]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Always issue new tickets when using TLSv1.3 stateful tickets
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 26
27static char *cert = NULL;
28static char *privkey = NULL;
76fd7a1d
MC		 29static char *srpvfile = NULL;
30static char *tmpfilename = NULL;
2cb4b5f6 31
cffe973c 32#define LOG_BUFFER_SIZE 2048
6acdd3e5 33static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 34static size_t server_log_buffer_index = 0;
6acdd3e5 35static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 36static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 37static int error_writing_log = 0;
38
8f8c11d8 39#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 40static const unsigned char orespder[] = "Dummy OCSP Response";
41static int ocsp_server_called = 0;
42static int ocsp_client_called = 0;
43
44static int cdummyarg = 1;
45static X509 *ocspcert = NULL;
8f8c11d8 46#endif
ba881d3b 47
84d5549e 48#define NUM_EXTRA_CERTS 40
cf72c757 49#define CLIENT_VERSION_LEN 2
84d5549e 50
f1a5939f
CB		 51/*
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
54 */
55struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
cffe973c 58 unsigned int client_early_secret_count;
f1a5939f
CB		 59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
01a2a654 63 unsigned int early_exporter_secret_count;
6329ce8f 64 unsigned int exporter_secret_count;
f1a5939f
CB		 65};
66
16afd71c
MC		 67
68static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
74static unsigned char serverinfov2[] = {
75 0x00, 0x00, 0x00,
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
80};
81
710756a9
RS		 82static void client_keylog_callback(const SSL *ssl, const char *line)
83{
6acdd3e5
CB		 84 int line_length = strlen(line);
85
86 /* If the log doesn't fit, error out. */
710756a9
RS		 87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
6acdd3e5
CB		 89 error_writing_log = 1;
90 return;
91 }
92
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
710756a9 95 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 96}
97
710756a9
RS		 98static void server_keylog_callback(const SSL *ssl, const char *line)
99{
6acdd3e5
CB		 100 int line_length = strlen(line);
101
102 /* If the log doesn't fit, error out. */
710756a9 103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 104 TEST_info("Server log too full");
6acdd3e5
CB		 105 error_writing_log = 1;
106 return;
107 }
108
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
710756a9 111 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 112}
113
114static int compare_hex_encoded_buffer(const char *hex_encoded,
115 size_t hex_length,
116 const uint8_t *raw,
710756a9
RS		 117 size_t raw_length)
118{
119 size_t i, j;
120 char hexed[3];
6acdd3e5 121
710756a9 122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 123 return 1;
6acdd3e5 124
710756a9 125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 126 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 129 return 1;
6acdd3e5
CB		 130 }
131
132 return 0;
133}
134
135static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 136 const SSL_SESSION *session,
710756a9
RS		 137 struct sslapitest_log_counts *expected)
138{
6acdd3e5
CB		 139 char *token = NULL;
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
cffe973c 146 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
01a2a654 151 unsigned int early_exporter_secret_count = 0;
6329ce8f 152 unsigned int exporter_secret_count = 0;
6acdd3e5 153
710756a9
RS		 154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
6acdd3e5 156 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 157 /*
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 159 * hex-encoded encrypted secret, then the hex-encoded pre-master
160 * secret.
161 */
710756a9 162 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 163 return 0;
710756a9 164 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 165 return 0;
710756a9 166 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 167 return 0;
f1a5939f
CB		 168 /*
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
172 */
173 rsa_key_exchange_count++;
6acdd3e5 174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 175 /*
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 177 * client random, then the hex-encoded master secret.
178 */
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
181 SSL3_RANDOM_SIZE);
710756a9 182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 183 return 0;
6acdd3e5 184
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
710756a9 187 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
f1a5939f 192 return 0;
6acdd3e5 193
710756a9 194 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 195 return 0;
6acdd3e5
CB		 196 master_key_size = SSL_SESSION_get_master_key(session,
197 actual_master_key,
198 master_key_size);
710756a9 199 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 200 return 0;
710756a9
RS		 201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
202 actual_master_key,
203 master_key_size)))
f1a5939f 204 return 0;
f1a5939f 205 master_secret_count++;
cffe973c
PW		 206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 212 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 213 /*
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
218 */
cffe973c
PW		 219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
01a2a654
PW		 229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
6329ce8f
PW		 231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
f1a5939f
CB		 233
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
236 SSL3_RANDOM_SIZE);
710756a9 237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 238 return 0;
f1a5939f 239
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 243 return 0;
710756a9
RS		 244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
f1a5939f
CB		 251
252 /*
253 * TODO(TLS1.3): test that application traffic secrets are what
254 * we expect */
6acdd3e5 255 } else {
710756a9 256 TEST_info("Unexpected token %s\n", token);
f1a5939f 257 return 0;
6acdd3e5 258 }
6acdd3e5
CB		 259 }
260
710756a9
RS		 261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
cffe973c
PW		 266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
710756a9
RS		 268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 275 expected->server_application_secret_count)
01a2a654
PW		 276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
6329ce8f
PW		 278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
710756a9
RS		 280 return 0;
281 return 1;
6acdd3e5
CB		 282}
283
c423ecaa 284#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 285static int test_keylog(void)
286{
6acdd3e5
CB		 287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
289 int testresult = 0;
f1a5939f 290 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 291
292 /* Clean up logging space */
710756a9
RS		 293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
298
710756a9
RS		 299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS_client_method(),
7d7f6834 301 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 302 &sctx, &cctx, cert, privkey)))
6acdd3e5 303 return 0;
6acdd3e5
CB		 304
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308
f0deb4d3 309 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 311 goto end;
f0deb4d3 312
cf10df81
RS		 313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 315 goto end;
6acdd3e5 316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
6acdd3e5 319 goto end;
710756a9 320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
6acdd3e5 323 goto end;
6acdd3e5 324
710756a9
RS		 325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 SSL_ERROR_NONE))
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 333 goto end;
6acdd3e5 334
f1a5939f
CB		 335 /*
336 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 337 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
6acdd3e5 340 */
f1a5939f
CB		 341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
710756a9
RS		 343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
6acdd3e5 345 goto end;
f1a5939f
CB		 346
347 expected.rsa_key_exchange_count = 0;
710756a9
RS		 348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
6acdd3e5 350 goto end;
6acdd3e5
CB		 351
352 testresult = 1;
353
354end:
355 SSL_free(serverssl);
356 SSL_free(clientssl);
357 SSL_CTX_free(sctx);
358 SSL_CTX_free(cctx);
359
360 return testresult;
361}
c423ecaa 362#endif
6acdd3e5
CB		 363
364#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 365static int test_keylog_no_master_key(void)
366{
6acdd3e5
CB		 367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 369 SSL_SESSION *sess = NULL;
6acdd3e5 370 int testresult = 0;
f1a5939f 371 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 372 unsigned char buf[1];
373 size_t readbytes, written;
6acdd3e5
CB		 374
375 /* Clean up logging space */
710756a9
RS		 376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
381
7d7f6834
RL		 382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 386 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 387 return 0;
6acdd3e5 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5
CB		 392
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
6acdd3e5 397
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 414 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
6329ce8f 420 expected.exporter_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
425 &expected)))
6acdd3e5 426 goto end;
6acdd3e5 427
cffe973c
PW		 428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 serverssl = clientssl = NULL;
435
436 /* Reset key log */
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 &readbytes),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 SSL_ERROR_NONE))
454 || !TEST_true(SSL_session_reused(clientssl)))
455 goto end;
456
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
01a2a654 459 expected.early_exporter_secret_count = 1;
cffe973c
PW		 460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
464 &expected)))
465 goto end;
466
6acdd3e5
CB		 467 testresult = 1;
468
469end:
cffe973c 470 SSL_SESSION_free(sess);
6acdd3e5
CB		 471 SSL_free(serverssl);
472 SSL_free(clientssl);
473 SSL_CTX_free(sctx);
474 SSL_CTX_free(cctx);
475
476 return testresult;
477}
478#endif
479
e9ee6536 480#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 481static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 482{
483 int *ctr = arg;
484 const unsigned char *p;
8ea404fb 485 int *exts;
2afaee51
BK		 486 /* We only configure two ciphers, but the SCSV is added automatically. */
487#ifdef OPENSSL_NO_EC
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489#else
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
491 0x2c, 0x00, 0xff};
492#endif
8ea404fb
BK		 493 const int expected_extensions[] = {
494#ifndef OPENSSL_NO_EC
495 11, 10,
496#endif
10ed1b72 497 35, 22, 23, 13};
2afaee51
BK		 498 size_t len;
499
500 /* Make sure we can defer processing and get called back. */
501 if ((*ctr)++ == 0)
f1b97da1 502 return SSL_CLIENT_HELLO_RETRY;
2afaee51 503
a9c0d8be 504 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 506 || !TEST_size_t_eq(
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 508 || !TEST_int_eq(*p, 0))
f1b97da1 509 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 511 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 514 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 515 OPENSSL_free(exts);
f1b97da1 516 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 517 }
518 OPENSSL_free(exts);
f1b97da1 519 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 520}
521
a9c0d8be 522static int test_client_hello_cb(void)
710756a9 523{
2afaee51
BK		 524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
527
7d7f6834
RL		 528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
2afaee51 531 goto end;
a9c0d8be 532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 533
2afaee51
BK		 534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 536
710756a9
RS		 537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 543 /*
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
546 * */
a9c0d8be
DB		 547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
550 SSL_ERROR_NONE)))
2afaee51 551 goto end;
2afaee51
BK		 552
553 testresult = 1;
554
555end:
556 SSL_free(serverssl);
557 SSL_free(clientssl);
558 SSL_CTX_free(sctx);
559 SSL_CTX_free(cctx);
560
561 return testresult;
562}
e9ee6536 563#endif
2afaee51 564
84d5549e 565static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
568 int read_ahead)
84d5549e
MC		 569{
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
572 int testresult = 0;
573 int i;
710756a9 574 BIO *certbio = NULL;
84d5549e
MC		 575 X509 *chaincert = NULL;
576 int certlen;
577
710756a9 578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 579 goto end;
84d5549e 580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 581 BIO_free(certbio);
582 certbio = NULL;
710756a9 583 if (!TEST_ptr(chaincert))
fa454945 584 goto end;
84d5549e 585
7d7f6834
RL		 586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
84d5549e 588 goto end;
84d5549e 589
710756a9 590 if (read_ahead) {
7856332e
MC		 591 /*
592 * Test that read_ahead works correctly when dealing with large
593 * records
594 */
595 SSL_CTX_set_read_ahead(cctx, 1);
596 }
597
84d5549e
MC		 598 /*
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
84d5549e
MC		 604 */
605 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 609 if (!X509_up_ref(chaincert))
84d5549e 610 goto end;
84d5549e 611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 612 X509_free(chaincert);
613 goto end;
614 }
615 }
616
710756a9
RS		 617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 NULL, NULL))
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
84d5549e 621 goto end;
84d5549e 622
4bf08600
MC		 623 /*
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
626 */
710756a9 627 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 628 goto end;
84d5549e 629
4bf08600 630 testresult = 1;
84d5549e
MC		 631 end:
632 X509_free(chaincert);
633 SSL_free(serverssl);
634 SSL_free(clientssl);
635 SSL_CTX_free(sctx);
636 SSL_CTX_free(cctx);
637
638 return testresult;
639}
640
641static int test_large_message_tls(void)
642{
7856332e 643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 644 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 645 0);
646}
647
648static int test_large_message_tls_read_ahead(void)
649{
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 651 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 652 1);
84d5549e
MC		 653}
654
55386bef 655#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 656static int test_large_message_dtls(void)
657{
7856332e
MC		 658 /*
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
660 * read_ahead is set.
661 */
84d5549e 662 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
665 0);
84d5549e 666}
55386bef 667#endif
84d5549e 668
8f8c11d8 669#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 670static int ocsp_server_cb(SSL *s, void *arg)
671{
672 int *argi = (int *)arg;
710756a9 673 unsigned char *copy = NULL;
ba881d3b
MC		 674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
676
677 if (*argi == 2) {
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
688 }
689
710756a9 690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 691 return SSL_TLSEXT_ERR_ALERT_FATAL;
692
710756a9 693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 694 ocsp_server_called = 1;
ba881d3b
MC		 695 return SSL_TLSEXT_ERR_OK;
696}
697
698static int ocsp_client_cb(SSL *s, void *arg)
699{
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
702 size_t len;
703
704 if (*argi != 1 && *argi != 2)
705 return 0;
706
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 708 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 709 return 0;
710
711 ocsp_client_called = 1;
ba881d3b
MC		 712 return 1;
713}
714
2cb4b5f6
MC		 715static int test_tlsext_status_type(void)
716{
ba881d3b
MC		 717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 719 int testresult = 0;
ba881d3b
MC		 720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
722 BIO *certbio = NULL;
2cb4b5f6 723
7d7f6834
RL		 724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
ba881d3b 727 return 0;
2cb4b5f6 728
710756a9 729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 730 goto end;
2cb4b5f6 731
ba881d3b 732 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 733
ba881d3b 734 clientssl = SSL_new(cctx);
710756a9
RS		 735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 740 goto end;
2cb4b5f6 741
ba881d3b
MC		 742 SSL_free(clientssl);
743 clientssl = NULL;
2cb4b5f6 744
710756a9
RS		 745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 747 goto end;
2cb4b5f6 748
ba881d3b 749 clientssl = SSL_new(cctx);
710756a9 750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 751 goto end;
ba881d3b
MC		 752 SSL_free(clientssl);
753 clientssl = NULL;
754
755 /*
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
758 */
ba881d3b
MC		 759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_NONE))
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
ba881d3b 769 goto end;
ba881d3b
MC		 770 SSL_free(serverssl);
771 SSL_free(clientssl);
772 serverssl = NULL;
773 clientssl = NULL;
774
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
778 cdummyarg = 0;
710756a9
RS		 779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE))
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
ba881d3b 786 goto end;
ba881d3b
MC		 787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 serverssl = NULL;
790 clientssl = NULL;
791
792 /*
793 * This time we'll get the client to send an OCSP_RESPID that it will
794 * accept.
795 */
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
798 cdummyarg = 2;
710756a9
RS		 799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
ba881d3b 801 goto end;
ba881d3b
MC		 802
803 /*
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 805 * specific one. We'll use the server cert.
ba881d3b 806 */
710756a9
RS		 807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 NULL, NULL, NULL))
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 814 goto end;
ba881d3b
MC		 815 id = NULL;
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
818 ids = NULL;
819
820 BIO_free(certbio);
821 certbio = NULL;
822
710756a9
RS		 823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE))
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
ba881d3b 827 goto end;
ba881d3b 828
2cb4b5f6
MC		 829 testresult = 1;
830
831 end:
ba881d3b
MC		 832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
838 BIO_free(certbio);
839 X509_free(ocspcert);
840 ocspcert = NULL;
2cb4b5f6
MC		 841
842 return testresult;
843}
8f8c11d8 844#endif
2cb4b5f6 845
bf208d95 846#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 847static int new_called, remove_called, get_called;
eaa776da 848
eaa776da
MC		 849static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
850{
851 new_called++;
c0537ebd
MC		 852 /*
853 * sess has been up-refed for us, but we don't actually need it so free it
854 * immediately.
855 */
856 SSL_SESSION_free(sess);
eaa776da
MC		 857 return 1;
858}
859
860static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
861{
862 remove_called++;
863}
864
7a301f08
MC		 865static SSL_SESSION *get_sess_val = NULL;
866
867static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
868 int *copy)
869{
0afca811 870 get_called++;
7a301f08
MC		 871 *copy = 1;
872 return get_sess_val;
873}
874
7a301f08
MC		 875static int execute_test_session(int maxprot, int use_int_cache,
876 int use_ext_cache)
2cb4b5f6
MC		 877{
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 881# ifndef OPENSSL_NO_TLS1_1
eaa776da 882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 883# endif
2cb4b5f6 884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 885 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 886
7e885b7b
P		 887 new_called = remove_called = 0;
888
36ff232c
MC		 889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
891 numnewsesstick = 2;
892
7d7f6834
RL		 893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
2cb4b5f6 896 return 0;
2cb4b5f6 897
7a301f08
MC		 898 /*
899 * Only allow the max protocol version so we can force a connection failure
900 * later
901 */
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 904
905 /* Set up session cache */
7e885b7b 906 if (use_ext_cache) {
eaa776da
MC		 907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
909 }
7e885b7b 910 if (use_int_cache) {
eaa776da
MC		 911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
913 } else {
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
917 }
2cb4b5f6 918
710756a9
RS		 919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
920 NULL, NULL))
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
922 SSL_ERROR_NONE))
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
710756a9 926 /* Should fail because it should already be in the cache */
7e885b7b 927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 928 goto end;
7a301f08 929 if (use_ext_cache
36ff232c
MC		 930 && (!TEST_int_eq(new_called, numnewsesstick)
931
932 || !TEST_int_eq(remove_called, 0)))
b4982125 933 goto end;
b4982125 934
c0537ebd
MC		 935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
940 SSL_ERROR_NONE))
941 || !TEST_true(SSL_session_reused(clientssl2)))
942 goto end;
943
7a301f08
MC		 944 if (maxprot == TLS1_3_VERSION) {
945 /*
946 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 947 * resumed. Since we attempted a resume we should also have removed the
948 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 949 */
950 if (use_ext_cache
951 && (!TEST_int_eq(new_called, 1)
4cb00457 952 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 953 goto end;
954 } else {
955 /*
956 * In TLSv1.2 we expect to have resumed so no sessions added or
957 * removed.
958 */
959 if (use_ext_cache
960 && (!TEST_int_eq(new_called, 0)
961 || !TEST_int_eq(remove_called, 0)))
962 goto end;
963 }
c0537ebd
MC		 964
965 SSL_SESSION_free(sess1);
966 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
967 goto end;
968 shutdown_ssl_connection(serverssl2, clientssl2);
969 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 970
971 new_called = remove_called = 0;
710756a9
RS		 972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
973 &clientssl2, NULL, NULL))
974 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
975 SSL_ERROR_NONE)))
2cb4b5f6 976 goto end;
2cb4b5f6 977
710756a9 978 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 979 goto end;
2cb4b5f6 980
7a301f08 981 if (use_ext_cache
36ff232c
MC		 982 && (!TEST_int_eq(new_called, numnewsesstick)
983 || !TEST_int_eq(remove_called, 0)))
eaa776da 984 goto end;
eaa776da 985
c0537ebd 986 new_called = remove_called = 0;
2cb4b5f6 987 /*
710756a9
RS		 988 * This should clear sess2 from the cache because it is a "bad" session.
989 * See SSL_set_session() documentation.
2cb4b5f6 990 */
710756a9 991 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 992 goto end;
7a301f08
MC		 993 if (use_ext_cache
994 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 995 goto end;
710756a9 996 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 997 goto end;
2cb4b5f6 998
7e885b7b 999 if (use_int_cache) {
710756a9
RS		 1000 /* Should succeeded because it should not already be in the cache */
1001 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1002 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1003 goto end;
eaa776da
MC		 1004 }
1005
c0537ebd 1006 new_called = remove_called = 0;
eaa776da 1007 /* This shouldn't be in the cache so should fail */
710756a9 1008 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1009 goto end;
2cb4b5f6 1010
7a301f08
MC		 1011 if (use_ext_cache
1012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1013 goto end;
2cb4b5f6 1014
bf208d95 1015# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1016 new_called = remove_called = 0;
eaa776da
MC		 1017 /* Force a connection failure */
1018 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1020 &clientssl3, NULL, NULL))
1021 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1022 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1023 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1024 SSL_ERROR_NONE)))
eaa776da 1025 goto end;
b4982125 1026
eaa776da 1027 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1028 if (use_ext_cache
1029 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1030 goto end;
2cb4b5f6 1031
710756a9 1032 /* Should succeed because it should not already be in the cache */
7e885b7b 1033 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1034 goto end;
bf208d95 1035# endif
eaa776da 1036
7a301f08
MC		 1037 /* Now do some tests for server side caching */
1038 if (use_ext_cache) {
1039 SSL_CTX_sess_set_new_cb(cctx, NULL);
1040 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1041 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1042 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1043 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1044 get_sess_val = NULL;
1045 }
1046
1047 SSL_CTX_set_session_cache_mode(cctx, 0);
1048 /* Internal caching is the default on the server side */
1049 if (!use_int_cache)
1050 SSL_CTX_set_session_cache_mode(sctx,
1051 SSL_SESS_CACHE_SERVER
1052 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1053
1054 SSL_free(serverssl1);
1055 SSL_free(clientssl1);
1056 serverssl1 = clientssl1 = NULL;
1057 SSL_free(serverssl2);
1058 SSL_free(clientssl2);
1059 serverssl2 = clientssl2 = NULL;
1060 SSL_SESSION_free(sess1);
1061 sess1 = NULL;
1062 SSL_SESSION_free(sess2);
1063 sess2 = NULL;
1064
1065 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1066 if (maxprot == TLS1_2_VERSION)
1067 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1068 new_called = remove_called = get_called = 0;
7a301f08
MC		 1069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1070 NULL, NULL))
1071 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1072 SSL_ERROR_NONE))
1073 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1074 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1075 goto end;
1076
ee94ec2e
MC		 1077 if (use_int_cache) {
1078 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1079 /*
1080 * In TLSv1.3 it should not have been added to the internal cache,
1081 * except in the case where we also have an external cache (in that
1082 * case it gets added to the cache in order to generate remove
1083 * events after timeout).
1084 */
1085 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1086 goto end;
1087 } else {
1088 /* Should fail because it should already be in the cache */
1089 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1090 goto end;
1091 }
1092 }
7a301f08
MC		 1093
1094 if (use_ext_cache) {
1095 SSL_SESSION *tmp = sess2;
1096
36ff232c 1097 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1098 || !TEST_int_eq(remove_called, 0)
1099 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1100 goto end;
1101 /*
1102 * Delete the session from the internal cache to force a lookup from
1103 * the external cache. We take a copy first because
1104 * SSL_CTX_remove_session() also marks the session as non-resumable.
1105 */
ee94ec2e 1106 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1107 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1108 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1109 goto end;
1110 SSL_SESSION_free(sess2);
1111 }
7a301f08
MC		 1112 sess2 = tmp;
1113 }
1114
0afca811 1115 new_called = remove_called = get_called = 0;
7a301f08
MC		 1116 get_sess_val = sess2;
1117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1118 &clientssl2, NULL, NULL))
1119 || !TEST_true(SSL_set_session(clientssl2, sess1))
1120 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1121 SSL_ERROR_NONE))
1122 || !TEST_true(SSL_session_reused(clientssl2)))
1123 goto end;
1124
0afca811 1125 if (use_ext_cache) {
32305f88 1126 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1127 goto end;
1128
1129 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1130 if (!TEST_int_eq(new_called, 1)
1131 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1132 goto end;
1133 } else {
32305f88
MC		 1134 if (!TEST_int_eq(new_called, 0)
1135 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1136 goto end;
1137 }
1138 }
7a301f08 1139
2cb4b5f6 1140 testresult = 1;
eaa776da 1141
2cb4b5f6
MC		 1142 end:
1143 SSL_free(serverssl1);
1144 SSL_free(clientssl1);
1145 SSL_free(serverssl2);
1146 SSL_free(clientssl2);
bf208d95 1147# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1148 SSL_free(serverssl3);
1149 SSL_free(clientssl3);
bf208d95 1150# endif
2cb4b5f6
MC		 1151 SSL_SESSION_free(sess1);
1152 SSL_SESSION_free(sess2);
1153 SSL_CTX_free(sctx);
1154 SSL_CTX_free(cctx);
1155
1156 return testresult;
1157}
bf208d95 1158#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1159
7fb4c820
MC		 1160static int test_session_with_only_int_cache(void)
1161{
7a301f08
MC		 1162#ifndef OPENSSL_NO_TLS1_3
1163 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1164 return 0;
1165#endif
1166
1167#ifndef OPENSSL_NO_TLS1_2
1168 return execute_test_session(TLS1_2_VERSION, 1, 0);
1169#else
1170 return 1;
1171#endif
eaa776da
MC		 1172}
1173
7fb4c820
MC		 1174static int test_session_with_only_ext_cache(void)
1175{
7a301f08
MC		 1176#ifndef OPENSSL_NO_TLS1_3
1177 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1178 return 0;
1179#endif
1180
1181#ifndef OPENSSL_NO_TLS1_2
1182 return execute_test_session(TLS1_2_VERSION, 0, 1);
1183#else
1184 return 1;
1185#endif
eaa776da
MC		 1186}
1187
7fb4c820
MC		 1188static int test_session_with_both_cache(void)
1189{
7a301f08
MC		 1190#ifndef OPENSSL_NO_TLS1_3
1191 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1192 return 0;
1193#endif
1194
1195#ifndef OPENSSL_NO_TLS1_2
1196 return execute_test_session(TLS1_2_VERSION, 1, 1);
1197#else
1198 return 1;
1199#endif
eaa776da
MC		 1200}
1201
04225915 1202#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1203static SSL_SESSION *sesscache[6];
1204static int do_cache;
36ff232c
MC		 1205
1206static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1207{
c22365b3
MC		 1208 if (do_cache) {
1209 sesscache[new_called] = sess;
1210 } else {
1211 /* We don't need the reference to the session, so free it */
1212 SSL_SESSION_free(sess);
1213 }
1214 new_called++;
1215
1216 return 1;
1217}
1218
1219static int post_handshake_verify(SSL *sssl, SSL *cssl)
1220{
1221 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1222 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1223 return 0;
1224
1225 /* Start handshake on the server and client */
1226 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1227 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1228 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1229 || !TEST_true(create_ssl_connection(sssl, cssl,
1230 SSL_ERROR_NONE)))
1231 return 0;
36ff232c
MC		 1232
1233 return 1;
1234}
1235
04d7814a 1236static int test_tickets(int stateful, int idx)
36ff232c
MC		 1237{
1238 SSL_CTX *sctx = NULL, *cctx = NULL;
1239 SSL *serverssl = NULL, *clientssl = NULL;
04d7814a 1240 int testresult = 0, sess_id_ctx = 1, i;
36ff232c
MC		 1241 size_t j;
1242
1243 /* idx is the test number, but also the number of tickets we want */
1244
1245 new_called = 0;
c22365b3 1246 do_cache = 1;
36ff232c
MC		 1247
1248 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1249 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1250 &cctx, cert, privkey))
04d7814a
MC		 1251 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx))
1252 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1253 (void *)&sess_id_ctx,
1254 sizeof(sess_id_ctx))))
36ff232c
MC		 1255 goto end;
1256
04d7814a
MC		 1257 if (stateful)
1258 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
1259
36ff232c
MC		 1260 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1261 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1262 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1263
1264 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1265 &clientssl, NULL, NULL)))
1266 goto end;
1267
1268 SSL_force_post_handshake_auth(clientssl);
1269
1270 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1271 SSL_ERROR_NONE))
1272 /* Check we got the number of tickets we were expecting */
1273 || !TEST_int_eq(idx, new_called))
1274 goto end;
1275
1276 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1277 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1278 || !TEST_int_eq(idx * 2, new_called))
1279 goto end;
1280
36ff232c
MC		 1281 SSL_shutdown(clientssl);
1282 SSL_shutdown(serverssl);
1283 SSL_free(serverssl);
1284 SSL_free(clientssl);
1285 serverssl = clientssl = NULL;
1286
c22365b3
MC		 1287 /* Stop caching sessions - just count them */
1288 do_cache = 0;
1289
36ff232c 1290 /* Test that we can resume with all the tickets we got given */
c22365b3
MC		 1291 for (i = 0; i < idx * 2; i++) {
1292 new_called = 0;
36ff232c
MC		 1293 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1294 &clientssl, NULL, NULL))
c22365b3
MC		 1295 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1296 goto end;
1297
1298 SSL_force_post_handshake_auth(clientssl);
1299
1300 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
36ff232c 1301 SSL_ERROR_NONE))
c22365b3
MC		 1302 || !TEST_true(SSL_session_reused(clientssl))
1303 /* Following a resumption we only get 1 ticket */
1304 || !TEST_int_eq(new_called, 1))
1305 goto end;
1306
1307 new_called = 0;
1308 /* After a post-handshake authentication we should get 1 new ticket */
1309 if (!post_handshake_verify(serverssl, clientssl)
1310 || !TEST_int_eq(new_called, 1))
36ff232c
MC		 1311 goto end;
1312
1313 SSL_shutdown(clientssl);
1314 SSL_shutdown(serverssl);
1315 SSL_free(serverssl);
1316 SSL_free(clientssl);
1317 serverssl = clientssl = NULL;
1318 SSL_SESSION_free(sesscache[i]);
1319 sesscache[i] = NULL;
1320 }
1321
1322 testresult = 1;
1323
1324 end:
1325 SSL_free(serverssl);
1326 SSL_free(clientssl);
c22365b3 1327 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1328 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1329 sesscache[j] = NULL;
1330 }
36ff232c
MC		 1331 SSL_CTX_free(sctx);
1332 SSL_CTX_free(cctx);
1333
1334 return testresult;
1335}
04d7814a
MC		 1336
1337static int test_stateless_tickets(int idx)
1338{
1339 return test_tickets(0, idx);
1340}
1341
1342static int test_stateful_tickets(int idx)
1343{
1344 return test_tickets(1, idx);
1345}
04225915 1346#endif
36ff232c 1347
7d4488bb
MC		 1348#define USE_NULL 0
1349#define USE_BIO_1 1
1350#define USE_BIO_2 2
1351#define USE_DEFAULT 3
1352
1353#define CONNTYPE_CONNECTION_SUCCESS 0
1354#define CONNTYPE_CONNECTION_FAIL 1
1355#define CONNTYPE_NO_CONNECTION 2
1356
1357#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1358#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1359#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1360# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1361#else
1362# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1363#endif
1364
7d4488bb
MC		 1365#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1366 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1367 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1368
1369static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1370{
1371 switch (type) {
1372 case USE_NULL:
1373 *res = NULL;
1374 break;
1375 case USE_BIO_1:
1376 *res = bio1;
1377 break;
1378 case USE_BIO_2:
1379 *res = bio2;
1380 break;
1381 }
1382}
1383
7d4488bb
MC		 1384
1385/*
1386 * Tests calls to SSL_set_bio() under various conditions.
1387 *
1388 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1389 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1390 * then do more tests where we create a successful connection first using our
1391 * standard connection setup functions, and then call SSL_set_bio() with
1392 * various combinations of valid BIOs or NULL. We then repeat these tests
1393 * following a failed connection. In this last case we are looking to check that
1394 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1395 */
7fb4c820
MC		 1396static int test_ssl_set_bio(int idx)
1397{
7d4488bb 1398 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1399 BIO *bio1 = NULL;
1400 BIO *bio2 = NULL;
0fae8150 1401 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1402 SSL *serverssl = NULL, *clientssl = NULL;
1403 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1404 int testresult = 0;
1405
7d4488bb
MC		 1406 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1407 initrbio = idx % 3;
1408 idx /= 3;
1409 initwbio = idx % 3;
1410 idx /= 3;
1411 newrbio = idx % 3;
1412 idx /= 3;
1413 newwbio = idx % 3;
1414 conntype = CONNTYPE_NO_CONNECTION;
1415 } else {
1416 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1417 initrbio = initwbio = USE_DEFAULT;
1418 newrbio = idx % 2;
1419 idx /= 2;
1420 newwbio = idx % 2;
1421 idx /= 2;
1422 conntype = idx % 2;
1423 }
710756a9 1424
7d4488bb
MC		 1425 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1426 TLS1_VERSION, TLS_MAX_VERSION,
1427 &sctx, &cctx, cert, privkey)))
1428 goto end;
1429
1430 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1431 /*
1432 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1433 * because we reduced the number of tests in the definition of
1434 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1435 * mismatched protocol versions we will force a connection failure.
1436 */
1437 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1438 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1439 }
1440
1441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1442 NULL, NULL)))
710756a9 1443 goto end;
7fb4c820 1444
710756a9
RS		 1445 if (initrbio == USE_BIO_1
1446 || initwbio == USE_BIO_1
1447 || newrbio == USE_BIO_1
7fb4c820 1448 || newwbio == USE_BIO_1) {
710756a9 1449 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1450 goto end;
7fb4c820
MC		 1451 }
1452
710756a9
RS		 1453 if (initrbio == USE_BIO_2
1454 || initwbio == USE_BIO_2
1455 || newrbio == USE_BIO_2
7fb4c820 1456 || newwbio == USE_BIO_2) {
710756a9 1457 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1458 goto end;
7fb4c820
MC		 1459 }
1460
7d4488bb
MC		 1461 if (initrbio != USE_DEFAULT) {
1462 setupbio(&irbio, bio1, bio2, initrbio);
1463 setupbio(&iwbio, bio1, bio2, initwbio);
1464 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1465
7d4488bb
MC		 1466 /*
1467 * We want to maintain our own refs to these BIO, so do an up ref for
1468 * each BIO that will have ownership transferred in the SSL_set_bio()
1469 * call
1470 */
1471 if (irbio != NULL)
1472 BIO_up_ref(irbio);
1473 if (iwbio != NULL && iwbio != irbio)
1474 BIO_up_ref(iwbio);
1475 }
7fb4c820 1476
7d4488bb
MC		 1477 if (conntype != CONNTYPE_NO_CONNECTION
1478 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1479 SSL_ERROR_NONE)
1480 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1481 goto end;
7fb4c820
MC		 1482
1483 setupbio(&nrbio, bio1, bio2, newrbio);
1484 setupbio(&nwbio, bio1, bio2, newwbio);
1485
1486 /*
1487 * We will (maybe) transfer ownership again so do more up refs.
1488 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1489 * already been set!
1490 */
710756a9
RS		 1491 if (nrbio != NULL
1492 && nrbio != irbio
1493 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1494 BIO_up_ref(nrbio);
710756a9
RS		 1495 if (nwbio != NULL
1496 && nwbio != nrbio
1497 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1498 BIO_up_ref(nwbio);
1499
7d4488bb 1500 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1501
1502 testresult = 1;
1503
1504 end:
7fb4c820
MC		 1505 BIO_free(bio1);
1506 BIO_free(bio2);
710756a9 1507
7fb4c820
MC		 1508 /*
1509 * This test is checking that the ref counting for SSL_set_bio is correct.
1510 * If we get here and we did too many frees then we will fail in the above
1511 * functions. If we haven't done enough then this will only be detected in
1512 * a crypto-mdebug build
1513 */
7d4488bb
MC		 1514 SSL_free(serverssl);
1515 SSL_free(clientssl);
1516 SSL_CTX_free(sctx);
1517 SSL_CTX_free(cctx);
7fb4c820
MC		 1518 return testresult;
1519}
1520
7e885b7b 1521typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1522
7e885b7b 1523static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1524{
1525 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1526 SSL_CTX *ctx;
9a716987
MC		 1527 SSL *ssl = NULL;
1528 int testresult = 0;
1529
710756a9
RS		 1530 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1531 || !TEST_ptr(ssl = SSL_new(ctx))
1532 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1533 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1534 goto end;
9a716987
MC		 1535
1536 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1537
1538 /*
1539 * If anything goes wrong here then we could leak memory, so this will
1540 * be caught in a crypto-mdebug build
1541 */
1542 BIO_push(sslbio, membio1);
1543
69687aa8 1544 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1545 if (change_bio != NO_BIO_CHANGE) {
710756a9 1546 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1547 goto end;
7e885b7b 1548 if (change_bio == CHANGE_RBIO)
65e2d672 1549 SSL_set0_rbio(ssl, membio2);
9a716987 1550 else
65e2d672 1551 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1552 }
1553 ssl = NULL;
1554
7e885b7b 1555 if (pop_ssl)
9a716987
MC		 1556 BIO_pop(sslbio);
1557 else
1558 BIO_pop(membio1);
1559
1560 testresult = 1;
1561 end:
1562 BIO_free(membio1);
1563 BIO_free(sslbio);
1564 SSL_free(ssl);
1565 SSL_CTX_free(ctx);
1566
1567 return testresult;
1568}
1569
1570static int test_ssl_bio_pop_next_bio(void)
1571{
7e885b7b 1572 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1573}
1574
1575static int test_ssl_bio_pop_ssl_bio(void)
1576{
7e885b7b 1577 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1578}
1579
1580static int test_ssl_bio_change_rbio(void)
1581{
7e885b7b 1582 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1583}
1584
1585static int test_ssl_bio_change_wbio(void)
1586{
7e885b7b 1587 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1588}
1589
c423ecaa 1590#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1591typedef struct {
1592 /* The list of sig algs */
1593 const int *list;
1594 /* The length of the list */
1595 size_t listlen;
1596 /* A sigalgs list in string format */
1597 const char *liststr;
1598 /* Whether setting the list should succeed */
1599 int valid;
1600 /* Whether creating a connection with the list should succeed */
1601 int connsuccess;
1602} sigalgs_list;
1603
1604static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1605# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1606static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1607static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1608# endif
f1b25aae
MC		 1609static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1610static const int invalidlist2[] = {NID_sha256, NID_undef};
1611static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1612static const int invalidlist4[] = {NID_sha256};
1613static const sigalgs_list testsigalgs[] = {
1614 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1615# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1616 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1617 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1618# endif
f1b25aae 1619 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1620# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1621 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1622 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1623# endif
f1b25aae
MC		 1624 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1625 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1626 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1627 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1628 {NULL, 0, "RSA", 0, 0},
1629 {NULL, 0, "SHA256", 0, 0},
1630 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1631 {NULL, 0, "Invalid", 0, 0}
1632};
f1b25aae
MC		 1633
1634static int test_set_sigalgs(int idx)
1635{
1636 SSL_CTX *cctx = NULL, *sctx = NULL;
1637 SSL *clientssl = NULL, *serverssl = NULL;
1638 int testresult = 0;
1639 const sigalgs_list *curr;
1640 int testctx;
1641
1642 /* Should never happen */
710756a9 1643 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1644 return 0;
1645
1646 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1647 curr = testctx ? &testsigalgs[idx]
1648 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1649
7d7f6834
RL		 1650 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1651 TLS1_VERSION, TLS_MAX_VERSION,
1652 &sctx, &cctx, cert, privkey)))
f1b25aae 1653 return 0;
f1b25aae 1654
d2e491f2
MC		 1655 /*
1656 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1657 * for TLSv1.2 for now until we add a new API.
1658 */
1659 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1660
f1b25aae
MC		 1661 if (testctx) {
1662 int ret;
710756a9 1663
f1b25aae
MC		 1664 if (curr->list != NULL)
1665 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1666 else
1667 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1668
1669 if (!ret) {
1670 if (curr->valid)
710756a9 1671 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1672 else
1673 testresult = 1;
1674 goto end;
1675 }
1676 if (!curr->valid) {
710756a9 1677 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1678 goto end;
1679 }
1680 }
1681
710756a9
RS		 1682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1683 &clientssl, NULL, NULL)))
f1b25aae 1684 goto end;
f1b25aae
MC		 1685
1686 if (!testctx) {
1687 int ret;
1688
1689 if (curr->list != NULL)
1690 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1691 else
1692 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1693 if (!ret) {
1694 if (curr->valid)
710756a9 1695 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1696 else
1697 testresult = 1;
1698 goto end;
1699 }
710756a9 1700 if (!curr->valid)
f1b25aae 1701 goto end;
f1b25aae
MC		 1702 }
1703
710756a9
RS		 1704 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1705 SSL_ERROR_NONE),
1706 curr->connsuccess))
f1b25aae 1707 goto end;
f1b25aae
MC		 1708
1709 testresult = 1;
1710
1711 end:
1712 SSL_free(serverssl);
1713 SSL_free(clientssl);
1714 SSL_CTX_free(sctx);
1715 SSL_CTX_free(cctx);
1716
1717 return testresult;
1718}
c423ecaa 1719#endif
f1b25aae 1720
fff202e5
MC		 1721#ifndef OPENSSL_NO_TLS1_3
1722
57dee9bb
MC		 1723static SSL_SESSION *clientpsk = NULL;
1724static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1725static const char *pskid = "Identity";
1726static const char *srvid;
1727
1728static int use_session_cb_cnt = 0;
1729static int find_session_cb_cnt = 0;
532f9578
MC		 1730static int psk_client_cb_cnt = 0;
1731static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1732
1733static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1734 size_t *idlen, SSL_SESSION **sess)
1735{
1736 switch (++use_session_cb_cnt) {
1737 case 1:
1738 /* The first call should always have a NULL md */
1739 if (md != NULL)
1740 return 0;
1741 break;
1742
1743 case 2:
1744 /* The second call should always have an md */
1745 if (md == NULL)
1746 return 0;
1747 break;
1748
1749 default:
1750 /* We should only be called a maximum of twice */
1751 return 0;
1752 }
1753
57dee9bb
MC		 1754 if (clientpsk != NULL)
1755 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1756
57dee9bb 1757 *sess = clientpsk;
02a3ed5a
MC		 1758 *id = (const unsigned char *)pskid;
1759 *idlen = strlen(pskid);
1760
1761 return 1;
1762}
1763
c2b290c3 1764#ifndef OPENSSL_NO_PSK
532f9578
MC		 1765static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1766 unsigned int max_id_len,
1767 unsigned char *psk,
1768 unsigned int max_psk_len)
1769{
1770 unsigned int psklen = 0;
1771
1772 psk_client_cb_cnt++;
1773
1774 if (strlen(pskid) + 1 > max_id_len)
1775 return 0;
1776
1777 /* We should only ever be called a maximum of twice per connection */
1778 if (psk_client_cb_cnt > 2)
1779 return 0;
1780
1781 if (clientpsk == NULL)
1782 return 0;
1783
1784 /* We'll reuse the PSK we set up for TLSv1.3 */
1785 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1786 return 0;
1787 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1788 strncpy(id, pskid, max_id_len);
1789
1790 return psklen;
1791}
c2b290c3 1792#endif /* OPENSSL_NO_PSK */
532f9578 1793
02a3ed5a
MC		 1794static int find_session_cb(SSL *ssl, const unsigned char *identity,
1795 size_t identity_len, SSL_SESSION **sess)
1796{
1797 find_session_cb_cnt++;
1798
1799 /* We should only ever be called a maximum of twice per connection */
1800 if (find_session_cb_cnt > 2)
1801 return 0;
1802
57dee9bb 1803 if (serverpsk == NULL)
02a3ed5a
MC		 1804 return 0;
1805
1806 /* Identity should match that set by the client */
1807 if (strlen(srvid) != identity_len
1808 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1809 /* No PSK found, continue but without a PSK */
1810 *sess = NULL;
1811 return 1;
1812 }
1813
57dee9bb
MC		 1814 SSL_SESSION_up_ref(serverpsk);
1815 *sess = serverpsk;
02a3ed5a
MC		 1816
1817 return 1;
1818}
1819
c2b290c3 1820#ifndef OPENSSL_NO_PSK
532f9578
MC		 1821static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1822 unsigned char *psk, unsigned int max_psk_len)
1823{
1824 unsigned int psklen = 0;
1825
1826 psk_server_cb_cnt++;
1827
1828 /* We should only ever be called a maximum of twice per connection */
1829 if (find_session_cb_cnt > 2)
1830 return 0;
1831
1832 if (serverpsk == NULL)
1833 return 0;
1834
1835 /* Identity should match that set by the client */
1836 if (strcmp(srvid, identity) != 0) {
1837 return 0;
1838 }
1839
1840 /* We'll reuse the PSK we set up for TLSv1.3 */
1841 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1842 return 0;
1843 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1844
1845 return psklen;
1846}
c2b290c3 1847#endif /* OPENSSL_NO_PSK */
532f9578 1848
5f982038
MC		 1849#define MSG1 "Hello"
1850#define MSG2 "World."
1851#define MSG3 "This"
1852#define MSG4 "is"
1853#define MSG5 "a"
90049cea
MC		 1854#define MSG6 "test"
1855#define MSG7 "message."
5f982038 1856
02a3ed5a 1857#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1858#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1859
5f982038
MC		 1860/*
1861 * Helper method to setup objects for early data test. Caller frees objects on
1862 * error.
1863 */
1864static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1865 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1866{
5a421415
MC		 1867 if (*sctx == NULL
1868 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1869 TLS_client_method(),
1870 TLS1_VERSION, TLS_MAX_VERSION,
1871 sctx, cctx, cert, privkey)))
1872 return 0;
1873
1874 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1875 return 0;
5f982038 1876
02a3ed5a
MC		 1877 if (idx == 1) {
1878 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1879 SSL_CTX_set_read_ahead(*cctx, 1);
1880 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1881 } else if (idx == 2) {
1882 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1883 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1884 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1885 use_session_cb_cnt = 0;
1886 find_session_cb_cnt = 0;
1887 srvid = pskid;
3cb47b4e
MC		 1888 }
1889
710756a9 1890 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1891 NULL, NULL)))
1892 return 0;
1893
141e4709
MC		 1894 /*
1895 * For one of the run throughs (doesn't matter which one), we'll try sending
1896 * some SNI data in the initial ClientHello. This will be ignored (because
1897 * there is no SNI cb set up by the server), so it should not impact
1898 * early_data.
1899 */
1900 if (idx == 1
1901 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1902 return 0;
1903
02a3ed5a
MC		 1904 if (idx == 2) {
1905 /* Create the PSK */
1906 const SSL_CIPHER *cipher = NULL;
1907 const unsigned char key[] = {
1908 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1909 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1910 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1911 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1912 0x2c, 0x2d, 0x2e, 0x2f
1913 };
1914
1915 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1916 clientpsk = SSL_SESSION_new();
1917 if (!TEST_ptr(clientpsk)
02a3ed5a 1918 || !TEST_ptr(cipher)
57dee9bb 1919 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1920 sizeof(key)))
57dee9bb 1921 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1922 || !TEST_true(
57dee9bb 1923 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1924 TLS1_3_VERSION))
1925 /*
1926 * We just choose an arbitrary value for max_early_data which
1927 * should be big enough for testing purposes.
1928 */
57dee9bb
MC		 1929 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1930 0x100))
1931 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1932 SSL_SESSION_free(clientpsk);
1933 clientpsk = NULL;
02a3ed5a
MC		 1934 return 0;
1935 }
57dee9bb 1936 serverpsk = clientpsk;
02a3ed5a 1937
c20e3b28
MC		 1938 if (sess != NULL) {
1939 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1940 SSL_SESSION_free(clientpsk);
1941 SSL_SESSION_free(serverpsk);
1942 clientpsk = serverpsk = NULL;
1943 return 0;
1944 }
57dee9bb 1945 *sess = clientpsk;
c20e3b28 1946 }
02a3ed5a
MC		 1947 return 1;
1948 }
1949
1950 if (sess == NULL)
1951 return 1;
1952
1953 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1954 SSL_ERROR_NONE)))
5f982038 1955 return 0;
5f982038
MC		 1956
1957 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1958 SSL_shutdown(*clientssl);
1959 SSL_shutdown(*serverssl);
5f982038
MC		 1960 SSL_free(*serverssl);
1961 SSL_free(*clientssl);
1962 *serverssl = *clientssl = NULL;
1963
710756a9
RS		 1964 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1965 clientssl, NULL, NULL))
1966 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1967 return 0;
5f982038
MC		 1968
1969 return 1;
1970}
1971
3cb47b4e 1972static int test_early_data_read_write(int idx)
5f982038
MC		 1973{
1974 SSL_CTX *cctx = NULL, *sctx = NULL;
1975 SSL *clientssl = NULL, *serverssl = NULL;
1976 int testresult = 0;
1977 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1978 unsigned char buf[20], data[1024];
1979 size_t readbytes, written, eoedlen, rawread, rawwritten;
1980 BIO *rbio;
5f982038 1981
710756a9
RS		 1982 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1983 &serverssl, &sess, idx)))
5f982038
MC		 1984 goto end;
1985
1986 /* Write and read some early data */
710756a9
RS		 1987 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1988 &written))
1989 || !TEST_size_t_eq(written, strlen(MSG1))
1990 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1991 sizeof(buf), &readbytes),
1992 SSL_READ_EARLY_DATA_SUCCESS)
1993 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1994 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1995 SSL_EARLY_DATA_ACCEPTED))
5f982038 1996 goto end;
5f982038
MC		 1997
1998 /*
09f28874 1999 * Server should be able to write data, and client should be able to
5f982038
MC		 2000 * read it.
2001 */
710756a9
RS		 2002 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2003 &written))
2004 || !TEST_size_t_eq(written, strlen(MSG2))
2005 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2006 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2007 goto end;
5f982038
MC		 2008
2009 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2010 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2011 &written))
2012 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2013 goto end;
5f982038 2014
09f28874 2015 /* Server should still be able read early data after writing data */
710756a9
RS		 2016 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2017 &readbytes),
2018 SSL_READ_EARLY_DATA_SUCCESS)
2019 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2020 goto end;
5f982038 2021
09f28874 2022 /* Write more data from server and read it from client */
710756a9
RS		 2023 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2024 &written))
2025 || !TEST_size_t_eq(written, strlen(MSG4))
2026 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2027 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2028 goto end;
5f982038
MC		 2029
2030 /*
2031 * If client writes normal data it should mean writing early data is no
2032 * longer possible.
2033 */
710756a9
RS		 2034 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2035 || !TEST_size_t_eq(written, strlen(MSG5))
2036 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2037 SSL_EARLY_DATA_ACCEPTED))
5f982038 2038 goto end;
5f982038 2039
9b5c865d
MC		 2040 /*
2041 * At this point the client has written EndOfEarlyData, ClientFinished and
2042 * normal (fully protected) data. We are going to cause a delay between the
2043 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2044 * in the read BIO, and then just put back the EndOfEarlyData message.
2045 */
2046 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2047 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2048 || !TEST_size_t_lt(rawread, sizeof(data))
2049 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2050 goto end;
710756a9 2051
9b5c865d
MC		 2052 /* Record length is in the 4th and 5th bytes of the record header */
2053 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2054 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2055 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2056 goto end;
9b5c865d 2057
5f982038 2058 /* Server should be told that there is no more early data */
710756a9
RS		 2059 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2060 &readbytes),
2061 SSL_READ_EARLY_DATA_FINISH)
2062 || !TEST_size_t_eq(readbytes, 0))
5f982038 2063 goto end;
5f982038 2064
9b5c865d
MC		 2065 /*
2066 * Server has not finished init yet, so should still be able to write early
2067 * data.
2068 */
710756a9
RS		 2069 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2070 &written))
2071 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2072 goto end;
9b5c865d 2073
f8a303fa 2074 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2075 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2076 &rawwritten))
2077 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2078 goto end;
f8a303fa 2079
5f982038 2080 /* Server should be able to read normal data */
710756a9
RS		 2081 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2082 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2083 goto end;
5f982038 2084
09f28874 2085 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2086 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2087 &written)))
5f982038 2088 goto end;
5f982038 2089 ERR_clear_error();
710756a9
RS		 2090 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2091 &readbytes),
2092 SSL_READ_EARLY_DATA_ERROR))
5f982038 2093 goto end;
5f982038
MC		 2094 ERR_clear_error();
2095
9b5c865d 2096 /* Client should be able to read the data sent by the server */
710756a9
RS		 2097 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2098 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2099 goto end;
710756a9 2100
f8a303fa 2101 /*
36ff232c
MC		 2102 * Make sure we process the two NewSessionTickets. These arrive
2103 * post-handshake. We attempt reads which we do not expect to return any
2104 * data.
f8a303fa 2105 */
36ff232c
MC		 2106 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2107 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2108 &readbytes)))
f8a303fa 2109 goto end;
5f982038 2110
90049cea 2111 /* Server should be able to write normal data */
710756a9
RS		 2112 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2113 || !TEST_size_t_eq(written, strlen(MSG7))
2114 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2115 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2116 goto end;
90049cea 2117
c20e3b28 2118 SSL_SESSION_free(sess);
5f982038 2119 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2120 use_session_cb_cnt = 0;
2121 find_session_cb_cnt = 0;
5f982038
MC		 2122
2123 SSL_shutdown(clientssl);
2124 SSL_shutdown(serverssl);
5f982038
MC		 2125 SSL_free(serverssl);
2126 SSL_free(clientssl);
2127 serverssl = clientssl = NULL;
710756a9
RS		 2128 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2129 &clientssl, NULL, NULL))
2130 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2131 goto end;
5f982038
MC		 2132
2133 /* Write and read some early data */
710756a9
RS		 2134 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2135 &written))
2136 || !TEST_size_t_eq(written, strlen(MSG1))
2137 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2138 &readbytes),
2139 SSL_READ_EARLY_DATA_SUCCESS)
2140 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2141 goto end;
5f982038 2142
710756a9
RS		 2143 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2144 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2145 goto end;
5f982038 2146
09f28874 2147 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2148 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2149 &written)))
5f982038 2150 goto end;
5f982038 2151 ERR_clear_error();
710756a9
RS		 2152 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2153 &readbytes),
2154 SSL_READ_EARLY_DATA_ERROR))
5f982038 2155 goto end;
5f982038
MC		 2156 ERR_clear_error();
2157
2158 /* Client and server should be able to write/read normal data */
710756a9
RS		 2159 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2160 || !TEST_size_t_eq(written, strlen(MSG5))
2161 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2162 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2163 goto end;
5f982038
MC		 2164
2165 testresult = 1;
2166
2167 end:
c20e3b28 2168 SSL_SESSION_free(sess);
57dee9bb
MC		 2169 SSL_SESSION_free(clientpsk);
2170 SSL_SESSION_free(serverpsk);
2171 clientpsk = serverpsk = NULL;
5f982038
MC		 2172 SSL_free(serverssl);
2173 SSL_free(clientssl);
2174 SSL_CTX_free(sctx);
2175 SSL_CTX_free(cctx);
5f982038
MC		 2176 return testresult;
2177}
2178
5a421415
MC		 2179static int allow_ed_cb_called = 0;
2180
2181static int allow_early_data_cb(SSL *s, void *arg)
2182{
2183 int *usecb = (int *)arg;
2184
2185 allow_ed_cb_called++;
2186
2187 if (*usecb == 1)
2188 return 0;
2189
2190 return 1;
2191}
2192
2193/*
2194 * idx == 0: Standard early_data setup
2195 * idx == 1: early_data setup using read_ahead
2196 * usecb == 0: Don't use a custom early data callback
2197 * usecb == 1: Use a custom early data callback and reject the early data
2198 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2199 * confopt == 0: Configure anti-replay directly
2200 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2201 */
3bb5e5b0 2202static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2203{
2204 SSL_CTX *cctx = NULL, *sctx = NULL;
2205 SSL *clientssl = NULL, *serverssl = NULL;
2206 int testresult = 0;
2207 SSL_SESSION *sess = NULL;
5a421415
MC		 2208 size_t readbytes, written;
2209 unsigned char buf[20];
2210
2211 allow_ed_cb_called = 0;
2212
2213 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2214 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
2215 &cctx, cert, privkey)))
2216 return 0;
2217
2218 if (usecb > 0) {
3bb5e5b0
MC		 2219 if (confopt == 0) {
2220 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2221 } else {
2222 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2223
2224 if (!TEST_ptr(confctx))
2225 goto end;
2226 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2227 | SSL_CONF_FLAG_SERVER);
2228 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2229 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2230 2)) {
2231 SSL_CONF_CTX_free(confctx);
2232 goto end;
2233 }
2234 SSL_CONF_CTX_free(confctx);
2235 }
5a421415
MC		 2236 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2237 }
78fb5374
MC		 2238
2239 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2240 &serverssl, &sess, idx)))
2241 goto end;
2242
2243 /*
2244 * The server is configured to accept early data. Create a connection to
2245 * "use up" the ticket
2246 */
2247 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2248 || !TEST_true(SSL_session_reused(clientssl)))
2249 goto end;
2250
2251 SSL_shutdown(clientssl);
2252 SSL_shutdown(serverssl);
2253 SSL_free(serverssl);
2254 SSL_free(clientssl);
2255 serverssl = clientssl = NULL;
2256
2257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2258 &clientssl, NULL, NULL))
5a421415
MC		 2259 || !TEST_true(SSL_set_session(clientssl, sess)))
2260 goto end;
2261
2262 /* Write and read some early data */
2263 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2264 &written))
2265 || !TEST_size_t_eq(written, strlen(MSG1)))
2266 goto end;
2267
2268 if (usecb <= 1) {
2269 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2270 &readbytes),
2271 SSL_READ_EARLY_DATA_FINISH)
2272 /*
2273 * The ticket was reused, so the we should have rejected the
2274 * early data
2275 */
2276 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2277 SSL_EARLY_DATA_REJECTED))
2278 goto end;
2279 } else {
2280 /* In this case the callback decides to accept the early data */
2281 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2282 &readbytes),
2283 SSL_READ_EARLY_DATA_SUCCESS)
2284 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2285 /*
2286 * Server will have sent its flight so client can now send
2287 * end of early data and complete its half of the handshake
2288 */
2289 || !TEST_int_gt(SSL_connect(clientssl), 0)
2290 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2291 &readbytes),
2292 SSL_READ_EARLY_DATA_FINISH)
2293 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2294 SSL_EARLY_DATA_ACCEPTED))
2295 goto end;
2296 }
2297
2298 /* Complete the connection */
2299 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2300 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2301 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2302 goto end;
2303
2304 testresult = 1;
2305
2306 end:
c20e3b28 2307 SSL_SESSION_free(sess);
78fb5374
MC		 2308 SSL_SESSION_free(clientpsk);
2309 SSL_SESSION_free(serverpsk);
2310 clientpsk = serverpsk = NULL;
2311 SSL_free(serverssl);
2312 SSL_free(clientssl);
2313 SSL_CTX_free(sctx);
2314 SSL_CTX_free(cctx);
2315 return testresult;
2316}
2317
5a421415
MC		 2318static int test_early_data_replay(int idx)
2319{
3bb5e5b0 2320 int ret = 1, usecb, confopt;
5a421415 2321
3bb5e5b0
MC		 2322 for (usecb = 0; usecb < 3; usecb++) {
2323 for (confopt = 0; confopt < 2; confopt++)
2324 ret &= test_early_data_replay_int(idx, usecb, confopt);
2325 }
5a421415
MC		 2326
2327 return ret;
2328}
2329
710756a9 2330/*
6b84e6bf
MC		 2331 * Helper function to test that a server attempting to read early data can
2332 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 2333 * testtype: 0 == No HRR
2334 * testtype: 1 == HRR
2335 * testtype: 2 == recv_max_early_data set to 0
710756a9 2336 */
0d1b7789 2337static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 2338{
2339 SSL_CTX *cctx = NULL, *sctx = NULL;
2340 SSL *clientssl = NULL, *serverssl = NULL;
2341 int testresult = 0;
018fcbec 2342 SSL_SESSION *sess = NULL;
5f982038
MC		 2343 unsigned char buf[20];
2344 size_t readbytes, written;
2345
710756a9
RS		 2346 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2347 &serverssl, &sess, idx)))
5f982038
MC		 2348 goto end;
2349
0d1b7789 2350 if (testtype == 1) {
6b84e6bf
MC		 2351 /* Force an HRR to occur */
2352 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2353 goto end;
02a3ed5a
MC		 2354 } else if (idx == 2) {
2355 /*
2356 * We force early_data rejection by ensuring the PSK identity is
2357 * unrecognised
2358 */
2359 srvid = "Dummy Identity";
6b84e6bf
MC		 2360 } else {
2361 /*
2362 * Deliberately corrupt the creation time. We take 20 seconds off the
2363 * time. It could be any value as long as it is not within tolerance.
2364 * This should mean the ticket is rejected.
2365 */
5d99881e 2366 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2367 goto end;
2368 }
5f982038 2369
0d1b7789
MC		 2370 if (testtype == 2
2371 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2372 goto end;
2373
5f982038 2374 /* Write some early data */
710756a9
RS		 2375 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2376 &written))
2377 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2378 goto end;
5f982038 2379
0d1b7789 2380 /* Server should reject the early data */
710756a9
RS		 2381 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2382 &readbytes),
2383 SSL_READ_EARLY_DATA_FINISH)
2384 || !TEST_size_t_eq(readbytes, 0)
2385 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2386 SSL_EARLY_DATA_REJECTED))
5f982038 2387 goto end;
5f982038 2388
0d1b7789 2389 if (testtype == 1) {
6b84e6bf
MC		 2390 /*
2391 * Finish off the handshake. We perform the same writes and reads as
2392 * further down but we expect them to fail due to the incomplete
2393 * handshake.
2394 */
2395 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2396 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2397 &readbytes)))
2398 goto end;
0d1b7789
MC		 2399 } else if (testtype == 2) {
2400 /*
2401 * This client has sent more early_data than we are willing to skip so
2402 * the connection should abort.
2403 */
2404 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2405 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2406 goto end;
2407
2408 /* Connection has failed - nothing more to do */
2409 testresult = 1;
2410 goto end;
6b84e6bf
MC		 2411 }
2412
0d1b7789
MC		 2413 /*
2414 * Should be able to send normal data despite rejection of early data. The
2415 * early_data should be skipped.
2416 */
710756a9
RS		 2417 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2418 || !TEST_size_t_eq(written, strlen(MSG2))
2419 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2420 SSL_EARLY_DATA_REJECTED)
2421 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2422 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2423 goto end;
5f982038
MC		 2424
2425 testresult = 1;
2426
2427 end:
c20e3b28 2428 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2429 SSL_SESSION_free(serverpsk);
2430 clientpsk = serverpsk = NULL;
5f982038
MC		 2431 SSL_SESSION_free(sess);
2432 SSL_free(serverssl);
2433 SSL_free(clientssl);
2434 SSL_CTX_free(sctx);
2435 SSL_CTX_free(cctx);
5f982038
MC		 2436 return testresult;
2437}
2438
6b84e6bf
MC		 2439/*
2440 * Test that a server attempting to read early data can handle a connection
2441 * from a client where the early data is not acceptable.
2442 */
2443static int test_early_data_skip(int idx)
2444{
2445 return early_data_skip_helper(0, idx);
2446}
2447
2448/*
2449 * Test that a server attempting to read early data can handle a connection
2450 * from a client where an HRR occurs.
2451 */
2452static int test_early_data_skip_hrr(int idx)
2453{
2454 return early_data_skip_helper(1, idx);
2455}
2456
0d1b7789
MC		 2457/*
2458 * Test that a server attempting to read early data will abort if it tries to
2459 * skip over too much.
2460 */
2461static int test_early_data_skip_abort(int idx)
2462{
2463 return early_data_skip_helper(2, idx);
2464}
2465
710756a9
RS		 2466/*
2467 * Test that a server attempting to read early data can handle a connection
2468 * from a client that doesn't send any.
2469 */
3cb47b4e 2470static int test_early_data_not_sent(int idx)
5f982038
MC		 2471{
2472 SSL_CTX *cctx = NULL, *sctx = NULL;
2473 SSL *clientssl = NULL, *serverssl = NULL;
2474 int testresult = 0;
018fcbec 2475 SSL_SESSION *sess = NULL;
5f982038
MC		 2476 unsigned char buf[20];
2477 size_t readbytes, written;
2478
710756a9
RS		 2479 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2480 &serverssl, &sess, idx)))
5f982038
MC		 2481 goto end;
2482
2483 /* Write some data - should block due to handshake with server */
2484 SSL_set_connect_state(clientssl);
710756a9 2485 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2486 goto end;
5f982038
MC		 2487
2488 /* Server should detect that early data has not been sent */
710756a9
RS		 2489 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2490 &readbytes),
2491 SSL_READ_EARLY_DATA_FINISH)
2492 || !TEST_size_t_eq(readbytes, 0)
2493 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2494 SSL_EARLY_DATA_NOT_SENT)
2495 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2496 SSL_EARLY_DATA_NOT_SENT))
5f982038 2497 goto end;
5f982038
MC		 2498
2499 /* Continue writing the message we started earlier */
710756a9
RS		 2500 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2501 || !TEST_size_t_eq(written, strlen(MSG1))
2502 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2503 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2504 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2505 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2506 goto end;
5f982038 2507
710756a9
RS		 2508 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2509 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2510 goto end;
5f982038
MC		 2511
2512 testresult = 1;
2513
2514 end:
5f982038 2515 SSL_SESSION_free(sess);
c20e3b28 2516 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2517 SSL_SESSION_free(serverpsk);
2518 clientpsk = serverpsk = NULL;
5f982038
MC		 2519 SSL_free(serverssl);
2520 SSL_free(clientssl);
2521 SSL_CTX_free(sctx);
2522 SSL_CTX_free(cctx);
5f982038
MC		 2523 return testresult;
2524}
2525
976e5323
MC		 2526static int hostname_cb(SSL *s, int *al, void *arg)
2527{
2528 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2529
281bf233 2530 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2531 return SSL_TLSEXT_ERR_OK;
2532
2533 return SSL_TLSEXT_ERR_NOACK;
2534}
2535
2536static const char *servalpn;
2537
c7558d5b
PY		 2538static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2539 unsigned char *outlen, const unsigned char *in,
2540 unsigned int inlen, void *arg)
976e5323 2541{
c7558d5b 2542 unsigned int protlen = 0;
976e5323
MC		 2543 const unsigned char *prot;
2544
c7558d5b
PY		 2545 for (prot = in; prot < in + inlen; prot += protlen) {
2546 protlen = *prot++;
5d99881e 2547 if (in + inlen < prot + protlen)
976e5323
MC		 2548 return SSL_TLSEXT_ERR_NOACK;
2549
2550 if (protlen == strlen(servalpn)
0bd42fde 2551 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2552 *out = prot;
2553 *outlen = protlen;
2554 return SSL_TLSEXT_ERR_OK;
2555 }
2556 }
2557
2558 return SSL_TLSEXT_ERR_NOACK;
2559}
2560
57dee9bb 2561/* Test that a PSK can be used to send early_data */
976e5323
MC		 2562static int test_early_data_psk(int idx)
2563{
2564 SSL_CTX *cctx = NULL, *sctx = NULL;
2565 SSL *clientssl = NULL, *serverssl = NULL;
2566 int testresult = 0;
2567 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2568 unsigned char alpnlist[] = {
2569 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2570 'l', 'p', 'n'
2571 };
2572#define GOODALPNLEN 9
2573#define BADALPNLEN 8
2574#define GOODALPN (alpnlist)
2575#define BADALPN (alpnlist + GOODALPNLEN)
2576 int err = 0;
976e5323
MC		 2577 unsigned char buf[20];
2578 size_t readbytes, written;
57dee9bb 2579 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2580 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2581
2582 /* We always set this up with a final parameter of "2" for PSK */
2583 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2584 &serverssl, &sess, 2)))
2585 goto end;
2586
976e5323
MC		 2587 servalpn = "goodalpn";
2588
57dee9bb
MC		 2589 /*
2590 * Note: There is no test for inconsistent SNI with late client detection.
2591 * This is because servers do not acknowledge SNI even if they are using
2592 * it in a resumption handshake - so it is not actually possible for a
2593 * client to detect a problem.
2594 */
976e5323
MC		 2595 switch (idx) {
2596 case 0:
57dee9bb 2597 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2598 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2599 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2600 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2601 goto end;
2602 break;
2603
2604 case 1:
57dee9bb 2605 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2606 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2607 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2608 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2609 GOODALPNLEN))
2610 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2611 BADALPNLEN)))
976e5323
MC		 2612 goto end;
2613 break;
2614
2615 case 2:
2616 /*
2617 * Set invalid protocol version. Technically this affects PSKs without
2618 * early_data too, but we test it here because it is similar to the
2619 * SNI/ALPN consistency tests.
2620 */
2621 err = SSL_R_BAD_PSK;
2622 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2623 goto end;
2624 break;
2625
2626 case 3:
2627 /*
2628 * Set inconsistent SNI (server detected). In this case the connection
2629 * will succeed but reject early_data.
2630 */
281bf233
MC		 2631 SSL_SESSION_free(serverpsk);
2632 serverpsk = SSL_SESSION_dup(clientpsk);
2633 if (!TEST_ptr(serverpsk)
2634 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2635 goto end;
976e5323
MC		 2636 edstatus = SSL_EARLY_DATA_REJECTED;
2637 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2638 /* Fall through */
2639 case 4:
2640 /* Set consistent SNI */
976e5323
MC		 2641 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2642 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2643 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2644 hostname_cb)))
2645 goto end;
2646 break;
2647
2648 case 5:
2649 /*
2650 * Set inconsistent ALPN (server detected). In this case the connection
2651 * will succeed but reject early_data.
2652 */
2653 servalpn = "badalpn";
2654 edstatus = SSL_EARLY_DATA_REJECTED;
2655 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2656 /* Fall through */
2657 case 6:
976e5323 2658 /*
57dee9bb 2659 * Set consistent ALPN.
976e5323
MC		 2660 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2661 * accepts a list of protos (each one length prefixed).
2662 * SSL_set1_alpn_selected accepts a single protocol (not length
2663 * prefixed)
2664 */
57dee9bb
MC		 2665 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2666 GOODALPNLEN - 1))
2667 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2668 GOODALPNLEN)))
976e5323
MC		 2669 goto end;
2670
2671 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2672 break;
2673
57dee9bb
MC		 2674 case 7:
2675 /* Set inconsistent ALPN (late client detection) */
2676 SSL_SESSION_free(serverpsk);
2677 serverpsk = SSL_SESSION_dup(clientpsk);
2678 if (!TEST_ptr(serverpsk)
2679 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2680 BADALPN + 1,
2681 BADALPNLEN - 1))
2682 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2683 GOODALPN + 1,
2684 GOODALPNLEN - 1))
2685 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2686 sizeof(alpnlist))))
2687 goto end;
2688 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2689 edstatus = SSL_EARLY_DATA_ACCEPTED;
2690 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2691 /* SSL_connect() call should fail */
2692 connectres = -1;
2693 break;
2694
976e5323
MC		 2695 default:
2696 TEST_error("Bad test index");
2697 goto end;
2698 }
2699
2700 SSL_set_connect_state(clientssl);
2701 if (err != 0) {
2702 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2703 &written))
2704 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2705 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2706 goto end;
2707 } else {
2708 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2709 &written)))
2710 goto end;
2711
2712 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2713 &readbytes), readearlyres)
976e5323
MC		 2714 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2715 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2716 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2717 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2718 goto end;
2719 }
2720
2721 testresult = 1;
2722
2723 end:
c20e3b28 2724 SSL_SESSION_free(sess);
57dee9bb
MC		 2725 SSL_SESSION_free(clientpsk);
2726 SSL_SESSION_free(serverpsk);
2727 clientpsk = serverpsk = NULL;
976e5323
MC		 2728 SSL_free(serverssl);
2729 SSL_free(clientssl);
2730 SSL_CTX_free(sctx);
2731 SSL_CTX_free(cctx);
2732 return testresult;
2733}
2734
710756a9
RS		 2735/*
2736 * Test that a server that doesn't try to read early data can handle a
2737 * client sending some.
2738 */
3cb47b4e 2739static int test_early_data_not_expected(int idx)
5f982038
MC		 2740{
2741 SSL_CTX *cctx = NULL, *sctx = NULL;
2742 SSL *clientssl = NULL, *serverssl = NULL;
2743 int testresult = 0;
018fcbec 2744 SSL_SESSION *sess = NULL;
5f982038
MC		 2745 unsigned char buf[20];
2746 size_t readbytes, written;
2747
710756a9
RS		 2748 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2749 &serverssl, &sess, idx)))
5f982038
MC		 2750 goto end;
2751
2752 /* Write some early data */
710756a9
RS		 2753 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2754 &written)))
5f982038 2755 goto end;
5f982038
MC		 2756
2757 /*
2758 * Server should skip over early data and then block waiting for client to
2759 * continue handshake
2760 */
710756a9
RS		 2761 if (!TEST_int_le(SSL_accept(serverssl), 0)
2762 || !TEST_int_gt(SSL_connect(clientssl), 0)
2763 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2764 SSL_EARLY_DATA_REJECTED)
2765 || !TEST_int_gt(SSL_accept(serverssl), 0)
2766 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2767 SSL_EARLY_DATA_REJECTED))
5f982038 2768 goto end;
5f982038
MC		 2769
2770 /* Send some normal data from client to server */
710756a9
RS		 2771 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2772 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2773 goto end;
5f982038 2774
710756a9
RS		 2775 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2776 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2777 goto end;
5f982038
MC		 2778
2779 testresult = 1;
2780
2781 end:
5f982038 2782 SSL_SESSION_free(sess);
c20e3b28 2783 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2784 SSL_SESSION_free(serverpsk);
2785 clientpsk = serverpsk = NULL;
5f982038
MC		 2786 SSL_free(serverssl);
2787 SSL_free(clientssl);
2788 SSL_CTX_free(sctx);
2789 SSL_CTX_free(cctx);
5f982038
MC		 2790 return testresult;
2791}
2792
2793
2794# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2795/*
2796 * Test that a server attempting to read early data can handle a connection
2797 * from a TLSv1.2 client.
2798 */
3cb47b4e 2799static int test_early_data_tls1_2(int idx)
5f982038
MC		 2800{
2801 SSL_CTX *cctx = NULL, *sctx = NULL;
2802 SSL *clientssl = NULL, *serverssl = NULL;
2803 int testresult = 0;
2804 unsigned char buf[20];
2805 size_t readbytes, written;
2806
02a3ed5a
MC		 2807 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2808 &serverssl, NULL, idx)))
5f982038 2809 goto end;
5f982038
MC		 2810
2811 /* Write some data - should block due to handshake with server */
2812 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2813 SSL_set_connect_state(clientssl);
710756a9 2814 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2815 goto end;
5f982038
MC		 2816
2817 /*
2818 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2819 * messages from client after ServerDone. Then SSL_read_early_data should
2820 * finish and detect that early data has not been sent
5f982038 2821 */
710756a9
RS		 2822 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2823 &readbytes),
2824 SSL_READ_EARLY_DATA_ERROR))
5f982038 2825 goto end;
5f982038
MC		 2826
2827 /*
2828 * Continue writing the message we started earlier. Will still block waiting
2829 * for the CCS/Finished from server
2830 */
710756a9
RS		 2831 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2832 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2833 &readbytes),
2834 SSL_READ_EARLY_DATA_FINISH)
2835 || !TEST_size_t_eq(readbytes, 0)
2836 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2837 SSL_EARLY_DATA_NOT_SENT))
5f982038 2838 goto end;
5f982038
MC		 2839
2840 /* Continue writing the message we started earlier */
710756a9
RS		 2841 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2842 || !TEST_size_t_eq(written, strlen(MSG1))
2843 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2844 SSL_EARLY_DATA_NOT_SENT)
2845 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2846 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2847 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2848 || !TEST_size_t_eq(written, strlen(MSG2))
2849 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2850 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2851 goto end;
5f982038
MC		 2852
2853 testresult = 1;
2854
2855 end:
57dee9bb
MC		 2856 SSL_SESSION_free(clientpsk);
2857 SSL_SESSION_free(serverpsk);
2858 clientpsk = serverpsk = NULL;
5f982038
MC		 2859 SSL_free(serverssl);
2860 SSL_free(clientssl);
2861 SSL_CTX_free(sctx);
2862 SSL_CTX_free(cctx);
2863
2864 return testresult;
2865}
ca0413ae
MC		 2866# endif /* OPENSSL_NO_TLS1_2 */
2867
034cb87b
MC		 2868/*
2869 * Test configuring the TLSv1.3 ciphersuites
2870 *
2871 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2872 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2873 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2874 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2875 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2876 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2877 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2878 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2879 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2880 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2881 */
2882static int test_set_ciphersuite(int idx)
2883{
2884 SSL_CTX *cctx = NULL, *sctx = NULL;
2885 SSL *clientssl = NULL, *serverssl = NULL;
2886 int testresult = 0;
2887
2888 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2889 TLS1_VERSION, TLS_MAX_VERSION,
2890 &sctx, &cctx, cert, privkey))
2891 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2892 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2893 goto end;
2894
2895 if (idx >=4 && idx <= 7) {
2896 /* SSL_CTX explicit cipher list */
2897 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2898 goto end;
2899 }
2900
2901 if (idx == 0 || idx == 4) {
2902 /* Default ciphersuite */
2903 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2904 "TLS_AES_128_GCM_SHA256")))
2905 goto end;
2906 } else if (idx == 1 || idx == 5) {
2907 /* Non default ciphersuite */
2908 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2909 "TLS_AES_128_CCM_SHA256")))
2910 goto end;
2911 }
2912
2913 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2914 &clientssl, NULL, NULL)))
2915 goto end;
2916
2917 if (idx == 8 || idx == 9) {
2918 /* SSL explicit cipher list */
2919 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2920 goto end;
2921 }
2922
2923 if (idx == 2 || idx == 6 || idx == 8) {
2924 /* Default ciphersuite */
2925 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2926 "TLS_AES_128_GCM_SHA256")))
2927 goto end;
2928 } else if (idx == 3 || idx == 7 || idx == 9) {
2929 /* Non default ciphersuite */
2930 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2931 "TLS_AES_128_CCM_SHA256")))
2932 goto end;
2933 }
2934
2935 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2936 goto end;
2937
2938 testresult = 1;
2939
2940 end:
2941 SSL_free(serverssl);
2942 SSL_free(clientssl);
2943 SSL_CTX_free(sctx);
2944 SSL_CTX_free(cctx);
2945
2946 return testresult;
2947}
2948
ca0413ae
MC		 2949static int test_ciphersuite_change(void)
2950{
2951 SSL_CTX *cctx = NULL, *sctx = NULL;
2952 SSL *clientssl = NULL, *serverssl = NULL;
2953 SSL_SESSION *clntsess = NULL;
2954 int testresult = 0;
2955 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2956
2957 /* Create a session based on SHA-256 */
7d7f6834
RL		 2958 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2959 TLS1_VERSION, TLS_MAX_VERSION,
2960 &sctx, &cctx, cert, privkey))
f865b081
MC		 2961 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2962 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 2963 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2964 &clientssl, NULL, NULL))
2965 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2966 SSL_ERROR_NONE)))
2967 goto end;
2968
2969 clntsess = SSL_get1_session(clientssl);
2970 /* Save for later */
2971 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2972 SSL_shutdown(clientssl);
2973 SSL_shutdown(serverssl);
2974 SSL_free(serverssl);
2975 SSL_free(clientssl);
2976 serverssl = clientssl = NULL;
2977
71cff963 2978# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 2979 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 2980 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2981 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 2982 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2983 NULL, NULL))
2984 || !TEST_true(SSL_set_session(clientssl, clntsess))
2985 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2986 SSL_ERROR_NONE))
2987 || !TEST_true(SSL_session_reused(clientssl)))
2988 goto end;
2989
2990 SSL_SESSION_free(clntsess);
2991 clntsess = SSL_get1_session(clientssl);
2992 SSL_shutdown(clientssl);
2993 SSL_shutdown(serverssl);
2994 SSL_free(serverssl);
2995 SSL_free(clientssl);
2996 serverssl = clientssl = NULL;
71cff963 2997# endif
ca0413ae
MC		 2998
2999 /*
3000 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3001 * succeeds but does not resume.
ca0413ae 3002 */
f865b081 3003 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3004 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3005 NULL, NULL))
3006 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3007 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3008 SSL_ERROR_SSL))
0de6d66d 3009 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3010 goto end;
3011
3012 SSL_SESSION_free(clntsess);
3013 clntsess = NULL;
3014 SSL_shutdown(clientssl);
3015 SSL_shutdown(serverssl);
3016 SSL_free(serverssl);
3017 SSL_free(clientssl);
3018 serverssl = clientssl = NULL;
3019
3020 /* Create a session based on SHA384 */
f865b081 3021 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3022 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3023 &clientssl, NULL, NULL))
3024 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3025 SSL_ERROR_NONE)))
3026 goto end;
3027
3028 clntsess = SSL_get1_session(clientssl);
3029 SSL_shutdown(clientssl);
3030 SSL_shutdown(serverssl);
3031 SSL_free(serverssl);
3032 SSL_free(clientssl);
3033 serverssl = clientssl = NULL;
3034
f865b081
MC		 3035 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3036 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3037 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3038 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3039 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3040 NULL, NULL))
3041 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3042 /*
3043 * We use SSL_ERROR_WANT_READ below so that we can pause the
3044 * connection after the initial ClientHello has been sent to
3045 * enable us to make some session changes.
3046 */
ca0413ae
MC		 3047 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3048 SSL_ERROR_WANT_READ)))
3049 goto end;
3050
3051 /* Trick the client into thinking this session is for a different digest */
3052 clntsess->cipher = aes_128_gcm_sha256;
3053 clntsess->cipher_id = clntsess->cipher->id;
3054
3055 /*
3b0e88d3
MC		 3056 * Continue the previously started connection. Server has selected a SHA-384
3057 * ciphersuite, but client thinks the session is for SHA-256, so it should
3058 * bail out.
ca0413ae
MC		 3059 */
3060 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3061 SSL_ERROR_SSL))
3062 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3063 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3064 goto end;
3065
3066 testresult = 1;
3067
3068 end:
3069 SSL_SESSION_free(clntsess);
3070 SSL_free(serverssl);
3071 SSL_free(clientssl);
3072 SSL_CTX_free(sctx);
3073 SSL_CTX_free(cctx);
3074
3075 return testresult;
3076}
3077
0d8da779
MC		 3078/*
3079 * Test TLSv1.3 PSKs
3080 * Test 0 = Test new style callbacks
3081 * Test 1 = Test both new and old style callbacks
3082 * Test 2 = Test old style callbacks
3083 * Test 3 = Test old style callbacks with no certificate
3084 */
532f9578 3085static int test_tls13_psk(int idx)
ca8c71ba
MC		 3086{
3087 SSL_CTX *sctx = NULL, *cctx = NULL;
3088 SSL *serverssl = NULL, *clientssl = NULL;
3089 const SSL_CIPHER *cipher = NULL;
3090 const unsigned char key[] = {
3091 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3092 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 3093 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3094 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 3095 };
3096 int testresult = 0;
3097
7d7f6834
RL		 3098 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3099 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 3100 &sctx, &cctx, idx == 3 ? NULL : cert,
3101 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 3102 goto end;
3103
0d8da779
MC		 3104 if (idx != 3) {
3105 /*
3106 * We use a ciphersuite with SHA256 to ease testing old style PSK
3107 * callbacks which will always default to SHA256. This should not be
3108 * necessary if we have no cert/priv key. In that case the server should
3109 * prefer SHA256 automatically.
3110 */
3111 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3112 "TLS_AES_128_GCM_SHA256")))
3113 goto end;
3114 }
532f9578
MC		 3115
3116 /*
3117 * Test 0: New style callbacks only
3118 * Test 1: New and old style callbacks (only the new ones should be used)
3119 * Test 2: Old style callbacks only
3120 */
3121 if (idx == 0 || idx == 1) {
3122 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3123 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3124 }
c2b290c3 3125#ifndef OPENSSL_NO_PSK
0d8da779 3126 if (idx >= 1) {
532f9578
MC		 3127 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3128 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3129 }
c2b290c3 3130#endif
ca8c71ba 3131 srvid = pskid;
02a3ed5a
MC		 3132 use_session_cb_cnt = 0;
3133 find_session_cb_cnt = 0;
532f9578
MC		 3134 psk_client_cb_cnt = 0;
3135 psk_server_cb_cnt = 0;
ca8c71ba 3136
0d8da779
MC		 3137 if (idx != 3) {
3138 /*
3139 * Check we can create a connection if callback decides not to send a
3140 * PSK
3141 */
3142 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3143 NULL, NULL))
3144 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3145 SSL_ERROR_NONE))
3146 || !TEST_false(SSL_session_reused(clientssl))
3147 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3148 goto end;
532f9578 3149
0d8da779
MC		 3150 if (idx == 0 || idx == 1) {
3151 if (!TEST_true(use_session_cb_cnt == 1)
3152 || !TEST_true(find_session_cb_cnt == 0)
3153 /*
3154 * If no old style callback then below should be 0
3155 * otherwise 1
3156 */
3157 || !TEST_true(psk_client_cb_cnt == idx)
3158 || !TEST_true(psk_server_cb_cnt == 0))
3159 goto end;
3160 } else {
3161 if (!TEST_true(use_session_cb_cnt == 0)
3162 || !TEST_true(find_session_cb_cnt == 0)
3163 || !TEST_true(psk_client_cb_cnt == 1)
3164 || !TEST_true(psk_server_cb_cnt == 0))
3165 goto end;
3166 }
3167
3168 shutdown_ssl_connection(serverssl, clientssl);
3169 serverssl = clientssl = NULL;
3170 use_session_cb_cnt = psk_client_cb_cnt = 0;
3171 }
ca8c71ba
MC		 3172
3173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3174 NULL, NULL)))
3175 goto end;
3176
3177 /* Create the PSK */
532f9578 3178 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3179 clientpsk = SSL_SESSION_new();
3180 if (!TEST_ptr(clientpsk)
ca8c71ba 3181 || !TEST_ptr(cipher)
57dee9bb
MC		 3182 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3183 sizeof(key)))
3184 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3185 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3186 TLS1_3_VERSION))
3187 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3188 goto end;
57dee9bb 3189 serverpsk = clientpsk;
ca8c71ba
MC		 3190
3191 /* Check we can create a connection and the PSK is used */
3192 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3193 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3194 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3195 goto end;
3196
532f9578
MC		 3197 if (idx == 0 || idx == 1) {
3198 if (!TEST_true(use_session_cb_cnt == 1)
3199 || !TEST_true(find_session_cb_cnt == 1)
3200 || !TEST_true(psk_client_cb_cnt == 0)
3201 || !TEST_true(psk_server_cb_cnt == 0))
3202 goto end;
3203 } else {
3204 if (!TEST_true(use_session_cb_cnt == 0)
3205 || !TEST_true(find_session_cb_cnt == 0)
3206 || !TEST_true(psk_client_cb_cnt == 1)
3207 || !TEST_true(psk_server_cb_cnt == 1))
3208 goto end;
3209 }
3210
ca8c71ba
MC		 3211 shutdown_ssl_connection(serverssl, clientssl);
3212 serverssl = clientssl = NULL;
3213 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3214 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3215
3216 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3217 NULL, NULL)))
3218 goto end;
3219
3220 /* Force an HRR */
3221 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3222 goto end;
3223
3224 /*
3225 * Check we can create a connection, the PSK is used and the callbacks are
3226 * called twice.
3227 */
3228 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3229 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3230 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3231 goto end;
3232
532f9578
MC		 3233 if (idx == 0 || idx == 1) {
3234 if (!TEST_true(use_session_cb_cnt == 2)
3235 || !TEST_true(find_session_cb_cnt == 2)
3236 || !TEST_true(psk_client_cb_cnt == 0)
3237 || !TEST_true(psk_server_cb_cnt == 0))
3238 goto end;
3239 } else {
3240 if (!TEST_true(use_session_cb_cnt == 0)
3241 || !TEST_true(find_session_cb_cnt == 0)
3242 || !TEST_true(psk_client_cb_cnt == 2)
3243 || !TEST_true(psk_server_cb_cnt == 2))
3244 goto end;
3245 }
3246
ca8c71ba
MC		 3247 shutdown_ssl_connection(serverssl, clientssl);
3248 serverssl = clientssl = NULL;
3249 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3250 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3251
0d8da779
MC		 3252 if (idx != 3) {
3253 /*
3254 * Check that if the server rejects the PSK we can still connect, but with
3255 * a full handshake
3256 */
3257 srvid = "Dummy Identity";
3258 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3259 NULL, NULL))
3260 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3261 SSL_ERROR_NONE))
3262 || !TEST_false(SSL_session_reused(clientssl))
3263 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3264 goto end;
532f9578 3265
0d8da779
MC		 3266 if (idx == 0 || idx == 1) {
3267 if (!TEST_true(use_session_cb_cnt == 1)
3268 || !TEST_true(find_session_cb_cnt == 1)
3269 || !TEST_true(psk_client_cb_cnt == 0)
3270 /*
3271 * If no old style callback then below should be 0
3272 * otherwise 1
3273 */
3274 || !TEST_true(psk_server_cb_cnt == idx))
3275 goto end;
3276 } else {
3277 if (!TEST_true(use_session_cb_cnt == 0)
3278 || !TEST_true(find_session_cb_cnt == 0)
3279 || !TEST_true(psk_client_cb_cnt == 1)
3280 || !TEST_true(psk_server_cb_cnt == 1))
3281 goto end;
3282 }
3283
3284 shutdown_ssl_connection(serverssl, clientssl);
3285 serverssl = clientssl = NULL;
3286 }
ca8c71ba
MC		 3287 testresult = 1;
3288
3289 end:
57dee9bb
MC		 3290 SSL_SESSION_free(clientpsk);
3291 SSL_SESSION_free(serverpsk);
3292 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3293 SSL_free(serverssl);
3294 SSL_free(clientssl);
3295 SSL_CTX_free(sctx);
3296 SSL_CTX_free(cctx);
3297 return testresult;
3298}
3299
c7b8ff25
MC		 3300static unsigned char cookie_magic_value[] = "cookie magic";
3301
3302static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3303 unsigned int *cookie_len)
3304{
3305 /*
3306 * Not suitable as a real cookie generation function but good enough for
3307 * testing!
3308 */
97ea1e7f
MC		 3309 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3310 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3311
3312 return 1;
3313}
3314
3315static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3316 unsigned int cookie_len)
3317{
97ea1e7f 3318 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3319 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3320 return 1;
3321
3322 return 0;
3323}
3324
3fa2812f
BS		 3325static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3326 size_t *cookie_len)
3327{
3328 unsigned int temp;
3329 int res = generate_cookie_callback(ssl, cookie, &temp);
3330 *cookie_len = temp;
3331 return res;
3332}
3333
3334static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3335 size_t cookie_len)
3336{
3337 return verify_cookie_callback(ssl, cookie, cookie_len);
3338}
3339
c7b8ff25
MC		 3340static int test_stateless(void)
3341{
3342 SSL_CTX *sctx = NULL, *cctx = NULL;
3343 SSL *serverssl = NULL, *clientssl = NULL;
3344 int testresult = 0;
3345
7d7f6834
RL		 3346 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3347 TLS1_VERSION, TLS_MAX_VERSION,
3348 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3349 goto end;
3350
e440f513
MC		 3351 /* The arrival of CCS messages can confuse the test */
3352 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3353
3354 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3355 NULL, NULL))
3356 /* Send the first ClientHello */
3357 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3358 SSL_ERROR_WANT_READ))
3359 /*
3360 * This should fail with a -1 return because we have no callbacks
3361 * set up
3362 */
3363 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3364 goto end;
3365
3366 /* Fatal error so abandon the connection from this client */
3367 SSL_free(clientssl);
3368 clientssl = NULL;
3369
c7b8ff25 3370 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3371 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3372 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3373
e440f513
MC		 3374 /*
3375 * Create a new connection from the client (we can reuse the server SSL
3376 * object).
3377 */
c7b8ff25
MC		 3378 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3379 NULL, NULL))
3380 /* Send the first ClientHello */
3381 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3382 SSL_ERROR_WANT_READ))
3383 /* This should fail because there is no cookie */
e440f513 3384 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3385 goto end;
3386
3387 /* Abandon the connection from this client */
3388 SSL_free(clientssl);
3389 clientssl = NULL;
3390
3391 /*
3392 * Now create a connection from a new client but with the same server SSL
3393 * object
3394 */
3395 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3396 NULL, NULL))
3397 /* Send the first ClientHello */
3398 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3399 SSL_ERROR_WANT_READ))
3400 /* This should fail because there is no cookie */
e440f513 3401 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3402 /* Send the second ClientHello */
3403 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3404 SSL_ERROR_WANT_READ))
3405 /* This should succeed because a cookie is now present */
e440f513 3406 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3407 /* Complete the connection */
3408 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3409 SSL_ERROR_NONE)))
3410 goto end;
3411
3412 shutdown_ssl_connection(serverssl, clientssl);
3413 serverssl = clientssl = NULL;
3414 testresult = 1;
3415
3416 end:
3417 SSL_free(serverssl);
3418 SSL_free(clientssl);
3419 SSL_CTX_free(sctx);
3420 SSL_CTX_free(cctx);
3421 return testresult;
3422
3423}
ca0413ae 3424#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3425
a37008d9
MC		 3426static int clntaddoldcb = 0;
3427static int clntparseoldcb = 0;
3428static int srvaddoldcb = 0;
3429static int srvparseoldcb = 0;
3430static int clntaddnewcb = 0;
3431static int clntparsenewcb = 0;
3432static int srvaddnewcb = 0;
3433static int srvparsenewcb = 0;
bb01ef3f 3434static int snicb = 0;
a37008d9
MC		 3435
3436#define TEST_EXT_TYPE1 0xff00
3437
3438static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3439 size_t *outlen, int *al, void *add_arg)
3440{
3441 int *server = (int *)add_arg;
3442 unsigned char *data;
3443
3444 if (SSL_is_server(s))
3445 srvaddoldcb++;
3446 else
3447 clntaddoldcb++;
3448
710756a9
RS		 3449 if (*server != SSL_is_server(s)
3450 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3451 return -1;
3452
3453 *data = 1;
3454 *out = data;
3455 *outlen = sizeof(char);
a37008d9
MC		 3456 return 1;
3457}
3458
3459static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3460 void *add_arg)
3461{
3462 OPENSSL_free((unsigned char *)out);
3463}
3464
3465static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3466 size_t inlen, int *al, void *parse_arg)
3467{
3468 int *server = (int *)parse_arg;
3469
3470 if (SSL_is_server(s))
3471 srvparseoldcb++;
3472 else
3473 clntparseoldcb++;
3474
710756a9
RS		 3475 if (*server != SSL_is_server(s)
3476 || inlen != sizeof(char)
3477 || *in != 1)
a37008d9
MC		 3478 return -1;
3479
3480 return 1;
3481}
3482
3483static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3484 const unsigned char **out, size_t *outlen, X509 *x,
3485 size_t chainidx, int *al, void *add_arg)
3486{
3487 int *server = (int *)add_arg;
3488 unsigned char *data;
3489
3490 if (SSL_is_server(s))
3491 srvaddnewcb++;
3492 else
3493 clntaddnewcb++;
3494
710756a9
RS		 3495 if (*server != SSL_is_server(s)
3496 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3497 return -1;
3498
3499 *data = 1;
3500 *out = data;
710756a9 3501 *outlen = sizeof(*data);
a37008d9
MC		 3502 return 1;
3503}
3504
3505static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3506 const unsigned char *out, void *add_arg)
3507{
3508 OPENSSL_free((unsigned char *)out);
3509}
3510
3511static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3512 const unsigned char *in, size_t inlen, X509 *x,
3513 size_t chainidx, int *al, void *parse_arg)
3514{
3515 int *server = (int *)parse_arg;
3516
3517 if (SSL_is_server(s))
3518 srvparsenewcb++;
3519 else
3520 clntparsenewcb++;
3521
710756a9
RS		 3522 if (*server != SSL_is_server(s)
3523 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3524 return -1;
3525
3526 return 1;
3527}
bb01ef3f
MC		 3528
3529static int sni_cb(SSL *s, int *al, void *arg)
3530{
3531 SSL_CTX *ctx = (SSL_CTX *)arg;
3532
3533 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3534 *al = SSL_AD_INTERNAL_ERROR;
3535 return SSL_TLSEXT_ERR_ALERT_FATAL;
3536 }
3537 snicb++;
3538 return SSL_TLSEXT_ERR_OK;
3539}
3540
a37008d9
MC		 3541/*
3542 * Custom call back tests.
3543 * Test 0: Old style callbacks in TLSv1.2
3544 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3545 * Test 2: New style callbacks in TLSv1.2 with SNI
3546 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3547 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3548 */
710756a9
RS		 3549static int test_custom_exts(int tst)
3550{
bb01ef3f 3551 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3552 SSL *clientssl = NULL, *serverssl = NULL;
3553 int testresult = 0;
3554 static int server = 1;
3555 static int client = 0;
3556 SSL_SESSION *sess = NULL;
3557 unsigned int context;
3558
c423ecaa
MC		 3559#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3560 /* Skip tests for TLSv1.2 and below in this case */
3561 if (tst < 3)
3562 return 1;
3563#endif
3564
a37008d9
MC		 3565 /* Reset callback counters */
3566 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3567 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3568 snicb = 0;
a37008d9 3569
7d7f6834
RL		 3570 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3571 TLS1_VERSION, TLS_MAX_VERSION,
3572 &sctx, &cctx, cert, privkey)))
710756a9 3573 goto end;
a37008d9 3574
bb01ef3f 3575 if (tst == 2
7d7f6834
RL		 3576 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3577 TLS1_VERSION, TLS_MAX_VERSION,
3578 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3579 goto end;
3580
3581
3582 if (tst < 3) {
a37008d9
MC		 3583 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3584 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3585 if (sctx2 != NULL)
3586 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3587 }
3588
bb01ef3f 3589 if (tst == 4) {
710756a9
RS		 3590 context = SSL_EXT_CLIENT_HELLO
3591 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3592 | SSL_EXT_TLS1_3_SERVER_HELLO
3593 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3594 | SSL_EXT_TLS1_3_CERTIFICATE
3595 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3596 } else {
710756a9
RS		 3597 context = SSL_EXT_CLIENT_HELLO
3598 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3599 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3600 }
3601
3602 /* Create a client side custom extension */
3603 if (tst == 0) {
710756a9
RS		 3604 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3605 old_add_cb, old_free_cb,
3606 &client, old_parse_cb,
3607 &client)))
3608 goto end;
a37008d9 3609 } else {
710756a9
RS		 3610 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3611 new_add_cb, new_free_cb,
3612 &client, new_parse_cb, &client)))
3613 goto end;
a37008d9
MC		 3614 }
3615
3616 /* Should not be able to add duplicates */
710756a9
RS		 3617 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3618 old_add_cb, old_free_cb,
3619 &client, old_parse_cb,
3620 &client))
3621 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3622 context, new_add_cb,
3623 new_free_cb, &client,
3624 new_parse_cb, &client)))
3625 goto end;
a37008d9
MC		 3626
3627 /* Create a server side custom extension */
3628 if (tst == 0) {
710756a9
RS		 3629 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3630 old_add_cb, old_free_cb,
3631 &server, old_parse_cb,
3632 &server)))
3633 goto end;
a37008d9 3634 } else {
710756a9
RS		 3635 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3636 new_add_cb, new_free_cb,
3637 &server, new_parse_cb, &server)))
3638 goto end;
bb01ef3f
MC		 3639 if (sctx2 != NULL
3640 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3641 context, new_add_cb,
3642 new_free_cb, &server,
3643 new_parse_cb, &server)))
3644 goto end;
a37008d9
MC		 3645 }
3646
3647 /* Should not be able to add duplicates */
710756a9
RS		 3648 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3649 old_add_cb, old_free_cb,
3650 &server, old_parse_cb,
3651 &server))
3652 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3653 context, new_add_cb,
3654 new_free_cb, &server,
3655 new_parse_cb, &server)))
a37008d9 3656 goto end;
a37008d9 3657
bb01ef3f
MC		 3658 if (tst == 2) {
3659 /* Set up SNI */
3660 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3661 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3662 goto end;
3663 }
3664
710756a9
RS		 3665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3666 &clientssl, NULL, NULL))
3667 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3668 SSL_ERROR_NONE)))
a37008d9 3669 goto end;
a37008d9
MC		 3670
3671 if (tst == 0) {
710756a9
RS		 3672 if (clntaddoldcb != 1
3673 || clntparseoldcb != 1
3674 || srvaddoldcb != 1
3675 || srvparseoldcb != 1)
a37008d9 3676 goto end;
bb01ef3f 3677 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3678 if (clntaddnewcb != 1
3679 || clntparsenewcb != 1
3680 || srvaddnewcb != 1
bb01ef3f
MC		 3681 || srvparsenewcb != 1
3682 || (tst != 2 && snicb != 0)
3683 || (tst == 2 && snicb != 1))
a37008d9 3684 goto end;
a37008d9 3685 } else {
36ff232c 3686 /* In this case there 2 NewSessionTicket messages created */
710756a9 3687 if (clntaddnewcb != 1
36ff232c
MC		 3688 || clntparsenewcb != 5
3689 || srvaddnewcb != 5
710756a9 3690 || srvparsenewcb != 1)
a37008d9 3691 goto end;
a37008d9
MC		 3692 }
3693
3694 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3695 SSL_shutdown(clientssl);
3696 SSL_shutdown(serverssl);
a37008d9
MC		 3697 SSL_free(serverssl);
3698 SSL_free(clientssl);
3699 serverssl = clientssl = NULL;
3700
bb01ef3f
MC		 3701 if (tst == 3) {
3702 /* We don't bother with the resumption aspects for this test */
3703 testresult = 1;
3704 goto end;
3705 }
3706
710756a9
RS		 3707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3708 NULL, NULL))
3709 || !TEST_true(SSL_set_session(clientssl, sess))
3710 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3711 SSL_ERROR_NONE)))
a37008d9 3712 goto end;
a37008d9
MC		 3713
3714 /*
3715 * For a resumed session we expect to add the ClientHello extension. For the
3716 * old style callbacks we ignore it on the server side because they set
3717 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3718 * them.
3719 */
3720 if (tst == 0) {
710756a9
RS		 3721 if (clntaddoldcb != 2
3722 || clntparseoldcb != 1
3723 || srvaddoldcb != 1
3724 || srvparseoldcb != 1)
a37008d9 3725 goto end;
bb01ef3f 3726 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3727 if (clntaddnewcb != 2
3728 || clntparsenewcb != 2
3729 || srvaddnewcb != 2
3730 || srvparsenewcb != 2)
a37008d9 3731 goto end;
a37008d9 3732 } else {
36ff232c
MC		 3733 /*
3734 * No Certificate message extensions in the resumption handshake,
3735 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3736 */
710756a9 3737 if (clntaddnewcb != 2
36ff232c
MC		 3738 || clntparsenewcb != 8
3739 || srvaddnewcb != 8
710756a9 3740 || srvparsenewcb != 2)
a37008d9 3741 goto end;
a37008d9
MC		 3742 }
3743
3744 testresult = 1;
3745
3746end:
3747 SSL_SESSION_free(sess);
3748 SSL_free(serverssl);
3749 SSL_free(clientssl);
bb01ef3f 3750 SSL_CTX_free(sctx2);
a37008d9
MC		 3751 SSL_CTX_free(sctx);
3752 SSL_CTX_free(cctx);
a37008d9
MC		 3753 return testresult;
3754}
3755
16afd71c
MC		 3756/*
3757 * Test loading of serverinfo data in various formats. test_sslmessages actually
3758 * tests to make sure the extensions appear in the handshake
3759 */
3760static int test_serverinfo(int tst)
3761{
3762 unsigned int version;
3763 unsigned char *sibuf;
3764 size_t sibuflen;
3765 int ret, expected, testresult = 0;
3766 SSL_CTX *ctx;
3767
3768 ctx = SSL_CTX_new(TLS_method());
3769 if (!TEST_ptr(ctx))
3770 goto end;
3771
3772 if ((tst & 0x01) == 0x01)
3773 version = SSL_SERVERINFOV2;
3774 else
3775 version = SSL_SERVERINFOV1;
3776
3777 if ((tst & 0x02) == 0x02) {
3778 sibuf = serverinfov2;
3779 sibuflen = sizeof(serverinfov2);
3780 expected = (version == SSL_SERVERINFOV2);
3781 } else {
3782 sibuf = serverinfov1;
3783 sibuflen = sizeof(serverinfov1);
3784 expected = (version == SSL_SERVERINFOV1);
3785 }
3786
3787 if ((tst & 0x04) == 0x04) {
3788 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3789 } else {
3790 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3791
3792 /*
3793 * The version variable is irrelevant in this case - it's what is in the
3794 * buffer that matters
3795 */
3796 if ((tst & 0x02) == 0x02)
3797 expected = 0;
3798 else
3799 expected = 1;
3800 }
3801
3802 if (!TEST_true(ret == expected))
3803 goto end;
3804
3805 testresult = 1;
3806
3807 end:
3808 SSL_CTX_free(ctx);
3809
3810 return testresult;
3811}
3812
2197d1df
MC		 3813/*
3814 * Test that SSL_export_keying_material() produces expected results. There are
3815 * no test vectors so all we do is test that both sides of the communication
3816 * produce the same results for different protocol versions.
3817 */
3818static int test_export_key_mat(int tst)
3819{
a599574b 3820 int testresult = 0;
2197d1df
MC		 3821 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3822 SSL *clientssl = NULL, *serverssl = NULL;
3823 const char label[] = "test label";
3824 const unsigned char context[] = "context";
3825 const unsigned char *emptycontext = NULL;
3826 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3827 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3828 const int protocols[] = {
3829 TLS1_VERSION,
3830 TLS1_1_VERSION,
3831 TLS1_2_VERSION,
3832 TLS1_3_VERSION
3833 };
2197d1df
MC		 3834
3835#ifdef OPENSSL_NO_TLS1
3836 if (tst == 0)
3837 return 1;
3838#endif
3839#ifdef OPENSSL_NO_TLS1_1
3840 if (tst == 1)
3841 return 1;
3842#endif
3843#ifdef OPENSSL_NO_TLS1_2
3844 if (tst == 2)
3845 return 1;
3846#endif
3847#ifdef OPENSSL_NO_TLS1_3
3848 if (tst == 3)
3849 return 1;
3850#endif
7d7f6834
RL		 3851 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3852 TLS1_VERSION, TLS_MAX_VERSION,
3853 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 3854 goto end;
3855
a599574b
MC		 3856 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3857 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3858 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3859
3860 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3861 NULL))
3862 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3863 SSL_ERROR_NONE)))
3864 goto end;
3865
3866 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3867 sizeof(ckeymat1), label,
3868 sizeof(label) - 1, context,
3869 sizeof(context) - 1, 1), 1)
3870 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3871 sizeof(ckeymat2), label,
3872 sizeof(label) - 1,
3873 emptycontext,
3874 0, 1), 1)
3875 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3876 sizeof(ckeymat3), label,
3877 sizeof(label) - 1,
3878 NULL, 0, 0), 1)
3879 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3880 sizeof(skeymat1), label,
3881 sizeof(label) - 1,
3882 context,
3883 sizeof(context) -1, 1),
3884 1)
3885 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3886 sizeof(skeymat2), label,
3887 sizeof(label) - 1,
3888 emptycontext,
3889 0, 1), 1)
3890 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3891 sizeof(skeymat3), label,
3892 sizeof(label) - 1,
3893 NULL, 0, 0), 1)
3894 /*
3895 * Check that both sides created the same key material with the
3896 * same context.
3897 */
3898 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3899 sizeof(skeymat1))
3900 /*
3901 * Check that both sides created the same key material with an
3902 * empty context.
3903 */
3904 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3905 sizeof(skeymat2))
3906 /*
3907 * Check that both sides created the same key material without a
3908 * context.
3909 */
3910 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3911 sizeof(skeymat3))
3912 /* Different contexts should produce different results */
3913 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3914 sizeof(ckeymat2)))
3915 goto end;
3916
3917 /*
3918 * Check that an empty context and no context produce different results in
3919 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3920 */
3921 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3922 sizeof(ckeymat3)))
3923 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3924 sizeof(ckeymat3))))
3925 goto end;
3926
3927 testresult = 1;
3928
3929 end:
3930 SSL_free(serverssl);
3931 SSL_free(clientssl);
3932 SSL_CTX_free(sctx2);
3933 SSL_CTX_free(sctx);
3934 SSL_CTX_free(cctx);
3935
3936 return testresult;
3937}
3938
b38ede80
TT		 3939#ifndef OPENSSL_NO_TLS1_3
3940/*
3941 * Test that SSL_export_keying_material_early() produces expected
3942 * results. There are no test vectors so all we do is test that both
3943 * sides of the communication produce the same results for different
3944 * protocol versions.
3945 */
3946static int test_export_key_mat_early(int idx)
3947{
3948 static const char label[] = "test label";
3949 static const unsigned char context[] = "context";
3950 int testresult = 0;
3951 SSL_CTX *cctx = NULL, *sctx = NULL;
3952 SSL *clientssl = NULL, *serverssl = NULL;
3953 SSL_SESSION *sess = NULL;
3954 const unsigned char *emptycontext = NULL;
3955 unsigned char ckeymat1[80], ckeymat2[80];
3956 unsigned char skeymat1[80], skeymat2[80];
3957 unsigned char buf[1];
3958 size_t readbytes, written;
3959
3960 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3961 &sess, idx)))
3962 goto end;
3963
3964 /* Here writing 0 length early data is enough. */
3965 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3966 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3967 &readbytes),
3968 SSL_READ_EARLY_DATA_ERROR)
3969 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3970 SSL_EARLY_DATA_ACCEPTED))
3971 goto end;
3972
3973 if (!TEST_int_eq(SSL_export_keying_material_early(
3974 clientssl, ckeymat1, sizeof(ckeymat1), label,
3975 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3976 || !TEST_int_eq(SSL_export_keying_material_early(
3977 clientssl, ckeymat2, sizeof(ckeymat2), label,
3978 sizeof(label) - 1, emptycontext, 0), 1)
3979 || !TEST_int_eq(SSL_export_keying_material_early(
3980 serverssl, skeymat1, sizeof(skeymat1), label,
3981 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3982 || !TEST_int_eq(SSL_export_keying_material_early(
3983 serverssl, skeymat2, sizeof(skeymat2), label,
3984 sizeof(label) - 1, emptycontext, 0), 1)
3985 /*
3986 * Check that both sides created the same key material with the
3987 * same context.
3988 */
3989 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3990 sizeof(skeymat1))
3991 /*
3992 * Check that both sides created the same key material with an
3993 * empty context.
3994 */
3995 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3996 sizeof(skeymat2))
3997 /* Different contexts should produce different results */
3998 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3999 sizeof(ckeymat2)))
4000 goto end;
4001
4002 testresult = 1;
4003
4004 end:
c20e3b28 4005 SSL_SESSION_free(sess);
b38ede80
TT		 4006 SSL_SESSION_free(clientpsk);
4007 SSL_SESSION_free(serverpsk);
34ff74eb 4008 clientpsk = serverpsk = NULL;
b38ede80
TT		 4009 SSL_free(serverssl);
4010 SSL_free(clientssl);
4011 SSL_CTX_free(sctx);
4012 SSL_CTX_free(cctx);
4013
4014 return testresult;
4015}
4016#endif /* OPENSSL_NO_TLS1_3 */
4017
e11b6aa4
MC		 4018static int test_ssl_clear(int idx)
4019{
4020 SSL_CTX *cctx = NULL, *sctx = NULL;
4021 SSL *clientssl = NULL, *serverssl = NULL;
4022 int testresult = 0;
4023
4024#ifdef OPENSSL_NO_TLS1_2
4025 if (idx == 1)
4026 return 1;
4027#endif
4028
4029 /* Create an initial connection */
7d7f6834
RL		 4030 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4031 TLS1_VERSION, TLS_MAX_VERSION,
4032 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 4033 || (idx == 1
4034 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4035 TLS1_2_VERSION)))
4036 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4037 &clientssl, NULL, NULL))
4038 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4039 SSL_ERROR_NONE)))
4040 goto end;
4041
4042 SSL_shutdown(clientssl);
4043 SSL_shutdown(serverssl);
4044 SSL_free(serverssl);
4045 serverssl = NULL;
4046
4047 /* Clear clientssl - we're going to reuse the object */
4048 if (!TEST_true(SSL_clear(clientssl)))
4049 goto end;
4050
4051 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4052 NULL, NULL))
4053 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4054 SSL_ERROR_NONE))
4055 || !TEST_true(SSL_session_reused(clientssl)))
4056 goto end;
4057
4058 SSL_shutdown(clientssl);
4059 SSL_shutdown(serverssl);
4060
4061 testresult = 1;
4062
4063 end:
4064 SSL_free(serverssl);
4065 SSL_free(clientssl);
4066 SSL_CTX_free(sctx);
4067 SSL_CTX_free(cctx);
4068
4069 return testresult;
4070}
4071
cf72c757
F		 4072/* Parse CH and retrieve any MFL extension value if present */
4073static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4074{
4075 long len;
4076 unsigned char *data;
4077 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4078 unsigned int MFL_code = 0, type = 0;
4079
4080 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4081 goto end;
4082
4083 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4084 /* Skip the record header */
4085 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4086 /* Skip the handshake message header */
4087 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4088 /* Skip client version and random */
4089 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4090 + SSL3_RANDOM_SIZE))
4091 /* Skip session id */
4092 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4093 /* Skip ciphers */
4094 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4095 /* Skip compression */
4096 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4097 /* Extensions len */
4098 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4099 goto end;
4100
4101 /* Loop through all extensions */
4102 while (PACKET_remaining(&pkt2)) {
4103 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4104 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4105 goto end;
4106
4107 if (type == TLSEXT_TYPE_max_fragment_length) {
4108 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4109 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4110 goto end;
4111
4112 *mfl_codemfl_code = MFL_code;
4113 return 1;
4114 }
4115 }
4116
4117 end:
4118 return 0;
4119}
4120
4121/* Maximum-Fragment-Length TLS extension mode to test */
4122static const unsigned char max_fragment_len_test[] = {
4123 TLSEXT_max_fragment_length_512,
4124 TLSEXT_max_fragment_length_1024,
4125 TLSEXT_max_fragment_length_2048,
4126 TLSEXT_max_fragment_length_4096
4127};
4128
4129static int test_max_fragment_len_ext(int idx_tst)
4130{
4131 SSL_CTX *ctx;
4132 SSL *con = NULL;
4133 int testresult = 0, MFL_mode = 0;
4134 BIO *rbio, *wbio;
4135
4136 ctx = SSL_CTX_new(TLS_method());
4137 if (!TEST_ptr(ctx))
4138 goto end;
4139
4140 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4141 ctx, max_fragment_len_test[idx_tst])))
4142 goto end;
4143
4144 con = SSL_new(ctx);
4145 if (!TEST_ptr(con))
4146 goto end;
4147
4148 rbio = BIO_new(BIO_s_mem());
4149 wbio = BIO_new(BIO_s_mem());
4150 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4151 BIO_free(rbio);
4152 BIO_free(wbio);
4153 goto end;
4154 }
4155
4156 SSL_set_bio(con, rbio, wbio);
4157 SSL_set_connect_state(con);
4158
4159 if (!TEST_int_le(SSL_connect(con), 0)) {
4160 /* This shouldn't succeed because we don't have a server! */
4161 goto end;
4162 }
4163
4164 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4165 /* no MFL in client hello */
4166 goto end;
4167 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4168 goto end;
4169
4170 testresult = 1;
4171
4172end:
4173 SSL_free(con);
4174 SSL_CTX_free(ctx);
4175
4176 return testresult;
4177}
4178
9d75dce3
TS		 4179#ifndef OPENSSL_NO_TLS1_3
4180static int test_pha_key_update(void)
4181{
4182 SSL_CTX *cctx = NULL, *sctx = NULL;
4183 SSL *clientssl = NULL, *serverssl = NULL;
4184 int testresult = 0;
4185
7d7f6834
RL		 4186 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4187 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 4188 &sctx, &cctx, cert, privkey)))
4189 return 0;
4190
4191 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4192 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4193 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4194 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4195 goto end;
4196
4197
4198 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4199 NULL, NULL)))
4200 goto end;
4201
4202 SSL_force_post_handshake_auth(clientssl);
4203
4204 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4205 SSL_ERROR_NONE)))
4206 goto end;
4207
4208 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4209 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4210 goto end;
4211
4212 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4213 goto end;
4214
4215 /* Start handshake on the server */
4216 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4217 goto end;
4218
4219 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4220 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4221 SSL_ERROR_NONE)))
4222 goto end;
4223
4224 SSL_shutdown(clientssl);
4225 SSL_shutdown(serverssl);
4226
4227 testresult = 1;
4228
4229 end:
4230 SSL_free(serverssl);
4231 SSL_free(clientssl);
4232 SSL_CTX_free(sctx);
4233 SSL_CTX_free(cctx);
4234 return testresult;
4235}
4236#endif
4237
76fd7a1d
MC		 4238#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4239
4240static SRP_VBASE *vbase = NULL;
4241
4242static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4243{
4244 int ret = SSL3_AL_FATAL;
4245 char *username;
4246 SRP_user_pwd *user = NULL;
4247
4248 username = SSL_get_srp_username(s);
4249 if (username == NULL) {
4250 *ad = SSL_AD_INTERNAL_ERROR;
4251 goto err;
4252 }
4253
4254 user = SRP_VBASE_get1_by_user(vbase, username);
4255 if (user == NULL) {
4256 *ad = SSL_AD_INTERNAL_ERROR;
4257 goto err;
4258 }
4259
4260 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4261 user->info) <= 0) {
4262 *ad = SSL_AD_INTERNAL_ERROR;
4263 goto err;
4264 }
4265
4266 ret = 0;
4267
4268 err:
4269 SRP_user_pwd_free(user);
4270 return ret;
4271}
4272
4273static int create_new_vfile(char *userid, char *password, const char *filename)
4274{
4275 char *gNid = NULL;
4276 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4277 TXT_DB *db = NULL;
4278 int ret = 0;
4279 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4280 size_t i;
4281
4282 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4283 goto end;
4284
4285 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4286 &row[DB_srpverifier], NULL, NULL);
4287 if (!TEST_ptr(gNid))
4288 goto end;
4289
4290 /*
4291 * The only way to create an empty TXT_DB is to provide a BIO with no data
4292 * in it!
4293 */
4294 db = TXT_DB_read(dummy, DB_NUMBER);
4295 if (!TEST_ptr(db))
4296 goto end;
4297
4298 out = BIO_new_file(filename, "w");
4299 if (!TEST_ptr(out))
4300 goto end;
4301
4302 row[DB_srpid] = OPENSSL_strdup(userid);
4303 row[DB_srptype] = OPENSSL_strdup("V");
4304 row[DB_srpgN] = OPENSSL_strdup(gNid);
4305
4306 if (!TEST_ptr(row[DB_srpid])
4307 || !TEST_ptr(row[DB_srptype])
4308 || !TEST_ptr(row[DB_srpgN])
4309 || !TEST_true(TXT_DB_insert(db, row)))
4310 goto end;
4311
4312 row = NULL;
4313
4314 if (!TXT_DB_write(out, db))
4315 goto end;
4316
4317 ret = 1;
4318 end:
4319 if (row != NULL) {
4320 for (i = 0; i < DB_NUMBER; i++)
4321 OPENSSL_free(row[i]);
4322 }
4323 OPENSSL_free(row);
4324 BIO_free(dummy);
4325 BIO_free(out);
4326 TXT_DB_free(db);
4327
4328 return ret;
4329}
4330
4331static int create_new_vbase(char *userid, char *password)
4332{
4333 BIGNUM *verifier = NULL, *salt = NULL;
4334 const SRP_gN *lgN = NULL;
4335 SRP_user_pwd *user_pwd = NULL;
4336 int ret = 0;
4337
4338 lgN = SRP_get_default_gN(NULL);
4339 if (!TEST_ptr(lgN))
4340 goto end;
4341
4342 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4343 lgN->N, lgN->g)))
4344 goto end;
4345
4346 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4347 if (!TEST_ptr(user_pwd))
4348 goto end;
4349
4350 user_pwd->N = lgN->N;
4351 user_pwd->g = lgN->g;
4352 user_pwd->id = OPENSSL_strdup(userid);
4353 if (!TEST_ptr(user_pwd->id))
4354 goto end;
4355
4356 user_pwd->v = verifier;
4357 user_pwd->s = salt;
4358 verifier = salt = NULL;
4359
4360 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4361 goto end;
4362 user_pwd = NULL;
4363
4364 ret = 1;
4365end:
4366 SRP_user_pwd_free(user_pwd);
4367 BN_free(salt);
4368 BN_free(verifier);
4369
4370 return ret;
4371}
4372
4373/*
4374 * SRP tests
4375 *
4376 * Test 0: Simple successful SRP connection, new vbase
4377 * Test 1: Connection failure due to bad password, new vbase
4378 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4379 * Test 3: Connection failure due to bad password, vbase loaded from existing
4380 * file
4381 * Test 4: Simple successful SRP connection, vbase loaded from new file
4382 * Test 5: Connection failure due to bad password, vbase loaded from new file
4383 */
4384static int test_srp(int tst)
4385{
4386 char *userid = "test", *password = "password", *tstsrpfile;
4387 SSL_CTX *cctx = NULL, *sctx = NULL;
4388 SSL *clientssl = NULL, *serverssl = NULL;
4389 int ret, testresult = 0;
4390
4391 vbase = SRP_VBASE_new(NULL);
4392 if (!TEST_ptr(vbase))
4393 goto end;
4394
4395 if (tst == 0 || tst == 1) {
4396 if (!TEST_true(create_new_vbase(userid, password)))
4397 goto end;
4398 } else {
4399 if (tst == 4 || tst == 5) {
4400 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4401 goto end;
4402 tstsrpfile = tmpfilename;
4403 } else {
4404 tstsrpfile = srpvfile;
4405 }
4406 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4407 goto end;
4408 }
4409
4410 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4411 TLS1_VERSION, TLS_MAX_VERSION,
4412 &sctx, &cctx, cert, privkey)))
4413 goto end;
4414
4415 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4416 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4417 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4418 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4419 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4420 goto end;
4421
4422 if (tst % 2 == 1) {
4423 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4424 goto end;
4425 } else {
4426 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4427 goto end;
4428 }
4429
4430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4431 NULL, NULL)))
4432 goto end;
4433
4434 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4435 if (ret) {
4436 if (!TEST_true(tst % 2 == 0))
4437 goto end;
4438 } else {
4439 if (!TEST_true(tst % 2 == 1))
4440 goto end;
4441 }
4442
4443 testresult = 1;
4444
4445 end:
4446 SRP_VBASE_free(vbase);
4447 vbase = NULL;
4448 SSL_free(serverssl);
4449 SSL_free(clientssl);
4450 SSL_CTX_free(sctx);
4451 SSL_CTX_free(cctx);
4452
4453 return testresult;
4454}
4455#endif
4456
5718fe45
MC		 4457static int info_cb_failed = 0;
4458static int info_cb_offset = 0;
4459static int info_cb_this_state = -1;
4460
4461static struct info_cb_states_st {
4462 int where;
4463 const char *statestr;
4464} info_cb_states[][60] = {
4465 {
4466 /* TLSv1.2 server followed by resumption */
4467 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4468 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4469 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4470 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4471 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4472 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4473 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4474 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4475 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4476 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4477 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4478 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4479 {SSL_CB_EXIT, NULL}, {0, NULL},
4480 }, {
4481 /* TLSv1.2 client followed by resumption */
4482 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4483 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4484 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4485 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4486 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4487 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4488 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4489 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4490 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4491 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4492 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4493 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4494 }, {
4495 /* TLSv1.3 server followed by resumption */
4496 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4497 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4498 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4499 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4500 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4501 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4502 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4503 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4504 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4505 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4506 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4507 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4508 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4509 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4510 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4511 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4512 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4513 }, {
4514 /* TLSv1.3 client followed by resumption */
4515 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4516 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4517 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4518 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4519 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4520 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4521 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4522 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4523 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4524 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4525 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4526 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4527 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4528 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4529 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4530 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4531 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4532 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4533 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4534 }, {
4535 /* TLSv1.3 server, early_data */
4536 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4537 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4538 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4539 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4540 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4541 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4542 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4543 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4544 {SSL_CB_EXIT, NULL}, {0, NULL},
4545 }, {
4546 /* TLSv1.3 client, early_data */
4547 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4548 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4549 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4550 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4551 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4552 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4553 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4554 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4555 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4556 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4557 }, {
4558 {0, NULL},
4559 }
4560};
4561
4562static void sslapi_info_callback(const SSL *s, int where, int ret)
4563{
4564 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4565
4566 /* We do not ever expect a connection to fail in this test */
4567 if (!TEST_false(ret == 0)) {
4568 info_cb_failed = 1;
4569 return;
4570 }
4571
4572 /*
4573 * Do some sanity checks. We never expect these things to happen in this
4574 * test
4575 */
4576 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4577 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4578 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4579 info_cb_failed = 1;
4580 return;
4581 }
4582
4583 /* Now check we're in the right state */
4584 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4585 info_cb_failed = 1;
4586 return;
4587 }
4588 if ((where & SSL_CB_LOOP) != 0
4589 && !TEST_int_eq(strcmp(SSL_state_string(s),
4590 state[info_cb_this_state].statestr), 0)) {
4591 info_cb_failed = 1;
4592 return;
4593 }
033c181b
MC		 4594
4595 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4596 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4597 info_cb_failed = 1;
4598 return;
4599 }
5718fe45
MC		 4600}
4601
4602/*
4603 * Test the info callback gets called when we expect it to.
4604 *
4605 * Test 0: TLSv1.2, server
4606 * Test 1: TLSv1.2, client
4607 * Test 2: TLSv1.3, server
4608 * Test 3: TLSv1.3, client
4609 * Test 4: TLSv1.3, server, early_data
4610 * Test 5: TLSv1.3, client, early_data
4611 */
4612static int test_info_callback(int tst)
4613{
4614 SSL_CTX *cctx = NULL, *sctx = NULL;
4615 SSL *clientssl = NULL, *serverssl = NULL;
4616 SSL_SESSION *clntsess = NULL;
4617 int testresult = 0;
4618 int tlsvers;
4619
4620 if (tst < 2) {
1aac20f5
MC		 4621/* We need either ECDHE or DHE for the TLSv1.2 test to work */
4622#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4623 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 4624 tlsvers = TLS1_2_VERSION;
4625#else
4626 return 1;
4627#endif
4628 } else {
4629#ifndef OPENSSL_NO_TLS1_3
4630 tlsvers = TLS1_3_VERSION;
4631#else
4632 return 1;
4633#endif
4634 }
4635
4636 /* Reset globals */
4637 info_cb_failed = 0;
4638 info_cb_this_state = -1;
4639 info_cb_offset = tst;
4640
6e07834c 4641#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4642 if (tst >= 4) {
4643 SSL_SESSION *sess = NULL;
4644 size_t written, readbytes;
4645 unsigned char buf[80];
4646
4647 /* early_data tests */
4648 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4649 &serverssl, &sess, 0)))
4650 goto end;
4651
4652 /* We don't actually need this reference */
4653 SSL_SESSION_free(sess);
4654
4655 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4656 sslapi_info_callback);
4657
4658 /* Write and read some early data and then complete the connection */
4659 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4660 &written))
4661 || !TEST_size_t_eq(written, strlen(MSG1))
4662 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4663 sizeof(buf), &readbytes),
4664 SSL_READ_EARLY_DATA_SUCCESS)
4665 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4666 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4667 SSL_EARLY_DATA_ACCEPTED)
4668 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4669 SSL_ERROR_NONE))
4670 || !TEST_false(info_cb_failed))
4671 goto end;
4672
4673 testresult = 1;
4674 goto end;
4675 }
6e07834c 4676#endif
5718fe45
MC		 4677
4678 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4679 TLS_client_method(),
4680 tlsvers, tlsvers, &sctx, &cctx, cert,
4681 privkey)))
4682 goto end;
4683
4684 /*
4685 * For even numbered tests we check the server callbacks. For odd numbers we
4686 * check the client.
4687 */
4688 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4689 sslapi_info_callback);
4690
4691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4692 &clientssl, NULL, NULL))
4693 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4694 SSL_ERROR_NONE))
4695 || !TEST_false(info_cb_failed))
4696 goto end;
4697
4698
4699
4700 clntsess = SSL_get1_session(clientssl);
4701 SSL_shutdown(clientssl);
4702 SSL_shutdown(serverssl);
4703 SSL_free(serverssl);
4704 SSL_free(clientssl);
4705 serverssl = clientssl = NULL;
4706
4707 /* Now do a resumption */
4708 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4709 NULL))
4710 || !TEST_true(SSL_set_session(clientssl, clntsess))
4711 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4712 SSL_ERROR_NONE))
4713 || !TEST_true(SSL_session_reused(clientssl))
4714 || !TEST_false(info_cb_failed))
4715 goto end;
4716
4717 testresult = 1;
4718
4719 end:
4720 SSL_free(serverssl);
4721 SSL_free(clientssl);
4722 SSL_SESSION_free(clntsess);
4723 SSL_CTX_free(sctx);
4724 SSL_CTX_free(cctx);
4725 return testresult;
4726}
4727
4a432af8
MC		 4728static int test_ssl_pending(int tst)
4729{
4730 SSL_CTX *cctx = NULL, *sctx = NULL;
4731 SSL *clientssl = NULL, *serverssl = NULL;
4732 int testresult = 0;
4733 char msg[] = "A test message";
4734 char buf[5];
4735 size_t written, readbytes;
4736
4737 if (tst == 0) {
4738 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4739 TLS_client_method(),
4740 TLS1_VERSION, TLS_MAX_VERSION,
4741 &sctx, &cctx, cert, privkey)))
4742 goto end;
4743 } else {
4744#ifndef OPENSSL_NO_DTLS
4745 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4746 DTLS_client_method(),
4747 DTLS1_VERSION, DTLS_MAX_VERSION,
4748 &sctx, &cctx, cert, privkey)))
4749 goto end;
4750#else
4751 return 1;
4752#endif
4753 }
4754
4755 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4756 NULL, NULL))
4757 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4758 SSL_ERROR_NONE)))
4759 goto end;
4760
e8251092
MC		 4761 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4762 || !TEST_false(SSL_has_pending(clientssl))
4763 || !TEST_int_eq(SSL_pending(serverssl), 0)
4764 || !TEST_false(SSL_has_pending(serverssl))
4765 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4766 || !TEST_size_t_eq(written, sizeof(msg))
4767 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4768 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4769 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4770 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4771 goto end;
4772
4773 testresult = 1;
4774
4775 end:
4776 SSL_free(serverssl);
4777 SSL_free(clientssl);
4778 SSL_CTX_free(sctx);
4779 SSL_CTX_free(cctx);
4780
4781 return testresult;
4782}
4783
e401389a
MC		 4784static struct {
4785 unsigned int maxprot;
4786 const char *clntciphers;
4787 const char *clnttls13ciphers;
4788 const char *srvrciphers;
4789 const char *srvrtls13ciphers;
4790 const char *shared;
4791} shared_ciphers_data[] = {
60155b9a
MC		 4792/*
4793 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4794 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4795 */
4796#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 4797 {
4798 TLS1_2_VERSION,
4799 "AES128-SHA:AES256-SHA",
4800 NULL,
4801 "AES256-SHA:DHE-RSA-AES128-SHA",
4802 NULL,
4803 "AES256-SHA"
4804 },
4805 {
4806 TLS1_2_VERSION,
4807 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4808 NULL,
4809 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4810 NULL,
4811 "AES128-SHA:AES256-SHA"
4812 },
4813 {
4814 TLS1_2_VERSION,
4815 "AES128-SHA:AES256-SHA",
4816 NULL,
4817 "AES128-SHA:DHE-RSA-AES128-SHA",
4818 NULL,
4819 "AES128-SHA"
4820 },
60155b9a
MC		 4821#endif
4822/*
4823 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4824 * enabled.
4825 */
4826#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4827 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 4828 {
4829 TLS1_3_VERSION,
4830 "AES128-SHA:AES256-SHA",
4831 NULL,
4832 "AES256-SHA:AES128-SHA256",
4833 NULL,
4834 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4835 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4836 },
60155b9a
MC		 4837#endif
4838#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 4839 {
4840 TLS1_3_VERSION,
4841 "AES128-SHA",
4842 "TLS_AES_256_GCM_SHA384",
4843 "AES256-SHA",
4844 "TLS_AES_256_GCM_SHA384",
4845 "TLS_AES_256_GCM_SHA384"
4846 },
4847#endif
4848};
4849
4850static int test_ssl_get_shared_ciphers(int tst)
4851{
4852 SSL_CTX *cctx = NULL, *sctx = NULL;
4853 SSL *clientssl = NULL, *serverssl = NULL;
4854 int testresult = 0;
4855 char buf[1024];
4856
4857 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4858 TLS_client_method(),
4859 TLS1_VERSION,
4860 shared_ciphers_data[tst].maxprot,
4861 &sctx, &cctx, cert, privkey)))
4862 goto end;
4863
4864 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4865 shared_ciphers_data[tst].clntciphers))
4866 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4867 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4868 shared_ciphers_data[tst].clnttls13ciphers)))
4869 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4870 shared_ciphers_data[tst].srvrciphers))
4871 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4872 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4873 shared_ciphers_data[tst].srvrtls13ciphers))))
4874 goto end;
4875
4876
4877 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4878 NULL, NULL))
4879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4880 SSL_ERROR_NONE)))
4881 goto end;
4882
4883 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4884 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4885 TEST_info("Shared ciphers are: %s\n", buf);
4886 goto end;
4887 }
4888
4889 testresult = 1;
4890
4891 end:
4892 SSL_free(serverssl);
4893 SSL_free(clientssl);
4894 SSL_CTX_free(sctx);
4895 SSL_CTX_free(cctx);
4896
4897 return testresult;
4898}
4899
d0191fe0 4900static const char *appdata = "Hello World";
61fb5923
MC		 4901static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4902static int tick_key_renew = 0;
4903static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 4904
4905static int gen_tick_cb(SSL *s, void *arg)
4906{
4907 gen_tick_called = 1;
4908
4909 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4910 strlen(appdata));
4911}
4912
4913static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4914 const unsigned char *keyname,
4915 size_t keyname_length,
61fb5923
MC		 4916 SSL_TICKET_STATUS status,
4917 void *arg)
d0191fe0
MC		 4918{
4919 void *tickdata;
4920 size_t tickdlen;
4921
4922 dec_tick_called = 1;
4923
61fb5923
MC		 4924 if (status == SSL_TICKET_EMPTY)
4925 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 4926
61fb5923
MC		 4927 if (!TEST_true(status == SSL_TICKET_SUCCESS
4928 || status == SSL_TICKET_SUCCESS_RENEW))
4929 return SSL_TICKET_RETURN_ABORT;
4930
4931 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4932 &tickdlen))
d0191fe0
MC		 4933 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4934 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 4935 return SSL_TICKET_RETURN_ABORT;
d0191fe0 4936
61fb5923
MC		 4937 if (tick_key_cb_called) {
4938 /* Don't change what the ticket key callback wanted to do */
4939 switch (status) {
4940 case SSL_TICKET_NO_DECRYPT:
4941 return SSL_TICKET_RETURN_IGNORE_RENEW;
4942
4943 case SSL_TICKET_SUCCESS:
4944 return SSL_TICKET_RETURN_USE;
d0191fe0 4945
61fb5923
MC		 4946 case SSL_TICKET_SUCCESS_RENEW:
4947 return SSL_TICKET_RETURN_USE_RENEW;
4948
4949 default:
4950 return SSL_TICKET_RETURN_ABORT;
4951 }
4952 }
4953 return tick_dec_ret;
4954
4955}
d0191fe0
MC		 4956
4957static int tick_key_cb(SSL *s, unsigned char key_name[16],
4958 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4959 HMAC_CTX *hctx, int enc)
4960{
4961 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4962 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4963
61fb5923 4964 tick_key_cb_called = 1;
d0191fe0
MC		 4965 memset(iv, 0, AES_BLOCK_SIZE);
4966 memset(key_name, 0, 16);
4967 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4968 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4969 EVP_sha256(), NULL))
4970 return -1;
4971
61fb5923 4972 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 4973}
4974
4975/*
4976 * Test the various ticket callbacks
61fb5923
MC		 4977 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4978 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4979 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4980 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4981 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4982 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4983 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4984 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4985 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4986 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4987 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4988 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 4989 */
4990static int test_ticket_callbacks(int tst)
4991{
4992 SSL_CTX *cctx = NULL, *sctx = NULL;
4993 SSL *clientssl = NULL, *serverssl = NULL;
4994 SSL_SESSION *clntsess = NULL;
4995 int testresult = 0;
4996
4997#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 4998 if (tst % 2 == 0)
d0191fe0
MC		 4999 return 1;
5000#endif
5001#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 5002 if (tst % 2 == 1)
d0191fe0
MC		 5003 return 1;
5004#endif
5005
61fb5923 5006 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 5007
5008 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 5009 if (tst == 10 || tst == 11)
5010 tick_key_renew = 1;
d0191fe0 5011 else
61fb5923
MC		 5012 tick_key_renew = 0;
5013
5014 /* Which tests the decrypt ticket callback should request renewal for */
5015 switch (tst) {
5016 case 0:
5017 case 1:
5018 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5019 break;
5020
5021 case 2:
5022 case 3:
5023 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5024 break;
5025
5026 case 4:
5027 case 5:
5028 tick_dec_ret = SSL_TICKET_RETURN_USE;
5029 break;
5030
5031 case 6:
5032 case 7:
5033 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5034 break;
5035
5036 default:
5037 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5038 }
d0191fe0
MC		 5039
5040 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5041 TLS_client_method(),
5042 TLS1_VERSION,
61fb5923
MC		 5043 ((tst % 2) == 0) ? TLS1_2_VERSION
5044 : TLS1_3_VERSION,
d0191fe0
MC		 5045 &sctx, &cctx, cert, privkey)))
5046 goto end;
5047
61fb5923
MC		 5048 /*
5049 * We only want sessions to resume from tickets - not the session cache. So
5050 * switch the cache off.
5051 */
5052 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5053 goto end;
5054
d0191fe0
MC		 5055 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5056 NULL)))
5057 goto end;
5058
61fb5923 5059 if (tst >= 8
d0191fe0
MC		 5060 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5061 goto end;
5062
5063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5064 NULL, NULL))
5065 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5066 SSL_ERROR_NONE)))
5067 goto end;
5068
61fb5923
MC		 5069 /*
5070 * The decrypt ticket key callback in TLSv1.2 should be called even though
5071 * we have no ticket yet, because it gets called with a status of
5072 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5073 * actually send any ticket data). This does not happen in TLSv1.3 because
5074 * it is not valid to send empty ticket data in TLSv1.3.
5075 */
d0191fe0 5076 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 5077 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 5078 goto end;
5079
5080 gen_tick_called = dec_tick_called = 0;
5081
5082 clntsess = SSL_get1_session(clientssl);
5083 SSL_shutdown(clientssl);
5084 SSL_shutdown(serverssl);
5085 SSL_free(serverssl);
5086 SSL_free(clientssl);
5087 serverssl = clientssl = NULL;
5088
5089 /* Now do a resumption */
5090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5091 NULL))
5092 || !TEST_true(SSL_set_session(clientssl, clntsess))
5093 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 5094 SSL_ERROR_NONE)))
d0191fe0
MC		 5095 goto end;
5096
61fb5923
MC		 5097 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5098 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5099 if (!TEST_false(SSL_session_reused(clientssl)))
5100 goto end;
5101 } else {
5102 if (!TEST_true(SSL_session_reused(clientssl)))
5103 goto end;
5104 }
5105
d0191fe0 5106 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 5107 (tick_key_renew
5108 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5109 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5110 ? 1 : 0)
d0191fe0
MC		 5111 || !TEST_int_eq(dec_tick_called, 1))
5112 goto end;
5113
5114 testresult = 1;
5115
5116 end:
5117 SSL_SESSION_free(clntsess);
5118 SSL_free(serverssl);
5119 SSL_free(clientssl);
5120 SSL_CTX_free(sctx);
5121 SSL_CTX_free(cctx);
5122
5123 return testresult;
5124}
5125
c748834f
MC		 5126/*
5127 * Test bi-directional shutdown.
5128 * Test 0: TLSv1.2
5129 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5130 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5131 * Test 3: TLSv1.3, pending NewSessionTicket messages
5132 * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
5133 * reads it
5134 * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
5135 * doesn't read it
5136 */
5137static int test_shutdown(int tst)
5138{
5139 SSL_CTX *cctx = NULL, *sctx = NULL;
5140 SSL *clientssl = NULL, *serverssl = NULL;
5141 int testresult = 0;
5142 char msg[] = "A test message";
5143 char buf[80];
5144 size_t written, readbytes;
5145
5146#ifdef OPENSSL_NO_TLS1_2
a97d19f7 5147 if (tst <= 1)
c748834f
MC		 5148 return 1;
5149#endif
5150#ifdef OPENSSL_NO_TLS1_3
a97d19f7 5151 if (tst >= 2)
c748834f
MC		 5152 return 1;
5153#endif
5154
5155 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5156 TLS_client_method(),
5157 TLS1_VERSION,
5158 (tst <= 1) ? TLS1_2_VERSION
5159 : TLS1_3_VERSION,
5160 &sctx, &cctx, cert, privkey))
5161 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5162 NULL, NULL)))
5163 goto end;
5164
5165 if (tst == 3) {
5166 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
5167 SSL_ERROR_NONE)))
5168 goto end;
5169 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5170 SSL_ERROR_NONE))) {
5171 goto end;
5172 }
5173
5174 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5175 goto end;
5176
5177 if (tst >= 4) {
5178 /*
5179 * Reading on the server after the client has sent close_notify should
5180 * fail and provide SSL_ERROR_ZERO_RETURN
5181 */
5182 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5183 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5184 SSL_ERROR_ZERO_RETURN)
5185 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5186 SSL_RECEIVED_SHUTDOWN)
5187 /*
5188 * Even though we're shutdown on receive we should still be
5189 * able to write.
5190 */
5191 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
5192 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5193 goto end;
5194 if (tst == 4) {
5195 /* Should still be able to read data from server */
5196 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5197 &readbytes))
5198 || !TEST_size_t_eq(readbytes, sizeof(msg))
5199 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5200 goto end;
5201 }
5202 }
5203
5204 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 5205 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 5206 goto end;
5207
5208 if (tst < 4) {
5209 /*
5210 * For these tests the client has sent close_notify but it has not yet
5211 * been received by the server. The server has not sent close_notify
5212 * yet.
5213 */
5214 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 5215 /*
5216 * Writing on the server after sending close_notify shouldn't
5217 * be possible.
5218 */
5219 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f
MC		 5220 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
5221 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5222 goto end;
358ffa05 5223 } else if (tst == 4) {
c748834f
MC		 5224 /*
5225 * In this test the client has sent close_notify and it has been
5226 * received by the server which has responded with a close_notify. The
358ffa05 5227 * client needs to read the close_notify sent by the server.
c748834f 5228 */
c748834f
MC		 5229 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
5230 goto end;
358ffa05
MC		 5231 } else {
5232 /*
5233 * tst == 5
5234 *
5235 * The client has sent close_notify and is expecting a close_notify
5236 * back, but instead there is application data first. The shutdown
5237 * should fail with a fatal error.
5238 */
5239 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5240 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5241 goto end;
c748834f
MC		 5242 }
5243
5244 testresult = 1;
5245
5246 end:
5247 SSL_free(serverssl);
5248 SSL_free(clientssl);
5249 SSL_CTX_free(sctx);
5250 SSL_CTX_free(cctx);
5251
5252 return testresult;
5253}
5254
ad887416 5255int setup_tests(void)
2cb4b5f6 5256{
ad887416 5257 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 5258 || !TEST_ptr(privkey = test_get_argument(1))
5259 || !TEST_ptr(srpvfile = test_get_argument(2))
5260 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 5261 return 0;
2cb4b5f6 5262
f297e4ec
RS		 5263 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
5264#ifdef OPENSSL_NO_CRYPTO_MDEBUG
5265 TEST_error("not supported in this build");
5266 return 0;
5267#else
5268 int i, mcount, rcount, fcount;
5269
5270 for (i = 0; i < 4; i++)
5271 test_export_key_mat(i);
5272 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
5273 test_printf_stdout("malloc %d realloc %d free %d\n",
5274 mcount, rcount, fcount);
5275 return 1;
5276#endif
5277 }
5278
84d5549e 5279 ADD_TEST(test_large_message_tls);
7856332e 5280 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 5281#ifndef OPENSSL_NO_DTLS
84d5549e 5282 ADD_TEST(test_large_message_dtls);
55386bef 5283#endif
8f8c11d8 5284#ifndef OPENSSL_NO_OCSP
c887104f 5285 ADD_TEST(test_tlsext_status_type);
8f8c11d8 5286#endif
eaa776da
MC		 5287 ADD_TEST(test_session_with_only_int_cache);
5288 ADD_TEST(test_session_with_only_ext_cache);
5289 ADD_TEST(test_session_with_both_cache);
36ff232c 5290#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 5291 ADD_ALL_TESTS(test_stateful_tickets, 3);
5292 ADD_ALL_TESTS(test_stateless_tickets, 3);
36ff232c 5293#endif
7fb4c820 5294 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 5295 ADD_TEST(test_ssl_bio_pop_next_bio);
5296 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5297 ADD_TEST(test_ssl_bio_change_rbio);
5298 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 5299#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 5300 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 5301 ADD_TEST(test_keylog);
c423ecaa 5302#endif
6acdd3e5
CB		 5303#ifndef OPENSSL_NO_TLS1_3
5304 ADD_TEST(test_keylog_no_master_key);
5305#endif
e9ee6536 5306#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 5307 ADD_TEST(test_client_hello_cb);
5f982038
MC		 5308#endif
5309#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 5310 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 5311 /*
5312 * We don't do replay tests for external PSK. Replay protection isn't used
5313 * in that scenario.
5314 */
5315 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 5316 ADD_ALL_TESTS(test_early_data_skip, 3);
5317 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0d1b7789 5318 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 5319 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 5320 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 5321 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 5322# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 5323 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 5324# endif
e9ee6536 5325#endif
a273157a 5326#ifndef OPENSSL_NO_TLS1_3
034cb87b 5327 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 5328 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 5329#ifdef OPENSSL_NO_PSK
5330 ADD_ALL_TESTS(test_tls13_psk, 1);
5331#else
0d8da779 5332 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 5333#endif /* OPENSSL_NO_PSK */
bb01ef3f 5334 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 5335 ADD_TEST(test_stateless);
9d75dce3 5336 ADD_TEST(test_pha_key_update);
a273157a 5337#else
bb01ef3f 5338 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 5339#endif
16afd71c 5340 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 5341 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 5342#ifndef OPENSSL_NO_TLS1_3
5343 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5344#endif
e11b6aa4 5345 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 5346 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 5347#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5348 ADD_ALL_TESTS(test_srp, 6);
5349#endif
5718fe45 5350 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 5351 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 5352 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 5353 ADD_ALL_TESTS(test_ticket_callbacks, 12);
c748834f 5354 ADD_ALL_TESTS(test_shutdown, 6);
ad887416
P		 5355 return 1;
5356}
2cb4b5f6 5357
ad887416
P		 5358void cleanup_tests(void)
5359{
fa454945 5360 bio_s_mempacket_test_free();
2cb4b5f6 5361}
A mirror of the official openssl repository