 else
2850 BIO_pop(membio1);
2851
2852 testresult = 1;
2853 end:
2854 BIO_free(membio1);
2855 BIO_free(sslbio);
2856 SSL_free(ssl);
2857 SSL_CTX_free(ctx);
2858
2859 return testresult;
2860}
2861
2862static int test_ssl_bio_pop_next_bio(void)
2863{
7e885b7b 2864 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2865}
2866
2867static int test_ssl_bio_pop_ssl_bio(void)
2868{
7e885b7b 2869 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2870}
2871
2872static int test_ssl_bio_change_rbio(void)
2873{
7e885b7b 2874 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2875}
2876
2877static int test_ssl_bio_change_wbio(void)
2878{
7e885b7b 2879 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2880}
2881
a763ca11 2882#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2883typedef struct {
2884 /* The list of sig algs */
2885 const int *list;
2886 /* The length of the list */
2887 size_t listlen;
2888 /* A sigalgs list in string format */
2889 const char *liststr;
2890 /* Whether setting the list should succeed */
2891 int valid;
2892 /* Whether creating a connection with the list should succeed */
2893 int connsuccess;
2894} sigalgs_list;
2895
2896static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2897# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2898static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2899static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2900# endif
f1b25aae
MC		 2901static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2902static const int invalidlist2[] = {NID_sha256, NID_undef};
2903static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2904static const int invalidlist4[] = {NID_sha256};
2905static const sigalgs_list testsigalgs[] = {
2906 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2907# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2908 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2909 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2910# endif
f1b25aae 2911 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2912# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2913 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2914 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2915# endif
f1b25aae
MC		 2916 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2917 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2918 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2919 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2920 {NULL, 0, "RSA", 0, 0},
2921 {NULL, 0, "SHA256", 0, 0},
2922 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2923 {NULL, 0, "Invalid", 0, 0}
2924};
f1b25aae
MC		 2925
2926static int test_set_sigalgs(int idx)
2927{
2928 SSL_CTX *cctx = NULL, *sctx = NULL;
2929 SSL *clientssl = NULL, *serverssl = NULL;
2930 int testresult = 0;
2931 const sigalgs_list *curr;
2932 int testctx;
2933
2934 /* Should never happen */
710756a9 2935 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2936 return 0;
2937
2938 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2939 curr = testctx ? &testsigalgs[idx]
2940 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2941
5e30f2fd
MC		 2942 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2943 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2944 &sctx, &cctx, cert, privkey)))
f1b25aae 2945 return 0;
f1b25aae 2946
d2e491f2
MC		 2947 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2948
f1b25aae
MC		 2949 if (testctx) {
2950 int ret;
710756a9 2951
f1b25aae
MC		 2952 if (curr->list != NULL)
2953 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2954 else
2955 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2956
2957 if (!ret) {
2958 if (curr->valid)
710756a9 2959 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2960 else
2961 testresult = 1;
2962 goto end;
2963 }
2964 if (!curr->valid) {
710756a9 2965 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2966 goto end;
2967 }
2968 }
2969
710756a9
RS		 2970 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2971 &clientssl, NULL, NULL)))
f1b25aae 2972 goto end;
f1b25aae
MC		 2973
2974 if (!testctx) {
2975 int ret;
2976
2977 if (curr->list != NULL)
2978 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2979 else
2980 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2981 if (!ret) {
2982 if (curr->valid)
710756a9 2983 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2984 else
2985 testresult = 1;
2986 goto end;
2987 }
710756a9 2988 if (!curr->valid)
f1b25aae 2989 goto end;
f1b25aae
MC		 2990 }
2991
710756a9
RS		 2992 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2993 SSL_ERROR_NONE),
2994 curr->connsuccess))
f1b25aae 2995 goto end;
f1b25aae
MC		 2996
2997 testresult = 1;
2998
2999 end:
3000 SSL_free(serverssl);
3001 SSL_free(clientssl);
3002 SSL_CTX_free(sctx);
3003 SSL_CTX_free(cctx);
3004
3005 return testresult;
3006}
c423ecaa 3007#endif
f1b25aae 3008
a763ca11 3009#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3010static int psk_client_cb_cnt = 0;
3011static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3012
3013static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3014 size_t *idlen, SSL_SESSION **sess)
3015{
3016 switch (++use_session_cb_cnt) {
3017 case 1:
3018 /* The first call should always have a NULL md */
3019 if (md != NULL)
3020 return 0;
3021 break;
3022
3023 case 2:
3024 /* The second call should always have an md */
3025 if (md == NULL)
3026 return 0;
3027 break;
3028
3029 default:
3030 /* We should only be called a maximum of twice */
3031 return 0;
3032 }
3033
57dee9bb
MC		 3034 if (clientpsk != NULL)
3035 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3036
57dee9bb 3037 *sess = clientpsk;
02a3ed5a
MC		 3038 *id = (const unsigned char *)pskid;
3039 *idlen = strlen(pskid);
3040
3041 return 1;
3042}
3043
c2b290c3 3044#ifndef OPENSSL_NO_PSK
532f9578
MC		 3045static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3046 unsigned int max_id_len,
3047 unsigned char *psk,
3048 unsigned int max_psk_len)
3049{
3050 unsigned int psklen = 0;
3051
3052 psk_client_cb_cnt++;
3053
3054 if (strlen(pskid) + 1 > max_id_len)
3055 return 0;
3056
3057 /* We should only ever be called a maximum of twice per connection */
3058 if (psk_client_cb_cnt > 2)
3059 return 0;
3060
3061 if (clientpsk == NULL)
3062 return 0;
3063
3064 /* We'll reuse the PSK we set up for TLSv1.3 */
3065 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3066 return 0;
3067 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3068 strncpy(id, pskid, max_id_len);
3069
3070 return psklen;
3071}
c2b290c3 3072#endif /* OPENSSL_NO_PSK */
532f9578 3073
02a3ed5a
MC		 3074static int find_session_cb(SSL *ssl, const unsigned char *identity,
3075 size_t identity_len, SSL_SESSION **sess)
3076{
3077 find_session_cb_cnt++;
3078
3079 /* We should only ever be called a maximum of twice per connection */
3080 if (find_session_cb_cnt > 2)
3081 return 0;
3082
57dee9bb 3083 if (serverpsk == NULL)
02a3ed5a
MC		 3084 return 0;
3085
3086 /* Identity should match that set by the client */
3087 if (strlen(srvid) != identity_len
3088 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3089 /* No PSK found, continue but without a PSK */
3090 *sess = NULL;
3091 return 1;
3092 }
3093
57dee9bb
MC		 3094 SSL_SESSION_up_ref(serverpsk);
3095 *sess = serverpsk;
02a3ed5a
MC		 3096
3097 return 1;
3098}
3099
c2b290c3 3100#ifndef OPENSSL_NO_PSK
532f9578
MC		 3101static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3102 unsigned char *psk, unsigned int max_psk_len)
3103{
3104 unsigned int psklen = 0;
3105
3106 psk_server_cb_cnt++;
3107
3108 /* We should only ever be called a maximum of twice per connection */
3109 if (find_session_cb_cnt > 2)
3110 return 0;
3111
3112 if (serverpsk == NULL)
3113 return 0;
3114
3115 /* Identity should match that set by the client */
3116 if (strcmp(srvid, identity) != 0) {
3117 return 0;
3118 }
3119
3120 /* We'll reuse the PSK we set up for TLSv1.3 */
3121 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3122 return 0;
3123 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3124
3125 return psklen;
3126}
c2b290c3 3127#endif /* OPENSSL_NO_PSK */
532f9578 3128
5f982038
MC		 3129#define MSG1 "Hello"
3130#define MSG2 "World."
3131#define MSG3 "This"
3132#define MSG4 "is"
3133#define MSG5 "a"
90049cea
MC		 3134#define MSG6 "test"
3135#define MSG7 "message."
5f982038 3136
532f9578 3137#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3138#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3139#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3140#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3141#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3142
8614a4eb
MC		 3143
3144static SSL_SESSION *create_a_psk(SSL *ssl)
3145{
3146 const SSL_CIPHER *cipher = NULL;
3147 const unsigned char key[] = {
3148 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3149 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3150 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3151 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3152 0x2c, 0x2d, 0x2e, 0x2f
3153 };
3154 SSL_SESSION *sess = NULL;
3155
3156 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3157 sess = SSL_SESSION_new();
3158 if (!TEST_ptr(sess)
3159 || !TEST_ptr(cipher)
3160 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3161 sizeof(key)))
3162 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3163 || !TEST_true(
3164 SSL_SESSION_set_protocol_version(sess,
3165 TLS1_3_VERSION))) {
3166 SSL_SESSION_free(sess);
3167 return NULL;
3168 }
3169 return sess;
3170}
3171
5f982038
MC		 3172/*
3173 * Helper method to setup objects for early data test. Caller frees objects on
3174 * error.
3175 */
3176static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3177 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3178{
5a421415 3179 if (*sctx == NULL
5e30f2fd 3180 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3181 TLS_client_method(),
5c587fb6 3182 TLS1_VERSION, 0,
5a421415
MC		 3183 sctx, cctx, cert, privkey)))
3184 return 0;
3185
3186 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3187 return 0;
5f982038 3188
02a3ed5a
MC		 3189 if (idx == 1) {
3190 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3191 SSL_CTX_set_read_ahead(*cctx, 1);
3192 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3193 } else if (idx == 2) {
3194 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3195 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3196 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3197 use_session_cb_cnt = 0;
3198 find_session_cb_cnt = 0;
3199 srvid = pskid;
3cb47b4e
MC		 3200 }
3201
710756a9 3202 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3203 NULL, NULL)))
3204 return 0;
3205
141e4709
MC		 3206 /*
3207 * For one of the run throughs (doesn't matter which one), we'll try sending
3208 * some SNI data in the initial ClientHello. This will be ignored (because
3209 * there is no SNI cb set up by the server), so it should not impact
3210 * early_data.
3211 */
3212 if (idx == 1
3213 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3214 return 0;
3215
02a3ed5a 3216 if (idx == 2) {
8614a4eb 3217 clientpsk = create_a_psk(*clientssl);
57dee9bb 3218 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3219 /*
3220 * We just choose an arbitrary value for max_early_data which
3221 * should be big enough for testing purposes.
3222 */
57dee9bb
MC		 3223 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3224 0x100))
3225 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3226 SSL_SESSION_free(clientpsk);
3227 clientpsk = NULL;
02a3ed5a
MC		 3228 return 0;
3229 }
57dee9bb 3230 serverpsk = clientpsk;
02a3ed5a 3231
c20e3b28
MC		 3232 if (sess != NULL) {
3233 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3234 SSL_SESSION_free(clientpsk);
3235 SSL_SESSION_free(serverpsk);
3236 clientpsk = serverpsk = NULL;
3237 return 0;
3238 }
57dee9bb 3239 *sess = clientpsk;
c20e3b28 3240 }
02a3ed5a
MC		 3241 return 1;
3242 }
3243
3244 if (sess == NULL)
3245 return 1;
3246
3247 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3248 SSL_ERROR_NONE)))
5f982038 3249 return 0;
5f982038
MC		 3250
3251 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3252 SSL_shutdown(*clientssl);
3253 SSL_shutdown(*serverssl);
5f982038
MC		 3254 SSL_free(*serverssl);
3255 SSL_free(*clientssl);
3256 *serverssl = *clientssl = NULL;
3257
710756a9
RS		 3258 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3259 clientssl, NULL, NULL))
3260 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3261 return 0;
5f982038
MC		 3262
3263 return 1;
3264}
3265
3cb47b4e 3266static int test_early_data_read_write(int idx)
5f982038
MC		 3267{
3268 SSL_CTX *cctx = NULL, *sctx = NULL;
3269 SSL *clientssl = NULL, *serverssl = NULL;
3270 int testresult = 0;
3271 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3272 unsigned char buf[20], data[1024];
3273 size_t readbytes, written, eoedlen, rawread, rawwritten;
3274 BIO *rbio;
5f982038 3275
710756a9
RS		 3276 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3277 &serverssl, &sess, idx)))
5f982038
MC		 3278 goto end;
3279
3280 /* Write and read some early data */
710756a9
RS		 3281 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3282 &written))
3283 || !TEST_size_t_eq(written, strlen(MSG1))
3284 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3285 sizeof(buf), &readbytes),
3286 SSL_READ_EARLY_DATA_SUCCESS)
3287 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3288 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3289 SSL_EARLY_DATA_ACCEPTED))
5f982038 3290 goto end;
5f982038
MC		 3291
3292 /*
09f28874 3293 * Server should be able to write data, and client should be able to
5f982038
MC		 3294 * read it.
3295 */
710756a9
RS		 3296 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3297 &written))
3298 || !TEST_size_t_eq(written, strlen(MSG2))
3299 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3300 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3301 goto end;
5f982038
MC		 3302
3303 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3304 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3305 &written))
3306 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3307 goto end;
5f982038 3308
09f28874 3309 /* Server should still be able read early data after writing data */
710756a9
RS		 3310 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3311 &readbytes),
3312 SSL_READ_EARLY_DATA_SUCCESS)
3313 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3314 goto end;
5f982038 3315
09f28874 3316 /* Write more data from server and read it from client */
710756a9
RS		 3317 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3318 &written))
3319 || !TEST_size_t_eq(written, strlen(MSG4))
3320 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3321 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3322 goto end;
5f982038
MC		 3323
3324 /*
3325 * If client writes normal data it should mean writing early data is no
3326 * longer possible.
3327 */
710756a9
RS		 3328 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3329 || !TEST_size_t_eq(written, strlen(MSG5))
3330 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3331 SSL_EARLY_DATA_ACCEPTED))
5f982038 3332 goto end;
5f982038 3333
9b5c865d
MC		 3334 /*
3335 * At this point the client has written EndOfEarlyData, ClientFinished and
3336 * normal (fully protected) data. We are going to cause a delay between the
3337 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3338 * in the read BIO, and then just put back the EndOfEarlyData message.
3339 */
3340 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3341 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3342 || !TEST_size_t_lt(rawread, sizeof(data))
3343 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3344 goto end;
710756a9 3345
9b5c865d
MC		 3346 /* Record length is in the 4th and 5th bytes of the record header */
3347 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3348 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3349 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3350 goto end;
9b5c865d 3351
5f982038 3352 /* Server should be told that there is no more early data */
710756a9
RS		 3353 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3354 &readbytes),
3355 SSL_READ_EARLY_DATA_FINISH)
3356 || !TEST_size_t_eq(readbytes, 0))
5f982038 3357 goto end;
5f982038 3358
9b5c865d
MC		 3359 /*
3360 * Server has not finished init yet, so should still be able to write early
3361 * data.
3362 */
710756a9
RS		 3363 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3364 &written))
3365 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3366 goto end;
9b5c865d 3367
f8a303fa 3368 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3369 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3370 &rawwritten))
3371 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3372 goto end;
f8a303fa 3373
5f982038 3374 /* Server should be able to read normal data */
710756a9
RS		 3375 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3376 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3377 goto end;
5f982038 3378
09f28874 3379 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3380 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3381 &written)))
5f982038 3382 goto end;
5f982038 3383 ERR_clear_error();
710756a9
RS		 3384 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3385 &readbytes),
3386 SSL_READ_EARLY_DATA_ERROR))
5f982038 3387 goto end;
5f982038
MC		 3388 ERR_clear_error();
3389
9b5c865d 3390 /* Client should be able to read the data sent by the server */
710756a9
RS		 3391 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3392 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3393 goto end;
710756a9 3394
f8a303fa 3395 /*
36ff232c
MC		 3396 * Make sure we process the two NewSessionTickets. These arrive
3397 * post-handshake. We attempt reads which we do not expect to return any
3398 * data.
f8a303fa 3399 */
36ff232c
MC		 3400 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3401 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3402 &readbytes)))
f8a303fa 3403 goto end;
5f982038 3404
90049cea 3405 /* Server should be able to write normal data */
710756a9
RS		 3406 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3407 || !TEST_size_t_eq(written, strlen(MSG7))
3408 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3409 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3410 goto end;
90049cea 3411
c20e3b28 3412 SSL_SESSION_free(sess);
5f982038 3413 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3414 use_session_cb_cnt = 0;
3415 find_session_cb_cnt = 0;
5f982038
MC		 3416
3417 SSL_shutdown(clientssl);
3418 SSL_shutdown(serverssl);
5f982038
MC		 3419 SSL_free(serverssl);
3420 SSL_free(clientssl);
3421 serverssl = clientssl = NULL;
710756a9
RS		 3422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3423 &clientssl, NULL, NULL))
3424 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3425 goto end;
5f982038
MC		 3426
3427 /* Write and read some early data */
710756a9
RS		 3428 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3429 &written))
3430 || !TEST_size_t_eq(written, strlen(MSG1))
3431 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3432 &readbytes),
3433 SSL_READ_EARLY_DATA_SUCCESS)
3434 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3435 goto end;
5f982038 3436
710756a9
RS		 3437 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3438 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3439 goto end;
5f982038 3440
09f28874 3441 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3442 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3443 &written)))
5f982038 3444 goto end;
5f982038 3445 ERR_clear_error();
710756a9
RS		 3446 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3447 &readbytes),
3448 SSL_READ_EARLY_DATA_ERROR))
5f982038 3449 goto end;
5f982038
MC		 3450 ERR_clear_error();
3451
3452 /* Client and server should be able to write/read normal data */
710756a9
RS		 3453 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3454 || !TEST_size_t_eq(written, strlen(MSG5))
3455 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3456 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3457 goto end;
5f982038
MC		 3458
3459 testresult = 1;
3460
3461 end:
c20e3b28 3462 SSL_SESSION_free(sess);
57dee9bb
MC		 3463 SSL_SESSION_free(clientpsk);
3464 SSL_SESSION_free(serverpsk);
3465 clientpsk = serverpsk = NULL;
5f982038
MC		 3466 SSL_free(serverssl);
3467 SSL_free(clientssl);
3468 SSL_CTX_free(sctx);
3469 SSL_CTX_free(cctx);
5f982038
MC		 3470 return testresult;
3471}
3472
5a421415
MC		 3473static int allow_ed_cb_called = 0;
3474
3475static int allow_early_data_cb(SSL *s, void *arg)
3476{
3477 int *usecb = (int *)arg;
3478
3479 allow_ed_cb_called++;
3480
3481 if (*usecb == 1)
3482 return 0;
3483
3484 return 1;
3485}
3486
3487/*
3488 * idx == 0: Standard early_data setup
3489 * idx == 1: early_data setup using read_ahead
3490 * usecb == 0: Don't use a custom early data callback
3491 * usecb == 1: Use a custom early data callback and reject the early data
3492 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3493 * confopt == 0: Configure anti-replay directly
3494 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3495 */
3bb5e5b0 3496static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3497{
3498 SSL_CTX *cctx = NULL, *sctx = NULL;
3499 SSL *clientssl = NULL, *serverssl = NULL;
3500 int testresult = 0;
3501 SSL_SESSION *sess = NULL;
5a421415
MC		 3502 size_t readbytes, written;
3503 unsigned char buf[20];
3504
3505 allow_ed_cb_called = 0;
3506
5e30f2fd
MC		 3507 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3508 TLS_client_method(), TLS1_VERSION, 0,
3509 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3510 return 0;
3511
3512 if (usecb > 0) {
3bb5e5b0
MC		 3513 if (confopt == 0) {
3514 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3515 } else {
3516 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3517
3518 if (!TEST_ptr(confctx))
3519 goto end;
3520 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3521 | SSL_CONF_FLAG_SERVER);
3522 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3523 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3524 2)) {
3525 SSL_CONF_CTX_free(confctx);
3526 goto end;
3527 }
3528 SSL_CONF_CTX_free(confctx);
3529 }
5a421415
MC		 3530 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3531 }
78fb5374
MC		 3532
3533 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3534 &serverssl, &sess, idx)))
3535 goto end;
3536
3537 /*
3538 * The server is configured to accept early data. Create a connection to
3539 * "use up" the ticket
3540 */
3541 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3542 || !TEST_true(SSL_session_reused(clientssl)))
3543 goto end;
3544
3545 SSL_shutdown(clientssl);
3546 SSL_shutdown(serverssl);
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3549 serverssl = clientssl = NULL;
3550
3551 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3552 &clientssl, NULL, NULL))
5a421415
MC		 3553 || !TEST_true(SSL_set_session(clientssl, sess)))
3554 goto end;
3555
3556 /* Write and read some early data */
3557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3558 &written))
3559 || !TEST_size_t_eq(written, strlen(MSG1)))
3560 goto end;
3561
3562 if (usecb <= 1) {
3563 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3564 &readbytes),
3565 SSL_READ_EARLY_DATA_FINISH)
3566 /*
3567 * The ticket was reused, so the we should have rejected the
3568 * early data
3569 */
3570 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3571 SSL_EARLY_DATA_REJECTED))
3572 goto end;
3573 } else {
3574 /* In this case the callback decides to accept the early data */
3575 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3576 &readbytes),
3577 SSL_READ_EARLY_DATA_SUCCESS)
3578 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3579 /*
3580 * Server will have sent its flight so client can now send
3581 * end of early data and complete its half of the handshake
3582 */
3583 || !TEST_int_gt(SSL_connect(clientssl), 0)
3584 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3585 &readbytes),
3586 SSL_READ_EARLY_DATA_FINISH)
3587 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3588 SSL_EARLY_DATA_ACCEPTED))
3589 goto end;
3590 }
3591
3592 /* Complete the connection */
3593 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3594 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3595 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3596 goto end;
3597
3598 testresult = 1;
3599
3600 end:
c20e3b28 3601 SSL_SESSION_free(sess);
78fb5374
MC		 3602 SSL_SESSION_free(clientpsk);
3603 SSL_SESSION_free(serverpsk);
3604 clientpsk = serverpsk = NULL;
3605 SSL_free(serverssl);
3606 SSL_free(clientssl);
3607 SSL_CTX_free(sctx);
3608 SSL_CTX_free(cctx);
3609 return testresult;
3610}
3611
5a421415
MC		 3612static int test_early_data_replay(int idx)
3613{
3bb5e5b0 3614 int ret = 1, usecb, confopt;
5a421415 3615
3bb5e5b0
MC		 3616 for (usecb = 0; usecb < 3; usecb++) {
3617 for (confopt = 0; confopt < 2; confopt++)
3618 ret &= test_early_data_replay_int(idx, usecb, confopt);
3619 }
5a421415
MC		 3620
3621 return ret;
3622}
3623
710756a9 3624/*
6b84e6bf
MC		 3625 * Helper function to test that a server attempting to read early data can
3626 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3627 * testtype: 0 == No HRR
3628 * testtype: 1 == HRR
0efa0ba4
MC		 3629 * testtype: 2 == HRR, invalid early_data sent after HRR
3630 * testtype: 3 == recv_max_early_data set to 0
710756a9 3631 */
0d1b7789 3632static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3633{
3634 SSL_CTX *cctx = NULL, *sctx = NULL;
3635 SSL *clientssl = NULL, *serverssl = NULL;
3636 int testresult = 0;
018fcbec 3637 SSL_SESSION *sess = NULL;
5f982038
MC		 3638 unsigned char buf[20];
3639 size_t readbytes, written;
3640
710756a9
RS		 3641 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3642 &serverssl, &sess, idx)))
5f982038
MC		 3643 goto end;
3644
0efa0ba4 3645 if (testtype == 1 || testtype == 2) {
6b84e6bf 3646 /* Force an HRR to occur */
dbc6268f
MC		 3647#if defined(OPENSSL_NO_EC)
3648 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3649 goto end;
3650#else
6b84e6bf
MC		 3651 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3652 goto end;
dbc6268f 3653#endif
02a3ed5a
MC		 3654 } else if (idx == 2) {
3655 /*
3656 * We force early_data rejection by ensuring the PSK identity is
3657 * unrecognised
3658 */
3659 srvid = "Dummy Identity";
6b84e6bf
MC		 3660 } else {
3661 /*
3662 * Deliberately corrupt the creation time. We take 20 seconds off the
3663 * time. It could be any value as long as it is not within tolerance.
3664 * This should mean the ticket is rejected.
3665 */
5d99881e 3666 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3667 goto end;
3668 }
5f982038 3669
0efa0ba4 3670 if (testtype == 3
0d1b7789
MC		 3671 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3672 goto end;
3673
5f982038 3674 /* Write some early data */
710756a9
RS		 3675 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3676 &written))
3677 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3678 goto end;
5f982038 3679
0d1b7789 3680 /* Server should reject the early data */
710756a9
RS		 3681 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3682 &readbytes),
3683 SSL_READ_EARLY_DATA_FINISH)
3684 || !TEST_size_t_eq(readbytes, 0)
3685 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3686 SSL_EARLY_DATA_REJECTED))
5f982038 3687 goto end;
5f982038 3688
0efa0ba4
MC		 3689 switch (testtype) {
3690 case 0:
3691 /* Nothing to do */
3692 break;
3693
3694 case 1:
6b84e6bf
MC		 3695 /*
3696 * Finish off the handshake. We perform the same writes and reads as
3697 * further down but we expect them to fail due to the incomplete
3698 * handshake.
3699 */
3700 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3701 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3702 &readbytes)))
3703 goto end;
0efa0ba4
MC		 3704 break;
3705
3706 case 2:
3707 {
3708 BIO *wbio = SSL_get_wbio(clientssl);
3709 /* A record that will appear as bad early_data */
3710 const unsigned char bad_early_data[] = {
3711 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3712 };
3713
3714 /*
3715 * We force the client to attempt a write. This will fail because
3716 * we're still in the handshake. It will cause the second
3717 * ClientHello to be sent.
3718 */
3719 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3720 &written)))
3721 goto end;
3722
3723 /*
3724 * Inject some early_data after the second ClientHello. This should
3725 * cause the server to fail
3726 */
3727 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3728 sizeof(bad_early_data), &written)))
3729 goto end;
3730 }
3731 /* fallthrough */
3732
3733 case 3:
0d1b7789 3734 /*
0efa0ba4
MC		 3735 * This client has sent more early_data than we are willing to skip
3736 * (case 3) or sent invalid early_data (case 2) so the connection should
3737 * abort.
0d1b7789
MC		 3738 */
3739 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3740 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3741 goto end;
3742
3743 /* Connection has failed - nothing more to do */
3744 testresult = 1;
3745 goto end;
0efa0ba4
MC		 3746
3747 default:
3748 TEST_error("Invalid test type");
3749 goto end;
6b84e6bf
MC		 3750 }
3751
0d1b7789
MC		 3752 /*
3753 * Should be able to send normal data despite rejection of early data. The
3754 * early_data should be skipped.
3755 */
710756a9
RS		 3756 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3757 || !TEST_size_t_eq(written, strlen(MSG2))
3758 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3759 SSL_EARLY_DATA_REJECTED)
3760 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3761 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3762 goto end;
5f982038
MC		 3763
3764 testresult = 1;
3765
3766 end:
c20e3b28 3767 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3768 SSL_SESSION_free(serverpsk);
3769 clientpsk = serverpsk = NULL;
5f982038
MC		 3770 SSL_SESSION_free(sess);
3771 SSL_free(serverssl);
3772 SSL_free(clientssl);
3773 SSL_CTX_free(sctx);
3774 SSL_CTX_free(cctx);
5f982038
MC		 3775 return testresult;
3776}
3777
6b84e6bf
MC		 3778/*
3779 * Test that a server attempting to read early data can handle a connection
3780 * from a client where the early data is not acceptable.
3781 */
3782static int test_early_data_skip(int idx)
3783{
3784 return early_data_skip_helper(0, idx);
3785}
3786
3787/*
3788 * Test that a server attempting to read early data can handle a connection
3789 * from a client where an HRR occurs.
3790 */
3791static int test_early_data_skip_hrr(int idx)
3792{
3793 return early_data_skip_helper(1, idx);
3794}
3795
0efa0ba4
MC		 3796/*
3797 * Test that a server attempting to read early data can handle a connection
3798 * from a client where an HRR occurs and correctly fails if early_data is sent
3799 * after the HRR
3800 */
3801static int test_early_data_skip_hrr_fail(int idx)
3802{
3803 return early_data_skip_helper(2, idx);
3804}
3805
0d1b7789
MC		 3806/*
3807 * Test that a server attempting to read early data will abort if it tries to
3808 * skip over too much.
3809 */
3810static int test_early_data_skip_abort(int idx)
3811{
0efa0ba4 3812 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3813}
3814
710756a9
RS		 3815/*
3816 * Test that a server attempting to read early data can handle a connection
3817 * from a client that doesn't send any.
3818 */
3cb47b4e 3819static int test_early_data_not_sent(int idx)
5f982038
MC		 3820{
3821 SSL_CTX *cctx = NULL, *sctx = NULL;
3822 SSL *clientssl = NULL, *serverssl = NULL;
3823 int testresult = 0;
018fcbec 3824 SSL_SESSION *sess = NULL;
5f982038
MC		 3825 unsigned char buf[20];
3826 size_t readbytes, written;
3827
710756a9
RS		 3828 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3829 &serverssl, &sess, idx)))
5f982038
MC		 3830 goto end;
3831
3832 /* Write some data - should block due to handshake with server */
3833 SSL_set_connect_state(clientssl);
710756a9 3834 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3835 goto end;
5f982038
MC		 3836
3837 /* Server should detect that early data has not been sent */
710756a9
RS		 3838 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3839 &readbytes),
3840 SSL_READ_EARLY_DATA_FINISH)
3841 || !TEST_size_t_eq(readbytes, 0)
3842 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3843 SSL_EARLY_DATA_NOT_SENT)
3844 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3845 SSL_EARLY_DATA_NOT_SENT))
5f982038 3846 goto end;
5f982038
MC		 3847
3848 /* Continue writing the message we started earlier */
710756a9
RS		 3849 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3850 || !TEST_size_t_eq(written, strlen(MSG1))
3851 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3852 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3853 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3854 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3855 goto end;
5f982038 3856
710756a9
RS		 3857 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3858 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3859 goto end;
5f982038
MC		 3860
3861 testresult = 1;
3862
3863 end:
5f982038 3864 SSL_SESSION_free(sess);
c20e3b28 3865 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3866 SSL_SESSION_free(serverpsk);
3867 clientpsk = serverpsk = NULL;
5f982038
MC		 3868 SSL_free(serverssl);
3869 SSL_free(clientssl);
3870 SSL_CTX_free(sctx);
3871 SSL_CTX_free(cctx);
5f982038
MC		 3872 return testresult;
3873}
3874
976e5323
MC		 3875static const char *servalpn;
3876
c7558d5b
PY		 3877static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3878 unsigned char *outlen, const unsigned char *in,
3879 unsigned int inlen, void *arg)
976e5323 3880{
c7558d5b 3881 unsigned int protlen = 0;
976e5323
MC		 3882 const unsigned char *prot;
3883
c7558d5b
PY		 3884 for (prot = in; prot < in + inlen; prot += protlen) {
3885 protlen = *prot++;
5d99881e 3886 if (in + inlen < prot + protlen)
976e5323
MC		 3887 return SSL_TLSEXT_ERR_NOACK;
3888
3889 if (protlen == strlen(servalpn)
0bd42fde 3890 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3891 *out = prot;
3892 *outlen = protlen;
3893 return SSL_TLSEXT_ERR_OK;
3894 }
3895 }
3896
3897 return SSL_TLSEXT_ERR_NOACK;
3898}
3899
57dee9bb 3900/* Test that a PSK can be used to send early_data */
976e5323
MC		 3901static int test_early_data_psk(int idx)
3902{
3903 SSL_CTX *cctx = NULL, *sctx = NULL;
3904 SSL *clientssl = NULL, *serverssl = NULL;
3905 int testresult = 0;
3906 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3907 unsigned char alpnlist[] = {
3908 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3909 'l', 'p', 'n'
3910 };
3911#define GOODALPNLEN 9
3912#define BADALPNLEN 8
3913#define GOODALPN (alpnlist)
3914#define BADALPN (alpnlist + GOODALPNLEN)
3915 int err = 0;
976e5323
MC		 3916 unsigned char buf[20];
3917 size_t readbytes, written;
57dee9bb 3918 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3919 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3920
3921 /* We always set this up with a final parameter of "2" for PSK */
3922 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3923 &serverssl, &sess, 2)))
3924 goto end;
3925
976e5323
MC		 3926 servalpn = "goodalpn";
3927
57dee9bb
MC		 3928 /*
3929 * Note: There is no test for inconsistent SNI with late client detection.
3930 * This is because servers do not acknowledge SNI even if they are using
3931 * it in a resumption handshake - so it is not actually possible for a
3932 * client to detect a problem.
3933 */
976e5323
MC		 3934 switch (idx) {
3935 case 0:
57dee9bb 3936 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3937 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3938 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3939 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3940 goto end;
3941 break;
3942
3943 case 1:
57dee9bb 3944 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3945 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3946 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3947 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3948 GOODALPNLEN))
3949 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3950 BADALPNLEN)))
976e5323
MC		 3951 goto end;
3952 break;
3953
3954 case 2:
3955 /*
3956 * Set invalid protocol version. Technically this affects PSKs without
3957 * early_data too, but we test it here because it is similar to the
3958 * SNI/ALPN consistency tests.
3959 */
3960 err = SSL_R_BAD_PSK;
3961 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3962 goto end;
3963 break;
3964
3965 case 3:
3966 /*
49ef3d07
MC		 3967 * Set inconsistent SNI (server side). In this case the connection
3968 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3969 * is associated with each handshake - not the session. Therefore it
3970 * should not matter that we used a different server name last time.
976e5323 3971 */
281bf233
MC		 3972 SSL_SESSION_free(serverpsk);
3973 serverpsk = SSL_SESSION_dup(clientpsk);
3974 if (!TEST_ptr(serverpsk)
3975 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3976 goto end;
976e5323
MC		 3977 /* Fall through */
3978 case 4:
3979 /* Set consistent SNI */
976e5323
MC		 3980 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3981 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3982 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3983 hostname_cb)))
3984 goto end;
3985 break;
3986
3987 case 5:
3988 /*
3989 * Set inconsistent ALPN (server detected). In this case the connection
3990 * will succeed but reject early_data.
3991 */
3992 servalpn = "badalpn";
3993 edstatus = SSL_EARLY_DATA_REJECTED;
3994 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3995 /* Fall through */
3996 case 6:
976e5323 3997 /*
57dee9bb 3998 * Set consistent ALPN.
976e5323
MC		 3999 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4000 * accepts a list of protos (each one length prefixed).
4001 * SSL_set1_alpn_selected accepts a single protocol (not length
4002 * prefixed)
4003 */
57dee9bb
MC		 4004 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4005 GOODALPNLEN - 1))
4006 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4007 GOODALPNLEN)))
976e5323
MC		 4008 goto end;
4009
4010 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4011 break;
4012
57dee9bb
MC		 4013 case 7:
4014 /* Set inconsistent ALPN (late client detection) */
4015 SSL_SESSION_free(serverpsk);
4016 serverpsk = SSL_SESSION_dup(clientpsk);
4017 if (!TEST_ptr(serverpsk)
4018 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4019 BADALPN + 1,
4020 BADALPNLEN - 1))
4021 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4022 GOODALPN + 1,
4023 GOODALPNLEN - 1))
4024 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4025 sizeof(alpnlist))))
4026 goto end;
4027 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4028 edstatus = SSL_EARLY_DATA_ACCEPTED;
4029 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4030 /* SSL_connect() call should fail */
4031 connectres = -1;
4032 break;
4033
976e5323
MC		 4034 default:
4035 TEST_error("Bad test index");
4036 goto end;
4037 }
4038
4039 SSL_set_connect_state(clientssl);
4040 if (err != 0) {
4041 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4042 &written))
4043 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4044 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4045 goto end;
4046 } else {
4047 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4048 &written)))
4049 goto end;
4050
4051 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4052 &readbytes), readearlyres)
976e5323
MC		 4053 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4054 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4055 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4056 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4057 goto end;
4058 }
4059
4060 testresult = 1;
4061
4062 end:
c20e3b28 4063 SSL_SESSION_free(sess);
57dee9bb
MC		 4064 SSL_SESSION_free(clientpsk);
4065 SSL_SESSION_free(serverpsk);
4066 clientpsk = serverpsk = NULL;
976e5323
MC		 4067 SSL_free(serverssl);
4068 SSL_free(clientssl);
4069 SSL_CTX_free(sctx);
4070 SSL_CTX_free(cctx);
4071 return testresult;
4072}
4073
0b2b0be9 4074/*
4075 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4076 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4077 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4078 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4079 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4080 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4081 */
4082static int test_early_data_psk_with_all_ciphers(int idx)
4083{
4084 SSL_CTX *cctx = NULL, *sctx = NULL;
4085 SSL *clientssl = NULL, *serverssl = NULL;
4086 int testresult = 0;
4087 SSL_SESSION *sess = NULL;
4088 unsigned char buf[20];
4089 size_t readbytes, written;
4090 const SSL_CIPHER *cipher;
4091 const char *cipher_str[] = {
4092 TLS1_3_RFC_AES_128_GCM_SHA256,
4093 TLS1_3_RFC_AES_256_GCM_SHA384,
4094# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4095 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4096# else
4097 NULL,
4098# endif
4099 TLS1_3_RFC_AES_128_CCM_SHA256,
4100 TLS1_3_RFC_AES_128_CCM_8_SHA256
4101 };
4102 const unsigned char *cipher_bytes[] = {
4103 TLS13_AES_128_GCM_SHA256_BYTES,
4104 TLS13_AES_256_GCM_SHA384_BYTES,
4105# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4106 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4107# else
4108 NULL,
4109# endif
4110 TLS13_AES_128_CCM_SHA256_BYTES,
4111 TLS13_AES_128_CCM_8_SHA256_BYTES
4112 };
4113
4114 if (cipher_str[idx] == NULL)
4115 return 1;
4116 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4117 if (idx == 2 && is_fips == 1)
4118 return 1;
4119
4120 /* We always set this up with a final parameter of "2" for PSK */
4121 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4122 &serverssl, &sess, 2)))
4123 goto end;
4124
e0710222
P		 4125 if (idx == 4) {
4126 /* CCM8 ciphers are considered low security due to their short tag */
4127 SSL_set_security_level(clientssl, 0);
4128 SSL_set_security_level(serverssl, 0);
4129 }
4130
0b2b0be9 4131 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4132 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4133 goto end;
4134
4135 /*
4136 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4137 * and assigns to both client and server with incremented reference
4138 * and the same instance is updated in 'sess'.
4139 * So updating ciphersuite in 'sess' which will get reflected in
4140 * PSK handshake using psk use sess and find sess cb.
4141 */
4142 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4143 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4144 goto end;
4145
4146 SSL_set_connect_state(clientssl);
4147 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4148 &written)))
4149 goto end;
4150
4151 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4152 &readbytes),
4153 SSL_READ_EARLY_DATA_SUCCESS)
4154 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4155 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4156 SSL_EARLY_DATA_ACCEPTED)
4157 || !TEST_int_eq(SSL_connect(clientssl), 1)
4158 || !TEST_int_eq(SSL_accept(serverssl), 1))
4159 goto end;
4160
4161 /* Send some normal data from client to server */
4162 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4163 || !TEST_size_t_eq(written, strlen(MSG2)))
4164 goto end;
4165
4166 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4167 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4168 goto end;
4169
4170 testresult = 1;
4171 end:
4172 SSL_SESSION_free(sess);
4173 SSL_SESSION_free(clientpsk);
4174 SSL_SESSION_free(serverpsk);
4175 clientpsk = serverpsk = NULL;
4176 if (clientssl != NULL)
4177 SSL_shutdown(clientssl);
4178 if (serverssl != NULL)
4179 SSL_shutdown(serverssl);
4180 SSL_free(serverssl);
4181 SSL_free(clientssl);
4182 SSL_CTX_free(sctx);
4183 SSL_CTX_free(cctx);
4184 return testresult;
4185}
4186
710756a9
RS		 4187/*
4188 * Test that a server that doesn't try to read early data can handle a
4189 * client sending some.
4190 */
3cb47b4e 4191static int test_early_data_not_expected(int idx)
5f982038
MC		 4192{
4193 SSL_CTX *cctx = NULL, *sctx = NULL;
4194 SSL *clientssl = NULL, *serverssl = NULL;
4195 int testresult = 0;
018fcbec 4196 SSL_SESSION *sess = NULL;
5f982038
MC		 4197 unsigned char buf[20];
4198 size_t readbytes, written;
4199
710756a9
RS		 4200 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4201 &serverssl, &sess, idx)))
5f982038
MC		 4202 goto end;
4203
4204 /* Write some early data */
710756a9
RS		 4205 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4206 &written)))
5f982038 4207 goto end;
5f982038
MC		 4208
4209 /*
4210 * Server should skip over early data and then block waiting for client to
4211 * continue handshake
4212 */
710756a9
RS		 4213 if (!TEST_int_le(SSL_accept(serverssl), 0)
4214 || !TEST_int_gt(SSL_connect(clientssl), 0)
4215 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4216 SSL_EARLY_DATA_REJECTED)
4217 || !TEST_int_gt(SSL_accept(serverssl), 0)
4218 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4219 SSL_EARLY_DATA_REJECTED))
5f982038 4220 goto end;
5f982038
MC		 4221
4222 /* Send some normal data from client to server */
710756a9
RS		 4223 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4224 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4225 goto end;
5f982038 4226
710756a9
RS		 4227 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4228 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4229 goto end;
5f982038
MC		 4230
4231 testresult = 1;
4232
4233 end:
5f982038 4234 SSL_SESSION_free(sess);
c20e3b28 4235 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4236 SSL_SESSION_free(serverpsk);
4237 clientpsk = serverpsk = NULL;
5f982038
MC		 4238 SSL_free(serverssl);
4239 SSL_free(clientssl);
4240 SSL_CTX_free(sctx);
4241 SSL_CTX_free(cctx);
5f982038
MC		 4242 return testresult;
4243}
4244
4245
4246# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4247/*
4248 * Test that a server attempting to read early data can handle a connection
4249 * from a TLSv1.2 client.
4250 */
3cb47b4e 4251static int test_early_data_tls1_2(int idx)
5f982038
MC		 4252{
4253 SSL_CTX *cctx = NULL, *sctx = NULL;
4254 SSL *clientssl = NULL, *serverssl = NULL;
4255 int testresult = 0;
4256 unsigned char buf[20];
4257 size_t readbytes, written;
4258
02a3ed5a
MC		 4259 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4260 &serverssl, NULL, idx)))
5f982038 4261 goto end;
5f982038
MC		 4262
4263 /* Write some data - should block due to handshake with server */
4264 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4265 SSL_set_connect_state(clientssl);
710756a9 4266 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4267 goto end;
5f982038
MC		 4268
4269 /*
4270 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4271 * messages from client after ServerDone. Then SSL_read_early_data should
4272 * finish and detect that early data has not been sent
5f982038 4273 */
710756a9
RS		 4274 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4275 &readbytes),
4276 SSL_READ_EARLY_DATA_ERROR))
5f982038 4277 goto end;
5f982038
MC		 4278
4279 /*
4280 * Continue writing the message we started earlier. Will still block waiting
4281 * for the CCS/Finished from server
4282 */
710756a9
RS		 4283 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4284 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4285 &readbytes),
4286 SSL_READ_EARLY_DATA_FINISH)
4287 || !TEST_size_t_eq(readbytes, 0)
4288 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4289 SSL_EARLY_DATA_NOT_SENT))
5f982038 4290 goto end;
5f982038
MC		 4291
4292 /* Continue writing the message we started earlier */
710756a9
RS		 4293 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4294 || !TEST_size_t_eq(written, strlen(MSG1))
4295 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4296 SSL_EARLY_DATA_NOT_SENT)
4297 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4298 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4299 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4300 || !TEST_size_t_eq(written, strlen(MSG2))
4301 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4302 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4303 goto end;
5f982038
MC		 4304
4305 testresult = 1;
4306
4307 end:
57dee9bb
MC		 4308 SSL_SESSION_free(clientpsk);
4309 SSL_SESSION_free(serverpsk);
4310 clientpsk = serverpsk = NULL;
5f982038
MC		 4311 SSL_free(serverssl);
4312 SSL_free(clientssl);
4313 SSL_CTX_free(sctx);
4314 SSL_CTX_free(cctx);
4315
4316 return testresult;
4317}
ca0413ae
MC		 4318# endif /* OPENSSL_NO_TLS1_2 */
4319
034cb87b
MC		 4320/*
4321 * Test configuring the TLSv1.3 ciphersuites
4322 *
4323 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4324 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4325 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4326 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4327 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4328 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4329 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4330 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4331 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4332 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4333 */
4334static int test_set_ciphersuite(int idx)
4335{
4336 SSL_CTX *cctx = NULL, *sctx = NULL;
4337 SSL *clientssl = NULL, *serverssl = NULL;
4338 int testresult = 0;
4339
5e30f2fd
MC		 4340 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4341 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4342 &sctx, &cctx, cert, privkey))
4343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4344 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4345 goto end;
4346
4347 if (idx >=4 && idx <= 7) {
4348 /* SSL_CTX explicit cipher list */
4349 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4350 goto end;
4351 }
4352
4353 if (idx == 0 || idx == 4) {
4354 /* Default ciphersuite */
4355 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4356 "TLS_AES_128_GCM_SHA256")))
4357 goto end;
4358 } else if (idx == 1 || idx == 5) {
4359 /* Non default ciphersuite */
4360 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4361 "TLS_AES_128_CCM_SHA256")))
4362 goto end;
4363 }
4364
4365 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4366 &clientssl, NULL, NULL)))
4367 goto end;
4368
4369 if (idx == 8 || idx == 9) {
4370 /* SSL explicit cipher list */
4371 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4372 goto end;
4373 }
4374
4375 if (idx == 2 || idx == 6 || idx == 8) {
4376 /* Default ciphersuite */
4377 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4378 "TLS_AES_128_GCM_SHA256")))
4379 goto end;
4380 } else if (idx == 3 || idx == 7 || idx == 9) {
4381 /* Non default ciphersuite */
4382 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4383 "TLS_AES_128_CCM_SHA256")))
4384 goto end;
4385 }
4386
4387 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4388 goto end;
4389
4390 testresult = 1;
4391
4392 end:
4393 SSL_free(serverssl);
4394 SSL_free(clientssl);
4395 SSL_CTX_free(sctx);
4396 SSL_CTX_free(cctx);
4397
4398 return testresult;
4399}
4400
ca0413ae
MC		 4401static int test_ciphersuite_change(void)
4402{
4403 SSL_CTX *cctx = NULL, *sctx = NULL;
4404 SSL *clientssl = NULL, *serverssl = NULL;
4405 SSL_SESSION *clntsess = NULL;
4406 int testresult = 0;
4407 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4408
4409 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4410 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4411 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4412 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4413 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4414 "TLS_AES_128_GCM_SHA256:"
4415 "TLS_AES_256_GCM_SHA384:"
4416 "TLS_AES_128_CCM_SHA256"))
f865b081 4417 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4418 "TLS_AES_128_GCM_SHA256")))
4419 goto end;
4420
4421 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4422 NULL, NULL))
ca0413ae
MC		 4423 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4424 SSL_ERROR_NONE)))
4425 goto end;
4426
4427 clntsess = SSL_get1_session(clientssl);
4428 /* Save for later */
4429 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4430 SSL_shutdown(clientssl);
4431 SSL_shutdown(serverssl);
4432 SSL_free(serverssl);
4433 SSL_free(clientssl);
4434 serverssl = clientssl = NULL;
4435
4436 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4437 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4438 "TLS_AES_128_CCM_SHA256"))
4439 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4440 &clientssl, NULL, NULL))
ca0413ae
MC		 4441 || !TEST_true(SSL_set_session(clientssl, clntsess))
4442 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4443 SSL_ERROR_NONE))
4444 || !TEST_true(SSL_session_reused(clientssl)))
4445 goto end;
4446
4447 SSL_SESSION_free(clntsess);
4448 clntsess = SSL_get1_session(clientssl);
4449 SSL_shutdown(clientssl);
4450 SSL_shutdown(serverssl);
4451 SSL_free(serverssl);
4452 SSL_free(clientssl);
4453 serverssl = clientssl = NULL;
4454
4455 /*
4456 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4457 * succeeds but does not resume.
ca0413ae 4458 */
f865b081 4459 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4460 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4461 NULL, NULL))
4462 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4463 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4464 SSL_ERROR_SSL))
0de6d66d 4465 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4466 goto end;
4467
4468 SSL_SESSION_free(clntsess);
4469 clntsess = NULL;
4470 SSL_shutdown(clientssl);
4471 SSL_shutdown(serverssl);
4472 SSL_free(serverssl);
4473 SSL_free(clientssl);
4474 serverssl = clientssl = NULL;
4475
4476 /* Create a session based on SHA384 */
f865b081 4477 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4478 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4479 &clientssl, NULL, NULL))
4480 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4481 SSL_ERROR_NONE)))
4482 goto end;
4483
4484 clntsess = SSL_get1_session(clientssl);
4485 SSL_shutdown(clientssl);
4486 SSL_shutdown(serverssl);
4487 SSL_free(serverssl);
4488 SSL_free(clientssl);
4489 serverssl = clientssl = NULL;
4490
f865b081
MC		 4491 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4492 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4493 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4494 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4495 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4496 NULL, NULL))
4497 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4498 /*
4499 * We use SSL_ERROR_WANT_READ below so that we can pause the
4500 * connection after the initial ClientHello has been sent to
4501 * enable us to make some session changes.
4502 */
ca0413ae
MC		 4503 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4504 SSL_ERROR_WANT_READ)))
4505 goto end;
4506
4507 /* Trick the client into thinking this session is for a different digest */
4508 clntsess->cipher = aes_128_gcm_sha256;
4509 clntsess->cipher_id = clntsess->cipher->id;
4510
4511 /*
3b0e88d3
MC		 4512 * Continue the previously started connection. Server has selected a SHA-384
4513 * ciphersuite, but client thinks the session is for SHA-256, so it should
4514 * bail out.
ca0413ae
MC		 4515 */
4516 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4517 SSL_ERROR_SSL))
4518 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4519 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4520 goto end;
4521
4522 testresult = 1;
4523
4524 end:
4525 SSL_SESSION_free(clntsess);
4526 SSL_free(serverssl);
4527 SSL_free(clientssl);
4528 SSL_CTX_free(sctx);
4529 SSL_CTX_free(cctx);
4530
4531 return testresult;
4532}
4533
8e63900a 4534/*
5bf2eade 4535 * Test TLSv1.3 Key exchange
4536 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4537 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4538 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4539 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4540 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4541 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4542 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4543 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4544 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4545 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4546 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4547 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4548 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4549 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4550 */
f89d3d69
BK		 4551# ifndef OPENSSL_NO_EC
4552static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4553 NID_secp521r1, NID_X25519, NID_X448};
4554# endif
4555# ifndef OPENSSL_NO_DH
4556static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4557 NID_ffdhe6144, NID_ffdhe8192};
4558# endif
db26ec80 4559static int test_key_exchange(int idx)
8e63900a 4560{
4561 SSL_CTX *sctx = NULL, *cctx = NULL;
4562 SSL *serverssl = NULL, *clientssl = NULL;
4563 int testresult = 0;
fb8c6db4 4564 int kexch_alg;
4565 int *kexch_groups = &kexch_alg;
4566 int kexch_groups_size = 1;
8e63900a 4567 int max_version = TLS1_3_VERSION;
becbacd7 4568 char *kexch_name0 = NULL;
8e63900a 4569
4570 switch (idx) {
5bf2eade 4571# ifndef OPENSSL_NO_EC
db26ec80 4572# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4573 case 12:
fb8c6db4 4574 max_version = TLS1_2_VERSION;
db26ec80 4575# endif
fb8c6db4 4576 /* Fall through */
4577 case 0:
4578 kexch_groups = ecdhe_kexch_groups;
4579 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4580 kexch_name0 = "secp256r1";
fb8c6db4 4581 break;
5bf2eade 4582 case 1:
fb8c6db4 4583 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4584 kexch_name0 = "secp256r1";
fb8c6db4 4585 break;
5bf2eade 4586 case 2:
fb8c6db4 4587 kexch_alg = NID_secp384r1;
becbacd7 4588 kexch_name0 = "secp384r1";
fb8c6db4 4589 break;
5bf2eade 4590 case 3:
fb8c6db4 4591 kexch_alg = NID_secp521r1;
becbacd7 4592 kexch_name0 = "secp521r1";
fb8c6db4 4593 break;
5bf2eade 4594 case 4:
fb8c6db4 4595 kexch_alg = NID_X25519;
becbacd7 4596 kexch_name0 = "x25519";
fb8c6db4 4597 break;
5bf2eade 4598 case 5:
fb8c6db4 4599 kexch_alg = NID_X448;
becbacd7 4600 kexch_name0 = "x448";
fb8c6db4 4601 break;
5bf2eade 4602# endif
4603# ifndef OPENSSL_NO_DH
db26ec80 4604# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4605 case 13:
dbc6268f 4606 max_version = TLS1_2_VERSION;
becbacd7 4607 kexch_name0 = "ffdhe2048";
db26ec80 4608# endif
dbc6268f 4609 /* Fall through */
5bf2eade 4610 case 6:
8e63900a 4611 kexch_groups = ffdhe_kexch_groups;
4612 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4613 kexch_name0 = "ffdhe2048";
8e63900a 4614 break;
5bf2eade 4615 case 7:
fb8c6db4 4616 kexch_alg = NID_ffdhe2048;
becbacd7 4617 kexch_name0 = "ffdhe2048";
fb8c6db4 4618 break;
5bf2eade 4619 case 8:
fb8c6db4 4620 kexch_alg = NID_ffdhe3072;
becbacd7 4621 kexch_name0 = "ffdhe3072";
fb8c6db4 4622 break;
5bf2eade 4623 case 9:
fb8c6db4 4624 kexch_alg = NID_ffdhe4096;
becbacd7 4625 kexch_name0 = "ffdhe4096";
fb8c6db4 4626 break;
5bf2eade 4627 case 10:
fb8c6db4 4628 kexch_alg = NID_ffdhe6144;
becbacd7 4629 kexch_name0 = "ffdhe6144";
fb8c6db4 4630 break;
5bf2eade 4631 case 11:
fb8c6db4 4632 kexch_alg = NID_ffdhe8192;
becbacd7 4633 kexch_name0 = "ffdhe8192";
8e63900a 4634 break;
5bf2eade 4635# endif
6597d62b
MC		 4636 default:
4637 /* We're skipping this test */
4638 return 1;
8e63900a 4639 }
4640
5e30f2fd
MC		 4641 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4642 TLS_client_method(), TLS1_VERSION,
4643 max_version, &sctx, &cctx, cert,
4644 privkey)))
8e63900a 4645 goto end;
4646
5bf2eade 4647 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4648 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4649 goto end;
4650
5bf2eade 4651 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4652 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4653 goto end;
4654
5bf2eade 4655 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4656 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4657 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4658 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4659 goto end;
4660
dbc6268f
MC		 4661 /*
4662 * Must include an EC ciphersuite so that we send supported groups in
4663 * TLSv1.2
4664 */
5bf2eade 4665# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4666 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4667 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4668 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4669 goto end;
5bf2eade 4670# endif
8e63900a 4671
4672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4673 NULL, NULL)))
4674 goto end;
4675
4676 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4677 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4678 goto end;
4679
5bf2eade 4680 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4681 goto end;
8e63900a 4682
dbc6268f 4683 /*
5bf2eade 4684 * If Handshake succeeds the negotiated kexch alg should be the first one in
4685 * configured, except in the case of FFDHE groups (idx 13), which are
4686 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4687 */
4688 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4689 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4690 goto end;
becbacd7
MB		 4691
4692 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4693 kexch_name0))
4694 goto end;
4695
75d48520
BK		 4696 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4697 if (idx != 13) {
fb8c6db4 4698 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4699 goto end;
4700 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4701 goto end;
4702 }
8e63900a 4703
4704 testresult = 1;
4705 end:
4706 SSL_free(serverssl);
4707 SSL_free(clientssl);
4708 SSL_CTX_free(sctx);
4709 SSL_CTX_free(cctx);
4710 return testresult;
4711}
4712
c9cddf05
P		 4713# if !defined(OPENSSL_NO_TLS1_2) \
4714 && !defined(OPENSSL_NO_EC) \
4715 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4716static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4717 int isecdhe, int idx)
4718{
4719 int kexch_alg;
4720 int *kexch_groups = &kexch_alg;
4721 int numec, numff;
4722
4723 numec = OSSL_NELEM(ecdhe_kexch_groups);
4724 numff = OSSL_NELEM(ffdhe_kexch_groups);
4725 if (isecdhe)
4726 kexch_alg = ecdhe_kexch_groups[idx];
4727 else
4728 kexch_alg = ffdhe_kexch_groups[idx];
4729
4730 if (clientmulti) {
4731 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4732 return 0;
4733 if (isecdhe) {
4734 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4735 numec)))
4736 return 0;
4737 } else {
4738 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4739 numff)))
4740 return 0;
4741 }
4742 } else {
4743 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4744 return 0;
4745 if (isecdhe) {
4746 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4747 numec)))
4748 return 0;
4749 } else {
4750 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4751 numff)))
4752 return 0;
4753 }
4754 }
4755 return 1;
4756}
4757
4758/*-
4759 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4760 * Run through both the ECDHE and FFDHE group lists used in the previous
4761 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4762 * confirming the expected result; then perform a resumption handshake
4763 * while offering the same group list, and another resumption handshake
4764 * offering a different group list. The returned value should be the
4765 * negotiated group for the initial handshake; for TLS 1.3 resumption
4766 * handshakes the returned value will be negotiated on the resumption
4767 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4768 * be cached in the session from the original handshake, regardless of what
4769 * was offered in the resumption ClientHello.
4770 *
4771 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 4772 * E tests of ECDHE with TLS 1.3, server only has one group
4773 * F tests of FFDHE with TLS 1.3, server only has one group
4774 * E tests of ECDHE with TLS 1.2, server only has one group
4775 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 4776 * E tests of ECDHE with TLS 1.3, client sends only one group
4777 * F tests of FFDHE with TLS 1.3, client sends only one group
4778 * E tests of ECDHE with TLS 1.2, client sends only one group
4779 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 4780 */
4781static int test_negotiated_group(int idx)
4782{
4783 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4784 int expectednid;
4785 SSL_CTX *sctx = NULL, *cctx = NULL;
4786 SSL *serverssl = NULL, *clientssl = NULL;
4787 SSL_SESSION *origsess = NULL;
4788 int testresult = 0;
4789 int kexch_alg;
4790 int max_version = TLS1_3_VERSION;
4791
4792 numec = OSSL_NELEM(ecdhe_kexch_groups);
4793 numff = OSSL_NELEM(ffdhe_kexch_groups);
4794 numgroups = numec + numff;
4795 clientmulti = (idx < 2 * numgroups);
4796 idx = idx % (2 * numgroups);
4797 istls13 = (idx < numgroups);
4798 idx = idx % numgroups;
4799 isecdhe = (idx < numec);
4800 if (!isecdhe)
4801 idx -= numec;
4802 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4803 if (isecdhe)
4804 kexch_alg = ecdhe_kexch_groups[idx];
4805 else
4806 kexch_alg = ffdhe_kexch_groups[idx];
4807 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4808 if (!istls13 && !isecdhe)
4809 expectednid = NID_undef;
4810 else
4811 expectednid = kexch_alg;
4812
4813 if (!istls13)
4814 max_version = TLS1_2_VERSION;
4815
4816 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4817 TLS_client_method(), TLS1_VERSION,
4818 max_version, &sctx, &cctx, cert,
4819 privkey)))
4820 goto end;
4821
4822 /*
4823 * Force (EC)DHE ciphers for TLS 1.2.
4824 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4825 */
4826 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4827 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4828 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4829 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4830 goto end;
4831 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4832 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4833 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4834 goto end;
4835
4836 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4837 NULL, NULL)))
4838 goto end;
4839
4840 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4841 idx)))
4842 goto end;
4843
4844 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4845 goto end;
4846
4847 /* Initial handshake; always the configured one */
4848 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4849 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4850 goto end;
4851
4852 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4853 goto end;
4854
4855 SSL_shutdown(clientssl);
4856 SSL_shutdown(serverssl);
4857 SSL_free(serverssl);
4858 SSL_free(clientssl);
4859 serverssl = clientssl = NULL;
4860
4861 /* First resumption attempt; use the same config as initial handshake */
4862 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4863 NULL, NULL))
4864 || !TEST_true(SSL_set_session(clientssl, origsess))
4865 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4866 isecdhe, idx)))
4867 goto end;
4868
4869 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4870 || !TEST_true(SSL_session_reused(clientssl)))
4871 goto end;
4872
4873 /* Still had better agree, since nothing changed... */
4874 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4875 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4876 goto end;
4877
4878 SSL_shutdown(clientssl);
4879 SSL_shutdown(serverssl);
4880 SSL_free(serverssl);
4881 SSL_free(clientssl);
4882 serverssl = clientssl = NULL;
4883
4884 /*-
4885 * Second resumption attempt
4886 * The party that picks one group changes it, which we effectuate by
4887 * changing 'idx' and updating what we expect.
4888 */
4889 if (idx == 0)
4890 idx = 1;
4891 else
4892 idx--;
4893 if (istls13) {
4894 if (isecdhe)
4895 expectednid = ecdhe_kexch_groups[idx];
4896 else
4897 expectednid = ffdhe_kexch_groups[idx];
4898 /* Verify that we are changing what we expect. */
4899 if (!TEST_int_ne(expectednid, kexch_alg))
4900 goto end;
4901 } else {
4902 /* TLS 1.2 only supports named groups for ECDHE. */
4903 if (isecdhe)
4904 expectednid = kexch_alg;
4905 else
4906 expectednid = 0;
4907 }
4908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4909 NULL, NULL))
4910 || !TEST_true(SSL_set_session(clientssl, origsess))
4911 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4912 isecdhe, idx)))
4913 goto end;
4914
4915 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4916 || !TEST_true(SSL_session_reused(clientssl)))
4917 goto end;
4918
4919 /* Check that we get what we expected */
4920 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4921 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4922 goto end;
4923
4924 testresult = 1;
4925 end:
4926 SSL_free(serverssl);
4927 SSL_free(clientssl);
4928 SSL_CTX_free(sctx);
4929 SSL_CTX_free(cctx);
4930 SSL_SESSION_free(origsess);
4931 return testresult;
4932}
4933# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4934
5bf2eade 4935/*
4936 * Test TLSv1.3 Cipher Suite
4937 * Test 0 = Set TLS1.3 cipher on context
4938 * Test 1 = Set TLS1.3 cipher on SSL
4939 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4940 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4941 */
4942static int test_tls13_ciphersuite(int idx)
4943{
4944 SSL_CTX *sctx = NULL, *cctx = NULL;
4945 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4946 static const struct {
4947 const char *ciphername;
4948 int fipscapable;
e0710222 4949 int low_security;
4f6c7044 4950 } t13_ciphers[] = {
e0710222
P		 4951 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
4952 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
4953 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 4954# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 4955 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 4956 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 4957 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 4958# endif
e0710222
P		 4959 /* CCM8 ciphers are considered low security due to their short tag */
4960 { TLS1_3_RFC_AES_128_CCM_8_SHA256
4961 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 4962 };
4963 const char *t13_cipher = NULL;
4964 const char *t12_cipher = NULL;
4965 const char *negotiated_scipher;
4966 const char *negotiated_ccipher;
4967 int set_at_ctx = 0;
4968 int set_at_ssl = 0;
4969 int testresult = 0;
4970 int max_ver;
4971 size_t i;
4972
4973 switch (idx) {
4974 case 0:
4975 set_at_ctx = 1;
4976 break;
4977 case 1:
4978 set_at_ssl = 1;
4979 break;
4980 case 2:
4981 set_at_ctx = 1;
2d900758 4982 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4983 break;
4984 case 3:
4985 set_at_ssl = 1;
2d900758 4986 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4987 break;
4988 }
4989
4990 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4991# ifdef OPENSSL_NO_TLS1_2
4992 if (max_ver == TLS1_2_VERSION)
4993 continue;
4994# endif
4995 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4996 if (is_fips && !t13_ciphers[i].fipscapable)
4997 continue;
4998 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4999 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5000 TLS_client_method(),
5001 TLS1_VERSION, max_ver,
5002 &sctx, &cctx, cert, privkey)))
5003 goto end;
5004
e0710222
P		 5005 if (t13_ciphers[i].low_security) {
5006 SSL_CTX_set_security_level(sctx, 0);
5007 SSL_CTX_set_security_level(cctx, 0);
5008 }
5009
5bf2eade 5010 if (set_at_ctx) {
5011 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5012 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5013 goto end;
5014 if (t12_cipher != NULL) {
5015 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5016 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5017 t12_cipher)))
5018 goto end;
5019 }
5020 }
5021
5022 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5023 &clientssl, NULL, NULL)))
5024 goto end;
5025
5026 if (set_at_ssl) {
5027 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5028 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5029 goto end;
5030 if (t12_cipher != NULL) {
5031 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5032 || !TEST_true(SSL_set_cipher_list(clientssl,
5033 t12_cipher)))
5034 goto end;
5035 }
5036 }
5037
5038 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5039 SSL_ERROR_NONE)))
5040 goto end;
5041
5042 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5043 serverssl));
5044 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5045 clientssl));
5046 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5047 goto end;
5048
5049 /*
5050 * TEST_strn_eq is used below because t13_cipher can contain
5051 * multiple ciphersuites
5052 */
5053 if (max_ver == TLS1_3_VERSION
5054 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5055 strlen(negotiated_scipher)))
5056 goto end;
5057
5058# ifndef OPENSSL_NO_TLS1_2
5059 /* Below validation is not done when t12_cipher is NULL */
5060 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5061 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5062 goto end;
5063# endif
5064
5065 SSL_free(serverssl);
5066 serverssl = NULL;
5067 SSL_free(clientssl);
5068 clientssl = NULL;
5069 SSL_CTX_free(sctx);
5070 sctx = NULL;
5071 SSL_CTX_free(cctx);
5072 cctx = NULL;
5073 }
5074 }
5075
5076 testresult = 1;
5077 end:
5078 SSL_free(serverssl);
5079 SSL_free(clientssl);
5080 SSL_CTX_free(sctx);
5081 SSL_CTX_free(cctx);
5082 return testresult;
5083}
5084
0d8da779
MC		 5085/*
5086 * Test TLSv1.3 PSKs
5087 * Test 0 = Test new style callbacks
5088 * Test 1 = Test both new and old style callbacks
5089 * Test 2 = Test old style callbacks
5090 * Test 3 = Test old style callbacks with no certificate
5091 */
532f9578 5092static int test_tls13_psk(int idx)
ca8c71ba
MC		 5093{
5094 SSL_CTX *sctx = NULL, *cctx = NULL;
5095 SSL *serverssl = NULL, *clientssl = NULL;
5096 const SSL_CIPHER *cipher = NULL;
5097 const unsigned char key[] = {
5098 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5099 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5100 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5101 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5102 };
5103 int testresult = 0;
5104
5e30f2fd
MC		 5105 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5106 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5107 &sctx, &cctx, idx == 3 ? NULL : cert,
5108 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5109 goto end;
5110
0d8da779
MC		 5111 if (idx != 3) {
5112 /*
5113 * We use a ciphersuite with SHA256 to ease testing old style PSK
5114 * callbacks which will always default to SHA256. This should not be
5115 * necessary if we have no cert/priv key. In that case the server should
5116 * prefer SHA256 automatically.
5117 */
5118 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5119 "TLS_AES_128_GCM_SHA256")))
5120 goto end;
4f6c7044
MC		 5121 } else {
5122 /*
5123 * As noted above the server should prefer SHA256 automatically. However
5124 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5125 * code works even if we are testing with only the FIPS provider loaded.
5126 */
5127 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5128 "TLS_AES_256_GCM_SHA384:"
5129 "TLS_AES_128_GCM_SHA256")))
5130 goto end;
0d8da779 5131 }
532f9578
MC		 5132
5133 /*
5134 * Test 0: New style callbacks only
5135 * Test 1: New and old style callbacks (only the new ones should be used)
5136 * Test 2: Old style callbacks only
5137 */
5138 if (idx == 0 || idx == 1) {
5139 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5140 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5141 }
c2b290c3 5142#ifndef OPENSSL_NO_PSK
0d8da779 5143 if (idx >= 1) {
532f9578
MC		 5144 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5145 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5146 }
c2b290c3 5147#endif
ca8c71ba 5148 srvid = pskid;
02a3ed5a
MC		 5149 use_session_cb_cnt = 0;
5150 find_session_cb_cnt = 0;
532f9578
MC		 5151 psk_client_cb_cnt = 0;
5152 psk_server_cb_cnt = 0;
ca8c71ba 5153
0d8da779
MC		 5154 if (idx != 3) {
5155 /*
5156 * Check we can create a connection if callback decides not to send a
5157 * PSK
5158 */
5159 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5160 NULL, NULL))
5161 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5162 SSL_ERROR_NONE))
5163 || !TEST_false(SSL_session_reused(clientssl))
5164 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5165 goto end;
532f9578 5166
0d8da779
MC		 5167 if (idx == 0 || idx == 1) {
5168 if (!TEST_true(use_session_cb_cnt == 1)
5169 || !TEST_true(find_session_cb_cnt == 0)
5170 /*
5171 * If no old style callback then below should be 0
5172 * otherwise 1
5173 */
5174 || !TEST_true(psk_client_cb_cnt == idx)
5175 || !TEST_true(psk_server_cb_cnt == 0))
5176 goto end;
5177 } else {
5178 if (!TEST_true(use_session_cb_cnt == 0)
5179 || !TEST_true(find_session_cb_cnt == 0)
5180 || !TEST_true(psk_client_cb_cnt == 1)
5181 || !TEST_true(psk_server_cb_cnt == 0))
5182 goto end;
5183 }
5184
5185 shutdown_ssl_connection(serverssl, clientssl);
5186 serverssl = clientssl = NULL;
5187 use_session_cb_cnt = psk_client_cb_cnt = 0;
5188 }
ca8c71ba
MC		 5189
5190 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5191 NULL, NULL)))
5192 goto end;
5193
5194 /* Create the PSK */
532f9578 5195 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5196 clientpsk = SSL_SESSION_new();
5197 if (!TEST_ptr(clientpsk)
ca8c71ba 5198 || !TEST_ptr(cipher)
57dee9bb
MC		 5199 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5200 sizeof(key)))
5201 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5202 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5203 TLS1_3_VERSION))
5204 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5205 goto end;
57dee9bb 5206 serverpsk = clientpsk;
ca8c71ba
MC		 5207
5208 /* Check we can create a connection and the PSK is used */
5209 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5210 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5211 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5212 goto end;
5213
532f9578
MC		 5214 if (idx == 0 || idx == 1) {
5215 if (!TEST_true(use_session_cb_cnt == 1)
5216 || !TEST_true(find_session_cb_cnt == 1)
5217 || !TEST_true(psk_client_cb_cnt == 0)
5218 || !TEST_true(psk_server_cb_cnt == 0))
5219 goto end;
5220 } else {
5221 if (!TEST_true(use_session_cb_cnt == 0)
5222 || !TEST_true(find_session_cb_cnt == 0)
5223 || !TEST_true(psk_client_cb_cnt == 1)
5224 || !TEST_true(psk_server_cb_cnt == 1))
5225 goto end;
5226 }
5227
ca8c71ba
MC		 5228 shutdown_ssl_connection(serverssl, clientssl);
5229 serverssl = clientssl = NULL;
5230 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5231 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5232
5233 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5234 NULL, NULL)))
5235 goto end;
5236
5237 /* Force an HRR */
dbc6268f
MC		 5238#if defined(OPENSSL_NO_EC)
5239 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5240 goto end;
5241#else
ca8c71ba
MC		 5242 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5243 goto end;
dbc6268f 5244#endif
ca8c71ba
MC		 5245
5246 /*
5247 * Check we can create a connection, the PSK is used and the callbacks are
5248 * called twice.
5249 */
5250 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5251 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5252 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5253 goto end;
5254
532f9578
MC		 5255 if (idx == 0 || idx == 1) {
5256 if (!TEST_true(use_session_cb_cnt == 2)
5257 || !TEST_true(find_session_cb_cnt == 2)
5258 || !TEST_true(psk_client_cb_cnt == 0)
5259 || !TEST_true(psk_server_cb_cnt == 0))
5260 goto end;
5261 } else {
5262 if (!TEST_true(use_session_cb_cnt == 0)
5263 || !TEST_true(find_session_cb_cnt == 0)
5264 || !TEST_true(psk_client_cb_cnt == 2)
5265 || !TEST_true(psk_server_cb_cnt == 2))
5266 goto end;
5267 }
5268
ca8c71ba
MC		 5269 shutdown_ssl_connection(serverssl, clientssl);
5270 serverssl = clientssl = NULL;
5271 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5272 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5273
0d8da779
MC		 5274 if (idx != 3) {
5275 /*
5276 * Check that if the server rejects the PSK we can still connect, but with
5277 * a full handshake
5278 */
5279 srvid = "Dummy Identity";
5280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5281 NULL, NULL))
5282 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5283 SSL_ERROR_NONE))
5284 || !TEST_false(SSL_session_reused(clientssl))
5285 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5286 goto end;
532f9578 5287
0d8da779
MC		 5288 if (idx == 0 || idx == 1) {
5289 if (!TEST_true(use_session_cb_cnt == 1)
5290 || !TEST_true(find_session_cb_cnt == 1)
5291 || !TEST_true(psk_client_cb_cnt == 0)
5292 /*
5293 * If no old style callback then below should be 0
5294 * otherwise 1
5295 */
5296 || !TEST_true(psk_server_cb_cnt == idx))
5297 goto end;
5298 } else {
5299 if (!TEST_true(use_session_cb_cnt == 0)
5300 || !TEST_true(find_session_cb_cnt == 0)
5301 || !TEST_true(psk_client_cb_cnt == 1)
5302 || !TEST_true(psk_server_cb_cnt == 1))
5303 goto end;
5304 }
5305
5306 shutdown_ssl_connection(serverssl, clientssl);
5307 serverssl = clientssl = NULL;
5308 }
ca8c71ba
MC		 5309 testresult = 1;
5310
5311 end:
57dee9bb
MC		 5312 SSL_SESSION_free(clientpsk);
5313 SSL_SESSION_free(serverpsk);
5314 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5315 SSL_free(serverssl);
5316 SSL_free(clientssl);
5317 SSL_CTX_free(sctx);
5318 SSL_CTX_free(cctx);
5319 return testresult;
5320}
5321
c7b8ff25
MC		 5322static unsigned char cookie_magic_value[] = "cookie magic";
5323
5324static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5325 unsigned int *cookie_len)
5326{
5327 /*
5328 * Not suitable as a real cookie generation function but good enough for
5329 * testing!
5330 */
97ea1e7f
MC		 5331 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5332 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5333
5334 return 1;
5335}
5336
5337static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5338 unsigned int cookie_len)
5339{
97ea1e7f 5340 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5341 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5342 return 1;
5343
5344 return 0;
5345}
5346
3fa2812f
BS		 5347static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5348 size_t *cookie_len)
5349{
5350 unsigned int temp;
5351 int res = generate_cookie_callback(ssl, cookie, &temp);
5352 *cookie_len = temp;
5353 return res;
5354}
5355
5356static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5357 size_t cookie_len)
5358{
5359 return verify_cookie_callback(ssl, cookie, cookie_len);
5360}
5361
c7b8ff25
MC		 5362static int test_stateless(void)
5363{
5364 SSL_CTX *sctx = NULL, *cctx = NULL;
5365 SSL *serverssl = NULL, *clientssl = NULL;
5366 int testresult = 0;
5367
5e30f2fd
MC		 5368 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5369 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5370 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5371 goto end;
5372
e440f513
MC		 5373 /* The arrival of CCS messages can confuse the test */
5374 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5375
5376 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5377 NULL, NULL))
5378 /* Send the first ClientHello */
5379 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5380 SSL_ERROR_WANT_READ))
5381 /*
5382 * This should fail with a -1 return because we have no callbacks
5383 * set up
5384 */
5385 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5386 goto end;
5387
5388 /* Fatal error so abandon the connection from this client */
5389 SSL_free(clientssl);
5390 clientssl = NULL;
5391
c7b8ff25 5392 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5393 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5394 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5395
e440f513
MC		 5396 /*
5397 * Create a new connection from the client (we can reuse the server SSL
5398 * object).
5399 */
c7b8ff25
MC		 5400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5401 NULL, NULL))
5402 /* Send the first ClientHello */
5403 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5404 SSL_ERROR_WANT_READ))
5405 /* This should fail because there is no cookie */
e440f513 5406 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5407 goto end;
5408
5409 /* Abandon the connection from this client */
5410 SSL_free(clientssl);
5411 clientssl = NULL;
5412
5413 /*
5414 * Now create a connection from a new client but with the same server SSL
5415 * object
5416 */
5417 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5418 NULL, NULL))
5419 /* Send the first ClientHello */
5420 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5421 SSL_ERROR_WANT_READ))
5422 /* This should fail because there is no cookie */
e440f513 5423 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5424 /* Send the second ClientHello */
5425 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5426 SSL_ERROR_WANT_READ))
5427 /* This should succeed because a cookie is now present */
e440f513 5428 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5429 /* Complete the connection */
5430 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5431 SSL_ERROR_NONE)))
5432 goto end;
5433
5434 shutdown_ssl_connection(serverssl, clientssl);
5435 serverssl = clientssl = NULL;
5436 testresult = 1;
5437
5438 end:
5439 SSL_free(serverssl);
5440 SSL_free(clientssl);
5441 SSL_CTX_free(sctx);
5442 SSL_CTX_free(cctx);
5443 return testresult;
5444
5445}
a763ca11 5446#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5447
a37008d9
MC		 5448static int clntaddoldcb = 0;
5449static int clntparseoldcb = 0;
5450static int srvaddoldcb = 0;
5451static int srvparseoldcb = 0;
5452static int clntaddnewcb = 0;
5453static int clntparsenewcb = 0;
5454static int srvaddnewcb = 0;
5455static int srvparsenewcb = 0;
bb01ef3f 5456static int snicb = 0;
a37008d9
MC		 5457
5458#define TEST_EXT_TYPE1 0xff00
5459
5460static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5461 size_t *outlen, int *al, void *add_arg)
5462{
5463 int *server = (int *)add_arg;
5464 unsigned char *data;
5465
5466 if (SSL_is_server(s))
5467 srvaddoldcb++;
5468 else
5469 clntaddoldcb++;
5470
710756a9
RS		 5471 if (*server != SSL_is_server(s)
5472 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5473 return -1;
5474
5475 *data = 1;
5476 *out = data;
5477 *outlen = sizeof(char);
a37008d9
MC		 5478 return 1;
5479}
5480
5481static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5482 void *add_arg)
5483{
5484 OPENSSL_free((unsigned char *)out);
5485}
5486
5487static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5488 size_t inlen, int *al, void *parse_arg)
5489{
5490 int *server = (int *)parse_arg;
5491
5492 if (SSL_is_server(s))
5493 srvparseoldcb++;
5494 else
5495 clntparseoldcb++;
5496
710756a9
RS		 5497 if (*server != SSL_is_server(s)
5498 || inlen != sizeof(char)
5499 || *in != 1)
a37008d9
MC		 5500 return -1;
5501
5502 return 1;
5503}
5504
5505static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5506 const unsigned char **out, size_t *outlen, X509 *x,
5507 size_t chainidx, int *al, void *add_arg)
5508{
5509 int *server = (int *)add_arg;
5510 unsigned char *data;
5511
5512 if (SSL_is_server(s))
5513 srvaddnewcb++;
5514 else
5515 clntaddnewcb++;
5516
710756a9
RS		 5517 if (*server != SSL_is_server(s)
5518 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5519 return -1;
5520
5521 *data = 1;
5522 *out = data;
710756a9 5523 *outlen = sizeof(*data);
a37008d9
MC		 5524 return 1;
5525}
5526
5527static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5528 const unsigned char *out, void *add_arg)
5529{
5530 OPENSSL_free((unsigned char *)out);
5531}
5532
5533static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5534 const unsigned char *in, size_t inlen, X509 *x,
5535 size_t chainidx, int *al, void *parse_arg)
5536{
5537 int *server = (int *)parse_arg;
5538
5539 if (SSL_is_server(s))
5540 srvparsenewcb++;
5541 else
5542 clntparsenewcb++;
5543
710756a9
RS		 5544 if (*server != SSL_is_server(s)
5545 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5546 return -1;
5547
5548 return 1;
5549}
bb01ef3f
MC		 5550
5551static int sni_cb(SSL *s, int *al, void *arg)
5552{
5553 SSL_CTX *ctx = (SSL_CTX *)arg;
5554
5555 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5556 *al = SSL_AD_INTERNAL_ERROR;
5557 return SSL_TLSEXT_ERR_ALERT_FATAL;
5558 }
5559 snicb++;
5560 return SSL_TLSEXT_ERR_OK;
5561}
5562
0db3a990
MC		 5563static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5564{
5565 return 1;
5566}
5567
a37008d9
MC		 5568/*
5569 * Custom call back tests.
5570 * Test 0: Old style callbacks in TLSv1.2
5571 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5572 * Test 2: New style callbacks in TLSv1.2 with SNI
5573 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5574 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5575 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5576 */
710756a9
RS		 5577static int test_custom_exts(int tst)
5578{
bb01ef3f 5579 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5580 SSL *clientssl = NULL, *serverssl = NULL;
5581 int testresult = 0;
5582 static int server = 1;
5583 static int client = 0;
5584 SSL_SESSION *sess = NULL;
5585 unsigned int context;
5586
a763ca11 5587#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5588 /* Skip tests for TLSv1.2 and below in this case */
5589 if (tst < 3)
5590 return 1;
5591#endif
5592
a37008d9
MC		 5593 /* Reset callback counters */
5594 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5595 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5596 snicb = 0;
a37008d9 5597
5e30f2fd
MC		 5598 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5599 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5600 &sctx, &cctx, cert, privkey)))
710756a9 5601 goto end;
a37008d9 5602
bb01ef3f 5603 if (tst == 2
5e30f2fd 5604 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5605 TLS1_VERSION, 0,
7d7f6834 5606 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5607 goto end;
5608
5609
5610 if (tst < 3) {
a37008d9
MC		 5611 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5612 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5613 if (sctx2 != NULL)
5614 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5615 }
5616
0db3a990
MC		 5617 if (tst == 5) {
5618 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5619 | SSL_EXT_TLS1_3_CERTIFICATE;
5620 SSL_CTX_set_verify(sctx,
5621 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5622 verify_cb);
5623 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5624 SSL_FILETYPE_PEM), 1)
5625 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5626 SSL_FILETYPE_PEM), 1)
5627 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5628 goto end;
5629 } else if (tst == 4) {
710756a9
RS		 5630 context = SSL_EXT_CLIENT_HELLO
5631 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5632 | SSL_EXT_TLS1_3_SERVER_HELLO
5633 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5634 | SSL_EXT_TLS1_3_CERTIFICATE
5635 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5636 } else {
710756a9
RS		 5637 context = SSL_EXT_CLIENT_HELLO
5638 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5639 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5640 }
5641
5642 /* Create a client side custom extension */
5643 if (tst == 0) {
710756a9
RS		 5644 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5645 old_add_cb, old_free_cb,
5646 &client, old_parse_cb,
5647 &client)))
5648 goto end;
a37008d9 5649 } else {
710756a9
RS		 5650 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5651 new_add_cb, new_free_cb,
5652 &client, new_parse_cb, &client)))
5653 goto end;
a37008d9
MC		 5654 }
5655
5656 /* Should not be able to add duplicates */
710756a9
RS		 5657 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5658 old_add_cb, old_free_cb,
5659 &client, old_parse_cb,
5660 &client))
5661 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5662 context, new_add_cb,
5663 new_free_cb, &client,
5664 new_parse_cb, &client)))
5665 goto end;
a37008d9
MC		 5666
5667 /* Create a server side custom extension */
5668 if (tst == 0) {
710756a9
RS		 5669 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5670 old_add_cb, old_free_cb,
5671 &server, old_parse_cb,
5672 &server)))
5673 goto end;
a37008d9 5674 } else {
710756a9
RS		 5675 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5676 new_add_cb, new_free_cb,
5677 &server, new_parse_cb, &server)))
5678 goto end;
bb01ef3f
MC		 5679 if (sctx2 != NULL
5680 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5681 context, new_add_cb,
5682 new_free_cb, &server,
5683 new_parse_cb, &server)))
5684 goto end;
a37008d9
MC		 5685 }
5686
5687 /* Should not be able to add duplicates */
710756a9
RS		 5688 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5689 old_add_cb, old_free_cb,
5690 &server, old_parse_cb,
5691 &server))
5692 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5693 context, new_add_cb,
5694 new_free_cb, &server,
5695 new_parse_cb, &server)))
a37008d9 5696 goto end;
a37008d9 5697
bb01ef3f
MC		 5698 if (tst == 2) {
5699 /* Set up SNI */
5700 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5701 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5702 goto end;
5703 }
5704
710756a9
RS		 5705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5706 &clientssl, NULL, NULL))
5707 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5708 SSL_ERROR_NONE)))
a37008d9 5709 goto end;
a37008d9
MC		 5710
5711 if (tst == 0) {
710756a9
RS		 5712 if (clntaddoldcb != 1
5713 || clntparseoldcb != 1
5714 || srvaddoldcb != 1
5715 || srvparseoldcb != 1)
a37008d9 5716 goto end;
bb01ef3f 5717 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5718 if (clntaddnewcb != 1
5719 || clntparsenewcb != 1
5720 || srvaddnewcb != 1
bb01ef3f
MC		 5721 || srvparsenewcb != 1
5722 || (tst != 2 && snicb != 0)
5723 || (tst == 2 && snicb != 1))
a37008d9 5724 goto end;
0db3a990
MC		 5725 } else if (tst == 5) {
5726 if (clntaddnewcb != 1
5727 || clntparsenewcb != 1
5728 || srvaddnewcb != 1
5729 || srvparsenewcb != 1)
5730 goto end;
a37008d9 5731 } else {
36ff232c 5732 /* In this case there 2 NewSessionTicket messages created */
710756a9 5733 if (clntaddnewcb != 1
36ff232c
MC		 5734 || clntparsenewcb != 5
5735 || srvaddnewcb != 5
710756a9 5736 || srvparsenewcb != 1)
a37008d9 5737 goto end;
a37008d9
MC		 5738 }
5739
5740 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5741 SSL_shutdown(clientssl);
5742 SSL_shutdown(serverssl);
a37008d9
MC		 5743 SSL_free(serverssl);
5744 SSL_free(clientssl);
5745 serverssl = clientssl = NULL;
5746
0db3a990
MC		 5747 if (tst == 3 || tst == 5) {
5748 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 5749 testresult = 1;
5750 goto end;
5751 }
5752
710756a9
RS		 5753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5754 NULL, NULL))
5755 || !TEST_true(SSL_set_session(clientssl, sess))
5756 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5757 SSL_ERROR_NONE)))
a37008d9 5758 goto end;
a37008d9
MC		 5759
5760 /*
5761 * For a resumed session we expect to add the ClientHello extension. For the
5762 * old style callbacks we ignore it on the server side because they set
5763 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5764 * them.
5765 */
5766 if (tst == 0) {
710756a9
RS		 5767 if (clntaddoldcb != 2
5768 || clntparseoldcb != 1
5769 || srvaddoldcb != 1
5770 || srvparseoldcb != 1)
a37008d9 5771 goto end;
bb01ef3f 5772 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5773 if (clntaddnewcb != 2
5774 || clntparsenewcb != 2
5775 || srvaddnewcb != 2
5776 || srvparsenewcb != 2)
a37008d9 5777 goto end;
a37008d9 5778 } else {
36ff232c
MC		 5779 /*
5780 * No Certificate message extensions in the resumption handshake,
5781 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5782 */
710756a9 5783 if (clntaddnewcb != 2
36ff232c
MC		 5784 || clntparsenewcb != 8
5785 || srvaddnewcb != 8
710756a9 5786 || srvparsenewcb != 2)
a37008d9 5787 goto end;
a37008d9
MC		 5788 }
5789
5790 testresult = 1;
5791
5792end:
5793 SSL_SESSION_free(sess);
5794 SSL_free(serverssl);
5795 SSL_free(clientssl);
bb01ef3f 5796 SSL_CTX_free(sctx2);
a37008d9
MC		 5797 SSL_CTX_free(sctx);
5798 SSL_CTX_free(cctx);
a37008d9
MC		 5799 return testresult;
5800}
5801
16afd71c
MC		 5802/*
5803 * Test loading of serverinfo data in various formats. test_sslmessages actually
5804 * tests to make sure the extensions appear in the handshake
5805 */
5806static int test_serverinfo(int tst)
5807{
5808 unsigned int version;
5809 unsigned char *sibuf;
5810 size_t sibuflen;
5811 int ret, expected, testresult = 0;
5812 SSL_CTX *ctx;
5813
d8652be0 5814 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5815 if (!TEST_ptr(ctx))
5816 goto end;
5817
5818 if ((tst & 0x01) == 0x01)
5819 version = SSL_SERVERINFOV2;
5820 else
5821 version = SSL_SERVERINFOV1;
5822
5823 if ((tst & 0x02) == 0x02) {
5824 sibuf = serverinfov2;
5825 sibuflen = sizeof(serverinfov2);
5826 expected = (version == SSL_SERVERINFOV2);
5827 } else {
5828 sibuf = serverinfov1;
5829 sibuflen = sizeof(serverinfov1);
5830 expected = (version == SSL_SERVERINFOV1);
5831 }
5832
5833 if ((tst & 0x04) == 0x04) {
5834 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5835 } else {
5836 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5837
5838 /*
5839 * The version variable is irrelevant in this case - it's what is in the
5840 * buffer that matters
5841 */
5842 if ((tst & 0x02) == 0x02)
5843 expected = 0;
5844 else
5845 expected = 1;
5846 }
5847
5848 if (!TEST_true(ret == expected))
5849 goto end;
5850
5851 testresult = 1;
5852
5853 end:
5854 SSL_CTX_free(ctx);
5855
5856 return testresult;
5857}
5858
2197d1df
MC		 5859/*
5860 * Test that SSL_export_keying_material() produces expected results. There are
5861 * no test vectors so all we do is test that both sides of the communication
5862 * produce the same results for different protocol versions.
5863 */
0fb2815b
MC		 5864#define SMALL_LABEL_LEN 10
5865#define LONG_LABEL_LEN 249
2197d1df
MC		 5866static int test_export_key_mat(int tst)
5867{
a599574b 5868 int testresult = 0;
2197d1df
MC		 5869 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5870 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5871 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5872 const unsigned char context[] = "context";
5873 const unsigned char *emptycontext = NULL;
5874 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5875 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5876 size_t labellen;
a599574b
MC		 5877 const int protocols[] = {
5878 TLS1_VERSION,
5879 TLS1_1_VERSION,
5880 TLS1_2_VERSION,
0fb2815b
MC		 5881 TLS1_3_VERSION,
5882 TLS1_3_VERSION,
a599574b
MC		 5883 TLS1_3_VERSION
5884 };
2197d1df
MC		 5885
5886#ifdef OPENSSL_NO_TLS1
5887 if (tst == 0)
5888 return 1;
5889#endif
5890#ifdef OPENSSL_NO_TLS1_1
5891 if (tst == 1)
5892 return 1;
5893#endif
4f6c7044
MC		 5894 if (is_fips && (tst == 0 || tst == 1))
5895 return 1;
2197d1df
MC		 5896#ifdef OPENSSL_NO_TLS1_2
5897 if (tst == 2)
5898 return 1;
5899#endif
a763ca11 5900#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5901 if (tst >= 3)
2197d1df
MC		 5902 return 1;
5903#endif
5e30f2fd
MC		 5904 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5905 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5906 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5907 goto end;
5908
a599574b
MC		 5909 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5910 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5911 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5912 if ((protocols[tst] < TLS1_2_VERSION) &&
5913 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5914 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5915 goto end;
2197d1df
MC		 5916
5917 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5918 NULL)))
5919 goto end;
5920
5921 /*
5922 * Premature call of SSL_export_keying_material should just fail.
5923 */
5924 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5925 sizeof(ckeymat1), label,
5926 SMALL_LABEL_LEN + 1, context,
5927 sizeof(context) - 1, 1), 0))
5928 goto end;
5929
5930 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5931 SSL_ERROR_NONE)))
2197d1df
MC		 5932 goto end;
5933
0fb2815b
MC		 5934 if (tst == 5) {
5935 /*
5936 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5937 * go over that.
5938 */
5939 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5940 sizeof(ckeymat1), label,
5941 LONG_LABEL_LEN + 1, context,
5942 sizeof(context) - 1, 1), 0))
5943 goto end;
5944
5945 testresult = 1;
5946 goto end;
5947 } else if (tst == 4) {
5948 labellen = LONG_LABEL_LEN;
5949 } else {
5950 labellen = SMALL_LABEL_LEN;
5951 }
5952
2197d1df
MC		 5953 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5954 sizeof(ckeymat1), label,
0fb2815b 5955 labellen, context,
2197d1df
MC		 5956 sizeof(context) - 1, 1), 1)
5957 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5958 sizeof(ckeymat2), label,
0fb2815b 5959 labellen,
2197d1df
MC		 5960 emptycontext,
5961 0, 1), 1)
5962 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5963 sizeof(ckeymat3), label,
0fb2815b 5964 labellen,
2197d1df
MC		 5965 NULL, 0, 0), 1)
5966 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5967 sizeof(skeymat1), label,
0fb2815b 5968 labellen,
2197d1df
MC		 5969 context,
5970 sizeof(context) -1, 1),
5971 1)
5972 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5973 sizeof(skeymat2), label,
0fb2815b 5974 labellen,
2197d1df
MC		 5975 emptycontext,
5976 0, 1), 1)
5977 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5978 sizeof(skeymat3), label,
0fb2815b 5979 labellen,
2197d1df
MC		 5980 NULL, 0, 0), 1)
5981 /*
5982 * Check that both sides created the same key material with the
5983 * same context.
5984 */
5985 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5986 sizeof(skeymat1))
5987 /*
5988 * Check that both sides created the same key material with an
5989 * empty context.
5990 */
5991 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5992 sizeof(skeymat2))
5993 /*
5994 * Check that both sides created the same key material without a
5995 * context.
5996 */
5997 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5998 sizeof(skeymat3))
5999 /* Different contexts should produce different results */
6000 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6001 sizeof(ckeymat2)))
6002 goto end;
6003
6004 /*
6005 * Check that an empty context and no context produce different results in
6006 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6007 */
0fb2815b 6008 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6009 sizeof(ckeymat3)))
0fb2815b
MC		 6010 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6011 sizeof(ckeymat3))))
2197d1df
MC		 6012 goto end;
6013
6014 testresult = 1;
6015
6016 end:
6017 SSL_free(serverssl);
6018 SSL_free(clientssl);
6019 SSL_CTX_free(sctx2);
6020 SSL_CTX_free(sctx);
6021 SSL_CTX_free(cctx);
6022
6023 return testresult;
6024}
6025
a763ca11 6026#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6027/*
6028 * Test that SSL_export_keying_material_early() produces expected
6029 * results. There are no test vectors so all we do is test that both
6030 * sides of the communication produce the same results for different
6031 * protocol versions.
6032 */
6033static int test_export_key_mat_early(int idx)
6034{
6035 static const char label[] = "test label";
6036 static const unsigned char context[] = "context";
6037 int testresult = 0;
6038 SSL_CTX *cctx = NULL, *sctx = NULL;
6039 SSL *clientssl = NULL, *serverssl = NULL;
6040 SSL_SESSION *sess = NULL;
6041 const unsigned char *emptycontext = NULL;
6042 unsigned char ckeymat1[80], ckeymat2[80];
6043 unsigned char skeymat1[80], skeymat2[80];
6044 unsigned char buf[1];
6045 size_t readbytes, written;
6046
6047 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6048 &sess, idx)))
6049 goto end;
6050
6051 /* Here writing 0 length early data is enough. */
6052 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6053 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6054 &readbytes),
6055 SSL_READ_EARLY_DATA_ERROR)
6056 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6057 SSL_EARLY_DATA_ACCEPTED))
6058 goto end;
6059
6060 if (!TEST_int_eq(SSL_export_keying_material_early(
6061 clientssl, ckeymat1, sizeof(ckeymat1), label,
6062 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6063 || !TEST_int_eq(SSL_export_keying_material_early(
6064 clientssl, ckeymat2, sizeof(ckeymat2), label,
6065 sizeof(label) - 1, emptycontext, 0), 1)
6066 || !TEST_int_eq(SSL_export_keying_material_early(
6067 serverssl, skeymat1, sizeof(skeymat1), label,
6068 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6069 || !TEST_int_eq(SSL_export_keying_material_early(
6070 serverssl, skeymat2, sizeof(skeymat2), label,
6071 sizeof(label) - 1, emptycontext, 0), 1)
6072 /*
6073 * Check that both sides created the same key material with the
6074 * same context.
6075 */
6076 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6077 sizeof(skeymat1))
6078 /*
6079 * Check that both sides created the same key material with an
6080 * empty context.
6081 */
6082 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6083 sizeof(skeymat2))
6084 /* Different contexts should produce different results */
6085 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6086 sizeof(ckeymat2)))
6087 goto end;
6088
6089 testresult = 1;
6090
6091 end:
c20e3b28 6092 SSL_SESSION_free(sess);
b38ede80
TT		 6093 SSL_SESSION_free(clientpsk);
6094 SSL_SESSION_free(serverpsk);
34ff74eb 6095 clientpsk = serverpsk = NULL;
b38ede80
TT		 6096 SSL_free(serverssl);
6097 SSL_free(clientssl);
6098 SSL_CTX_free(sctx);
6099 SSL_CTX_free(cctx);
6100
6101 return testresult;
6102}
3409a5ff
MC		 6103
6104#define NUM_KEY_UPDATE_MESSAGES 40
6105/*
6106 * Test KeyUpdate.
6107 */
6108static int test_key_update(void)
6109{
6110 SSL_CTX *cctx = NULL, *sctx = NULL;
6111 SSL *clientssl = NULL, *serverssl = NULL;
6112 int testresult = 0, i, j;
6113 char buf[20];
6114 static char *mess = "A test message";
6115
5e30f2fd 6116 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6117 TLS_client_method(),
6118 TLS1_3_VERSION,
6119 0,
6120 &sctx, &cctx, cert, privkey))
6121 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6122 NULL, NULL))
6123 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6124 SSL_ERROR_NONE)))
6125 goto end;
6126
6127 for (j = 0; j < 2; j++) {
6128 /* Send lots of KeyUpdate messages */
6129 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6130 if (!TEST_true(SSL_key_update(clientssl,
6131 (j == 0)
6132 ? SSL_KEY_UPDATE_NOT_REQUESTED
6133 : SSL_KEY_UPDATE_REQUESTED))
6134 || !TEST_true(SSL_do_handshake(clientssl)))
6135 goto end;
6136 }
6137
6138 /* Check that sending and receiving app data is ok */
6139 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6140 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6141 strlen(mess)))
6142 goto end;
a77b4dba
MC		 6143
6144 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6145 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6146 strlen(mess)))
6147 goto end;
3409a5ff
MC		 6148 }
6149
6150 testresult = 1;
6151
6152 end:
6153 SSL_free(serverssl);
6154 SSL_free(clientssl);
6155 SSL_CTX_free(sctx);
6156 SSL_CTX_free(cctx);
6157
6158 return testresult;
6159}
a77b4dba
MC		 6160
6161/*
0c48fda8 6162 * Test we can handle a KeyUpdate (update requested) message while
6163 * write data is pending in peer.
a77b4dba
MC		 6164 * Test 0: Client sends KeyUpdate while Server is writing
6165 * Test 1: Server sends KeyUpdate while Client is writing
6166 */
0c48fda8 6167static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6168{
6169 SSL_CTX *cctx = NULL, *sctx = NULL;
6170 SSL *clientssl = NULL, *serverssl = NULL;
6171 int testresult = 0;
6172 char buf[20];
6173 static char *mess = "A test message";
6174 BIO *bretry = BIO_new(bio_s_always_retry());
6175 BIO *tmp = NULL;
6176 SSL *peerupdate = NULL, *peerwrite = NULL;
6177
6178 if (!TEST_ptr(bretry)
5e30f2fd 6179 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6180 TLS_client_method(),
6181 TLS1_3_VERSION,
6182 0,
6183 &sctx, &cctx, cert, privkey))
6184 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6185 NULL, NULL))
6186 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6187 SSL_ERROR_NONE)))
6188 goto end;
6189
6190 peerupdate = tst == 0 ? clientssl : serverssl;
6191 peerwrite = tst == 0 ? serverssl : clientssl;
6192
6193 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6194 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6195 goto end;
6196
6197 /* Swap the writing endpoint's write BIO to force a retry */
6198 tmp = SSL_get_wbio(peerwrite);
6199 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6200 tmp = NULL;
6201 goto end;
6202 }
6203 SSL_set0_wbio(peerwrite, bretry);
6204 bretry = NULL;
6205
6206 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6207 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6208 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6209 goto end;
6210
6211 /* Reinstate the original writing endpoint's write BIO */
6212 SSL_set0_wbio(peerwrite, tmp);
6213 tmp = NULL;
6214
6215 /* Now read some data - we will read the key update */
6216 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6217 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6218 goto end;
6219
6220 /*
6221 * Complete the write we started previously and read it from the other
6222 * endpoint
6223 */
6224 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6225 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6226 goto end;
6227
6228 /* Write more data to ensure we send the KeyUpdate message back */
6229 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6230 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6231 goto end;
6232
6233 testresult = 1;
6234
6235 end:
6236 SSL_free(serverssl);
6237 SSL_free(clientssl);
6238 SSL_CTX_free(sctx);
6239 SSL_CTX_free(cctx);
6240 BIO_free(bretry);
6241 BIO_free(tmp);
6242
6243 return testresult;
6244}
0c48fda8 6245
6246/*
6247 * Test we can handle a KeyUpdate (update requested) message while
6248 * peer read data is pending after peer accepted keyupdate(the msg header
6249 * had been read 5 bytes).
6250 * Test 0: Client sends KeyUpdate while Server is reading
6251 * Test 1: Server sends KeyUpdate while Client is reading
6252 */
6253static int test_key_update_peer_in_read(int tst)
6254{
6255 SSL_CTX *cctx = NULL, *sctx = NULL;
6256 SSL *clientssl = NULL, *serverssl = NULL;
6257 int testresult = 0;
6258 char prbuf[515], lwbuf[515] = {0};
6259 static char *mess = "A test message";
6260 BIO *lbio = NULL, *pbio = NULL;
6261 SSL *local = NULL, *peer = NULL;
6262
6263 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6264 TLS_client_method(),
6265 TLS1_3_VERSION,
6266 0,
6267 &sctx, &cctx, cert, privkey))
6268 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6269 NULL, NULL))
6270 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6271 SSL_ERROR_NONE)))
6272 goto end;
6273
6274 local = tst == 0 ? clientssl : serverssl;
6275 peer = tst == 0 ? serverssl : clientssl;
6276
6277 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6278 goto end;
6279
6280 SSL_set_bio(local, lbio, lbio);
6281 SSL_set_bio(peer, pbio, pbio);
6282
6283 /*
6284 * we first write keyupdate msg then appdata in local
6285 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6286 * lwbuf app data msg size + key updata msg size > 512(the size of
6287 * the bio pair buffer)
6288 */
6289 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6290 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6291 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6292 goto end;
6293
6294 /*
6295 * first read keyupdate msg in peer in peer
6296 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6297 */
6298 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6299 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6300 goto end;
6301
6302 /* Now write some data in peer - we will write the key update */
6303 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6304 goto end;
6305
6306 /*
6307 * write data in local previously that we will complete
6308 * read data in peer previously that we will complete
6309 */
6310 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6311 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6312 goto end;
6313
6314 /* check that sending and receiving appdata ok */
6315 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6316 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6317 goto end;
6318
6319 testresult = 1;
6320
6321 end:
6322 SSL_free(serverssl);
6323 SSL_free(clientssl);
6324 SSL_CTX_free(sctx);
6325 SSL_CTX_free(cctx);
6326
6327 return testresult;
6328}
6329
6330/*
6331 * Test we can't send a KeyUpdate (update requested) message while
6332 * local write data is pending.
6333 * Test 0: Client sends KeyUpdate while Client is writing
6334 * Test 1: Server sends KeyUpdate while Server is writing
6335 */
6336static int test_key_update_local_in_write(int tst)
6337{
6338 SSL_CTX *cctx = NULL, *sctx = NULL;
6339 SSL *clientssl = NULL, *serverssl = NULL;
6340 int testresult = 0;
6341 char buf[20];
6342 static char *mess = "A test message";
6343 BIO *bretry = BIO_new(bio_s_always_retry());
6344 BIO *tmp = NULL;
6345 SSL *local = NULL, *peer = NULL;
6346
6347 if (!TEST_ptr(bretry)
6348 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6349 TLS_client_method(),
6350 TLS1_3_VERSION,
6351 0,
6352 &sctx, &cctx, cert, privkey))
6353 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6354 NULL, NULL))
6355 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6356 SSL_ERROR_NONE)))
6357 goto end;
6358
6359 local = tst == 0 ? clientssl : serverssl;
6360 peer = tst == 0 ? serverssl : clientssl;
6361
6362 /* Swap the writing endpoint's write BIO to force a retry */
6363 tmp = SSL_get_wbio(local);
6364 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6365 tmp = NULL;
6366 goto end;
6367 }
6368 SSL_set0_wbio(local, bretry);
6369 bretry = NULL;
6370
6371 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6372 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6373 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6374 goto end;
6375
6376 /* Reinstate the original writing endpoint's write BIO */
6377 SSL_set0_wbio(local, tmp);
6378 tmp = NULL;
6379
6380 /* SSL_key_update will fail, because writing in local*/
6381 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6382 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6383 goto end;
6384
6385 ERR_clear_error();
6386 /* write data in local previously that we will complete */
6387 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6388 goto end;
6389
6390 /* SSL_key_update will succeed because there is no pending write data */
6391 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6392 || !TEST_int_eq(SSL_do_handshake(local), 1))
6393 goto end;
6394
6395 /*
6396 * we write some appdata in local
6397 * read data in peer - we will read the keyupdate msg
6398 */
6399 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6400 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6401 goto end;
6402
6403 /* Write more peer more data to ensure we send the keyupdate message back */
6404 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6405 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6406 goto end;
6407
6408 testresult = 1;
6409
6410 end:
6411 SSL_free(serverssl);
6412 SSL_free(clientssl);
6413 SSL_CTX_free(sctx);
6414 SSL_CTX_free(cctx);
6415 BIO_free(bretry);
6416 BIO_free(tmp);
6417
6418 return testresult;
6419}
6420
6421/*
6422 * Test we can handle a KeyUpdate (update requested) message while
6423 * local read data is pending(the msg header had been read 5 bytes).
6424 * Test 0: Client sends KeyUpdate while Client is reading
6425 * Test 1: Server sends KeyUpdate while Server is reading
6426 */
6427static int test_key_update_local_in_read(int tst)
6428{
6429 SSL_CTX *cctx = NULL, *sctx = NULL;
6430 SSL *clientssl = NULL, *serverssl = NULL;
6431 int testresult = 0;
6432 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6433 static char *mess = "A test message";
6434 BIO *lbio = NULL, *pbio = NULL;
6435 SSL *local = NULL, *peer = NULL;
6436
6437 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6438 TLS_client_method(),
6439 TLS1_3_VERSION,
6440 0,
6441 &sctx, &cctx, cert, privkey))
6442 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6443 NULL, NULL))
6444 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6445 SSL_ERROR_NONE)))
6446 goto end;
6447
6448 local = tst == 0 ? clientssl : serverssl;
6449 peer = tst == 0 ? serverssl : clientssl;
6450
6451 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6452 goto end;
6453
6454 SSL_set_bio(local, lbio, lbio);
6455 SSL_set_bio(peer, pbio, pbio);
6456
6457 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6458 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6459 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6460 goto end;
6461
6462 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6463 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6464 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6465 goto end;
6466
6467 /* SSL_do_handshake will send keyupdate msg */
6468 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6469 || !TEST_int_eq(SSL_do_handshake(local), 1))
6470 goto end;
6471
6472 /*
6473 * write data in peer previously that we will complete
6474 * read data in local previously that we will complete
6475 */
6476 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6477 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6478 goto end;
6479
6480 /*
6481 * write data in local
6482 * read data in peer - we will read the key update
6483 */
6484 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6485 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6486 goto end;
6487
6488 /* Write more peer data to ensure we send the keyupdate message back */
6489 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6490 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6491 goto end;
6492
6493 testresult = 1;
6494
6495 end:
6496 SSL_free(serverssl);
6497 SSL_free(clientssl);
6498 SSL_CTX_free(sctx);
6499 SSL_CTX_free(cctx);
6500
6501 return testresult;
6502}
a763ca11 6503#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6504
e11b6aa4
MC		 6505static int test_ssl_clear(int idx)
6506{
6507 SSL_CTX *cctx = NULL, *sctx = NULL;
6508 SSL *clientssl = NULL, *serverssl = NULL;
6509 int testresult = 0;
6510
6511#ifdef OPENSSL_NO_TLS1_2
6512 if (idx == 1)
6513 return 1;
6514#endif
6515
6516 /* Create an initial connection */
5e30f2fd
MC		 6517 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6518 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6519 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6520 || (idx == 1
6521 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6522 TLS1_2_VERSION)))
6523 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6524 &clientssl, NULL, NULL))
6525 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6526 SSL_ERROR_NONE)))
6527 goto end;
6528
6529 SSL_shutdown(clientssl);
6530 SSL_shutdown(serverssl);
6531 SSL_free(serverssl);
6532 serverssl = NULL;
6533
6534 /* Clear clientssl - we're going to reuse the object */
6535 if (!TEST_true(SSL_clear(clientssl)))
6536 goto end;
6537
6538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6539 NULL, NULL))
6540 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6541 SSL_ERROR_NONE))
6542 || !TEST_true(SSL_session_reused(clientssl)))
6543 goto end;
6544
6545 SSL_shutdown(clientssl);
6546 SSL_shutdown(serverssl);
6547
6548 testresult = 1;
6549
6550 end:
6551 SSL_free(serverssl);
6552 SSL_free(clientssl);
6553 SSL_CTX_free(sctx);
6554 SSL_CTX_free(cctx);
6555
6556 return testresult;
6557}
6558
cf72c757
F		 6559/* Parse CH and retrieve any MFL extension value if present */
6560static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6561{
6562 long len;
6563 unsigned char *data;
72962d02 6564 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6565 unsigned int MFL_code = 0, type = 0;
6566
1287dabd 6567 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6568 goto end;
6569
72962d02
P		 6570 memset(&pkt, 0, sizeof(pkt));
6571 memset(&pkt2, 0, sizeof(pkt2));
6572 memset(&pkt3, 0, sizeof(pkt3));
6573
9ba18520 6574 if (!TEST_long_gt(len, 0)
1287dabd 6575 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6576 /* Skip the record header */
6577 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6578 /* Skip the handshake message header */
6579 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6580 /* Skip client version and random */
6581 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6582 + SSL3_RANDOM_SIZE))
6583 /* Skip session id */
6584 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6585 /* Skip ciphers */
6586 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6587 /* Skip compression */
6588 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6589 /* Extensions len */
6590 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6591 goto end;
6592
6593 /* Loop through all extensions */
6594 while (PACKET_remaining(&pkt2)) {
6595 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6596 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6597 goto end;
6598
6599 if (type == TLSEXT_TYPE_max_fragment_length) {
6600 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6601 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6602 goto end;
6603
6604 *mfl_codemfl_code = MFL_code;
6605 return 1;
6606 }
6607 }
6608
6609 end:
6610 return 0;
6611}
6612
6613/* Maximum-Fragment-Length TLS extension mode to test */
6614static const unsigned char max_fragment_len_test[] = {
6615 TLSEXT_max_fragment_length_512,
6616 TLSEXT_max_fragment_length_1024,
6617 TLSEXT_max_fragment_length_2048,
6618 TLSEXT_max_fragment_length_4096
6619};
6620
6621static int test_max_fragment_len_ext(int idx_tst)
6622{
a763ca11 6623 SSL_CTX *ctx = NULL;
cf72c757
F		 6624 SSL *con = NULL;
6625 int testresult = 0, MFL_mode = 0;
6626 BIO *rbio, *wbio;
6627
a763ca11
MC		 6628 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6629 TLS1_VERSION, 0, NULL, &ctx, NULL,
6630 NULL)))
6631 return 0;
cf72c757
F		 6632
6633 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6634 ctx, max_fragment_len_test[idx_tst])))
6635 goto end;
6636
6637 con = SSL_new(ctx);
6638 if (!TEST_ptr(con))
6639 goto end;
6640
6641 rbio = BIO_new(BIO_s_mem());
6642 wbio = BIO_new(BIO_s_mem());
6643 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6644 BIO_free(rbio);
6645 BIO_free(wbio);
6646 goto end;
6647 }
6648
6649 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6650
6651 if (!TEST_int_le(SSL_connect(con), 0)) {
6652 /* This shouldn't succeed because we don't have a server! */
6653 goto end;
6654 }
6655
6656 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6657 /* no MFL in client hello */
6658 goto end;
6659 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6660 goto end;
6661
6662 testresult = 1;
6663
6664end:
6665 SSL_free(con);
6666 SSL_CTX_free(ctx);
6667
6668 return testresult;
6669}
6670
a763ca11 6671#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6672static int test_pha_key_update(void)
6673{
6674 SSL_CTX *cctx = NULL, *sctx = NULL;
6675 SSL *clientssl = NULL, *serverssl = NULL;
6676 int testresult = 0;
6677
5e30f2fd
MC		 6678 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6679 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6680 &sctx, &cctx, cert, privkey)))
6681 return 0;
6682
6683 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6684 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6685 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6686 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6687 goto end;
6688
e97be718 6689 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6690
6691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6692 NULL, NULL)))
6693 goto end;
6694
9d75dce3
TS		 6695 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6696 SSL_ERROR_NONE)))
6697 goto end;
6698
6699 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6700 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6701 goto end;
6702
6703 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6704 goto end;
6705
6706 /* Start handshake on the server */
6707 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6708 goto end;
6709
6710 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6711 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6712 SSL_ERROR_NONE)))
6713 goto end;
6714
6715 SSL_shutdown(clientssl);
6716 SSL_shutdown(serverssl);
6717
6718 testresult = 1;
6719
6720 end:
6721 SSL_free(serverssl);
6722 SSL_free(clientssl);
6723 SSL_CTX_free(sctx);
6724 SSL_CTX_free(cctx);
6725 return testresult;
6726}
6727#endif
6728
76fd7a1d
MC		 6729#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6730
6731static SRP_VBASE *vbase = NULL;
6732
6733static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6734{
6735 int ret = SSL3_AL_FATAL;
6736 char *username;
6737 SRP_user_pwd *user = NULL;
6738
6739 username = SSL_get_srp_username(s);
6740 if (username == NULL) {
6741 *ad = SSL_AD_INTERNAL_ERROR;
6742 goto err;
6743 }
6744
6745 user = SRP_VBASE_get1_by_user(vbase, username);
6746 if (user == NULL) {
6747 *ad = SSL_AD_INTERNAL_ERROR;
6748 goto err;
6749 }
6750
6751 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6752 user->info) <= 0) {
6753 *ad = SSL_AD_INTERNAL_ERROR;
6754 goto err;
6755 }
6756
6757 ret = 0;
6758
6759 err:
6760 SRP_user_pwd_free(user);
6761 return ret;
6762}
6763
6764static int create_new_vfile(char *userid, char *password, const char *filename)
6765{
6766 char *gNid = NULL;
6767 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6768 TXT_DB *db = NULL;
6769 int ret = 0;
6770 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6771 size_t i;
6772
6773 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6774 goto end;
6775
20c00d0a 6776 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6777 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6778 if (!TEST_ptr(gNid))
6779 goto end;
6780
6781 /*
6782 * The only way to create an empty TXT_DB is to provide a BIO with no data
6783 * in it!
6784 */
6785 db = TXT_DB_read(dummy, DB_NUMBER);
6786 if (!TEST_ptr(db))
6787 goto end;
6788
6789 out = BIO_new_file(filename, "w");
6790 if (!TEST_ptr(out))
6791 goto end;
6792
6793 row[DB_srpid] = OPENSSL_strdup(userid);
6794 row[DB_srptype] = OPENSSL_strdup("V");
6795 row[DB_srpgN] = OPENSSL_strdup(gNid);
6796
6797 if (!TEST_ptr(row[DB_srpid])
6798 || !TEST_ptr(row[DB_srptype])
6799 || !TEST_ptr(row[DB_srpgN])
6800 || !TEST_true(TXT_DB_insert(db, row)))
6801 goto end;
6802
6803 row = NULL;
6804
aba9943f 6805 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 6806 goto end;
6807
6808 ret = 1;
6809 end:
6810 if (row != NULL) {
6811 for (i = 0; i < DB_NUMBER; i++)
6812 OPENSSL_free(row[i]);
6813 }
6814 OPENSSL_free(row);
6815 BIO_free(dummy);
6816 BIO_free(out);
6817 TXT_DB_free(db);
6818
6819 return ret;
6820}
6821
6822static int create_new_vbase(char *userid, char *password)
6823{
6824 BIGNUM *verifier = NULL, *salt = NULL;
6825 const SRP_gN *lgN = NULL;
6826 SRP_user_pwd *user_pwd = NULL;
6827 int ret = 0;
6828
6829 lgN = SRP_get_default_gN(NULL);
6830 if (!TEST_ptr(lgN))
6831 goto end;
6832
20c00d0a 6833 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6834 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6835 goto end;
6836
6837 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6838 if (!TEST_ptr(user_pwd))
6839 goto end;
6840
6841 user_pwd->N = lgN->N;
6842 user_pwd->g = lgN->g;
6843 user_pwd->id = OPENSSL_strdup(userid);
6844 if (!TEST_ptr(user_pwd->id))
6845 goto end;
6846
6847 user_pwd->v = verifier;
6848 user_pwd->s = salt;
6849 verifier = salt = NULL;
6850
6851 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6852 goto end;
6853 user_pwd = NULL;
6854
6855 ret = 1;
6856end:
6857 SRP_user_pwd_free(user_pwd);
6858 BN_free(salt);
6859 BN_free(verifier);
6860
6861 return ret;
6862}
6863
6864/*
6865 * SRP tests
6866 *
6867 * Test 0: Simple successful SRP connection, new vbase
6868 * Test 1: Connection failure due to bad password, new vbase
6869 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6870 * Test 3: Connection failure due to bad password, vbase loaded from existing
6871 * file
6872 * Test 4: Simple successful SRP connection, vbase loaded from new file
6873 * Test 5: Connection failure due to bad password, vbase loaded from new file
6874 */
6875static int test_srp(int tst)
6876{
6877 char *userid = "test", *password = "password", *tstsrpfile;
6878 SSL_CTX *cctx = NULL, *sctx = NULL;
6879 SSL *clientssl = NULL, *serverssl = NULL;
6880 int ret, testresult = 0;
6881
6882 vbase = SRP_VBASE_new(NULL);
6883 if (!TEST_ptr(vbase))
6884 goto end;
6885
6886 if (tst == 0 || tst == 1) {
6887 if (!TEST_true(create_new_vbase(userid, password)))
6888 goto end;
6889 } else {
6890 if (tst == 4 || tst == 5) {
6891 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6892 goto end;
6893 tstsrpfile = tmpfilename;
6894 } else {
6895 tstsrpfile = srpvfile;
6896 }
6897 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6898 goto end;
6899 }
6900
5e30f2fd
MC		 6901 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6902 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6903 &sctx, &cctx, cert, privkey)))
6904 goto end;
6905
6906 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6907 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6908 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6909 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6910 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6911 goto end;
6912
6913 if (tst % 2 == 1) {
6914 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6915 goto end;
6916 } else {
6917 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6918 goto end;
6919 }
6920
6921 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6922 NULL, NULL)))
6923 goto end;
6924
6925 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6926 if (ret) {
6927 if (!TEST_true(tst % 2 == 0))
6928 goto end;
6929 } else {
6930 if (!TEST_true(tst % 2 == 1))
6931 goto end;
6932 }
6933
6934 testresult = 1;
6935
6936 end:
6937 SRP_VBASE_free(vbase);
6938 vbase = NULL;
6939 SSL_free(serverssl);
6940 SSL_free(clientssl);
6941 SSL_CTX_free(sctx);
6942 SSL_CTX_free(cctx);
6943
6944 return testresult;
6945}
6946#endif
6947
5718fe45
MC		 6948static int info_cb_failed = 0;
6949static int info_cb_offset = 0;
6950static int info_cb_this_state = -1;
6951
6952static struct info_cb_states_st {
6953 int where;
6954 const char *statestr;
6955} info_cb_states[][60] = {
6956 {
6957 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 6958 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6959 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 6960 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6961 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6962 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6963 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6964 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6965 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 6966 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 6967 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6968 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6969 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6970 {SSL_CB_EXIT, NULL}, {0, NULL},
6971 }, {
6972 /* TLSv1.2 client followed by resumption */
e0f69c35 6973 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 6974 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6975 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6976 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6977 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6978 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6979 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 6980 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 6981 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6982 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6983 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6984 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6985 }, {
6986 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 6987 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6988 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 6989 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 6990 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 6991 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6992 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6993 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 6994 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6995 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 6996 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6997 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6998 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6999 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7000 }, {
7001 /* TLSv1.3 client followed by resumption */
e0f69c35 7002 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7003 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7004 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7005 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7006 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7007 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7008 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7009 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7010 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7011 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7012 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7013 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7014 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7015 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7016 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7017 }, {
7018 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7019 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7020 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7021 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7022 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7023 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7024 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7025 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7026 {SSL_CB_EXIT, NULL}, {0, NULL},
7027 }, {
7028 /* TLSv1.3 client, early_data */
e0f69c35 7029 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7030 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7031 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7032 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7033 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7034 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7035 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7036 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7037 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7038 }, {
7039 {0, NULL},
7040 }
7041};
7042
7043static void sslapi_info_callback(const SSL *s, int where, int ret)
7044{
7045 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7046
7047 /* We do not ever expect a connection to fail in this test */
7048 if (!TEST_false(ret == 0)) {
7049 info_cb_failed = 1;
7050 return;
7051 }
7052
7053 /*
7054 * Do some sanity checks. We never expect these things to happen in this
7055 * test
7056 */
7057 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7058 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7059 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7060 info_cb_failed = 1;
7061 return;
7062 }
7063
7064 /* Now check we're in the right state */
7065 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7066 info_cb_failed = 1;
7067 return;
7068 }
7069 if ((where & SSL_CB_LOOP) != 0
7070 && !TEST_int_eq(strcmp(SSL_state_string(s),
7071 state[info_cb_this_state].statestr), 0)) {
7072 info_cb_failed = 1;
7073 return;
7074 }
033c181b 7075
4af5836b
MC		 7076 /*
7077 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7078 */
7079 if ((where & SSL_CB_HANDSHAKE_DONE)
7080 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7081 info_cb_failed = 1;
7082 return;
7083 }
5718fe45
MC		 7084}
7085
7086/*
7087 * Test the info callback gets called when we expect it to.
7088 *
7089 * Test 0: TLSv1.2, server
7090 * Test 1: TLSv1.2, client
7091 * Test 2: TLSv1.3, server
7092 * Test 3: TLSv1.3, client
7093 * Test 4: TLSv1.3, server, early_data
7094 * Test 5: TLSv1.3, client, early_data
7095 */
7096static int test_info_callback(int tst)
7097{
7098 SSL_CTX *cctx = NULL, *sctx = NULL;
7099 SSL *clientssl = NULL, *serverssl = NULL;
7100 SSL_SESSION *clntsess = NULL;
7101 int testresult = 0;
7102 int tlsvers;
7103
7104 if (tst < 2) {
1aac20f5
MC		 7105/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7106#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7107 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7108 tlsvers = TLS1_2_VERSION;
7109#else
7110 return 1;
7111#endif
7112 } else {
a763ca11 7113#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7114 tlsvers = TLS1_3_VERSION;
7115#else
7116 return 1;
7117#endif
7118 }
7119
7120 /* Reset globals */
7121 info_cb_failed = 0;
7122 info_cb_this_state = -1;
7123 info_cb_offset = tst;
7124
a763ca11 7125#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7126 if (tst >= 4) {
7127 SSL_SESSION *sess = NULL;
7128 size_t written, readbytes;
7129 unsigned char buf[80];
7130
7131 /* early_data tests */
7132 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7133 &serverssl, &sess, 0)))
7134 goto end;
7135
7136 /* We don't actually need this reference */
7137 SSL_SESSION_free(sess);
7138
7139 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7140 sslapi_info_callback);
7141
7142 /* Write and read some early data and then complete the connection */
7143 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7144 &written))
7145 || !TEST_size_t_eq(written, strlen(MSG1))
7146 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7147 sizeof(buf), &readbytes),
7148 SSL_READ_EARLY_DATA_SUCCESS)
7149 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7150 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7151 SSL_EARLY_DATA_ACCEPTED)
7152 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7153 SSL_ERROR_NONE))
7154 || !TEST_false(info_cb_failed))
7155 goto end;
7156
7157 testresult = 1;
7158 goto end;
7159 }
6e07834c 7160#endif
5718fe45 7161
5e30f2fd 7162 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7163 TLS_client_method(),
7164 tlsvers, tlsvers, &sctx, &cctx, cert,
7165 privkey)))
7166 goto end;
7167
33c39a06
MC		 7168 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7169 goto end;
7170
5718fe45
MC		 7171 /*
7172 * For even numbered tests we check the server callbacks. For odd numbers we
7173 * check the client.
7174 */
7175 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7176 sslapi_info_callback);
7177
7178 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7179 &clientssl, NULL, NULL))
7180 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7181 SSL_ERROR_NONE))
7182 || !TEST_false(info_cb_failed))
7183 goto end;
7184
7185
7186
7187 clntsess = SSL_get1_session(clientssl);
7188 SSL_shutdown(clientssl);
7189 SSL_shutdown(serverssl);
7190 SSL_free(serverssl);
7191 SSL_free(clientssl);
7192 serverssl = clientssl = NULL;
7193
7194 /* Now do a resumption */
7195 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7196 NULL))
7197 || !TEST_true(SSL_set_session(clientssl, clntsess))
7198 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7199 SSL_ERROR_NONE))
7200 || !TEST_true(SSL_session_reused(clientssl))
7201 || !TEST_false(info_cb_failed))
7202 goto end;
7203
7204 testresult = 1;
7205
7206 end:
7207 SSL_free(serverssl);
7208 SSL_free(clientssl);
7209 SSL_SESSION_free(clntsess);
7210 SSL_CTX_free(sctx);
7211 SSL_CTX_free(cctx);
7212 return testresult;
7213}
7214
4a432af8
MC		 7215static int test_ssl_pending(int tst)
7216{
7217 SSL_CTX *cctx = NULL, *sctx = NULL;
7218 SSL *clientssl = NULL, *serverssl = NULL;
7219 int testresult = 0;
7220 char msg[] = "A test message";
7221 char buf[5];
7222 size_t written, readbytes;
7223
7224 if (tst == 0) {
5e30f2fd 7225 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7226 TLS_client_method(),
5c587fb6 7227 TLS1_VERSION, 0,
4a432af8
MC		 7228 &sctx, &cctx, cert, privkey)))
7229 goto end;
7230 } else {
7231#ifndef OPENSSL_NO_DTLS
5e30f2fd 7232 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7233 DTLS_client_method(),
5c587fb6 7234 DTLS1_VERSION, 0,
4a432af8
MC		 7235 &sctx, &cctx, cert, privkey)))
7236 goto end;
8ce390e1
MC		 7237
7238# ifdef OPENSSL_NO_DTLS1_2
7239 /* Not supported in the FIPS provider */
7240 if (is_fips) {
7241 testresult = 1;
7242 goto end;
7243 };
7244 /*
7245 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7246 * level 0
7247 */
7248 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7249 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7250 "DEFAULT:@SECLEVEL=0")))
7251 goto end;
7252# endif
4a432af8
MC		 7253#else
7254 return 1;
7255#endif
7256 }
7257
7258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7259 NULL, NULL))
7260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7261 SSL_ERROR_NONE)))
7262 goto end;
7263
e8251092
MC		 7264 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7265 || !TEST_false(SSL_has_pending(clientssl))
7266 || !TEST_int_eq(SSL_pending(serverssl), 0)
7267 || !TEST_false(SSL_has_pending(serverssl))
7268 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7269 || !TEST_size_t_eq(written, sizeof(msg))
7270 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7271 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7272 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7273 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7274 goto end;
7275
7276 testresult = 1;
7277
7278 end:
7279 SSL_free(serverssl);
7280 SSL_free(clientssl);
7281 SSL_CTX_free(sctx);
7282 SSL_CTX_free(cctx);
7283
7284 return testresult;
7285}
7286
e401389a
MC		 7287static struct {
7288 unsigned int maxprot;
7289 const char *clntciphers;
7290 const char *clnttls13ciphers;
7291 const char *srvrciphers;
7292 const char *srvrtls13ciphers;
7293 const char *shared;
a96e6c34 7294 const char *fipsshared;
e401389a 7295} shared_ciphers_data[] = {
60155b9a
MC		 7296/*
7297 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7298 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7299 */
a763ca11 7300#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7301 {
7302 TLS1_2_VERSION,
7303 "AES128-SHA:AES256-SHA",
7304 NULL,
7305 "AES256-SHA:DHE-RSA-AES128-SHA",
7306 NULL,
a96e6c34 7307 "AES256-SHA",
e401389a
MC		 7308 "AES256-SHA"
7309 },
a96e6c34
MC		 7310# if !defined(OPENSSL_NO_CHACHA) \
7311 && !defined(OPENSSL_NO_POLY1305) \
7312 && !defined(OPENSSL_NO_EC)
7313 {
7314 TLS1_2_VERSION,
7315 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7316 NULL,
7317 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7318 NULL,
7319 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7320 "AES128-SHA"
7321 },
7322# endif
e401389a
MC		 7323 {
7324 TLS1_2_VERSION,
7325 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7326 NULL,
7327 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7328 NULL,
a96e6c34 7329 "AES128-SHA:AES256-SHA",
e401389a
MC		 7330 "AES128-SHA:AES256-SHA"
7331 },
7332 {
7333 TLS1_2_VERSION,
7334 "AES128-SHA:AES256-SHA",
7335 NULL,
7336 "AES128-SHA:DHE-RSA-AES128-SHA",
7337 NULL,
a96e6c34 7338 "AES128-SHA",
e401389a
MC		 7339 "AES128-SHA"
7340 },
60155b9a
MC		 7341#endif
7342/*
7343 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7344 * enabled.
7345 */
a763ca11 7346#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7347 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7348 {
7349 TLS1_3_VERSION,
7350 "AES128-SHA:AES256-SHA",
7351 NULL,
7352 "AES256-SHA:AES128-SHA256",
7353 NULL,
7354 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7355 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7356 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7357 },
60155b9a 7358#endif
a763ca11 7359#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7360 {
7361 TLS1_3_VERSION,
7362 "AES128-SHA",
7363 "TLS_AES_256_GCM_SHA384",
7364 "AES256-SHA",
7365 "TLS_AES_256_GCM_SHA384",
a96e6c34 7366 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7367 "TLS_AES_256_GCM_SHA384"
7368 },
7369#endif
7370};
7371
a96e6c34 7372static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7373{
7374 SSL_CTX *cctx = NULL, *sctx = NULL;
7375 SSL *clientssl = NULL, *serverssl = NULL;
7376 int testresult = 0;
7377 char buf[1024];
b4250010 7378 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7379
7380 if (!TEST_ptr(tmplibctx))
7381 goto end;
7382
7383 /*
7384 * Regardless of whether we're testing with the FIPS provider loaded into
7385 * libctx, we want one peer to always use the full set of ciphersuites
7386 * available. Therefore we use a separate libctx with the default provider
7387 * loaded into it. We run the same tests twice - once with the client side
7388 * having the full set of ciphersuites and once with the server side.
7389 */
7390 if (clnt) {
d8652be0 7391 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7392 if (!TEST_ptr(cctx))
7393 goto end;
7394 } else {
d8652be0 7395 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7396 if (!TEST_ptr(sctx))
7397 goto end;
7398 }
e401389a 7399
5e30f2fd 7400 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7401 TLS_client_method(),
7402 TLS1_VERSION,
7403 shared_ciphers_data[tst].maxprot,
7404 &sctx, &cctx, cert, privkey)))
7405 goto end;
7406
7407 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7408 shared_ciphers_data[tst].clntciphers))
7409 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7410 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7411 shared_ciphers_data[tst].clnttls13ciphers)))
7412 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7413 shared_ciphers_data[tst].srvrciphers))
7414 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7415 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7416 shared_ciphers_data[tst].srvrtls13ciphers))))
7417 goto end;
7418
7419
7420 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7421 NULL, NULL))
7422 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7423 SSL_ERROR_NONE)))
7424 goto end;
7425
7426 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7427 || !TEST_int_eq(strcmp(buf,
7428 is_fips
7429 ? shared_ciphers_data[tst].fipsshared
7430 : shared_ciphers_data[tst].shared),
7431 0)) {
e401389a
MC		 7432 TEST_info("Shared ciphers are: %s\n", buf);
7433 goto end;
7434 }
7435
7436 testresult = 1;
7437
7438 end:
7439 SSL_free(serverssl);
7440 SSL_free(clientssl);
7441 SSL_CTX_free(sctx);
7442 SSL_CTX_free(cctx);
b4250010 7443 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7444
7445 return testresult;
7446}
7447
a96e6c34
MC		 7448static int test_ssl_get_shared_ciphers(int tst)
7449{
7450 return int_test_ssl_get_shared_ciphers(tst, 0)
7451 && int_test_ssl_get_shared_ciphers(tst, 1);
7452}
7453
7454
d0191fe0 7455static const char *appdata = "Hello World";
61fb5923
MC		 7456static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7457static int tick_key_renew = 0;
7458static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7459
7460static int gen_tick_cb(SSL *s, void *arg)
7461{
7462 gen_tick_called = 1;
7463
7464 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7465 strlen(appdata));
7466}
7467
7468static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7469 const unsigned char *keyname,
7470 size_t keyname_length,
61fb5923
MC		 7471 SSL_TICKET_STATUS status,
7472 void *arg)
d0191fe0
MC		 7473{
7474 void *tickdata;
7475 size_t tickdlen;
7476
7477 dec_tick_called = 1;
7478
61fb5923
MC		 7479 if (status == SSL_TICKET_EMPTY)
7480 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7481
61fb5923
MC		 7482 if (!TEST_true(status == SSL_TICKET_SUCCESS
7483 || status == SSL_TICKET_SUCCESS_RENEW))
7484 return SSL_TICKET_RETURN_ABORT;
7485
7486 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7487 &tickdlen))
d0191fe0
MC		 7488 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7489 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7490 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7491
61fb5923
MC		 7492 if (tick_key_cb_called) {
7493 /* Don't change what the ticket key callback wanted to do */
7494 switch (status) {
7495 case SSL_TICKET_NO_DECRYPT:
7496 return SSL_TICKET_RETURN_IGNORE_RENEW;
7497
7498 case SSL_TICKET_SUCCESS:
7499 return SSL_TICKET_RETURN_USE;
d0191fe0 7500
61fb5923
MC		 7501 case SSL_TICKET_SUCCESS_RENEW:
7502 return SSL_TICKET_RETURN_USE_RENEW;
7503
7504 default:
7505 return SSL_TICKET_RETURN_ABORT;
7506 }
7507 }
7508 return tick_dec_ret;
7509
7510}
d0191fe0 7511
a76ce286 7512#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7513static int tick_key_cb(SSL *s, unsigned char key_name[16],
7514 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7515 HMAC_CTX *hctx, int enc)
7516{
7517 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7518 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 7519 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7520 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7521 int ret;
d0191fe0 7522
61fb5923 7523 tick_key_cb_called = 1;
d0191fe0
MC		 7524 memset(iv, 0, AES_BLOCK_SIZE);
7525 memset(key_name, 0, 16);
5e30f2fd
MC		 7526 if (aes128cbc == NULL
7527 || sha256 == NULL
7528 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7529 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7530 NULL))
7531 ret = -1;
7532 else
7533 ret = tick_key_renew ? 2 : 1;
d0191fe0 7534
5e30f2fd
MC		 7535 EVP_CIPHER_free(aes128cbc);
7536 EVP_MD_free(sha256);
7537
7538 return ret;
d0191fe0 7539}
a76ce286
P		 7540#endif
7541
7542static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7543 unsigned char iv[EVP_MAX_IV_LENGTH],
7544 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7545{
7546 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7547 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7548 OSSL_PARAM params[2];
5e30f2fd
MC		 7549 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7550 int ret;
a76ce286
P		 7551
7552 tick_key_cb_called = 1;
7553 memset(iv, 0, AES_BLOCK_SIZE);
7554 memset(key_name, 0, 16);
7555 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7556 "SHA256", 0);
77e4ae58 7557 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7558 if (aes128cbc == NULL
7559 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7560 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7561 params))
5e30f2fd
MC		 7562 ret = -1;
7563 else
7564 ret = tick_key_renew ? 2 : 1;
7565
7566 EVP_CIPHER_free(aes128cbc);
a76ce286 7567
5e30f2fd 7568 return ret;
a76ce286 7569}
d0191fe0
MC		 7570
7571/*
7572 * Test the various ticket callbacks
61fb5923
MC		 7573 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7574 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7575 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7576 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7577 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7578 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7579 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7580 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7581 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7582 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7583 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7584 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7585 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7586 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7587 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7588 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 7589 */
7590static int test_ticket_callbacks(int tst)
7591{
7592 SSL_CTX *cctx = NULL, *sctx = NULL;
7593 SSL *clientssl = NULL, *serverssl = NULL;
7594 SSL_SESSION *clntsess = NULL;
7595 int testresult = 0;
7596
7597#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7598 if (tst % 2 == 0)
d0191fe0
MC		 7599 return 1;
7600#endif
a763ca11 7601#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7602 if (tst % 2 == 1)
d0191fe0
MC		 7603 return 1;
7604#endif
a76ce286
P		 7605#ifdef OPENSSL_NO_DEPRECATED_3_0
7606 if (tst >= 8 && tst <= 11)
7607 return 1;
7608#endif
d0191fe0 7609
61fb5923 7610 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7611
7612 /* Which tests the ticket key callback should request renewal for */
a76ce286 7613 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 7614 tick_key_renew = 1;
d0191fe0 7615 else
61fb5923
MC		 7616 tick_key_renew = 0;
7617
7618 /* Which tests the decrypt ticket callback should request renewal for */
7619 switch (tst) {
7620 case 0:
7621 case 1:
7622 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7623 break;
7624
7625 case 2:
7626 case 3:
7627 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7628 break;
7629
7630 case 4:
7631 case 5:
7632 tick_dec_ret = SSL_TICKET_RETURN_USE;
7633 break;
7634
7635 case 6:
7636 case 7:
7637 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7638 break;
7639
7640 default:
7641 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7642 }
d0191fe0 7643
5e30f2fd 7644 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7645 TLS_client_method(),
7646 TLS1_VERSION,
61fb5923
MC		 7647 ((tst % 2) == 0) ? TLS1_2_VERSION
7648 : TLS1_3_VERSION,
d0191fe0
MC		 7649 &sctx, &cctx, cert, privkey)))
7650 goto end;
7651
61fb5923
MC		 7652 /*
7653 * We only want sessions to resume from tickets - not the session cache. So
7654 * switch the cache off.
7655 */
7656 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7657 goto end;
7658
d0191fe0
MC		 7659 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7660 NULL)))
7661 goto end;
7662
a76ce286
P		 7663 if (tst >= 12) {
7664 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7665 goto end;
7666#ifndef OPENSSL_NO_DEPRECATED_3_0
7667 } else if (tst >= 8) {
7668 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7669 goto end;
7670#endif
7671 }
d0191fe0
MC		 7672
7673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7674 NULL, NULL))
7675 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7676 SSL_ERROR_NONE)))
7677 goto end;
7678
61fb5923
MC		 7679 /*
7680 * The decrypt ticket key callback in TLSv1.2 should be called even though
7681 * we have no ticket yet, because it gets called with a status of
7682 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7683 * actually send any ticket data). This does not happen in TLSv1.3 because
7684 * it is not valid to send empty ticket data in TLSv1.3.
7685 */
d0191fe0 7686 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7687 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7688 goto end;
7689
7690 gen_tick_called = dec_tick_called = 0;
7691
7692 clntsess = SSL_get1_session(clientssl);
7693 SSL_shutdown(clientssl);
7694 SSL_shutdown(serverssl);
7695 SSL_free(serverssl);
7696 SSL_free(clientssl);
7697 serverssl = clientssl = NULL;
7698
7699 /* Now do a resumption */
7700 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7701 NULL))
7702 || !TEST_true(SSL_set_session(clientssl, clntsess))
7703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7704 SSL_ERROR_NONE)))
d0191fe0
MC		 7705 goto end;
7706
61fb5923
MC		 7707 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7708 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7709 if (!TEST_false(SSL_session_reused(clientssl)))
7710 goto end;
7711 } else {
7712 if (!TEST_true(SSL_session_reused(clientssl)))
7713 goto end;
7714 }
7715
d0191fe0 7716 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7717 (tick_key_renew
7718 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7719 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7720 ? 1 : 0)
d0191fe0
MC		 7721 || !TEST_int_eq(dec_tick_called, 1))
7722 goto end;
7723
7724 testresult = 1;
7725
7726 end:
7727 SSL_SESSION_free(clntsess);
7728 SSL_free(serverssl);
7729 SSL_free(clientssl);
7730 SSL_CTX_free(sctx);
7731 SSL_CTX_free(cctx);
7732
7733 return testresult;
7734}
7735
e638112e
DB		 7736/*
7737 * Test incorrect shutdown.
7738 * Test 0: client does not shutdown properly,
7739 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7740 * server should get SSL_ERROR_SSL
7741 * Test 1: client does not shutdown properly,
7742 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7743 * server should get SSL_ERROR_ZERO_RETURN
7744 */
7745static int test_incorrect_shutdown(int tst)
7746{
7747 SSL_CTX *cctx = NULL, *sctx = NULL;
7748 SSL *clientssl = NULL, *serverssl = NULL;
7749 int testresult = 0;
7750 char buf[80];
7751 BIO *c2s;
7752
7753 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7754 TLS_client_method(), 0, 0,
7755 &sctx, &cctx, cert, privkey)))
7756 goto end;
7757
7758 if (tst == 1)
7759 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7760
7761 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7762 NULL, NULL)))
7763 goto end;
7764
7765 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7766 SSL_ERROR_NONE)))
7767 goto end;
7768
7769 c2s = SSL_get_rbio(serverssl);
7770 BIO_set_mem_eof_return(c2s, 0);
7771
7772 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7773 goto end;
7774
7775 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7776 goto end;
7777 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7778 goto end;
7779
7780 testresult = 1;
7781
7782 end:
7783 SSL_free(serverssl);
7784 SSL_free(clientssl);
7785 SSL_CTX_free(sctx);
7786 SSL_CTX_free(cctx);
7787
7788 return testresult;
7789}
7790
c748834f
MC		 7791/*
7792 * Test bi-directional shutdown.
7793 * Test 0: TLSv1.2
7794 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7795 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7796 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7797 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7798 * sends key update, client reads it
57d7b988
MC		 7799 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7800 * sends CertificateRequest, client reads and ignores it
7801 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7802 * doesn't read it
7803 */
7804static int test_shutdown(int tst)
7805{
7806 SSL_CTX *cctx = NULL, *sctx = NULL;
7807 SSL *clientssl = NULL, *serverssl = NULL;
7808 int testresult = 0;
7809 char msg[] = "A test message";
7810 char buf[80];
7811 size_t written, readbytes;
80eff008 7812 SSL_SESSION *sess;
c748834f
MC		 7813
7814#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7815 if (tst <= 1)
c748834f
MC		 7816 return 1;
7817#endif
a763ca11 7818#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7819 if (tst >= 2)
c748834f
MC		 7820 return 1;
7821#endif
7822
5e30f2fd 7823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7824 TLS_client_method(),
7825 TLS1_VERSION,
7826 (tst <= 1) ? TLS1_2_VERSION
7827 : TLS1_3_VERSION,
57d7b988
MC		 7828 &sctx, &cctx, cert, privkey)))
7829 goto end;
7830
7831 if (tst == 5)
7832 SSL_CTX_set_post_handshake_auth(cctx, 1);
7833
7834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7835 NULL, NULL)))
7836 goto end;
7837
7838 if (tst == 3) {
7839 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7840 SSL_ERROR_NONE, 1))
80eff008
KR		 7841 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7842 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7843 goto end;
7844 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7845 SSL_ERROR_NONE))
7846 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7847 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7848 goto end;
7849 }
7850
7851 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7852 goto end;
7853
7854 if (tst >= 4) {
7855 /*
7856 * Reading on the server after the client has sent close_notify should
7857 * fail and provide SSL_ERROR_ZERO_RETURN
7858 */
7859 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7860 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7861 SSL_ERROR_ZERO_RETURN)
7862 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7863 SSL_RECEIVED_SHUTDOWN)
7864 /*
7865 * Even though we're shutdown on receive we should still be
7866 * able to write.
7867 */
80eff008
KR		 7868 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7869 goto end;
57d7b988
MC		 7870 if (tst == 4
7871 && !TEST_true(SSL_key_update(serverssl,
7872 SSL_KEY_UPDATE_REQUESTED)))
7873 goto end;
7874 if (tst == 5) {
7875 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7876 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7877 goto end;
7878 }
7879 if ((tst == 4 || tst == 5)
7880 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7881 goto end;
7882 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7883 goto end;
57d7b988 7884 if (tst == 4 || tst == 5) {
80eff008 7885 /* Should still be able to read data from server */
c748834f 7886 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7887 &readbytes))
7888 || !TEST_size_t_eq(readbytes, sizeof(msg))
7889 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7890 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7891 &readbytes))
c748834f
MC		 7892 || !TEST_size_t_eq(readbytes, sizeof(msg))
7893 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7894 goto end;
7895 }
7896 }
7897
7898 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7899 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7900 goto end;
7901
7902 if (tst < 4) {
7903 /*
7904 * For these tests the client has sent close_notify but it has not yet
7905 * been received by the server. The server has not sent close_notify
7906 * yet.
7907 */
7908 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7909 /*
7910 * Writing on the server after sending close_notify shouldn't
7911 * be possible.
7912 */
7913 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7914 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7915 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7916 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7917 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7918 goto end;
57d7b988 7919 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7920 /*
7921 * In this test the client has sent close_notify and it has been
7922 * received by the server which has responded with a close_notify. The
358ffa05 7923 * client needs to read the close_notify sent by the server.
c748834f 7924 */
80eff008
KR		 7925 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7926 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7927 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7928 goto end;
358ffa05
MC		 7929 } else {
7930 /*
57d7b988 7931 * tst == 6
358ffa05
MC		 7932 *
7933 * The client has sent close_notify and is expecting a close_notify
7934 * back, but instead there is application data first. The shutdown
7935 * should fail with a fatal error.
7936 */
7937 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7938 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7939 goto end;
c748834f
MC		 7940 }
7941
7942 testresult = 1;
7943
7944 end:
7945 SSL_free(serverssl);
7946 SSL_free(clientssl);
7947 SSL_CTX_free(sctx);
7948 SSL_CTX_free(cctx);
7949
7950 return testresult;
7951}
7952
a763ca11 7953#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 7954static int cert_cb_cnt;
7955
7956static int cert_cb(SSL *s, void *arg)
7957{
7958 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7959 BIO *in = NULL;
7960 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7961 X509 *x509 = NULL, *rootx = NULL;
7962 STACK_OF(X509) *chain = NULL;
7963 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7964 int ret = 0;
cd6fe29f
MC		 7965
7966 if (cert_cb_cnt == 0) {
7967 /* Suspend the handshake */
7968 cert_cb_cnt++;
7969 return -1;
7970 } else if (cert_cb_cnt == 1) {
7971 /*
7972 * Update the SSL_CTX, set the certificate and private key and then
7973 * continue the handshake normally.
7974 */
7975 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7976 return 0;
7977
7978 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7979 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7980 SSL_FILETYPE_PEM))
7981 || !TEST_true(SSL_check_private_key(s)))
7982 return 0;
7983 cert_cb_cnt++;
7984 return 1;
7cb8fb07
BK		 7985 } else if (cert_cb_cnt == 3) {
7986 int rv;
1a2a3a42
MC		 7987
7988 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7989 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7990 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7991 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7992 goto out;
7993 chain = sk_X509_new_null();
7994 if (!TEST_ptr(chain))
7995 goto out;
7cb8fb07 7996 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 7997 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 7998 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7999 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8000 || !TEST_true(sk_X509_push(chain, rootx)))
8001 goto out;
8002 rootx = NULL;
8003 BIO_free(in);
8004 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8005 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8006 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8007 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8008 goto out;
8009 BIO_free(in);
8010 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8011 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8012 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8013 NULL, NULL,
8014 libctx, NULL)))
7cb8fb07 8015 goto out;
1a2a3a42 8016 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8017 /*
8018 * If the cert doesn't show as valid here (e.g., because we don't
8019 * have any shared sigalgs), then we will not set it, and there will
8020 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8021 * will cause tls_choose_sigalgs() to fail the connection.
8022 */
1a2a3a42
MC		 8023 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8024 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8025 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8026 goto out;
8027 }
1a2a3a42
MC		 8028
8029 ret = 1;
cd6fe29f
MC		 8030 }
8031
8032 /* Abort the handshake */
7cb8fb07 8033 out:
1a2a3a42
MC		 8034 OPENSSL_free(ecdsacert);
8035 OPENSSL_free(ecdsakey);
8036 OPENSSL_free(rootfile);
7cb8fb07
BK		 8037 BIO_free(in);
8038 EVP_PKEY_free(pkey);
8039 X509_free(x509);
1a2a3a42 8040 X509_free(rootx);
79b2a2f2 8041 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8042 return ret;
cd6fe29f
MC		 8043}
8044
8045/*
8046 * Test the certificate callback.
8047 * Test 0: Callback fails
8048 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8049 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8050 * Test 3: Success - Call SSL_check_chain from the callback
8051 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8052 * chain
8053 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8054 */
8055static int test_cert_cb_int(int prot, int tst)
8056{
8057 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8058 SSL *clientssl = NULL, *serverssl = NULL;
8059 int testresult = 0, ret;
8060
1a2a3a42
MC		 8061#ifdef OPENSSL_NO_EC
8062 /* We use an EC cert in these tests, so we skip in a no-ec build */
8063 if (tst >= 3)
8064 return 1;
8065#endif
8066
5e30f2fd 8067 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8068 TLS_client_method(),
8069 TLS1_VERSION,
8070 prot,
8071 &sctx, &cctx, NULL, NULL)))
8072 goto end;
8073
8074 if (tst == 0)
8075 cert_cb_cnt = -1;
1a2a3a42 8076 else if (tst >= 3)
7cb8fb07 8077 cert_cb_cnt = 3;
cd6fe29f
MC		 8078 else
8079 cert_cb_cnt = 0;
1a2a3a42 8080
cd6fe29f
MC		 8081 if (tst == 2)
8082 snictx = SSL_CTX_new(TLS_server_method());
8083 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8084
8085 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8086 NULL, NULL)))
8087 goto end;
8088
1a2a3a42
MC		 8089 if (tst == 4) {
8090 /*
8091 * We cause SSL_check_chain() to fail by specifying sig_algs that
8092 * the chain doesn't meet (the root uses an RSA cert)
8093 */
8094 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8095 "ecdsa_secp256r1_sha256")))
8096 goto end;
8097 } else if (tst == 5) {
8098 /*
8099 * We cause SSL_check_chain() to fail by specifying sig_algs that
8100 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8101 */
8102 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8103 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8104 goto end;
8105 }
8106
cd6fe29f 8107 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8108 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8109 || (tst > 0
8110 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8111 goto end;
8112 }
8113
8114 testresult = 1;
8115
8116 end:
8117 SSL_free(serverssl);
8118 SSL_free(clientssl);
8119 SSL_CTX_free(sctx);
8120 SSL_CTX_free(cctx);
8121 SSL_CTX_free(snictx);
8122
8123 return testresult;
8124}
7f1d923a 8125#endif
cd6fe29f
MC		 8126
8127static int test_cert_cb(int tst)
8128{
8129 int testresult = 1;
8130
8131#ifndef OPENSSL_NO_TLS1_2
8132 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8133#endif
a763ca11 8134#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8135 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8136#endif
8137
8138 return testresult;
8139}
8140
6e46c065
MC		 8141static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8142{
8c2bfd25 8143 X509 *xcert;
6e46c065
MC		 8144 EVP_PKEY *privpkey;
8145 BIO *in = NULL;
6725682d 8146 BIO *priv_in = NULL;
6e46c065 8147
8c2bfd25
TS		 8148 /* Check that SSL_get0_peer_certificate() returns something sensible */
8149 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8150 return 0;
6e46c065
MC		 8151
8152 in = BIO_new_file(cert, "r");
8153 if (!TEST_ptr(in))
8154 return 0;
8155
d8652be0 8156 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8157 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8158 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8159 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8160 NULL, NULL,
8161 libctx, NULL)))
6725682d 8162 goto err;
6e46c065
MC		 8163
8164 *x509 = xcert;
8165 *pkey = privpkey;
8166
6725682d
SL		 8167 BIO_free(in);
8168 BIO_free(priv_in);
6e46c065 8169 return 1;
6725682d
SL		 8170err:
8171 X509_free(xcert);
8172 BIO_free(in);
8173 BIO_free(priv_in);
8174 return 0;
6e46c065
MC		 8175}
8176
6e46c065
MC		 8177static int test_client_cert_cb(int tst)
8178{
8179 SSL_CTX *cctx = NULL, *sctx = NULL;
8180 SSL *clientssl = NULL, *serverssl = NULL;
8181 int testresult = 0;
8182
8183#ifdef OPENSSL_NO_TLS1_2
8184 if (tst == 0)
8185 return 1;
8186#endif
a763ca11 8187#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8188 if (tst == 1)
8189 return 1;
8190#endif
8191
5e30f2fd 8192 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8193 TLS_client_method(),
8194 TLS1_VERSION,
8195 tst == 0 ? TLS1_2_VERSION
8196 : TLS1_3_VERSION,
8197 &sctx, &cctx, cert, privkey)))
8198 goto end;
8199
8200 /*
8201 * Test that setting a client_cert_cb results in a client certificate being
8202 * sent.
8203 */
8204 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8205 SSL_CTX_set_verify(sctx,
8206 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8207 verify_cb);
fb8c8359
MC		 8208
8209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8210 NULL, NULL))
8211 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8212 SSL_ERROR_NONE)))
8213 goto end;
8214
8215 testresult = 1;
8216
8217 end:
8218 SSL_free(serverssl);
8219 SSL_free(clientssl);
8220 SSL_CTX_free(sctx);
8221 SSL_CTX_free(cctx);
8222
8223 return testresult;
8224}
8225
a763ca11 8226#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8227/*
8228 * Test setting certificate authorities on both client and server.
8229 *
8230 * Test 0: SSL_CTX_set0_CA_list() only
8231 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8232 * Test 2: Only SSL_CTX_set_client_CA_list()
8233 */
8234static int test_ca_names_int(int prot, int tst)
8235{
8236 SSL_CTX *cctx = NULL, *sctx = NULL;
8237 SSL *clientssl = NULL, *serverssl = NULL;
8238 int testresult = 0;
8239 size_t i;
8240 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8241 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8242 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8243 const STACK_OF(X509_NAME) *sktmp = NULL;
8244
8245 for (i = 0; i < OSSL_NELEM(name); i++) {
8246 name[i] = X509_NAME_new();
8247 if (!TEST_ptr(name[i])
8248 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8249 MBSTRING_ASC,
8250 (unsigned char *)
8251 strnames[i],
8252 -1, -1, 0)))
8253 goto end;
8254 }
8255
5e30f2fd 8256 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8257 TLS_client_method(),
8258 TLS1_VERSION,
8259 prot,
8260 &sctx, &cctx, cert, privkey)))
8261 goto end;
8262
8263 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8264
8265 if (tst == 0 || tst == 1) {
8266 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8267 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8268 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8269 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8270 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8271 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8272 goto end;
8273
8274 SSL_CTX_set0_CA_list(sctx, sk1);
8275 SSL_CTX_set0_CA_list(cctx, sk2);
8276 sk1 = sk2 = NULL;
8277 }
8278 if (tst == 1 || tst == 2) {
8279 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8280 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8281 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8282 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8283 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8284 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8285 goto end;
8286
8287 SSL_CTX_set_client_CA_list(sctx, sk1);
8288 SSL_CTX_set_client_CA_list(cctx, sk2);
8289 sk1 = sk2 = NULL;
8290 }
8291
6e46c065
MC		 8292 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8293 NULL, NULL))
8294 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8295 SSL_ERROR_NONE)))
8296 goto end;
8297
fb8c8359
MC		 8298 /*
8299 * We only expect certificate authorities to have been sent to the server
8300 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8301 */
8302 sktmp = SSL_get0_peer_CA_list(serverssl);
8303 if (prot == TLS1_3_VERSION
8304 && (tst == 0 || tst == 1)) {
8305 if (!TEST_ptr(sktmp)
8306 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8307 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8308 name[0]), 0)
8309 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8310 name[1]), 0))
8311 goto end;
8312 } else if (!TEST_ptr_null(sktmp)) {
8313 goto end;
8314 }
8315
8316 /*
8317 * In all tests we expect certificate authorities to have been sent to the
8318 * client. However, SSL_set_client_CA_list() should override
8319 * SSL_set0_CA_list()
8320 */
8321 sktmp = SSL_get0_peer_CA_list(clientssl);
8322 if (!TEST_ptr(sktmp)
8323 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8324 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8325 name[tst == 0 ? 0 : 2]), 0)
8326 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8327 name[tst == 0 ? 1 : 3]), 0))
8328 goto end;
8329
6e46c065
MC		 8330 testresult = 1;
8331
8332 end:
8333 SSL_free(serverssl);
8334 SSL_free(clientssl);
8335 SSL_CTX_free(sctx);
8336 SSL_CTX_free(cctx);
fb8c8359
MC		 8337 for (i = 0; i < OSSL_NELEM(name); i++)
8338 X509_NAME_free(name[i]);
8339 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8340 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8341
8342 return testresult;
8343}
8344#endif
8345
8346static int test_ca_names(int tst)
8347{
8348 int testresult = 1;
8349
8350#ifndef OPENSSL_NO_TLS1_2
8351 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8352#endif
a763ca11 8353#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8354 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8355#endif
6e46c065
MC		 8356
8357 return testresult;
8358}
8359
0d2bfe52
SL		 8360#ifndef OPENSSL_NO_TLS1_2
8361static const char *multiblock_cipherlist_data[]=
8362{
8363 "AES128-SHA",
8364 "AES128-SHA256",
8365 "AES256-SHA",
8366 "AES256-SHA256",
8367};
8368
8369/* Reduce the fragment size - so the multiblock test buffer can be small */
8370# define MULTIBLOCK_FRAGSIZE 512
8371
8372static int test_multiblock_write(int test_index)
8373{
8374 static const char *fetchable_ciphers[]=
8375 {
8376 "AES-128-CBC-HMAC-SHA1",
8377 "AES-128-CBC-HMAC-SHA256",
8378 "AES-256-CBC-HMAC-SHA1",
8379 "AES-256-CBC-HMAC-SHA256"
8380 };
8381 const char *cipherlist = multiblock_cipherlist_data[test_index];
8382 const SSL_METHOD *smeth = TLS_server_method();
8383 const SSL_METHOD *cmeth = TLS_client_method();
8384 int min_version = TLS1_VERSION;
8385 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8386 SSL_CTX *cctx = NULL, *sctx = NULL;
8387 SSL *clientssl = NULL, *serverssl = NULL;
8388 int testresult = 0;
8389
8390 /*
8391 * Choose a buffer large enough to perform a multi-block operation
8392 * i.e: write_len >= 4 * frag_size
8393 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8394 */
8395 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8396 unsigned char buf[sizeof(msg)], *p = buf;
8397 size_t readbytes, written, len;
8398 EVP_CIPHER *ciph = NULL;
8399
8400 /*
8401 * Check if the cipher exists before attempting to use it since it only has
8402 * a hardware specific implementation.
8403 */
8404 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8405 if (ciph == NULL) {
8406 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8407 return 1;
8408 }
8409 EVP_CIPHER_free(ciph);
8410
8411 /* Set up a buffer with some data that will be sent to the client */
8412 RAND_bytes(msg, sizeof(msg));
8413
5e30f2fd
MC		 8414 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8415 max_version, &sctx, &cctx, cert,
8416 privkey)))
0d2bfe52
SL		 8417 goto end;
8418
8419 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8420 goto end;
8421
8422 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8423 NULL, NULL)))
8424 goto end;
8425
8426 /* settings to force it to use AES-CBC-HMAC_SHA */
8427 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8428 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8429 goto end;
8430
8431 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8432 goto end;
8433
8434 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8435 || !TEST_size_t_eq(written, sizeof(msg)))
8436 goto end;
8437
8438 len = written;
8439 while (len > 0) {
8440 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8441 goto end;
8442 p += readbytes;
8443 len -= readbytes;
8444 }
8445 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8446 goto end;
8447
8448 testresult = 1;
8449end:
8450 SSL_free(serverssl);
8451 SSL_free(clientssl);
8452 SSL_CTX_free(sctx);
8453 SSL_CTX_free(cctx);
8454
8455 return testresult;
8456}
8457#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8458
25959e04
TS		 8459static int test_session_timeout(int test)
8460{
8461 /*
8462 * Test session ordering and timeout
8463 * Can't explicitly test performance of the new code,
8464 * but can test to see if the ordering of the sessions
8465 * are correct, and they they are removed as expected
8466 */
8467 SSL_SESSION *early = NULL;
8468 SSL_SESSION *middle = NULL;
8469 SSL_SESSION *late = NULL;
8470 SSL_CTX *ctx;
8471 int testresult = 0;
8472 long now = (long)time(NULL);
8473#define TIMEOUT 10
8474
8475 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8476 || !TEST_ptr(early = SSL_SESSION_new())
8477 || !TEST_ptr(middle = SSL_SESSION_new())
8478 || !TEST_ptr(late = SSL_SESSION_new()))
8479 goto end;
8480
8481 /* assign unique session ids */
8482 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8483 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8484 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8485 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8486 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8487 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8488
8489 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8490 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8491 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8492 goto end;
8493
8494 /* Make sure they are all added */
8495 if (!TEST_ptr(early->prev)
8496 || !TEST_ptr(middle->prev)
8497 || !TEST_ptr(late->prev))
8498 goto end;
8499
8500 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8501 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8502 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8503 goto end;
8504
8505 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8506 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8507 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8508 goto end;
8509
8510 /* Make sure they are all still there */
8511 if (!TEST_ptr(early->prev)
8512 || !TEST_ptr(middle->prev)
8513 || !TEST_ptr(late->prev))
8514 goto end;
8515
8516 /* Make sure they are in the expected order */
8517 if (!TEST_ptr_eq(late->next, middle)
8518 || !TEST_ptr_eq(middle->next, early)
8519 || !TEST_ptr_eq(early->prev, middle)
8520 || !TEST_ptr_eq(middle->prev, late))
8521 goto end;
8522
8523 /* This should remove "early" */
8524 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8525 if (!TEST_ptr_null(early->prev)
8526 || !TEST_ptr(middle->prev)
8527 || !TEST_ptr(late->prev))
8528 goto end;
8529
8530 /* This should remove "middle" */
8531 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8532 if (!TEST_ptr_null(early->prev)
8533 || !TEST_ptr_null(middle->prev)
8534 || !TEST_ptr(late->prev))
8535 goto end;
8536
8537 /* This should remove "late" */
8538 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8539 if (!TEST_ptr_null(early->prev)
8540 || !TEST_ptr_null(middle->prev)
8541 || !TEST_ptr_null(late->prev))
8542 goto end;
8543
8544 /* Add them back in again */
8545 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8546 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8547 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8548 goto end;
8549
8550 /* Make sure they are all added */
8551 if (!TEST_ptr(early->prev)
8552 || !TEST_ptr(middle->prev)
8553 || !TEST_ptr(late->prev))
8554 goto end;
8555
8556 /* This should remove all of them */
8557 SSL_CTX_flush_sessions(ctx, 0);
8558 if (!TEST_ptr_null(early->prev)
8559 || !TEST_ptr_null(middle->prev)
8560 || !TEST_ptr_null(late->prev))
8561 goto end;
8562
8563 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8564 | SSL_CTX_get_session_cache_mode(ctx));
8565
8566 /* make sure |now| is NOT equal to the current time */
8567 now -= 10;
8568 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8569 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8570 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8571 goto end;
8572
8573 testresult = 1;
8574 end:
8575 SSL_CTX_free(ctx);
8576 SSL_SESSION_free(early);
8577 SSL_SESSION_free(middle);
8578 SSL_SESSION_free(late);
8579 return testresult;
8580}
8581
49ef3d07
MC		 8582/*
8583 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8584 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8585 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8586 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8587 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8588 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8589 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8590 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8591 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8592 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8593 */
8594static int test_servername(int tst)
8595{
8596 SSL_CTX *cctx = NULL, *sctx = NULL;
8597 SSL *clientssl = NULL, *serverssl = NULL;
8598 int testresult = 0;
8599 SSL_SESSION *sess = NULL;
8600 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8601
8602#ifdef OPENSSL_NO_TLS1_2
8603 if (tst <= 4)
8604 return 1;
8605#endif
a763ca11 8606#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 8607 if (tst >= 5)
8608 return 1;
8609#endif
8610
5e30f2fd 8611 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 8612 TLS_client_method(),
8613 TLS1_VERSION,
8614 (tst <= 4) ? TLS1_2_VERSION
8615 : TLS1_3_VERSION,
8616 &sctx, &cctx, cert, privkey))
8617 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8618 NULL, NULL)))
8619 goto end;
8620
8621 if (tst != 1 && tst != 6) {
8622 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8623 hostname_cb)))
8624 goto end;
8625 }
8626
8627 if (tst != 3 && tst != 8) {
8628 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8629 goto end;
8630 sexpectedhost = cexpectedhost = "goodhost";
8631 }
8632
8633 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8634 goto end;
8635
8636 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8637 cexpectedhost)
8638 || !TEST_str_eq(SSL_get_servername(serverssl,
8639 TLSEXT_NAMETYPE_host_name),
8640 sexpectedhost))
8641 goto end;
8642
8643 /* Now repeat with a resumption handshake */
8644
8645 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8646 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8647 || !TEST_true(SSL_SESSION_is_resumable(sess))
8648 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8649 goto end;
8650
8651 SSL_free(clientssl);
8652 SSL_free(serverssl);
8653 clientssl = serverssl = NULL;
8654
8655 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8656 NULL)))
8657 goto end;
8658
8659 if (!TEST_true(SSL_set_session(clientssl, sess)))
8660 goto end;
8661
8662 sexpectedhost = cexpectedhost = "goodhost";
8663 if (tst == 2 || tst == 7) {
8664 /* Set an inconsistent hostname */
8665 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8666 goto end;
8667 /*
8668 * In TLSv1.2 we expect the hostname from the original handshake, in
8669 * TLSv1.3 we expect the hostname from this handshake
8670 */
8671 if (tst == 7)
8672 sexpectedhost = cexpectedhost = "altgoodhost";
8673
8674 if (!TEST_str_eq(SSL_get_servername(clientssl,
8675 TLSEXT_NAMETYPE_host_name),
8676 "altgoodhost"))
8677 goto end;
8678 } else if (tst == 4 || tst == 9) {
8679 /*
8680 * A TLSv1.3 session does not associate a session with a servername,
8681 * but a TLSv1.2 session does.
8682 */
8683 if (tst == 9)
8684 sexpectedhost = cexpectedhost = NULL;
8685
8686 if (!TEST_str_eq(SSL_get_servername(clientssl,
8687 TLSEXT_NAMETYPE_host_name),
8688 cexpectedhost))
8689 goto end;
8690 } else {
8691 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8692 goto end;
8693 /*
8694 * In a TLSv1.2 resumption where the hostname was not acknowledged
8695 * we expect the hostname on the server to be empty. On the client we
8696 * return what was requested in this case.
8697 *
8698 * Similarly if the client didn't set a hostname on an original TLSv1.2
8699 * session but is now, the server hostname will be empty, but the client
8700 * is as we set it.
8701 */
8702 if (tst == 1 || tst == 3)
8703 sexpectedhost = NULL;
8704
8705 if (!TEST_str_eq(SSL_get_servername(clientssl,
8706 TLSEXT_NAMETYPE_host_name),
8707 "goodhost"))
8708 goto end;
8709 }
8710
8711 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8712 goto end;
8713
8714 if (!TEST_true(SSL_session_reused(clientssl))
8715 || !TEST_true(SSL_session_reused(serverssl))
8716 || !TEST_str_eq(SSL_get_servername(clientssl,
8717 TLSEXT_NAMETYPE_host_name),
8718 cexpectedhost)
8719 || !TEST_str_eq(SSL_get_servername(serverssl,
8720 TLSEXT_NAMETYPE_host_name),
8721 sexpectedhost))
8722 goto end;
8723
8724 testresult = 1;
8725
8726 end:
8727 SSL_SESSION_free(sess);
8728 SSL_free(serverssl);
8729 SSL_free(clientssl);
8730 SSL_CTX_free(sctx);
8731 SSL_CTX_free(cctx);
8732
8733 return testresult;
8734}
8735
b1fdbc68 8736#if !defined(OPENSSL_NO_EC) \
a763ca11 8737 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 8738/*
8739 * Test that if signature algorithms are not available, then we do not offer or
8740 * accept them.
8741 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8742 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8743 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8744 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8745 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8746 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8747 */
8748static int test_sigalgs_available(int idx)
8749{
8750 SSL_CTX *cctx = NULL, *sctx = NULL;
8751 SSL *clientssl = NULL, *serverssl = NULL;
8752 int testresult = 0;
b4250010
DMSP		 8753 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8754 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8755 OSSL_PROVIDER *filterprov = NULL;
8756 int sig, hash;
8757
8758 if (!TEST_ptr(tmpctx))
8759 goto end;
8760
8761 if (idx != 0 && idx != 3) {
8762 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8763 filter_provider_init)))
8764 goto end;
8765
8766 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8767 if (!TEST_ptr(filterprov))
8768 goto end;
8769
8770 if (idx < 3) {
8771 /*
8772 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8773 * or accepted for the peer that uses this libctx. Note that libssl
8774 * *requires* SHA2-256 to be available so we cannot disable that. We
8775 * also need SHA1 for our certificate.
8776 */
8777 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8778 "SHA2-256:SHA1")))
8779 goto end;
8780 } else {
8781 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8782 "ECDSA"))
8783 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8784 "EC:X25519:X448")))
8785 goto end;
8786 }
8787
8788 if (idx == 1 || idx == 4)
8789 clientctx = tmpctx;
8790 else
8791 serverctx = tmpctx;
8792 }
8793
d8652be0
MC		 8794 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8795 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8796 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8797 goto end;
b3842539 8798
b4c4a2c6
TM		 8799 if (idx != 5) {
8800 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8801 TLS_client_method(),
8802 TLS1_VERSION,
8803 0,
8804 &sctx, &cctx, cert, privkey)))
8805 goto end;
8806 } else {
8807 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8808 TLS_client_method(),
8809 TLS1_VERSION,
8810 0,
8811 &sctx, &cctx, cert2, privkey2)))
8812 goto end;
8813 }
b3842539 8814
b1fdbc68
MC		 8815 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8816 if (idx < 4) {
8817 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8818 "ECDHE-RSA-AES128-GCM-SHA256")))
8819 goto end;
8820 } else {
8821 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8822 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8823 goto end;
8824 }
8825
b3842539
MC		 8826 if (idx < 3) {
8827 if (!SSL_CTX_set1_sigalgs_list(cctx,
8828 "rsa_pss_rsae_sha384"
8829 ":rsa_pss_rsae_sha256")
8830 || !SSL_CTX_set1_sigalgs_list(sctx,
8831 "rsa_pss_rsae_sha384"
8832 ":rsa_pss_rsae_sha256"))
8833 goto end;
8834 } else {
8835 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8836 || !SSL_CTX_set1_sigalgs_list(sctx,
8837 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8838 goto end;
8839 }
8840
b4c4a2c6
TM		 8841 if (idx != 5
8842 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8843 SSL_FILETYPE_PEM), 1)
b3842539
MC		 8844 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8845 privkey2,
8846 SSL_FILETYPE_PEM), 1)
b4c4a2c6 8847 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 8848 goto end;
8849
8850 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 8851 NULL, NULL)))
b3842539
MC		 8852 goto end;
8853
8854 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8855 goto end;
8856
8857 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8858 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8859 NULL, NULL),
8860 (idx == 0 || idx == 3) ? 2 : 1))
8861 goto end;
8862
8863 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8864 goto end;
8865
8866 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8867 : NID_rsassaPss))
8868 goto end;
8869
b0001d0c 8870 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8871
8872 end:
8873 SSL_free(serverssl);
8874 SSL_free(clientssl);
8875 SSL_CTX_free(sctx);
8876 SSL_CTX_free(cctx);
8877 OSSL_PROVIDER_unload(filterprov);
b4250010 8878 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8879
8880 return testresult;
8881}
b1fdbc68
MC		 8882#endif /*
8883 * !defined(OPENSSL_NO_EC) \
a763ca11 8884 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8885 */
b3842539 8886
0c13cdf8 8887#ifndef OPENSSL_NO_TLS1_3
a763ca11 8888/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8889static int test_pluggable_group(int idx)
0c13cdf8
MC		 8890{
8891 SSL_CTX *cctx = NULL, *sctx = NULL;
8892 SSL *clientssl = NULL, *serverssl = NULL;
8893 int testresult = 0;
8894 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8895 /* Check that we are not impacted by a provider without any groups */
8896 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8897 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8898
5ae54dba 8899 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8900 goto end;
8901
5ae54dba
MC		 8902 if (legacyprov == NULL) {
8903 /*
8904 * In this case we assume we've been built with "no-legacy" and skip
8905 * this test (there is no OPENSSL_NO_LEGACY)
8906 */
8907 testresult = 1;
8908 goto end;
8909 }
8910
0c13cdf8
MC		 8911 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8912 TLS_client_method(),
8913 TLS1_3_VERSION,
8914 TLS1_3_VERSION,
8915 &sctx, &cctx, cert, privkey))
8916 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8917 NULL, NULL)))
8918 goto end;
8919
c8e3a4c6
NT		 8920 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8921 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8922 goto end;
8923
8924 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8925 goto end;
8926
becbacd7
MB		 8927 if (!TEST_str_eq(group_name,
8928 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8929 goto end;
8930
0c13cdf8
MC		 8931 testresult = 1;
8932
8933 end:
8934 SSL_free(serverssl);
8935 SSL_free(clientssl);
8936 SSL_CTX_free(sctx);
8937 SSL_CTX_free(cctx);
8938 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8939 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8940
8941 return testresult;
8942}
8943#endif
b3842539 8944
49a36a52
MC		 8945#ifndef OPENSSL_NO_TLS1_2
8946static int test_ssl_dup(void)
8947{
8948 SSL_CTX *cctx = NULL, *sctx = NULL;
8949 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8950 int testresult = 0;
8951 BIO *rbio = NULL, *wbio = NULL;
8952
8953 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8954 TLS_client_method(),
8955 0,
8956 0,
8957 &sctx, &cctx, cert, privkey)))
8958 goto end;
8959
8960 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8961 NULL, NULL)))
8962 goto end;
8963
8964 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8965 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8966 goto end;
8967
8968 client2ssl = SSL_dup(clientssl);
8969 rbio = SSL_get_rbio(clientssl);
8970 if (!TEST_ptr(rbio)
8971 || !TEST_true(BIO_up_ref(rbio)))
8972 goto end;
8973 SSL_set0_rbio(client2ssl, rbio);
8974 rbio = NULL;
8975
8976 wbio = SSL_get_wbio(clientssl);
8977 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8978 goto end;
8979 SSL_set0_wbio(client2ssl, wbio);
8980 rbio = NULL;
8981
8982 if (!TEST_ptr(client2ssl)
8983 /* Handshake not started so pointers should be different */
8984 || !TEST_ptr_ne(clientssl, client2ssl))
8985 goto end;
8986
8987 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8988 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8989 goto end;
8990
8991 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8992 goto end;
8993
8994 SSL_free(clientssl);
8995 clientssl = SSL_dup(client2ssl);
8996 if (!TEST_ptr(clientssl)
8997 /* Handshake has finished so pointers should be the same */
8998 || !TEST_ptr_eq(clientssl, client2ssl))
8999 goto end;
9000
9001 testresult = 1;
9002
9003 end:
9004 SSL_free(serverssl);
9005 SSL_free(clientssl);
9006 SSL_free(client2ssl);
9007 SSL_CTX_free(sctx);
9008 SSL_CTX_free(cctx);
9009
9010 return testresult;
9011}
33c39a06
MC		 9012
9013# ifndef OPENSSL_NO_DH
9014
9015static EVP_PKEY *tmp_dh_params = NULL;
9016
9017/* Helper function for the test_set_tmp_dh() tests */
9018static EVP_PKEY *get_tmp_dh_params(void)
9019{
9020 if (tmp_dh_params == NULL) {
9021 BIGNUM *p = NULL;
9022 OSSL_PARAM_BLD *tmpl = NULL;
9023 EVP_PKEY_CTX *pctx = NULL;
9024 OSSL_PARAM *params = NULL;
9025 EVP_PKEY *dhpkey = NULL;
9026
9027 p = BN_get_rfc3526_prime_2048(NULL);
9028 if (!TEST_ptr(p))
9029 goto end;
9030
9031 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9032 if (!TEST_ptr(pctx)
884400d7 9033 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9034 goto end;
9035
9036 tmpl = OSSL_PARAM_BLD_new();
9037 if (!TEST_ptr(tmpl)
9038 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9039 OSSL_PKEY_PARAM_FFC_P,
9040 p))
9041 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9042 OSSL_PKEY_PARAM_FFC_G,
9043 2)))
9044 goto end;
9045
9046 params = OSSL_PARAM_BLD_to_param(tmpl);
9047 if (!TEST_ptr(params)
884400d7 9048 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9049 EVP_PKEY_KEY_PARAMETERS,
9050 params), 1))
33c39a06
MC		 9051 goto end;
9052
9053 tmp_dh_params = dhpkey;
9054 end:
9055 BN_free(p);
9056 EVP_PKEY_CTX_free(pctx);
9057 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9058 OSSL_PARAM_free(params);
33c39a06
MC		 9059 }
9060
f1619160 9061 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9062 return NULL;
9063
9064 return tmp_dh_params;
9065}
9066
39f3427d 9067# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9068/* Callback used by test_set_tmp_dh() */
9069static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9070{
9071 EVP_PKEY *dhpkey = get_tmp_dh_params();
9072 DH *ret = NULL;
9073
9074 if (!TEST_ptr(dhpkey))
9075 return NULL;
9076
7bc0fdd3
MC		 9077 /*
9078 * libssl does not free the returned DH, so we free it now knowing that even
9079 * after we free dhpkey, there will still be a reference to the owning
9080 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9081 * of time we need it for.
9082 */
9083 ret = EVP_PKEY_get1_DH(dhpkey);
9084 DH_free(ret);
33c39a06
MC		 9085
9086 EVP_PKEY_free(dhpkey);
9087
9088 return ret;
9089}
9090# endif
9091
9092/*
9093 * Test the various methods for setting temporary DH parameters
9094 *
9095 * Test 0: Default (no auto) setting
9096 * Test 1: Explicit SSL_CTX auto off
9097 * Test 2: Explicit SSL auto off
9098 * Test 3: Explicit SSL_CTX auto on
9099 * Test 4: Explicit SSL auto on
9100 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9101 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9102 *
9103 * The following are testing deprecated APIs, so we only run them if available
9104 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9105 * Test 8: Explicit SSL auto off, custom DH params via DH
9106 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9107 * Test 10: Explicit SSL auto off, custom DH params via callback
9108 */
9109static int test_set_tmp_dh(int idx)
9110{
9111 SSL_CTX *cctx = NULL, *sctx = NULL;
9112 SSL *clientssl = NULL, *serverssl = NULL;
9113 int testresult = 0;
9114 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9115 int expected = (idx <= 2) ? 0 : 1;
9116 EVP_PKEY *dhpkey = NULL;
9117# ifndef OPENSSL_NO_DEPRECATED_3_0
9118 DH *dh = NULL;
9119# else
9120
9121 if (idx >= 7)
9122 return 1;
9123# endif
9124
9125 if (idx >= 5 && idx <= 8) {
9126 dhpkey = get_tmp_dh_params();
9127 if (!TEST_ptr(dhpkey))
9128 goto end;
9129 }
9130# ifndef OPENSSL_NO_DEPRECATED_3_0
9131 if (idx == 7 || idx == 8) {
7bc0fdd3 9132 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9133 if (!TEST_ptr(dh))
9134 goto end;
9135 }
9136# endif
9137
9138 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9139 TLS_client_method(),
9140 0,
9141 0,
9142 &sctx, &cctx, cert, privkey)))
9143 goto end;
9144
9145 if ((idx & 1) == 1) {
9146 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9147 goto end;
9148 }
9149
9150 if (idx == 5) {
9151 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9152 goto end;
9153 dhpkey = NULL;
9154 }
9155# ifndef OPENSSL_NO_DEPRECATED_3_0
9156 else if (idx == 7) {
9157 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9158 goto end;
9159 } else if (idx == 9) {
9160 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9161 }
9162# endif
9163
9164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9165 NULL, NULL)))
9166 goto end;
9167
9168 if ((idx & 1) == 0 && idx != 0) {
9169 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9170 goto end;
9171 }
9172 if (idx == 6) {
9173 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9174 goto end;
9175 dhpkey = NULL;
9176 }
9177# ifndef OPENSSL_NO_DEPRECATED_3_0
9178 else if (idx == 8) {
9179 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9180 goto end;
9181 } else if (idx == 10) {
9182 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9183 }
9184# endif
9185
9186 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9187 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9188 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9189 goto end;
9190
9191 /*
9192 * If autoon then we should succeed. Otherwise we expect failure because
9193 * there are no parameters
9194 */
9195 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9196 SSL_ERROR_NONE), expected))
9197 goto end;
9198
9199 testresult = 1;
9200
9201 end:
7bc0fdd3
MC		 9202# ifndef OPENSSL_NO_DEPRECATED_3_0
9203 DH_free(dh);
9204# endif
33c39a06
MC		 9205 SSL_free(serverssl);
9206 SSL_free(clientssl);
9207 SSL_CTX_free(sctx);
9208 SSL_CTX_free(cctx);
9209 EVP_PKEY_free(dhpkey);
9210
9211 return testresult;
9212}
3105d846
MC		 9213
9214/*
9215 * Test the auto DH keys are appropriately sized
9216 */
9217static int test_dh_auto(int idx)
9218{
61cab650
MC		 9219 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9220 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9221 SSL *clientssl = NULL, *serverssl = NULL;
9222 int testresult = 0;
9223 EVP_PKEY *tmpkey = NULL;
9224 char *thiscert = NULL, *thiskey = NULL;
9225 size_t expdhsize = 0;
9226 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9227
61cab650
MC		 9228 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9229 goto end;
9230
3105d846
MC		 9231 switch (idx) {
9232 case 0:
9233 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9234 if (is_fips) {
9235 testresult = 1;
9236 goto end;
9237 }
3105d846
MC		 9238 thiscert = cert1024;
9239 thiskey = privkey1024;
9240 expdhsize = 1024;
61cab650
MC		 9241 SSL_CTX_set_security_level(sctx, 1);
9242 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9243 break;
9244 case 1:
9245 /* 2048 bit prime */
9246 thiscert = cert;
9247 thiskey = privkey;
9248 expdhsize = 2048;
9249 break;
9250 case 2:
9251 thiscert = cert3072;
9252 thiskey = privkey3072;
9253 expdhsize = 3072;
9254 break;
9255 case 3:
9256 thiscert = cert4096;
9257 thiskey = privkey4096;
9258 expdhsize = 4096;
9259 break;
9260 case 4:
9261 thiscert = cert8192;
9262 thiskey = privkey8192;
9263 expdhsize = 8192;
9264 break;
9265 /* No certificate cases */
9266 case 5:
9267 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9268 if (is_fips) {
9269 testresult = 1;
9270 goto end;
9271 }
3105d846
MC		 9272 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9273 expdhsize = 1024;
9274 break;
9275 case 6:
9276 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9277 expdhsize = 3072;
9278 break;
9279 default:
9280 TEST_error("Invalid text index");
9281 goto end;
9282 }
9283
61cab650
MC		 9284 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9285 NULL,
3105d846
MC		 9286 0,
9287 0,
9288 &sctx, &cctx, thiscert, thiskey)))
9289 goto end;
9290
9291 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9292 NULL, NULL)))
9293 goto end;
9294
9295 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9296 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9297 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9298 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9299 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9300 goto end;
9301
9302 /*
9303 * Send the server's first flight. At this point the server has created the
9304 * temporary DH key but hasn't finished using it yet. Once used it is
9305 * removed, so we cannot test it.
9306 */
9307 if (!TEST_int_le(SSL_connect(clientssl), 0)
9308 || !TEST_int_le(SSL_accept(serverssl), 0))
9309 goto end;
9310
9311 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9312 goto end;
ed576acd 9313 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 9314 goto end;
9315
9316 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9317 goto end;
9318
9319 testresult = 1;
9320
9321 end:
9322 SSL_free(serverssl);
9323 SSL_free(clientssl);
9324 SSL_CTX_free(sctx);
9325 SSL_CTX_free(cctx);
9326 EVP_PKEY_free(tmpkey);
9327
9328 return testresult;
9329
9330}
33c39a06
MC		 9331# endif /* OPENSSL_NO_DH */
9332#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9333
a763ca11 9334#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9335/*
9336 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9337 * that it works even without a certificate configured for the original
9338 * SSL_CTX
9339 */
9340static int test_sni_tls13(void)
9341{
9342 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9343 SSL *clientssl = NULL, *serverssl = NULL;
9344 int testresult = 0;
9345
9346 /* Reset callback counter */
9347 snicb = 0;
9348
9349 /* Create an initial SSL_CTX with no certificate configured */
9350 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9351 if (!TEST_ptr(sctx))
9352 goto end;
9353 /* Require TLSv1.3 as a minimum */
9354 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9355 TLS_client_method(), TLS1_3_VERSION, 0,
9356 &sctx2, &cctx, cert, privkey)))
9357 goto end;
9358
9359 /* Set up SNI */
9360 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9361 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9362 goto end;
9363
9364 /*
9365 * Connection should still succeed because the final SSL_CTX has the right
9366 * certificates configured.
9367 */
9368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9369 &clientssl, NULL, NULL))
9370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9371 SSL_ERROR_NONE)))
9372 goto end;
9373
9374 /* We should have had the SNI callback called exactly once */
9375 if (!TEST_int_eq(snicb, 1))
9376 goto end;
9377
9378 testresult = 1;
9379
9380end:
9381 SSL_free(serverssl);
9382 SSL_free(clientssl);
9383 SSL_CTX_free(sctx2);
9384 SSL_CTX_free(sctx);
9385 SSL_CTX_free(cctx);
9386 return testresult;
9387}
9388#endif
feba11cf
TS		 9389/*
9390 * Test that setting an ALPN does not violate RFC
9391 */
9392static int test_set_alpn(void)
9393{
9394 SSL_CTX *ctx = NULL;
9395 SSL *ssl = NULL;
9396 int testresult = 0;
9397
9398 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9399 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9400 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9401 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9402 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9403 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9404
9405 /* Create an initial SSL_CTX with no certificate configured */
9406 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9407 if (!TEST_ptr(ctx))
9408 goto end;
9409
9410 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9411 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9412 goto end;
9413 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9414 goto end;
9415 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9416 goto end;
9417 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9418 goto end;
9419 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9420 goto end;
9421 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9422 goto end;
9423 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9424 goto end;
9425 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9426 goto end;
9427 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9428 goto end;
9429
9430 ssl = SSL_new(ctx);
9431 if (!TEST_ptr(ssl))
9432 goto end;
9433
9434 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9435 goto end;
9436 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9437 goto end;
9438 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9439 goto end;
9440 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9441 goto end;
9442 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9443 goto end;
9444 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9445 goto end;
9446 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9447 goto end;
9448 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9449 goto end;
9450 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9451 goto end;
9452
9453 testresult = 1;
9454
9455end:
9456 SSL_free(ssl);
9457 SSL_CTX_free(ctx);
9458 return testresult;
9459}
6582661f 9460
dfccfde0
CH		 9461static int test_inherit_verify_param(void)
9462{
9463 int testresult = 0;
9464
9465 SSL_CTX *ctx = NULL;
9466 X509_VERIFY_PARAM *cp = NULL;
9467 SSL *ssl = NULL;
9468 X509_VERIFY_PARAM *sp = NULL;
9469 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9470
9471 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9472 if (!TEST_ptr(ctx))
9473 goto end;
9474
9475 cp = SSL_CTX_get0_param(ctx);
9476 if (!TEST_ptr(cp))
9477 goto end;
9478 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9479 goto end;
9480
9481 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9482
9483 ssl = SSL_new(ctx);
9484 if (!TEST_ptr(ssl))
9485 goto end;
9486
9487 sp = SSL_get0_param(ssl);
9488 if (!TEST_ptr(sp))
9489 goto end;
9490 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9491 goto end;
9492
9493 testresult = 1;
9494
9495 end:
9496 SSL_free(ssl);
9497 SSL_CTX_free(ctx);
9498
9499 return testresult;
9500}
9501
5e30f2fd 9502OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 9503
ad887416 9504int setup_tests(void)
2cb4b5f6 9505{
5e30f2fd
MC		 9506 char *modulename;
9507 char *configfile;
9508
b4250010 9509 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 9510 if (!TEST_ptr(libctx))
9511 return 0;
9512
9513 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9514
9515 /*
9516 * Verify that the default and fips providers in the default libctx are not
9517 * available
9518 */
9519 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9520 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9521 return 0;
9522
8d242823
MC		 9523 if (!test_skip_common_options()) {
9524 TEST_error("Error parsing test options\n");
9525 return 0;
9526 }
9527
1a2a3a42
MC		 9528 if (!TEST_ptr(certsdir = test_get_argument(0))
9529 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 9530 || !TEST_ptr(tmpfilename = test_get_argument(2))
9531 || !TEST_ptr(modulename = test_get_argument(3))
9532 || !TEST_ptr(configfile = test_get_argument(4)))
9533 return 0;
9534
b4250010 9535 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 9536 return 0;
9537
9538 /* Check we have the expected provider available */
9539 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9540 return 0;
9541
9542 /* Check the default provider is not available */
9543 if (strcmp(modulename, "default") != 0
9544 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 9545 return 0;
2cb4b5f6 9546
4f6c7044
MC		 9547 if (strcmp(modulename, "fips") == 0)
9548 is_fips = 1;
9549
0c13cdf8
MC		 9550 /*
9551 * We add, but don't load the test "tls-provider". We'll load it when we
9552 * need it.
9553 */
9554 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9555 tls_provider_init)))
9556 return 0;
9557
9558
f297e4ec
RS		 9559 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9560#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9561 TEST_error("not supported in this build");
9562 return 0;
9563#else
9564 int i, mcount, rcount, fcount;
9565
9566 for (i = 0; i < 4; i++)
9567 test_export_key_mat(i);
9568 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9569 test_printf_stdout("malloc %d realloc %d free %d\n",
9570 mcount, rcount, fcount);
9571 return 1;
9572#endif
9573 }
9574
1a2a3a42
MC		 9575 cert = test_mk_file_path(certsdir, "servercert.pem");
9576 if (cert == NULL)
b3842539 9577 goto err;
1a2a3a42
MC		 9578
9579 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 9580 if (privkey == NULL)
9581 goto err;
9582
9583 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9584 if (cert2 == NULL)
9585 goto err;
9586
9587 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9588 if (privkey2 == NULL)
9589 goto err;
1a2a3a42 9590
3105d846
MC		 9591 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9592 if (cert1024 == NULL)
9593 goto err;
9594
9595 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9596 if (privkey1024 == NULL)
9597 goto err;
9598
9599 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9600 if (cert3072 == NULL)
9601 goto err;
9602
9603 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9604 if (privkey3072 == NULL)
9605 goto err;
9606
9607 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9608 if (cert4096 == NULL)
9609 goto err;
9610
9611 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9612 if (privkey4096 == NULL)
9613 goto err;
9614
9615 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9616 if (cert8192 == NULL)
9617 goto err;
9618
9619 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9620 if (privkey8192 == NULL)
9621 goto err;
9622
da4db160 9623#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 9624# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526
JB		 9625 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9626 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
c8e3a4c6 9627# endif
fe5d9450 9628#endif
84d5549e 9629 ADD_TEST(test_large_message_tls);
7856332e 9630 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 9631#ifndef OPENSSL_NO_DTLS
84d5549e 9632 ADD_TEST(test_large_message_dtls);
55386bef 9633#endif
163b8016 9634 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 9635#ifndef OPENSSL_NO_OCSP
c887104f 9636 ADD_TEST(test_tlsext_status_type);
8f8c11d8 9637#endif
eaa776da
MC		 9638 ADD_TEST(test_session_with_only_int_cache);
9639 ADD_TEST(test_session_with_only_ext_cache);
9640 ADD_TEST(test_session_with_both_cache);
90fc2c26 9641 ADD_TEST(test_session_wo_ca_names);
a763ca11 9642#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 9643 ADD_ALL_TESTS(test_stateful_tickets, 3);
9644 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 9645 ADD_TEST(test_psk_tickets);
f0049b86 9646 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 9647#endif
7fb4c820 9648 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 9649 ADD_TEST(test_ssl_bio_pop_next_bio);
9650 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9651 ADD_TEST(test_ssl_bio_change_rbio);
9652 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 9653#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 9654 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 9655 ADD_TEST(test_keylog);
c423ecaa 9656#endif
a763ca11 9657#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 9658 ADD_TEST(test_keylog_no_master_key);
9659#endif
0c3eb279 9660 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 9661 ADD_TEST(test_ssl_build_cert_chain);
9662 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 9663#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 9664 ADD_TEST(test_client_hello_cb);
088dfa13 9665 ADD_TEST(test_no_ems);
3cd14e5e 9666 ADD_TEST(test_ccs_change_cipher);
5f982038 9667#endif
a763ca11 9668#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 9669 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 9670 /*
9671 * We don't do replay tests for external PSK. Replay protection isn't used
9672 * in that scenario.
9673 */
9674 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 9675 ADD_ALL_TESTS(test_early_data_skip, 3);
9676 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 9677 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 9678 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 9679 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 9680 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 9681 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 9682 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 9683# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 9684 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 9685# endif
e9ee6536 9686#endif
a763ca11 9687#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 9688 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 9689 ADD_TEST(test_ciphersuite_change);
5bf2eade 9690 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9691# ifdef OPENSSL_NO_PSK
c2b290c3 9692 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 9693# else
0d8da779 9694 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 9695# endif /* OPENSSL_NO_PSK */
9696# ifndef OPENSSL_NO_TLS1_2
9697 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 9698 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 9699# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9700 ADD_ALL_TESTS(test_negotiated_group,
9701 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9702 + OSSL_NELEM(ffdhe_kexch_groups)));
9703# endif
5bf2eade 9704# else
9705 /* Test with only TLSv1.3 versions */
9706 ADD_ALL_TESTS(test_key_exchange, 12);
9707# endif
0db3a990 9708 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 9709 ADD_TEST(test_stateless);
9d75dce3 9710 ADD_TEST(test_pha_key_update);
a273157a 9711#else
bb01ef3f 9712 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 9713#endif
16afd71c 9714 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 9715 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 9716#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 9717 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 9718 ADD_TEST(test_key_update);
0c48fda8 9719 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9720 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9721 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9722 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 9723#endif
e11b6aa4 9724 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 9725 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 9726#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9727 ADD_ALL_TESTS(test_srp, 6);
9728#endif
5718fe45 9729 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 9730 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 9731 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 9732 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 9733 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 9734 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 9735 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 9736 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 9737 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 9738#ifndef OPENSSL_NO_TLS1_2
9739 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9740#endif
49ef3d07 9741 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 9742#if !defined(OPENSSL_NO_EC) \
a763ca11 9743 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 9744 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 9745#endif
9746#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 9747 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 9748#endif
9749#ifndef OPENSSL_NO_TLS1_2
9750 ADD_TEST(test_ssl_dup);
33c39a06
MC		 9751# ifndef OPENSSL_NO_DH
9752 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 9753 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 9754# endif
6582661f 9755#endif
a763ca11 9756#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 9757 ADD_TEST(test_sni_tls13);
b3842539 9758#endif
dfccfde0 9759 ADD_TEST(test_inherit_verify_param);
feba11cf 9760 ADD_TEST(test_set_alpn);
25959e04 9761 ADD_ALL_TESTS(test_session_timeout, 1);
ad887416 9762 return 1;
b3842539
MC		 9763
9764 err:
9765 OPENSSL_free(cert);
9766 OPENSSL_free(privkey);
9767 OPENSSL_free(cert2);
9768 OPENSSL_free(privkey2);
9769 return 0;
ad887416 9770}
2cb4b5f6 9771
ad887416
P		 9772void cleanup_tests(void)
9773{
8778f0eb 9774# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 9775 EVP_PKEY_free(tmp_dh_params);
9776#endif
1a2a3a42
MC		 9777 OPENSSL_free(cert);
9778 OPENSSL_free(privkey);
b3842539
MC		 9779 OPENSSL_free(cert2);
9780 OPENSSL_free(privkey2);
3105d846
MC		 9781 OPENSSL_free(cert1024);
9782 OPENSSL_free(privkey1024);
9783 OPENSSL_free(cert3072);
9784 OPENSSL_free(privkey3072);
9785 OPENSSL_free(cert4096);
9786 OPENSSL_free(privkey4096);
9787 OPENSSL_free(cert8192);
9788 OPENSSL_free(privkey8192);
fa454945 9789 bio_s_mempacket_test_free();
a77b4dba 9790 bio_s_always_retry_free();
5e30f2fd 9791 OSSL_PROVIDER_unload(defctxnull);
b4250010 9792 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 9793}
A mirror of the official openssl repository