]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
test_export_key_mat(): Long context support works with new fips provider only
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
da1c088f 2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
b718f6fc 36#include <openssl/engine.h>
2cb4b5f6 37
20f8bc72 38#include "helpers/ssltestlib.h"
c887104f 39#include "testutil.h"
f297e4ec 40#include "testutil/output.h"
176db6dc 41#include "internal/nelem.h"
fe5d9450 42#include "internal/ktls.h"
706457b7 43#include "../ssl/ssl_local.h"
0755722c 44#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 45#include "filterprov.h"
2cb4b5f6 46
a763ca11
MC		 47#undef OSSL_NO_USABLE_TLS1_3
48#if defined(OPENSSL_NO_TLS1_3) \
49 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
50/*
51 * If we don't have ec or dh then there are no built-in groups that are usable
52 * with TLSv1.3
53 */
54# define OSSL_NO_USABLE_TLS1_3
55#endif
56
0c13cdf8
MC		 57/* Defined in tls-provider.c */
58int tls_provider_init(const OSSL_CORE_HANDLE *handle,
59 const OSSL_DISPATCH *in,
60 const OSSL_DISPATCH **out,
61 void **provctx);
852c2ed2 62
b4250010 63static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 64static OSSL_PROVIDER *defctxnull = NULL;
65
a763ca11 66#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 67
68static SSL_SESSION *clientpsk = NULL;
69static SSL_SESSION *serverpsk = NULL;
70static const char *pskid = "Identity";
71static const char *srvid;
72
73static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
74 size_t *idlen, SSL_SESSION **sess);
75static int find_session_cb(SSL *ssl, const unsigned char *identity,
76 size_t identity_len, SSL_SESSION **sess);
77
78static int use_session_cb_cnt = 0;
79static int find_session_cb_cnt = 0;
8614a4eb
MC		 80#endif
81
1a2a3a42 82static char *certsdir = NULL;
2cb4b5f6
MC		 83static char *cert = NULL;
84static char *privkey = NULL;
b3842539
MC		 85static char *cert2 = NULL;
86static char *privkey2 = NULL;
3105d846
MC		 87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
76fd7a1d
MC		 95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
b2b8d188 97static char *dhfile = NULL;
2cb4b5f6 98
4f6c7044 99static int is_fips = 0;
50ea5cdc 100static int fips_ems_check = 0;
4f6c7044 101
cffe973c 102#define LOG_BUFFER_SIZE 2048
6acdd3e5 103static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 104static size_t server_log_buffer_index = 0;
6acdd3e5 105static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 106static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 107static int error_writing_log = 0;
108
8f8c11d8 109#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 110static const unsigned char orespder[] = "Dummy OCSP Response";
111static int ocsp_server_called = 0;
112static int ocsp_client_called = 0;
113
114static int cdummyarg = 1;
115static X509 *ocspcert = NULL;
8f8c11d8 116#endif
ba881d3b 117
cf72c757 118#define CLIENT_VERSION_LEN 2
84d5549e 119
f1a5939f
CB		 120/*
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
123 */
124struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
cffe973c 127 unsigned int client_early_secret_count;
f1a5939f
CB		 128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
01a2a654 132 unsigned int early_exporter_secret_count;
6329ce8f 133 unsigned int exporter_secret_count;
f1a5939f
CB		 134};
135
16afd71c 136
104a733d
MC		 137static int hostname_cb(SSL *s, int *al, void *arg)
138{
139 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
140
141 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
142 || strcmp(hostname, "altgoodhost") == 0))
143 return SSL_TLSEXT_ERR_OK;
144
145 return SSL_TLSEXT_ERR_NOACK;
146}
147
710756a9
RS		 148static void client_keylog_callback(const SSL *ssl, const char *line)
149{
6acdd3e5
CB		 150 int line_length = strlen(line);
151
152 /* If the log doesn't fit, error out. */
710756a9
RS		 153 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
154 TEST_info("Client log too full");
6acdd3e5
CB		 155 error_writing_log = 1;
156 return;
157 }
158
159 strcat(client_log_buffer, line);
160 client_log_buffer_index += line_length;
710756a9 161 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 162}
163
710756a9
RS		 164static void server_keylog_callback(const SSL *ssl, const char *line)
165{
6acdd3e5
CB		 166 int line_length = strlen(line);
167
168 /* If the log doesn't fit, error out. */
710756a9 169 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 170 TEST_info("Server log too full");
6acdd3e5
CB		 171 error_writing_log = 1;
172 return;
173 }
174
175 strcat(server_log_buffer, line);
176 server_log_buffer_index += line_length;
710756a9 177 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 178}
179
180static int compare_hex_encoded_buffer(const char *hex_encoded,
181 size_t hex_length,
182 const uint8_t *raw,
710756a9
RS		 183 size_t raw_length)
184{
185 size_t i, j;
186 char hexed[3];
6acdd3e5 187
710756a9 188 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 189 return 1;
6acdd3e5 190
710756a9 191 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 192 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 193 if (!TEST_int_eq(hexed[0], hex_encoded[j])
194 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 195 return 1;
6acdd3e5
CB		 196 }
197
198 return 0;
199}
200
201static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 202 const SSL_SESSION *session,
710756a9
RS		 203 struct sslapitest_log_counts *expected)
204{
6acdd3e5
CB		 205 char *token = NULL;
206 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
207 size_t client_random_size = SSL3_RANDOM_SIZE;
208 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
209 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 210 unsigned int rsa_key_exchange_count = 0;
211 unsigned int master_secret_count = 0;
cffe973c 212 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 213 unsigned int client_handshake_secret_count = 0;
214 unsigned int server_handshake_secret_count = 0;
215 unsigned int client_application_secret_count = 0;
216 unsigned int server_application_secret_count = 0;
01a2a654 217 unsigned int early_exporter_secret_count = 0;
6329ce8f 218 unsigned int exporter_secret_count = 0;
6acdd3e5 219
710756a9
RS		 220 for (token = strtok(buffer, " \n"); token != NULL;
221 token = strtok(NULL, " \n")) {
6acdd3e5 222 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 223 /*
224 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 225 * hex-encoded encrypted secret, then the hex-encoded pre-master
226 * secret.
227 */
710756a9 228 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 229 return 0;
710756a9 230 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 231 return 0;
710756a9 232 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 233 return 0;
f1a5939f
CB		 234 /*
235 * We can't sensibly check the log because the premaster secret is
236 * transient, and OpenSSL doesn't keep hold of it once the master
237 * secret is generated.
238 */
239 rsa_key_exchange_count++;
6acdd3e5 240 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 241 /*
242 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 243 * client random, then the hex-encoded master secret.
244 */
245 client_random_size = SSL_get_client_random(ssl,
246 actual_client_random,
247 SSL3_RANDOM_SIZE);
710756a9 248 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 249 return 0;
6acdd3e5 250
710756a9 251 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 252 return 0;
710756a9 253 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 254 return 0;
710756a9
RS		 255 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
256 actual_client_random,
257 client_random_size)))
f1a5939f 258 return 0;
6acdd3e5 259
710756a9 260 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 261 return 0;
6acdd3e5
CB		 262 master_key_size = SSL_SESSION_get_master_key(session,
263 actual_master_key,
264 master_key_size);
710756a9 265 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 266 return 0;
710756a9
RS		 267 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
268 actual_master_key,
269 master_key_size)))
f1a5939f 270 return 0;
f1a5939f 271 master_secret_count++;
cffe973c
PW		 272 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
273 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 274 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
275 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 276 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 277 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 278 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 279 /*
280 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
281 * client random, and then the hex-encoded secret. In this case,
282 * we treat all of these secrets identically and then just
283 * distinguish between them when counting what we saw.
284 */
cffe973c
PW		 285 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
286 client_early_secret_count++;
287 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 288 client_handshake_secret_count++;
289 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
290 server_handshake_secret_count++;
291 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
292 client_application_secret_count++;
293 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
294 server_application_secret_count++;
01a2a654
PW		 295 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
296 early_exporter_secret_count++;
6329ce8f
PW		 297 else if (strcmp(token, "EXPORTER_SECRET") == 0)
298 exporter_secret_count++;
f1a5939f
CB		 299
300 client_random_size = SSL_get_client_random(ssl,
301 actual_client_random,
302 SSL3_RANDOM_SIZE);
710756a9 303 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 304 return 0;
f1a5939f 305
710756a9 306 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 307 return 0;
710756a9 308 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 309 return 0;
710756a9
RS		 310 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
311 actual_client_random,
312 client_random_size)))
f1a5939f 313 return 0;
6acdd3e5 314
710756a9 315 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 316 return 0;
6acdd3e5 317 } else {
710756a9 318 TEST_info("Unexpected token %s\n", token);
f1a5939f 319 return 0;
6acdd3e5 320 }
6acdd3e5
CB		 321 }
322
710756a9
RS		 323 /* Got what we expected? */
324 if (!TEST_size_t_eq(rsa_key_exchange_count,
325 expected->rsa_key_exchange_count)
326 || !TEST_size_t_eq(master_secret_count,
327 expected->master_secret_count)
cffe973c
PW		 328 || !TEST_size_t_eq(client_early_secret_count,
329 expected->client_early_secret_count)
710756a9
RS		 330 || !TEST_size_t_eq(client_handshake_secret_count,
331 expected->client_handshake_secret_count)
332 || !TEST_size_t_eq(server_handshake_secret_count,
333 expected->server_handshake_secret_count)
334 || !TEST_size_t_eq(client_application_secret_count,
335 expected->client_application_secret_count)
336 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 337 expected->server_application_secret_count)
01a2a654
PW		 338 || !TEST_size_t_eq(early_exporter_secret_count,
339 expected->early_exporter_secret_count)
6329ce8f
PW		 340 || !TEST_size_t_eq(exporter_secret_count,
341 expected->exporter_secret_count))
710756a9
RS		 342 return 0;
343 return 1;
6acdd3e5
CB		 344}
345
a763ca11 346#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 347static int test_keylog(void)
348{
6acdd3e5
CB		 349 SSL_CTX *cctx = NULL, *sctx = NULL;
350 SSL *clientssl = NULL, *serverssl = NULL;
351 int testresult = 0;
6fc1e624 352 struct sslapitest_log_counts expected;
6acdd3e5
CB		 353
354 /* Clean up logging space */
6fc1e624 355 memset(&expected, 0, sizeof(expected));
710756a9
RS		 356 memset(client_log_buffer, 0, sizeof(client_log_buffer));
357 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 358 client_log_buffer_index = 0;
359 server_log_buffer_index = 0;
360 error_writing_log = 0;
361
5e30f2fd 362 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 363 TLS_client_method(),
5c587fb6 364 TLS1_VERSION, 0,
710756a9 365 &sctx, &cctx, cert, privkey)))
6acdd3e5 366 return 0;
6acdd3e5
CB		 367
368 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
369 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
370 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
371
f0deb4d3 372 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 373 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 374 goto end;
f0deb4d3 375
cf10df81
RS		 376 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
377 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 378 goto end;
6acdd3e5 379 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 380 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
381 == client_keylog_callback))
6acdd3e5 382 goto end;
710756a9 383 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 384 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
385 == server_keylog_callback))
6acdd3e5 386 goto end;
6acdd3e5 387
710756a9
RS		 388 /* Now do a handshake and check that the logs have been written to. */
389 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
390 &clientssl, NULL, NULL))
391 || !TEST_true(create_ssl_connection(serverssl, clientssl,
392 SSL_ERROR_NONE))
393 || !TEST_false(error_writing_log)
394 || !TEST_int_gt(client_log_buffer_index, 0)
395 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 396 goto end;
6acdd3e5 397
f1a5939f
CB		 398 /*
399 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 400 * do that by using strtok and confirming that we have more or less the
f1a5939f 401 * data we expect. For both client and server, we expect to see one master
a63fa5f7 402 * secret. The client should also see an RSA key exchange.
6acdd3e5 403 */
f1a5939f
CB		 404 expected.rsa_key_exchange_count = 1;
405 expected.master_secret_count = 1;
710756a9
RS		 406 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
407 SSL_get_session(clientssl), &expected)))
6acdd3e5 408 goto end;
f1a5939f
CB		 409
410 expected.rsa_key_exchange_count = 0;
710756a9
RS		 411 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
412 SSL_get_session(serverssl), &expected)))
6acdd3e5 413 goto end;
6acdd3e5
CB		 414
415 testresult = 1;
416
417end:
418 SSL_free(serverssl);
419 SSL_free(clientssl);
420 SSL_CTX_free(sctx);
421 SSL_CTX_free(cctx);
422
423 return testresult;
424}
c423ecaa 425#endif
6acdd3e5 426
a763ca11 427#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 428static int test_keylog_no_master_key(void)
429{
6acdd3e5
CB		 430 SSL_CTX *cctx = NULL, *sctx = NULL;
431 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 432 SSL_SESSION *sess = NULL;
6acdd3e5 433 int testresult = 0;
6fc1e624 434 struct sslapitest_log_counts expected;
cffe973c
PW		 435 unsigned char buf[1];
436 size_t readbytes, written;
6acdd3e5
CB		 437
438 /* Clean up logging space */
6fc1e624 439 memset(&expected, 0, sizeof(expected));
710756a9
RS		 440 memset(client_log_buffer, 0, sizeof(client_log_buffer));
441 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 442 client_log_buffer_index = 0;
443 server_log_buffer_index = 0;
444 error_writing_log = 0;
445
5e30f2fd
MC		 446 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
447 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 448 &sctx, &cctx, cert, privkey))
449 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 450 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 451 return 0;
6acdd3e5 452
cf10df81
RS		 453 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
454 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 455 goto end;
6acdd3e5
CB		 456
457 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 458 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
459 == client_keylog_callback))
6acdd3e5 460 goto end;
6acdd3e5 461
710756a9 462 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 463 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
464 == server_keylog_callback))
6acdd3e5 465 goto end;
6acdd3e5 466
710756a9
RS		 467 /* Now do a handshake and check that the logs have been written to. */
468 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
469 &clientssl, NULL, NULL))
470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
471 SSL_ERROR_NONE))
472 || !TEST_false(error_writing_log))
6acdd3e5 473 goto end;
6acdd3e5 474
f1a5939f
CB		 475 /*
476 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 477 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 478 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 479 */
f1a5939f
CB		 480 expected.client_handshake_secret_count = 1;
481 expected.server_handshake_secret_count = 1;
482 expected.client_application_secret_count = 1;
483 expected.server_application_secret_count = 1;
6329ce8f 484 expected.exporter_secret_count = 1;
710756a9
RS		 485 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
486 SSL_get_session(clientssl), &expected))
487 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
488 SSL_get_session(serverssl),
489 &expected)))
6acdd3e5 490 goto end;
6acdd3e5 491
cffe973c
PW		 492 /* Terminate old session and resume with early data. */
493 sess = SSL_get1_session(clientssl);
494 SSL_shutdown(clientssl);
495 SSL_shutdown(serverssl);
496 SSL_free(serverssl);
497 SSL_free(clientssl);
498 serverssl = clientssl = NULL;
499
500 /* Reset key log */
501 memset(client_log_buffer, 0, sizeof(client_log_buffer));
502 memset(server_log_buffer, 0, sizeof(server_log_buffer));
503 client_log_buffer_index = 0;
504 server_log_buffer_index = 0;
505
506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
507 &clientssl, NULL, NULL))
508 || !TEST_true(SSL_set_session(clientssl, sess))
509 /* Here writing 0 length early data is enough. */
510 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
511 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
512 &readbytes),
513 SSL_READ_EARLY_DATA_ERROR)
514 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
515 SSL_EARLY_DATA_ACCEPTED)
516 || !TEST_true(create_ssl_connection(serverssl, clientssl,
517 SSL_ERROR_NONE))
518 || !TEST_true(SSL_session_reused(clientssl)))
519 goto end;
520
521 /* In addition to the previous entries, expect early secrets. */
522 expected.client_early_secret_count = 1;
01a2a654 523 expected.early_exporter_secret_count = 1;
cffe973c
PW		 524 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
525 SSL_get_session(clientssl), &expected))
526 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
527 SSL_get_session(serverssl),
528 &expected)))
529 goto end;
530
6acdd3e5
CB		 531 testresult = 1;
532
533end:
cffe973c 534 SSL_SESSION_free(sess);
6acdd3e5
CB		 535 SSL_free(serverssl);
536 SSL_free(clientssl);
537 SSL_CTX_free(sctx);
538 SSL_CTX_free(cctx);
539
540 return testresult;
541}
542#endif
543
0c3eb279
DDO		 544static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
545{
546 int res = X509_verify_cert(ctx);
dfb39f73
TM		 547 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
548 SSL *ssl;
549
550 /* this should not happen but check anyway */
551 if (idx < 0
552 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
553 return 0;
0c3eb279
DDO		 554
555 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
556 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 557 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
558 return SSL_set_retry_verify(ssl);
559
0c3eb279
DDO		 560 return res;
561}
562
563static int test_client_cert_verify_cb(void)
564{
565 /* server key, cert, chain, and root */
566 char *skey = test_mk_file_path(certsdir, "leaf.key");
567 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
568 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
569 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
570 char *root = test_mk_file_path(certsdir, "rootCA.pem");
571 X509 *crt1 = NULL, *crt2 = NULL;
572 STACK_OF(X509) *server_chain;
573 SSL_CTX *cctx = NULL, *sctx = NULL;
574 SSL *clientssl = NULL, *serverssl = NULL;
575 int testresult = 0;
576
577 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
578 TLS_client_method(), TLS1_VERSION, 0,
579 &sctx, &cctx, NULL, NULL)))
580 goto end;
581 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
582 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
583 SSL_FILETYPE_PEM), 1)
584 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
585 goto end;
586 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
587 goto end;
588 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
589 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
591 &clientssl, NULL, NULL)))
592 goto end;
593
594 /* attempt SSL_connect() with incomplete server chain */
595 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
596 SSL_ERROR_WANT_RETRY_VERIFY)))
597 goto end;
598
599 /* application provides intermediate certs needed to verify server cert */
600 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
601 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
602 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
603 goto end;
604 /* add certs in reverse order to demonstrate real chain building */
605 if (!TEST_true(sk_X509_push(server_chain, crt1)))
606 goto end;
607 crt1 = NULL;
608 if (!TEST_true(sk_X509_push(server_chain, crt2)))
609 goto end;
610 crt2 = NULL;
611
612 /* continue SSL_connect(), must now succeed with completed server chain */
613 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
614 SSL_ERROR_NONE)))
615 goto end;
616
617 testresult = 1;
618
619end:
620 X509_free(crt1);
621 X509_free(crt2);
c38048e7
P		 622 if (clientssl != NULL) {
623 SSL_shutdown(clientssl);
624 SSL_free(clientssl);
625 }
626 if (serverssl != NULL) {
627 SSL_shutdown(serverssl);
628 SSL_free(serverssl);
629 }
0c3eb279
DDO		 630 SSL_CTX_free(sctx);
631 SSL_CTX_free(cctx);
632
633 OPENSSL_free(skey);
634 OPENSSL_free(leaf);
635 OPENSSL_free(int2);
636 OPENSSL_free(int1);
637 OPENSSL_free(root);
638
639 return testresult;
640}
641
4e4ae840
SL		 642static int test_ssl_build_cert_chain(void)
643{
644 int ret = 0;
645 SSL_CTX *ssl_ctx = NULL;
646 SSL *ssl = NULL;
647 char *skey = test_mk_file_path(certsdir, "leaf.key");
648 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
649
650 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
651 goto end;
652 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
653 goto end;
654 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
655 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
656 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
657 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
658 goto end;
659 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
660 | SSL_BUILD_CHAIN_FLAG_CHECK)))
661 goto end;
662 ret = 1;
663end:
664 SSL_free(ssl);
665 SSL_CTX_free(ssl_ctx);
666 OPENSSL_free(leaf_chain);
667 OPENSSL_free(skey);
668 return ret;
669}
670
c7debe81
TM		 671static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
672{
673 static const char pass[] = "testpass";
674
675 if (!TEST_int_eq(size, PEM_BUFSIZE))
676 return -1;
677
678 memcpy(buf, pass, sizeof(pass) - 1);
679 return sizeof(pass) - 1;
680}
681
4e4ae840
SL		 682static int test_ssl_ctx_build_cert_chain(void)
683{
684 int ret = 0;
685 SSL_CTX *ctx = NULL;
c7debe81 686 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 687 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
688
689 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
690 goto end;
c7debe81 691 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 692 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
693 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
694 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
695 SSL_FILETYPE_PEM), 1)
696 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
697 goto end;
698 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
699 | SSL_BUILD_CHAIN_FLAG_CHECK)))
700 goto end;
701 ret = 1;
702end:
703 SSL_CTX_free(ctx);
704 OPENSSL_free(leaf_chain);
705 OPENSSL_free(skey);
706 return ret;
707}
708
e9ee6536 709#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 710static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 711{
712 int *ctr = arg;
713 const unsigned char *p;
8ea404fb 714 int *exts;
2afaee51
BK		 715 /* We only configure two ciphers, but the SCSV is added automatically. */
716#ifdef OPENSSL_NO_EC
717 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
718#else
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
720 0x2c, 0x00, 0xff};
721#endif
8ea404fb
BK		 722 const int expected_extensions[] = {
723#ifndef OPENSSL_NO_EC
724 11, 10,
725#endif
10ed1b72 726 35, 22, 23, 13};
2afaee51
BK		 727 size_t len;
728
729 /* Make sure we can defer processing and get called back. */
730 if ((*ctr)++ == 0)
f1b97da1 731 return SSL_CLIENT_HELLO_RETRY;
2afaee51 732
a9c0d8be 733 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 734 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 735 || !TEST_size_t_eq(
736 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 737 || !TEST_int_eq(*p, 0))
f1b97da1 738 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 739 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 740 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 741 if (len != OSSL_NELEM(expected_extensions) ||
742 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 743 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 744 OPENSSL_free(exts);
f1b97da1 745 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 746 }
747 OPENSSL_free(exts);
f1b97da1 748 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 749}
750
a9c0d8be 751static int test_client_hello_cb(void)
710756a9 752{
2afaee51
BK		 753 SSL_CTX *cctx = NULL, *sctx = NULL;
754 SSL *clientssl = NULL, *serverssl = NULL;
755 int testctr = 0, testresult = 0;
756
5e30f2fd
MC		 757 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
758 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 759 &sctx, &cctx, cert, privkey)))
2afaee51 760 goto end;
a9c0d8be 761 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 762
2afaee51
BK		 763 /* The gimpy cipher list we configure can't do TLS 1.3. */
764 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 765
710756a9
RS		 766 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
767 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
768 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
769 &clientssl, NULL, NULL))
770 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 771 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 772 /*
773 * Passing a -1 literal is a hack since
774 * the real value was lost.
775 * */
a9c0d8be
DB		 776 || !TEST_int_eq(SSL_get_error(serverssl, -1),
777 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 778 || !TEST_true(create_ssl_connection(serverssl, clientssl,
779 SSL_ERROR_NONE)))
2afaee51 780 goto end;
2afaee51
BK		 781
782 testresult = 1;
783
088dfa13
TS		 784end:
785 SSL_free(serverssl);
786 SSL_free(clientssl);
787 SSL_CTX_free(sctx);
788 SSL_CTX_free(cctx);
789
790 return testresult;
791}
792
793static int test_no_ems(void)
794{
795 SSL_CTX *cctx = NULL, *sctx = NULL;
796 SSL *clientssl = NULL, *serverssl = NULL;
50ea5cdc 797 int testresult = 0, status;
088dfa13 798
5e30f2fd 799 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 800 TLS1_VERSION, TLS1_2_VERSION,
801 &sctx, &cctx, cert, privkey)) {
802 printf("Unable to create SSL_CTX pair\n");
803 goto end;
804 }
805
806 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
807
808 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
809 printf("Unable to create SSL objects\n");
810 goto end;
811 }
812
50ea5cdc 813 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
814 if (fips_ems_check) {
815 if (status == 1) {
eb4129e1 816 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
50ea5cdc 817 goto end;
818 }
819 } else {
820 if (!status) {
821 printf("Creating SSL connection failed\n");
822 goto end;
823 }
824 if (SSL_get_extms_support(serverssl)) {
825 printf("Server reports Extended Master Secret support\n");
826 goto end;
827 }
828 if (SSL_get_extms_support(clientssl)) {
829 printf("Client reports Extended Master Secret support\n");
830 goto end;
831 }
088dfa13
TS		 832 }
833 testresult = 1;
834
2afaee51
BK		 835end:
836 SSL_free(serverssl);
837 SSL_free(clientssl);
838 SSL_CTX_free(sctx);
839 SSL_CTX_free(cctx);
840
841 return testresult;
842}
843
3cd14e5e
BK		 844/*
845 * Very focused test to exercise a single case in the server-side state
846 * machine, when the ChangeCipherState message needs to actually change
847 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 848 * encryption to real encryption).
3cd14e5e
BK		 849 */
850static int test_ccs_change_cipher(void)
851{
852 SSL_CTX *cctx = NULL, *sctx = NULL;
853 SSL *clientssl = NULL, *serverssl = NULL;
854 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
855 int testresult = 0;
856 int i;
857 unsigned char buf;
858 size_t readbytes;
859
860 /*
e304aa87 861 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 862 * a different cipher in the second connection.
863 */
5e30f2fd 864 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 865 TLS_client_method(),
866 TLS1_VERSION, TLS1_2_VERSION,
867 &sctx, &cctx, cert, privkey))
868 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
869 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
870 NULL, NULL))
871 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
873 SSL_ERROR_NONE))
874 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
875 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
876 goto end;
877
878 shutdown_ssl_connection(serverssl, clientssl);
879 serverssl = clientssl = NULL;
880
881 /* Resume, preferring a different cipher. Our server will force the
882 * same cipher to be used as the initial handshake. */
883 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
884 NULL, NULL))
885 || !TEST_true(SSL_set_session(clientssl, sess))
886 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
888 SSL_ERROR_NONE))
889 || !TEST_true(SSL_session_reused(clientssl))
890 || !TEST_true(SSL_session_reused(serverssl))
891 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
892 || !TEST_ptr_eq(sesspre, sesspost)
893 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
894 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
895 goto end;
896 shutdown_ssl_connection(serverssl, clientssl);
897 serverssl = clientssl = NULL;
898
899 /*
900 * Now create a fresh connection and try to renegotiate a different
901 * cipher on it.
902 */
b3e6d666
BK		 903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
904 NULL, NULL))
3cd14e5e
BK		 905 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
906 || !TEST_true(create_ssl_connection(serverssl, clientssl,
907 SSL_ERROR_NONE))
908 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
909 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
910 || !TEST_true(SSL_renegotiate(clientssl))
911 || !TEST_true(SSL_renegotiate_pending(clientssl)))
912 goto end;
913 /* Actually drive the renegotiation. */
914 for (i = 0; i < 3; i++) {
915 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
916 if (!TEST_ulong_eq(readbytes, 0))
917 goto end;
918 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
919 SSL_ERROR_WANT_READ)) {
920 goto end;
921 }
922 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
923 if (!TEST_ulong_eq(readbytes, 0))
924 goto end;
925 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
926 SSL_ERROR_WANT_READ)) {
927 goto end;
928 }
929 }
930 /* sesspre and sesspost should be different since the cipher changed. */
931 if (!TEST_false(SSL_renegotiate_pending(clientssl))
932 || !TEST_false(SSL_session_reused(clientssl))
933 || !TEST_false(SSL_session_reused(serverssl))
934 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
935 || !TEST_ptr_ne(sesspre, sesspost)
936 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
937 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
938 goto end;
939
940 shutdown_ssl_connection(serverssl, clientssl);
941 serverssl = clientssl = NULL;
942
943 testresult = 1;
944
945end:
946 SSL_free(serverssl);
947 SSL_free(clientssl);
948 SSL_CTX_free(sctx);
949 SSL_CTX_free(cctx);
950 SSL_SESSION_free(sess);
951
952 return testresult;
953}
fb121631 954#endif
3cd14e5e 955
149c4f98
MC		 956static int execute_test_large_message(const SSL_METHOD *smeth,
957 const SSL_METHOD *cmeth,
958 int min_version, int max_version,
959 int read_ahead)
960{
961 SSL_CTX *cctx = NULL, *sctx = NULL;
962 SSL *clientssl = NULL, *serverssl = NULL;
963 int testresult = 0;
964
5e30f2fd
MC		 965 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
966 max_version, &sctx, &cctx, cert,
967 privkey)))
84d5549e 968 goto end;
84d5549e 969
8ce390e1
MC		 970#ifdef OPENSSL_NO_DTLS1_2
971 if (smeth == DTLS_server_method()) {
972 /*
973 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
974 * level 0
975 */
976 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "DEFAULT:@SECLEVEL=0")))
979 goto end;
980 }
981#endif
982
710756a9 983 if (read_ahead) {
7856332e
MC		 984 /*
985 * Test that read_ahead works correctly when dealing with large
986 * records
987 */
988 SSL_CTX_set_read_ahead(cctx, 1);
989 }
990
3860ef2a 991 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98 992 goto end;
84d5549e 993
710756a9
RS		 994 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
995 NULL, NULL))
996 || !TEST_true(create_ssl_connection(serverssl, clientssl,
997 SSL_ERROR_NONE)))
84d5549e 998 goto end;
84d5549e 999
4bf08600
MC		 1000 /*
1001 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1002 * doesn't leak.
4bf08600 1003 */
710756a9 1004 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1005 goto end;
84d5549e 1006
4bf08600 1007 testresult = 1;
84d5549e 1008 end:
84d5549e
MC		 1009 SSL_free(serverssl);
1010 SSL_free(clientssl);
1011 SSL_CTX_free(sctx);
1012 SSL_CTX_free(cctx);
1013
1014 return testresult;
1015}
1016
da4db160 1017#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1018 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1019/* sock must be connected */
1020static int ktls_chk_platform(int sock)
1021{
1022 if (!ktls_enable(sock))
1023 return 0;
1024 return 1;
1025}
1026
e1fdd526 1027static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1028{
1029 static char count = 1;
1030 unsigned char cbuf[16000] = {0};
1031 unsigned char sbuf[16000];
1032 size_t err = 0;
e1fdd526
JB		 1033 char crec_wseq_before[SEQ_NUM_SIZE];
1034 char crec_wseq_after[SEQ_NUM_SIZE];
1035 char crec_rseq_before[SEQ_NUM_SIZE];
1036 char crec_rseq_after[SEQ_NUM_SIZE];
1037 char srec_wseq_before[SEQ_NUM_SIZE];
1038 char srec_wseq_after[SEQ_NUM_SIZE];
1039 char srec_rseq_before[SEQ_NUM_SIZE];
1040 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1041 SSL_CONNECTION *clientsc, *serversc;
1042
1043 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1044 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1045 goto end;
fe5d9450
BP		 1046
1047 cbuf[0] = count++;
2c50d7fb
MC		 1048 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1049 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1050 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1051 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1052
1053 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1054 goto end;
1055
1056 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1057 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1058 goto end;
1059 }
1060 }
1061
1062 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1063 goto end;
1064
1065 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1066 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1067 goto end;
1068 }
1069 }
1070
2c50d7fb
MC		 1071 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1072 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1073 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1074 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1075
1076 /* verify the payload */
1077 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1078 goto end;
1079
e1fdd526
JB		 1080 /*
1081 * If ktls is used then kernel sequences are used instead of
1082 * OpenSSL sequences
1083 */
38b051a1 1084 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1085 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1086 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1087 goto end;
1088 } else {
e1fdd526
JB		 1089 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1090 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1091 goto end;
1092 }
1093
38b051a1 1094 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1095 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1096 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1097 goto end;
1098 } else {
e1fdd526
JB		 1099 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1100 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1101 goto end;
1102 }
1103
38b051a1 1104 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1105 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1106 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1107 goto end;
1108 } else {
e1fdd526
JB		 1109 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1110 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1111 goto end;
1112 }
1113
38b051a1 1114 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1115 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1116 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1117 goto end;
1118 } else {
e1fdd526
JB		 1119 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1120 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1121 goto end;
1122 }
fe5d9450
BP		 1123
1124 return 1;
1125end:
1126 return 0;
1127}
1128
a3a54179 1129static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1130 int tls_version, const char *cipher)
fe5d9450
BP		 1131{
1132 SSL_CTX *cctx = NULL, *sctx = NULL;
1133 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1134 int ktls_used = 0, testresult = 0;
1135 int cfd = -1, sfd = -1;
1136 int rx_supported;
38b051a1 1137 SSL_CONNECTION *clientsc, *serversc;
fe5d9450 1138
0c593328 1139 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
fe5d9450
BP		 1140 goto end;
1141
1142 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1143 if (!ktls_chk_platform(cfd)) {
1144 testresult = TEST_skip("Kernel does not support KTLS");
1145 goto end;
1146 }
fe5d9450 1147
a5d8a2f8
DB		 1148 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1149 testresult = TEST_skip("CHACHA is not supported in FIPS");
1150 goto end;
1151 }
1152
fe5d9450 1153 /* Create a session based on SHA-256 */
5e30f2fd 1154 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1155 TLS_client_method(),
da4db160 1156 tls_version, tls_version,
e1fdd526
JB		 1157 &sctx, &cctx, cert, privkey)))
1158 goto end;
1159
1160 if (tls_version == TLS1_3_VERSION) {
1161 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1162 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1163 goto end;
1164 } else {
1165 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1166 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1167 goto end;
1168 }
1169
1170 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1171 &clientssl, sfd, cfd)))
fe5d9450
BP		 1172 goto end;
1173
38b051a1
TM		 1174 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1175 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1176 goto end;
1177
a3a54179
MC		 1178 if (cis_ktls) {
1179 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1180 goto end;
1181 }
1182
a3a54179 1183 if (sis_ktls) {
e1fdd526 1184 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1185 goto end;
1186 }
1187
e1fdd526 1188 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1189 goto end;
1190
e1fdd526
JB		 1191 /*
1192 * The running kernel may not support a given cipher suite
1193 * or direction, so just check that KTLS isn't used when it
1194 * isn't enabled.
1195 */
a3a54179 1196 if (!cis_ktls) {
38b051a1 1197 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1198 goto end;
1199 } else {
38b051a1 1200 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1201 ktls_used = 1;
fe5d9450
BP		 1202 }
1203
a3a54179 1204 if (!sis_ktls) {
38b051a1 1205 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1206 goto end;
1207 } else {
38b051a1 1208 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1209 ktls_used = 1;
fe5d9450
BP		 1210 }
1211
a3a54179 1212#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1213 rx_supported = 0;
1214#else
7c78932b 1215 rx_supported = 1;
a3a54179 1216#endif
e1fdd526 1217 if (!cis_ktls || !rx_supported) {
38b051a1 1218 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1219 goto end;
1220 } else {
38b051a1 1221 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1222 ktls_used = 1;
2fab79af
BP		 1223 }
1224
e1fdd526 1225 if (!sis_ktls || !rx_supported) {
38b051a1 1226 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1227 goto end;
1228 } else {
38b051a1 1229 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1230 ktls_used = 1;
1231 }
1232
1233 if ((cis_ktls || sis_ktls) && !ktls_used) {
1234 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1235 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1236 "TLS 1.2", cipher);
1237 goto end;
2fab79af
BP		 1238 }
1239
e1fdd526 1240 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1241 goto end;
1242
1243 testresult = 1;
1244end:
1245 if (clientssl) {
1246 SSL_shutdown(clientssl);
1247 SSL_free(clientssl);
1248 }
1249 if (serverssl) {
1250 SSL_shutdown(serverssl);
1251 SSL_free(serverssl);
1252 }
1253 SSL_CTX_free(sctx);
1254 SSL_CTX_free(cctx);
1255 serverssl = clientssl = NULL;
e1fdd526
JB		 1256 if (cfd != -1)
1257 close(cfd);
1258 if (sfd != -1)
1259 close(sfd);
fe5d9450
BP		 1260 return testresult;
1261}
1262
7c3a7561
BP		 1263#define SENDFILE_SZ (16 * 4096)
1264#define SENDFILE_CHUNK (4 * 4096)
1265#define min(a,b) ((a) > (b) ? (b) : (a))
1266
cd715b7e
MM		 1267static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1268 int zerocopy)
7c3a7561
BP		 1269{
1270 SSL_CTX *cctx = NULL, *sctx = NULL;
1271 SSL *clientssl = NULL, *serverssl = NULL;
1272 unsigned char *buf, *buf_dst;
1273 BIO *out = NULL, *in = NULL;
e1fdd526 1274 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1275 ssize_t chunk_size = 0;
1276 off_t chunk_off = 0;
1277 int testresult = 0;
1278 FILE *ffdp;
38b051a1 1279 SSL_CONNECTION *serversc;
7c3a7561
BP		 1280
1281 buf = OPENSSL_zalloc(SENDFILE_SZ);
1282 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1283 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
0c593328 1284 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
7c3a7561
BP		 1285 goto end;
1286
1287 /* Skip this test if the platform does not support ktls */
1288 if (!ktls_chk_platform(sfd)) {
e1fdd526 1289 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1290 goto end;
1291 }
1292
a5d8a2f8
DB		 1293 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1294 testresult = TEST_skip("CHACHA is not supported in FIPS");
1295 goto end;
1296 }
1297
7c3a7561 1298 /* Create a session based on SHA-256 */
5e30f2fd 1299 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1300 TLS_client_method(),
da4db160 1301 tls_version, tls_version,
e1fdd526
JB		 1302 &sctx, &cctx, cert, privkey)))
1303 goto end;
1304
1305 if (tls_version == TLS1_3_VERSION) {
1306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1307 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1308 goto end;
1309 } else {
1310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1311 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1312 goto end;
1313 }
1314
1315 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1316 &clientssl, sfd, cfd)))
1317 goto end;
1318
38b051a1
TM		 1319 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1320 goto end;
1321
e1fdd526 1322 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1323 goto end;
1324
cd715b7e
MM		 1325 if (zerocopy) {
1326 if (!TEST_true(SSL_set_options(serverssl,
1327 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1328 goto end;
1329 }
1330
7c3a7561 1331 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1332 SSL_ERROR_NONE)))
7c3a7561
BP		 1333 goto end;
1334
38b051a1 1335 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1336 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1337 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1338 "TLS 1.2", cipher);
1339 goto end;
1340 }
1341
c9007bda 1342 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1343 goto end;
1344
7c3a7561
BP		 1345 out = BIO_new_file(tmpfilename, "wb");
1346 if (!TEST_ptr(out))
1347 goto end;
1348
1349 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1350 goto end;
1351
1352 BIO_free(out);
1353 out = NULL;
1354 in = BIO_new_file(tmpfilename, "rb");
1355 BIO_get_fp(in, &ffdp);
1356 ffd = fileno(ffdp);
1357
1358 while (chunk_off < SENDFILE_SZ) {
1359 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1360 while ((err = SSL_sendfile(serverssl,
1361 ffd,
1362 chunk_off,
1363 chunk_size,
1364 0)) != chunk_size) {
1365 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1366 goto end;
1367 }
1368 while ((err = SSL_read(clientssl,
1369 buf_dst + chunk_off,
1370 chunk_size)) != chunk_size) {
1371 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1372 goto end;
1373 }
1374
1375 /* verify the payload */
1376 if (!TEST_mem_eq(buf_dst + chunk_off,
1377 chunk_size,
1378 buf + chunk_off,
1379 chunk_size))
1380 goto end;
1381
1382 chunk_off += chunk_size;
1383 }
1384
1385 testresult = 1;
1386end:
1387 if (clientssl) {
1388 SSL_shutdown(clientssl);
1389 SSL_free(clientssl);
1390 }
1391 if (serverssl) {
1392 SSL_shutdown(serverssl);
1393 SSL_free(serverssl);
1394 }
1395 SSL_CTX_free(sctx);
1396 SSL_CTX_free(cctx);
1397 serverssl = clientssl = NULL;
1398 BIO_free(out);
1399 BIO_free(in);
e1fdd526
JB		 1400 if (cfd != -1)
1401 close(cfd);
1402 if (sfd != -1)
1403 close(sfd);
7c3a7561
BP		 1404 OPENSSL_free(buf);
1405 OPENSSL_free(buf_dst);
1406 return testresult;
1407}
1408
e1fdd526
JB		 1409static struct ktls_test_cipher {
1410 int tls_version;
1411 const char *cipher;
1412} ktls_test_ciphers[] = {
1413# if !defined(OPENSSL_NO_TLS1_2)
1414# ifdef OPENSSL_KTLS_AES_GCM_128
1415 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1416# endif
1417# ifdef OPENSSL_KTLS_AES_CCM_128
1418 { TLS1_2_VERSION, "AES128-CCM"},
1419# endif
1420# ifdef OPENSSL_KTLS_AES_GCM_256
1421 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1422# endif
11bac1b4 1423# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
2dded44a 1424# ifndef OPENSSL_NO_EC
11bac1b4 1425 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
2dded44a 1426# endif
11bac1b4 1427# endif
e1fdd526
JB		 1428# endif
1429# if !defined(OSSL_NO_USABLE_TLS1_3)
1430# ifdef OPENSSL_KTLS_AES_GCM_128
1431 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1432# endif
1433# ifdef OPENSSL_KTLS_AES_CCM_128
1434 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1435# endif
1436# ifdef OPENSSL_KTLS_AES_GCM_256
1437 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1438# endif
11bac1b4
JB		 1439# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1440 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1441# endif
e1fdd526
JB		 1442# endif
1443};
1444
1445#define NUM_KTLS_TEST_CIPHERS \
1446 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1447
da4db160
VF		 1448static int test_ktls(int test)
1449{
e1fdd526 1450 struct ktls_test_cipher *cipher;
a3a54179 1451 int cis_ktls, sis_ktls;
da4db160 1452
2cff17fd 1453 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1454 cipher = &ktls_test_ciphers[test / 4];
da4db160 1455
a3a54179
MC		 1456 cis_ktls = (test & 1) != 0;
1457 sis_ktls = (test & 2) != 0;
cd03b5dc 1458
e1fdd526
JB		 1459 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1460 cipher->cipher);
2fab79af
BP		 1461}
1462
cd715b7e 1463static int test_ktls_sendfile(int test)
fe5d9450 1464{
e1fdd526 1465 struct ktls_test_cipher *cipher;
cd715b7e 1466 int tst = test >> 1;
da4db160 1467
2cff17fd 1468 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1469 cipher = &ktls_test_ciphers[tst];
da4db160 1470
cd715b7e
MM		 1471 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1472 test & 1);
fe5d9450 1473}
fe5d9450
BP		 1474#endif
1475
84d5549e
MC		 1476static int test_large_message_tls(void)
1477{
7856332e 1478 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1479 TLS1_VERSION, 0, 0);
7856332e
MC		 1480}
1481
1482static int test_large_message_tls_read_ahead(void)
1483{
1484 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1485 TLS1_VERSION, 0, 1);
84d5549e
MC		 1486}
1487
55386bef 1488#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1489static int test_large_message_dtls(void)
1490{
8ce390e1
MC		 1491# ifdef OPENSSL_NO_DTLS1_2
1492 /* Not supported in the FIPS provider */
1493 if (is_fips)
1494 return 1;
1495# endif
7856332e
MC		 1496 /*
1497 * read_ahead is not relevant to DTLS because DTLS always acts as if
1498 * read_ahead is set.
1499 */
84d5549e 1500 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1501 DTLS_client_method(),
5c587fb6 1502 DTLS1_VERSION, 0, 0);
84d5549e 1503}
55386bef 1504#endif
84d5549e 1505
3ff0a48a
MC		 1506/*
1507 * Test we can successfully send the maximum amount of application data. We
1508 * test each protocol version individually, each with and without EtM enabled.
1509 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1510 * simpler this way. We also test all combinations with and without the
1511 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1512 * underlying buffer.
1513 */
1514static int test_large_app_data(int tst)
1515{
1516 SSL_CTX *cctx = NULL, *sctx = NULL;
1517 SSL *clientssl = NULL, *serverssl = NULL;
1518 int testresult = 0, prot;
1519 unsigned char *msg, *buf = NULL;
1520 size_t written, readbytes;
2fda45d5
MC		 1521 const SSL_METHOD *smeth = TLS_server_method();
1522 const SSL_METHOD *cmeth = TLS_client_method();
3ff0a48a
MC		 1523
1524 switch (tst >> 2) {
1525 case 0:
1526#ifndef OSSL_NO_USABLE_TLS1_3
1527 prot = TLS1_3_VERSION;
1528 break;
1529#else
1530 return 1;
1531#endif
1532
1533 case 1:
1534#ifndef OPENSSL_NO_TLS1_2
1535 prot = TLS1_2_VERSION;
1536 break;
1537#else
1538 return 1;
1539#endif
1540
1541 case 2:
1542#ifndef OPENSSL_NO_TLS1_1
1543 prot = TLS1_1_VERSION;
1544 break;
1545#else
1546 return 1;
1547#endif
1548
1549 case 3:
1550#ifndef OPENSSL_NO_TLS1
1551 prot = TLS1_VERSION;
1552 break;
1553#else
1554 return 1;
1555#endif
1556
1557 case 4:
1558#ifndef OPENSSL_NO_SSL3
1559 prot = SSL3_VERSION;
1560 break;
1561#else
1562 return 1;
1563#endif
1564
2fda45d5
MC		 1565 case 5:
1566#ifndef OPENSSL_NO_DTLS1_2
1567 prot = DTLS1_2_VERSION;
1568 smeth = DTLS_server_method();
1569 cmeth = DTLS_client_method();
1570 break;
1571#else
1572 return 1;
1573#endif
1574
1575 case 6:
1576#ifndef OPENSSL_NO_DTLS1
1577 prot = DTLS1_VERSION;
1578 smeth = DTLS_server_method();
1579 cmeth = DTLS_client_method();
1580 break;
1581#else
1582 return 1;
1583#endif
1584
3ff0a48a
MC		 1585 default:
1586 /* Shouldn't happen */
1587 return 0;
1588 }
1589
2fda45d5 1590 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
3ff0a48a
MC		 1591 return 1;
1592
1593 /* Maximal sized message of zeros */
1594 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1595 if (!TEST_ptr(msg))
1596 goto end;
1597
1598 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1599 if (!TEST_ptr(buf))
1600 goto end;
1601 /* Set whole buffer to all bits set */
1602 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1603
2fda45d5 1604 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
3ff0a48a
MC		 1605 &sctx, &cctx, cert, privkey)))
1606 goto end;
1607
2fda45d5 1608 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
3ff0a48a
MC		 1609 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1610 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1611 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1612 "DEFAULT:@SECLEVEL=0")))
1613 goto end;
1614 }
1615
1616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1617 &clientssl, NULL, NULL)))
1618 goto end;
1619
1620 if ((tst & 1) != 0) {
1621 /* Setting this option gives us a minimally sized underlying buffer */
1622 if (!TEST_true(SSL_set_options(serverssl,
1623 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1624 || !TEST_true(SSL_set_options(clientssl,
1625 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1626 goto end;
1627 }
1628
1629 if ((tst & 2) != 0) {
1630 /*
1631 * Setting this option means the MAC is added before encryption
1632 * giving us a larger record for the encryption process
1633 */
1634 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1635 || !TEST_true(SSL_set_options(clientssl,
1636 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1637 goto end;
1638 }
1639
1640 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1641 goto end;
1642
1643 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1644 &written))
1645 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1646 goto end;
1647
1648 /* We provide a buffer slightly larger than what we are actually expecting */
1649 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1650 &readbytes)))
1651 goto end;
1652
1653 if (!TEST_mem_eq(msg, written, buf, readbytes))
1654 goto end;
1655
1656 testresult = 1;
1657end:
1658 OPENSSL_free(msg);
1659 OPENSSL_free(buf);
1660 SSL_free(serverssl);
1661 SSL_free(clientssl);
1662 SSL_CTX_free(sctx);
1663 SSL_CTX_free(cctx);
1664 return testresult;
1665}
1666
fb32f6ea
MC		 1667#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1668 || !defined(OPENSSL_NO_DTLS)
163b8016
ME		 1669static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1670 const SSL_METHOD *cmeth,
1671 int min_version, int max_version)
1672{
1673 size_t i;
1674 SSL_CTX *cctx = NULL, *sctx = NULL;
1675 SSL *clientssl = NULL, *serverssl = NULL;
1676 int testresult = 0;
2eb91b0e 1677 const unsigned char *zbuf;
38b051a1 1678 SSL_CONNECTION *serversc;
eddb067e 1679 TLS_RECORD *rr;
163b8016
ME		 1680
1681 static unsigned char cbuf[16000];
1682 static unsigned char sbuf[16000];
1683
1684 if (!TEST_true(create_ssl_ctx_pair(libctx,
1685 smeth, cmeth,
1686 min_version, max_version,
1687 &sctx, &cctx, cert,
1688 privkey)))
1689 goto end;
1690
8ce390e1 1691# ifdef OPENSSL_NO_DTLS1_2
fb32f6ea 1692 if (smeth == DTLS_server_method()) {
8ce390e1
MC		 1693 /* Not supported in the FIPS provider */
1694 if (is_fips) {
1695 testresult = 1;
1696 goto end;
1697 };
8ce390e1
MC		 1698 /*
1699 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1700 * level 0
1701 */
1702 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1703 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1704 "DEFAULT:@SECLEVEL=0")))
1705 goto end;
1706 }
fb32f6ea 1707# endif
8ce390e1 1708
163b8016
ME		 1709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1710 NULL, NULL)))
1711 goto end;
1712
1713 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1714 goto end;
1715
1716 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1717 SSL_ERROR_NONE)))
1718 goto end;
1719
1720 for (i = 0; i < sizeof(cbuf); i++) {
1721 cbuf[i] = i & 0xff;
1722 }
1723
1724 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1725 goto end;
1726
1727 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1728 goto end;
1729
1730 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1731 goto end;
1732
1733 /*
1734 * Since we called SSL_peek(), we know the data in the record
1735 * layer is a plaintext record. We can gather the pointer to check
1736 * for zeroization after SSL_read().
1737 */
38b051a1
TM		 1738 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1739 goto end;
eddb067e 1740 rr = serversc->rlayer.tlsrecs;
4030869d 1741
eddb067e
MC		 1742 zbuf = &rr->data[rr->off];
1743 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1744 goto end;
163b8016
ME		 1745
1746 /*
1747 * After SSL_peek() the plaintext must still be stored in the
1748 * record.
1749 */
1750 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1751 goto end;
1752
1753 memset(sbuf, 0, sizeof(sbuf));
1754 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1755 goto end;
1756
1757 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1758 goto end;
1759
1760 /* Check if rbuf is cleansed */
1761 memset(cbuf, 0, sizeof(cbuf));
1762 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1763 goto end;
1764
1765 testresult = 1;
1766 end:
1767 SSL_free(serverssl);
1768 SSL_free(clientssl);
1769 SSL_CTX_free(sctx);
1770 SSL_CTX_free(cctx);
1771
1772 return testresult;
1773}
fb32f6ea
MC		 1774#endif /*
1775 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1776 * || !defined(OPENSSL_NO_DTLS)
1777 */
163b8016
ME		 1778
1779static int test_cleanse_plaintext(void)
1780{
1781#if !defined(OPENSSL_NO_TLS1_2)
1782 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1783 TLS_client_method(),
1784 TLS1_2_VERSION,
1785 TLS1_2_VERSION)))
1786 return 0;
1787
1788#endif
1789
a763ca11 1790#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1791 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1792 TLS_client_method(),
1793 TLS1_3_VERSION,
1794 TLS1_3_VERSION)))
1795 return 0;
1796#endif
1797
1798#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1799
163b8016
ME		 1800 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1801 DTLS_client_method(),
1802 DTLS1_VERSION,
1803 0)))
1804 return 0;
1805#endif
1806 return 1;
1807}
1808
8f8c11d8 1809#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1810static int ocsp_server_cb(SSL *s, void *arg)
1811{
1812 int *argi = (int *)arg;
710756a9 1813 unsigned char *copy = NULL;
ba881d3b
MC		 1814 STACK_OF(OCSP_RESPID) *ids = NULL;
1815 OCSP_RESPID *id = NULL;
1816
1817 if (*argi == 2) {
1818 /* In this test we are expecting exactly 1 OCSP_RESPID */
1819 SSL_get_tlsext_status_ids(s, &ids);
1820 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1821 return SSL_TLSEXT_ERR_ALERT_FATAL;
1822
1823 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1824 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1825 return SSL_TLSEXT_ERR_ALERT_FATAL;
1826 } else if (*argi != 1) {
1827 return SSL_TLSEXT_ERR_ALERT_FATAL;
1828 }
1829
710756a9 1830 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1831 return SSL_TLSEXT_ERR_ALERT_FATAL;
1832
711d5a2f
P		 1833 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1834 sizeof(orespder)))) {
1835 OPENSSL_free(copy);
1836 return SSL_TLSEXT_ERR_ALERT_FATAL;
1837 }
ba881d3b 1838 ocsp_server_called = 1;
ba881d3b
MC		 1839 return SSL_TLSEXT_ERR_OK;
1840}
1841
1842static int ocsp_client_cb(SSL *s, void *arg)
1843{
1844 int *argi = (int *)arg;
1845 const unsigned char *respderin;
1846 size_t len;
1847
1848 if (*argi != 1 && *argi != 2)
1849 return 0;
1850
1851 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1852 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1853 return 0;
1854
1855 ocsp_client_called = 1;
ba881d3b
MC		 1856 return 1;
1857}
1858
2cb4b5f6
MC		 1859static int test_tlsext_status_type(void)
1860{
ba881d3b
MC		 1861 SSL_CTX *cctx = NULL, *sctx = NULL;
1862 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1863 int testresult = 0;
ba881d3b
MC		 1864 STACK_OF(OCSP_RESPID) *ids = NULL;
1865 OCSP_RESPID *id = NULL;
1866 BIO *certbio = NULL;
2cb4b5f6 1867
5e30f2fd 1868 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1869 TLS1_VERSION, 0,
7d7f6834 1870 &sctx, &cctx, cert, privkey))
ba881d3b 1871 return 0;
2cb4b5f6 1872
710756a9 1873 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1874 goto end;
2cb4b5f6 1875
ba881d3b 1876 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1877
ba881d3b 1878 clientssl = SSL_new(cctx);
710756a9
RS		 1879 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1880 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1881 TLSEXT_STATUSTYPE_ocsp))
1882 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1883 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1884 goto end;
2cb4b5f6 1885
ba881d3b
MC		 1886 SSL_free(clientssl);
1887 clientssl = NULL;
2cb4b5f6 1888
710756a9
RS		 1889 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1890 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1891 goto end;
2cb4b5f6 1892
ba881d3b 1893 clientssl = SSL_new(cctx);
710756a9 1894 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1895 goto end;
ba881d3b
MC		 1896 SSL_free(clientssl);
1897 clientssl = NULL;
1898
1899 /*
1900 * Now actually do a handshake and check OCSP information is exchanged and
1901 * the callbacks get called
1902 */
ba881d3b
MC		 1903 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1904 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1905 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1906 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1908 &clientssl, NULL, NULL))
1909 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1910 SSL_ERROR_NONE))
1911 || !TEST_true(ocsp_client_called)
1912 || !TEST_true(ocsp_server_called))
ba881d3b 1913 goto end;
ba881d3b
MC		 1914 SSL_free(serverssl);
1915 SSL_free(clientssl);
1916 serverssl = NULL;
1917 clientssl = NULL;
1918
1919 /* Try again but this time force the server side callback to fail */
1920 ocsp_client_called = 0;
1921 ocsp_server_called = 0;
1922 cdummyarg = 0;
710756a9
RS		 1923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1924 &clientssl, NULL, NULL))
1925 /* This should fail because the callback will fail */
1926 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1927 SSL_ERROR_NONE))
1928 || !TEST_false(ocsp_client_called)
1929 || !TEST_false(ocsp_server_called))
ba881d3b 1930 goto end;
ba881d3b
MC		 1931 SSL_free(serverssl);
1932 SSL_free(clientssl);
1933 serverssl = NULL;
1934 clientssl = NULL;
1935
1936 /*
1937 * This time we'll get the client to send an OCSP_RESPID that it will
1938 * accept.
1939 */
1940 ocsp_client_called = 0;
1941 ocsp_server_called = 0;
1942 cdummyarg = 2;
710756a9
RS		 1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL)))
ba881d3b 1945 goto end;
ba881d3b
MC		 1946
1947 /*
1948 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1949 * specific one. We'll use the server cert.
ba881d3b 1950 */
710756a9
RS		 1951 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1952 || !TEST_ptr(id = OCSP_RESPID_new())
1953 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1954 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1955 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1956 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1957 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1958 goto end;
ba881d3b
MC		 1959 id = NULL;
1960 SSL_set_tlsext_status_ids(clientssl, ids);
1961 /* Control has been transferred */
1962 ids = NULL;
1963
1964 BIO_free(certbio);
1965 certbio = NULL;
1966
710756a9
RS		 1967 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1968 SSL_ERROR_NONE))
1969 || !TEST_true(ocsp_client_called)
1970 || !TEST_true(ocsp_server_called))
ba881d3b 1971 goto end;
ba881d3b 1972
2cb4b5f6
MC		 1973 testresult = 1;
1974
1975 end:
ba881d3b
MC		 1976 SSL_free(serverssl);
1977 SSL_free(clientssl);
1978 SSL_CTX_free(sctx);
1979 SSL_CTX_free(cctx);
1980 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1981 OCSP_RESPID_free(id);
1982 BIO_free(certbio);
1983 X509_free(ocspcert);
1984 ocspcert = NULL;
2cb4b5f6
MC		 1985
1986 return testresult;
1987}
8f8c11d8 1988#endif
2cb4b5f6 1989
a763ca11 1990#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1991static int new_called, remove_called, get_called;
eaa776da 1992
eaa776da
MC		 1993static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1994{
1995 new_called++;
c0537ebd
MC		 1996 /*
1997 * sess has been up-refed for us, but we don't actually need it so free it
1998 * immediately.
1999 */
2000 SSL_SESSION_free(sess);
eaa776da
MC		 2001 return 1;
2002}
2003
2004static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2005{
2006 remove_called++;
2007}
2008
7a301f08
MC		 2009static SSL_SESSION *get_sess_val = NULL;
2010
2011static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2012 int *copy)
2013{
0afca811 2014 get_called++;
7a301f08
MC		 2015 *copy = 1;
2016 return get_sess_val;
2017}
2018
7a301f08 2019static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 2020 int use_ext_cache, long s_options)
2cb4b5f6
MC		 2021{
2022 SSL_CTX *sctx = NULL, *cctx = NULL;
2023 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2024 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 2025# ifndef OPENSSL_NO_TLS1_1
eaa776da 2026 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 2027# endif
2cb4b5f6 2028 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 2029 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 2030
7e885b7b
P		 2031 new_called = remove_called = 0;
2032
36ff232c
MC		 2033 /* TLSv1.3 sends 2 NewSessionTickets */
2034 if (maxprot == TLS1_3_VERSION)
2035 numnewsesstick = 2;
2036
5e30f2fd
MC		 2037 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2038 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2039 &sctx, &cctx, cert, privkey)))
2cb4b5f6 2040 return 0;
2cb4b5f6 2041
7a301f08
MC		 2042 /*
2043 * Only allow the max protocol version so we can force a connection failure
2044 * later
2045 */
2046 SSL_CTX_set_min_proto_version(cctx, maxprot);
2047 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 2048
2049 /* Set up session cache */
7e885b7b 2050 if (use_ext_cache) {
eaa776da
MC		 2051 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2052 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2053 }
7e885b7b 2054 if (use_int_cache) {
eaa776da
MC		 2055 /* Also covers instance where both are set */
2056 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2057 } else {
2058 SSL_CTX_set_session_cache_mode(cctx,
2059 SSL_SESS_CACHE_CLIENT
2060 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2061 }
2cb4b5f6 2062
90fc2c26
NM		 2063 if (s_options) {
2064 SSL_CTX_set_options(sctx, s_options);
2065 }
2066
710756a9
RS		 2067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2068 NULL, NULL))
2069 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2070 SSL_ERROR_NONE))
2071 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 2072 goto end;
2cb4b5f6 2073
710756a9 2074 /* Should fail because it should already be in the cache */
7e885b7b 2075 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 2076 goto end;
7a301f08 2077 if (use_ext_cache
36ff232c
MC		 2078 && (!TEST_int_eq(new_called, numnewsesstick)
2079
2080 || !TEST_int_eq(remove_called, 0)))
b4982125 2081 goto end;
b4982125 2082
c0537ebd
MC		 2083 new_called = remove_called = 0;
2084 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2085 &clientssl2, NULL, NULL))
2086 || !TEST_true(SSL_set_session(clientssl2, sess1))
2087 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2088 SSL_ERROR_NONE))
2089 || !TEST_true(SSL_session_reused(clientssl2)))
2090 goto end;
2091
7a301f08
MC		 2092 if (maxprot == TLS1_3_VERSION) {
2093 /*
2094 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 2095 * resumed. Since we attempted a resume we should also have removed the
2096 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 2097 */
2098 if (use_ext_cache
2099 && (!TEST_int_eq(new_called, 1)
4cb00457 2100 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2101 goto end;
2102 } else {
2103 /*
2104 * In TLSv1.2 we expect to have resumed so no sessions added or
2105 * removed.
2106 */
2107 if (use_ext_cache
2108 && (!TEST_int_eq(new_called, 0)
2109 || !TEST_int_eq(remove_called, 0)))
2110 goto end;
2111 }
c0537ebd
MC		 2112
2113 SSL_SESSION_free(sess1);
2114 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2115 goto end;
2116 shutdown_ssl_connection(serverssl2, clientssl2);
2117 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2118
2119 new_called = remove_called = 0;
710756a9
RS		 2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2123 SSL_ERROR_NONE)))
2cb4b5f6 2124 goto end;
2cb4b5f6 2125
710756a9 2126 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2127 goto end;
2cb4b5f6 2128
7a301f08 2129 if (use_ext_cache
36ff232c
MC		 2130 && (!TEST_int_eq(new_called, numnewsesstick)
2131 || !TEST_int_eq(remove_called, 0)))
eaa776da 2132 goto end;
eaa776da 2133
c0537ebd 2134 new_called = remove_called = 0;
2cb4b5f6 2135 /*
710756a9
RS		 2136 * This should clear sess2 from the cache because it is a "bad" session.
2137 * See SSL_set_session() documentation.
2cb4b5f6 2138 */
710756a9 2139 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2140 goto end;
7a301f08
MC		 2141 if (use_ext_cache
2142 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2143 goto end;
710756a9 2144 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2145 goto end;
2cb4b5f6 2146
7e885b7b 2147 if (use_int_cache) {
710756a9
RS		 2148 /* Should succeeded because it should not already be in the cache */
2149 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2150 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2151 goto end;
eaa776da
MC		 2152 }
2153
c0537ebd 2154 new_called = remove_called = 0;
eaa776da 2155 /* This shouldn't be in the cache so should fail */
710756a9 2156 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2157 goto end;
2cb4b5f6 2158
7a301f08
MC		 2159 if (use_ext_cache
2160 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2161 goto end;
2cb4b5f6 2162
bf208d95 2163# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2164 new_called = remove_called = 0;
eaa776da
MC		 2165 /* Force a connection failure */
2166 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2168 &clientssl3, NULL, NULL))
2169 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2170 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2171 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2172 SSL_ERROR_NONE)))
eaa776da 2173 goto end;
b4982125 2174
eaa776da 2175 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2176 if (use_ext_cache
2177 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2178 goto end;
2cb4b5f6 2179
710756a9 2180 /* Should succeed because it should not already be in the cache */
7e885b7b 2181 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2182 goto end;
bf208d95 2183# endif
eaa776da 2184
7a301f08
MC		 2185 /* Now do some tests for server side caching */
2186 if (use_ext_cache) {
2187 SSL_CTX_sess_set_new_cb(cctx, NULL);
2188 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2189 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2190 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2191 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2192 get_sess_val = NULL;
2193 }
2194
2195 SSL_CTX_set_session_cache_mode(cctx, 0);
2196 /* Internal caching is the default on the server side */
2197 if (!use_int_cache)
2198 SSL_CTX_set_session_cache_mode(sctx,
2199 SSL_SESS_CACHE_SERVER
2200 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2201
2202 SSL_free(serverssl1);
2203 SSL_free(clientssl1);
2204 serverssl1 = clientssl1 = NULL;
2205 SSL_free(serverssl2);
2206 SSL_free(clientssl2);
2207 serverssl2 = clientssl2 = NULL;
2208 SSL_SESSION_free(sess1);
2209 sess1 = NULL;
2210 SSL_SESSION_free(sess2);
2211 sess2 = NULL;
2212
2213 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2214 if (maxprot == TLS1_2_VERSION)
2215 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2216 new_called = remove_called = get_called = 0;
7a301f08
MC		 2217 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2218 NULL, NULL))
2219 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2220 SSL_ERROR_NONE))
2221 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2222 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2223 goto end;
2224
ee94ec2e
MC		 2225 if (use_int_cache) {
2226 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2227 /*
2228 * In TLSv1.3 it should not have been added to the internal cache,
2229 * except in the case where we also have an external cache (in that
2230 * case it gets added to the cache in order to generate remove
2231 * events after timeout).
2232 */
2233 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2234 goto end;
2235 } else {
2236 /* Should fail because it should already be in the cache */
2237 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2238 goto end;
2239 }
2240 }
7a301f08
MC		 2241
2242 if (use_ext_cache) {
2243 SSL_SESSION *tmp = sess2;
2244
36ff232c 2245 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2246 || !TEST_int_eq(remove_called, 0)
2247 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2248 goto end;
2249 /*
2250 * Delete the session from the internal cache to force a lookup from
2251 * the external cache. We take a copy first because
2252 * SSL_CTX_remove_session() also marks the session as non-resumable.
2253 */
ee94ec2e 2254 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6 2255 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
9fdf9a44
WL		 2256 || !TEST_true(sess2->owner != NULL)
2257 || !TEST_true(tmp->owner == NULL)
2258 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
3cb6a4d6
BK		 2259 goto end;
2260 SSL_SESSION_free(sess2);
2261 }
7a301f08
MC		 2262 sess2 = tmp;
2263 }
2264
0afca811 2265 new_called = remove_called = get_called = 0;
7a301f08
MC		 2266 get_sess_val = sess2;
2267 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2268 &clientssl2, NULL, NULL))
2269 || !TEST_true(SSL_set_session(clientssl2, sess1))
2270 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2271 SSL_ERROR_NONE))
2272 || !TEST_true(SSL_session_reused(clientssl2)))
2273 goto end;
2274
0afca811 2275 if (use_ext_cache) {
32305f88 2276 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2277 goto end;
2278
2279 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2280 if (!TEST_int_eq(new_called, 1)
2281 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2282 goto end;
2283 } else {
32305f88
MC		 2284 if (!TEST_int_eq(new_called, 0)
2285 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2286 goto end;
2287 }
2288 }
4842a27b
TS		 2289 /*
2290 * Make a small cache, force out all other sessions but
2291 * sess2, try to add sess1, which should succeed. Then
2292 * make sure it's there by checking the owners. Despite
2293 * the timeouts, sess1 should have kicked out sess2
2294 */
2295
2296 /* Make sess1 expire before sess2 */
2297 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2298 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2299 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2300 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2301 goto end;
2302
2303 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2304 goto end;
2305
2306 /* Don't care about results - cache should only be sess2 at end */
2307 SSL_CTX_add_session(sctx, sess1);
2308 SSL_CTX_add_session(sctx, sess2);
2309
2310 /* Now add sess1, and make sure it remains, despite timeout */
2311 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2312 || !TEST_ptr(sess1->owner)
2313 || !TEST_ptr_null(sess2->owner))
2314 goto end;
7a301f08 2315
2cb4b5f6 2316 testresult = 1;
eaa776da 2317
2cb4b5f6
MC		 2318 end:
2319 SSL_free(serverssl1);
2320 SSL_free(clientssl1);
2321 SSL_free(serverssl2);
2322 SSL_free(clientssl2);
bf208d95 2323# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2324 SSL_free(serverssl3);
2325 SSL_free(clientssl3);
bf208d95 2326# endif
2cb4b5f6
MC		 2327 SSL_SESSION_free(sess1);
2328 SSL_SESSION_free(sess2);
2329 SSL_CTX_free(sctx);
2330 SSL_CTX_free(cctx);
2331
2332 return testresult;
2333}
a763ca11 2334#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2335
7fb4c820
MC		 2336static int test_session_with_only_int_cache(void)
2337{
a763ca11 2338#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2339 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2340 return 0;
2341#endif
2342
2343#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2344 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2345#else
2346 return 1;
2347#endif
eaa776da
MC		 2348}
2349
7fb4c820
MC		 2350static int test_session_with_only_ext_cache(void)
2351{
a763ca11 2352#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2353 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2354 return 0;
2355#endif
2356
2357#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2358 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2359#else
2360 return 1;
2361#endif
eaa776da
MC		 2362}
2363
7fb4c820
MC		 2364static int test_session_with_both_cache(void)
2365{
a763ca11 2366#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2367 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2368 return 0;
2369#endif
2370
2371#ifndef OPENSSL_NO_TLS1_2
2372 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2373#else
2374 return 1;
2375#endif
2376}
2377
2378static int test_session_wo_ca_names(void)
2379{
a763ca11 2380#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2381 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2382 return 0;
2383#endif
2384
2385#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2386 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2387#else
2388 return 1;
2389#endif
eaa776da
MC		 2390}
2391
90fc2c26 2392
a763ca11 2393#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2394static SSL_SESSION *sesscache[6];
2395static int do_cache;
36ff232c
MC		 2396
2397static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2398{
c22365b3
MC		 2399 if (do_cache) {
2400 sesscache[new_called] = sess;
2401 } else {
2402 /* We don't need the reference to the session, so free it */
2403 SSL_SESSION_free(sess);
2404 }
2405 new_called++;
2406
2407 return 1;
2408}
2409
2410static int post_handshake_verify(SSL *sssl, SSL *cssl)
2411{
2412 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2413 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2414 return 0;
2415
2416 /* Start handshake on the server and client */
2417 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2418 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2419 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2420 || !TEST_true(create_ssl_connection(sssl, cssl,
2421 SSL_ERROR_NONE)))
2422 return 0;
36ff232c
MC		 2423
2424 return 1;
2425}
2426
fbe9dafd 2427static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2428 SSL_CTX **cctx)
2429{
2430 int sess_id_ctx = 1;
2431
5e30f2fd
MC		 2432 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2433 TLS_client_method(), TLS1_VERSION, 0,
2434 sctx, cctx, cert, privkey))
03cdf559
MC		 2435 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2436 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2437 (void *)&sess_id_ctx,
2438 sizeof(sess_id_ctx))))
2439 return 0;
2440
2441 if (stateful)
2442 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2443
2444 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2445 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2446 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2447
2448 return 1;
2449}
2450
2451static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2452{
2453 SSL *serverssl = NULL, *clientssl = NULL;
2454 int i;
2455
2456 /* Test that we can resume with all the tickets we got given */
2457 for (i = 0; i < idx * 2; i++) {
2458 new_called = 0;
2459 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2460 &clientssl, NULL, NULL))
2461 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2462 goto end;
2463
32097b33 2464 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2465
2466 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2467 SSL_ERROR_NONE)))
2468 goto end;
2469
2470 /*
2471 * Following a successful resumption we only get 1 ticket. After a
2472 * failed one we should get idx tickets.
2473 */
2474 if (succ) {
2475 if (!TEST_true(SSL_session_reused(clientssl))
2476 || !TEST_int_eq(new_called, 1))
2477 goto end;
2478 } else {
2479 if (!TEST_false(SSL_session_reused(clientssl))
2480 || !TEST_int_eq(new_called, idx))
2481 goto end;
2482 }
2483
2484 new_called = 0;
2485 /* After a post-handshake authentication we should get 1 new ticket */
2486 if (succ
2487 && (!post_handshake_verify(serverssl, clientssl)
2488 || !TEST_int_eq(new_called, 1)))
2489 goto end;
2490
2491 SSL_shutdown(clientssl);
2492 SSL_shutdown(serverssl);
2493 SSL_free(serverssl);
2494 SSL_free(clientssl);
2495 serverssl = clientssl = NULL;
2496 SSL_SESSION_free(sesscache[i]);
2497 sesscache[i] = NULL;
2498 }
2499
2500 return 1;
2501
2502 end:
2503 SSL_free(clientssl);
2504 SSL_free(serverssl);
2505 return 0;
2506}
2507
04d7814a 2508static int test_tickets(int stateful, int idx)
36ff232c
MC		 2509{
2510 SSL_CTX *sctx = NULL, *cctx = NULL;
2511 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2512 int testresult = 0;
36ff232c
MC		 2513 size_t j;
2514
2515 /* idx is the test number, but also the number of tickets we want */
2516
2517 new_called = 0;
c22365b3 2518 do_cache = 1;
36ff232c 2519
fbe9dafd 2520 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2521 goto end;
2522
03cdf559
MC		 2523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2524 &clientssl, NULL, NULL)))
2525 goto end;
2526
2527 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2528 SSL_ERROR_NONE))
2529 /* Check we got the number of tickets we were expecting */
2530 || !TEST_int_eq(idx, new_called))
2531 goto end;
04d7814a 2532
03cdf559
MC		 2533 SSL_shutdown(clientssl);
2534 SSL_shutdown(serverssl);
2535 SSL_free(serverssl);
2536 SSL_free(clientssl);
2537 SSL_CTX_free(sctx);
2538 SSL_CTX_free(cctx);
2539 clientssl = serverssl = NULL;
2540 sctx = cctx = NULL;
2541
2542 /*
2543 * Now we try to resume with the tickets we previously created. The
2544 * resumption attempt is expected to fail (because we're now using a new
2545 * SSL_CTX). We should see idx number of tickets issued again.
2546 */
2547
2548 /* Stop caching sessions - just count them */
2549 do_cache = 0;
2550
fbe9dafd 2551 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2552 goto end;
2553
2554 if (!check_resumption(idx, sctx, cctx, 0))
2555 goto end;
2556
2557 /* Start again with caching sessions */
2558 new_called = 0;
2559 do_cache = 1;
fbe9dafd
MC		 2560 SSL_CTX_free(sctx);
2561 SSL_CTX_free(cctx);
2562 sctx = cctx = NULL;
03cdf559 2563
fbe9dafd 2564 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2565 goto end;
36ff232c
MC		 2566
2567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2568 &clientssl, NULL, NULL)))
2569 goto end;
2570
32097b33 2571 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2572
2573 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2574 SSL_ERROR_NONE))
2575 /* Check we got the number of tickets we were expecting */
2576 || !TEST_int_eq(idx, new_called))
2577 goto end;
2578
2579 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2580 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2581 || !TEST_int_eq(idx * 2, new_called))
2582 goto end;
2583
36ff232c
MC		 2584 SSL_shutdown(clientssl);
2585 SSL_shutdown(serverssl);
2586 SSL_free(serverssl);
2587 SSL_free(clientssl);
2588 serverssl = clientssl = NULL;
2589
c22365b3
MC		 2590 /* Stop caching sessions - just count them */
2591 do_cache = 0;
2592
03cdf559
MC		 2593 /*
2594 * Check we can resume with all the tickets we created. This time around the
2595 * resumptions should all be successful.
2596 */
2597 if (!check_resumption(idx, sctx, cctx, 1))
2598 goto end;
36ff232c
MC		 2599
2600 testresult = 1;
2601
2602 end:
2603 SSL_free(serverssl);
2604 SSL_free(clientssl);
c22365b3 2605 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2606 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2607 sesscache[j] = NULL;
2608 }
36ff232c
MC		 2609 SSL_CTX_free(sctx);
2610 SSL_CTX_free(cctx);
2611
2612 return testresult;
2613}
04d7814a
MC		 2614
2615static int test_stateless_tickets(int idx)
2616{
2617 return test_tickets(0, idx);
2618}
2619
2620static int test_stateful_tickets(int idx)
2621{
2622 return test_tickets(1, idx);
2623}
8614a4eb
MC		 2624
2625static int test_psk_tickets(void)
2626{
2627 SSL_CTX *sctx = NULL, *cctx = NULL;
2628 SSL *serverssl = NULL, *clientssl = NULL;
2629 int testresult = 0;
2630 int sess_id_ctx = 1;
2631
5e30f2fd
MC		 2632 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2633 TLS_client_method(), TLS1_VERSION, 0,
2634 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2635 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2636 (void *)&sess_id_ctx,
2637 sizeof(sess_id_ctx))))
2638 goto end;
2639
2640 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2641 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2642 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2643 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2644 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2645 use_session_cb_cnt = 0;
2646 find_session_cb_cnt = 0;
2647 srvid = pskid;
2648 new_called = 0;
2649
2650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2651 NULL, NULL)))
2652 goto end;
10836921 2653 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
8614a4eb
MC		 2654 if (!TEST_ptr(clientpsk))
2655 goto end;
2656 SSL_SESSION_up_ref(clientpsk);
2657
2658 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2659 SSL_ERROR_NONE))
2660 || !TEST_int_eq(1, find_session_cb_cnt)
2661 || !TEST_int_eq(1, use_session_cb_cnt)
2662 /* We should always get 1 ticket when using external PSK */
2663 || !TEST_int_eq(1, new_called))
2664 goto end;
2665
2666 testresult = 1;
2667
2668 end:
2669 SSL_free(serverssl);
2670 SSL_free(clientssl);
2671 SSL_CTX_free(sctx);
2672 SSL_CTX_free(cctx);
2673 SSL_SESSION_free(clientpsk);
2674 SSL_SESSION_free(serverpsk);
2675 clientpsk = serverpsk = NULL;
2676
2677 return testresult;
2678}
f0049b86
BK		 2679
2680static int test_extra_tickets(int idx)
2681{
2682 SSL_CTX *sctx = NULL, *cctx = NULL;
2683 SSL *serverssl = NULL, *clientssl = NULL;
2684 BIO *bretry = BIO_new(bio_s_always_retry());
2685 BIO *tmp = NULL;
2686 int testresult = 0;
2687 int stateful = 0;
2688 size_t nbytes;
2689 unsigned char c, buf[1];
2690
2691 new_called = 0;
2692 do_cache = 1;
2693
2694 if (idx >= 3) {
2695 idx -= 3;
2696 stateful = 1;
2697 }
2698
2699 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2700 goto end;
2701 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2702 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2703 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2704
2705 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2706 &clientssl, NULL, NULL)))
2707 goto end;
2708
2709 /*
2710 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2711 * incremented by both client and server.
2712 */
2713 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2714 SSL_ERROR_NONE))
2715 /* Check we got the number of tickets we were expecting */
2716 || !TEST_int_eq(idx * 2, new_called)
2717 || !TEST_true(SSL_new_session_ticket(serverssl))
2718 || !TEST_true(SSL_new_session_ticket(serverssl))
2719 || !TEST_int_eq(idx * 2, new_called))
2720 goto end;
2721
2722 /* Now try a (real) write to actually send the tickets */
2723 c = '1';
2724 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2725 || !TEST_size_t_eq(1, nbytes)
2726 || !TEST_int_eq(idx * 2 + 2, new_called)
2727 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2728 || !TEST_int_eq(idx * 2 + 4, new_called)
2729 || !TEST_int_eq(sizeof(buf), nbytes)
2730 || !TEST_int_eq(c, buf[0])
2731 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2732 goto end;
2733
2734 /* Try with only requesting one new ticket, too */
2735 c = '2';
2736 new_called = 0;
2737 if (!TEST_true(SSL_new_session_ticket(serverssl))
2738 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2739 || !TEST_size_t_eq(sizeof(c), nbytes)
2740 || !TEST_int_eq(1, new_called)
2741 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2742 || !TEST_int_eq(2, new_called)
2743 || !TEST_size_t_eq(sizeof(buf), nbytes)
2744 || !TEST_int_eq(c, buf[0]))
2745 goto end;
2746
2747 /* Do it again but use dummy writes to drive the ticket generation */
2748 c = '3';
2749 new_called = 0;
2750 if (!TEST_true(SSL_new_session_ticket(serverssl))
2751 || !TEST_true(SSL_new_session_ticket(serverssl))
2752 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2753 || !TEST_size_t_eq(0, nbytes)
2754 || !TEST_int_eq(2, new_called)
2755 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2756 || !TEST_int_eq(4, new_called))
2757 goto end;
2758
a0bbcb42
BK		 2759 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2760 c = '4';
2761 new_called = 0;
2762 if (!TEST_true(SSL_new_session_ticket(serverssl))
2763 || !TEST_true(SSL_new_session_ticket(serverssl))
2764 || !TEST_true(SSL_do_handshake(serverssl))
2765 || !TEST_int_eq(2, new_called)
2766 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2767 || !TEST_int_eq(4, new_called))
2768 goto end;
2769
f0049b86
BK		 2770 /*
2771 * Use the always-retry BIO to exercise the logic that forces ticket
2772 * generation to wait until a record boundary.
2773 */
a0bbcb42 2774 c = '5';
f0049b86
BK		 2775 new_called = 0;
2776 tmp = SSL_get_wbio(serverssl);
2777 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2778 tmp = NULL;
2779 goto end;
2780 }
2781 SSL_set0_wbio(serverssl, bretry);
2782 bretry = NULL;
2783 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2784 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2785 || !TEST_size_t_eq(nbytes, 0))
2786 goto end;
2787 /* Restore a BIO that will let the write succeed */
2788 SSL_set0_wbio(serverssl, tmp);
2789 tmp = NULL;
a0bbcb42
BK		 2790 /*
2791 * These calls should just queue the request and not send anything
2792 * even if we explicitly try to hit the state machine.
2793 */
f0049b86
BK		 2794 if (!TEST_true(SSL_new_session_ticket(serverssl))
2795 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2796 || !TEST_int_eq(0, new_called)
2797 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2798 || !TEST_int_eq(0, new_called))
2799 goto end;
2800 /* Re-do the write; still no tickets sent */
2801 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2802 || !TEST_size_t_eq(1, nbytes)
2803 || !TEST_int_eq(0, new_called)
2804 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2805 || !TEST_int_eq(0, new_called)
2806 || !TEST_int_eq(sizeof(buf), nbytes)
2807 || !TEST_int_eq(c, buf[0])
2808 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2809 goto end;
a0bbcb42
BK		 2810 /* Even trying to hit the state machine now will still not send tickets */
2811 if (!TEST_true(SSL_do_handshake(serverssl))
2812 || !TEST_int_eq(0, new_called))
2813 goto end;
f0049b86 2814 /* Now the *next* write should send the tickets */
a0bbcb42 2815 c = '6';
f0049b86
BK		 2816 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2817 || !TEST_size_t_eq(1, nbytes)
2818 || !TEST_int_eq(2, new_called)
2819 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2820 || !TEST_int_eq(4, new_called)
2821 || !TEST_int_eq(sizeof(buf), nbytes)
2822 || !TEST_int_eq(c, buf[0])
2823 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2824 goto end;
2825
2826 SSL_shutdown(clientssl);
2827 SSL_shutdown(serverssl);
2828 testresult = 1;
2829
2830 end:
2831 BIO_free(bretry);
2832 BIO_free(tmp);
2833 SSL_free(serverssl);
2834 SSL_free(clientssl);
2835 SSL_CTX_free(sctx);
2836 SSL_CTX_free(cctx);
2837 clientssl = serverssl = NULL;
2838 sctx = cctx = NULL;
2839 return testresult;
2840}
04225915 2841#endif
36ff232c 2842
7d4488bb
MC		 2843#define USE_NULL 0
2844#define USE_BIO_1 1
2845#define USE_BIO_2 2
2846#define USE_DEFAULT 3
2847
2848#define CONNTYPE_CONNECTION_SUCCESS 0
2849#define CONNTYPE_CONNECTION_FAIL 1
2850#define CONNTYPE_NO_CONNECTION 2
2851
2852#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2853#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2854#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2855# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2856#else
2857# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2858#endif
2859
7d4488bb
MC		 2860#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2861 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2862 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2863
2864static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2865{
2866 switch (type) {
2867 case USE_NULL:
2868 *res = NULL;
2869 break;
2870 case USE_BIO_1:
2871 *res = bio1;
2872 break;
2873 case USE_BIO_2:
2874 *res = bio2;
2875 break;
2876 }
2877}
2878
7d4488bb
MC		 2879
2880/*
2881 * Tests calls to SSL_set_bio() under various conditions.
2882 *
2883 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2884 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2885 * then do more tests where we create a successful connection first using our
2886 * standard connection setup functions, and then call SSL_set_bio() with
2887 * various combinations of valid BIOs or NULL. We then repeat these tests
2888 * following a failed connection. In this last case we are looking to check that
2889 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2890 */
7fb4c820
MC		 2891static int test_ssl_set_bio(int idx)
2892{
7d4488bb 2893 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2894 BIO *bio1 = NULL;
2895 BIO *bio2 = NULL;
0fae8150 2896 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2897 SSL *serverssl = NULL, *clientssl = NULL;
2898 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2899 int testresult = 0;
2900
7d4488bb
MC		 2901 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2902 initrbio = idx % 3;
2903 idx /= 3;
2904 initwbio = idx % 3;
2905 idx /= 3;
2906 newrbio = idx % 3;
2907 idx /= 3;
2908 newwbio = idx % 3;
2909 conntype = CONNTYPE_NO_CONNECTION;
2910 } else {
2911 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2912 initrbio = initwbio = USE_DEFAULT;
2913 newrbio = idx % 2;
2914 idx /= 2;
2915 newwbio = idx % 2;
2916 idx /= 2;
2917 conntype = idx % 2;
2918 }
710756a9 2919
5e30f2fd
MC		 2920 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2921 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2922 &sctx, &cctx, cert, privkey)))
2923 goto end;
2924
2925 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2926 /*
2927 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2928 * because we reduced the number of tests in the definition of
2929 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2930 * mismatched protocol versions we will force a connection failure.
2931 */
2932 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2933 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2934 }
2935
2936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2937 NULL, NULL)))
710756a9 2938 goto end;
7fb4c820 2939
710756a9
RS		 2940 if (initrbio == USE_BIO_1
2941 || initwbio == USE_BIO_1
2942 || newrbio == USE_BIO_1
7fb4c820 2943 || newwbio == USE_BIO_1) {
710756a9 2944 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2945 goto end;
7fb4c820
MC		 2946 }
2947
710756a9
RS		 2948 if (initrbio == USE_BIO_2
2949 || initwbio == USE_BIO_2
2950 || newrbio == USE_BIO_2
7fb4c820 2951 || newwbio == USE_BIO_2) {
710756a9 2952 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2953 goto end;
7fb4c820
MC		 2954 }
2955
7d4488bb
MC		 2956 if (initrbio != USE_DEFAULT) {
2957 setupbio(&irbio, bio1, bio2, initrbio);
2958 setupbio(&iwbio, bio1, bio2, initwbio);
2959 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2960
7d4488bb
MC		 2961 /*
2962 * We want to maintain our own refs to these BIO, so do an up ref for
2963 * each BIO that will have ownership transferred in the SSL_set_bio()
2964 * call
2965 */
2966 if (irbio != NULL)
2967 BIO_up_ref(irbio);
2968 if (iwbio != NULL && iwbio != irbio)
2969 BIO_up_ref(iwbio);
2970 }
7fb4c820 2971
7d4488bb
MC		 2972 if (conntype != CONNTYPE_NO_CONNECTION
2973 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2974 SSL_ERROR_NONE)
2975 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2976 goto end;
7fb4c820
MC		 2977
2978 setupbio(&nrbio, bio1, bio2, newrbio);
2979 setupbio(&nwbio, bio1, bio2, newwbio);
2980
2981 /*
2982 * We will (maybe) transfer ownership again so do more up refs.
2983 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2984 * already been set!
2985 */
710756a9
RS		 2986 if (nrbio != NULL
2987 && nrbio != irbio
2988 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2989 BIO_up_ref(nrbio);
710756a9
RS		 2990 if (nwbio != NULL
2991 && nwbio != nrbio
2992 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2993 BIO_up_ref(nwbio);
2994
7d4488bb 2995 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2996
2997 testresult = 1;
2998
2999 end:
7fb4c820
MC		 3000 BIO_free(bio1);
3001 BIO_free(bio2);
710756a9 3002
7fb4c820
MC		 3003 /*
3004 * This test is checking that the ref counting for SSL_set_bio is correct.
3005 * If we get here and we did too many frees then we will fail in the above
742ccab3 3006 * functions.
7fb4c820 3007 */
7d4488bb
MC		 3008 SSL_free(serverssl);
3009 SSL_free(clientssl);
3010 SSL_CTX_free(sctx);
3011 SSL_CTX_free(cctx);
7fb4c820
MC		 3012 return testresult;
3013}
3014
7e885b7b 3015typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 3016
7e885b7b 3017static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 3018{
3019 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 3020 SSL_CTX *ctx;
9a716987
MC		 3021 SSL *ssl = NULL;
3022 int testresult = 0;
3023
d8652be0 3024 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 3025 || !TEST_ptr(ssl = SSL_new(ctx))
3026 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3027 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 3028 goto end;
9a716987
MC		 3029
3030 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3031
3032 /*
742ccab3 3033 * If anything goes wrong here then we could leak memory.
9a716987
MC		 3034 */
3035 BIO_push(sslbio, membio1);
3036
69687aa8 3037 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 3038 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 3039 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3040 ssl = NULL;
9a716987 3041 goto end;
493e7898 3042 }
7e885b7b 3043 if (change_bio == CHANGE_RBIO)
65e2d672 3044 SSL_set0_rbio(ssl, membio2);
9a716987 3045 else
65e2d672 3046 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 3047 }
3048 ssl = NULL;
3049
7e885b7b 3050 if (pop_ssl)
9a716987
MC		 3051 BIO_pop(sslbio);
3052 else
3053 BIO_pop(membio1);
3054
3055 testresult = 1;
3056 end:
3057 BIO_free(membio1);
3058 BIO_free(sslbio);
3059 SSL_free(ssl);
3060 SSL_CTX_free(ctx);
3061
3062 return testresult;
3063}
3064
3065static int test_ssl_bio_pop_next_bio(void)
3066{
7e885b7b 3067 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 3068}
3069
3070static int test_ssl_bio_pop_ssl_bio(void)
3071{
7e885b7b 3072 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 3073}
3074
3075static int test_ssl_bio_change_rbio(void)
3076{
7e885b7b 3077 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 3078}
3079
3080static int test_ssl_bio_change_wbio(void)
3081{
7e885b7b 3082 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 3083}
3084
a763ca11 3085#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 3086typedef struct {
3087 /* The list of sig algs */
3088 const int *list;
3089 /* The length of the list */
3090 size_t listlen;
3091 /* A sigalgs list in string format */
3092 const char *liststr;
3093 /* Whether setting the list should succeed */
3094 int valid;
3095 /* Whether creating a connection with the list should succeed */
3096 int connsuccess;
3097} sigalgs_list;
3098
3099static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 3100# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3101static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3102static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 3103# endif
f1b25aae
MC		 3104static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3105static const int invalidlist2[] = {NID_sha256, NID_undef};
3106static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3107static const int invalidlist4[] = {NID_sha256};
3108static const sigalgs_list testsigalgs[] = {
3109 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 3110# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3111 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3112 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 3113# endif
f1b25aae 3114 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 3115# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3116 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3117 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 3118# endif
f1b25aae
MC		 3119 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3120 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3121 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3122 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3123 {NULL, 0, "RSA", 0, 0},
3124 {NULL, 0, "SHA256", 0, 0},
3125 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3126 {NULL, 0, "Invalid", 0, 0}
3127};
f1b25aae
MC		 3128
3129static int test_set_sigalgs(int idx)
3130{
3131 SSL_CTX *cctx = NULL, *sctx = NULL;
3132 SSL *clientssl = NULL, *serverssl = NULL;
3133 int testresult = 0;
3134 const sigalgs_list *curr;
3135 int testctx;
3136
3137 /* Should never happen */
710756a9 3138 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3139 return 0;
3140
3141 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3142 curr = testctx ? &testsigalgs[idx]
3143 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3144
5e30f2fd
MC		 3145 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3146 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3147 &sctx, &cctx, cert, privkey)))
f1b25aae 3148 return 0;
f1b25aae 3149
d2e491f2
MC		 3150 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3151
f1b25aae
MC		 3152 if (testctx) {
3153 int ret;
710756a9 3154
f1b25aae
MC		 3155 if (curr->list != NULL)
3156 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3157 else
3158 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3159
3160 if (!ret) {
3161 if (curr->valid)
710756a9 3162 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3163 else
3164 testresult = 1;
3165 goto end;
3166 }
3167 if (!curr->valid) {
710756a9 3168 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3169 goto end;
3170 }
3171 }
3172
710756a9
RS		 3173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3174 &clientssl, NULL, NULL)))
f1b25aae 3175 goto end;
f1b25aae
MC		 3176
3177 if (!testctx) {
3178 int ret;
3179
3180 if (curr->list != NULL)
3181 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3182 else
3183 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3184 if (!ret) {
3185 if (curr->valid)
710756a9 3186 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3187 else
3188 testresult = 1;
3189 goto end;
3190 }
710756a9 3191 if (!curr->valid)
f1b25aae 3192 goto end;
f1b25aae
MC		 3193 }
3194
710756a9
RS		 3195 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3196 SSL_ERROR_NONE),
3197 curr->connsuccess))
f1b25aae 3198 goto end;
f1b25aae
MC		 3199
3200 testresult = 1;
3201
3202 end:
3203 SSL_free(serverssl);
3204 SSL_free(clientssl);
3205 SSL_CTX_free(sctx);
3206 SSL_CTX_free(cctx);
3207
3208 return testresult;
3209}
c423ecaa 3210#endif
f1b25aae 3211
a763ca11 3212#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3213static int psk_client_cb_cnt = 0;
3214static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3215
3216static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3217 size_t *idlen, SSL_SESSION **sess)
3218{
3219 switch (++use_session_cb_cnt) {
3220 case 1:
3221 /* The first call should always have a NULL md */
3222 if (md != NULL)
3223 return 0;
3224 break;
3225
3226 case 2:
3227 /* The second call should always have an md */
3228 if (md == NULL)
3229 return 0;
3230 break;
3231
3232 default:
3233 /* We should only be called a maximum of twice */
3234 return 0;
3235 }
3236
57dee9bb
MC		 3237 if (clientpsk != NULL)
3238 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3239
57dee9bb 3240 *sess = clientpsk;
02a3ed5a
MC		 3241 *id = (const unsigned char *)pskid;
3242 *idlen = strlen(pskid);
3243
3244 return 1;
3245}
3246
c2b290c3 3247#ifndef OPENSSL_NO_PSK
532f9578
MC		 3248static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3249 unsigned int max_id_len,
3250 unsigned char *psk,
3251 unsigned int max_psk_len)
3252{
3253 unsigned int psklen = 0;
3254
3255 psk_client_cb_cnt++;
3256
3257 if (strlen(pskid) + 1 > max_id_len)
3258 return 0;
3259
3260 /* We should only ever be called a maximum of twice per connection */
3261 if (psk_client_cb_cnt > 2)
3262 return 0;
3263
3264 if (clientpsk == NULL)
3265 return 0;
3266
3267 /* We'll reuse the PSK we set up for TLSv1.3 */
3268 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3269 return 0;
3270 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3271 strncpy(id, pskid, max_id_len);
3272
3273 return psklen;
3274}
c2b290c3 3275#endif /* OPENSSL_NO_PSK */
532f9578 3276
02a3ed5a
MC		 3277static int find_session_cb(SSL *ssl, const unsigned char *identity,
3278 size_t identity_len, SSL_SESSION **sess)
3279{
3280 find_session_cb_cnt++;
3281
3282 /* We should only ever be called a maximum of twice per connection */
3283 if (find_session_cb_cnt > 2)
3284 return 0;
3285
57dee9bb 3286 if (serverpsk == NULL)
02a3ed5a
MC		 3287 return 0;
3288
3289 /* Identity should match that set by the client */
3290 if (strlen(srvid) != identity_len
3291 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3292 /* No PSK found, continue but without a PSK */
3293 *sess = NULL;
3294 return 1;
3295 }
3296
57dee9bb
MC		 3297 SSL_SESSION_up_ref(serverpsk);
3298 *sess = serverpsk;
02a3ed5a
MC		 3299
3300 return 1;
3301}
3302
c2b290c3 3303#ifndef OPENSSL_NO_PSK
532f9578
MC		 3304static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3305 unsigned char *psk, unsigned int max_psk_len)
3306{
3307 unsigned int psklen = 0;
3308
3309 psk_server_cb_cnt++;
3310
3311 /* We should only ever be called a maximum of twice per connection */
3312 if (find_session_cb_cnt > 2)
3313 return 0;
3314
3315 if (serverpsk == NULL)
3316 return 0;
3317
3318 /* Identity should match that set by the client */
3319 if (strcmp(srvid, identity) != 0) {
3320 return 0;
3321 }
3322
3323 /* We'll reuse the PSK we set up for TLSv1.3 */
3324 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3325 return 0;
3326 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3327
3328 return psklen;
3329}
c2b290c3 3330#endif /* OPENSSL_NO_PSK */
532f9578 3331
5f982038
MC		 3332#define MSG1 "Hello"
3333#define MSG2 "World."
3334#define MSG3 "This"
3335#define MSG4 "is"
3336#define MSG5 "a"
90049cea
MC		 3337#define MSG6 "test"
3338#define MSG7 "message."
5f982038 3339
2be5065b
MC		 3340static int artificial_ticket_time = 0;
3341
3342static int ed_gen_cb(SSL *s, void *arg)
3343{
3344 SSL_SESSION *sess = SSL_get0_session(s);
3345
3346 if (sess == NULL)
3347 return 0;
3348
3349 /*
3350 * Artificially give the ticket some age. Just do it for the number of
3351 * tickets we've been told to do.
3352 */
3353 if (artificial_ticket_time == 0)
3354 return 1;
3355 artificial_ticket_time--;
3356
3357 if (SSL_SESSION_set_time(sess, SSL_SESSION_get_time(sess) - 10) == 0)
3358 return 0;
3359
3360 return 1;
3361}
3362
5f982038
MC		 3363/*
3364 * Helper method to setup objects for early data test. Caller frees objects on
3365 * error.
3366 */
3367static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
10836921
MC		 3368 SSL **serverssl, SSL_SESSION **sess, int idx,
3369 size_t mdsize)
5f982038 3370{
2be5065b
MC		 3371 int artificial = (artificial_ticket_time > 0);
3372
5a421415 3373 if (*sctx == NULL
5e30f2fd 3374 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3375 TLS_client_method(),
5c587fb6 3376 TLS1_VERSION, 0,
5a421415
MC		 3377 sctx, cctx, cert, privkey)))
3378 return 0;
3379
2be5065b
MC		 3380 if (artificial)
3381 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3382
5a421415 3383 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3384 return 0;
5f982038 3385
02a3ed5a
MC		 3386 if (idx == 1) {
3387 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3388 SSL_CTX_set_read_ahead(*cctx, 1);
3389 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3390 } else if (idx == 2) {
3391 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3392 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3393 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3394 use_session_cb_cnt = 0;
3395 find_session_cb_cnt = 0;
3396 srvid = pskid;
3cb47b4e
MC		 3397 }
3398
710756a9 3399 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3400 NULL, NULL)))
3401 return 0;
3402
141e4709
MC		 3403 /*
3404 * For one of the run throughs (doesn't matter which one), we'll try sending
3405 * some SNI data in the initial ClientHello. This will be ignored (because
3406 * there is no SNI cb set up by the server), so it should not impact
3407 * early_data.
3408 */
3409 if (idx == 1
3410 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3411 return 0;
3412
02a3ed5a 3413 if (idx == 2) {
10836921 3414 clientpsk = create_a_psk(*clientssl, mdsize);
57dee9bb 3415 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3416 /*
3417 * We just choose an arbitrary value for max_early_data which
3418 * should be big enough for testing purposes.
3419 */
57dee9bb
MC		 3420 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3421 0x100))
3422 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3423 SSL_SESSION_free(clientpsk);
3424 clientpsk = NULL;
02a3ed5a
MC		 3425 return 0;
3426 }
57dee9bb 3427 serverpsk = clientpsk;
02a3ed5a 3428
c20e3b28
MC		 3429 if (sess != NULL) {
3430 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3431 SSL_SESSION_free(clientpsk);
3432 SSL_SESSION_free(serverpsk);
3433 clientpsk = serverpsk = NULL;
3434 return 0;
3435 }
57dee9bb 3436 *sess = clientpsk;
c20e3b28 3437 }
02a3ed5a
MC		 3438 return 1;
3439 }
3440
3441 if (sess == NULL)
3442 return 1;
3443
3444 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3445 SSL_ERROR_NONE)))
5f982038 3446 return 0;
5f982038
MC		 3447
3448 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3449 SSL_shutdown(*clientssl);
3450 SSL_shutdown(*serverssl);
5f982038
MC		 3451 SSL_free(*serverssl);
3452 SSL_free(*clientssl);
3453 *serverssl = *clientssl = NULL;
3454
2be5065b
MC		 3455 /*
3456 * Artificially give the ticket some age to match the artificial age we
3457 * gave it on the server side
3458 */
3459 if (artificial
3460 && !TEST_long_gt(SSL_SESSION_set_time(*sess,
3461 SSL_SESSION_get_time(*sess) - 10), 0))
3462 return 0;
3463
710756a9
RS		 3464 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3465 clientssl, NULL, NULL))
3466 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3467 return 0;
5f982038
MC		 3468
3469 return 1;
3470}
3471
3cb47b4e 3472static int test_early_data_read_write(int idx)
5f982038
MC		 3473{
3474 SSL_CTX *cctx = NULL, *sctx = NULL;
3475 SSL *clientssl = NULL, *serverssl = NULL;
3476 int testresult = 0;
3477 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3478 unsigned char buf[20], data[1024];
3479 size_t readbytes, written, eoedlen, rawread, rawwritten;
3480 BIO *rbio;
5f982038 3481
2be5065b
MC		 3482 /* Artificially give the next 2 tickets some age for non PSK sessions */
3483 if (idx != 2)
3484 artificial_ticket_time = 2;
710756a9 3485 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3486 &serverssl, &sess, idx,
3487 SHA384_DIGEST_LENGTH))) {
2be5065b 3488 artificial_ticket_time = 0;
5f982038 3489 goto end;
2be5065b
MC		 3490 }
3491 artificial_ticket_time = 0;
5f982038
MC		 3492
3493 /* Write and read some early data */
710756a9
RS		 3494 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3495 &written))
3496 || !TEST_size_t_eq(written, strlen(MSG1))
3497 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3498 sizeof(buf), &readbytes),
3499 SSL_READ_EARLY_DATA_SUCCESS)
3500 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3501 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3502 SSL_EARLY_DATA_ACCEPTED))
5f982038 3503 goto end;
5f982038
MC		 3504
3505 /*
09f28874 3506 * Server should be able to write data, and client should be able to
5f982038
MC		 3507 * read it.
3508 */
710756a9
RS		 3509 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3510 &written))
3511 || !TEST_size_t_eq(written, strlen(MSG2))
3512 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3513 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3514 goto end;
5f982038
MC		 3515
3516 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3517 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3518 &written))
3519 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3520 goto end;
5f982038 3521
09f28874 3522 /* Server should still be able read early data after writing data */
710756a9
RS		 3523 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3524 &readbytes),
3525 SSL_READ_EARLY_DATA_SUCCESS)
3526 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3527 goto end;
5f982038 3528
09f28874 3529 /* Write more data from server and read it from client */
710756a9
RS		 3530 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3531 &written))
3532 || !TEST_size_t_eq(written, strlen(MSG4))
3533 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3534 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3535 goto end;
5f982038
MC		 3536
3537 /*
3538 * If client writes normal data it should mean writing early data is no
3539 * longer possible.
3540 */
710756a9
RS		 3541 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3542 || !TEST_size_t_eq(written, strlen(MSG5))
3543 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3544 SSL_EARLY_DATA_ACCEPTED))
5f982038 3545 goto end;
5f982038 3546
9b5c865d
MC		 3547 /*
3548 * At this point the client has written EndOfEarlyData, ClientFinished and
3549 * normal (fully protected) data. We are going to cause a delay between the
3550 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3551 * in the read BIO, and then just put back the EndOfEarlyData message.
3552 */
3553 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3554 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3555 || !TEST_size_t_lt(rawread, sizeof(data))
3556 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3557 goto end;
710756a9 3558
9b5c865d
MC		 3559 /* Record length is in the 4th and 5th bytes of the record header */
3560 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3561 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3562 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3563 goto end;
9b5c865d 3564
5f982038 3565 /* Server should be told that there is no more early data */
710756a9
RS		 3566 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3567 &readbytes),
3568 SSL_READ_EARLY_DATA_FINISH)
3569 || !TEST_size_t_eq(readbytes, 0))
5f982038 3570 goto end;
5f982038 3571
9b5c865d
MC		 3572 /*
3573 * Server has not finished init yet, so should still be able to write early
3574 * data.
3575 */
710756a9
RS		 3576 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3577 &written))
3578 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3579 goto end;
9b5c865d 3580
f8a303fa 3581 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3582 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3583 &rawwritten))
3584 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3585 goto end;
f8a303fa 3586
5f982038 3587 /* Server should be able to read normal data */
710756a9
RS		 3588 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3589 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3590 goto end;
5f982038 3591
09f28874 3592 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3593 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3594 &written)))
5f982038 3595 goto end;
5f982038 3596 ERR_clear_error();
710756a9
RS		 3597 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3598 &readbytes),
3599 SSL_READ_EARLY_DATA_ERROR))
5f982038 3600 goto end;
5f982038
MC		 3601 ERR_clear_error();
3602
9b5c865d 3603 /* Client should be able to read the data sent by the server */
710756a9
RS		 3604 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3605 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3606 goto end;
710756a9 3607
f8a303fa 3608 /*
36ff232c
MC		 3609 * Make sure we process the two NewSessionTickets. These arrive
3610 * post-handshake. We attempt reads which we do not expect to return any
3611 * data.
f8a303fa 3612 */
36ff232c
MC		 3613 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3614 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3615 &readbytes)))
f8a303fa 3616 goto end;
5f982038 3617
90049cea 3618 /* Server should be able to write normal data */
710756a9
RS		 3619 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3620 || !TEST_size_t_eq(written, strlen(MSG7))
3621 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3622 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3623 goto end;
90049cea 3624
c20e3b28 3625 SSL_SESSION_free(sess);
5f982038 3626 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3627 use_session_cb_cnt = 0;
3628 find_session_cb_cnt = 0;
5f982038
MC		 3629
3630 SSL_shutdown(clientssl);
3631 SSL_shutdown(serverssl);
5f982038
MC		 3632 SSL_free(serverssl);
3633 SSL_free(clientssl);
3634 serverssl = clientssl = NULL;
710756a9
RS		 3635 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3636 &clientssl, NULL, NULL))
3637 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3638 goto end;
5f982038
MC		 3639
3640 /* Write and read some early data */
710756a9
RS		 3641 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3642 &written))
3643 || !TEST_size_t_eq(written, strlen(MSG1))
3644 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3645 &readbytes),
3646 SSL_READ_EARLY_DATA_SUCCESS)
3647 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3648 goto end;
5f982038 3649
710756a9
RS		 3650 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3651 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3652 goto end;
5f982038 3653
09f28874 3654 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3655 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3656 &written)))
5f982038 3657 goto end;
5f982038 3658 ERR_clear_error();
710756a9
RS		 3659 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3660 &readbytes),
3661 SSL_READ_EARLY_DATA_ERROR))
5f982038 3662 goto end;
5f982038
MC		 3663 ERR_clear_error();
3664
3665 /* Client and server should be able to write/read normal data */
710756a9
RS		 3666 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3667 || !TEST_size_t_eq(written, strlen(MSG5))
3668 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3669 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3670 goto end;
5f982038
MC		 3671
3672 testresult = 1;
3673
3674 end:
c20e3b28 3675 SSL_SESSION_free(sess);
57dee9bb
MC		 3676 SSL_SESSION_free(clientpsk);
3677 SSL_SESSION_free(serverpsk);
3678 clientpsk = serverpsk = NULL;
5f982038
MC		 3679 SSL_free(serverssl);
3680 SSL_free(clientssl);
3681 SSL_CTX_free(sctx);
3682 SSL_CTX_free(cctx);
5f982038
MC		 3683 return testresult;
3684}
3685
5a421415
MC		 3686static int allow_ed_cb_called = 0;
3687
3688static int allow_early_data_cb(SSL *s, void *arg)
3689{
3690 int *usecb = (int *)arg;
3691
3692 allow_ed_cb_called++;
3693
3694 if (*usecb == 1)
3695 return 0;
3696
3697 return 1;
3698}
3699
3700/*
3701 * idx == 0: Standard early_data setup
3702 * idx == 1: early_data setup using read_ahead
3703 * usecb == 0: Don't use a custom early data callback
3704 * usecb == 1: Use a custom early data callback and reject the early data
3705 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3706 * confopt == 0: Configure anti-replay directly
3707 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3708 */
3bb5e5b0 3709static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3710{
3711 SSL_CTX *cctx = NULL, *sctx = NULL;
3712 SSL *clientssl = NULL, *serverssl = NULL;
3713 int testresult = 0;
3714 SSL_SESSION *sess = NULL;
5a421415
MC		 3715 size_t readbytes, written;
3716 unsigned char buf[20];
3717
3718 allow_ed_cb_called = 0;
3719
5e30f2fd
MC		 3720 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3721 TLS_client_method(), TLS1_VERSION, 0,
3722 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3723 return 0;
3724
3725 if (usecb > 0) {
3bb5e5b0
MC		 3726 if (confopt == 0) {
3727 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3728 } else {
3729 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3730
3731 if (!TEST_ptr(confctx))
3732 goto end;
3733 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3734 | SSL_CONF_FLAG_SERVER);
3735 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3736 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3737 2)) {
3738 SSL_CONF_CTX_free(confctx);
3739 goto end;
3740 }
3741 SSL_CONF_CTX_free(confctx);
3742 }
5a421415
MC		 3743 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3744 }
78fb5374
MC		 3745
3746 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3747 &serverssl, &sess, idx,
3748 SHA384_DIGEST_LENGTH)))
78fb5374
MC		 3749 goto end;
3750
3751 /*
3752 * The server is configured to accept early data. Create a connection to
3753 * "use up" the ticket
3754 */
3755 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3756 || !TEST_true(SSL_session_reused(clientssl)))
3757 goto end;
3758
3759 SSL_shutdown(clientssl);
3760 SSL_shutdown(serverssl);
3761 SSL_free(serverssl);
3762 SSL_free(clientssl);
3763 serverssl = clientssl = NULL;
3764
3765 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3766 &clientssl, NULL, NULL))
5a421415
MC		 3767 || !TEST_true(SSL_set_session(clientssl, sess)))
3768 goto end;
3769
3770 /* Write and read some early data */
3771 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3772 &written))
3773 || !TEST_size_t_eq(written, strlen(MSG1)))
3774 goto end;
3775
3776 if (usecb <= 1) {
3777 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3778 &readbytes),
3779 SSL_READ_EARLY_DATA_FINISH)
3780 /*
3781 * The ticket was reused, so the we should have rejected the
3782 * early data
3783 */
3784 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3785 SSL_EARLY_DATA_REJECTED))
3786 goto end;
3787 } else {
3788 /* In this case the callback decides to accept the early data */
3789 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3790 &readbytes),
3791 SSL_READ_EARLY_DATA_SUCCESS)
3792 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3793 /*
3794 * Server will have sent its flight so client can now send
3795 * end of early data and complete its half of the handshake
3796 */
3797 || !TEST_int_gt(SSL_connect(clientssl), 0)
3798 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3799 &readbytes),
3800 SSL_READ_EARLY_DATA_FINISH)
3801 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3802 SSL_EARLY_DATA_ACCEPTED))
3803 goto end;
3804 }
3805
3806 /* Complete the connection */
3807 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3808 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3809 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3810 goto end;
3811
3812 testresult = 1;
3813
3814 end:
c20e3b28 3815 SSL_SESSION_free(sess);
78fb5374
MC		 3816 SSL_SESSION_free(clientpsk);
3817 SSL_SESSION_free(serverpsk);
3818 clientpsk = serverpsk = NULL;
3819 SSL_free(serverssl);
3820 SSL_free(clientssl);
3821 SSL_CTX_free(sctx);
3822 SSL_CTX_free(cctx);
3823 return testresult;
3824}
3825
5a421415
MC		 3826static int test_early_data_replay(int idx)
3827{
3bb5e5b0 3828 int ret = 1, usecb, confopt;
5a421415 3829
3bb5e5b0
MC		 3830 for (usecb = 0; usecb < 3; usecb++) {
3831 for (confopt = 0; confopt < 2; confopt++)
3832 ret &= test_early_data_replay_int(idx, usecb, confopt);
3833 }
5a421415
MC		 3834
3835 return ret;
3836}
3837
10836921
MC		 3838static const char *ciphersuites[] = {
3839 "TLS_AES_128_CCM_8_SHA256",
3840 "TLS_AES_128_GCM_SHA256",
3841 "TLS_AES_256_GCM_SHA384",
3842 "TLS_AES_128_CCM_SHA256",
3843#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3844 "TLS_CHACHA20_POLY1305_SHA256"
3845#endif
3846};
3847
710756a9 3848/*
6b84e6bf
MC		 3849 * Helper function to test that a server attempting to read early data can
3850 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3851 * testtype: 0 == No HRR
3852 * testtype: 1 == HRR
0efa0ba4
MC		 3853 * testtype: 2 == HRR, invalid early_data sent after HRR
3854 * testtype: 3 == recv_max_early_data set to 0
710756a9 3855 */
10836921 3856static int early_data_skip_helper(int testtype, int cipher, int idx)
5f982038
MC		 3857{
3858 SSL_CTX *cctx = NULL, *sctx = NULL;
3859 SSL *clientssl = NULL, *serverssl = NULL;
3860 int testresult = 0;
018fcbec 3861 SSL_SESSION *sess = NULL;
5f982038
MC		 3862 unsigned char buf[20];
3863 size_t readbytes, written;
3864
10836921
MC		 3865 if (is_fips && cipher == 4)
3866 return 1;
3867
3868 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3869 TLS_client_method(),
3870 TLS1_VERSION, 0,
3871 &sctx, &cctx, cert, privkey)))
3872 goto end;
3873
3874 if (cipher == 0) {
3875 SSL_CTX_set_security_level(sctx, 0);
3876 SSL_CTX_set_security_level(cctx, 0);
3877 }
3878
3879 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3880 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3881 goto end;
3882
710756a9 3883 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3884 &serverssl, &sess, idx,
3885 cipher == 2 ? SHA384_DIGEST_LENGTH
3886 : SHA256_DIGEST_LENGTH)))
5f982038
MC		 3887 goto end;
3888
0efa0ba4 3889 if (testtype == 1 || testtype == 2) {
6b84e6bf 3890 /* Force an HRR to occur */
dbc6268f
MC		 3891#if defined(OPENSSL_NO_EC)
3892 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3893 goto end;
3894#else
4032cd9a 3895 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
6b84e6bf 3896 goto end;
dbc6268f 3897#endif
02a3ed5a
MC		 3898 } else if (idx == 2) {
3899 /*
3900 * We force early_data rejection by ensuring the PSK identity is
3901 * unrecognised
3902 */
3903 srvid = "Dummy Identity";
6b84e6bf
MC		 3904 } else {
3905 /*
3906 * Deliberately corrupt the creation time. We take 20 seconds off the
3907 * time. It could be any value as long as it is not within tolerance.
3908 * This should mean the ticket is rejected.
3909 */
5d99881e 3910 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3911 goto end;
3912 }
5f982038 3913
0efa0ba4 3914 if (testtype == 3
0d1b7789
MC		 3915 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3916 goto end;
3917
5f982038 3918 /* Write some early data */
710756a9
RS		 3919 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3920 &written))
3921 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3922 goto end;
5f982038 3923
0d1b7789 3924 /* Server should reject the early data */
710756a9
RS		 3925 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3926 &readbytes),
3927 SSL_READ_EARLY_DATA_FINISH)
3928 || !TEST_size_t_eq(readbytes, 0)
3929 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3930 SSL_EARLY_DATA_REJECTED))
5f982038 3931 goto end;
5f982038 3932
0efa0ba4
MC		 3933 switch (testtype) {
3934 case 0:
3935 /* Nothing to do */
3936 break;
3937
3938 case 1:
6b84e6bf
MC		 3939 /*
3940 * Finish off the handshake. We perform the same writes and reads as
3941 * further down but we expect them to fail due to the incomplete
3942 * handshake.
3943 */
3944 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3945 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3946 &readbytes)))
3947 goto end;
0efa0ba4
MC		 3948 break;
3949
3950 case 2:
3951 {
3952 BIO *wbio = SSL_get_wbio(clientssl);
3953 /* A record that will appear as bad early_data */
3954 const unsigned char bad_early_data[] = {
3955 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3956 };
3957
3958 /*
3959 * We force the client to attempt a write. This will fail because
3960 * we're still in the handshake. It will cause the second
3961 * ClientHello to be sent.
3962 */
3963 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3964 &written)))
3965 goto end;
3966
3967 /*
3968 * Inject some early_data after the second ClientHello. This should
3969 * cause the server to fail
3970 */
3971 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3972 sizeof(bad_early_data), &written)))
3973 goto end;
3974 }
3975 /* fallthrough */
3976
3977 case 3:
0d1b7789 3978 /*
0efa0ba4
MC		 3979 * This client has sent more early_data than we are willing to skip
3980 * (case 3) or sent invalid early_data (case 2) so the connection should
3981 * abort.
0d1b7789
MC		 3982 */
3983 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3984 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3985 goto end;
3986
3987 /* Connection has failed - nothing more to do */
3988 testresult = 1;
3989 goto end;
0efa0ba4
MC		 3990
3991 default:
3992 TEST_error("Invalid test type");
3993 goto end;
6b84e6bf
MC		 3994 }
3995
10836921 3996 ERR_clear_error();
0d1b7789
MC		 3997 /*
3998 * Should be able to send normal data despite rejection of early data. The
3999 * early_data should be skipped.
4000 */
710756a9
RS		 4001 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4002 || !TEST_size_t_eq(written, strlen(MSG2))
4003 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4004 SSL_EARLY_DATA_REJECTED)
4005 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4006 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4007 goto end;
5f982038 4008
10836921
MC		 4009 /*
4010 * Failure to decrypt early data records should not leave spurious errors
4011 * on the error stack
4012 */
4013 if (!TEST_long_eq(ERR_peek_error(), 0))
4014 goto end;
4015
5f982038
MC		 4016 testresult = 1;
4017
4018 end:
c20e3b28 4019 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4020 SSL_SESSION_free(serverpsk);
4021 clientpsk = serverpsk = NULL;
5f982038
MC		 4022 SSL_SESSION_free(sess);
4023 SSL_free(serverssl);
4024 SSL_free(clientssl);
4025 SSL_CTX_free(sctx);
4026 SSL_CTX_free(cctx);
5f982038
MC		 4027 return testresult;
4028}
4029
6b84e6bf
MC		 4030/*
4031 * Test that a server attempting to read early data can handle a connection
4032 * from a client where the early data is not acceptable.
4033 */
4034static int test_early_data_skip(int idx)
4035{
10836921
MC		 4036 return early_data_skip_helper(0,
4037 idx % OSSL_NELEM(ciphersuites),
4038 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4039}
4040
4041/*
4042 * Test that a server attempting to read early data can handle a connection
4043 * from a client where an HRR occurs.
4044 */
4045static int test_early_data_skip_hrr(int idx)
4046{
10836921
MC		 4047 return early_data_skip_helper(1,
4048 idx % OSSL_NELEM(ciphersuites),
4049 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4050}
4051
0efa0ba4
MC		 4052/*
4053 * Test that a server attempting to read early data can handle a connection
4054 * from a client where an HRR occurs and correctly fails if early_data is sent
4055 * after the HRR
4056 */
4057static int test_early_data_skip_hrr_fail(int idx)
4058{
10836921
MC		 4059 return early_data_skip_helper(2,
4060 idx % OSSL_NELEM(ciphersuites),
4061 idx / OSSL_NELEM(ciphersuites));
0efa0ba4
MC		 4062}
4063
0d1b7789
MC		 4064/*
4065 * Test that a server attempting to read early data will abort if it tries to
4066 * skip over too much.
4067 */
4068static int test_early_data_skip_abort(int idx)
4069{
10836921
MC		 4070 return early_data_skip_helper(3,
4071 idx % OSSL_NELEM(ciphersuites),
4072 idx / OSSL_NELEM(ciphersuites));
0d1b7789
MC		 4073}
4074
710756a9
RS		 4075/*
4076 * Test that a server attempting to read early data can handle a connection
4077 * from a client that doesn't send any.
4078 */
3cb47b4e 4079static int test_early_data_not_sent(int idx)
5f982038
MC		 4080{
4081 SSL_CTX *cctx = NULL, *sctx = NULL;
4082 SSL *clientssl = NULL, *serverssl = NULL;
4083 int testresult = 0;
018fcbec 4084 SSL_SESSION *sess = NULL;
5f982038
MC		 4085 unsigned char buf[20];
4086 size_t readbytes, written;
4087
710756a9 4088 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4089 &serverssl, &sess, idx,
4090 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4091 goto end;
4092
4093 /* Write some data - should block due to handshake with server */
4094 SSL_set_connect_state(clientssl);
710756a9 4095 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4096 goto end;
5f982038
MC		 4097
4098 /* Server should detect that early data has not been sent */
710756a9
RS		 4099 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4100 &readbytes),
4101 SSL_READ_EARLY_DATA_FINISH)
4102 || !TEST_size_t_eq(readbytes, 0)
4103 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4104 SSL_EARLY_DATA_NOT_SENT)
4105 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4106 SSL_EARLY_DATA_NOT_SENT))
5f982038 4107 goto end;
5f982038
MC		 4108
4109 /* Continue writing the message we started earlier */
710756a9
RS		 4110 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4111 || !TEST_size_t_eq(written, strlen(MSG1))
4112 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4113 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4114 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4115 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4116 goto end;
5f982038 4117
710756a9
RS		 4118 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4119 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4120 goto end;
5f982038
MC		 4121
4122 testresult = 1;
4123
4124 end:
5f982038 4125 SSL_SESSION_free(sess);
c20e3b28 4126 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4127 SSL_SESSION_free(serverpsk);
4128 clientpsk = serverpsk = NULL;
5f982038
MC		 4129 SSL_free(serverssl);
4130 SSL_free(clientssl);
4131 SSL_CTX_free(sctx);
4132 SSL_CTX_free(cctx);
5f982038
MC		 4133 return testresult;
4134}
4135
976e5323
MC		 4136static const char *servalpn;
4137
c7558d5b
PY		 4138static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4139 unsigned char *outlen, const unsigned char *in,
4140 unsigned int inlen, void *arg)
976e5323 4141{
c7558d5b 4142 unsigned int protlen = 0;
976e5323
MC		 4143 const unsigned char *prot;
4144
c7558d5b
PY		 4145 for (prot = in; prot < in + inlen; prot += protlen) {
4146 protlen = *prot++;
5d99881e 4147 if (in + inlen < prot + protlen)
976e5323
MC		 4148 return SSL_TLSEXT_ERR_NOACK;
4149
4150 if (protlen == strlen(servalpn)
0bd42fde 4151 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 4152 *out = prot;
4153 *outlen = protlen;
4154 return SSL_TLSEXT_ERR_OK;
4155 }
4156 }
4157
4158 return SSL_TLSEXT_ERR_NOACK;
4159}
4160
57dee9bb 4161/* Test that a PSK can be used to send early_data */
976e5323
MC		 4162static int test_early_data_psk(int idx)
4163{
4164 SSL_CTX *cctx = NULL, *sctx = NULL;
4165 SSL *clientssl = NULL, *serverssl = NULL;
4166 int testresult = 0;
4167 SSL_SESSION *sess = NULL;
57dee9bb
MC		 4168 unsigned char alpnlist[] = {
4169 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4170 'l', 'p', 'n'
4171 };
4172#define GOODALPNLEN 9
4173#define BADALPNLEN 8
4174#define GOODALPN (alpnlist)
4175#define BADALPN (alpnlist + GOODALPNLEN)
4176 int err = 0;
976e5323
MC		 4177 unsigned char buf[20];
4178 size_t readbytes, written;
57dee9bb 4179 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 4180 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4181
4182 /* We always set this up with a final parameter of "2" for PSK */
4183 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4184 &serverssl, &sess, 2,
4185 SHA384_DIGEST_LENGTH)))
976e5323
MC		 4186 goto end;
4187
976e5323
MC		 4188 servalpn = "goodalpn";
4189
57dee9bb
MC		 4190 /*
4191 * Note: There is no test for inconsistent SNI with late client detection.
4192 * This is because servers do not acknowledge SNI even if they are using
4193 * it in a resumption handshake - so it is not actually possible for a
4194 * client to detect a problem.
4195 */
976e5323
MC		 4196 switch (idx) {
4197 case 0:
57dee9bb 4198 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4199 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4200 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4201 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4202 goto end;
4203 break;
4204
4205 case 1:
57dee9bb 4206 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4207 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4208 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4209 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4210 GOODALPNLEN))
4211 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4212 BADALPNLEN)))
976e5323
MC		 4213 goto end;
4214 break;
4215
4216 case 2:
4217 /*
4218 * Set invalid protocol version. Technically this affects PSKs without
4219 * early_data too, but we test it here because it is similar to the
4220 * SNI/ALPN consistency tests.
4221 */
4222 err = SSL_R_BAD_PSK;
4223 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4224 goto end;
4225 break;
4226
4227 case 3:
4228 /*
49ef3d07
MC		 4229 * Set inconsistent SNI (server side). In this case the connection
4230 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4231 * is associated with each handshake - not the session. Therefore it
4232 * should not matter that we used a different server name last time.
976e5323 4233 */
281bf233
MC		 4234 SSL_SESSION_free(serverpsk);
4235 serverpsk = SSL_SESSION_dup(clientpsk);
4236 if (!TEST_ptr(serverpsk)
4237 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4238 goto end;
976e5323
MC		 4239 /* Fall through */
4240 case 4:
4241 /* Set consistent SNI */
976e5323
MC		 4242 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4243 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4244 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4245 hostname_cb)))
4246 goto end;
4247 break;
4248
4249 case 5:
4250 /*
4251 * Set inconsistent ALPN (server detected). In this case the connection
4252 * will succeed but reject early_data.
4253 */
4254 servalpn = "badalpn";
4255 edstatus = SSL_EARLY_DATA_REJECTED;
4256 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4257 /* Fall through */
4258 case 6:
976e5323 4259 /*
57dee9bb 4260 * Set consistent ALPN.
976e5323
MC		 4261 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4262 * accepts a list of protos (each one length prefixed).
4263 * SSL_set1_alpn_selected accepts a single protocol (not length
4264 * prefixed)
4265 */
57dee9bb
MC		 4266 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4267 GOODALPNLEN - 1))
4268 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4269 GOODALPNLEN)))
976e5323
MC		 4270 goto end;
4271
4272 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4273 break;
4274
57dee9bb
MC		 4275 case 7:
4276 /* Set inconsistent ALPN (late client detection) */
4277 SSL_SESSION_free(serverpsk);
4278 serverpsk = SSL_SESSION_dup(clientpsk);
4279 if (!TEST_ptr(serverpsk)
4280 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4281 BADALPN + 1,
4282 BADALPNLEN - 1))
4283 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4284 GOODALPN + 1,
4285 GOODALPNLEN - 1))
4286 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4287 sizeof(alpnlist))))
4288 goto end;
4289 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4290 edstatus = SSL_EARLY_DATA_ACCEPTED;
4291 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4292 /* SSL_connect() call should fail */
4293 connectres = -1;
4294 break;
4295
976e5323
MC		 4296 default:
4297 TEST_error("Bad test index");
4298 goto end;
4299 }
4300
4301 SSL_set_connect_state(clientssl);
4302 if (err != 0) {
4303 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4304 &written))
4305 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4306 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4307 goto end;
4308 } else {
4309 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4310 &written)))
4311 goto end;
4312
4313 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4314 &readbytes), readearlyres)
976e5323
MC		 4315 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4316 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4317 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4318 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4319 goto end;
4320 }
4321
4322 testresult = 1;
4323
4324 end:
c20e3b28 4325 SSL_SESSION_free(sess);
57dee9bb
MC		 4326 SSL_SESSION_free(clientpsk);
4327 SSL_SESSION_free(serverpsk);
4328 clientpsk = serverpsk = NULL;
976e5323
MC		 4329 SSL_free(serverssl);
4330 SSL_free(clientssl);
4331 SSL_CTX_free(sctx);
4332 SSL_CTX_free(cctx);
4333 return testresult;
4334}
4335
0b2b0be9 4336/*
4337 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4338 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4339 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4340 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4341 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4342 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4343 */
4344static int test_early_data_psk_with_all_ciphers(int idx)
4345{
4346 SSL_CTX *cctx = NULL, *sctx = NULL;
4347 SSL *clientssl = NULL, *serverssl = NULL;
4348 int testresult = 0;
4349 SSL_SESSION *sess = NULL;
4350 unsigned char buf[20];
4351 size_t readbytes, written;
4352 const SSL_CIPHER *cipher;
4353 const char *cipher_str[] = {
4354 TLS1_3_RFC_AES_128_GCM_SHA256,
4355 TLS1_3_RFC_AES_256_GCM_SHA384,
4356# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4357 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4358# else
4359 NULL,
4360# endif
4361 TLS1_3_RFC_AES_128_CCM_SHA256,
4362 TLS1_3_RFC_AES_128_CCM_8_SHA256
4363 };
4364 const unsigned char *cipher_bytes[] = {
4365 TLS13_AES_128_GCM_SHA256_BYTES,
4366 TLS13_AES_256_GCM_SHA384_BYTES,
4367# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4368 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4369# else
4370 NULL,
4371# endif
4372 TLS13_AES_128_CCM_SHA256_BYTES,
4373 TLS13_AES_128_CCM_8_SHA256_BYTES
4374 };
4375
4376 if (cipher_str[idx] == NULL)
4377 return 1;
4378 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4379 if (idx == 2 && is_fips == 1)
4380 return 1;
4381
4382 /* We always set this up with a final parameter of "2" for PSK */
4383 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4384 &serverssl, &sess, 2,
4385 SHA384_DIGEST_LENGTH)))
0b2b0be9 4386 goto end;
4387
e0710222
P		 4388 if (idx == 4) {
4389 /* CCM8 ciphers are considered low security due to their short tag */
4390 SSL_set_security_level(clientssl, 0);
4391 SSL_set_security_level(serverssl, 0);
4392 }
4393
0b2b0be9 4394 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4395 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4396 goto end;
4397
4398 /*
4399 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4400 * and assigns to both client and server with incremented reference
4401 * and the same instance is updated in 'sess'.
4402 * So updating ciphersuite in 'sess' which will get reflected in
4403 * PSK handshake using psk use sess and find sess cb.
4404 */
4405 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4406 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4407 goto end;
4408
4409 SSL_set_connect_state(clientssl);
4410 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4411 &written)))
4412 goto end;
4413
4414 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4415 &readbytes),
4416 SSL_READ_EARLY_DATA_SUCCESS)
4417 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4418 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4419 SSL_EARLY_DATA_ACCEPTED)
4420 || !TEST_int_eq(SSL_connect(clientssl), 1)
4421 || !TEST_int_eq(SSL_accept(serverssl), 1))
4422 goto end;
4423
4424 /* Send some normal data from client to server */
4425 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4426 || !TEST_size_t_eq(written, strlen(MSG2)))
4427 goto end;
4428
4429 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4430 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4431 goto end;
4432
4433 testresult = 1;
4434 end:
4435 SSL_SESSION_free(sess);
4436 SSL_SESSION_free(clientpsk);
4437 SSL_SESSION_free(serverpsk);
4438 clientpsk = serverpsk = NULL;
4439 if (clientssl != NULL)
4440 SSL_shutdown(clientssl);
4441 if (serverssl != NULL)
4442 SSL_shutdown(serverssl);
4443 SSL_free(serverssl);
4444 SSL_free(clientssl);
4445 SSL_CTX_free(sctx);
4446 SSL_CTX_free(cctx);
4447 return testresult;
4448}
4449
710756a9
RS		 4450/*
4451 * Test that a server that doesn't try to read early data can handle a
4452 * client sending some.
4453 */
3cb47b4e 4454static int test_early_data_not_expected(int idx)
5f982038
MC		 4455{
4456 SSL_CTX *cctx = NULL, *sctx = NULL;
4457 SSL *clientssl = NULL, *serverssl = NULL;
4458 int testresult = 0;
018fcbec 4459 SSL_SESSION *sess = NULL;
5f982038
MC		 4460 unsigned char buf[20];
4461 size_t readbytes, written;
4462
710756a9 4463 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4464 &serverssl, &sess, idx,
4465 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4466 goto end;
4467
4468 /* Write some early data */
710756a9
RS		 4469 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4470 &written)))
5f982038 4471 goto end;
5f982038
MC		 4472
4473 /*
4474 * Server should skip over early data and then block waiting for client to
4475 * continue handshake
4476 */
710756a9
RS		 4477 if (!TEST_int_le(SSL_accept(serverssl), 0)
4478 || !TEST_int_gt(SSL_connect(clientssl), 0)
4479 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4480 SSL_EARLY_DATA_REJECTED)
4481 || !TEST_int_gt(SSL_accept(serverssl), 0)
4482 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4483 SSL_EARLY_DATA_REJECTED))
5f982038 4484 goto end;
5f982038
MC		 4485
4486 /* Send some normal data from client to server */
710756a9
RS		 4487 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4488 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4489 goto end;
5f982038 4490
710756a9
RS		 4491 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4492 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4493 goto end;
5f982038
MC		 4494
4495 testresult = 1;
4496
4497 end:
5f982038 4498 SSL_SESSION_free(sess);
c20e3b28 4499 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4500 SSL_SESSION_free(serverpsk);
4501 clientpsk = serverpsk = NULL;
5f982038
MC		 4502 SSL_free(serverssl);
4503 SSL_free(clientssl);
4504 SSL_CTX_free(sctx);
4505 SSL_CTX_free(cctx);
5f982038
MC		 4506 return testresult;
4507}
4508
4509
4510# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4511/*
4512 * Test that a server attempting to read early data can handle a connection
4513 * from a TLSv1.2 client.
4514 */
3cb47b4e 4515static int test_early_data_tls1_2(int idx)
5f982038
MC		 4516{
4517 SSL_CTX *cctx = NULL, *sctx = NULL;
4518 SSL *clientssl = NULL, *serverssl = NULL;
4519 int testresult = 0;
4520 unsigned char buf[20];
4521 size_t readbytes, written;
4522
02a3ed5a 4523 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4524 &serverssl, NULL, idx,
4525 SHA384_DIGEST_LENGTH)))
5f982038 4526 goto end;
5f982038
MC		 4527
4528 /* Write some data - should block due to handshake with server */
4529 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4530 SSL_set_connect_state(clientssl);
710756a9 4531 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4532 goto end;
5f982038
MC		 4533
4534 /*
4535 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4536 * messages from client after ServerDone. Then SSL_read_early_data should
4537 * finish and detect that early data has not been sent
5f982038 4538 */
710756a9
RS		 4539 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4540 &readbytes),
4541 SSL_READ_EARLY_DATA_ERROR))
5f982038 4542 goto end;
5f982038
MC		 4543
4544 /*
4545 * Continue writing the message we started earlier. Will still block waiting
4546 * for the CCS/Finished from server
4547 */
710756a9
RS		 4548 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4549 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4550 &readbytes),
4551 SSL_READ_EARLY_DATA_FINISH)
4552 || !TEST_size_t_eq(readbytes, 0)
4553 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4554 SSL_EARLY_DATA_NOT_SENT))
5f982038 4555 goto end;
5f982038
MC		 4556
4557 /* Continue writing the message we started earlier */
710756a9
RS		 4558 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4559 || !TEST_size_t_eq(written, strlen(MSG1))
4560 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4561 SSL_EARLY_DATA_NOT_SENT)
4562 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4563 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4564 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4565 || !TEST_size_t_eq(written, strlen(MSG2))
4566 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4567 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4568 goto end;
5f982038
MC		 4569
4570 testresult = 1;
4571
4572 end:
57dee9bb
MC		 4573 SSL_SESSION_free(clientpsk);
4574 SSL_SESSION_free(serverpsk);
4575 clientpsk = serverpsk = NULL;
5f982038
MC		 4576 SSL_free(serverssl);
4577 SSL_free(clientssl);
4578 SSL_CTX_free(sctx);
4579 SSL_CTX_free(cctx);
4580
4581 return testresult;
4582}
ca0413ae
MC		 4583# endif /* OPENSSL_NO_TLS1_2 */
4584
034cb87b
MC		 4585/*
4586 * Test configuring the TLSv1.3 ciphersuites
4587 *
4588 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4589 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4590 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4591 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4592 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4593 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4594 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4595 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4596 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4597 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4598 */
4599static int test_set_ciphersuite(int idx)
4600{
4601 SSL_CTX *cctx = NULL, *sctx = NULL;
4602 SSL *clientssl = NULL, *serverssl = NULL;
4603 int testresult = 0;
4604
5e30f2fd
MC		 4605 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4606 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4607 &sctx, &cctx, cert, privkey))
4608 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4609 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4610 goto end;
4611
4612 if (idx >=4 && idx <= 7) {
4613 /* SSL_CTX explicit cipher list */
4614 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4615 goto end;
4616 }
4617
4618 if (idx == 0 || idx == 4) {
4619 /* Default ciphersuite */
4620 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4621 "TLS_AES_128_GCM_SHA256")))
4622 goto end;
4623 } else if (idx == 1 || idx == 5) {
4624 /* Non default ciphersuite */
4625 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4626 "TLS_AES_128_CCM_SHA256")))
4627 goto end;
4628 }
4629
4630 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4631 &clientssl, NULL, NULL)))
4632 goto end;
4633
4634 if (idx == 8 || idx == 9) {
4635 /* SSL explicit cipher list */
4636 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4637 goto end;
4638 }
4639
4640 if (idx == 2 || idx == 6 || idx == 8) {
4641 /* Default ciphersuite */
4642 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4643 "TLS_AES_128_GCM_SHA256")))
4644 goto end;
4645 } else if (idx == 3 || idx == 7 || idx == 9) {
4646 /* Non default ciphersuite */
4647 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4648 "TLS_AES_128_CCM_SHA256")))
4649 goto end;
4650 }
4651
4652 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4653 goto end;
4654
4655 testresult = 1;
4656
4657 end:
4658 SSL_free(serverssl);
4659 SSL_free(clientssl);
4660 SSL_CTX_free(sctx);
4661 SSL_CTX_free(cctx);
4662
4663 return testresult;
4664}
4665
ca0413ae
MC		 4666static int test_ciphersuite_change(void)
4667{
4668 SSL_CTX *cctx = NULL, *sctx = NULL;
4669 SSL *clientssl = NULL, *serverssl = NULL;
4670 SSL_SESSION *clntsess = NULL;
4671 int testresult = 0;
4672 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4673
4674 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4675 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4676 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4677 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4678 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4679 "TLS_AES_128_GCM_SHA256:"
4680 "TLS_AES_256_GCM_SHA384:"
4681 "TLS_AES_128_CCM_SHA256"))
f865b081 4682 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4683 "TLS_AES_128_GCM_SHA256")))
4684 goto end;
4685
4686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4687 NULL, NULL))
ca0413ae
MC		 4688 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4689 SSL_ERROR_NONE)))
4690 goto end;
4691
4692 clntsess = SSL_get1_session(clientssl);
4693 /* Save for later */
4694 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4695 SSL_shutdown(clientssl);
4696 SSL_shutdown(serverssl);
4697 SSL_free(serverssl);
4698 SSL_free(clientssl);
4699 serverssl = clientssl = NULL;
4700
4701 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4702 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4703 "TLS_AES_128_CCM_SHA256"))
4704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL))
ca0413ae
MC		 4706 || !TEST_true(SSL_set_session(clientssl, clntsess))
4707 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4708 SSL_ERROR_NONE))
4709 || !TEST_true(SSL_session_reused(clientssl)))
4710 goto end;
4711
4712 SSL_SESSION_free(clntsess);
4713 clntsess = SSL_get1_session(clientssl);
4714 SSL_shutdown(clientssl);
4715 SSL_shutdown(serverssl);
4716 SSL_free(serverssl);
4717 SSL_free(clientssl);
4718 serverssl = clientssl = NULL;
4719
4720 /*
4721 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4722 * succeeds but does not resume.
ca0413ae 4723 */
f865b081 4724 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4725 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4726 NULL, NULL))
4727 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4728 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4729 SSL_ERROR_SSL))
0de6d66d 4730 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4731 goto end;
4732
4733 SSL_SESSION_free(clntsess);
4734 clntsess = NULL;
4735 SSL_shutdown(clientssl);
4736 SSL_shutdown(serverssl);
4737 SSL_free(serverssl);
4738 SSL_free(clientssl);
4739 serverssl = clientssl = NULL;
4740
4741 /* Create a session based on SHA384 */
f865b081 4742 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4743 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4744 &clientssl, NULL, NULL))
4745 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4746 SSL_ERROR_NONE)))
4747 goto end;
4748
4749 clntsess = SSL_get1_session(clientssl);
4750 SSL_shutdown(clientssl);
4751 SSL_shutdown(serverssl);
4752 SSL_free(serverssl);
4753 SSL_free(clientssl);
4754 serverssl = clientssl = NULL;
4755
f865b081
MC		 4756 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4757 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4758 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4759 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4760 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4761 NULL, NULL))
4762 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4763 /*
4764 * We use SSL_ERROR_WANT_READ below so that we can pause the
4765 * connection after the initial ClientHello has been sent to
4766 * enable us to make some session changes.
4767 */
ca0413ae
MC		 4768 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4769 SSL_ERROR_WANT_READ)))
4770 goto end;
4771
4772 /* Trick the client into thinking this session is for a different digest */
4773 clntsess->cipher = aes_128_gcm_sha256;
4774 clntsess->cipher_id = clntsess->cipher->id;
4775
4776 /*
3b0e88d3
MC		 4777 * Continue the previously started connection. Server has selected a SHA-384
4778 * ciphersuite, but client thinks the session is for SHA-256, so it should
4779 * bail out.
ca0413ae
MC		 4780 */
4781 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4782 SSL_ERROR_SSL))
4783 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4784 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4785 goto end;
4786
4787 testresult = 1;
4788
4789 end:
4790 SSL_SESSION_free(clntsess);
4791 SSL_free(serverssl);
4792 SSL_free(clientssl);
4793 SSL_CTX_free(sctx);
4794 SSL_CTX_free(cctx);
4795
4796 return testresult;
4797}
4798
8e63900a 4799/*
5bf2eade 4800 * Test TLSv1.3 Key exchange
4801 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4802 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4803 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4804 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4805 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4806 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4807 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4808 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4809 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4810 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4811 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4812 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4813 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4814 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4815 */
f89d3d69
BK		 4816# ifndef OPENSSL_NO_EC
4817static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4032cd9a
YL		 4818 NID_secp521r1,
4819# ifndef OPENSSL_NO_ECX
4820 NID_X25519, NID_X448
4821# endif
4822 };
f89d3d69
BK		 4823# endif
4824# ifndef OPENSSL_NO_DH
4825static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4826 NID_ffdhe6144, NID_ffdhe8192};
4827# endif
db26ec80 4828static int test_key_exchange(int idx)
8e63900a 4829{
4830 SSL_CTX *sctx = NULL, *cctx = NULL;
4831 SSL *serverssl = NULL, *clientssl = NULL;
4832 int testresult = 0;
fb8c6db4 4833 int kexch_alg;
4834 int *kexch_groups = &kexch_alg;
4835 int kexch_groups_size = 1;
8e63900a 4836 int max_version = TLS1_3_VERSION;
becbacd7 4837 char *kexch_name0 = NULL;
8e63900a 4838
4839 switch (idx) {
5bf2eade 4840# ifndef OPENSSL_NO_EC
db26ec80 4841# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4842 case 12:
fb8c6db4 4843 max_version = TLS1_2_VERSION;
db26ec80 4844# endif
fb8c6db4 4845 /* Fall through */
4846 case 0:
4847 kexch_groups = ecdhe_kexch_groups;
4848 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4849 kexch_name0 = "secp256r1";
fb8c6db4 4850 break;
5bf2eade 4851 case 1:
fb8c6db4 4852 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4853 kexch_name0 = "secp256r1";
fb8c6db4 4854 break;
5bf2eade 4855 case 2:
fb8c6db4 4856 kexch_alg = NID_secp384r1;
becbacd7 4857 kexch_name0 = "secp384r1";
fb8c6db4 4858 break;
5bf2eade 4859 case 3:
fb8c6db4 4860 kexch_alg = NID_secp521r1;
becbacd7 4861 kexch_name0 = "secp521r1";
fb8c6db4 4862 break;
4032cd9a 4863# ifndef OPENSSL_NO_ECX
5bf2eade 4864 case 4:
fb8c6db4 4865 kexch_alg = NID_X25519;
becbacd7 4866 kexch_name0 = "x25519";
fb8c6db4 4867 break;
5bf2eade 4868 case 5:
fb8c6db4 4869 kexch_alg = NID_X448;
becbacd7 4870 kexch_name0 = "x448";
fb8c6db4 4871 break;
4032cd9a 4872# endif
5bf2eade 4873# endif
4874# ifndef OPENSSL_NO_DH
db26ec80 4875# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4876 case 13:
dbc6268f 4877 max_version = TLS1_2_VERSION;
becbacd7 4878 kexch_name0 = "ffdhe2048";
db26ec80 4879# endif
dbc6268f 4880 /* Fall through */
5bf2eade 4881 case 6:
8e63900a 4882 kexch_groups = ffdhe_kexch_groups;
4883 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4884 kexch_name0 = "ffdhe2048";
8e63900a 4885 break;
5bf2eade 4886 case 7:
fb8c6db4 4887 kexch_alg = NID_ffdhe2048;
becbacd7 4888 kexch_name0 = "ffdhe2048";
fb8c6db4 4889 break;
5bf2eade 4890 case 8:
fb8c6db4 4891 kexch_alg = NID_ffdhe3072;
becbacd7 4892 kexch_name0 = "ffdhe3072";
fb8c6db4 4893 break;
5bf2eade 4894 case 9:
fb8c6db4 4895 kexch_alg = NID_ffdhe4096;
becbacd7 4896 kexch_name0 = "ffdhe4096";
fb8c6db4 4897 break;
5bf2eade 4898 case 10:
fb8c6db4 4899 kexch_alg = NID_ffdhe6144;
becbacd7 4900 kexch_name0 = "ffdhe6144";
fb8c6db4 4901 break;
5bf2eade 4902 case 11:
fb8c6db4 4903 kexch_alg = NID_ffdhe8192;
becbacd7 4904 kexch_name0 = "ffdhe8192";
8e63900a 4905 break;
5bf2eade 4906# endif
6597d62b
MC		 4907 default:
4908 /* We're skipping this test */
4909 return 1;
8e63900a 4910 }
4911
5e30f2fd
MC		 4912 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4913 TLS_client_method(), TLS1_VERSION,
4914 max_version, &sctx, &cctx, cert,
4915 privkey)))
8e63900a 4916 goto end;
4917
5bf2eade 4918 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4919 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4920 goto end;
4921
5bf2eade 4922 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4923 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4924 goto end;
4925
5bf2eade 4926 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4927 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4928 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4929 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4930 goto end;
4931
dbc6268f
MC		 4932 /*
4933 * Must include an EC ciphersuite so that we send supported groups in
4934 * TLSv1.2
4935 */
5bf2eade 4936# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4937 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4938 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4939 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4940 goto end;
5bf2eade 4941# endif
8e63900a 4942
4943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4944 NULL, NULL)))
4945 goto end;
4946
4947 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4948 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4949 goto end;
4950
5bf2eade 4951 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4952 goto end;
8e63900a 4953
dbc6268f 4954 /*
5bf2eade 4955 * If Handshake succeeds the negotiated kexch alg should be the first one in
4956 * configured, except in the case of FFDHE groups (idx 13), which are
4957 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4958 */
4959 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4960 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4961 goto end;
becbacd7
MB		 4962
4963 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4964 kexch_name0))
4965 goto end;
4966
75d48520
BK		 4967 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4968 if (idx != 13) {
68668243
AB		 4969 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
4970 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
4971 goto end;
fb8c6db4 4972 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4973 goto end;
4974 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4975 goto end;
4976 }
8e63900a 4977
4978 testresult = 1;
4979 end:
4980 SSL_free(serverssl);
4981 SSL_free(clientssl);
4982 SSL_CTX_free(sctx);
4983 SSL_CTX_free(cctx);
4984 return testresult;
4985}
4986
c9cddf05
P		 4987# if !defined(OPENSSL_NO_TLS1_2) \
4988 && !defined(OPENSSL_NO_EC) \
4989 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4990static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4991 int isecdhe, int idx)
4992{
4993 int kexch_alg;
4994 int *kexch_groups = &kexch_alg;
4995 int numec, numff;
4996
4997 numec = OSSL_NELEM(ecdhe_kexch_groups);
4998 numff = OSSL_NELEM(ffdhe_kexch_groups);
4999 if (isecdhe)
5000 kexch_alg = ecdhe_kexch_groups[idx];
5001 else
5002 kexch_alg = ffdhe_kexch_groups[idx];
5003
5004 if (clientmulti) {
5005 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5006 return 0;
5007 if (isecdhe) {
5008 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5009 numec)))
5010 return 0;
5011 } else {
5012 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5013 numff)))
5014 return 0;
5015 }
5016 } else {
5017 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5018 return 0;
5019 if (isecdhe) {
5020 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5021 numec)))
5022 return 0;
5023 } else {
5024 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5025 numff)))
5026 return 0;
5027 }
5028 }
5029 return 1;
5030}
5031
5032/*-
5033 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5034 * Run through both the ECDHE and FFDHE group lists used in the previous
5035 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5036 * confirming the expected result; then perform a resumption handshake
5037 * while offering the same group list, and another resumption handshake
5038 * offering a different group list. The returned value should be the
5039 * negotiated group for the initial handshake; for TLS 1.3 resumption
5040 * handshakes the returned value will be negotiated on the resumption
5041 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5042 * be cached in the session from the original handshake, regardless of what
5043 * was offered in the resumption ClientHello.
5044 *
5045 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 5046 * E tests of ECDHE with TLS 1.3, server only has one group
5047 * F tests of FFDHE with TLS 1.3, server only has one group
5048 * E tests of ECDHE with TLS 1.2, server only has one group
5049 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 5050 * E tests of ECDHE with TLS 1.3, client sends only one group
5051 * F tests of FFDHE with TLS 1.3, client sends only one group
5052 * E tests of ECDHE with TLS 1.2, client sends only one group
5053 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 5054 */
5055static int test_negotiated_group(int idx)
5056{
5057 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5058 int expectednid;
5059 SSL_CTX *sctx = NULL, *cctx = NULL;
5060 SSL *serverssl = NULL, *clientssl = NULL;
5061 SSL_SESSION *origsess = NULL;
5062 int testresult = 0;
5063 int kexch_alg;
5064 int max_version = TLS1_3_VERSION;
5065
5066 numec = OSSL_NELEM(ecdhe_kexch_groups);
5067 numff = OSSL_NELEM(ffdhe_kexch_groups);
5068 numgroups = numec + numff;
5069 clientmulti = (idx < 2 * numgroups);
5070 idx = idx % (2 * numgroups);
5071 istls13 = (idx < numgroups);
5072 idx = idx % numgroups;
5073 isecdhe = (idx < numec);
5074 if (!isecdhe)
5075 idx -= numec;
5076 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5077 if (isecdhe)
5078 kexch_alg = ecdhe_kexch_groups[idx];
5079 else
5080 kexch_alg = ffdhe_kexch_groups[idx];
5081 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5082 if (!istls13 && !isecdhe)
5083 expectednid = NID_undef;
5084 else
5085 expectednid = kexch_alg;
5086
5087 if (!istls13)
5088 max_version = TLS1_2_VERSION;
5089
5090 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5091 TLS_client_method(), TLS1_VERSION,
5092 max_version, &sctx, &cctx, cert,
5093 privkey)))
5094 goto end;
5095
5096 /*
5097 * Force (EC)DHE ciphers for TLS 1.2.
5098 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5099 */
5100 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5101 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5102 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5103 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5104 goto end;
5105 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5106 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5107 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5108 goto end;
5109
5110 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5111 NULL, NULL)))
5112 goto end;
5113
5114 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5115 idx)))
5116 goto end;
5117
5118 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5119 goto end;
5120
5121 /* Initial handshake; always the configured one */
5122 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5123 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5124 goto end;
5125
5126 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5127 goto end;
5128
5129 SSL_shutdown(clientssl);
5130 SSL_shutdown(serverssl);
5131 SSL_free(serverssl);
5132 SSL_free(clientssl);
5133 serverssl = clientssl = NULL;
5134
5135 /* First resumption attempt; use the same config as initial handshake */
5136 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5137 NULL, NULL))
5138 || !TEST_true(SSL_set_session(clientssl, origsess))
5139 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5140 isecdhe, idx)))
5141 goto end;
5142
5143 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5144 || !TEST_true(SSL_session_reused(clientssl)))
5145 goto end;
5146
5147 /* Still had better agree, since nothing changed... */
5148 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5149 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5150 goto end;
5151
5152 SSL_shutdown(clientssl);
5153 SSL_shutdown(serverssl);
5154 SSL_free(serverssl);
5155 SSL_free(clientssl);
5156 serverssl = clientssl = NULL;
5157
5158 /*-
5159 * Second resumption attempt
5160 * The party that picks one group changes it, which we effectuate by
5161 * changing 'idx' and updating what we expect.
5162 */
5163 if (idx == 0)
5164 idx = 1;
5165 else
5166 idx--;
5167 if (istls13) {
5168 if (isecdhe)
5169 expectednid = ecdhe_kexch_groups[idx];
5170 else
5171 expectednid = ffdhe_kexch_groups[idx];
5172 /* Verify that we are changing what we expect. */
5173 if (!TEST_int_ne(expectednid, kexch_alg))
5174 goto end;
5175 } else {
5176 /* TLS 1.2 only supports named groups for ECDHE. */
5177 if (isecdhe)
5178 expectednid = kexch_alg;
5179 else
5180 expectednid = 0;
5181 }
5182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5183 NULL, NULL))
5184 || !TEST_true(SSL_set_session(clientssl, origsess))
5185 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5186 isecdhe, idx)))
5187 goto end;
5188
5189 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5190 || !TEST_true(SSL_session_reused(clientssl)))
5191 goto end;
5192
5193 /* Check that we get what we expected */
5194 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5195 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5196 goto end;
5197
5198 testresult = 1;
5199 end:
5200 SSL_free(serverssl);
5201 SSL_free(clientssl);
5202 SSL_CTX_free(sctx);
5203 SSL_CTX_free(cctx);
5204 SSL_SESSION_free(origsess);
5205 return testresult;
5206}
5207# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5208
5bf2eade 5209/*
5210 * Test TLSv1.3 Cipher Suite
5211 * Test 0 = Set TLS1.3 cipher on context
5212 * Test 1 = Set TLS1.3 cipher on SSL
5213 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5214 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5215 */
5216static int test_tls13_ciphersuite(int idx)
5217{
5218 SSL_CTX *sctx = NULL, *cctx = NULL;
5219 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5220 static const struct {
5221 const char *ciphername;
5222 int fipscapable;
e0710222 5223 int low_security;
4f6c7044 5224 } t13_ciphers[] = {
e0710222
P		 5225 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5226 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5227 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5228# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5229 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5230 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5231 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5232# endif
e0710222
P		 5233 /* CCM8 ciphers are considered low security due to their short tag */
5234 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5235 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5236 };
5237 const char *t13_cipher = NULL;
5238 const char *t12_cipher = NULL;
5239 const char *negotiated_scipher;
5240 const char *negotiated_ccipher;
5241 int set_at_ctx = 0;
5242 int set_at_ssl = 0;
5243 int testresult = 0;
5244 int max_ver;
5245 size_t i;
5246
5247 switch (idx) {
5248 case 0:
5249 set_at_ctx = 1;
5250 break;
5251 case 1:
5252 set_at_ssl = 1;
5253 break;
5254 case 2:
5255 set_at_ctx = 1;
2d900758 5256 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5257 break;
5258 case 3:
5259 set_at_ssl = 1;
2d900758 5260 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5261 break;
5262 }
5263
5264 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5265# ifdef OPENSSL_NO_TLS1_2
5266 if (max_ver == TLS1_2_VERSION)
5267 continue;
5268# endif
5269 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5270 if (is_fips && !t13_ciphers[i].fipscapable)
5271 continue;
5272 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5273 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5274 TLS_client_method(),
5275 TLS1_VERSION, max_ver,
5276 &sctx, &cctx, cert, privkey)))
5277 goto end;
5278
e0710222
P		 5279 if (t13_ciphers[i].low_security) {
5280 SSL_CTX_set_security_level(sctx, 0);
5281 SSL_CTX_set_security_level(cctx, 0);
5282 }
5283
5bf2eade 5284 if (set_at_ctx) {
5285 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5286 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5287 goto end;
5288 if (t12_cipher != NULL) {
5289 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5290 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5291 t12_cipher)))
5292 goto end;
5293 }
5294 }
5295
5296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5297 &clientssl, NULL, NULL)))
5298 goto end;
5299
5300 if (set_at_ssl) {
5301 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5302 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5303 goto end;
5304 if (t12_cipher != NULL) {
5305 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5306 || !TEST_true(SSL_set_cipher_list(clientssl,
5307 t12_cipher)))
5308 goto end;
5309 }
5310 }
5311
5312 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5313 SSL_ERROR_NONE)))
5314 goto end;
5315
5316 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5317 serverssl));
5318 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5319 clientssl));
5320 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5321 goto end;
5322
5323 /*
5324 * TEST_strn_eq is used below because t13_cipher can contain
5325 * multiple ciphersuites
5326 */
5327 if (max_ver == TLS1_3_VERSION
5328 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5329 strlen(negotiated_scipher)))
5330 goto end;
5331
5332# ifndef OPENSSL_NO_TLS1_2
5333 /* Below validation is not done when t12_cipher is NULL */
5334 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5335 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5336 goto end;
5337# endif
5338
5339 SSL_free(serverssl);
5340 serverssl = NULL;
5341 SSL_free(clientssl);
5342 clientssl = NULL;
5343 SSL_CTX_free(sctx);
5344 sctx = NULL;
5345 SSL_CTX_free(cctx);
5346 cctx = NULL;
5347 }
5348 }
5349
5350 testresult = 1;
5351 end:
5352 SSL_free(serverssl);
5353 SSL_free(clientssl);
5354 SSL_CTX_free(sctx);
5355 SSL_CTX_free(cctx);
5356 return testresult;
5357}
5358
0d8da779
MC		 5359/*
5360 * Test TLSv1.3 PSKs
5361 * Test 0 = Test new style callbacks
5362 * Test 1 = Test both new and old style callbacks
5363 * Test 2 = Test old style callbacks
5364 * Test 3 = Test old style callbacks with no certificate
5365 */
532f9578 5366static int test_tls13_psk(int idx)
ca8c71ba
MC		 5367{
5368 SSL_CTX *sctx = NULL, *cctx = NULL;
5369 SSL *serverssl = NULL, *clientssl = NULL;
5370 const SSL_CIPHER *cipher = NULL;
5371 const unsigned char key[] = {
5372 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5373 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5374 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5375 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5376 };
5377 int testresult = 0;
5378
5e30f2fd
MC		 5379 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5380 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5381 &sctx, &cctx, idx == 3 ? NULL : cert,
5382 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5383 goto end;
5384
0d8da779
MC		 5385 if (idx != 3) {
5386 /*
5387 * We use a ciphersuite with SHA256 to ease testing old style PSK
5388 * callbacks which will always default to SHA256. This should not be
5389 * necessary if we have no cert/priv key. In that case the server should
5390 * prefer SHA256 automatically.
5391 */
5392 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5393 "TLS_AES_128_GCM_SHA256")))
5394 goto end;
4f6c7044
MC		 5395 } else {
5396 /*
5397 * As noted above the server should prefer SHA256 automatically. However
5398 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5399 * code works even if we are testing with only the FIPS provider loaded.
5400 */
5401 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5402 "TLS_AES_256_GCM_SHA384:"
5403 "TLS_AES_128_GCM_SHA256")))
5404 goto end;
0d8da779 5405 }
532f9578
MC		 5406
5407 /*
5408 * Test 0: New style callbacks only
5409 * Test 1: New and old style callbacks (only the new ones should be used)
5410 * Test 2: Old style callbacks only
5411 */
5412 if (idx == 0 || idx == 1) {
5413 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5414 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5415 }
c2b290c3 5416#ifndef OPENSSL_NO_PSK
0d8da779 5417 if (idx >= 1) {
532f9578
MC		 5418 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5419 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5420 }
c2b290c3 5421#endif
ca8c71ba 5422 srvid = pskid;
02a3ed5a
MC		 5423 use_session_cb_cnt = 0;
5424 find_session_cb_cnt = 0;
532f9578
MC		 5425 psk_client_cb_cnt = 0;
5426 psk_server_cb_cnt = 0;
ca8c71ba 5427
0d8da779
MC		 5428 if (idx != 3) {
5429 /*
5430 * Check we can create a connection if callback decides not to send a
5431 * PSK
5432 */
5433 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5434 NULL, NULL))
5435 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5436 SSL_ERROR_NONE))
5437 || !TEST_false(SSL_session_reused(clientssl))
5438 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5439 goto end;
532f9578 5440
0d8da779
MC		 5441 if (idx == 0 || idx == 1) {
5442 if (!TEST_true(use_session_cb_cnt == 1)
5443 || !TEST_true(find_session_cb_cnt == 0)
5444 /*
5445 * If no old style callback then below should be 0
5446 * otherwise 1
5447 */
5448 || !TEST_true(psk_client_cb_cnt == idx)
5449 || !TEST_true(psk_server_cb_cnt == 0))
5450 goto end;
5451 } else {
5452 if (!TEST_true(use_session_cb_cnt == 0)
5453 || !TEST_true(find_session_cb_cnt == 0)
5454 || !TEST_true(psk_client_cb_cnt == 1)
5455 || !TEST_true(psk_server_cb_cnt == 0))
5456 goto end;
5457 }
5458
5459 shutdown_ssl_connection(serverssl, clientssl);
5460 serverssl = clientssl = NULL;
5461 use_session_cb_cnt = psk_client_cb_cnt = 0;
5462 }
ca8c71ba
MC		 5463
5464 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5465 NULL, NULL)))
5466 goto end;
5467
5468 /* Create the PSK */
532f9578 5469 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5470 clientpsk = SSL_SESSION_new();
5471 if (!TEST_ptr(clientpsk)
ca8c71ba 5472 || !TEST_ptr(cipher)
57dee9bb
MC		 5473 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5474 sizeof(key)))
5475 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5476 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5477 TLS1_3_VERSION))
5478 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5479 goto end;
57dee9bb 5480 serverpsk = clientpsk;
ca8c71ba
MC		 5481
5482 /* Check we can create a connection and the PSK is used */
5483 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5484 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5485 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5486 goto end;
5487
532f9578
MC		 5488 if (idx == 0 || idx == 1) {
5489 if (!TEST_true(use_session_cb_cnt == 1)
5490 || !TEST_true(find_session_cb_cnt == 1)
5491 || !TEST_true(psk_client_cb_cnt == 0)
5492 || !TEST_true(psk_server_cb_cnt == 0))
5493 goto end;
5494 } else {
5495 if (!TEST_true(use_session_cb_cnt == 0)
5496 || !TEST_true(find_session_cb_cnt == 0)
5497 || !TEST_true(psk_client_cb_cnt == 1)
5498 || !TEST_true(psk_server_cb_cnt == 1))
5499 goto end;
5500 }
5501
ca8c71ba
MC		 5502 shutdown_ssl_connection(serverssl, clientssl);
5503 serverssl = clientssl = NULL;
5504 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5505 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5506
5507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5508 NULL, NULL)))
5509 goto end;
5510
5511 /* Force an HRR */
dbc6268f
MC		 5512#if defined(OPENSSL_NO_EC)
5513 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5514 goto end;
5515#else
4032cd9a 5516 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
ca8c71ba 5517 goto end;
dbc6268f 5518#endif
ca8c71ba
MC		 5519
5520 /*
5521 * Check we can create a connection, the PSK is used and the callbacks are
5522 * called twice.
5523 */
5524 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5525 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5526 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5527 goto end;
5528
532f9578
MC		 5529 if (idx == 0 || idx == 1) {
5530 if (!TEST_true(use_session_cb_cnt == 2)
5531 || !TEST_true(find_session_cb_cnt == 2)
5532 || !TEST_true(psk_client_cb_cnt == 0)
5533 || !TEST_true(psk_server_cb_cnt == 0))
5534 goto end;
5535 } else {
5536 if (!TEST_true(use_session_cb_cnt == 0)
5537 || !TEST_true(find_session_cb_cnt == 0)
5538 || !TEST_true(psk_client_cb_cnt == 2)
5539 || !TEST_true(psk_server_cb_cnt == 2))
5540 goto end;
5541 }
5542
ca8c71ba
MC		 5543 shutdown_ssl_connection(serverssl, clientssl);
5544 serverssl = clientssl = NULL;
5545 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5546 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5547
0d8da779
MC		 5548 if (idx != 3) {
5549 /*
5550 * Check that if the server rejects the PSK we can still connect, but with
5551 * a full handshake
5552 */
5553 srvid = "Dummy Identity";
5554 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5555 NULL, NULL))
5556 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5557 SSL_ERROR_NONE))
5558 || !TEST_false(SSL_session_reused(clientssl))
5559 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5560 goto end;
532f9578 5561
0d8da779
MC		 5562 if (idx == 0 || idx == 1) {
5563 if (!TEST_true(use_session_cb_cnt == 1)
5564 || !TEST_true(find_session_cb_cnt == 1)
5565 || !TEST_true(psk_client_cb_cnt == 0)
5566 /*
5567 * If no old style callback then below should be 0
5568 * otherwise 1
5569 */
5570 || !TEST_true(psk_server_cb_cnt == idx))
5571 goto end;
5572 } else {
5573 if (!TEST_true(use_session_cb_cnt == 0)
5574 || !TEST_true(find_session_cb_cnt == 0)
5575 || !TEST_true(psk_client_cb_cnt == 1)
5576 || !TEST_true(psk_server_cb_cnt == 1))
5577 goto end;
5578 }
5579
5580 shutdown_ssl_connection(serverssl, clientssl);
5581 serverssl = clientssl = NULL;
5582 }
ca8c71ba
MC		 5583 testresult = 1;
5584
5585 end:
57dee9bb
MC		 5586 SSL_SESSION_free(clientpsk);
5587 SSL_SESSION_free(serverpsk);
5588 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5589 SSL_free(serverssl);
5590 SSL_free(clientssl);
5591 SSL_CTX_free(sctx);
5592 SSL_CTX_free(cctx);
5593 return testresult;
5594}
5595
71583393
MM		 5596#ifndef OSSL_NO_USABLE_TLS1_3
5597/*
5598 * Test TLS1.3 connection establishment succeeds with various configurations of
5599 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
5600 * The verification of whether the right KEX mode is choosen is not covered by
5601 * this test but by `test_tls13kexmodes`.
5602 *
5603 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5604 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5605 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5606 */
5607static int test_tls13_no_dhe_kex(const int idx)
5608{
5609 SSL_CTX *sctx = NULL, *cctx = NULL;
5610 SSL *serverssl = NULL, *clientssl = NULL;
5611 int testresult = 0;
5612 size_t j;
5613 SSL_SESSION *saved_session;
5614
5615 int server_allow_no_dhe = (idx & 1) != 0;
5616 int server_prefer_no_dhe = (idx & 2) != 0;
5617 int client_allow_no_dhe = (idx & 4) != 0;
5618
5619 uint64_t server_options = 0
5620 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5621 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5622
5623 uint64_t client_options = 0
5624 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5625
5626 new_called = 0;
5627 do_cache = 1;
5628
5629 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5630 TLS_client_method(), TLS1_3_VERSION, 0,
5631 &sctx, &cctx, cert, privkey)))
5632 goto end;
5633
5634 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5635 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5636
5637 SSL_CTX_set_options(sctx, server_options);
5638 SSL_CTX_set_options(cctx, client_options);
5639
5640 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5641
5642 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5643 &clientssl, NULL, NULL)))
5644 goto end;
5645
5646 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5647 SSL_ERROR_NONE))
5648 /* Check we got the number of tickets we were expecting */
5649 || !TEST_int_eq(2, new_called))
5650 goto end;
5651
5652 /* We'll reuse the last ticket. */
5653 saved_session = sesscache[new_called - 1];
5654
5655 SSL_shutdown(clientssl);
5656 SSL_shutdown(serverssl);
5657 SSL_free(serverssl);
5658 SSL_free(clientssl);
5659 SSL_CTX_free(cctx);
5660 clientssl = serverssl = NULL;
5661 cctx = NULL;
5662
5663 /*
5664 * Now we resume with the last ticket we created.
5665 */
5666
5667 /* The server context already exists, so we only create the client. */
5668 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5669 TLS_client_method(), TLS1_3_VERSION, 0,
5670 NULL, &cctx, cert, privkey)))
5671 goto end;
5672
5673 SSL_CTX_set_options(cctx, client_options);
5674
5675 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5676 &clientssl, NULL, NULL))
5677 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5678 goto end;
5679
5680 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5681 SSL_ERROR_NONE)))
5682 goto end;
5683
5684 /*
5685 * Make sure, the session was resumed.
5686 */
5687 if (!TEST_true(SSL_session_reused(clientssl)))
5688 goto end;
5689
5690 SSL_shutdown(clientssl);
5691 SSL_shutdown(serverssl);
5692
5693 testresult = 1;
5694
5695 end:
5696 SSL_free(serverssl);
5697 SSL_free(clientssl);
5698 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5699 SSL_SESSION_free(sesscache[j]);
5700 sesscache[j] = NULL;
5701 }
5702 SSL_CTX_free(sctx);
5703 SSL_CTX_free(cctx);
5704
5705 return testresult;
5706}
5707#endif /* OSSL_NO_USABLE_TLS1_3 */
5708
c7b8ff25
MC		 5709static unsigned char cookie_magic_value[] = "cookie magic";
5710
5711static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5712 unsigned int *cookie_len)
5713{
5714 /*
5715 * Not suitable as a real cookie generation function but good enough for
5716 * testing!
5717 */
97ea1e7f
MC		 5718 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5719 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5720
5721 return 1;
5722}
5723
5724static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5725 unsigned int cookie_len)
5726{
97ea1e7f 5727 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5728 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5729 return 1;
5730
5731 return 0;
5732}
5733
3fa2812f
BS		 5734static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5735 size_t *cookie_len)
5736{
5737 unsigned int temp;
5738 int res = generate_cookie_callback(ssl, cookie, &temp);
5739 *cookie_len = temp;
5740 return res;
5741}
5742
5743static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5744 size_t cookie_len)
5745{
5746 return verify_cookie_callback(ssl, cookie, cookie_len);
5747}
5748
c7b8ff25
MC		 5749static int test_stateless(void)
5750{
5751 SSL_CTX *sctx = NULL, *cctx = NULL;
5752 SSL *serverssl = NULL, *clientssl = NULL;
5753 int testresult = 0;
5754
5e30f2fd
MC		 5755 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5756 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5757 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5758 goto end;
5759
e440f513
MC		 5760 /* The arrival of CCS messages can confuse the test */
5761 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5762
5763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5764 NULL, NULL))
5765 /* Send the first ClientHello */
5766 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5767 SSL_ERROR_WANT_READ))
5768 /*
5769 * This should fail with a -1 return because we have no callbacks
5770 * set up
5771 */
5772 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5773 goto end;
5774
5775 /* Fatal error so abandon the connection from this client */
5776 SSL_free(clientssl);
5777 clientssl = NULL;
5778
c7b8ff25 5779 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5780 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5781 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5782
e440f513
MC		 5783 /*
5784 * Create a new connection from the client (we can reuse the server SSL
5785 * object).
5786 */
c7b8ff25
MC		 5787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5788 NULL, NULL))
5789 /* Send the first ClientHello */
5790 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5791 SSL_ERROR_WANT_READ))
5792 /* This should fail because there is no cookie */
e440f513 5793 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5794 goto end;
5795
5796 /* Abandon the connection from this client */
5797 SSL_free(clientssl);
5798 clientssl = NULL;
5799
5800 /*
5801 * Now create a connection from a new client but with the same server SSL
5802 * object
5803 */
5804 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5805 NULL, NULL))
5806 /* Send the first ClientHello */
5807 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5808 SSL_ERROR_WANT_READ))
5809 /* This should fail because there is no cookie */
e440f513 5810 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5811 /* Send the second ClientHello */
5812 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5813 SSL_ERROR_WANT_READ))
5814 /* This should succeed because a cookie is now present */
e440f513 5815 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5816 /* Complete the connection */
5817 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5818 SSL_ERROR_NONE)))
5819 goto end;
5820
5821 shutdown_ssl_connection(serverssl, clientssl);
5822 serverssl = clientssl = NULL;
5823 testresult = 1;
5824
5825 end:
5826 SSL_free(serverssl);
5827 SSL_free(clientssl);
5828 SSL_CTX_free(sctx);
5829 SSL_CTX_free(cctx);
5830 return testresult;
5831
5832}
a763ca11 5833#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5834
a37008d9
MC		 5835static int clntaddoldcb = 0;
5836static int clntparseoldcb = 0;
5837static int srvaddoldcb = 0;
5838static int srvparseoldcb = 0;
5839static int clntaddnewcb = 0;
5840static int clntparsenewcb = 0;
5841static int srvaddnewcb = 0;
5842static int srvparsenewcb = 0;
bb01ef3f 5843static int snicb = 0;
a37008d9
MC		 5844
5845#define TEST_EXT_TYPE1 0xff00
5846
5847static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5848 size_t *outlen, int *al, void *add_arg)
5849{
5850 int *server = (int *)add_arg;
5851 unsigned char *data;
5852
5853 if (SSL_is_server(s))
5854 srvaddoldcb++;
5855 else
5856 clntaddoldcb++;
5857
710756a9
RS		 5858 if (*server != SSL_is_server(s)
5859 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5860 return -1;
5861
5862 *data = 1;
5863 *out = data;
5864 *outlen = sizeof(char);
a37008d9
MC		 5865 return 1;
5866}
5867
5868static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5869 void *add_arg)
5870{
5871 OPENSSL_free((unsigned char *)out);
5872}
5873
5874static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5875 size_t inlen, int *al, void *parse_arg)
5876{
5877 int *server = (int *)parse_arg;
5878
5879 if (SSL_is_server(s))
5880 srvparseoldcb++;
5881 else
5882 clntparseoldcb++;
5883
710756a9
RS		 5884 if (*server != SSL_is_server(s)
5885 || inlen != sizeof(char)
5886 || *in != 1)
a37008d9
MC		 5887 return -1;
5888
5889 return 1;
5890}
5891
5892static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5893 const unsigned char **out, size_t *outlen, X509 *x,
5894 size_t chainidx, int *al, void *add_arg)
5895{
5896 int *server = (int *)add_arg;
5897 unsigned char *data;
5898
5899 if (SSL_is_server(s))
5900 srvaddnewcb++;
5901 else
5902 clntaddnewcb++;
5903
710756a9
RS		 5904 if (*server != SSL_is_server(s)
5905 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5906 return -1;
5907
5908 *data = 1;
5909 *out = data;
710756a9 5910 *outlen = sizeof(*data);
a37008d9
MC		 5911 return 1;
5912}
5913
5914static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5915 const unsigned char *out, void *add_arg)
5916{
5917 OPENSSL_free((unsigned char *)out);
5918}
5919
5920static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5921 const unsigned char *in, size_t inlen, X509 *x,
5922 size_t chainidx, int *al, void *parse_arg)
5923{
5924 int *server = (int *)parse_arg;
5925
5926 if (SSL_is_server(s))
5927 srvparsenewcb++;
5928 else
5929 clntparsenewcb++;
5930
710756a9
RS		 5931 if (*server != SSL_is_server(s)
5932 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5933 return -1;
5934
5935 return 1;
5936}
bb01ef3f
MC		 5937
5938static int sni_cb(SSL *s, int *al, void *arg)
5939{
5940 SSL_CTX *ctx = (SSL_CTX *)arg;
5941
5942 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5943 *al = SSL_AD_INTERNAL_ERROR;
5944 return SSL_TLSEXT_ERR_ALERT_FATAL;
5945 }
5946 snicb++;
5947 return SSL_TLSEXT_ERR_OK;
5948}
5949
0db3a990
MC		 5950static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5951{
5952 return 1;
5953}
5954
a37008d9
MC		 5955/*
5956 * Custom call back tests.
5957 * Test 0: Old style callbacks in TLSv1.2
5958 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5959 * Test 2: New style callbacks in TLSv1.2 with SNI
5960 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5961 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5962 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5963 */
710756a9
RS		 5964static int test_custom_exts(int tst)
5965{
bb01ef3f 5966 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5967 SSL *clientssl = NULL, *serverssl = NULL;
5968 int testresult = 0;
5969 static int server = 1;
5970 static int client = 0;
5971 SSL_SESSION *sess = NULL;
5972 unsigned int context;
5973
a763ca11 5974#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5975 /* Skip tests for TLSv1.2 and below in this case */
5976 if (tst < 3)
5977 return 1;
5978#endif
5979
a37008d9
MC		 5980 /* Reset callback counters */
5981 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5982 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5983 snicb = 0;
a37008d9 5984
5e30f2fd
MC		 5985 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5986 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5987 &sctx, &cctx, cert, privkey)))
710756a9 5988 goto end;
a37008d9 5989
bb01ef3f 5990 if (tst == 2
5e30f2fd 5991 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5992 TLS1_VERSION, 0,
7d7f6834 5993 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5994 goto end;
5995
5996
5997 if (tst < 3) {
a37008d9
MC		 5998 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5999 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 6000 if (sctx2 != NULL)
6001 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 6002 }
6003
0db3a990
MC		 6004 if (tst == 5) {
6005 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6006 | SSL_EXT_TLS1_3_CERTIFICATE;
6007 SSL_CTX_set_verify(sctx,
6008 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6009 verify_cb);
6010 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6011 SSL_FILETYPE_PEM), 1)
6012 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6013 SSL_FILETYPE_PEM), 1)
6014 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6015 goto end;
6016 } else if (tst == 4) {
710756a9
RS		 6017 context = SSL_EXT_CLIENT_HELLO
6018 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6019 | SSL_EXT_TLS1_3_SERVER_HELLO
6020 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6021 | SSL_EXT_TLS1_3_CERTIFICATE
6022 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6023 } else {
710756a9
RS		 6024 context = SSL_EXT_CLIENT_HELLO
6025 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6026 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6027 }
6028
6029 /* Create a client side custom extension */
6030 if (tst == 0) {
710756a9
RS		 6031 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6032 old_add_cb, old_free_cb,
6033 &client, old_parse_cb,
6034 &client)))
6035 goto end;
a37008d9 6036 } else {
710756a9
RS		 6037 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6038 new_add_cb, new_free_cb,
6039 &client, new_parse_cb, &client)))
6040 goto end;
a37008d9
MC		 6041 }
6042
6043 /* Should not be able to add duplicates */
710756a9
RS		 6044 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6045 old_add_cb, old_free_cb,
6046 &client, old_parse_cb,
6047 &client))
6048 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6049 context, new_add_cb,
6050 new_free_cb, &client,
6051 new_parse_cb, &client)))
6052 goto end;
a37008d9
MC		 6053
6054 /* Create a server side custom extension */
6055 if (tst == 0) {
710756a9
RS		 6056 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6057 old_add_cb, old_free_cb,
6058 &server, old_parse_cb,
6059 &server)))
6060 goto end;
a37008d9 6061 } else {
710756a9
RS		 6062 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6063 new_add_cb, new_free_cb,
6064 &server, new_parse_cb, &server)))
6065 goto end;
bb01ef3f
MC		 6066 if (sctx2 != NULL
6067 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6068 context, new_add_cb,
6069 new_free_cb, &server,
6070 new_parse_cb, &server)))
6071 goto end;
a37008d9
MC		 6072 }
6073
6074 /* Should not be able to add duplicates */
710756a9
RS		 6075 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6076 old_add_cb, old_free_cb,
6077 &server, old_parse_cb,
6078 &server))
6079 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6080 context, new_add_cb,
6081 new_free_cb, &server,
6082 new_parse_cb, &server)))
a37008d9 6083 goto end;
a37008d9 6084
bb01ef3f
MC		 6085 if (tst == 2) {
6086 /* Set up SNI */
6087 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6088 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6089 goto end;
6090 }
6091
710756a9
RS		 6092 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6093 &clientssl, NULL, NULL))
6094 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6095 SSL_ERROR_NONE)))
a37008d9 6096 goto end;
a37008d9
MC		 6097
6098 if (tst == 0) {
710756a9
RS		 6099 if (clntaddoldcb != 1
6100 || clntparseoldcb != 1
6101 || srvaddoldcb != 1
6102 || srvparseoldcb != 1)
a37008d9 6103 goto end;
bb01ef3f 6104 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6105 if (clntaddnewcb != 1
6106 || clntparsenewcb != 1
6107 || srvaddnewcb != 1
bb01ef3f
MC		 6108 || srvparsenewcb != 1
6109 || (tst != 2 && snicb != 0)
6110 || (tst == 2 && snicb != 1))
a37008d9 6111 goto end;
0db3a990
MC		 6112 } else if (tst == 5) {
6113 if (clntaddnewcb != 1
6114 || clntparsenewcb != 1
6115 || srvaddnewcb != 1
6116 || srvparsenewcb != 1)
6117 goto end;
a37008d9 6118 } else {
36ff232c 6119 /* In this case there 2 NewSessionTicket messages created */
710756a9 6120 if (clntaddnewcb != 1
36ff232c
MC		 6121 || clntparsenewcb != 5
6122 || srvaddnewcb != 5
710756a9 6123 || srvparsenewcb != 1)
a37008d9 6124 goto end;
a37008d9
MC		 6125 }
6126
6127 sess = SSL_get1_session(clientssl);
a37008d9
MC		 6128 SSL_shutdown(clientssl);
6129 SSL_shutdown(serverssl);
a37008d9
MC		 6130 SSL_free(serverssl);
6131 SSL_free(clientssl);
6132 serverssl = clientssl = NULL;
6133
0db3a990
MC		 6134 if (tst == 3 || tst == 5) {
6135 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 6136 testresult = 1;
6137 goto end;
6138 }
6139
710756a9
RS		 6140 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6141 NULL, NULL))
6142 || !TEST_true(SSL_set_session(clientssl, sess))
6143 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6144 SSL_ERROR_NONE)))
a37008d9 6145 goto end;
a37008d9
MC		 6146
6147 /*
6148 * For a resumed session we expect to add the ClientHello extension. For the
6149 * old style callbacks we ignore it on the server side because they set
6150 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6151 * them.
6152 */
6153 if (tst == 0) {
710756a9
RS		 6154 if (clntaddoldcb != 2
6155 || clntparseoldcb != 1
6156 || srvaddoldcb != 1
6157 || srvparseoldcb != 1)
a37008d9 6158 goto end;
bb01ef3f 6159 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6160 if (clntaddnewcb != 2
6161 || clntparsenewcb != 2
6162 || srvaddnewcb != 2
6163 || srvparsenewcb != 2)
a37008d9 6164 goto end;
a37008d9 6165 } else {
36ff232c
MC		 6166 /*
6167 * No Certificate message extensions in the resumption handshake,
6168 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6169 */
710756a9 6170 if (clntaddnewcb != 2
36ff232c
MC		 6171 || clntparsenewcb != 8
6172 || srvaddnewcb != 8
710756a9 6173 || srvparsenewcb != 2)
a37008d9 6174 goto end;
a37008d9
MC		 6175 }
6176
6177 testresult = 1;
6178
6179end:
6180 SSL_SESSION_free(sess);
6181 SSL_free(serverssl);
6182 SSL_free(clientssl);
bb01ef3f 6183 SSL_CTX_free(sctx2);
a37008d9
MC		 6184 SSL_CTX_free(sctx);
6185 SSL_CTX_free(cctx);
a37008d9
MC		 6186 return testresult;
6187}
6188
555dd939 6189#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 6190
555dd939
DF		 6191#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6192 | SSL_EXT_CLIENT_HELLO \
6193 | SSL_EXT_TLS1_2_SERVER_HELLO \
6194 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 6195
555dd939
DF		 6196#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6197 | SSL_EXT_TLS1_2_SERVER_HELLO \
6198 | SSL_EXT_CLIENT_HELLO)
16afd71c 6199
555dd939
DF		 6200#define SERVERINFO_CUSTOM \
6201 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6202 0x00, 0x03, \
6203 0x04, 0x05, 0x06 \
6204
6205static const unsigned char serverinfo_custom_tls13[] = {
6206 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6207 SERVERINFO_CUSTOM
6208};
6209static const unsigned char serverinfo_custom_v2[] = {
6210 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6211 SERVERINFO_CUSTOM
6212};
6213static const unsigned char serverinfo_custom_v1[] = {
6214 SERVERINFO_CUSTOM
6215};
6216static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6217static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6218static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6219
6220static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6221 unsigned int context,
6222 const unsigned char *in,
6223 size_t inlen, X509 *x,
6224 size_t chainidx, int *al,
6225 void *parse_arg)
6226{
6227 const size_t len = serverinfo_custom_v1_len;
6228 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6229 int *p_cb_result = (int*)parse_arg;
6230 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6231 return 1;
6232}
6233
6234static int test_serverinfo_custom(const int idx)
6235{
6236 SSL_CTX *sctx = NULL, *cctx = NULL;
6237 SSL *clientssl = NULL, *serverssl = NULL;
6238 int testresult = 0;
6239 int cb_result = 0;
6240
6241 /*
6242 * Following variables are set in the switch statement
6243 * according to the test iteration.
6244 * Default values do not make much sense: test would fail with them.
6245 */
6246 int serverinfo_version = 0;
6247 int protocol_version = 0;
6248 unsigned int extension_context = 0;
6249 const unsigned char *si = NULL;
6250 size_t si_len = 0;
6251
6252 const int call_use_serverinfo_ex = idx > 0;
6253 switch (idx) {
6254 case 0: /* FALLTHROUGH */
6255 case 1:
6256 serverinfo_version = SSL_SERVERINFOV1;
6257 protocol_version = TLS1_2_VERSION;
6258 extension_context = SYNTHV1CONTEXT;
6259 si = serverinfo_custom_v1;
6260 si_len = serverinfo_custom_v1_len;
6261 break;
6262 case 2:
6263 serverinfo_version = SSL_SERVERINFOV2;
6264 protocol_version = TLS1_2_VERSION;
6265 extension_context = SYNTHV1CONTEXT;
6266 si = serverinfo_custom_v2;
6267 si_len = serverinfo_custom_v2_len;
6268 break;
6269 case 3:
6270 serverinfo_version = SSL_SERVERINFOV2;
6271 protocol_version = TLS1_3_VERSION;
6272 extension_context = TLS13CONTEXT;
6273 si = serverinfo_custom_tls13;
6274 si_len = serverinfo_custom_tls13_len;
6275 break;
16afd71c
MC		 6276 }
6277
555dd939
DF		 6278 if (!TEST_true(create_ssl_ctx_pair(libctx,
6279 TLS_method(),
6280 TLS_method(),
6281 protocol_version,
6282 protocol_version,
6283 &sctx, &cctx, cert, privkey)))
6284 goto end;
16afd71c 6285
555dd939
DF		 6286 if (call_use_serverinfo_ex) {
6287 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6288 si, si_len)))
6289 goto end;
6290 } else {
6291 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6292 goto end;
16afd71c
MC		 6293 }
6294
555dd939
DF		 6295 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6296 extension_context,
6297 NULL, NULL, NULL,
6298 serverinfo_custom_parse_cb,
6299 &cb_result))
6300 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6301 NULL, NULL))
6302 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6303 SSL_ERROR_NONE))
6304 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6305 goto end;
6306
6307 if (!TEST_true(cb_result))
16afd71c
MC		 6308 goto end;
6309
6310 testresult = 1;
6311
6312 end:
555dd939
DF		 6313 SSL_free(serverssl);
6314 SSL_free(clientssl);
6315 SSL_CTX_free(sctx);
6316 SSL_CTX_free(cctx);
16afd71c
MC		 6317
6318 return testresult;
6319}
555dd939 6320#endif
16afd71c 6321
2197d1df
MC		 6322/*
6323 * Test that SSL_export_keying_material() produces expected results. There are
6324 * no test vectors so all we do is test that both sides of the communication
6325 * produce the same results for different protocol versions.
6326 */
0fb2815b
MC		 6327#define SMALL_LABEL_LEN 10
6328#define LONG_LABEL_LEN 249
2197d1df
MC		 6329static int test_export_key_mat(int tst)
6330{
a599574b 6331 int testresult = 0;
2197d1df
MC		 6332 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6333 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6334 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6335 const unsigned char context[] = "context";
6336 const unsigned char *emptycontext = NULL;
ef9d8f2f 6337 unsigned char longcontext[1280];
5df160f1 6338 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
ef9d8f2f
DU		 6339 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6340 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
0fb2815b 6341 size_t labellen;
a599574b
MC		 6342 const int protocols[] = {
6343 TLS1_VERSION,
6344 TLS1_1_VERSION,
6345 TLS1_2_VERSION,
0fb2815b
MC		 6346 TLS1_3_VERSION,
6347 TLS1_3_VERSION,
a599574b
MC		 6348 TLS1_3_VERSION
6349 };
2197d1df
MC		 6350
6351#ifdef OPENSSL_NO_TLS1
6352 if (tst == 0)
6353 return 1;
6354#endif
6355#ifdef OPENSSL_NO_TLS1_1
6356 if (tst == 1)
6357 return 1;
6358#endif
4f6c7044
MC		 6359 if (is_fips && (tst == 0 || tst == 1))
6360 return 1;
2197d1df
MC		 6361#ifdef OPENSSL_NO_TLS1_2
6362 if (tst == 2)
6363 return 1;
6364#endif
a763ca11 6365#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6366 if (tst >= 3)
2197d1df
MC		 6367 return 1;
6368#endif
5e30f2fd
MC		 6369 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6370 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6371 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6372 goto end;
6373
a599574b
MC		 6374 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6375 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6376 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6377 if ((protocols[tst] < TLS1_2_VERSION) &&
6378 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6379 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6380 goto end;
2197d1df
MC		 6381
6382 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6383 NULL)))
6384 goto end;
6385
6386 /*
6387 * Premature call of SSL_export_keying_material should just fail.
6388 */
6389 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6390 sizeof(ckeymat1), label,
6391 SMALL_LABEL_LEN + 1, context,
6392 sizeof(context) - 1, 1), 0))
6393 goto end;
6394
6395 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6396 SSL_ERROR_NONE)))
2197d1df
MC		 6397 goto end;
6398
0fb2815b
MC		 6399 if (tst == 5) {
6400 /*
6401 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6402 * go over that.
6403 */
6404 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6405 sizeof(ckeymat1), label,
6406 LONG_LABEL_LEN + 1, context,
6407 sizeof(context) - 1, 1), 0))
6408 goto end;
6409
6410 testresult = 1;
6411 goto end;
6412 } else if (tst == 4) {
6413 labellen = LONG_LABEL_LEN;
6414 } else {
6415 labellen = SMALL_LABEL_LEN;
6416 }
6417
ef9d8f2f
DU		 6418 memset(longcontext, 1, sizeof(longcontext));
6419
2197d1df
MC		 6420 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6421 sizeof(ckeymat1), label,
0fb2815b 6422 labellen, context,
2197d1df
MC		 6423 sizeof(context) - 1, 1), 1)
6424 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6425 sizeof(ckeymat2), label,
0fb2815b 6426 labellen,
2197d1df
MC		 6427 emptycontext,
6428 0, 1), 1)
6429 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6430 sizeof(ckeymat3), label,
0fb2815b 6431 labellen,
2197d1df 6432 NULL, 0, 0), 1)
5df160f1
TM		 6433 || (test_longcontext
6434 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6435 ckeymat4,
6436 sizeof(ckeymat4), label,
6437 labellen,
6438 longcontext,
6439 sizeof(longcontext), 1),
6440 1))
2197d1df
MC		 6441 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6442 sizeof(skeymat1), label,
0fb2815b 6443 labellen,
2197d1df
MC		 6444 context,
6445 sizeof(context) -1, 1),
6446 1)
6447 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6448 sizeof(skeymat2), label,
0fb2815b 6449 labellen,
2197d1df
MC		 6450 emptycontext,
6451 0, 1), 1)
6452 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6453 sizeof(skeymat3), label,
0fb2815b 6454 labellen,
2197d1df 6455 NULL, 0, 0), 1)
5df160f1
TM		 6456 || (test_longcontext
6457 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6458 sizeof(skeymat4), label,
6459 labellen,
6460 longcontext,
6461 sizeof(longcontext), 1),
6462 1))
2197d1df
MC		 6463 /*
6464 * Check that both sides created the same key material with the
6465 * same context.
6466 */
6467 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6468 sizeof(skeymat1))
6469 /*
6470 * Check that both sides created the same key material with an
6471 * empty context.
6472 */
6473 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6474 sizeof(skeymat2))
6475 /*
6476 * Check that both sides created the same key material without a
6477 * context.
6478 */
6479 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6480 sizeof(skeymat3))
ef9d8f2f
DU		 6481 /*
6482 * Check that both sides created the same key material with a
6483 * long context.
6484 */
5df160f1
TM		 6485 || (test_longcontext
6486 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6487 sizeof(skeymat4)))
2197d1df
MC		 6488 /* Different contexts should produce different results */
6489 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6490 sizeof(ckeymat2)))
6491 goto end;
6492
6493 /*
6494 * Check that an empty context and no context produce different results in
6495 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6496 */
0fb2815b 6497 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6498 sizeof(ckeymat3)))
0fb2815b
MC		 6499 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6500 sizeof(ckeymat3))))
2197d1df
MC		 6501 goto end;
6502
6503 testresult = 1;
6504
6505 end:
6506 SSL_free(serverssl);
6507 SSL_free(clientssl);
6508 SSL_CTX_free(sctx2);
6509 SSL_CTX_free(sctx);
6510 SSL_CTX_free(cctx);
6511
6512 return testresult;
6513}
6514
a763ca11 6515#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6516/*
6517 * Test that SSL_export_keying_material_early() produces expected
6518 * results. There are no test vectors so all we do is test that both
6519 * sides of the communication produce the same results for different
6520 * protocol versions.
6521 */
6522static int test_export_key_mat_early(int idx)
6523{
6524 static const char label[] = "test label";
6525 static const unsigned char context[] = "context";
6526 int testresult = 0;
6527 SSL_CTX *cctx = NULL, *sctx = NULL;
6528 SSL *clientssl = NULL, *serverssl = NULL;
6529 SSL_SESSION *sess = NULL;
6530 const unsigned char *emptycontext = NULL;
6531 unsigned char ckeymat1[80], ckeymat2[80];
6532 unsigned char skeymat1[80], skeymat2[80];
6533 unsigned char buf[1];
6534 size_t readbytes, written;
6535
6536 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
10836921 6537 &sess, idx, SHA384_DIGEST_LENGTH)))
b38ede80
TT		 6538 goto end;
6539
6540 /* Here writing 0 length early data is enough. */
6541 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6542 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6543 &readbytes),
6544 SSL_READ_EARLY_DATA_ERROR)
6545 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6546 SSL_EARLY_DATA_ACCEPTED))
6547 goto end;
6548
6549 if (!TEST_int_eq(SSL_export_keying_material_early(
6550 clientssl, ckeymat1, sizeof(ckeymat1), label,
6551 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6552 || !TEST_int_eq(SSL_export_keying_material_early(
6553 clientssl, ckeymat2, sizeof(ckeymat2), label,
6554 sizeof(label) - 1, emptycontext, 0), 1)
6555 || !TEST_int_eq(SSL_export_keying_material_early(
6556 serverssl, skeymat1, sizeof(skeymat1), label,
6557 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6558 || !TEST_int_eq(SSL_export_keying_material_early(
6559 serverssl, skeymat2, sizeof(skeymat2), label,
6560 sizeof(label) - 1, emptycontext, 0), 1)
6561 /*
6562 * Check that both sides created the same key material with the
6563 * same context.
6564 */
6565 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6566 sizeof(skeymat1))
6567 /*
6568 * Check that both sides created the same key material with an
6569 * empty context.
6570 */
6571 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6572 sizeof(skeymat2))
6573 /* Different contexts should produce different results */
6574 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6575 sizeof(ckeymat2)))
6576 goto end;
6577
6578 testresult = 1;
6579
6580 end:
c20e3b28 6581 SSL_SESSION_free(sess);
b38ede80
TT		 6582 SSL_SESSION_free(clientpsk);
6583 SSL_SESSION_free(serverpsk);
34ff74eb 6584 clientpsk = serverpsk = NULL;
b38ede80
TT		 6585 SSL_free(serverssl);
6586 SSL_free(clientssl);
6587 SSL_CTX_free(sctx);
6588 SSL_CTX_free(cctx);
6589
6590 return testresult;
6591}
3409a5ff
MC		 6592
6593#define NUM_KEY_UPDATE_MESSAGES 40
6594/*
6595 * Test KeyUpdate.
6596 */
6597static int test_key_update(void)
6598{
6599 SSL_CTX *cctx = NULL, *sctx = NULL;
6600 SSL *clientssl = NULL, *serverssl = NULL;
6601 int testresult = 0, i, j;
6602 char buf[20];
6603 static char *mess = "A test message";
6604
5e30f2fd 6605 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6606 TLS_client_method(),
6607 TLS1_3_VERSION,
6608 0,
6609 &sctx, &cctx, cert, privkey))
6610 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6611 NULL, NULL))
6612 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6613 SSL_ERROR_NONE)))
6614 goto end;
6615
6616 for (j = 0; j < 2; j++) {
6617 /* Send lots of KeyUpdate messages */
6618 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6619 if (!TEST_true(SSL_key_update(clientssl,
6620 (j == 0)
6621 ? SSL_KEY_UPDATE_NOT_REQUESTED
6622 : SSL_KEY_UPDATE_REQUESTED))
6623 || !TEST_true(SSL_do_handshake(clientssl)))
6624 goto end;
6625 }
6626
6627 /* Check that sending and receiving app data is ok */
6628 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6629 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6630 strlen(mess)))
6631 goto end;
a77b4dba
MC		 6632
6633 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6634 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6635 strlen(mess)))
6636 goto end;
3409a5ff
MC		 6637 }
6638
6639 testresult = 1;
6640
6641 end:
6642 SSL_free(serverssl);
6643 SSL_free(clientssl);
6644 SSL_CTX_free(sctx);
6645 SSL_CTX_free(cctx);
6646
6647 return testresult;
6648}
a77b4dba
MC		 6649
6650/*
0c48fda8 6651 * Test we can handle a KeyUpdate (update requested) message while
6652 * write data is pending in peer.
a77b4dba
MC		 6653 * Test 0: Client sends KeyUpdate while Server is writing
6654 * Test 1: Server sends KeyUpdate while Client is writing
6655 */
0c48fda8 6656static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6657{
6658 SSL_CTX *cctx = NULL, *sctx = NULL;
6659 SSL *clientssl = NULL, *serverssl = NULL;
6660 int testresult = 0;
6661 char buf[20];
6662 static char *mess = "A test message";
6663 BIO *bretry = BIO_new(bio_s_always_retry());
6664 BIO *tmp = NULL;
6665 SSL *peerupdate = NULL, *peerwrite = NULL;
6666
6667 if (!TEST_ptr(bretry)
5e30f2fd 6668 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6669 TLS_client_method(),
6670 TLS1_3_VERSION,
6671 0,
6672 &sctx, &cctx, cert, privkey))
6673 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6674 NULL, NULL))
6675 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6676 SSL_ERROR_NONE)))
6677 goto end;
6678
6679 peerupdate = tst == 0 ? clientssl : serverssl;
6680 peerwrite = tst == 0 ? serverssl : clientssl;
6681
6682 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6683 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6684 goto end;
6685
6686 /* Swap the writing endpoint's write BIO to force a retry */
6687 tmp = SSL_get_wbio(peerwrite);
6688 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6689 tmp = NULL;
6690 goto end;
6691 }
6692 SSL_set0_wbio(peerwrite, bretry);
6693 bretry = NULL;
6694
6695 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6696 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
7e1b0dc1
HL		 6697 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6698 || !TEST_true(SSL_want_write(peerwrite))
6699 || !TEST_true(SSL_net_write_desired(peerwrite)))
a77b4dba
MC		 6700 goto end;
6701
6702 /* Reinstate the original writing endpoint's write BIO */
6703 SSL_set0_wbio(peerwrite, tmp);
6704 tmp = NULL;
6705
6706 /* Now read some data - we will read the key update */
6707 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
7e1b0dc1
HL		 6708 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6709 || !TEST_true(SSL_want_read(peerwrite))
6710 || !TEST_true(SSL_net_read_desired(peerwrite)))
a77b4dba
MC		 6711 goto end;
6712
6713 /*
6714 * Complete the write we started previously and read it from the other
6715 * endpoint
6716 */
6717 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6718 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6719 goto end;
6720
6721 /* Write more data to ensure we send the KeyUpdate message back */
6722 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6723 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6724 goto end;
6725
7e1b0dc1
HL		 6726 if (!TEST_false(SSL_net_read_desired(peerwrite))
6727 || !TEST_false(SSL_net_write_desired(peerwrite))
6728 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6729 goto end;
6730
a77b4dba
MC		 6731 testresult = 1;
6732
6733 end:
6734 SSL_free(serverssl);
6735 SSL_free(clientssl);
6736 SSL_CTX_free(sctx);
6737 SSL_CTX_free(cctx);
6738 BIO_free(bretry);
6739 BIO_free(tmp);
6740
6741 return testresult;
6742}
0c48fda8 6743
6744/*
6745 * Test we can handle a KeyUpdate (update requested) message while
6746 * peer read data is pending after peer accepted keyupdate(the msg header
6747 * had been read 5 bytes).
6748 * Test 0: Client sends KeyUpdate while Server is reading
6749 * Test 1: Server sends KeyUpdate while Client is reading
6750 */
6751static int test_key_update_peer_in_read(int tst)
6752{
6753 SSL_CTX *cctx = NULL, *sctx = NULL;
6754 SSL *clientssl = NULL, *serverssl = NULL;
6755 int testresult = 0;
6756 char prbuf[515], lwbuf[515] = {0};
6757 static char *mess = "A test message";
6758 BIO *lbio = NULL, *pbio = NULL;
6759 SSL *local = NULL, *peer = NULL;
6760
6761 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6762 TLS_client_method(),
6763 TLS1_3_VERSION,
6764 0,
6765 &sctx, &cctx, cert, privkey))
6766 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6767 NULL, NULL))
6768 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6769 SSL_ERROR_NONE)))
6770 goto end;
6771
6772 local = tst == 0 ? clientssl : serverssl;
6773 peer = tst == 0 ? serverssl : clientssl;
6774
6775 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6776 goto end;
6777
6778 SSL_set_bio(local, lbio, lbio);
6779 SSL_set_bio(peer, pbio, pbio);
6780
6781 /*
6782 * we first write keyupdate msg then appdata in local
6783 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6784 * lwbuf app data msg size + key updata msg size > 512(the size of
6785 * the bio pair buffer)
6786 */
6787 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6788 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6789 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6790 goto end;
6791
6792 /*
6793 * first read keyupdate msg in peer in peer
6794 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6795 */
6796 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6797 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6798 goto end;
6799
6800 /* Now write some data in peer - we will write the key update */
6801 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6802 goto end;
6803
6804 /*
6805 * write data in local previously that we will complete
6806 * read data in peer previously that we will complete
6807 */
6808 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6809 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6810 goto end;
6811
6812 /* check that sending and receiving appdata ok */
6813 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6814 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6815 goto end;
6816
6817 testresult = 1;
6818
6819 end:
6820 SSL_free(serverssl);
6821 SSL_free(clientssl);
6822 SSL_CTX_free(sctx);
6823 SSL_CTX_free(cctx);
6824
6825 return testresult;
6826}
6827
6828/*
6829 * Test we can't send a KeyUpdate (update requested) message while
6830 * local write data is pending.
6831 * Test 0: Client sends KeyUpdate while Client is writing
6832 * Test 1: Server sends KeyUpdate while Server is writing
6833 */
6834static int test_key_update_local_in_write(int tst)
6835{
6836 SSL_CTX *cctx = NULL, *sctx = NULL;
6837 SSL *clientssl = NULL, *serverssl = NULL;
6838 int testresult = 0;
6839 char buf[20];
6840 static char *mess = "A test message";
6841 BIO *bretry = BIO_new(bio_s_always_retry());
6842 BIO *tmp = NULL;
6843 SSL *local = NULL, *peer = NULL;
6844
6845 if (!TEST_ptr(bretry)
6846 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6847 TLS_client_method(),
6848 TLS1_3_VERSION,
6849 0,
6850 &sctx, &cctx, cert, privkey))
6851 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6852 NULL, NULL))
6853 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6854 SSL_ERROR_NONE)))
6855 goto end;
6856
6857 local = tst == 0 ? clientssl : serverssl;
6858 peer = tst == 0 ? serverssl : clientssl;
6859
6860 /* Swap the writing endpoint's write BIO to force a retry */
6861 tmp = SSL_get_wbio(local);
6862 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6863 tmp = NULL;
6864 goto end;
6865 }
6866 SSL_set0_wbio(local, bretry);
6867 bretry = NULL;
6868
6869 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6870 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6871 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6872 goto end;
6873
6874 /* Reinstate the original writing endpoint's write BIO */
6875 SSL_set0_wbio(local, tmp);
6876 tmp = NULL;
6877
6878 /* SSL_key_update will fail, because writing in local*/
6879 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6880 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6881 goto end;
6882
6883 ERR_clear_error();
6884 /* write data in local previously that we will complete */
6885 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6886 goto end;
6887
6888 /* SSL_key_update will succeed because there is no pending write data */
6889 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6890 || !TEST_int_eq(SSL_do_handshake(local), 1))
6891 goto end;
6892
6893 /*
6894 * we write some appdata in local
6895 * read data in peer - we will read the keyupdate msg
6896 */
6897 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6898 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6899 goto end;
6900
6901 /* Write more peer more data to ensure we send the keyupdate message back */
6902 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6903 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6904 goto end;
6905
6906 testresult = 1;
6907
6908 end:
6909 SSL_free(serverssl);
6910 SSL_free(clientssl);
6911 SSL_CTX_free(sctx);
6912 SSL_CTX_free(cctx);
6913 BIO_free(bretry);
6914 BIO_free(tmp);
6915
6916 return testresult;
6917}
6918
6919/*
6920 * Test we can handle a KeyUpdate (update requested) message while
6921 * local read data is pending(the msg header had been read 5 bytes).
6922 * Test 0: Client sends KeyUpdate while Client is reading
6923 * Test 1: Server sends KeyUpdate while Server is reading
6924 */
6925static int test_key_update_local_in_read(int tst)
6926{
6927 SSL_CTX *cctx = NULL, *sctx = NULL;
6928 SSL *clientssl = NULL, *serverssl = NULL;
6929 int testresult = 0;
6930 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6931 static char *mess = "A test message";
6932 BIO *lbio = NULL, *pbio = NULL;
6933 SSL *local = NULL, *peer = NULL;
6934
6935 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6936 TLS_client_method(),
6937 TLS1_3_VERSION,
6938 0,
6939 &sctx, &cctx, cert, privkey))
6940 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6941 NULL, NULL))
6942 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6943 SSL_ERROR_NONE)))
6944 goto end;
6945
6946 local = tst == 0 ? clientssl : serverssl;
6947 peer = tst == 0 ? serverssl : clientssl;
6948
6949 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6950 goto end;
6951
6952 SSL_set_bio(local, lbio, lbio);
6953 SSL_set_bio(peer, pbio, pbio);
6954
6955 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6956 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6957 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6958 goto end;
6959
6960 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6961 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6962 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6963 goto end;
6964
6965 /* SSL_do_handshake will send keyupdate msg */
6966 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6967 || !TEST_int_eq(SSL_do_handshake(local), 1))
6968 goto end;
6969
6970 /*
6971 * write data in peer previously that we will complete
6972 * read data in local previously that we will complete
6973 */
6974 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6975 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6976 goto end;
6977
6978 /*
6979 * write data in local
6980 * read data in peer - we will read the key update
6981 */
6982 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6983 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6984 goto end;
6985
6986 /* Write more peer data to ensure we send the keyupdate message back */
6987 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6988 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6989 goto end;
6990
6991 testresult = 1;
6992
6993 end:
6994 SSL_free(serverssl);
6995 SSL_free(clientssl);
6996 SSL_CTX_free(sctx);
6997 SSL_CTX_free(cctx);
6998
6999 return testresult;
7000}
a763ca11 7001#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 7002
e11b6aa4
MC		 7003static int test_ssl_clear(int idx)
7004{
7005 SSL_CTX *cctx = NULL, *sctx = NULL;
7006 SSL *clientssl = NULL, *serverssl = NULL;
7007 int testresult = 0;
7008
7009#ifdef OPENSSL_NO_TLS1_2
7010 if (idx == 1)
7011 return 1;
7012#endif
7013
7014 /* Create an initial connection */
5e30f2fd
MC		 7015 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7016 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 7017 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 7018 || (idx == 1
7019 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7020 TLS1_2_VERSION)))
7021 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7022 &clientssl, NULL, NULL))
7023 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7024 SSL_ERROR_NONE)))
7025 goto end;
7026
7027 SSL_shutdown(clientssl);
7028 SSL_shutdown(serverssl);
7029 SSL_free(serverssl);
7030 serverssl = NULL;
7031
7032 /* Clear clientssl - we're going to reuse the object */
7033 if (!TEST_true(SSL_clear(clientssl)))
7034 goto end;
7035
7036 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7037 NULL, NULL))
7038 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7039 SSL_ERROR_NONE))
7040 || !TEST_true(SSL_session_reused(clientssl)))
7041 goto end;
7042
7043 SSL_shutdown(clientssl);
7044 SSL_shutdown(serverssl);
7045
7046 testresult = 1;
7047
7048 end:
7049 SSL_free(serverssl);
7050 SSL_free(clientssl);
7051 SSL_CTX_free(sctx);
7052 SSL_CTX_free(cctx);
7053
7054 return testresult;
7055}
7056
cf72c757
F		 7057/* Parse CH and retrieve any MFL extension value if present */
7058static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7059{
7060 long len;
7061 unsigned char *data;
72962d02 7062 PACKET pkt, pkt2, pkt3;
cf72c757
F		 7063 unsigned int MFL_code = 0, type = 0;
7064
1287dabd 7065 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 7066 goto end;
7067
72962d02
P		 7068 memset(&pkt, 0, sizeof(pkt));
7069 memset(&pkt2, 0, sizeof(pkt2));
7070 memset(&pkt3, 0, sizeof(pkt3));
7071
9ba18520 7072 if (!TEST_long_gt(len, 0)
1287dabd 7073 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 7074 /* Skip the record header */
7075 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7076 /* Skip the handshake message header */
7077 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7078 /* Skip client version and random */
7079 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7080 + SSL3_RANDOM_SIZE))
7081 /* Skip session id */
7082 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7083 /* Skip ciphers */
7084 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7085 /* Skip compression */
7086 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7087 /* Extensions len */
7088 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7089 goto end;
7090
7091 /* Loop through all extensions */
7092 while (PACKET_remaining(&pkt2)) {
7093 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7094 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7095 goto end;
7096
7097 if (type == TLSEXT_TYPE_max_fragment_length) {
7098 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7099 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7100 goto end;
7101
7102 *mfl_codemfl_code = MFL_code;
7103 return 1;
7104 }
7105 }
7106
7107 end:
7108 return 0;
7109}
7110
7111/* Maximum-Fragment-Length TLS extension mode to test */
7112static const unsigned char max_fragment_len_test[] = {
7113 TLSEXT_max_fragment_length_512,
7114 TLSEXT_max_fragment_length_1024,
7115 TLSEXT_max_fragment_length_2048,
7116 TLSEXT_max_fragment_length_4096
7117};
7118
7119static int test_max_fragment_len_ext(int idx_tst)
7120{
a763ca11 7121 SSL_CTX *ctx = NULL;
cf72c757
F		 7122 SSL *con = NULL;
7123 int testresult = 0, MFL_mode = 0;
7124 BIO *rbio, *wbio;
7125
a763ca11
MC		 7126 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7127 TLS1_VERSION, 0, NULL, &ctx, NULL,
7128 NULL)))
7129 return 0;
cf72c757
F		 7130
7131 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7132 ctx, max_fragment_len_test[idx_tst])))
7133 goto end;
7134
7135 con = SSL_new(ctx);
7136 if (!TEST_ptr(con))
7137 goto end;
7138
7139 rbio = BIO_new(BIO_s_mem());
7140 wbio = BIO_new(BIO_s_mem());
7141 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7142 BIO_free(rbio);
7143 BIO_free(wbio);
7144 goto end;
7145 }
7146
7147 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 7148
7149 if (!TEST_int_le(SSL_connect(con), 0)) {
7150 /* This shouldn't succeed because we don't have a server! */
7151 goto end;
7152 }
7153
7154 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7155 /* no MFL in client hello */
7156 goto end;
7157 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7158 goto end;
7159
7160 testresult = 1;
7161
7162end:
7163 SSL_free(con);
7164 SSL_CTX_free(ctx);
7165
7166 return testresult;
7167}
7168
a763ca11 7169#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 7170static int test_pha_key_update(void)
7171{
7172 SSL_CTX *cctx = NULL, *sctx = NULL;
7173 SSL *clientssl = NULL, *serverssl = NULL;
7174 int testresult = 0;
7175
5e30f2fd
MC		 7176 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7177 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 7178 &sctx, &cctx, cert, privkey)))
7179 return 0;
7180
7181 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7182 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7183 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7184 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7185 goto end;
7186
e97be718 7187 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 7188
7189 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7190 NULL, NULL)))
7191 goto end;
7192
9d75dce3
TS		 7193 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7194 SSL_ERROR_NONE)))
7195 goto end;
7196
7197 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7198 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7199 goto end;
7200
7201 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7202 goto end;
7203
7204 /* Start handshake on the server */
7205 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7206 goto end;
7207
7208 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7209 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7210 SSL_ERROR_NONE)))
7211 goto end;
7212
7213 SSL_shutdown(clientssl);
7214 SSL_shutdown(serverssl);
7215
7216 testresult = 1;
7217
7218 end:
7219 SSL_free(serverssl);
7220 SSL_free(clientssl);
7221 SSL_CTX_free(sctx);
7222 SSL_CTX_free(cctx);
7223 return testresult;
7224}
7225#endif
7226
76fd7a1d
MC		 7227#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7228
7229static SRP_VBASE *vbase = NULL;
7230
7231static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7232{
7233 int ret = SSL3_AL_FATAL;
7234 char *username;
7235 SRP_user_pwd *user = NULL;
7236
7237 username = SSL_get_srp_username(s);
7238 if (username == NULL) {
7239 *ad = SSL_AD_INTERNAL_ERROR;
7240 goto err;
7241 }
7242
7243 user = SRP_VBASE_get1_by_user(vbase, username);
7244 if (user == NULL) {
7245 *ad = SSL_AD_INTERNAL_ERROR;
7246 goto err;
7247 }
7248
7249 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7250 user->info) <= 0) {
7251 *ad = SSL_AD_INTERNAL_ERROR;
7252 goto err;
7253 }
7254
7255 ret = 0;
7256
7257 err:
7258 SRP_user_pwd_free(user);
7259 return ret;
7260}
7261
7262static int create_new_vfile(char *userid, char *password, const char *filename)
7263{
7264 char *gNid = NULL;
7265 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7266 TXT_DB *db = NULL;
7267 int ret = 0;
7268 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7269 size_t i;
7270
7271 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7272 goto end;
7273
20c00d0a 7274 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 7275 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 7276 if (!TEST_ptr(gNid))
7277 goto end;
7278
7279 /*
7280 * The only way to create an empty TXT_DB is to provide a BIO with no data
7281 * in it!
7282 */
7283 db = TXT_DB_read(dummy, DB_NUMBER);
7284 if (!TEST_ptr(db))
7285 goto end;
7286
7287 out = BIO_new_file(filename, "w");
7288 if (!TEST_ptr(out))
7289 goto end;
7290
7291 row[DB_srpid] = OPENSSL_strdup(userid);
7292 row[DB_srptype] = OPENSSL_strdup("V");
7293 row[DB_srpgN] = OPENSSL_strdup(gNid);
7294
7295 if (!TEST_ptr(row[DB_srpid])
7296 || !TEST_ptr(row[DB_srptype])
7297 || !TEST_ptr(row[DB_srpgN])
7298 || !TEST_true(TXT_DB_insert(db, row)))
7299 goto end;
7300
7301 row = NULL;
7302
aba9943f 7303 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 7304 goto end;
7305
7306 ret = 1;
7307 end:
7308 if (row != NULL) {
7309 for (i = 0; i < DB_NUMBER; i++)
7310 OPENSSL_free(row[i]);
7311 }
7312 OPENSSL_free(row);
7313 BIO_free(dummy);
7314 BIO_free(out);
7315 TXT_DB_free(db);
7316
7317 return ret;
7318}
7319
7320static int create_new_vbase(char *userid, char *password)
7321{
7322 BIGNUM *verifier = NULL, *salt = NULL;
7323 const SRP_gN *lgN = NULL;
7324 SRP_user_pwd *user_pwd = NULL;
7325 int ret = 0;
7326
7327 lgN = SRP_get_default_gN(NULL);
7328 if (!TEST_ptr(lgN))
7329 goto end;
7330
20c00d0a 7331 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 7332 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 7333 goto end;
7334
7335 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7336 if (!TEST_ptr(user_pwd))
7337 goto end;
7338
7339 user_pwd->N = lgN->N;
7340 user_pwd->g = lgN->g;
7341 user_pwd->id = OPENSSL_strdup(userid);
7342 if (!TEST_ptr(user_pwd->id))
7343 goto end;
7344
7345 user_pwd->v = verifier;
7346 user_pwd->s = salt;
7347 verifier = salt = NULL;
7348
7349 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7350 goto end;
7351 user_pwd = NULL;
7352
7353 ret = 1;
7354end:
7355 SRP_user_pwd_free(user_pwd);
7356 BN_free(salt);
7357 BN_free(verifier);
7358
7359 return ret;
7360}
7361
7362/*
7363 * SRP tests
7364 *
7365 * Test 0: Simple successful SRP connection, new vbase
7366 * Test 1: Connection failure due to bad password, new vbase
7367 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7368 * Test 3: Connection failure due to bad password, vbase loaded from existing
7369 * file
7370 * Test 4: Simple successful SRP connection, vbase loaded from new file
7371 * Test 5: Connection failure due to bad password, vbase loaded from new file
7372 */
7373static int test_srp(int tst)
7374{
7375 char *userid = "test", *password = "password", *tstsrpfile;
7376 SSL_CTX *cctx = NULL, *sctx = NULL;
7377 SSL *clientssl = NULL, *serverssl = NULL;
7378 int ret, testresult = 0;
7379
7380 vbase = SRP_VBASE_new(NULL);
7381 if (!TEST_ptr(vbase))
7382 goto end;
7383
7384 if (tst == 0 || tst == 1) {
7385 if (!TEST_true(create_new_vbase(userid, password)))
7386 goto end;
7387 } else {
7388 if (tst == 4 || tst == 5) {
7389 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7390 goto end;
7391 tstsrpfile = tmpfilename;
7392 } else {
7393 tstsrpfile = srpvfile;
7394 }
7395 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7396 goto end;
7397 }
7398
5e30f2fd
MC		 7399 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7400 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7401 &sctx, &cctx, cert, privkey)))
7402 goto end;
7403
7404 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7405 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7406 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7407 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7408 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7409 goto end;
7410
7411 if (tst % 2 == 1) {
7412 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7413 goto end;
7414 } else {
7415 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7416 goto end;
7417 }
7418
7419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7420 NULL, NULL)))
7421 goto end;
7422
7423 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7424 if (ret) {
7425 if (!TEST_true(tst % 2 == 0))
7426 goto end;
7427 } else {
7428 if (!TEST_true(tst % 2 == 1))
7429 goto end;
7430 }
7431
7432 testresult = 1;
7433
7434 end:
7435 SRP_VBASE_free(vbase);
7436 vbase = NULL;
7437 SSL_free(serverssl);
7438 SSL_free(clientssl);
7439 SSL_CTX_free(sctx);
7440 SSL_CTX_free(cctx);
7441
7442 return testresult;
7443}
7444#endif
7445
5718fe45
MC		 7446static int info_cb_failed = 0;
7447static int info_cb_offset = 0;
7448static int info_cb_this_state = -1;
7449
7450static struct info_cb_states_st {
7451 int where;
7452 const char *statestr;
7453} info_cb_states[][60] = {
7454 {
7455 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7456 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7457 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7458 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7459 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7460 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7461 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7462 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7463 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7464 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7465 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7466 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7467 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7468 {SSL_CB_EXIT, NULL}, {0, NULL},
7469 }, {
7470 /* TLSv1.2 client followed by resumption */
e0f69c35 7471 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7472 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7473 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7474 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7475 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7476 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7477 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7478 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7479 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7480 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7481 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7482 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7483 }, {
7484 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7485 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7486 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7487 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7488 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7489 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7490 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7491 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7492 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7493 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7494 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7495 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7496 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7497 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7498 }, {
7499 /* TLSv1.3 client followed by resumption */
e0f69c35 7500 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7501 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7502 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7503 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7504 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7505 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7506 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7507 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7508 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7509 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7510 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7511 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7512 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7513 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7514 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7515 }, {
7516 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7517 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7518 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7519 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7520 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7521 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7522 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7523 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7524 {SSL_CB_EXIT, NULL}, {0, NULL},
7525 }, {
7526 /* TLSv1.3 client, early_data */
e0f69c35 7527 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7528 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7529 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7530 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7531 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7532 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7533 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7534 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7535 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7536 }, {
7537 /* TLSv1.3 server, certificate compression, followed by resumption */
7538 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7539 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7540 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7541 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7542 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7543 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7544 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7545 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7546 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7547 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7548 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7549 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7550 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7551 }, {
7552 /* TLSv1.3 client, certificate compression, followed by resumption */
7553 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7554 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7555 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7556 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7557 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7558 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7559 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7560 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7561 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7562 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7563 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7564 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7565 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7566 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7567 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7568 }, {
7569 {0, NULL},
7570 }
7571};
7572
7573static void sslapi_info_callback(const SSL *s, int where, int ret)
7574{
7575 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7576
7577 /* We do not ever expect a connection to fail in this test */
7578 if (!TEST_false(ret == 0)) {
7579 info_cb_failed = 1;
7580 return;
7581 }
7582
7583 /*
7584 * Do some sanity checks. We never expect these things to happen in this
7585 * test
7586 */
7587 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7588 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7589 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7590 info_cb_failed = 1;
7591 return;
7592 }
7593
7594 /* Now check we're in the right state */
7595 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7596 info_cb_failed = 1;
7597 return;
7598 }
7599 if ((where & SSL_CB_LOOP) != 0
7600 && !TEST_int_eq(strcmp(SSL_state_string(s),
7601 state[info_cb_this_state].statestr), 0)) {
7602 info_cb_failed = 1;
7603 return;
7604 }
033c181b 7605
4af5836b
MC		 7606 /*
7607 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7608 */
7609 if ((where & SSL_CB_HANDSHAKE_DONE)
7610 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7611 info_cb_failed = 1;
7612 return;
7613 }
5718fe45
MC		 7614}
7615
7616/*
7617 * Test the info callback gets called when we expect it to.
7618 *
7619 * Test 0: TLSv1.2, server
7620 * Test 1: TLSv1.2, client
7621 * Test 2: TLSv1.3, server
7622 * Test 3: TLSv1.3, client
7623 * Test 4: TLSv1.3, server, early_data
7624 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7625 * Test 6: TLSv1.3, server, compressed certificate
7626 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7627 */
7628static int test_info_callback(int tst)
7629{
7630 SSL_CTX *cctx = NULL, *sctx = NULL;
7631 SSL *clientssl = NULL, *serverssl = NULL;
7632 SSL_SESSION *clntsess = NULL;
7633 int testresult = 0;
7634 int tlsvers;
7635
7636 if (tst < 2) {
1aac20f5
MC		 7637/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7638#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7639 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7640 tlsvers = TLS1_2_VERSION;
7641#else
7642 return 1;
7643#endif
7644 } else {
a763ca11 7645#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7646 tlsvers = TLS1_3_VERSION;
7647#else
7648 return 1;
7649#endif
7650 }
7651
7652 /* Reset globals */
7653 info_cb_failed = 0;
7654 info_cb_this_state = -1;
7655 info_cb_offset = tst;
7656
a763ca11 7657#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7658 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7659 SSL_SESSION *sess = NULL;
7660 size_t written, readbytes;
7661 unsigned char buf[80];
7662
7663 /* early_data tests */
7664 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 7665 &serverssl, &sess, 0,
7666 SHA384_DIGEST_LENGTH)))
5718fe45
MC		 7667 goto end;
7668
7669 /* We don't actually need this reference */
7670 SSL_SESSION_free(sess);
7671
7672 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7673 sslapi_info_callback);
7674
7675 /* Write and read some early data and then complete the connection */
7676 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7677 &written))
7678 || !TEST_size_t_eq(written, strlen(MSG1))
7679 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7680 sizeof(buf), &readbytes),
7681 SSL_READ_EARLY_DATA_SUCCESS)
7682 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7683 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7684 SSL_EARLY_DATA_ACCEPTED)
7685 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7686 SSL_ERROR_NONE))
7687 || !TEST_false(info_cb_failed))
7688 goto end;
7689
7690 testresult = 1;
7691 goto end;
7692 }
6e07834c 7693#endif
5718fe45 7694
5e30f2fd 7695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7696 TLS_client_method(),
7697 tlsvers, tlsvers, &sctx, &cctx, cert,
7698 privkey)))
7699 goto end;
7700
33c39a06
MC		 7701 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7702 goto end;
7703
5718fe45
MC		 7704 /*
7705 * For even numbered tests we check the server callbacks. For odd numbers we
7706 * check the client.
7707 */
7708 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7709 sslapi_info_callback);
b67cb09f
TS		 7710 if (tst >= 6) {
7711 if (!SSL_CTX_compress_certs(sctx, 0))
7712 goto end;
7713 }
5718fe45
MC		 7714
7715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7716 &clientssl, NULL, NULL))
7717 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7718 SSL_ERROR_NONE))
7719 || !TEST_false(info_cb_failed))
7720 goto end;
7721
7722
7723
7724 clntsess = SSL_get1_session(clientssl);
7725 SSL_shutdown(clientssl);
7726 SSL_shutdown(serverssl);
7727 SSL_free(serverssl);
7728 SSL_free(clientssl);
7729 serverssl = clientssl = NULL;
7730
7731 /* Now do a resumption */
7732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7733 NULL))
7734 || !TEST_true(SSL_set_session(clientssl, clntsess))
7735 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7736 SSL_ERROR_NONE))
7737 || !TEST_true(SSL_session_reused(clientssl))
7738 || !TEST_false(info_cb_failed))
7739 goto end;
7740
7741 testresult = 1;
7742
7743 end:
7744 SSL_free(serverssl);
7745 SSL_free(clientssl);
7746 SSL_SESSION_free(clntsess);
7747 SSL_CTX_free(sctx);
7748 SSL_CTX_free(cctx);
7749 return testresult;
7750}
7751
4a432af8
MC		 7752static int test_ssl_pending(int tst)
7753{
7754 SSL_CTX *cctx = NULL, *sctx = NULL;
7755 SSL *clientssl = NULL, *serverssl = NULL;
7756 int testresult = 0;
7757 char msg[] = "A test message";
7758 char buf[5];
7759 size_t written, readbytes;
7760
7761 if (tst == 0) {
5e30f2fd 7762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7763 TLS_client_method(),
5c587fb6 7764 TLS1_VERSION, 0,
4a432af8
MC		 7765 &sctx, &cctx, cert, privkey)))
7766 goto end;
7767 } else {
7768#ifndef OPENSSL_NO_DTLS
5e30f2fd 7769 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7770 DTLS_client_method(),
5c587fb6 7771 DTLS1_VERSION, 0,
4a432af8
MC		 7772 &sctx, &cctx, cert, privkey)))
7773 goto end;
8ce390e1
MC		 7774
7775# ifdef OPENSSL_NO_DTLS1_2
7776 /* Not supported in the FIPS provider */
7777 if (is_fips) {
7778 testresult = 1;
7779 goto end;
7780 };
7781 /*
7782 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7783 * level 0
7784 */
7785 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7786 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7787 "DEFAULT:@SECLEVEL=0")))
7788 goto end;
7789# endif
4a432af8
MC		 7790#else
7791 return 1;
7792#endif
7793 }
7794
7795 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7796 NULL, NULL))
7797 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7798 SSL_ERROR_NONE)))
7799 goto end;
7800
e8251092
MC		 7801 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7802 || !TEST_false(SSL_has_pending(clientssl))
7803 || !TEST_int_eq(SSL_pending(serverssl), 0)
7804 || !TEST_false(SSL_has_pending(serverssl))
7805 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7806 || !TEST_size_t_eq(written, sizeof(msg))
7807 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7808 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7809 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7810 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7811 goto end;
7812
7813 testresult = 1;
7814
7815 end:
7816 SSL_free(serverssl);
7817 SSL_free(clientssl);
7818 SSL_CTX_free(sctx);
7819 SSL_CTX_free(cctx);
7820
7821 return testresult;
7822}
7823
e401389a
MC		 7824static struct {
7825 unsigned int maxprot;
7826 const char *clntciphers;
7827 const char *clnttls13ciphers;
7828 const char *srvrciphers;
7829 const char *srvrtls13ciphers;
7830 const char *shared;
a96e6c34 7831 const char *fipsshared;
e401389a 7832} shared_ciphers_data[] = {
60155b9a
MC		 7833/*
7834 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7835 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7836 */
a763ca11 7837#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7838 {
7839 TLS1_2_VERSION,
7840 "AES128-SHA:AES256-SHA",
7841 NULL,
7842 "AES256-SHA:DHE-RSA-AES128-SHA",
7843 NULL,
a96e6c34 7844 "AES256-SHA",
e401389a
MC		 7845 "AES256-SHA"
7846 },
a96e6c34
MC		 7847# if !defined(OPENSSL_NO_CHACHA) \
7848 && !defined(OPENSSL_NO_POLY1305) \
7849 && !defined(OPENSSL_NO_EC)
7850 {
7851 TLS1_2_VERSION,
7852 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7853 NULL,
7854 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7855 NULL,
7856 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7857 "AES128-SHA"
7858 },
7859# endif
e401389a
MC		 7860 {
7861 TLS1_2_VERSION,
7862 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7863 NULL,
7864 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7865 NULL,
a96e6c34 7866 "AES128-SHA:AES256-SHA",
e401389a
MC		 7867 "AES128-SHA:AES256-SHA"
7868 },
7869 {
7870 TLS1_2_VERSION,
7871 "AES128-SHA:AES256-SHA",
7872 NULL,
7873 "AES128-SHA:DHE-RSA-AES128-SHA",
7874 NULL,
a96e6c34 7875 "AES128-SHA",
e401389a
MC		 7876 "AES128-SHA"
7877 },
60155b9a
MC		 7878#endif
7879/*
7880 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7881 * enabled.
7882 */
a763ca11 7883#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7884 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7885 {
7886 TLS1_3_VERSION,
7887 "AES128-SHA:AES256-SHA",
7888 NULL,
7889 "AES256-SHA:AES128-SHA256",
7890 NULL,
7891 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7892 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7893 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7894 },
60155b9a 7895#endif
a763ca11 7896#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7897 {
7898 TLS1_3_VERSION,
7899 "AES128-SHA",
7900 "TLS_AES_256_GCM_SHA384",
7901 "AES256-SHA",
7902 "TLS_AES_256_GCM_SHA384",
a96e6c34 7903 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7904 "TLS_AES_256_GCM_SHA384"
7905 },
7906#endif
7907};
7908
a96e6c34 7909static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7910{
7911 SSL_CTX *cctx = NULL, *sctx = NULL;
7912 SSL *clientssl = NULL, *serverssl = NULL;
7913 int testresult = 0;
7914 char buf[1024];
b4250010 7915 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7916
7917 if (!TEST_ptr(tmplibctx))
7918 goto end;
7919
7920 /*
7921 * Regardless of whether we're testing with the FIPS provider loaded into
7922 * libctx, we want one peer to always use the full set of ciphersuites
7923 * available. Therefore we use a separate libctx with the default provider
7924 * loaded into it. We run the same tests twice - once with the client side
7925 * having the full set of ciphersuites and once with the server side.
7926 */
7927 if (clnt) {
d8652be0 7928 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7929 if (!TEST_ptr(cctx))
7930 goto end;
7931 } else {
d8652be0 7932 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7933 if (!TEST_ptr(sctx))
7934 goto end;
7935 }
e401389a 7936
5e30f2fd 7937 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7938 TLS_client_method(),
7939 TLS1_VERSION,
7940 shared_ciphers_data[tst].maxprot,
7941 &sctx, &cctx, cert, privkey)))
7942 goto end;
7943
7944 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7945 shared_ciphers_data[tst].clntciphers))
7946 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7947 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7948 shared_ciphers_data[tst].clnttls13ciphers)))
7949 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7950 shared_ciphers_data[tst].srvrciphers))
7951 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7952 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7953 shared_ciphers_data[tst].srvrtls13ciphers))))
7954 goto end;
7955
7956
7957 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7958 NULL, NULL))
7959 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7960 SSL_ERROR_NONE)))
7961 goto end;
7962
7963 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7964 || !TEST_int_eq(strcmp(buf,
7965 is_fips
7966 ? shared_ciphers_data[tst].fipsshared
7967 : shared_ciphers_data[tst].shared),
7968 0)) {
e401389a
MC		 7969 TEST_info("Shared ciphers are: %s\n", buf);
7970 goto end;
7971 }
7972
7973 testresult = 1;
7974
7975 end:
7976 SSL_free(serverssl);
7977 SSL_free(clientssl);
7978 SSL_CTX_free(sctx);
7979 SSL_CTX_free(cctx);
b4250010 7980 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7981
7982 return testresult;
7983}
7984
a96e6c34
MC		 7985static int test_ssl_get_shared_ciphers(int tst)
7986{
7987 return int_test_ssl_get_shared_ciphers(tst, 0)
7988 && int_test_ssl_get_shared_ciphers(tst, 1);
7989}
7990
7991
d0191fe0 7992static const char *appdata = "Hello World";
61fb5923
MC		 7993static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7994static int tick_key_renew = 0;
7995static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7996
7997static int gen_tick_cb(SSL *s, void *arg)
7998{
7999 gen_tick_called = 1;
8000
8001 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8002 strlen(appdata));
8003}
8004
8005static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8006 const unsigned char *keyname,
8007 size_t keyname_length,
61fb5923
MC		 8008 SSL_TICKET_STATUS status,
8009 void *arg)
d0191fe0
MC		 8010{
8011 void *tickdata;
8012 size_t tickdlen;
8013
8014 dec_tick_called = 1;
8015
61fb5923
MC		 8016 if (status == SSL_TICKET_EMPTY)
8017 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 8018
61fb5923
MC		 8019 if (!TEST_true(status == SSL_TICKET_SUCCESS
8020 || status == SSL_TICKET_SUCCESS_RENEW))
8021 return SSL_TICKET_RETURN_ABORT;
8022
8023 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8024 &tickdlen))
d0191fe0
MC		 8025 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8026 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 8027 return SSL_TICKET_RETURN_ABORT;
d0191fe0 8028
61fb5923
MC		 8029 if (tick_key_cb_called) {
8030 /* Don't change what the ticket key callback wanted to do */
8031 switch (status) {
8032 case SSL_TICKET_NO_DECRYPT:
8033 return SSL_TICKET_RETURN_IGNORE_RENEW;
8034
8035 case SSL_TICKET_SUCCESS:
8036 return SSL_TICKET_RETURN_USE;
d0191fe0 8037
61fb5923
MC		 8038 case SSL_TICKET_SUCCESS_RENEW:
8039 return SSL_TICKET_RETURN_USE_RENEW;
8040
8041 default:
8042 return SSL_TICKET_RETURN_ABORT;
8043 }
8044 }
8045 return tick_dec_ret;
8046
8047}
d0191fe0 8048
a76ce286 8049#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 8050static int tick_key_cb(SSL *s, unsigned char key_name[16],
8051 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8052 HMAC_CTX *hctx, int enc)
8053{
8054 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8055 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 8056 EVP_CIPHER *aes128cbc;
8057 EVP_MD *sha256;
5e30f2fd 8058 int ret;
d0191fe0 8059
61fb5923 8060 tick_key_cb_called = 1;
3b7a3241
MC		 8061
8062 if (tick_key_renew == -1)
8063 return 0;
8064
8065 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8066 if (!TEST_ptr(aes128cbc))
8067 return 0;
8068 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8069 if (!TEST_ptr(sha256)) {
8070 EVP_CIPHER_free(aes128cbc);
8071 return 0;
8072 }
8073
d0191fe0
MC		 8074 memset(iv, 0, AES_BLOCK_SIZE);
8075 memset(key_name, 0, 16);
5e30f2fd
MC		 8076 if (aes128cbc == NULL
8077 || sha256 == NULL
8078 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8079 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8080 NULL))
8081 ret = -1;
8082 else
8083 ret = tick_key_renew ? 2 : 1;
d0191fe0 8084
5e30f2fd
MC		 8085 EVP_CIPHER_free(aes128cbc);
8086 EVP_MD_free(sha256);
8087
8088 return ret;
d0191fe0 8089}
a76ce286
P		 8090#endif
8091
8092static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8093 unsigned char iv[EVP_MAX_IV_LENGTH],
8094 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8095{
8096 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8097 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 8098 OSSL_PARAM params[2];
3b7a3241 8099 EVP_CIPHER *aes128cbc;
5e30f2fd 8100 int ret;
a76ce286
P		 8101
8102 tick_key_cb_called = 1;
3b7a3241
MC		 8103
8104 if (tick_key_renew == -1)
8105 return 0;
8106
8107 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8108 if (!TEST_ptr(aes128cbc))
8109 return 0;
8110
a76ce286
P		 8111 memset(iv, 0, AES_BLOCK_SIZE);
8112 memset(key_name, 0, 16);
8113 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8114 "SHA256", 0);
77e4ae58 8115 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 8116 if (aes128cbc == NULL
8117 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 8118 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8119 params))
5e30f2fd
MC		 8120 ret = -1;
8121 else
8122 ret = tick_key_renew ? 2 : 1;
8123
8124 EVP_CIPHER_free(aes128cbc);
a76ce286 8125
5e30f2fd 8126 return ret;
a76ce286 8127}
d0191fe0
MC		 8128
8129/*
8130 * Test the various ticket callbacks
61fb5923
MC		 8131 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8132 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8133 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8134 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8135 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8136 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8137 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8138 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 8139 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8140 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8141 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8142 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 8143 * Test 12: TLSv1.2, old ticket key callback, no ticket
8144 * Test 13: TLSv1.3, old ticket key callback, no ticket
8145 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8146 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8147 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8148 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8149 * Test 18: TLSv1.2, ticket key callback, no ticket
8150 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 8151 */
8152static int test_ticket_callbacks(int tst)
8153{
8154 SSL_CTX *cctx = NULL, *sctx = NULL;
8155 SSL *clientssl = NULL, *serverssl = NULL;
8156 SSL_SESSION *clntsess = NULL;
8157 int testresult = 0;
8158
8159#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 8160 if (tst % 2 == 0)
d0191fe0
MC		 8161 return 1;
8162#endif
a763ca11 8163#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 8164 if (tst % 2 == 1)
d0191fe0
MC		 8165 return 1;
8166#endif
a76ce286 8167#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 8168 if (tst >= 8 && tst <= 13)
a76ce286
P		 8169 return 1;
8170#endif
d0191fe0 8171
61fb5923 8172 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 8173
8174 /* Which tests the ticket key callback should request renewal for */
3c95ef22 8175
3b7a3241 8176 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 8177 tick_key_renew = 1;
3b7a3241
MC		 8178 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8179 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 8180 else
61fb5923
MC		 8181 tick_key_renew = 0;
8182
8183 /* Which tests the decrypt ticket callback should request renewal for */
8184 switch (tst) {
8185 case 0:
8186 case 1:
8187 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8188 break;
8189
8190 case 2:
8191 case 3:
8192 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8193 break;
8194
8195 case 4:
8196 case 5:
8197 tick_dec_ret = SSL_TICKET_RETURN_USE;
8198 break;
8199
8200 case 6:
8201 case 7:
8202 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8203 break;
8204
8205 default:
8206 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8207 }
d0191fe0 8208
5e30f2fd 8209 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 8210 TLS_client_method(),
8211 TLS1_VERSION,
61fb5923
MC		 8212 ((tst % 2) == 0) ? TLS1_2_VERSION
8213 : TLS1_3_VERSION,
d0191fe0
MC		 8214 &sctx, &cctx, cert, privkey)))
8215 goto end;
8216
61fb5923
MC		 8217 /*
8218 * We only want sessions to resume from tickets - not the session cache. So
8219 * switch the cache off.
8220 */
8221 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8222 goto end;
8223
d0191fe0
MC		 8224 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8225 NULL)))
8226 goto end;
8227
3b7a3241 8228 if (tst >= 14) {
a76ce286
P		 8229 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8230 goto end;
8231#ifndef OPENSSL_NO_DEPRECATED_3_0
8232 } else if (tst >= 8) {
8233 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8234 goto end;
8235#endif
8236 }
d0191fe0
MC		 8237
8238 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8239 NULL, NULL))
8240 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8241 SSL_ERROR_NONE)))
8242 goto end;
8243
61fb5923
MC		 8244 /*
8245 * The decrypt ticket key callback in TLSv1.2 should be called even though
8246 * we have no ticket yet, because it gets called with a status of
8247 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8248 * actually send any ticket data). This does not happen in TLSv1.3 because
8249 * it is not valid to send empty ticket data in TLSv1.3.
8250 */
d0191fe0 8251 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 8252 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 8253 goto end;
8254
8255 gen_tick_called = dec_tick_called = 0;
8256
8257 clntsess = SSL_get1_session(clientssl);
8258 SSL_shutdown(clientssl);
8259 SSL_shutdown(serverssl);
8260 SSL_free(serverssl);
8261 SSL_free(clientssl);
8262 serverssl = clientssl = NULL;
8263
8264 /* Now do a resumption */
8265 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8266 NULL))
8267 || !TEST_true(SSL_set_session(clientssl, clntsess))
8268 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 8269 SSL_ERROR_NONE)))
d0191fe0
MC		 8270 goto end;
8271
61fb5923 8272 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 8273 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8274 || tick_key_renew == -1) {
61fb5923
MC		 8275 if (!TEST_false(SSL_session_reused(clientssl)))
8276 goto end;
8277 } else {
8278 if (!TEST_true(SSL_session_reused(clientssl)))
8279 goto end;
8280 }
8281
d0191fe0 8282 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 8283 (tick_key_renew
8284 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8285 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8286 ? 1 : 0)
3b7a3241
MC		 8287 /* There is no ticket to decrypt in tests 13 and 19 */
8288 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 8289 goto end;
8290
8291 testresult = 1;
8292
8293 end:
8294 SSL_SESSION_free(clntsess);
8295 SSL_free(serverssl);
8296 SSL_free(clientssl);
8297 SSL_CTX_free(sctx);
8298 SSL_CTX_free(cctx);
8299
8300 return testresult;
8301}
8302
e638112e
DB		 8303/*
8304 * Test incorrect shutdown.
8305 * Test 0: client does not shutdown properly,
8306 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8307 * server should get SSL_ERROR_SSL
8308 * Test 1: client does not shutdown properly,
8309 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8310 * server should get SSL_ERROR_ZERO_RETURN
8311 */
8312static int test_incorrect_shutdown(int tst)
8313{
8314 SSL_CTX *cctx = NULL, *sctx = NULL;
8315 SSL *clientssl = NULL, *serverssl = NULL;
8316 int testresult = 0;
8317 char buf[80];
8318 BIO *c2s;
8319
8320 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8321 TLS_client_method(), 0, 0,
8322 &sctx, &cctx, cert, privkey)))
8323 goto end;
8324
8325 if (tst == 1)
8326 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8327
8328 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8329 NULL, NULL)))
8330 goto end;
8331
8332 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8333 SSL_ERROR_NONE)))
8334 goto end;
8335
8336 c2s = SSL_get_rbio(serverssl);
8337 BIO_set_mem_eof_return(c2s, 0);
8338
8339 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8340 goto end;
8341
8342 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8343 goto end;
8344 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8345 goto end;
8346
8347 testresult = 1;
8348
8349 end:
8350 SSL_free(serverssl);
8351 SSL_free(clientssl);
8352 SSL_CTX_free(sctx);
8353 SSL_CTX_free(cctx);
8354
8355 return testresult;
8356}
8357
c748834f
MC		 8358/*
8359 * Test bi-directional shutdown.
8360 * Test 0: TLSv1.2
8361 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8362 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8363 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 8364 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8365 * sends key update, client reads it
57d7b988
MC		 8366 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8367 * sends CertificateRequest, client reads and ignores it
8368 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 8369 * doesn't read it
8370 */
8371static int test_shutdown(int tst)
8372{
8373 SSL_CTX *cctx = NULL, *sctx = NULL;
8374 SSL *clientssl = NULL, *serverssl = NULL;
8375 int testresult = 0;
8376 char msg[] = "A test message";
8377 char buf[80];
8378 size_t written, readbytes;
80eff008 8379 SSL_SESSION *sess;
c748834f
MC		 8380
8381#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8382 if (tst <= 1)
c748834f
MC		 8383 return 1;
8384#endif
a763ca11 8385#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8386 if (tst >= 2)
c748834f
MC		 8387 return 1;
8388#endif
8389
5e30f2fd 8390 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8391 TLS_client_method(),
8392 TLS1_VERSION,
8393 (tst <= 1) ? TLS1_2_VERSION
8394 : TLS1_3_VERSION,
57d7b988
MC		 8395 &sctx, &cctx, cert, privkey)))
8396 goto end;
8397
8398 if (tst == 5)
8399 SSL_CTX_set_post_handshake_auth(cctx, 1);
8400
8401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8402 NULL, NULL)))
8403 goto end;
8404
8405 if (tst == 3) {
8406 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8407 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8408 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8409 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8410 goto end;
8411 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8412 SSL_ERROR_NONE))
8413 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8414 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8415 goto end;
8416 }
8417
8418 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8419 goto end;
8420
8421 if (tst >= 4) {
8422 /*
8423 * Reading on the server after the client has sent close_notify should
8424 * fail and provide SSL_ERROR_ZERO_RETURN
8425 */
8426 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8427 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8428 SSL_ERROR_ZERO_RETURN)
8429 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8430 SSL_RECEIVED_SHUTDOWN)
8431 /*
8432 * Even though we're shutdown on receive we should still be
8433 * able to write.
8434 */
80eff008
KR		 8435 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8436 goto end;
57d7b988
MC		 8437 if (tst == 4
8438 && !TEST_true(SSL_key_update(serverssl,
8439 SSL_KEY_UPDATE_REQUESTED)))
8440 goto end;
8441 if (tst == 5) {
8442 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8443 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8444 goto end;
8445 }
8446 if ((tst == 4 || tst == 5)
8447 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8448 goto end;
8449 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8450 goto end;
57d7b988 8451 if (tst == 4 || tst == 5) {
80eff008 8452 /* Should still be able to read data from server */
c748834f 8453 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8454 &readbytes))
8455 || !TEST_size_t_eq(readbytes, sizeof(msg))
8456 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8457 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8458 &readbytes))
c748834f
MC		 8459 || !TEST_size_t_eq(readbytes, sizeof(msg))
8460 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8461 goto end;
8462 }
8463 }
8464
8465 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8466 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8467 goto end;
8468
8469 if (tst < 4) {
8470 /*
8471 * For these tests the client has sent close_notify but it has not yet
8472 * been received by the server. The server has not sent close_notify
8473 * yet.
8474 */
8475 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8476 /*
8477 * Writing on the server after sending close_notify shouldn't
8478 * be possible.
8479 */
8480 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8481 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8482 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8483 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8484 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8485 goto end;
57d7b988 8486 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8487 /*
8488 * In this test the client has sent close_notify and it has been
8489 * received by the server which has responded with a close_notify. The
358ffa05 8490 * client needs to read the close_notify sent by the server.
c748834f 8491 */
80eff008
KR		 8492 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8493 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8494 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8495 goto end;
358ffa05
MC		 8496 } else {
8497 /*
57d7b988 8498 * tst == 6
358ffa05
MC		 8499 *
8500 * The client has sent close_notify and is expecting a close_notify
8501 * back, but instead there is application data first. The shutdown
8502 * should fail with a fatal error.
8503 */
8504 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8505 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8506 goto end;
c748834f
MC		 8507 }
8508
8509 testresult = 1;
8510
8511 end:
8512 SSL_free(serverssl);
8513 SSL_free(clientssl);
8514 SSL_CTX_free(sctx);
8515 SSL_CTX_free(cctx);
8516
8517 return testresult;
8518}
8519
cbf965b4
MC		 8520/*
8521 * Test that sending close_notify alerts works correctly in the case of a
8522 * retryable write failure.
8523 */
8524static int test_async_shutdown(void)
8525{
8526 SSL_CTX *cctx = NULL, *sctx = NULL;
8527 SSL *clientssl = NULL, *serverssl = NULL;
8528 int testresult = 0;
8529 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8530
8531 if (!TEST_ptr(bretry))
8532 goto end;
8533
8534 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8535 TLS_client_method(),
8536 0, 0,
8537 &sctx, &cctx, cert, privkey)))
8538 goto end;
8539
8540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8541 NULL)))
8542 goto end;
8543
8544 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8545 goto end;
8546
8547 /* Close write side of clientssl */
8548 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8549 goto end;
8550
8551 tmp = SSL_get_wbio(serverssl);
8552 if (!TEST_true(BIO_up_ref(tmp))) {
8553 tmp = NULL;
8554 goto end;
8555 }
8556 SSL_set0_wbio(serverssl, bretry);
8557 bretry = NULL;
8558
8559 /* First server shutdown should fail because of a retrable write failure */
8560 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8561 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8562 goto end;
8563
8564 /* Second server shutdown should fail for the same reason */
8565 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8566 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8567 goto end;
8568
8569 SSL_set0_wbio(serverssl, tmp);
8570 tmp = NULL;
8571
8572 /* Third server shutdown should send close_notify */
8573 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8574 goto end;
8575
8576 /* Fourth server shutdown should read close_notify from client and finish */
8577 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8578 goto end;
8579
8580 /* Client should also successfully fully shutdown */
8581 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8582 goto end;
8583
8584 testresult = 1;
8585 end:
8586 SSL_free(serverssl);
8587 SSL_free(clientssl);
8588 SSL_CTX_free(sctx);
8589 SSL_CTX_free(cctx);
8590 BIO_free(bretry);
8591 BIO_free(tmp);
8592
8593 return testresult;
8594}
8595
a763ca11 8596#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8597static int cert_cb_cnt;
8598
8599static int cert_cb(SSL *s, void *arg)
8600{
8601 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8602 BIO *in = NULL;
8603 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8604 X509 *x509 = NULL, *rootx = NULL;
8605 STACK_OF(X509) *chain = NULL;
8606 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8607 int ret = 0;
cd6fe29f
MC		 8608
8609 if (cert_cb_cnt == 0) {
8610 /* Suspend the handshake */
8611 cert_cb_cnt++;
8612 return -1;
8613 } else if (cert_cb_cnt == 1) {
8614 /*
8615 * Update the SSL_CTX, set the certificate and private key and then
8616 * continue the handshake normally.
8617 */
8618 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8619 return 0;
8620
8621 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8622 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8623 SSL_FILETYPE_PEM))
8624 || !TEST_true(SSL_check_private_key(s)))
8625 return 0;
8626 cert_cb_cnt++;
8627 return 1;
7cb8fb07
BK		 8628 } else if (cert_cb_cnt == 3) {
8629 int rv;
1a2a3a42
MC		 8630
8631 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8632 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8633 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8634 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8635 goto out;
8636 chain = sk_X509_new_null();
8637 if (!TEST_ptr(chain))
8638 goto out;
7cb8fb07 8639 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8640 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8641 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8642 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8643 || !TEST_true(sk_X509_push(chain, rootx)))
8644 goto out;
8645 rootx = NULL;
8646 BIO_free(in);
8647 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8648 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8649 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8650 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8651 goto out;
8652 BIO_free(in);
8653 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8654 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8655 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8656 NULL, NULL,
8657 libctx, NULL)))
7cb8fb07 8658 goto out;
1a2a3a42 8659 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8660 /*
8661 * If the cert doesn't show as valid here (e.g., because we don't
8662 * have any shared sigalgs), then we will not set it, and there will
8663 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8664 * will cause tls_choose_sigalgs() to fail the connection.
8665 */
1a2a3a42
MC		 8666 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8667 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8668 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8669 goto out;
8670 }
1a2a3a42
MC		 8671
8672 ret = 1;
cd6fe29f
MC		 8673 }
8674
8675 /* Abort the handshake */
7cb8fb07 8676 out:
1a2a3a42
MC		 8677 OPENSSL_free(ecdsacert);
8678 OPENSSL_free(ecdsakey);
8679 OPENSSL_free(rootfile);
7cb8fb07
BK		 8680 BIO_free(in);
8681 EVP_PKEY_free(pkey);
8682 X509_free(x509);
1a2a3a42 8683 X509_free(rootx);
79b2a2f2 8684 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8685 return ret;
cd6fe29f
MC		 8686}
8687
8688/*
8689 * Test the certificate callback.
8690 * Test 0: Callback fails
8691 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8692 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8693 * Test 3: Success - Call SSL_check_chain from the callback
8694 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8695 * chain
8696 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8697 */
8698static int test_cert_cb_int(int prot, int tst)
8699{
8700 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8701 SSL *clientssl = NULL, *serverssl = NULL;
8702 int testresult = 0, ret;
8703
1a2a3a42
MC		 8704#ifdef OPENSSL_NO_EC
8705 /* We use an EC cert in these tests, so we skip in a no-ec build */
8706 if (tst >= 3)
8707 return 1;
8708#endif
8709
5e30f2fd 8710 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8711 TLS_client_method(),
8712 TLS1_VERSION,
8713 prot,
8714 &sctx, &cctx, NULL, NULL)))
8715 goto end;
8716
8717 if (tst == 0)
8718 cert_cb_cnt = -1;
1a2a3a42 8719 else if (tst >= 3)
7cb8fb07 8720 cert_cb_cnt = 3;
cd6fe29f
MC		 8721 else
8722 cert_cb_cnt = 0;
1a2a3a42 8723
b0317df2 8724 if (tst == 2) {
7e1eda48 8725 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8726 if (!TEST_ptr(snictx))
8727 goto end;
8728 }
8729
cd6fe29f
MC		 8730 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8731
8732 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8733 NULL, NULL)))
8734 goto end;
8735
1a2a3a42
MC		 8736 if (tst == 4) {
8737 /*
8738 * We cause SSL_check_chain() to fail by specifying sig_algs that
8739 * the chain doesn't meet (the root uses an RSA cert)
8740 */
8741 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8742 "ecdsa_secp256r1_sha256")))
8743 goto end;
8744 } else if (tst == 5) {
8745 /*
8746 * We cause SSL_check_chain() to fail by specifying sig_algs that
8747 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8748 */
8749 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8750 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8751 goto end;
8752 }
8753
cd6fe29f 8754 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8755 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8756 || (tst > 0
8757 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8758 goto end;
8759 }
8760
8761 testresult = 1;
8762
8763 end:
8764 SSL_free(serverssl);
8765 SSL_free(clientssl);
8766 SSL_CTX_free(sctx);
8767 SSL_CTX_free(cctx);
8768 SSL_CTX_free(snictx);
8769
8770 return testresult;
8771}
7f1d923a 8772#endif
cd6fe29f
MC		 8773
8774static int test_cert_cb(int tst)
8775{
8776 int testresult = 1;
8777
8778#ifndef OPENSSL_NO_TLS1_2
8779 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8780#endif
a763ca11 8781#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8782 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8783#endif
8784
8785 return testresult;
8786}
8787
6e46c065
MC		 8788static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8789{
8c2bfd25 8790 X509 *xcert;
6e46c065
MC		 8791 EVP_PKEY *privpkey;
8792 BIO *in = NULL;
6725682d 8793 BIO *priv_in = NULL;
6e46c065 8794
8c2bfd25
TS		 8795 /* Check that SSL_get0_peer_certificate() returns something sensible */
8796 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8797 return 0;
6e46c065
MC		 8798
8799 in = BIO_new_file(cert, "r");
8800 if (!TEST_ptr(in))
8801 return 0;
8802
d8652be0 8803 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8804 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8805 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8806 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8807 NULL, NULL,
8808 libctx, NULL)))
6725682d 8809 goto err;
6e46c065
MC		 8810
8811 *x509 = xcert;
8812 *pkey = privpkey;
8813
6725682d
SL		 8814 BIO_free(in);
8815 BIO_free(priv_in);
6e46c065 8816 return 1;
6725682d
SL		 8817err:
8818 X509_free(xcert);
8819 BIO_free(in);
8820 BIO_free(priv_in);
8821 return 0;
6e46c065
MC		 8822}
8823
6e46c065
MC		 8824static int test_client_cert_cb(int tst)
8825{
8826 SSL_CTX *cctx = NULL, *sctx = NULL;
8827 SSL *clientssl = NULL, *serverssl = NULL;
8828 int testresult = 0;
8829
8830#ifdef OPENSSL_NO_TLS1_2
8831 if (tst == 0)
8832 return 1;
8833#endif
a763ca11 8834#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8835 if (tst == 1)
8836 return 1;
8837#endif
8838
5e30f2fd 8839 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8840 TLS_client_method(),
8841 TLS1_VERSION,
8842 tst == 0 ? TLS1_2_VERSION
8843 : TLS1_3_VERSION,
8844 &sctx, &cctx, cert, privkey)))
8845 goto end;
8846
8847 /*
8848 * Test that setting a client_cert_cb results in a client certificate being
8849 * sent.
8850 */
8851 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8852 SSL_CTX_set_verify(sctx,
8853 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8854 verify_cb);
fb8c8359
MC		 8855
8856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8857 NULL, NULL))
8858 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8859 SSL_ERROR_NONE)))
8860 goto end;
8861
8862 testresult = 1;
8863
8864 end:
8865 SSL_free(serverssl);
8866 SSL_free(clientssl);
8867 SSL_CTX_free(sctx);
8868 SSL_CTX_free(cctx);
8869
8870 return testresult;
8871}
8872
a763ca11 8873#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8874/*
8875 * Test setting certificate authorities on both client and server.
8876 *
8877 * Test 0: SSL_CTX_set0_CA_list() only
8878 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8879 * Test 2: Only SSL_CTX_set_client_CA_list()
8880 */
8881static int test_ca_names_int(int prot, int tst)
8882{
8883 SSL_CTX *cctx = NULL, *sctx = NULL;
8884 SSL *clientssl = NULL, *serverssl = NULL;
8885 int testresult = 0;
8886 size_t i;
8887 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8888 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8889 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8890 const STACK_OF(X509_NAME) *sktmp = NULL;
8891
8892 for (i = 0; i < OSSL_NELEM(name); i++) {
8893 name[i] = X509_NAME_new();
8894 if (!TEST_ptr(name[i])
8895 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8896 MBSTRING_ASC,
8897 (unsigned char *)
8898 strnames[i],
8899 -1, -1, 0)))
8900 goto end;
8901 }
8902
5e30f2fd 8903 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8904 TLS_client_method(),
8905 TLS1_VERSION,
8906 prot,
8907 &sctx, &cctx, cert, privkey)))
8908 goto end;
8909
8910 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8911
8912 if (tst == 0 || tst == 1) {
8913 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8914 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8915 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8916 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8917 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8918 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8919 goto end;
8920
8921 SSL_CTX_set0_CA_list(sctx, sk1);
8922 SSL_CTX_set0_CA_list(cctx, sk2);
8923 sk1 = sk2 = NULL;
8924 }
8925 if (tst == 1 || tst == 2) {
8926 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8927 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8928 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8929 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8930 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8931 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8932 goto end;
8933
8934 SSL_CTX_set_client_CA_list(sctx, sk1);
8935 SSL_CTX_set_client_CA_list(cctx, sk2);
8936 sk1 = sk2 = NULL;
8937 }
8938
6e46c065
MC		 8939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8940 NULL, NULL))
8941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8942 SSL_ERROR_NONE)))
8943 goto end;
8944
fb8c8359
MC		 8945 /*
8946 * We only expect certificate authorities to have been sent to the server
8947 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8948 */
8949 sktmp = SSL_get0_peer_CA_list(serverssl);
8950 if (prot == TLS1_3_VERSION
8951 && (tst == 0 || tst == 1)) {
8952 if (!TEST_ptr(sktmp)
8953 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8954 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8955 name[0]), 0)
8956 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8957 name[1]), 0))
8958 goto end;
8959 } else if (!TEST_ptr_null(sktmp)) {
8960 goto end;
8961 }
8962
8963 /*
8964 * In all tests we expect certificate authorities to have been sent to the
8965 * client. However, SSL_set_client_CA_list() should override
8966 * SSL_set0_CA_list()
8967 */
8968 sktmp = SSL_get0_peer_CA_list(clientssl);
8969 if (!TEST_ptr(sktmp)
8970 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8971 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8972 name[tst == 0 ? 0 : 2]), 0)
8973 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8974 name[tst == 0 ? 1 : 3]), 0))
8975 goto end;
8976
6e46c065
MC		 8977 testresult = 1;
8978
8979 end:
8980 SSL_free(serverssl);
8981 SSL_free(clientssl);
8982 SSL_CTX_free(sctx);
8983 SSL_CTX_free(cctx);
fb8c8359
MC		 8984 for (i = 0; i < OSSL_NELEM(name); i++)
8985 X509_NAME_free(name[i]);
8986 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8987 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8988
8989 return testresult;
8990}
8991#endif
8992
8993static int test_ca_names(int tst)
8994{
8995 int testresult = 1;
8996
8997#ifndef OPENSSL_NO_TLS1_2
8998 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8999#endif
a763ca11 9000#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 9001 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9002#endif
6e46c065
MC		 9003
9004 return testresult;
9005}
9006
0d2bfe52
SL		 9007#ifndef OPENSSL_NO_TLS1_2
9008static const char *multiblock_cipherlist_data[]=
9009{
9010 "AES128-SHA",
9011 "AES128-SHA256",
9012 "AES256-SHA",
9013 "AES256-SHA256",
9014};
9015
9016/* Reduce the fragment size - so the multiblock test buffer can be small */
9017# define MULTIBLOCK_FRAGSIZE 512
9018
9019static int test_multiblock_write(int test_index)
9020{
9021 static const char *fetchable_ciphers[]=
9022 {
9023 "AES-128-CBC-HMAC-SHA1",
9024 "AES-128-CBC-HMAC-SHA256",
9025 "AES-256-CBC-HMAC-SHA1",
9026 "AES-256-CBC-HMAC-SHA256"
9027 };
9028 const char *cipherlist = multiblock_cipherlist_data[test_index];
9029 const SSL_METHOD *smeth = TLS_server_method();
9030 const SSL_METHOD *cmeth = TLS_client_method();
9031 int min_version = TLS1_VERSION;
9032 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9033 SSL_CTX *cctx = NULL, *sctx = NULL;
9034 SSL *clientssl = NULL, *serverssl = NULL;
9035 int testresult = 0;
9036
9037 /*
9038 * Choose a buffer large enough to perform a multi-block operation
9039 * i.e: write_len >= 4 * frag_size
9040 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9041 */
9042 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9043 unsigned char buf[sizeof(msg)], *p = buf;
9044 size_t readbytes, written, len;
9045 EVP_CIPHER *ciph = NULL;
9046
9047 /*
9048 * Check if the cipher exists before attempting to use it since it only has
9049 * a hardware specific implementation.
9050 */
7c82a7a8 9051 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 9052 if (ciph == NULL) {
9053 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9054 return 1;
9055 }
9056 EVP_CIPHER_free(ciph);
9057
9058 /* Set up a buffer with some data that will be sent to the client */
9059 RAND_bytes(msg, sizeof(msg));
9060
5e30f2fd
MC		 9061 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9062 max_version, &sctx, &cctx, cert,
9063 privkey)))
0d2bfe52
SL		 9064 goto end;
9065
9066 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9067 goto end;
9068
9069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9070 NULL, NULL)))
9071 goto end;
9072
9073 /* settings to force it to use AES-CBC-HMAC_SHA */
9074 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9075 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9076 goto end;
9077
9078 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9079 goto end;
9080
9081 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9082 || !TEST_size_t_eq(written, sizeof(msg)))
9083 goto end;
9084
9085 len = written;
9086 while (len > 0) {
9087 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9088 goto end;
9089 p += readbytes;
9090 len -= readbytes;
9091 }
9092 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9093 goto end;
9094
9095 testresult = 1;
9096end:
9097 SSL_free(serverssl);
9098 SSL_free(clientssl);
9099 SSL_CTX_free(sctx);
9100 SSL_CTX_free(cctx);
9101
9102 return testresult;
9103}
9104#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 9105
25959e04
TS		 9106static int test_session_timeout(int test)
9107{
9108 /*
9109 * Test session ordering and timeout
9110 * Can't explicitly test performance of the new code,
9111 * but can test to see if the ordering of the sessions
ad31628c 9112 * are correct, and they are removed as expected
25959e04
TS		 9113 */
9114 SSL_SESSION *early = NULL;
9115 SSL_SESSION *middle = NULL;
9116 SSL_SESSION *late = NULL;
9117 SSL_CTX *ctx;
9118 int testresult = 0;
9119 long now = (long)time(NULL);
9120#define TIMEOUT 10
9121
9122 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9123 || !TEST_ptr(early = SSL_SESSION_new())
9124 || !TEST_ptr(middle = SSL_SESSION_new())
9125 || !TEST_ptr(late = SSL_SESSION_new()))
9126 goto end;
9127
9128 /* assign unique session ids */
9129 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9130 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9131 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9132 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9133 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9134 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9135
9136 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9137 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9138 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9139 goto end;
9140
9141 /* Make sure they are all added */
9142 if (!TEST_ptr(early->prev)
9143 || !TEST_ptr(middle->prev)
9144 || !TEST_ptr(late->prev))
9145 goto end;
9146
9147 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9148 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9149 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9150 goto end;
9151
9152 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9153 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9154 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9155 goto end;
9156
9157 /* Make sure they are all still there */
9158 if (!TEST_ptr(early->prev)
9159 || !TEST_ptr(middle->prev)
9160 || !TEST_ptr(late->prev))
9161 goto end;
9162
9163 /* Make sure they are in the expected order */
9164 if (!TEST_ptr_eq(late->next, middle)
9165 || !TEST_ptr_eq(middle->next, early)
9166 || !TEST_ptr_eq(early->prev, middle)
9167 || !TEST_ptr_eq(middle->prev, late))
9168 goto end;
9169
9170 /* This should remove "early" */
9171 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9172 if (!TEST_ptr_null(early->prev)
9173 || !TEST_ptr(middle->prev)
9174 || !TEST_ptr(late->prev))
9175 goto end;
9176
9177 /* This should remove "middle" */
9178 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9179 if (!TEST_ptr_null(early->prev)
9180 || !TEST_ptr_null(middle->prev)
9181 || !TEST_ptr(late->prev))
9182 goto end;
9183
9184 /* This should remove "late" */
9185 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9186 if (!TEST_ptr_null(early->prev)
9187 || !TEST_ptr_null(middle->prev)
9188 || !TEST_ptr_null(late->prev))
9189 goto end;
9190
9191 /* Add them back in again */
9192 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9193 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9194 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9195 goto end;
9196
9197 /* Make sure they are all added */
9198 if (!TEST_ptr(early->prev)
9199 || !TEST_ptr(middle->prev)
9200 || !TEST_ptr(late->prev))
9201 goto end;
9202
9203 /* This should remove all of them */
9204 SSL_CTX_flush_sessions(ctx, 0);
9205 if (!TEST_ptr_null(early->prev)
9206 || !TEST_ptr_null(middle->prev)
9207 || !TEST_ptr_null(late->prev))
9208 goto end;
9209
9210 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9211 | SSL_CTX_get_session_cache_mode(ctx));
9212
9213 /* make sure |now| is NOT equal to the current time */
9214 now -= 10;
9215 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9216 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9217 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9218 goto end;
9219
9220 testresult = 1;
9221 end:
9222 SSL_CTX_free(ctx);
9223 SSL_SESSION_free(early);
9224 SSL_SESSION_free(middle);
9225 SSL_SESSION_free(late);
9226 return testresult;
9227}
9228
49ef3d07
MC		 9229/*
9230 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9231 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9232 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9233 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9234 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9235 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9236 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9237 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9238 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9239 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9240 */
9241static int test_servername(int tst)
9242{
9243 SSL_CTX *cctx = NULL, *sctx = NULL;
9244 SSL *clientssl = NULL, *serverssl = NULL;
9245 int testresult = 0;
9246 SSL_SESSION *sess = NULL;
9247 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9248
9249#ifdef OPENSSL_NO_TLS1_2
9250 if (tst <= 4)
9251 return 1;
9252#endif
a763ca11 9253#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 9254 if (tst >= 5)
9255 return 1;
9256#endif
9257
5e30f2fd 9258 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 9259 TLS_client_method(),
9260 TLS1_VERSION,
9261 (tst <= 4) ? TLS1_2_VERSION
9262 : TLS1_3_VERSION,
9263 &sctx, &cctx, cert, privkey))
9264 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9265 NULL, NULL)))
9266 goto end;
9267
9268 if (tst != 1 && tst != 6) {
9269 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9270 hostname_cb)))
9271 goto end;
9272 }
9273
9274 if (tst != 3 && tst != 8) {
9275 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9276 goto end;
9277 sexpectedhost = cexpectedhost = "goodhost";
9278 }
9279
9280 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9281 goto end;
9282
9283 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9284 cexpectedhost)
9285 || !TEST_str_eq(SSL_get_servername(serverssl,
9286 TLSEXT_NAMETYPE_host_name),
9287 sexpectedhost))
9288 goto end;
9289
9290 /* Now repeat with a resumption handshake */
9291
9292 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9293 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9294 || !TEST_true(SSL_SESSION_is_resumable(sess))
9295 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9296 goto end;
9297
9298 SSL_free(clientssl);
9299 SSL_free(serverssl);
9300 clientssl = serverssl = NULL;
9301
9302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9303 NULL)))
9304 goto end;
9305
9306 if (!TEST_true(SSL_set_session(clientssl, sess)))
9307 goto end;
9308
9309 sexpectedhost = cexpectedhost = "goodhost";
9310 if (tst == 2 || tst == 7) {
9311 /* Set an inconsistent hostname */
9312 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9313 goto end;
9314 /*
9315 * In TLSv1.2 we expect the hostname from the original handshake, in
9316 * TLSv1.3 we expect the hostname from this handshake
9317 */
9318 if (tst == 7)
9319 sexpectedhost = cexpectedhost = "altgoodhost";
9320
9321 if (!TEST_str_eq(SSL_get_servername(clientssl,
9322 TLSEXT_NAMETYPE_host_name),
9323 "altgoodhost"))
9324 goto end;
9325 } else if (tst == 4 || tst == 9) {
9326 /*
9327 * A TLSv1.3 session does not associate a session with a servername,
9328 * but a TLSv1.2 session does.
9329 */
9330 if (tst == 9)
9331 sexpectedhost = cexpectedhost = NULL;
9332
9333 if (!TEST_str_eq(SSL_get_servername(clientssl,
9334 TLSEXT_NAMETYPE_host_name),
9335 cexpectedhost))
9336 goto end;
9337 } else {
9338 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9339 goto end;
9340 /*
9341 * In a TLSv1.2 resumption where the hostname was not acknowledged
9342 * we expect the hostname on the server to be empty. On the client we
9343 * return what was requested in this case.
9344 *
9345 * Similarly if the client didn't set a hostname on an original TLSv1.2
9346 * session but is now, the server hostname will be empty, but the client
9347 * is as we set it.
9348 */
9349 if (tst == 1 || tst == 3)
9350 sexpectedhost = NULL;
9351
9352 if (!TEST_str_eq(SSL_get_servername(clientssl,
9353 TLSEXT_NAMETYPE_host_name),
9354 "goodhost"))
9355 goto end;
9356 }
9357
9358 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9359 goto end;
9360
9361 if (!TEST_true(SSL_session_reused(clientssl))
9362 || !TEST_true(SSL_session_reused(serverssl))
9363 || !TEST_str_eq(SSL_get_servername(clientssl,
9364 TLSEXT_NAMETYPE_host_name),
9365 cexpectedhost)
9366 || !TEST_str_eq(SSL_get_servername(serverssl,
9367 TLSEXT_NAMETYPE_host_name),
9368 sexpectedhost))
9369 goto end;
9370
9371 testresult = 1;
9372
9373 end:
9374 SSL_SESSION_free(sess);
9375 SSL_free(serverssl);
9376 SSL_free(clientssl);
9377 SSL_CTX_free(sctx);
9378 SSL_CTX_free(cctx);
9379
9380 return testresult;
9381}
9382
b1fdbc68 9383#if !defined(OPENSSL_NO_EC) \
a763ca11 9384 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 9385/*
9386 * Test that if signature algorithms are not available, then we do not offer or
9387 * accept them.
9388 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9389 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9390 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9391 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9392 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9393 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9394 */
9395static int test_sigalgs_available(int idx)
9396{
9397 SSL_CTX *cctx = NULL, *sctx = NULL;
9398 SSL *clientssl = NULL, *serverssl = NULL;
9399 int testresult = 0;
b4250010
DMSP		 9400 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9401 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 9402 OSSL_PROVIDER *filterprov = NULL;
9403 int sig, hash;
9404
9405 if (!TEST_ptr(tmpctx))
9406 goto end;
9407
9408 if (idx != 0 && idx != 3) {
9409 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9410 filter_provider_init)))
9411 goto end;
9412
9413 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9414 if (!TEST_ptr(filterprov))
9415 goto end;
9416
9417 if (idx < 3) {
9418 /*
9419 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9420 * or accepted for the peer that uses this libctx. Note that libssl
9421 * *requires* SHA2-256 to be available so we cannot disable that. We
9422 * also need SHA1 for our certificate.
9423 */
9424 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9425 "SHA2-256:SHA1")))
9426 goto end;
9427 } else {
9428 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9429 "ECDSA"))
4032cd9a
YL		 9430# ifdef OPENSSL_NO_ECX
9431 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9432# else
b3842539 9433 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
4032cd9a
YL		 9434 "EC:X25519:X448"))
9435# endif
9436 )
b3842539
MC		 9437 goto end;
9438 }
9439
9440 if (idx == 1 || idx == 4)
9441 clientctx = tmpctx;
9442 else
9443 serverctx = tmpctx;
9444 }
9445
d8652be0
MC		 9446 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9447 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 9448 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9449 goto end;
b3842539 9450
b4c4a2c6
TM		 9451 if (idx != 5) {
9452 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9453 TLS_client_method(),
9454 TLS1_VERSION,
9455 0,
9456 &sctx, &cctx, cert, privkey)))
9457 goto end;
9458 } else {
9459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9460 TLS_client_method(),
9461 TLS1_VERSION,
9462 0,
9463 &sctx, &cctx, cert2, privkey2)))
9464 goto end;
9465 }
b3842539 9466
b1fdbc68
MC		 9467 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9468 if (idx < 4) {
9469 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9470 "ECDHE-RSA-AES128-GCM-SHA256")))
9471 goto end;
9472 } else {
9473 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9474 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9475 goto end;
9476 }
9477
b3842539
MC		 9478 if (idx < 3) {
9479 if (!SSL_CTX_set1_sigalgs_list(cctx,
9480 "rsa_pss_rsae_sha384"
9481 ":rsa_pss_rsae_sha256")
9482 || !SSL_CTX_set1_sigalgs_list(sctx,
9483 "rsa_pss_rsae_sha384"
9484 ":rsa_pss_rsae_sha256"))
9485 goto end;
9486 } else {
9487 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9488 || !SSL_CTX_set1_sigalgs_list(sctx,
9489 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9490 goto end;
9491 }
9492
b4c4a2c6
TM		 9493 if (idx != 5
9494 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9495 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9496 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9497 privkey2,
9498 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9499 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9500 goto end;
9501
9502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9503 NULL, NULL)))
b3842539
MC		 9504 goto end;
9505
9506 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9507 goto end;
9508
9509 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9510 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9511 NULL, NULL),
9512 (idx == 0 || idx == 3) ? 2 : 1))
9513 goto end;
9514
9515 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9516 goto end;
9517
9518 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9519 : NID_rsassaPss))
9520 goto end;
9521
b0001d0c 9522 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9523
9524 end:
9525 SSL_free(serverssl);
9526 SSL_free(clientssl);
9527 SSL_CTX_free(sctx);
9528 SSL_CTX_free(cctx);
9529 OSSL_PROVIDER_unload(filterprov);
b4250010 9530 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9531
9532 return testresult;
9533}
b1fdbc68
MC		 9534#endif /*
9535 * !defined(OPENSSL_NO_EC) \
a763ca11 9536 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9537 */
b3842539 9538
0c13cdf8 9539#ifndef OPENSSL_NO_TLS1_3
a763ca11 9540/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9541static int test_pluggable_group(int idx)
0c13cdf8
MC		 9542{
9543 SSL_CTX *cctx = NULL, *sctx = NULL;
9544 SSL *clientssl = NULL, *serverssl = NULL;
9545 int testresult = 0;
9546 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9547 /* Check that we are not impacted by a provider without any groups */
9548 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 9549 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 9550
5ae54dba 9551 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9552 goto end;
9553
5ae54dba
MC		 9554 if (legacyprov == NULL) {
9555 /*
9556 * In this case we assume we've been built with "no-legacy" and skip
9557 * this test (there is no OPENSSL_NO_LEGACY)
9558 */
9559 testresult = 1;
9560 goto end;
9561 }
9562
0c13cdf8
MC		 9563 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9564 TLS_client_method(),
9565 TLS1_3_VERSION,
9566 TLS1_3_VERSION,
9567 &sctx, &cctx, cert, privkey))
9568 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9569 NULL, NULL)))
9570 goto end;
9571
c8e3a4c6
NT		 9572 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9573 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9574 goto end;
9575
9576 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9577 goto end;
9578
becbacd7
MB		 9579 if (!TEST_str_eq(group_name,
9580 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9581 goto end;
9582
68668243
AB		 9583 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9584 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9585 goto end;
9586
0c13cdf8
MC		 9587 testresult = 1;
9588
9589 end:
9590 SSL_free(serverssl);
9591 SSL_free(clientssl);
9592 SSL_CTX_free(sctx);
9593 SSL_CTX_free(cctx);
9594 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9595 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9596
9597 return testresult;
9598}
ee58915c
MB		 9599
9600/*
9601 * This function triggers encode, decode and sign functions
9602 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9603 * creating private key and certificate files for use in TLS testing.
9604 */
9605static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9606{
bbaeadb0 9607 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
ee58915c
MB		 9608 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9609 EVP_PKEY *pkey = NULL;
9610 X509 *x509 = X509_new();
9611 X509_NAME *name = NULL;
9612 BIO *keybio = NULL, *certbio = NULL;
9613 int ret = 1;
9614
9615 if (!TEST_ptr(evpctx)
9616 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9617 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9618 || !TEST_ptr(pkey)
9619 || !TEST_ptr(x509)
9620 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9621 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9622 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9623 || !TEST_true(X509_set_pubkey(x509, pkey))
9624 || !TEST_ptr(name = X509_get_subject_name(x509))
9625 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9626 (unsigned char *)"CH", -1, -1, 0))
9627 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9628 (unsigned char *)"test.org", -1, -1, 0))
9629 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9630 (unsigned char *)"localhost", -1, -1, 0))
9631 || !TEST_true(X509_set_issuer_name(x509, name))
9632 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9633 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9634 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9635 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9636 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9637 ret = 0;
9638
9639 EVP_PKEY_free(pkey);
9640 X509_free(x509);
9641 EVP_PKEY_CTX_free(evpctx);
9642 BIO_free(keybio);
9643 BIO_free(certbio);
9644 return ret;
9645}
9646
9647/*
9648 * Test that signature algorithms loaded via the provider interface can
9649 * correctly establish a TLS (1.3) connection.
9650 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9651 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
3c95ef22
TS		 9652 * Test 2: Test 0 using RPK
9653 * Test 3: Test 1 using RPK
ee58915c
MB		 9654 */
9655static int test_pluggable_signature(int idx)
9656{
3c95ef22 9657 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
ee58915c
MB		 9658 SSL_CTX *cctx = NULL, *sctx = NULL;
9659 SSL *clientssl = NULL, *serverssl = NULL;
9660 int testresult = 0;
9661 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9662 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9663 char *certfilename = "tls-prov-cert.pem";
9664 char *privkeyfilename = "tls-prov-key.pem";
3c95ef22
TS		 9665 int sigidx = idx % 2;
9666 int rpkidx = idx / 2;
ee58915c
MB		 9667
9668 /* create key and certificate for the different algorithm types */
9669 if (!TEST_ptr(tlsprov)
3c95ef22 9670 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
ee58915c
MB		 9671 goto end;
9672
9673 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9674 TLS_client_method(),
9675 TLS1_3_VERSION,
9676 TLS1_3_VERSION,
9677 &sctx, &cctx, certfilename, privkeyfilename))
9678 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9679 NULL, NULL)))
9680 goto end;
9681
3c95ef22
TS		 9682 /* Enable RPK for server cert */
9683 if (rpkidx) {
9684 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9685 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9686 goto end;
9687 }
9688
ee58915c
MB		 9689 /* This is necessary to pass minimal setup w/o other groups configured */
9690 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9691 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9692 goto end;
9693
9694 /*
9695 * If this connection gets established, it must have been completed
9696 * via the tls-provider-implemented "hmacsig" algorithm, testing
9697 * both sign and verify functions during handshake.
9698 */
9699 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9700 goto end;
9701
3c95ef22
TS		 9702 /* If using RPK, make sure we got one */
9703 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9704 goto end;
9705
ee58915c
MB		 9706 testresult = 1;
9707
9708 end:
9709 SSL_free(serverssl);
9710 SSL_free(clientssl);
9711 SSL_CTX_free(sctx);
9712 SSL_CTX_free(cctx);
9713 OSSL_PROVIDER_unload(tlsprov);
9714 OSSL_PROVIDER_unload(defaultprov);
9715
9716 return testresult;
9717}
0c13cdf8 9718#endif
b3842539 9719
49a36a52
MC		 9720#ifndef OPENSSL_NO_TLS1_2
9721static int test_ssl_dup(void)
9722{
9723 SSL_CTX *cctx = NULL, *sctx = NULL;
9724 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9725 int testresult = 0;
9726 BIO *rbio = NULL, *wbio = NULL;
9727
9728 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9729 TLS_client_method(),
9730 0,
9731 0,
9732 &sctx, &cctx, cert, privkey)))
9733 goto end;
9734
9735 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9736 NULL, NULL)))
9737 goto end;
9738
9739 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9740 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9741 goto end;
9742
9743 client2ssl = SSL_dup(clientssl);
9744 rbio = SSL_get_rbio(clientssl);
9745 if (!TEST_ptr(rbio)
9746 || !TEST_true(BIO_up_ref(rbio)))
9747 goto end;
9748 SSL_set0_rbio(client2ssl, rbio);
9749 rbio = NULL;
9750
9751 wbio = SSL_get_wbio(clientssl);
9752 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9753 goto end;
9754 SSL_set0_wbio(client2ssl, wbio);
9755 rbio = NULL;
9756
9757 if (!TEST_ptr(client2ssl)
9758 /* Handshake not started so pointers should be different */
9759 || !TEST_ptr_ne(clientssl, client2ssl))
9760 goto end;
9761
9762 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9763 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9764 goto end;
9765
9766 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9767 goto end;
9768
9769 SSL_free(clientssl);
9770 clientssl = SSL_dup(client2ssl);
9771 if (!TEST_ptr(clientssl)
9772 /* Handshake has finished so pointers should be the same */
9773 || !TEST_ptr_eq(clientssl, client2ssl))
9774 goto end;
9775
9776 testresult = 1;
9777
9778 end:
9779 SSL_free(serverssl);
9780 SSL_free(clientssl);
9781 SSL_free(client2ssl);
9782 SSL_CTX_free(sctx);
9783 SSL_CTX_free(cctx);
9784
9785 return testresult;
9786}
33c39a06
MC		 9787
9788# ifndef OPENSSL_NO_DH
9789
9790static EVP_PKEY *tmp_dh_params = NULL;
9791
9792/* Helper function for the test_set_tmp_dh() tests */
9793static EVP_PKEY *get_tmp_dh_params(void)
9794{
9795 if (tmp_dh_params == NULL) {
9796 BIGNUM *p = NULL;
9797 OSSL_PARAM_BLD *tmpl = NULL;
9798 EVP_PKEY_CTX *pctx = NULL;
9799 OSSL_PARAM *params = NULL;
9800 EVP_PKEY *dhpkey = NULL;
9801
9802 p = BN_get_rfc3526_prime_2048(NULL);
9803 if (!TEST_ptr(p))
9804 goto end;
9805
9806 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9807 if (!TEST_ptr(pctx)
884400d7 9808 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9809 goto end;
9810
9811 tmpl = OSSL_PARAM_BLD_new();
9812 if (!TEST_ptr(tmpl)
9813 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9814 OSSL_PKEY_PARAM_FFC_P,
9815 p))
9816 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9817 OSSL_PKEY_PARAM_FFC_G,
9818 2)))
9819 goto end;
9820
9821 params = OSSL_PARAM_BLD_to_param(tmpl);
9822 if (!TEST_ptr(params)
884400d7 9823 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9824 EVP_PKEY_KEY_PARAMETERS,
9825 params), 1))
33c39a06
MC		 9826 goto end;
9827
9828 tmp_dh_params = dhpkey;
9829 end:
9830 BN_free(p);
9831 EVP_PKEY_CTX_free(pctx);
9832 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9833 OSSL_PARAM_free(params);
33c39a06
MC		 9834 }
9835
f1619160 9836 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9837 return NULL;
9838
9839 return tmp_dh_params;
9840}
9841
39f3427d 9842# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9843/* Callback used by test_set_tmp_dh() */
9844static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9845{
9846 EVP_PKEY *dhpkey = get_tmp_dh_params();
9847 DH *ret = NULL;
9848
9849 if (!TEST_ptr(dhpkey))
9850 return NULL;
9851
7bc0fdd3
MC		 9852 /*
9853 * libssl does not free the returned DH, so we free it now knowing that even
9854 * after we free dhpkey, there will still be a reference to the owning
9855 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9856 * of time we need it for.
9857 */
9858 ret = EVP_PKEY_get1_DH(dhpkey);
9859 DH_free(ret);
33c39a06
MC		 9860
9861 EVP_PKEY_free(dhpkey);
9862
9863 return ret;
9864}
9865# endif
9866
9867/*
9868 * Test the various methods for setting temporary DH parameters
9869 *
9870 * Test 0: Default (no auto) setting
9871 * Test 1: Explicit SSL_CTX auto off
9872 * Test 2: Explicit SSL auto off
9873 * Test 3: Explicit SSL_CTX auto on
9874 * Test 4: Explicit SSL auto on
9875 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9876 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9877 *
9878 * The following are testing deprecated APIs, so we only run them if available
9879 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9880 * Test 8: Explicit SSL auto off, custom DH params via DH
9881 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9882 * Test 10: Explicit SSL auto off, custom DH params via callback
9883 */
9884static int test_set_tmp_dh(int idx)
9885{
9886 SSL_CTX *cctx = NULL, *sctx = NULL;
9887 SSL *clientssl = NULL, *serverssl = NULL;
9888 int testresult = 0;
9889 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9890 int expected = (idx <= 2) ? 0 : 1;
9891 EVP_PKEY *dhpkey = NULL;
9892# ifndef OPENSSL_NO_DEPRECATED_3_0
9893 DH *dh = NULL;
9894# else
9895
9896 if (idx >= 7)
9897 return 1;
9898# endif
9899
9900 if (idx >= 5 && idx <= 8) {
9901 dhpkey = get_tmp_dh_params();
9902 if (!TEST_ptr(dhpkey))
9903 goto end;
9904 }
9905# ifndef OPENSSL_NO_DEPRECATED_3_0
9906 if (idx == 7 || idx == 8) {
7bc0fdd3 9907 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9908 if (!TEST_ptr(dh))
9909 goto end;
9910 }
9911# endif
9912
9913 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9914 TLS_client_method(),
9915 0,
9916 0,
9917 &sctx, &cctx, cert, privkey)))
9918 goto end;
9919
9920 if ((idx & 1) == 1) {
9921 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9922 goto end;
9923 }
9924
9925 if (idx == 5) {
9926 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9927 goto end;
9928 dhpkey = NULL;
9929 }
9930# ifndef OPENSSL_NO_DEPRECATED_3_0
9931 else if (idx == 7) {
9932 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9933 goto end;
9934 } else if (idx == 9) {
9935 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9936 }
9937# endif
9938
9939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9940 NULL, NULL)))
9941 goto end;
9942
9943 if ((idx & 1) == 0 && idx != 0) {
9944 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9945 goto end;
9946 }
9947 if (idx == 6) {
9948 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9949 goto end;
9950 dhpkey = NULL;
9951 }
9952# ifndef OPENSSL_NO_DEPRECATED_3_0
9953 else if (idx == 8) {
9954 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9955 goto end;
9956 } else if (idx == 10) {
9957 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9958 }
9959# endif
9960
9961 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9962 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9963 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9964 goto end;
9965
9966 /*
9967 * If autoon then we should succeed. Otherwise we expect failure because
9968 * there are no parameters
9969 */
9970 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9971 SSL_ERROR_NONE), expected))
9972 goto end;
9973
9974 testresult = 1;
9975
9976 end:
7bc0fdd3
MC		 9977# ifndef OPENSSL_NO_DEPRECATED_3_0
9978 DH_free(dh);
9979# endif
33c39a06
MC		 9980 SSL_free(serverssl);
9981 SSL_free(clientssl);
9982 SSL_CTX_free(sctx);
9983 SSL_CTX_free(cctx);
9984 EVP_PKEY_free(dhpkey);
9985
9986 return testresult;
9987}
3105d846
MC		 9988
9989/*
9990 * Test the auto DH keys are appropriately sized
9991 */
9992static int test_dh_auto(int idx)
9993{
61cab650
MC		 9994 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9995 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9996 SSL *clientssl = NULL, *serverssl = NULL;
9997 int testresult = 0;
9998 EVP_PKEY *tmpkey = NULL;
9999 char *thiscert = NULL, *thiskey = NULL;
10000 size_t expdhsize = 0;
10001 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10002
61cab650
MC		 10003 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10004 goto end;
10005
3105d846
MC		 10006 switch (idx) {
10007 case 0:
10008 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10009 if (is_fips) {
10010 testresult = 1;
10011 goto end;
10012 }
3105d846
MC		 10013 thiscert = cert1024;
10014 thiskey = privkey1024;
10015 expdhsize = 1024;
61cab650
MC		 10016 SSL_CTX_set_security_level(sctx, 1);
10017 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 10018 break;
10019 case 1:
10020 /* 2048 bit prime */
10021 thiscert = cert;
10022 thiskey = privkey;
10023 expdhsize = 2048;
10024 break;
10025 case 2:
10026 thiscert = cert3072;
10027 thiskey = privkey3072;
10028 expdhsize = 3072;
10029 break;
10030 case 3:
10031 thiscert = cert4096;
10032 thiskey = privkey4096;
10033 expdhsize = 4096;
10034 break;
10035 case 4:
10036 thiscert = cert8192;
10037 thiskey = privkey8192;
10038 expdhsize = 8192;
10039 break;
10040 /* No certificate cases */
10041 case 5:
10042 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10043 if (is_fips) {
10044 testresult = 1;
10045 goto end;
10046 }
3105d846
MC		 10047 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10048 expdhsize = 1024;
10049 break;
10050 case 6:
10051 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10052 expdhsize = 3072;
10053 break;
10054 default:
10055 TEST_error("Invalid text index");
10056 goto end;
10057 }
10058
61cab650
MC		 10059 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10060 NULL,
3105d846
MC		 10061 0,
10062 0,
10063 &sctx, &cctx, thiscert, thiskey)))
10064 goto end;
10065
10066 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10067 NULL, NULL)))
10068 goto end;
10069
10070 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10071 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10072 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10073 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10074 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10075 goto end;
10076
10077 /*
10078 * Send the server's first flight. At this point the server has created the
10079 * temporary DH key but hasn't finished using it yet. Once used it is
10080 * removed, so we cannot test it.
10081 */
10082 if (!TEST_int_le(SSL_connect(clientssl), 0)
10083 || !TEST_int_le(SSL_accept(serverssl), 0))
10084 goto end;
10085
10086 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10087 goto end;
ed576acd 10088 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 10089 goto end;
10090
10091 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10092 goto end;
10093
10094 testresult = 1;
10095
10096 end:
10097 SSL_free(serverssl);
10098 SSL_free(clientssl);
10099 SSL_CTX_free(sctx);
10100 SSL_CTX_free(cctx);
10101 EVP_PKEY_free(tmpkey);
10102
10103 return testresult;
10104
10105}
33c39a06
MC		 10106# endif /* OPENSSL_NO_DH */
10107#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 10108
a763ca11 10109#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 10110/*
10111 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10112 * that it works even without a certificate configured for the original
10113 * SSL_CTX
10114 */
10115static int test_sni_tls13(void)
10116{
10117 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10118 SSL *clientssl = NULL, *serverssl = NULL;
10119 int testresult = 0;
10120
10121 /* Reset callback counter */
10122 snicb = 0;
10123
10124 /* Create an initial SSL_CTX with no certificate configured */
10125 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10126 if (!TEST_ptr(sctx))
10127 goto end;
10128 /* Require TLSv1.3 as a minimum */
10129 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10130 TLS_client_method(), TLS1_3_VERSION, 0,
10131 &sctx2, &cctx, cert, privkey)))
10132 goto end;
10133
10134 /* Set up SNI */
10135 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10136 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10137 goto end;
10138
10139 /*
10140 * Connection should still succeed because the final SSL_CTX has the right
10141 * certificates configured.
10142 */
10143 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10144 &clientssl, NULL, NULL))
10145 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10146 SSL_ERROR_NONE)))
10147 goto end;
10148
10149 /* We should have had the SNI callback called exactly once */
10150 if (!TEST_int_eq(snicb, 1))
10151 goto end;
10152
10153 testresult = 1;
10154
10155end:
10156 SSL_free(serverssl);
10157 SSL_free(clientssl);
10158 SSL_CTX_free(sctx2);
10159 SSL_CTX_free(sctx);
10160 SSL_CTX_free(cctx);
10161 return testresult;
10162}
0089cc7f
TS		 10163
10164/*
10165 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10166 * 0 = TLSv1.2
10167 * 1 = TLSv1.3
10168 */
10169static int test_ticket_lifetime(int idx)
10170{
10171 SSL_CTX *cctx = NULL, *sctx = NULL;
10172 SSL *clientssl = NULL, *serverssl = NULL;
10173 int testresult = 0;
10174 int version = TLS1_3_VERSION;
10175
10176#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10177#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10178
10179 if (idx == 0) {
40fb5a4c
TS		 10180#ifdef OPENSSL_NO_TLS1_2
10181 return TEST_skip("TLS 1.2 is disabled.");
10182#else
0089cc7f 10183 version = TLS1_2_VERSION;
40fb5a4c 10184#endif
0089cc7f
TS		 10185 }
10186
10187 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10188 TLS_client_method(), version, version,
10189 &sctx, &cctx, cert, privkey)))
10190 goto end;
10191
10192 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10193 &clientssl, NULL, NULL)))
10194 goto end;
10195
10196 /*
10197 * Set the timeout to be more than 1 week
10198 * make sure the returned value is the default
10199 */
10200 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10201 SSL_get_default_timeout(serverssl)))
10202 goto end;
10203
10204 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10205 goto end;
10206
10207 if (idx == 0) {
10208 /* TLSv1.2 uses the set value */
10209 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10210 goto end;
10211 } else {
10212 /* TLSv1.3 uses the limited value */
10213 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10214 goto end;
10215 }
10216 testresult = 1;
10217
10218end:
10219 SSL_free(serverssl);
10220 SSL_free(clientssl);
10221 SSL_CTX_free(sctx);
10222 SSL_CTX_free(cctx);
10223 return testresult;
10224}
6582661f 10225#endif
feba11cf
TS		 10226/*
10227 * Test that setting an ALPN does not violate RFC
10228 */
10229static int test_set_alpn(void)
10230{
10231 SSL_CTX *ctx = NULL;
10232 SSL *ssl = NULL;
10233 int testresult = 0;
10234
10235 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10236 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10237 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10238 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10239 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10240 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10241
10242 /* Create an initial SSL_CTX with no certificate configured */
10243 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10244 if (!TEST_ptr(ctx))
10245 goto end;
10246
10247 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10248 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10249 goto end;
10250 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10251 goto end;
10252 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10253 goto end;
10254 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10255 goto end;
10256 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10257 goto end;
10258 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10259 goto end;
10260 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10261 goto end;
10262 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10263 goto end;
10264 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10265 goto end;
10266
10267 ssl = SSL_new(ctx);
10268 if (!TEST_ptr(ssl))
10269 goto end;
10270
10271 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10272 goto end;
10273 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10274 goto end;
10275 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10276 goto end;
10277 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10278 goto end;
10279 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10280 goto end;
10281 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10282 goto end;
10283 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10284 goto end;
10285 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10286 goto end;
10287 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10288 goto end;
10289
10290 testresult = 1;
10291
10292end:
10293 SSL_free(ssl);
10294 SSL_CTX_free(ctx);
10295 return testresult;
10296}
6582661f 10297
948cf521
HL		 10298/*
10299 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10300 */
10301static int test_set_verify_cert_store_ssl_ctx(void)
10302{
10303 SSL_CTX *ctx = NULL;
10304 int testresult = 0;
10305 X509_STORE *store = NULL, *new_store = NULL,
10306 *cstore = NULL, *new_cstore = NULL;
10307
10308 /* Create an initial SSL_CTX. */
10309 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10310 if (!TEST_ptr(ctx))
10311 goto end;
10312
10313 /* Retrieve verify store pointer. */
10314 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10315 goto end;
10316
10317 /* Retrieve chain store pointer. */
10318 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10319 goto end;
10320
10321 /* We haven't set any yet, so this should be NULL. */
10322 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10323 goto end;
10324
10325 /* Create stores. We use separate stores so pointers are different. */
10326 new_store = X509_STORE_new();
10327 if (!TEST_ptr(new_store))
10328 goto end;
10329
10330 new_cstore = X509_STORE_new();
10331 if (!TEST_ptr(new_cstore))
10332 goto end;
10333
10334 /* Set stores. */
10335 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10336 goto end;
10337
10338 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10339 goto end;
10340
10341 /* Should be able to retrieve the same pointer. */
10342 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10343 goto end;
10344
10345 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10346 goto end;
10347
10348 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10349 goto end;
10350
10351 /* Should be able to unset again. */
10352 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10353 goto end;
10354
10355 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10356 goto end;
10357
10358 /* Should now be NULL. */
10359 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10360 goto end;
10361
10362 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10363 goto end;
10364
10365 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10366 goto end;
10367
10368 testresult = 1;
10369
10370end:
10371 X509_STORE_free(new_store);
10372 X509_STORE_free(new_cstore);
10373 SSL_CTX_free(ctx);
10374 return testresult;
10375}
10376
10377/*
10378 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10379 */
10380static int test_set_verify_cert_store_ssl(void)
10381{
10382 SSL_CTX *ctx = NULL;
10383 SSL *ssl = NULL;
10384 int testresult = 0;
10385 X509_STORE *store = NULL, *new_store = NULL,
10386 *cstore = NULL, *new_cstore = NULL;
10387
10388 /* Create an initial SSL_CTX. */
10389 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10390 if (!TEST_ptr(ctx))
10391 goto end;
10392
10393 /* Create an SSL object. */
10394 ssl = SSL_new(ctx);
10395 if (!TEST_ptr(ssl))
10396 goto end;
10397
10398 /* Retrieve verify store pointer. */
10399 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10400 goto end;
10401
10402 /* Retrieve chain store pointer. */
10403 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10404 goto end;
10405
10406 /* We haven't set any yet, so this should be NULL. */
10407 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10408 goto end;
10409
10410 /* Create stores. We use separate stores so pointers are different. */
10411 new_store = X509_STORE_new();
10412 if (!TEST_ptr(new_store))
10413 goto end;
10414
10415 new_cstore = X509_STORE_new();
10416 if (!TEST_ptr(new_cstore))
10417 goto end;
10418
10419 /* Set stores. */
10420 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10421 goto end;
10422
10423 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10424 goto end;
10425
10426 /* Should be able to retrieve the same pointer. */
10427 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10428 goto end;
10429
10430 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10431 goto end;
10432
10433 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10434 goto end;
10435
10436 /* Should be able to unset again. */
10437 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10438 goto end;
10439
10440 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10441 goto end;
10442
10443 /* Should now be NULL. */
10444 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10445 goto end;
10446
10447 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10448 goto end;
10449
10450 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10451 goto end;
10452
10453 testresult = 1;
10454
10455end:
10456 X509_STORE_free(new_store);
10457 X509_STORE_free(new_cstore);
10458 SSL_free(ssl);
10459 SSL_CTX_free(ctx);
10460 return testresult;
10461}
10462
10463
dfccfde0
CH		 10464static int test_inherit_verify_param(void)
10465{
10466 int testresult = 0;
10467
10468 SSL_CTX *ctx = NULL;
10469 X509_VERIFY_PARAM *cp = NULL;
10470 SSL *ssl = NULL;
10471 X509_VERIFY_PARAM *sp = NULL;
10472 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10473
10474 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10475 if (!TEST_ptr(ctx))
10476 goto end;
10477
10478 cp = SSL_CTX_get0_param(ctx);
10479 if (!TEST_ptr(cp))
10480 goto end;
10481 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10482 goto end;
10483
10484 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10485
10486 ssl = SSL_new(ctx);
10487 if (!TEST_ptr(ssl))
10488 goto end;
10489
10490 sp = SSL_get0_param(ssl);
10491 if (!TEST_ptr(sp))
10492 goto end;
10493 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10494 goto end;
10495
10496 testresult = 1;
10497
10498 end:
10499 SSL_free(ssl);
10500 SSL_CTX_free(ctx);
10501
10502 return testresult;
10503}
10504
b2b8d188
DF		 10505static int test_load_dhfile(void)
10506{
10507#ifndef OPENSSL_NO_DH
10508 int testresult = 0;
10509
10510 SSL_CTX *ctx = NULL;
10511 SSL_CONF_CTX *cctx = NULL;
10512
10513 if (dhfile == NULL)
10514 return 1;
10515
10516 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10517 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10518 goto end;
10519
10520 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10521 SSL_CONF_CTX_set_flags(cctx,
10522 SSL_CONF_FLAG_CERTIFICATE
10523 | SSL_CONF_FLAG_SERVER
10524 | SSL_CONF_FLAG_FILE);
10525
10526 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10527 goto end;
10528
10529 testresult = 1;
10530end:
10531 SSL_CONF_CTX_free(cctx);
10532 SSL_CTX_free(ctx);
10533
10534 return testresult;
10535#else
10536 return TEST_skip("DH not supported by this build");
10537#endif
10538}
10539
f7565348
MC		 10540#ifndef OSSL_NO_USABLE_TLS1_3
10541/* Test that read_ahead works across a key change */
10542static int test_read_ahead_key_change(void)
10543{
10544 SSL_CTX *cctx = NULL, *sctx = NULL;
10545 SSL *clientssl = NULL, *serverssl = NULL;
10546 int testresult = 0;
10547 char *msg = "Hello World";
10548 size_t written, readbytes;
10549 char buf[80];
10550 int i;
10551
10552 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10553 TLS_client_method(), TLS1_3_VERSION, 0,
10554 &sctx, &cctx, cert, privkey)))
10555 goto end;
10556
10557 SSL_CTX_set_read_ahead(sctx, 1);
10558
10559 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10560 &clientssl, NULL, NULL)))
10561 goto end;
10562
10563 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10564 goto end;
10565
10566 /* Write some data, send a key update, write more data */
10567 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10568 || !TEST_size_t_eq(written, strlen(msg)))
10569 goto end;
10570
10571 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10572 goto end;
10573
10574 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10575 || !TEST_size_t_eq(written, strlen(msg)))
10576 goto end;
10577
10578 /*
10579 * Since read_ahead is on the first read below should read the record with
10580 * the first app data, the second record with the key update message, and
10581 * the third record with the app data all in one go. We should be able to
10582 * still process the read_ahead data correctly even though it crosses
10583 * epochs
10584 */
10585 for (i = 0; i < 2; i++) {
10586 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10587 &readbytes)))
10588 goto end;
10589
10590 buf[readbytes] = '\0';
10591 if (!TEST_str_eq(buf, msg))
10592 goto end;
10593 }
10594
10595 testresult = 1;
10596
10597end:
10598 SSL_free(serverssl);
10599 SSL_free(clientssl);
10600 SSL_CTX_free(sctx);
10601 SSL_CTX_free(cctx);
10602 return testresult;
10603}
f3f8e53c
MC		 10604
10605static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10606{
10607 int *called = arg;
10608
10609 switch ((*called)++) {
10610 case 0:
10611 /* Add some padding to first record */
10612 return 512;
10613 case 1:
10614 /* Maximally pad the second record */
10615 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10616 case 2:
10617 /*
10618 * Exceeding the maximum padding should be fine. It should just pad to
10619 * the maximum anyway
10620 */
10621 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10622 case 3:
10623 /*
10624 * Very large padding should also be ok. Should just pad to the maximum
10625 * allowed
10626 */
10627 return SIZE_MAX;
10628 default:
10629 return 0;
10630 }
10631}
10632
10633/*
10634 * Test that setting record padding in TLSv1.3 works as expected
10635 * Test 0: Record padding callback on the SSL_CTX
10636 * Test 1: Record padding callback on the SSL
10637 * Test 2: Record block padding on the SSL_CTX
10638 * Test 3: Record block padding on the SSL
10639 */
10640static int test_tls13_record_padding(int idx)
10641{
10642 SSL_CTX *cctx = NULL, *sctx = NULL;
10643 SSL *clientssl = NULL, *serverssl = NULL;
10644 int testresult = 0;
10645 char *msg = "Hello World";
10646 size_t written, readbytes;
10647 char buf[80];
10648 int i;
10649 int called = 0;
10650
10651 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10652 TLS_client_method(), TLS1_3_VERSION, 0,
10653 &sctx, &cctx, cert, privkey)))
10654 goto end;
10655
10656 if (idx == 0) {
10657 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10658 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10659 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10660 goto end;
10661 } else if (idx == 2) {
10662 /* Exceeding the max plain length should fail */
10663 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10664 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10665 goto end;
10666 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10667 goto end;
10668 }
10669
10670 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10671 &clientssl, NULL, NULL)))
10672 goto end;
10673
10674 if (idx == 1) {
10675 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10676 SSL_set_record_padding_callback_arg(clientssl, &called);
10677 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10678 goto end;
10679 } else if (idx == 3) {
10680 /* Exceeding the max plain length should fail */
10681 if (!TEST_false(SSL_set_block_padding(clientssl,
10682 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10683 goto end;
10684 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10685 goto end;
10686 }
10687
10688 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10689 goto end;
10690
10691 called = 0;
10692 /*
10693 * Write some data, then check we can read it. Do this four times to check
10694 * we can continue to write and read padded data after the initial record
10695 * padding has been added. We don't actually check that the padding has
10696 * been applied to the record - just that we can continue to communicate
10697 * normally and that the callback has been called (if appropriate).
10698 */
10699 for (i = 0; i < 4; i++) {
10700 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10701 || !TEST_size_t_eq(written, strlen(msg)))
10702 goto end;
10703
10704 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10705 &readbytes))
10706 || !TEST_size_t_eq(written, readbytes))
10707 goto end;
10708
10709 buf[readbytes] = '\0';
10710 if (!TEST_str_eq(buf, msg))
10711 goto end;
10712 }
10713
10714 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10715 goto end;
10716
10717 testresult = 1;
10718end:
10719 SSL_free(serverssl);
10720 SSL_free(clientssl);
10721 SSL_CTX_free(sctx);
10722 SSL_CTX_free(cctx);
10723 return testresult;
10724}
f7565348
MC		 10725#endif /* OSSL_NO_USABLE_TLS1_3 */
10726
b718f6fc 10727#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f
MC		 10728
10729static ENGINE *load_dasync(void)
10730{
10731 ENGINE *e;
10732
10733 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10734 return NULL;
10735
10736 if (!TEST_true(ENGINE_init(e))) {
10737 ENGINE_free(e);
10738 return NULL;
10739 }
10740
10741 if (!TEST_true(ENGINE_register_ciphers(e))) {
10742 ENGINE_free(e);
10743 return NULL;
10744 }
10745
10746 return e;
10747}
10748
b718f6fc
MC		 10749/*
10750 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10751 * support this yet. The only pipeline capable cipher that we have is in the
10752 * dasync engine (providers don't support this yet), so we have to use
10753 * deprecated APIs for this test.
10754 *
10755 * Test 0: Client has pipelining enabled, server does not
10756 * Test 1: Server has pipelining enabled, client does not
10757 * Test 2: Client has pipelining enabled, server does not: not enough data to
10758 * fill all the pipelines
10759 * Test 3: Client has pipelining enabled, server does not: not enough data to
10760 * fill all the pipelines by more than a full pipeline's worth
10761 * Test 4: Client has pipelining enabled, server does not: more data than all
10762 * the available pipelines can take
10763 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
7765d25f
MC		 10764 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10765 * is created)
b718f6fc
MC		 10766 */
10767static int test_pipelining(int idx)
10768{
10769 SSL_CTX *cctx = NULL, *sctx = NULL;
10770 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10771 int testresult = 0, numreads;
10772 /* A 55 byte message */
10773 unsigned char *msg = (unsigned char *)
10774 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10775 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10776 size_t expectedreads;
10777 unsigned char *buf = NULL;
7765d25f 10778 ENGINE *e = NULL;
b718f6fc 10779
7765d25f
MC		 10780 if (idx != 6) {
10781 e = load_dasync();
10782 if (e == NULL)
10783 return 0;
b718f6fc
MC		 10784 }
10785
b718f6fc
MC		 10786 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10787 TLS_client_method(), 0,
10788 TLS1_2_VERSION, &sctx, &cctx, cert,
10789 privkey)))
10790 goto end;
10791
7765d25f
MC		 10792 if (idx == 6) {
10793 e = load_dasync();
10794 if (e == NULL)
10795 goto end;
10796 /* Now act like test 0 */
10797 idx = 0;
10798 }
10799
b718f6fc
MC		 10800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10801 &clientssl, NULL, NULL)))
10802 goto end;
10803
10804 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10805 goto end;
10806
10807 /* peera is always configured for pipelining, while peerb is not. */
10808 if (idx == 1) {
10809 peera = serverssl;
10810 peerb = clientssl;
10811
10812 } else {
10813 peera = clientssl;
10814 peerb = serverssl;
10815 }
10816
10817 if (idx == 5) {
10818 numpipes = 2;
10819 /* Maximum allowed fragment size */
10820 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10821 msglen = fragsize * numpipes;
10822 msg = OPENSSL_malloc(msglen);
10823 if (!TEST_ptr(msg))
10824 goto end;
10825 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10826 goto end;
10827 } else if (idx == 4) {
10828 msglen = 55;
10829 } else {
10830 msglen = 50;
10831 }
10832 if (idx == 2)
10833 msglen -= 2; /* Send 2 less bytes */
10834 else if (idx == 3)
10835 msglen -= 12; /* Send 12 less bytes */
10836
10837 buf = OPENSSL_malloc(msglen);
10838 if (!TEST_ptr(buf))
10839 goto end;
10840
10841 if (idx == 5) {
10842 /*
10843 * Test that setting a split send fragment longer than the maximum
10844 * allowed fails
10845 */
10846 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
10847 goto end;
10848 }
10849
10850 /*
10851 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
10852 * (50 bytes in total). This is a ridiculously small number of bytes -
10853 * but sufficient for our purposes
10854 */
10855 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
10856 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
10857 goto end;
10858
10859 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10860 goto end;
10861
10862 /* Write some data from peera to peerb */
10863 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
10864 || !TEST_size_t_eq(written, msglen))
10865 goto end;
10866
10867 /*
10868 * If the pipelining code worked, then we expect all |numpipes| pipelines to
10869 * have been used - except in test 3 where only |numpipes - 1| pipelines
10870 * will be used. This will result in |numpipes| records (|numpipes - 1| for
10871 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
10872 * expect this to be read in |numpipes| or |numpipes - 1| separate
10873 * SSL_read_ex calls. In the case of test 4, there is then one additional
10874 * read for left over data that couldn't fit in the previous pipelines
10875 */
10876 for (offset = 0, numreads = 0;
10877 offset < msglen;
10878 offset += readbytes, numreads++) {
10879 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
10880 msglen - offset, &readbytes)))
10881 goto end;
10882 }
10883
10884 expectedreads = idx == 4 ? numpipes + 1
10885 : (idx == 3 ? numpipes - 1 : numpipes);
10886 if (!TEST_mem_eq(msg, msglen, buf, offset)
10887 || !TEST_int_eq(numreads, expectedreads))
10888 goto end;
10889
10890 /*
10891 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
10892 * chunks to exercise the read pipelining code on peera.
10893 */
10894 for (offset = 0; offset < msglen; offset += fragsize) {
10895 size_t sendlen = msglen - offset;
10896
10897 if (sendlen > fragsize)
10898 sendlen = fragsize;
10899 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
10900 || !TEST_size_t_eq(written, sendlen))
10901 goto end;
10902 }
10903
10904 /*
10905 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
10906 * separate chunks (depending on which test we are running). If the
10907 * pipelining is working then we expect peera to read up to numpipes chunks
10908 * and process them in parallel, giving back the complete result in a single
10909 * call to SSL_read_ex
10910 */
10911 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
10912 || !TEST_size_t_le(readbytes, msglen))
10913 goto end;
10914
10915 if (idx == 4) {
10916 size_t readbytes2;
10917
10918 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
10919 msglen - readbytes, &readbytes2)))
10920 goto end;
10921 readbytes += readbytes2;
10922 if (!TEST_size_t_le(readbytes, msglen))
10923 goto end;
10924 }
10925
10926 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
10927 goto end;
10928
10929 testresult = 1;
10930end:
10931 SSL_free(serverssl);
10932 SSL_free(clientssl);
10933 SSL_CTX_free(sctx);
10934 SSL_CTX_free(cctx);
7765d25f
MC		 10935 if (e != NULL) {
10936 ENGINE_unregister_ciphers(e);
10937 ENGINE_finish(e);
10938 ENGINE_free(e);
10939 }
b718f6fc 10940 OPENSSL_free(buf);
06a0d403 10941 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
b718f6fc
MC		 10942 OPENSSL_free(msg);
10943 return testresult;
10944}
10945#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
10946
843f6e27
MC		 10947static int check_version_string(SSL *s, int version)
10948{
10949 const char *verstr = NULL;
10950
10951 switch (version) {
10952 case SSL3_VERSION:
10953 verstr = "SSLv3";
10954 break;
10955 case TLS1_VERSION:
10956 verstr = "TLSv1";
10957 break;
10958 case TLS1_1_VERSION:
10959 verstr = "TLSv1.1";
10960 break;
10961 case TLS1_2_VERSION:
10962 verstr = "TLSv1.2";
10963 break;
10964 case TLS1_3_VERSION:
10965 verstr = "TLSv1.3";
10966 break;
10967 case DTLS1_VERSION:
10968 verstr = "DTLSv1";
10969 break;
10970 case DTLS1_2_VERSION:
10971 verstr = "DTLSv1.2";
10972 }
10973
10974 return TEST_str_eq(verstr, SSL_get_version(s));
10975}
10976
10977/*
10978 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
10979 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
10980 * test_version() in quicapitest.c which does the same thing for QUIC
10981 * connections.
10982 */
10983static int test_version(int idx)
10984{
10985 SSL_CTX *cctx = NULL, *sctx = NULL;
10986 SSL *clientssl = NULL, *serverssl = NULL;
10987 int testresult = 0, version;
10988 const SSL_METHOD *servmeth = TLS_server_method();
10989 const SSL_METHOD *clientmeth = TLS_client_method();
10990
10991 switch (idx) {
10992#if !defined(OPENSSL_NO_SSL3)
10993 case 0:
10994 version = SSL3_VERSION;
10995 break;
10996#endif
10997#if !defined(OPENSSL_NO_TLS1)
10998 case 1:
10999 version = TLS1_VERSION;
11000 break;
11001#endif
11002#if !defined(OPENSSL_NO_TLS1_2)
11003 case 2:
11004 version = TLS1_2_VERSION;
11005 break;
11006#endif
11007#if !defined(OSSL_NO_USABLE_TLS1_3)
11008 case 3:
11009 version = TLS1_3_VERSION;
11010 break;
11011#endif
11012#if !defined(OPENSSL_NO_DTLS1)
11013 case 4:
11014 version = DTLS1_VERSION;
11015 break;
11016#endif
11017#if !defined(OPENSSL_NO_DTLS1_2)
11018 case 5:
11019 version = DTLS1_2_VERSION;
11020 break;
11021#endif
11022 /*
11023 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11024 * We also don't support DTLS1_BAD_VER since we have no server support for
11025 * that.
11026 */
11027 default:
11028 TEST_skip("Unsupported protocol version");
11029 return 1;
11030 }
11031
11032 if (is_fips
11033 && (version == SSL3_VERSION
11034 || version == TLS1_VERSION
11035 || version == DTLS1_VERSION)) {
11036 TEST_skip("Protocol version not supported with FIPS");
11037 return 1;
11038 }
11039
11040#if !defined(OPENSSL_NO_DTLS)
11041 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11042 servmeth = DTLS_server_method();
11043 clientmeth = DTLS_client_method();
11044 }
11045#endif
11046
11047 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11048 version, &sctx, &cctx, cert, privkey)))
11049 goto end;
11050
11051 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11052 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11053 "DEFAULT:@SECLEVEL=0")))
11054 goto end;
11055
11056 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11057 &clientssl, NULL, NULL)))
11058 goto end;
11059
11060 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11061 goto end;
11062
11063 if (!TEST_int_eq(SSL_version(serverssl), version)
11064 || !TEST_int_eq(SSL_version(clientssl), version)
11065 || !TEST_true(check_version_string(serverssl, version))
11066 || !TEST_true(check_version_string(clientssl, version)))
11067 goto end;
11068
11069 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11070 if (!TEST_true(SSL_is_dtls(serverssl))
11071 || !TEST_true(SSL_is_dtls(clientssl))
11072 || !TEST_false(SSL_is_tls(serverssl))
11073 || !TEST_false(SSL_is_tls(clientssl))
11074 || !TEST_false(SSL_is_quic(serverssl))
11075 || !TEST_false(SSL_is_quic(clientssl)))
11076 goto end;
11077 } else {
11078 if (!TEST_true(SSL_is_tls(serverssl))
11079 || !TEST_true(SSL_is_tls(clientssl))
11080 || !TEST_false(SSL_is_dtls(serverssl))
11081 || !TEST_false(SSL_is_dtls(clientssl))
11082 || !TEST_false(SSL_is_quic(serverssl))
11083 || !TEST_false(SSL_is_quic(clientssl)))
11084 goto end;
11085 }
11086
11087 testresult = 1;
11088end:
11089 SSL_free(serverssl);
11090 SSL_free(clientssl);
11091 SSL_CTX_free(sctx);
11092 SSL_CTX_free(cctx);
11093 return testresult;
11094}
11095
79ee0172
MC		 11096/*
11097 * Test that the SSL_rstate_string*() APIs return sane results
11098 */
11099static int test_rstate_string(void)
11100{
11101 SSL_CTX *cctx = NULL, *sctx = NULL;
11102 SSL *clientssl = NULL, *serverssl = NULL;
11103 int testresult = 0, version;
11104 const SSL_METHOD *servmeth = TLS_server_method();
11105 const SSL_METHOD *clientmeth = TLS_client_method();
11106 size_t written, readbytes;
11107 unsigned char buf[2];
11108 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11109 SSL3_RT_APPLICATION_DATA,
11110 TLS1_2_VERSION_MAJOR,
11111 0, /* To be filled in later */
11112 0,
11113 1
11114 };
11115
11116 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11117 0, &sctx, &cctx, cert, privkey)))
11118 goto end;
11119
11120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11121 &clientssl, NULL, NULL)))
11122 goto end;
11123
11124 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11125 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11126 goto end;
11127
11128 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11129 goto end;
11130
11131 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11132 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11133 goto end;
11134
11135 /* Fill in the correct version for the record header */
11136 version = SSL_version(serverssl);
11137 if (version == TLS1_3_VERSION)
11138 version = TLS1_2_VERSION;
11139 dummyheader[2] = version & 0xff;
11140
11141 /*
11142 * Send a dummy header. If we continued to read the body as well this
11143 * would fail with a bad record mac, but we're not going to go that far.
11144 */
11145 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11146 sizeof(dummyheader), &written))
11147 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11148 goto end;
11149
11150 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11151 goto end;
11152
11153 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11154 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11155 goto end;
11156
11157 testresult = 1;
11158end:
11159 SSL_free(serverssl);
11160 SSL_free(clientssl);
11161 SSL_CTX_free(sctx);
11162 SSL_CTX_free(cctx);
11163 return testresult;
11164}
11165
149c4f98
MC		 11166/*
11167 * Force a write retry during handshaking. We test various combinations of
11168 * scenarios. We test a large certificate message which will fill the buffering
11169 * BIO used in the handshake. We try with client auth on and off. Finally we
11170 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11171 * to indicate retry via -1 - but sometimes BIOs don't do that.
11172 *
11173 * Test 0: Standard certificate message
11174 * Test 1: Large certificate message
11175 * Test 2: Standard cert, verify peer
11176 * Test 3: Large cert, verify peer
11177 * Test 4: Standard cert, BIO returns 0 on retry
11178 * Test 5: Large cert, BIO returns 0 on retry
11179 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11180 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11181 * Test 8-15: Repeat of above with TLSv1.2
11182 */
11183static int test_handshake_retry(int idx)
11184{
11185 SSL_CTX *cctx = NULL, *sctx = NULL;
11186 SSL *clientssl = NULL, *serverssl = NULL;
11187 int testresult = 0;
11188 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11189 int maxversion = 0;
11190
11191 if (!TEST_ptr(bretry))
11192 goto end;
11193
11194#ifndef OPENSSL_NO_TLS1_2
11195 if ((idx & 8) == 8)
11196 maxversion = TLS1_2_VERSION;
11197#else
11198 if ((idx & 8) == 8)
11199 return TEST_skip("No TLSv1.2");
11200#endif
11201
11202 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11203 TLS_client_method(), 0, maxversion,
11204 &sctx, &cctx, cert, privkey)))
11205 goto end;
11206
11207 /*
11208 * Add a large amount of data to fill the buffering BIO used by the SSL
11209 * object
11210 */
3860ef2a 11211 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98
MC		 11212 goto end;
11213
11214 /*
11215 * We don't actually configure a client cert, but neither do we fail if one
11216 * isn't present.
11217 */
11218 if ((idx & 2) == 2)
11219 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11220
11221 if ((idx & 4) == 4)
11222 set_always_retry_err_val(0);
11223
11224 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11225 &clientssl, NULL, NULL)))
11226 goto end;
11227
11228 tmp = SSL_get_wbio(serverssl);
11229 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11230 tmp = NULL;
11231 goto end;
11232 }
11233 SSL_set0_wbio(serverssl, bretry);
11234 bretry = NULL;
11235
11236 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11237 goto end;
11238
11239 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11240 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11241 goto end;
11242
11243 /* Restore a BIO that will let the write succeed */
11244 SSL_set0_wbio(serverssl, tmp);
11245 tmp = NULL;
11246
11247 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11248 goto end;
11249
11250 testresult = 1;
11251end:
11252 SSL_free(serverssl);
11253 SSL_free(clientssl);
11254 SSL_CTX_free(sctx);
11255 SSL_CTX_free(cctx);
11256 BIO_free(bretry);
11257 BIO_free(tmp);
11258 set_always_retry_err_val(-1);
11259 return testresult;
11260}
11261
dbbdb940
MC		 11262/*
11263 * Test that receiving retries when writing application data works as expected
11264 */
11265static int test_data_retry(void)
11266{
11267 SSL_CTX *cctx = NULL, *sctx = NULL;
11268 SSL *clientssl = NULL, *serverssl = NULL;
11269 int testresult = 0;
11270 unsigned char inbuf[1200], outbuf[1200];
11271 size_t i;
11272 BIO *tmp = NULL;
11273 BIO *bretry = BIO_new(bio_s_maybe_retry());
11274 size_t written, readbytes, totread = 0;
11275
11276 if (!TEST_ptr(bretry))
11277 goto end;
11278
11279 for (i = 0; i < sizeof(inbuf); i++)
74efc547 11280 inbuf[i] = (unsigned char)(0xff & i);
dbbdb940
MC		 11281 memset(outbuf, 0, sizeof(outbuf));
11282
11283 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11284 TLS_client_method(), 0, 0, &sctx, &cctx,
11285 cert, privkey)))
11286 goto end;
11287
11288 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11289 NULL)))
11290 goto end;
11291
11292 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11293 goto end;
11294
11295 /* Smallest possible max send fragment is 512 */
11296 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11297 goto end;
11298
11299 tmp = SSL_get_wbio(clientssl);
11300 if (!TEST_ptr(tmp))
11301 goto end;
11302 if (!TEST_true(BIO_up_ref(tmp)))
11303 goto end;
11304 BIO_push(bretry, tmp);
11305 tmp = NULL;
11306 SSL_set0_wbio(clientssl, bretry);
11307 if (!BIO_up_ref(bretry)) {
11308 bretry = NULL;
11309 goto end;
11310 }
11311
11312 for (i = 0; i < 3; i++) {
11313 /* We expect this call to make no progress and indicate retry */
11314 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11315 goto end;
11316 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11317 goto end;
11318
11319 /* Allow one write to progess, but the next one to signal retry */
11320 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11321 NULL)))
11322 goto end;
11323
11324 if (i == 2)
11325 break;
11326
11327 /*
11328 * This call will hopefully make progress but will still indicate retry
11329 * because there is more data than will fit into a single record.
11330 */
11331 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11332 goto end;
11333 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11334 goto end;
11335 }
11336
11337 /* The final call should write the last chunk of data and succeed */
11338 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11339 goto end;
11340 /* Read all the data available */
11341 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11342 &readbytes))
11343 totread += readbytes;
11344 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11345 goto end;
11346
11347 testresult = 1;
11348end:
11349 SSL_free(serverssl);
11350 SSL_free(clientssl);
11351 SSL_CTX_free(sctx);
11352 SSL_CTX_free(cctx);
11353 BIO_free_all(bretry);
11354 BIO_free(tmp);
11355 return testresult;
11356}
11357
b2b8d188 11358OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 11359
ad887416 11360int setup_tests(void)
2cb4b5f6 11361{
5e30f2fd
MC		 11362 char *modulename;
11363 char *configfile;
11364
b4250010 11365 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 11366 if (!TEST_ptr(libctx))
11367 return 0;
11368
11369 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11370
11371 /*
11372 * Verify that the default and fips providers in the default libctx are not
11373 * available
11374 */
11375 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11376 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11377 return 0;
11378
8d242823
MC		 11379 if (!test_skip_common_options()) {
11380 TEST_error("Error parsing test options\n");
11381 return 0;
11382 }
11383
1a2a3a42
MC		 11384 if (!TEST_ptr(certsdir = test_get_argument(0))
11385 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 11386 || !TEST_ptr(tmpfilename = test_get_argument(2))
11387 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 11388 || !TEST_ptr(configfile = test_get_argument(4))
11389 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 11390 return 0;
11391
b4250010 11392 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 11393 return 0;
11394
11395 /* Check we have the expected provider available */
11396 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11397 return 0;
11398
11399 /* Check the default provider is not available */
11400 if (strcmp(modulename, "default") != 0
11401 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 11402 return 0;
2cb4b5f6 11403
50ea5cdc 11404 if (strcmp(modulename, "fips") == 0) {
11405 OSSL_PROVIDER *prov = NULL;
11406 OSSL_PARAM params[2];
11407
4f6c7044
MC		 11408 is_fips = 1;
11409
50ea5cdc 11410 prov = OSSL_PROVIDER_load(libctx, "fips");
11411 if (prov != NULL) {
11412 /* Query the fips provider to check if the check ems option is enabled */
11413 params[0] =
11414 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11415 &fips_ems_check);
11416 params[1] = OSSL_PARAM_construct_end();
11417 OSSL_PROVIDER_get_params(prov, params);
11418 OSSL_PROVIDER_unload(prov);
11419 }
11420 }
11421
0c13cdf8
MC		 11422 /*
11423 * We add, but don't load the test "tls-provider". We'll load it when we
11424 * need it.
11425 */
11426 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11427 tls_provider_init)))
11428 return 0;
11429
11430
f297e4ec
RS		 11431 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11432#ifdef OPENSSL_NO_CRYPTO_MDEBUG
11433 TEST_error("not supported in this build");
11434 return 0;
11435#else
11436 int i, mcount, rcount, fcount;
11437
11438 for (i = 0; i < 4; i++)
11439 test_export_key_mat(i);
11440 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11441 test_printf_stdout("malloc %d realloc %d free %d\n",
11442 mcount, rcount, fcount);
11443 return 1;
11444#endif
11445 }
11446
1a2a3a42
MC		 11447 cert = test_mk_file_path(certsdir, "servercert.pem");
11448 if (cert == NULL)
b3842539 11449 goto err;
1a2a3a42
MC		 11450
11451 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 11452 if (privkey == NULL)
11453 goto err;
11454
11455 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11456 if (cert2 == NULL)
11457 goto err;
11458
11459 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11460 if (privkey2 == NULL)
11461 goto err;
1a2a3a42 11462
3105d846
MC		 11463 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11464 if (cert1024 == NULL)
11465 goto err;
11466
11467 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11468 if (privkey1024 == NULL)
11469 goto err;
11470
11471 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11472 if (cert3072 == NULL)
11473 goto err;
11474
11475 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11476 if (privkey3072 == NULL)
11477 goto err;
11478
11479 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11480 if (cert4096 == NULL)
11481 goto err;
11482
11483 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11484 if (privkey4096 == NULL)
11485 goto err;
11486
11487 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11488 if (cert8192 == NULL)
11489 goto err;
11490
11491 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11492 if (privkey8192 == NULL)
11493 goto err;
11494
50ea5cdc 11495 if (fips_ems_check) {
11496#ifndef OPENSSL_NO_TLS1_2
11497 ADD_TEST(test_no_ems);
11498#endif
11499 return 1;
11500 }
da4db160 11501#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 11502# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526 11503 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
cd715b7e 11504 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
c8e3a4c6 11505# endif
fe5d9450 11506#endif
84d5549e 11507 ADD_TEST(test_large_message_tls);
7856332e 11508 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 11509#ifndef OPENSSL_NO_DTLS
84d5549e 11510 ADD_TEST(test_large_message_dtls);
55386bef 11511#endif
2fda45d5 11512 ADD_ALL_TESTS(test_large_app_data, 28);
163b8016 11513 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 11514#ifndef OPENSSL_NO_OCSP
c887104f 11515 ADD_TEST(test_tlsext_status_type);
8f8c11d8 11516#endif
eaa776da
MC		 11517 ADD_TEST(test_session_with_only_int_cache);
11518 ADD_TEST(test_session_with_only_ext_cache);
11519 ADD_TEST(test_session_with_both_cache);
90fc2c26 11520 ADD_TEST(test_session_wo_ca_names);
a763ca11 11521#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 11522 ADD_ALL_TESTS(test_stateful_tickets, 3);
11523 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 11524 ADD_TEST(test_psk_tickets);
f0049b86 11525 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 11526#endif
7fb4c820 11527 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 11528 ADD_TEST(test_ssl_bio_pop_next_bio);
11529 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11530 ADD_TEST(test_ssl_bio_change_rbio);
11531 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 11532#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 11533 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 11534 ADD_TEST(test_keylog);
c423ecaa 11535#endif
a763ca11 11536#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 11537 ADD_TEST(test_keylog_no_master_key);
11538#endif
0c3eb279 11539 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 11540 ADD_TEST(test_ssl_build_cert_chain);
11541 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 11542#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 11543 ADD_TEST(test_client_hello_cb);
088dfa13 11544 ADD_TEST(test_no_ems);
3cd14e5e 11545 ADD_TEST(test_ccs_change_cipher);
5f982038 11546#endif
a763ca11 11547#ifndef OSSL_NO_USABLE_TLS1_3
10836921 11548 ADD_ALL_TESTS(test_early_data_read_write, 6);
78fb5374
MC		 11549 /*
11550 * We don't do replay tests for external PSK. Replay protection isn't used
11551 * in that scenario.
11552 */
11553 ADD_ALL_TESTS(test_early_data_replay, 2);
10836921
MC		 11554 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11555 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11556 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11557 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
02a3ed5a 11558 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 11559 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 11560 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 11561 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 11562# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 11563 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 11564# endif
e9ee6536 11565#endif
a763ca11 11566#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 11567 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 11568 ADD_TEST(test_ciphersuite_change);
5bf2eade 11569 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11570# ifdef OPENSSL_NO_PSK
c2b290c3 11571 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 11572# else
0d8da779 11573 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 11574# endif /* OPENSSL_NO_PSK */
71583393
MM		 11575#ifndef OSSL_NO_USABLE_TLS1_3
11576 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
11577#endif /* OSSL_NO_USABLE_TLS1_3 */
5bf2eade 11578# ifndef OPENSSL_NO_TLS1_2
11579 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 11580 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 11581# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11582 ADD_ALL_TESTS(test_negotiated_group,
11583 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11584 + OSSL_NELEM(ffdhe_kexch_groups)));
11585# endif
5bf2eade 11586# else
11587 /* Test with only TLSv1.3 versions */
11588 ADD_ALL_TESTS(test_key_exchange, 12);
11589# endif
0db3a990 11590 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 11591 ADD_TEST(test_stateless);
9d75dce3 11592 ADD_TEST(test_pha_key_update);
a273157a 11593#else
bb01ef3f 11594 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 11595#endif
0fb2815b 11596 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 11597#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 11598 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 11599 ADD_TEST(test_key_update);
0c48fda8 11600 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11601 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11602 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11603 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 11604#endif
e11b6aa4 11605 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 11606 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 11607#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11608 ADD_ALL_TESTS(test_srp, 6);
11609#endif
b67cb09f
TS		 11610#if !defined(OPENSSL_NO_COMP_ALG)
11611 /* Add compression case */
11612 ADD_ALL_TESTS(test_info_callback, 8);
11613#else
5718fe45 11614 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 11615#endif
4a432af8 11616 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 11617 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 11618 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 11619 ADD_ALL_TESTS(test_shutdown, 7);
cbf965b4 11620 ADD_TEST(test_async_shutdown);
e638112e 11621 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 11622 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 11623 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 11624 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 11625#ifndef OPENSSL_NO_TLS1_2
11626 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11627#endif
49ef3d07 11628 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 11629#if !defined(OPENSSL_NO_EC) \
a763ca11 11630 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 11631 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 11632#endif
11633#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 11634 ADD_ALL_TESTS(test_pluggable_group, 2);
3c95ef22 11635 ADD_ALL_TESTS(test_pluggable_signature, 4);
49a36a52
MC		 11636#endif
11637#ifndef OPENSSL_NO_TLS1_2
11638 ADD_TEST(test_ssl_dup);
33c39a06
MC		 11639# ifndef OPENSSL_NO_DH
11640 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 11641 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 11642# endif
6582661f 11643#endif
a763ca11 11644#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 11645 ADD_TEST(test_sni_tls13);
0089cc7f 11646 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 11647#endif
dfccfde0 11648 ADD_TEST(test_inherit_verify_param);
feba11cf 11649 ADD_TEST(test_set_alpn);
948cf521
HL		 11650 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11651 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 11652 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 11653 ADD_TEST(test_load_dhfile);
f7565348
MC		 11654#ifndef OSSL_NO_USABLE_TLS1_3
11655 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 11656 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 11657#endif
11658#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11659 ADD_ALL_TESTS(test_serverinfo_custom, 4);
b718f6fc
MC		 11660#endif
11661#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f 11662 ADD_ALL_TESTS(test_pipelining, 7);
f7565348 11663#endif
843f6e27 11664 ADD_ALL_TESTS(test_version, 6);
79ee0172 11665 ADD_TEST(test_rstate_string);
149c4f98 11666 ADD_ALL_TESTS(test_handshake_retry, 16);
dbbdb940 11667 ADD_TEST(test_data_retry);
ad887416 11668 return 1;
b3842539
MC		 11669
11670 err:
11671 OPENSSL_free(cert);
11672 OPENSSL_free(privkey);
11673 OPENSSL_free(cert2);
11674 OPENSSL_free(privkey2);
11675 return 0;
ad887416 11676}
2cb4b5f6 11677
ad887416
P		 11678void cleanup_tests(void)
11679{
8778f0eb 11680# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 11681 EVP_PKEY_free(tmp_dh_params);
11682#endif
1a2a3a42
MC		 11683 OPENSSL_free(cert);
11684 OPENSSL_free(privkey);
b3842539
MC		 11685 OPENSSL_free(cert2);
11686 OPENSSL_free(privkey2);
3105d846
MC		 11687 OPENSSL_free(cert1024);
11688 OPENSSL_free(privkey1024);
11689 OPENSSL_free(cert3072);
11690 OPENSSL_free(privkey3072);
11691 OPENSSL_free(cert4096);
11692 OPENSSL_free(privkey4096);
11693 OPENSSL_free(cert8192);
11694 OPENSSL_free(privkey8192);
fa454945 11695 bio_s_mempacket_test_free();
a77b4dba 11696 bio_s_always_retry_free();
dbbdb940 11697 bio_s_maybe_retry_free();
5e30f2fd 11698 OSSL_PROVIDER_unload(defctxnull);
b4250010 11699 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 11700}
A mirror of the official openssl repository