]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add X509 related libctx changes.
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
2cb4b5f6
MC		 33
34#include "ssltestlib.h"
c887104f 35#include "testutil.h"
f297e4ec 36#include "testutil/output.h"
176db6dc 37#include "internal/nelem.h"
fe5d9450 38#include "internal/ktls.h"
706457b7 39#include "../ssl/ssl_local.h"
2cb4b5f6 40
b3842539
MC		 41/* Defined in filterprov.c */
42OSSL_provider_init_fn filter_provider_init;
43int filter_provider_set_filter(int operation, const char *name);
44
0c13cdf8
MC		 45/* Defined in tls-provider.c */
46int tls_provider_init(const OSSL_CORE_HANDLE *handle,
47 const OSSL_DISPATCH *in,
48 const OSSL_DISPATCH **out,
49 void **provctx);
852c2ed2
RS		 50DEFINE_STACK_OF(OCSP_RESPID)
51DEFINE_STACK_OF(X509)
52DEFINE_STACK_OF(X509_NAME)
53
5e30f2fd
MC		 54static OPENSSL_CTX *libctx = NULL;
55static OSSL_PROVIDER *defctxnull = NULL;
56
8614a4eb
MC		 57#ifndef OPENSSL_NO_TLS1_3
58
59static SSL_SESSION *clientpsk = NULL;
60static SSL_SESSION *serverpsk = NULL;
61static const char *pskid = "Identity";
62static const char *srvid;
63
64static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
65 size_t *idlen, SSL_SESSION **sess);
66static int find_session_cb(SSL *ssl, const unsigned char *identity,
67 size_t identity_len, SSL_SESSION **sess);
68
69static int use_session_cb_cnt = 0;
70static int find_session_cb_cnt = 0;
71
72static SSL_SESSION *create_a_psk(SSL *ssl);
73#endif
74
1a2a3a42 75static char *certsdir = NULL;
2cb4b5f6
MC		 76static char *cert = NULL;
77static char *privkey = NULL;
b3842539
MC		 78static char *cert2 = NULL;
79static char *privkey2 = NULL;
76fd7a1d
MC		 80static char *srpvfile = NULL;
81static char *tmpfilename = NULL;
2cb4b5f6 82
4f6c7044
MC		 83static int is_fips = 0;
84
cffe973c 85#define LOG_BUFFER_SIZE 2048
6acdd3e5 86static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 87static size_t server_log_buffer_index = 0;
6acdd3e5 88static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 89static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 90static int error_writing_log = 0;
91
8f8c11d8 92#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 93static const unsigned char orespder[] = "Dummy OCSP Response";
94static int ocsp_server_called = 0;
95static int ocsp_client_called = 0;
96
97static int cdummyarg = 1;
98static X509 *ocspcert = NULL;
8f8c11d8 99#endif
ba881d3b 100
84d5549e 101#define NUM_EXTRA_CERTS 40
cf72c757 102#define CLIENT_VERSION_LEN 2
84d5549e 103
f1a5939f
CB		 104/*
105 * This structure is used to validate that the correct number of log messages
106 * of various types are emitted when emitting secret logs.
107 */
108struct sslapitest_log_counts {
109 unsigned int rsa_key_exchange_count;
110 unsigned int master_secret_count;
cffe973c 111 unsigned int client_early_secret_count;
f1a5939f
CB		 112 unsigned int client_handshake_secret_count;
113 unsigned int server_handshake_secret_count;
114 unsigned int client_application_secret_count;
115 unsigned int server_application_secret_count;
01a2a654 116 unsigned int early_exporter_secret_count;
6329ce8f 117 unsigned int exporter_secret_count;
f1a5939f
CB		 118};
119
16afd71c
MC		 120
121static unsigned char serverinfov1[] = {
122 0xff, 0xff, /* Dummy extension type */
123 0x00, 0x01, /* Extension length is 1 byte */
124 0xff /* Dummy extension data */
125};
126
127static unsigned char serverinfov2[] = {
128 0x00, 0x00, 0x00,
129 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
130 0xff, 0xff, /* Dummy extension type */
131 0x00, 0x01, /* Extension length is 1 byte */
132 0xff /* Dummy extension data */
133};
134
104a733d
MC		 135static int hostname_cb(SSL *s, int *al, void *arg)
136{
137 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
138
139 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
140 || strcmp(hostname, "altgoodhost") == 0))
141 return SSL_TLSEXT_ERR_OK;
142
143 return SSL_TLSEXT_ERR_NOACK;
144}
145
710756a9
RS		 146static void client_keylog_callback(const SSL *ssl, const char *line)
147{
6acdd3e5
CB		 148 int line_length = strlen(line);
149
150 /* If the log doesn't fit, error out. */
710756a9
RS		 151 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
152 TEST_info("Client log too full");
6acdd3e5
CB		 153 error_writing_log = 1;
154 return;
155 }
156
157 strcat(client_log_buffer, line);
158 client_log_buffer_index += line_length;
710756a9 159 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 160}
161
710756a9
RS		 162static void server_keylog_callback(const SSL *ssl, const char *line)
163{
6acdd3e5
CB		 164 int line_length = strlen(line);
165
166 /* If the log doesn't fit, error out. */
710756a9 167 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 168 TEST_info("Server log too full");
6acdd3e5
CB		 169 error_writing_log = 1;
170 return;
171 }
172
173 strcat(server_log_buffer, line);
174 server_log_buffer_index += line_length;
710756a9 175 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 176}
177
178static int compare_hex_encoded_buffer(const char *hex_encoded,
179 size_t hex_length,
180 const uint8_t *raw,
710756a9
RS		 181 size_t raw_length)
182{
183 size_t i, j;
184 char hexed[3];
6acdd3e5 185
710756a9 186 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 187 return 1;
6acdd3e5 188
710756a9 189 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 190 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 191 if (!TEST_int_eq(hexed[0], hex_encoded[j])
192 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 193 return 1;
6acdd3e5
CB		 194 }
195
196 return 0;
197}
198
199static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 200 const SSL_SESSION *session,
710756a9
RS		 201 struct sslapitest_log_counts *expected)
202{
6acdd3e5
CB		 203 char *token = NULL;
204 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
205 size_t client_random_size = SSL3_RANDOM_SIZE;
206 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
207 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 208 unsigned int rsa_key_exchange_count = 0;
209 unsigned int master_secret_count = 0;
cffe973c 210 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 211 unsigned int client_handshake_secret_count = 0;
212 unsigned int server_handshake_secret_count = 0;
213 unsigned int client_application_secret_count = 0;
214 unsigned int server_application_secret_count = 0;
01a2a654 215 unsigned int early_exporter_secret_count = 0;
6329ce8f 216 unsigned int exporter_secret_count = 0;
6acdd3e5 217
710756a9
RS		 218 for (token = strtok(buffer, " \n"); token != NULL;
219 token = strtok(NULL, " \n")) {
6acdd3e5 220 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 221 /*
222 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 223 * hex-encoded encrypted secret, then the hex-encoded pre-master
224 * secret.
225 */
710756a9 226 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 227 return 0;
710756a9 228 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 229 return 0;
710756a9 230 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 231 return 0;
f1a5939f
CB		 232 /*
233 * We can't sensibly check the log because the premaster secret is
234 * transient, and OpenSSL doesn't keep hold of it once the master
235 * secret is generated.
236 */
237 rsa_key_exchange_count++;
6acdd3e5 238 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 239 /*
240 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 241 * client random, then the hex-encoded master secret.
242 */
243 client_random_size = SSL_get_client_random(ssl,
244 actual_client_random,
245 SSL3_RANDOM_SIZE);
710756a9 246 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
710756a9 251 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 252 return 0;
710756a9
RS		 253 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
254 actual_client_random,
255 client_random_size)))
f1a5939f 256 return 0;
6acdd3e5 257
710756a9 258 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 259 return 0;
6acdd3e5
CB		 260 master_key_size = SSL_SESSION_get_master_key(session,
261 actual_master_key,
262 master_key_size);
710756a9 263 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 264 return 0;
710756a9
RS		 265 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
266 actual_master_key,
267 master_key_size)))
f1a5939f 268 return 0;
f1a5939f 269 master_secret_count++;
cffe973c
PW		 270 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
271 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 272 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
273 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 274 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 275 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 276 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 277 /*
278 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
279 * client random, and then the hex-encoded secret. In this case,
280 * we treat all of these secrets identically and then just
281 * distinguish between them when counting what we saw.
282 */
cffe973c
PW		 283 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
284 client_early_secret_count++;
285 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 286 client_handshake_secret_count++;
287 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
288 server_handshake_secret_count++;
289 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
290 client_application_secret_count++;
291 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
292 server_application_secret_count++;
01a2a654
PW		 293 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
294 early_exporter_secret_count++;
6329ce8f
PW		 295 else if (strcmp(token, "EXPORTER_SECRET") == 0)
296 exporter_secret_count++;
f1a5939f
CB		 297
298 client_random_size = SSL_get_client_random(ssl,
299 actual_client_random,
300 SSL3_RANDOM_SIZE);
710756a9 301 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 302 return 0;
f1a5939f 303
710756a9 304 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 305 return 0;
710756a9 306 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 307 return 0;
710756a9
RS		 308 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
309 actual_client_random,
310 client_random_size)))
f1a5939f 311 return 0;
6acdd3e5 312
710756a9 313 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 314 return 0;
f1a5939f
CB		 315
316 /*
317 * TODO(TLS1.3): test that application traffic secrets are what
318 * we expect */
6acdd3e5 319 } else {
710756a9 320 TEST_info("Unexpected token %s\n", token);
f1a5939f 321 return 0;
6acdd3e5 322 }
6acdd3e5
CB		 323 }
324
710756a9
RS		 325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
cffe973c
PW		 330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
710756a9
RS		 332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 339 expected->server_application_secret_count)
01a2a654
PW		 340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
6329ce8f
PW		 342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
710756a9
RS		 344 return 0;
345 return 1;
6acdd3e5
CB		 346}
347
c423ecaa 348#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 349static int test_keylog(void)
350{
6acdd3e5
CB		 351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
6fc1e624 354 struct sslapitest_log_counts expected;
6acdd3e5
CB		 355
356 /* Clean up logging space */
6fc1e624 357 memset(&expected, 0, sizeof(expected));
710756a9
RS		 358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
5e30f2fd 364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 365 TLS_client_method(),
5c587fb6 366 TLS1_VERSION, 0,
710756a9 367 &sctx, &cctx, cert, privkey)))
6acdd3e5 368 return 0;
6acdd3e5
CB		 369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
f0deb4d3 374 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 376 goto end;
f0deb4d3 377
cf10df81
RS		 378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 380 goto end;
6acdd3e5 381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
6acdd3e5 384 goto end;
710756a9 385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
6acdd3e5 388 goto end;
6acdd3e5 389
710756a9
RS		 390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 398 goto end;
6acdd3e5 399
f1a5939f
CB		 400 /*
401 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 402 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see a RSA key exchange.
6acdd3e5 405 */
f1a5939f
CB		 406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
710756a9
RS		 408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
6acdd3e5 410 goto end;
f1a5939f
CB		 411
412 expected.rsa_key_exchange_count = 0;
710756a9
RS		 413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
6acdd3e5 415 goto end;
6acdd3e5
CB		 416
417 testresult = 1;
418
419end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426}
c423ecaa 427#endif
6acdd3e5
CB		 428
429#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 430static int test_keylog_no_master_key(void)
431{
6acdd3e5
CB		 432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 434 SSL_SESSION *sess = NULL;
6acdd3e5 435 int testresult = 0;
6fc1e624 436 struct sslapitest_log_counts expected;
cffe973c
PW		 437 unsigned char buf[1];
438 size_t readbytes, written;
6acdd3e5
CB		 439
440 /* Clean up logging space */
6fc1e624 441 memset(&expected, 0, sizeof(expected));
710756a9
RS		 442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
5e30f2fd
MC		 448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 452 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 453 return 0;
6acdd3e5 454
cf10df81
RS		 455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 457 goto end;
6acdd3e5
CB		 458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
6acdd3e5 462 goto end;
6acdd3e5 463
710756a9 464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
6acdd3e5 467 goto end;
6acdd3e5 468
710756a9
RS		 469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
6acdd3e5 475 goto end;
6acdd3e5 476
f1a5939f
CB		 477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 480 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 481 */
f1a5939f
CB		 482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
6329ce8f 486 expected.exporter_secret_count = 1;
710756a9
RS		 487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
6acdd3e5 492 goto end;
6acdd3e5 493
cffe973c
PW		 494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
01a2a654 525 expected.early_exporter_secret_count = 1;
cffe973c
PW		 526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
6acdd3e5
CB		 533 testresult = 1;
534
535end:
cffe973c 536 SSL_SESSION_free(sess);
6acdd3e5
CB		 537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543}
544#endif
545
e9ee6536 546#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 547static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 548{
549 int *ctr = arg;
550 const unsigned char *p;
8ea404fb 551 int *exts;
2afaee51
BK		 552 /* We only configure two ciphers, but the SCSV is added automatically. */
553#ifdef OPENSSL_NO_EC
554 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
555#else
556 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
557 0x2c, 0x00, 0xff};
558#endif
8ea404fb
BK		 559 const int expected_extensions[] = {
560#ifndef OPENSSL_NO_EC
561 11, 10,
562#endif
10ed1b72 563 35, 22, 23, 13};
2afaee51
BK		 564 size_t len;
565
566 /* Make sure we can defer processing and get called back. */
567 if ((*ctr)++ == 0)
f1b97da1 568 return SSL_CLIENT_HELLO_RETRY;
2afaee51 569
a9c0d8be 570 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 571 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 572 || !TEST_size_t_eq(
573 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 574 || !TEST_int_eq(*p, 0))
f1b97da1 575 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 576 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 577 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 578 if (len != OSSL_NELEM(expected_extensions) ||
579 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 580 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 581 OPENSSL_free(exts);
f1b97da1 582 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 583 }
584 OPENSSL_free(exts);
f1b97da1 585 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 586}
587
a9c0d8be 588static int test_client_hello_cb(void)
710756a9 589{
2afaee51
BK		 590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testctr = 0, testresult = 0;
593
5e30f2fd
MC		 594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
595 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 596 &sctx, &cctx, cert, privkey)))
2afaee51 597 goto end;
a9c0d8be 598 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 599
2afaee51
BK		 600 /* The gimpy cipher list we configure can't do TLS 1.3. */
601 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 602
710756a9
RS		 603 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
604 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
605 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
606 &clientssl, NULL, NULL))
607 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 608 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 609 /*
610 * Passing a -1 literal is a hack since
611 * the real value was lost.
612 * */
a9c0d8be
DB		 613 || !TEST_int_eq(SSL_get_error(serverssl, -1),
614 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 615 || !TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
2afaee51 617 goto end;
2afaee51
BK		 618
619 testresult = 1;
620
088dfa13
TS		 621end:
622 SSL_free(serverssl);
623 SSL_free(clientssl);
624 SSL_CTX_free(sctx);
625 SSL_CTX_free(cctx);
626
627 return testresult;
628}
629
630static int test_no_ems(void)
631{
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
634 int testresult = 0;
635
5e30f2fd 636 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 637 TLS1_VERSION, TLS1_2_VERSION,
638 &sctx, &cctx, cert, privkey)) {
639 printf("Unable to create SSL_CTX pair\n");
640 goto end;
641 }
642
643 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
644
645 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
646 printf("Unable to create SSL objects\n");
647 goto end;
648 }
649
650 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
651 printf("Creating SSL connection failed\n");
652 goto end;
653 }
654
655 if (SSL_get_extms_support(serverssl)) {
656 printf("Server reports Extended Master Secret support\n");
657 goto end;
658 }
659
660 if (SSL_get_extms_support(clientssl)) {
661 printf("Client reports Extended Master Secret support\n");
662 goto end;
663 }
664 testresult = 1;
665
2afaee51
BK		 666end:
667 SSL_free(serverssl);
668 SSL_free(clientssl);
669 SSL_CTX_free(sctx);
670 SSL_CTX_free(cctx);
671
672 return testresult;
673}
674
3cd14e5e
BK		 675/*
676 * Very focused test to exercise a single case in the server-side state
677 * machine, when the ChangeCipherState message needs to actually change
678 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 679 * encryption to real encryption).
3cd14e5e
BK		 680 */
681static int test_ccs_change_cipher(void)
682{
683 SSL_CTX *cctx = NULL, *sctx = NULL;
684 SSL *clientssl = NULL, *serverssl = NULL;
685 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
686 int testresult = 0;
687 int i;
688 unsigned char buf;
689 size_t readbytes;
690
691 /*
692 * Create a conection so we can resume and potentially (but not) use
693 * a different cipher in the second connection.
694 */
5e30f2fd 695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 696 TLS_client_method(),
697 TLS1_VERSION, TLS1_2_VERSION,
698 &sctx, &cctx, cert, privkey))
699 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
700 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
701 NULL, NULL))
702 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
704 SSL_ERROR_NONE))
705 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
706 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
707 goto end;
708
709 shutdown_ssl_connection(serverssl, clientssl);
710 serverssl = clientssl = NULL;
711
712 /* Resume, preferring a different cipher. Our server will force the
713 * same cipher to be used as the initial handshake. */
714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
715 NULL, NULL))
716 || !TEST_true(SSL_set_session(clientssl, sess))
717 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
718 || !TEST_true(create_ssl_connection(serverssl, clientssl,
719 SSL_ERROR_NONE))
720 || !TEST_true(SSL_session_reused(clientssl))
721 || !TEST_true(SSL_session_reused(serverssl))
722 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
723 || !TEST_ptr_eq(sesspre, sesspost)
724 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
725 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
726 goto end;
727 shutdown_ssl_connection(serverssl, clientssl);
728 serverssl = clientssl = NULL;
729
730 /*
731 * Now create a fresh connection and try to renegotiate a different
732 * cipher on it.
733 */
b3e6d666
BK		 734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
735 NULL, NULL))
3cd14e5e
BK		 736 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
737 || !TEST_true(create_ssl_connection(serverssl, clientssl,
738 SSL_ERROR_NONE))
739 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
740 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
741 || !TEST_true(SSL_renegotiate(clientssl))
742 || !TEST_true(SSL_renegotiate_pending(clientssl)))
743 goto end;
744 /* Actually drive the renegotiation. */
745 for (i = 0; i < 3; i++) {
746 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
747 if (!TEST_ulong_eq(readbytes, 0))
748 goto end;
749 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
750 SSL_ERROR_WANT_READ)) {
751 goto end;
752 }
753 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
754 if (!TEST_ulong_eq(readbytes, 0))
755 goto end;
756 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
757 SSL_ERROR_WANT_READ)) {
758 goto end;
759 }
760 }
761 /* sesspre and sesspost should be different since the cipher changed. */
762 if (!TEST_false(SSL_renegotiate_pending(clientssl))
763 || !TEST_false(SSL_session_reused(clientssl))
764 || !TEST_false(SSL_session_reused(serverssl))
765 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
766 || !TEST_ptr_ne(sesspre, sesspost)
767 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
768 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
769 goto end;
770
771 shutdown_ssl_connection(serverssl, clientssl);
772 serverssl = clientssl = NULL;
773
774 testresult = 1;
775
776end:
777 SSL_free(serverssl);
778 SSL_free(clientssl);
779 SSL_CTX_free(sctx);
780 SSL_CTX_free(cctx);
781 SSL_SESSION_free(sess);
782
783 return testresult;
784}
fb121631 785#endif
3cd14e5e 786
84d5549e 787static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 788 const SSL_METHOD *cmeth,
789 int min_version, int max_version,
790 int read_ahead)
84d5549e
MC		 791{
792 SSL_CTX *cctx = NULL, *sctx = NULL;
793 SSL *clientssl = NULL, *serverssl = NULL;
794 int testresult = 0;
795 int i;
710756a9 796 BIO *certbio = NULL;
84d5549e
MC		 797 X509 *chaincert = NULL;
798 int certlen;
799
710756a9 800 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 801 goto end;
6725682d
SL		 802
803 if (!TEST_ptr(chaincert = X509_new_with_libctx(libctx, NULL)))
804 goto end;
805
806 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
807 goto end;
fa454945
MC		 808 BIO_free(certbio);
809 certbio = NULL;
84d5549e 810
5e30f2fd
MC		 811 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
812 max_version, &sctx, &cctx, cert,
813 privkey)))
84d5549e 814 goto end;
84d5549e 815
710756a9 816 if (read_ahead) {
7856332e
MC		 817 /*
818 * Test that read_ahead works correctly when dealing with large
819 * records
820 */
821 SSL_CTX_set_read_ahead(cctx, 1);
822 }
823
84d5549e
MC		 824 /*
825 * We assume the supplied certificate is big enough so that if we add
826 * NUM_EXTRA_CERTS it will make the overall message large enough. The
827 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 828 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
829 * test we need to have a message larger than that.
84d5549e
MC		 830 */
831 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 832 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
833 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 834 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 835 if (!X509_up_ref(chaincert))
84d5549e 836 goto end;
84d5549e 837 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 838 X509_free(chaincert);
839 goto end;
840 }
841 }
842
710756a9
RS		 843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
844 NULL, NULL))
845 || !TEST_true(create_ssl_connection(serverssl, clientssl,
846 SSL_ERROR_NONE)))
84d5549e 847 goto end;
84d5549e 848
4bf08600
MC		 849 /*
850 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 851 * doesn't leak.
4bf08600 852 */
710756a9 853 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 854 goto end;
84d5549e 855
4bf08600 856 testresult = 1;
84d5549e 857 end:
6725682d 858 BIO_free(certbio);
84d5549e
MC		 859 X509_free(chaincert);
860 SSL_free(serverssl);
861 SSL_free(clientssl);
862 SSL_CTX_free(sctx);
863 SSL_CTX_free(cctx);
864
865 return testresult;
866}
867
da4db160
VF		 868#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
869 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
870#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 871/* sock must be connected */
872static int ktls_chk_platform(int sock)
873{
874 if (!ktls_enable(sock))
875 return 0;
876 return 1;
877}
878
da4db160 879static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 880{
881 static char count = 1;
882 unsigned char cbuf[16000] = {0};
883 unsigned char sbuf[16000];
884 size_t err = 0;
da4db160
VF		 885 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
887 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
888 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
889 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
890 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
891 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
892 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 893
894 cbuf[0] = count++;
da4db160
VF		 895 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
896 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
897 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
898 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 899
900 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
901 goto end;
902
903 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
904 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
905 goto end;
906 }
907 }
908
909 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
910 goto end;
911
912 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
913 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
914 goto end;
915 }
916 }
917
da4db160
VF		 918 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
919 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
920 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
921 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 922
923 /* verify the payload */
924 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
925 goto end;
926
927 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
928 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 929 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
930 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 931 goto end;
932 } else {
da4db160
VF		 933 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
934 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 935 goto end;
936 }
937
938 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 939 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
940 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 941 goto end;
942 } else {
da4db160
VF		 943 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
944 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 945 goto end;
946 }
947
2fab79af 948 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 949 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
950 crec_rseq_after, rec_seq_size))
2fab79af
BP		 951 goto end;
952 } else {
da4db160
VF		 953 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
954 crec_rseq_after, rec_seq_size))
2fab79af
BP		 955 goto end;
956 }
957
958 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 959 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
960 srec_rseq_after, rec_seq_size))
2fab79af
BP		 961 goto end;
962 } else {
da4db160
VF		 963 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
964 srec_rseq_after, rec_seq_size))
2fab79af
BP		 965 goto end;
966 }
fe5d9450
BP		 967
968 return 1;
969end:
970 return 0;
971}
972
2fab79af 973static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 974 int sis_ktls_tx, int sis_ktls_rx,
975 int tls_version, const char *cipher,
976 int rec_seq_size)
fe5d9450
BP		 977{
978 SSL_CTX *cctx = NULL, *sctx = NULL;
979 SSL *clientssl = NULL, *serverssl = NULL;
980 int testresult = 0;
981 int cfd, sfd;
982
983 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
984 goto end;
985
986 /* Skip this test if the platform does not support ktls */
987 if (!ktls_chk_platform(cfd))
988 return 1;
989
990 /* Create a session based on SHA-256 */
5e30f2fd 991 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 992 TLS_client_method(),
da4db160 993 tls_version, tls_version,
fe5d9450 994 &sctx, &cctx, cert, privkey))
da4db160 995 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
fe5d9450
BP		 996 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
997 &clientssl, sfd, cfd)))
998 goto end;
999
1000 if (!cis_ktls_tx) {
1001 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1002 goto end;
1003 }
1004
1005 if (!sis_ktls_tx) {
1006 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1007 goto end;
1008 }
1009
2fab79af
BP		 1010 if (!cis_ktls_rx) {
1011 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1012 goto end;
1013 }
1014
1015 if (!sis_ktls_rx) {
1016 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1017 goto end;
1018 }
1019
fe5d9450
BP		 1020 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1021 SSL_ERROR_NONE)))
1022 goto end;
1023
1024 if (!cis_ktls_tx) {
1025 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1026 goto end;
1027 } else {
1028 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1029 goto end;
1030 }
1031
1032 if (!sis_ktls_tx) {
1033 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1034 goto end;
1035 } else {
1036 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1037 goto end;
1038 }
1039
2fab79af
BP		 1040 if (!cis_ktls_rx) {
1041 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1042 goto end;
1043 } else {
1044 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1045 goto end;
1046 }
1047
1048 if (!sis_ktls_rx) {
1049 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1050 goto end;
1051 } else {
1052 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1053 goto end;
1054 }
1055
da4db160
VF		 1056 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1057 rec_seq_size)))
fe5d9450
BP		 1058 goto end;
1059
1060 testresult = 1;
1061end:
1062 if (clientssl) {
1063 SSL_shutdown(clientssl);
1064 SSL_free(clientssl);
1065 }
1066 if (serverssl) {
1067 SSL_shutdown(serverssl);
1068 SSL_free(serverssl);
1069 }
1070 SSL_CTX_free(sctx);
1071 SSL_CTX_free(cctx);
1072 serverssl = clientssl = NULL;
1073 return testresult;
1074}
1075
7c3a7561
BP		 1076#define SENDFILE_SZ (16 * 4096)
1077#define SENDFILE_CHUNK (4 * 4096)
1078#define min(a,b) ((a) > (b) ? (b) : (a))
1079
da4db160 1080static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1081{
1082 SSL_CTX *cctx = NULL, *sctx = NULL;
1083 SSL *clientssl = NULL, *serverssl = NULL;
1084 unsigned char *buf, *buf_dst;
1085 BIO *out = NULL, *in = NULL;
1086 int cfd, sfd, ffd, err;
1087 ssize_t chunk_size = 0;
1088 off_t chunk_off = 0;
1089 int testresult = 0;
1090 FILE *ffdp;
1091
1092 buf = OPENSSL_zalloc(SENDFILE_SZ);
1093 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1094 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1095 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1096 goto end;
1097
1098 /* Skip this test if the platform does not support ktls */
1099 if (!ktls_chk_platform(sfd)) {
1100 testresult = 1;
1101 goto end;
1102 }
1103
1104 /* Create a session based on SHA-256 */
5e30f2fd 1105 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1106 TLS_client_method(),
da4db160 1107 tls_version, tls_version,
7c3a7561 1108 &sctx, &cctx, cert, privkey))
da4db160 1109 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
7c3a7561
BP		 1110 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1111 &clientssl, sfd, cfd)))
1112 goto end;
1113
1114 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1115 SSL_ERROR_NONE))
1116 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1117 goto end;
1118
1119 RAND_bytes(buf, SENDFILE_SZ);
1120 out = BIO_new_file(tmpfilename, "wb");
1121 if (!TEST_ptr(out))
1122 goto end;
1123
1124 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1125 goto end;
1126
1127 BIO_free(out);
1128 out = NULL;
1129 in = BIO_new_file(tmpfilename, "rb");
1130 BIO_get_fp(in, &ffdp);
1131 ffd = fileno(ffdp);
1132
1133 while (chunk_off < SENDFILE_SZ) {
1134 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1135 while ((err = SSL_sendfile(serverssl,
1136 ffd,
1137 chunk_off,
1138 chunk_size,
1139 0)) != chunk_size) {
1140 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1141 goto end;
1142 }
1143 while ((err = SSL_read(clientssl,
1144 buf_dst + chunk_off,
1145 chunk_size)) != chunk_size) {
1146 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1147 goto end;
1148 }
1149
1150 /* verify the payload */
1151 if (!TEST_mem_eq(buf_dst + chunk_off,
1152 chunk_size,
1153 buf + chunk_off,
1154 chunk_size))
1155 goto end;
1156
1157 chunk_off += chunk_size;
1158 }
1159
1160 testresult = 1;
1161end:
1162 if (clientssl) {
1163 SSL_shutdown(clientssl);
1164 SSL_free(clientssl);
1165 }
1166 if (serverssl) {
1167 SSL_shutdown(serverssl);
1168 SSL_free(serverssl);
1169 }
1170 SSL_CTX_free(sctx);
1171 SSL_CTX_free(cctx);
1172 serverssl = clientssl = NULL;
1173 BIO_free(out);
1174 BIO_free(in);
1175 OPENSSL_free(buf);
1176 OPENSSL_free(buf_dst);
1177 return testresult;
1178}
1179
da4db160 1180static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
2fab79af 1181{
da4db160
VF		 1182 int testresult = 1;
1183
1184#ifdef OPENSSL_KTLS_AES_GCM_128
1185 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1186 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1187#endif
1188#ifdef OPENSSL_KTLS_AES_CCM_128
1189 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1190 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1191#endif
1192#ifdef OPENSSL_KTLS_AES_GCM_256
1193 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1194 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1195#endif
1196 return testresult;
2fab79af
BP		 1197}
1198
da4db160 1199static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
2fab79af 1200{
da4db160
VF		 1201 int testresult = 1;
1202
1203#ifdef OPENSSL_KTLS_AES_GCM_128
1204 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1205 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1206#endif
1207#ifdef OPENSSL_KTLS_AES_CCM_128
1208 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1209 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1210#endif
1211#ifdef OPENSSL_KTLS_AES_GCM_256
1212 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1213 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1214#endif
1215 return testresult;
2fab79af
BP		 1216}
1217
da4db160 1218static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
2fab79af 1219{
da4db160
VF		 1220 int testresult = 1;
1221
1222#ifdef OPENSSL_KTLS_AES_GCM_128
1223 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1224 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1225#endif
1226#ifdef OPENSSL_KTLS_AES_CCM_128
1227 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1228 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1229#endif
1230#ifdef OPENSSL_KTLS_AES_GCM_256
1231 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1232 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1233#endif
1234 return testresult;
2fab79af
BP		 1235}
1236
da4db160 1237static int test_ktls_client_no_txrx_server(int tlsver)
2fab79af 1238{
da4db160
VF		 1239 int testresult = 1;
1240
1241#ifdef OPENSSL_KTLS_AES_GCM_128
1242 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1243 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1244#endif
1245#ifdef OPENSSL_KTLS_AES_CCM_128
1246 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1247 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1248#endif
1249#ifdef OPENSSL_KTLS_AES_GCM_256
1250 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1251 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1252#endif
1253 return testresult;
2fab79af
BP		 1254}
1255
da4db160 1256static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
2fab79af 1257{
da4db160
VF		 1258 int testresult = 1;
1259
1260#ifdef OPENSSL_KTLS_AES_GCM_128
1261 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1262 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1263#endif
1264#ifdef OPENSSL_KTLS_AES_CCM_128
1265 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1266 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1267#endif
1268#ifdef OPENSSL_KTLS_AES_GCM_256
1269 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1270 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1271#endif
1272 return testresult;
2fab79af
BP		 1273}
1274
da4db160 1275static int test_ktls_no_rx_client_no_rx_server(int tlsver)
2fab79af 1276{
da4db160
VF		 1277 int testresult = 1;
1278
1279#ifdef OPENSSL_KTLS_AES_GCM_128
1280 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1281 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1282#endif
1283#ifdef OPENSSL_KTLS_AES_CCM_128
1284 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1285 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1286#endif
1287#ifdef OPENSSL_KTLS_AES_GCM_256
1288 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1289 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1290#endif
1291 return testresult;
2fab79af
BP		 1292}
1293
da4db160 1294static int test_ktls_no_tx_client_no_rx_server(int tlsver)
2fab79af 1295{
da4db160
VF		 1296 int testresult = 1;
1297
1298#ifdef OPENSSL_KTLS_AES_GCM_128
1299 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1300 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1301#endif
1302#ifdef OPENSSL_KTLS_AES_CCM_128
1303 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1304 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1305#endif
1306#ifdef OPENSSL_KTLS_AES_GCM_256
1307 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1308 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1309#endif
1310 return testresult;
2fab79af
BP		 1311}
1312
da4db160 1313static int test_ktls_client_no_rx_server(int tlsver)
fe5d9450 1314{
da4db160
VF		 1315 int testresult = 1;
1316
1317#ifdef OPENSSL_KTLS_AES_GCM_128
1318 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1319 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1320#endif
1321#ifdef OPENSSL_KTLS_AES_CCM_128
1322 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1323 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1324#endif
1325#ifdef OPENSSL_KTLS_AES_GCM_256
1326 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1327 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1328#endif
1329 return testresult;
fe5d9450
BP		 1330}
1331
da4db160 1332static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
fe5d9450 1333{
da4db160
VF		 1334 int testresult = 1;
1335
1336#ifdef OPENSSL_KTLS_AES_GCM_128
1337 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1338 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1339#endif
1340#ifdef OPENSSL_KTLS_AES_CCM_128
1341 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1342 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1343#endif
1344#ifdef OPENSSL_KTLS_AES_GCM_256
1345 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1346 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1347#endif
1348 return testresult;
fe5d9450
BP		 1349}
1350
da4db160 1351static int test_ktls_no_rx_client_no_tx_server(int tlsver)
fe5d9450 1352{
da4db160
VF		 1353 int testresult = 1;
1354
1355#ifdef OPENSSL_KTLS_AES_GCM_128
1356 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1357 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1358#endif
1359#ifdef OPENSSL_KTLS_AES_CCM_128
1360 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1361 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1362#endif
1363#ifdef OPENSSL_KTLS_AES_GCM_256
1364 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1365 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1366#endif
1367 return testresult;
fe5d9450
BP		 1368}
1369
da4db160 1370static int test_ktls_no_tx_client_no_tx_server(int tlsver)
2fab79af 1371{
da4db160
VF		 1372 int testresult = 1;
1373
1374#ifdef OPENSSL_KTLS_AES_GCM_128
1375 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1376 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1377#endif
1378#ifdef OPENSSL_KTLS_AES_CCM_128
1379 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1380 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1381#endif
1382#ifdef OPENSSL_KTLS_AES_GCM_256
1383 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1384 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1385#endif
1386 return testresult;
2fab79af
BP		 1387}
1388
da4db160 1389static int test_ktls_client_no_tx_server(int tlsver)
2fab79af 1390{
da4db160
VF		 1391 int testresult = 1;
1392
1393#ifdef OPENSSL_KTLS_AES_GCM_128
1394 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1395 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1396#endif
1397#ifdef OPENSSL_KTLS_AES_CCM_128
1398 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1399 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1400#endif
1401#ifdef OPENSSL_KTLS_AES_GCM_256
1402 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1403 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1404#endif
1405 return testresult;
2fab79af
BP		 1406}
1407
da4db160 1408static int test_ktls_no_txrx_client_server(int tlsver)
2fab79af 1409{
da4db160
VF		 1410 int testresult = 1;
1411
1412#ifdef OPENSSL_KTLS_AES_GCM_128
1413 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1414 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1415#endif
1416#ifdef OPENSSL_KTLS_AES_CCM_128
1417 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1418 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1419#endif
1420#ifdef OPENSSL_KTLS_AES_GCM_256
1421 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1422 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1423#endif
1424 return testresult;
2fab79af
BP		 1425}
1426
da4db160 1427static int test_ktls_no_rx_client_server(int tlsver)
2fab79af 1428{
da4db160
VF		 1429 int testresult = 1;
1430
1431#ifdef OPENSSL_KTLS_AES_GCM_128
1432 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1433 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1434#endif
1435#ifdef OPENSSL_KTLS_AES_CCM_128
1436 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1437 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1438#endif
1439#ifdef OPENSSL_KTLS_AES_GCM_256
1440 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1441 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1442#endif
1443 return testresult;
2fab79af
BP		 1444}
1445
da4db160 1446static int test_ktls_no_tx_client_server(int tlsver)
2fab79af 1447{
da4db160
VF		 1448 int testresult = 1;
1449
1450#ifdef OPENSSL_KTLS_AES_GCM_128
1451 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1452 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1453#endif
1454#ifdef OPENSSL_KTLS_AES_CCM_128
1455 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1456 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1457#endif
1458#ifdef OPENSSL_KTLS_AES_GCM_256
1459 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1460 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1461#endif
1462 return testresult;
1463}
1464
1465static int test_ktls_client_server(int tlsver)
1466{
1467 int testresult = 1;
1468
1469#ifdef OPENSSL_KTLS_AES_GCM_128
1470 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1471 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1472#endif
1473#ifdef OPENSSL_KTLS_AES_CCM_128
1474 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1475 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1476#endif
1477#ifdef OPENSSL_KTLS_AES_GCM_256
1478 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1479 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1480#endif
1481 return testresult;
1482}
1483
1484#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1485static int test_ktls(int test)
1486{
1487 int tlsver;
1488
1489 if (test > 15) {
1490#if defined(OPENSSL_NO_TLS1_3)
1491 return 1;
1492#else
1493 test -= 16;
1494 tlsver = TLS1_3_VERSION;
1495#endif
1496 } else {
1497#if defined(OPENSSL_NO_TLS1_2)
1498 return 1;
1499#else
1500 tlsver = TLS1_2_VERSION;
1501#endif
1502 }
1503
1504 switch(test) {
1505 case 0:
1506 return test_ktls_no_txrx_client_no_txrx_server(tlsver);
1507 case 1:
1508 return test_ktls_no_rx_client_no_txrx_server(tlsver);
1509 case 2:
1510 return test_ktls_no_tx_client_no_txrx_server(tlsver);
1511 case 3:
1512 return test_ktls_client_no_txrx_server(tlsver);
1513 case 4:
1514 return test_ktls_no_txrx_client_no_rx_server(tlsver);
1515 case 5:
1516 return test_ktls_no_rx_client_no_rx_server(tlsver);
1517 case 6:
1518 return test_ktls_no_tx_client_no_rx_server(tlsver);
1519 case 7:
1520 return test_ktls_client_no_rx_server(tlsver);
1521 case 8:
1522 return test_ktls_no_txrx_client_no_tx_server(tlsver);
1523 case 9:
1524 return test_ktls_no_rx_client_no_tx_server(tlsver);
1525 case 10:
1526 return test_ktls_no_tx_client_no_tx_server(tlsver);
1527 case 11:
1528 return test_ktls_client_no_tx_server(tlsver);
1529 case 12:
1530 return test_ktls_no_txrx_client_server(tlsver);
1531 case 13:
1532 return test_ktls_no_rx_client_server(tlsver);
1533 case 14:
1534 return test_ktls_no_tx_client_server(tlsver);
1535 case 15:
1536 return test_ktls_client_server(tlsver);
1537 default:
1538 return 0;
1539 }
2fab79af
BP		 1540}
1541
da4db160 1542static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1543{
da4db160
VF		 1544 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
1545 int tlsver;
1546
1547 if (tst > 2) {
1548#if defined(OPENSSL_NO_TLS1_3)
1549 return 1;
1550#else
1551 tst -= 3;
1552 tlsver = TLS1_3_VERSION;
1553#endif
1554 } else {
1555#if defined(OPENSSL_NO_TLS1_2)
1556 return 1;
1557#else
1558 tlsver = TLS1_2_VERSION;
1559#endif
1560 }
1561
1562#ifndef OPENSSL_KTLS_AES_GCM_128
1563 if(tst == 0) return 1;
1564#endif
1565#ifndef OPENSSL_KTLS_AES_CCM_128
1566 if(tst == 1) return 1;
1567#endif
1568#ifndef OPENSSL_KTLS_AES_GCM_256
1569 if(tst == 2) return 1;
1570#endif
1571 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1572}
da4db160
VF		 1573
1574#endif
fe5d9450
BP		 1575#endif
1576
84d5549e
MC		 1577static int test_large_message_tls(void)
1578{
7856332e 1579 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1580 TLS1_VERSION, 0, 0);
7856332e
MC		 1581}
1582
1583static int test_large_message_tls_read_ahead(void)
1584{
1585 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1586 TLS1_VERSION, 0, 1);
84d5549e
MC		 1587}
1588
55386bef 1589#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1590static int test_large_message_dtls(void)
1591{
7856332e
MC		 1592 /*
1593 * read_ahead is not relevant to DTLS because DTLS always acts as if
1594 * read_ahead is set.
1595 */
84d5549e 1596 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1597 DTLS_client_method(),
5c587fb6 1598 DTLS1_VERSION, 0, 0);
84d5549e 1599}
55386bef 1600#endif
84d5549e 1601
163b8016
ME		 1602static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1603 const SSL_METHOD *cmeth,
1604 int min_version, int max_version)
1605{
1606 size_t i;
1607 SSL_CTX *cctx = NULL, *sctx = NULL;
1608 SSL *clientssl = NULL, *serverssl = NULL;
1609 int testresult = 0;
1610 SSL3_RECORD *rr;
1611 void *zbuf;
1612
1613 static unsigned char cbuf[16000];
1614 static unsigned char sbuf[16000];
1615
1616 if (!TEST_true(create_ssl_ctx_pair(libctx,
1617 smeth, cmeth,
1618 min_version, max_version,
1619 &sctx, &cctx, cert,
1620 privkey)))
1621 goto end;
1622
1623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1624 NULL, NULL)))
1625 goto end;
1626
1627 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1628 goto end;
1629
1630 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1631 SSL_ERROR_NONE)))
1632 goto end;
1633
1634 for (i = 0; i < sizeof(cbuf); i++) {
1635 cbuf[i] = i & 0xff;
1636 }
1637
1638 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1639 goto end;
1640
1641 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1642 goto end;
1643
1644 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1645 goto end;
1646
1647 /*
1648 * Since we called SSL_peek(), we know the data in the record
1649 * layer is a plaintext record. We can gather the pointer to check
1650 * for zeroization after SSL_read().
1651 */
1652 rr = serverssl->rlayer.rrec;
1653 zbuf = &rr->data[rr->off];
1654 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1655 goto end;
1656
1657 /*
1658 * After SSL_peek() the plaintext must still be stored in the
1659 * record.
1660 */
1661 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1662 goto end;
1663
1664 memset(sbuf, 0, sizeof(sbuf));
1665 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1666 goto end;
1667
1668 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1669 goto end;
1670
1671 /* Check if rbuf is cleansed */
1672 memset(cbuf, 0, sizeof(cbuf));
1673 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1674 goto end;
1675
1676 testresult = 1;
1677 end:
1678 SSL_free(serverssl);
1679 SSL_free(clientssl);
1680 SSL_CTX_free(sctx);
1681 SSL_CTX_free(cctx);
1682
1683 return testresult;
1684}
1685
1686static int test_cleanse_plaintext(void)
1687{
1688#if !defined(OPENSSL_NO_TLS1_2)
1689 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1690 TLS_client_method(),
1691 TLS1_2_VERSION,
1692 TLS1_2_VERSION)))
1693 return 0;
1694
1695#endif
1696
1697#if !defined(OPENSSL_NO_TLS1_3)
1698 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1699 TLS_client_method(),
1700 TLS1_3_VERSION,
1701 TLS1_3_VERSION)))
1702 return 0;
1703#endif
1704
1705#if !defined(OPENSSL_NO_DTLS)
1706 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1707 DTLS_client_method(),
1708 DTLS1_VERSION,
1709 0)))
1710 return 0;
1711#endif
1712 return 1;
1713}
1714
8f8c11d8 1715#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1716static int ocsp_server_cb(SSL *s, void *arg)
1717{
1718 int *argi = (int *)arg;
710756a9 1719 unsigned char *copy = NULL;
ba881d3b
MC		 1720 STACK_OF(OCSP_RESPID) *ids = NULL;
1721 OCSP_RESPID *id = NULL;
1722
1723 if (*argi == 2) {
1724 /* In this test we are expecting exactly 1 OCSP_RESPID */
1725 SSL_get_tlsext_status_ids(s, &ids);
1726 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1727 return SSL_TLSEXT_ERR_ALERT_FATAL;
1728
1729 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1730 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1731 return SSL_TLSEXT_ERR_ALERT_FATAL;
1732 } else if (*argi != 1) {
1733 return SSL_TLSEXT_ERR_ALERT_FATAL;
1734 }
1735
710756a9 1736 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1737 return SSL_TLSEXT_ERR_ALERT_FATAL;
1738
710756a9 1739 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1740 ocsp_server_called = 1;
ba881d3b
MC		 1741 return SSL_TLSEXT_ERR_OK;
1742}
1743
1744static int ocsp_client_cb(SSL *s, void *arg)
1745{
1746 int *argi = (int *)arg;
1747 const unsigned char *respderin;
1748 size_t len;
1749
1750 if (*argi != 1 && *argi != 2)
1751 return 0;
1752
1753 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1754 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1755 return 0;
1756
1757 ocsp_client_called = 1;
ba881d3b
MC		 1758 return 1;
1759}
1760
2cb4b5f6
MC		 1761static int test_tlsext_status_type(void)
1762{
ba881d3b
MC		 1763 SSL_CTX *cctx = NULL, *sctx = NULL;
1764 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1765 int testresult = 0;
ba881d3b
MC		 1766 STACK_OF(OCSP_RESPID) *ids = NULL;
1767 OCSP_RESPID *id = NULL;
1768 BIO *certbio = NULL;
2cb4b5f6 1769
5e30f2fd 1770 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1771 TLS1_VERSION, 0,
7d7f6834 1772 &sctx, &cctx, cert, privkey))
ba881d3b 1773 return 0;
2cb4b5f6 1774
710756a9 1775 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1776 goto end;
2cb4b5f6 1777
ba881d3b 1778 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1779
ba881d3b 1780 clientssl = SSL_new(cctx);
710756a9
RS		 1781 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1782 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1783 TLSEXT_STATUSTYPE_ocsp))
1784 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1785 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1786 goto end;
2cb4b5f6 1787
ba881d3b
MC		 1788 SSL_free(clientssl);
1789 clientssl = NULL;
2cb4b5f6 1790
710756a9
RS		 1791 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1792 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1793 goto end;
2cb4b5f6 1794
ba881d3b 1795 clientssl = SSL_new(cctx);
710756a9 1796 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1797 goto end;
ba881d3b
MC		 1798 SSL_free(clientssl);
1799 clientssl = NULL;
1800
1801 /*
1802 * Now actually do a handshake and check OCSP information is exchanged and
1803 * the callbacks get called
1804 */
ba881d3b
MC		 1805 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1806 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1807 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1808 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1809 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1810 &clientssl, NULL, NULL))
1811 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1812 SSL_ERROR_NONE))
1813 || !TEST_true(ocsp_client_called)
1814 || !TEST_true(ocsp_server_called))
ba881d3b 1815 goto end;
ba881d3b
MC		 1816 SSL_free(serverssl);
1817 SSL_free(clientssl);
1818 serverssl = NULL;
1819 clientssl = NULL;
1820
1821 /* Try again but this time force the server side callback to fail */
1822 ocsp_client_called = 0;
1823 ocsp_server_called = 0;
1824 cdummyarg = 0;
710756a9
RS		 1825 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1826 &clientssl, NULL, NULL))
1827 /* This should fail because the callback will fail */
1828 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1829 SSL_ERROR_NONE))
1830 || !TEST_false(ocsp_client_called)
1831 || !TEST_false(ocsp_server_called))
ba881d3b 1832 goto end;
ba881d3b
MC		 1833 SSL_free(serverssl);
1834 SSL_free(clientssl);
1835 serverssl = NULL;
1836 clientssl = NULL;
1837
1838 /*
1839 * This time we'll get the client to send an OCSP_RESPID that it will
1840 * accept.
1841 */
1842 ocsp_client_called = 0;
1843 ocsp_server_called = 0;
1844 cdummyarg = 2;
710756a9
RS		 1845 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1846 &clientssl, NULL, NULL)))
ba881d3b 1847 goto end;
ba881d3b
MC		 1848
1849 /*
1850 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1851 * specific one. We'll use the server cert.
ba881d3b 1852 */
710756a9
RS		 1853 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1854 || !TEST_ptr(id = OCSP_RESPID_new())
1855 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
6725682d
SL		 1856 || !TEST_ptr(ocspcert = X509_new_with_libctx(libctx, NULL))
1857 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1858 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1859 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1860 goto end;
ba881d3b
MC		 1861 id = NULL;
1862 SSL_set_tlsext_status_ids(clientssl, ids);
1863 /* Control has been transferred */
1864 ids = NULL;
1865
1866 BIO_free(certbio);
1867 certbio = NULL;
1868
710756a9
RS		 1869 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1870 SSL_ERROR_NONE))
1871 || !TEST_true(ocsp_client_called)
1872 || !TEST_true(ocsp_server_called))
ba881d3b 1873 goto end;
ba881d3b 1874
2cb4b5f6
MC		 1875 testresult = 1;
1876
1877 end:
ba881d3b
MC		 1878 SSL_free(serverssl);
1879 SSL_free(clientssl);
1880 SSL_CTX_free(sctx);
1881 SSL_CTX_free(cctx);
1882 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1883 OCSP_RESPID_free(id);
1884 BIO_free(certbio);
1885 X509_free(ocspcert);
1886 ocspcert = NULL;
2cb4b5f6
MC		 1887
1888 return testresult;
1889}
8f8c11d8 1890#endif
2cb4b5f6 1891
bf208d95 1892#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1893static int new_called, remove_called, get_called;
eaa776da 1894
eaa776da
MC		 1895static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1896{
1897 new_called++;
c0537ebd
MC		 1898 /*
1899 * sess has been up-refed for us, but we don't actually need it so free it
1900 * immediately.
1901 */
1902 SSL_SESSION_free(sess);
eaa776da
MC		 1903 return 1;
1904}
1905
1906static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1907{
1908 remove_called++;
1909}
1910
7a301f08
MC		 1911static SSL_SESSION *get_sess_val = NULL;
1912
1913static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1914 int *copy)
1915{
0afca811 1916 get_called++;
7a301f08
MC		 1917 *copy = 1;
1918 return get_sess_val;
1919}
1920
7a301f08 1921static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1922 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1923{
1924 SSL_CTX *sctx = NULL, *cctx = NULL;
1925 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1926 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1927# ifndef OPENSSL_NO_TLS1_1
eaa776da 1928 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1929# endif
2cb4b5f6 1930 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1931 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1932
7e885b7b
P		 1933 new_called = remove_called = 0;
1934
36ff232c
MC		 1935 /* TLSv1.3 sends 2 NewSessionTickets */
1936 if (maxprot == TLS1_3_VERSION)
1937 numnewsesstick = 2;
1938
5e30f2fd
MC		 1939 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1940 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1941 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1942 return 0;
2cb4b5f6 1943
7a301f08
MC		 1944 /*
1945 * Only allow the max protocol version so we can force a connection failure
1946 * later
1947 */
1948 SSL_CTX_set_min_proto_version(cctx, maxprot);
1949 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1950
1951 /* Set up session cache */
7e885b7b 1952 if (use_ext_cache) {
eaa776da
MC		 1953 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1954 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1955 }
7e885b7b 1956 if (use_int_cache) {
eaa776da
MC		 1957 /* Also covers instance where both are set */
1958 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1959 } else {
1960 SSL_CTX_set_session_cache_mode(cctx,
1961 SSL_SESS_CACHE_CLIENT
1962 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1963 }
2cb4b5f6 1964
90fc2c26
NM		 1965 if (s_options) {
1966 SSL_CTX_set_options(sctx, s_options);
1967 }
1968
710756a9
RS		 1969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1970 NULL, NULL))
1971 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1972 SSL_ERROR_NONE))
1973 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1974 goto end;
2cb4b5f6 1975
710756a9 1976 /* Should fail because it should already be in the cache */
7e885b7b 1977 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1978 goto end;
7a301f08 1979 if (use_ext_cache
36ff232c
MC		 1980 && (!TEST_int_eq(new_called, numnewsesstick)
1981
1982 || !TEST_int_eq(remove_called, 0)))
b4982125 1983 goto end;
b4982125 1984
c0537ebd
MC		 1985 new_called = remove_called = 0;
1986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1987 &clientssl2, NULL, NULL))
1988 || !TEST_true(SSL_set_session(clientssl2, sess1))
1989 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1990 SSL_ERROR_NONE))
1991 || !TEST_true(SSL_session_reused(clientssl2)))
1992 goto end;
1993
7a301f08
MC		 1994 if (maxprot == TLS1_3_VERSION) {
1995 /*
1996 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1997 * resumed. Since we attempted a resume we should also have removed the
1998 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1999 */
2000 if (use_ext_cache
2001 && (!TEST_int_eq(new_called, 1)
4cb00457 2002 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2003 goto end;
2004 } else {
2005 /*
2006 * In TLSv1.2 we expect to have resumed so no sessions added or
2007 * removed.
2008 */
2009 if (use_ext_cache
2010 && (!TEST_int_eq(new_called, 0)
2011 || !TEST_int_eq(remove_called, 0)))
2012 goto end;
2013 }
c0537ebd
MC		 2014
2015 SSL_SESSION_free(sess1);
2016 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2017 goto end;
2018 shutdown_ssl_connection(serverssl2, clientssl2);
2019 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2020
2021 new_called = remove_called = 0;
710756a9
RS		 2022 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2023 &clientssl2, NULL, NULL))
2024 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2025 SSL_ERROR_NONE)))
2cb4b5f6 2026 goto end;
2cb4b5f6 2027
710756a9 2028 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2029 goto end;
2cb4b5f6 2030
7a301f08 2031 if (use_ext_cache
36ff232c
MC		 2032 && (!TEST_int_eq(new_called, numnewsesstick)
2033 || !TEST_int_eq(remove_called, 0)))
eaa776da 2034 goto end;
eaa776da 2035
c0537ebd 2036 new_called = remove_called = 0;
2cb4b5f6 2037 /*
710756a9
RS		 2038 * This should clear sess2 from the cache because it is a "bad" session.
2039 * See SSL_set_session() documentation.
2cb4b5f6 2040 */
710756a9 2041 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2042 goto end;
7a301f08
MC		 2043 if (use_ext_cache
2044 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2045 goto end;
710756a9 2046 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2047 goto end;
2cb4b5f6 2048
7e885b7b 2049 if (use_int_cache) {
710756a9
RS		 2050 /* Should succeeded because it should not already be in the cache */
2051 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2052 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2053 goto end;
eaa776da
MC		 2054 }
2055
c0537ebd 2056 new_called = remove_called = 0;
eaa776da 2057 /* This shouldn't be in the cache so should fail */
710756a9 2058 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2059 goto end;
2cb4b5f6 2060
7a301f08
MC		 2061 if (use_ext_cache
2062 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2063 goto end;
2cb4b5f6 2064
bf208d95 2065# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2066 new_called = remove_called = 0;
eaa776da
MC		 2067 /* Force a connection failure */
2068 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2070 &clientssl3, NULL, NULL))
2071 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2072 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2073 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2074 SSL_ERROR_NONE)))
eaa776da 2075 goto end;
b4982125 2076
eaa776da 2077 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2078 if (use_ext_cache
2079 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2080 goto end;
2cb4b5f6 2081
710756a9 2082 /* Should succeed because it should not already be in the cache */
7e885b7b 2083 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2084 goto end;
bf208d95 2085# endif
eaa776da 2086
7a301f08
MC		 2087 /* Now do some tests for server side caching */
2088 if (use_ext_cache) {
2089 SSL_CTX_sess_set_new_cb(cctx, NULL);
2090 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2091 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2092 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2093 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2094 get_sess_val = NULL;
2095 }
2096
2097 SSL_CTX_set_session_cache_mode(cctx, 0);
2098 /* Internal caching is the default on the server side */
2099 if (!use_int_cache)
2100 SSL_CTX_set_session_cache_mode(sctx,
2101 SSL_SESS_CACHE_SERVER
2102 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2103
2104 SSL_free(serverssl1);
2105 SSL_free(clientssl1);
2106 serverssl1 = clientssl1 = NULL;
2107 SSL_free(serverssl2);
2108 SSL_free(clientssl2);
2109 serverssl2 = clientssl2 = NULL;
2110 SSL_SESSION_free(sess1);
2111 sess1 = NULL;
2112 SSL_SESSION_free(sess2);
2113 sess2 = NULL;
2114
2115 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2116 if (maxprot == TLS1_2_VERSION)
2117 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2118 new_called = remove_called = get_called = 0;
7a301f08
MC		 2119 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2120 NULL, NULL))
2121 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2122 SSL_ERROR_NONE))
2123 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2124 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2125 goto end;
2126
ee94ec2e
MC		 2127 if (use_int_cache) {
2128 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2129 /*
2130 * In TLSv1.3 it should not have been added to the internal cache,
2131 * except in the case where we also have an external cache (in that
2132 * case it gets added to the cache in order to generate remove
2133 * events after timeout).
2134 */
2135 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2136 goto end;
2137 } else {
2138 /* Should fail because it should already be in the cache */
2139 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2140 goto end;
2141 }
2142 }
7a301f08
MC		 2143
2144 if (use_ext_cache) {
2145 SSL_SESSION *tmp = sess2;
2146
36ff232c 2147 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2148 || !TEST_int_eq(remove_called, 0)
2149 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2150 goto end;
2151 /*
2152 * Delete the session from the internal cache to force a lookup from
2153 * the external cache. We take a copy first because
2154 * SSL_CTX_remove_session() also marks the session as non-resumable.
2155 */
ee94ec2e 2156 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2157 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2158 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2159 goto end;
2160 SSL_SESSION_free(sess2);
2161 }
7a301f08
MC		 2162 sess2 = tmp;
2163 }
2164
0afca811 2165 new_called = remove_called = get_called = 0;
7a301f08
MC		 2166 get_sess_val = sess2;
2167 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2168 &clientssl2, NULL, NULL))
2169 || !TEST_true(SSL_set_session(clientssl2, sess1))
2170 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2171 SSL_ERROR_NONE))
2172 || !TEST_true(SSL_session_reused(clientssl2)))
2173 goto end;
2174
0afca811 2175 if (use_ext_cache) {
32305f88 2176 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2177 goto end;
2178
2179 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2180 if (!TEST_int_eq(new_called, 1)
2181 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2182 goto end;
2183 } else {
32305f88
MC		 2184 if (!TEST_int_eq(new_called, 0)
2185 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2186 goto end;
2187 }
2188 }
7a301f08 2189
2cb4b5f6 2190 testresult = 1;
eaa776da 2191
2cb4b5f6
MC		 2192 end:
2193 SSL_free(serverssl1);
2194 SSL_free(clientssl1);
2195 SSL_free(serverssl2);
2196 SSL_free(clientssl2);
bf208d95 2197# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2198 SSL_free(serverssl3);
2199 SSL_free(clientssl3);
bf208d95 2200# endif
2cb4b5f6
MC		 2201 SSL_SESSION_free(sess1);
2202 SSL_SESSION_free(sess2);
2203 SSL_CTX_free(sctx);
2204 SSL_CTX_free(cctx);
2205
2206 return testresult;
2207}
bf208d95 2208#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2209
7fb4c820
MC		 2210static int test_session_with_only_int_cache(void)
2211{
7a301f08 2212#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2213 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2214 return 0;
2215#endif
2216
2217#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2218 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2219#else
2220 return 1;
2221#endif
eaa776da
MC		 2222}
2223
7fb4c820
MC		 2224static int test_session_with_only_ext_cache(void)
2225{
7a301f08 2226#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2227 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2228 return 0;
2229#endif
2230
2231#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2232 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2233#else
2234 return 1;
2235#endif
eaa776da
MC		 2236}
2237
7fb4c820
MC		 2238static int test_session_with_both_cache(void)
2239{
7a301f08 2240#ifndef OPENSSL_NO_TLS1_3
90fc2c26
NM		 2241 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2242 return 0;
2243#endif
2244
2245#ifndef OPENSSL_NO_TLS1_2
2246 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2247#else
2248 return 1;
2249#endif
2250}
2251
2252static int test_session_wo_ca_names(void)
2253{
2254#ifndef OPENSSL_NO_TLS1_3
2255 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2256 return 0;
2257#endif
2258
2259#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2260 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2261#else
2262 return 1;
2263#endif
eaa776da
MC		 2264}
2265
90fc2c26 2266
04225915 2267#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 2268static SSL_SESSION *sesscache[6];
2269static int do_cache;
36ff232c
MC		 2270
2271static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2272{
c22365b3
MC		 2273 if (do_cache) {
2274 sesscache[new_called] = sess;
2275 } else {
2276 /* We don't need the reference to the session, so free it */
2277 SSL_SESSION_free(sess);
2278 }
2279 new_called++;
2280
2281 return 1;
2282}
2283
2284static int post_handshake_verify(SSL *sssl, SSL *cssl)
2285{
2286 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2287 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2288 return 0;
2289
2290 /* Start handshake on the server and client */
2291 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2292 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2293 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2294 || !TEST_true(create_ssl_connection(sssl, cssl,
2295 SSL_ERROR_NONE)))
2296 return 0;
36ff232c
MC		 2297
2298 return 1;
2299}
2300
fbe9dafd 2301static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2302 SSL_CTX **cctx)
2303{
2304 int sess_id_ctx = 1;
2305
5e30f2fd
MC		 2306 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2307 TLS_client_method(), TLS1_VERSION, 0,
2308 sctx, cctx, cert, privkey))
03cdf559
MC		 2309 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2310 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2311 (void *)&sess_id_ctx,
2312 sizeof(sess_id_ctx))))
2313 return 0;
2314
2315 if (stateful)
2316 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2317
2318 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2319 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2320 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2321
2322 return 1;
2323}
2324
2325static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2326{
2327 SSL *serverssl = NULL, *clientssl = NULL;
2328 int i;
2329
2330 /* Test that we can resume with all the tickets we got given */
2331 for (i = 0; i < idx * 2; i++) {
2332 new_called = 0;
2333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2334 &clientssl, NULL, NULL))
2335 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2336 goto end;
2337
32097b33 2338 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2339
2340 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2341 SSL_ERROR_NONE)))
2342 goto end;
2343
2344 /*
2345 * Following a successful resumption we only get 1 ticket. After a
2346 * failed one we should get idx tickets.
2347 */
2348 if (succ) {
2349 if (!TEST_true(SSL_session_reused(clientssl))
2350 || !TEST_int_eq(new_called, 1))
2351 goto end;
2352 } else {
2353 if (!TEST_false(SSL_session_reused(clientssl))
2354 || !TEST_int_eq(new_called, idx))
2355 goto end;
2356 }
2357
2358 new_called = 0;
2359 /* After a post-handshake authentication we should get 1 new ticket */
2360 if (succ
2361 && (!post_handshake_verify(serverssl, clientssl)
2362 || !TEST_int_eq(new_called, 1)))
2363 goto end;
2364
2365 SSL_shutdown(clientssl);
2366 SSL_shutdown(serverssl);
2367 SSL_free(serverssl);
2368 SSL_free(clientssl);
2369 serverssl = clientssl = NULL;
2370 SSL_SESSION_free(sesscache[i]);
2371 sesscache[i] = NULL;
2372 }
2373
2374 return 1;
2375
2376 end:
2377 SSL_free(clientssl);
2378 SSL_free(serverssl);
2379 return 0;
2380}
2381
04d7814a 2382static int test_tickets(int stateful, int idx)
36ff232c
MC		 2383{
2384 SSL_CTX *sctx = NULL, *cctx = NULL;
2385 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2386 int testresult = 0;
36ff232c
MC		 2387 size_t j;
2388
2389 /* idx is the test number, but also the number of tickets we want */
2390
2391 new_called = 0;
c22365b3 2392 do_cache = 1;
36ff232c 2393
fbe9dafd 2394 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2395 goto end;
2396
03cdf559
MC		 2397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2398 &clientssl, NULL, NULL)))
2399 goto end;
2400
2401 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2402 SSL_ERROR_NONE))
2403 /* Check we got the number of tickets we were expecting */
2404 || !TEST_int_eq(idx, new_called))
2405 goto end;
04d7814a 2406
03cdf559
MC		 2407 SSL_shutdown(clientssl);
2408 SSL_shutdown(serverssl);
2409 SSL_free(serverssl);
2410 SSL_free(clientssl);
2411 SSL_CTX_free(sctx);
2412 SSL_CTX_free(cctx);
2413 clientssl = serverssl = NULL;
2414 sctx = cctx = NULL;
2415
2416 /*
2417 * Now we try to resume with the tickets we previously created. The
2418 * resumption attempt is expected to fail (because we're now using a new
2419 * SSL_CTX). We should see idx number of tickets issued again.
2420 */
2421
2422 /* Stop caching sessions - just count them */
2423 do_cache = 0;
2424
fbe9dafd 2425 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2426 goto end;
2427
2428 if (!check_resumption(idx, sctx, cctx, 0))
2429 goto end;
2430
2431 /* Start again with caching sessions */
2432 new_called = 0;
2433 do_cache = 1;
fbe9dafd
MC		 2434 SSL_CTX_free(sctx);
2435 SSL_CTX_free(cctx);
2436 sctx = cctx = NULL;
03cdf559 2437
fbe9dafd 2438 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2439 goto end;
36ff232c
MC		 2440
2441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2442 &clientssl, NULL, NULL)))
2443 goto end;
2444
32097b33 2445 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2446
2447 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2448 SSL_ERROR_NONE))
2449 /* Check we got the number of tickets we were expecting */
2450 || !TEST_int_eq(idx, new_called))
2451 goto end;
2452
2453 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2454 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2455 || !TEST_int_eq(idx * 2, new_called))
2456 goto end;
2457
36ff232c
MC		 2458 SSL_shutdown(clientssl);
2459 SSL_shutdown(serverssl);
2460 SSL_free(serverssl);
2461 SSL_free(clientssl);
2462 serverssl = clientssl = NULL;
2463
c22365b3
MC		 2464 /* Stop caching sessions - just count them */
2465 do_cache = 0;
2466
03cdf559
MC		 2467 /*
2468 * Check we can resume with all the tickets we created. This time around the
2469 * resumptions should all be successful.
2470 */
2471 if (!check_resumption(idx, sctx, cctx, 1))
2472 goto end;
36ff232c
MC		 2473
2474 testresult = 1;
2475
2476 end:
2477 SSL_free(serverssl);
2478 SSL_free(clientssl);
c22365b3 2479 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2480 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2481 sesscache[j] = NULL;
2482 }
36ff232c
MC		 2483 SSL_CTX_free(sctx);
2484 SSL_CTX_free(cctx);
2485
2486 return testresult;
2487}
04d7814a
MC		 2488
2489static int test_stateless_tickets(int idx)
2490{
2491 return test_tickets(0, idx);
2492}
2493
2494static int test_stateful_tickets(int idx)
2495{
2496 return test_tickets(1, idx);
2497}
8614a4eb
MC		 2498
2499static int test_psk_tickets(void)
2500{
2501 SSL_CTX *sctx = NULL, *cctx = NULL;
2502 SSL *serverssl = NULL, *clientssl = NULL;
2503 int testresult = 0;
2504 int sess_id_ctx = 1;
2505
5e30f2fd
MC		 2506 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2507 TLS_client_method(), TLS1_VERSION, 0,
2508 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2509 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2510 (void *)&sess_id_ctx,
2511 sizeof(sess_id_ctx))))
2512 goto end;
2513
2514 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2515 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2516 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2517 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2518 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2519 use_session_cb_cnt = 0;
2520 find_session_cb_cnt = 0;
2521 srvid = pskid;
2522 new_called = 0;
2523
2524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2525 NULL, NULL)))
2526 goto end;
2527 clientpsk = serverpsk = create_a_psk(clientssl);
2528 if (!TEST_ptr(clientpsk))
2529 goto end;
2530 SSL_SESSION_up_ref(clientpsk);
2531
2532 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2533 SSL_ERROR_NONE))
2534 || !TEST_int_eq(1, find_session_cb_cnt)
2535 || !TEST_int_eq(1, use_session_cb_cnt)
2536 /* We should always get 1 ticket when using external PSK */
2537 || !TEST_int_eq(1, new_called))
2538 goto end;
2539
2540 testresult = 1;
2541
2542 end:
2543 SSL_free(serverssl);
2544 SSL_free(clientssl);
2545 SSL_CTX_free(sctx);
2546 SSL_CTX_free(cctx);
2547 SSL_SESSION_free(clientpsk);
2548 SSL_SESSION_free(serverpsk);
2549 clientpsk = serverpsk = NULL;
2550
2551 return testresult;
2552}
f0049b86
BK		 2553
2554static int test_extra_tickets(int idx)
2555{
2556 SSL_CTX *sctx = NULL, *cctx = NULL;
2557 SSL *serverssl = NULL, *clientssl = NULL;
2558 BIO *bretry = BIO_new(bio_s_always_retry());
2559 BIO *tmp = NULL;
2560 int testresult = 0;
2561 int stateful = 0;
2562 size_t nbytes;
2563 unsigned char c, buf[1];
2564
2565 new_called = 0;
2566 do_cache = 1;
2567
2568 if (idx >= 3) {
2569 idx -= 3;
2570 stateful = 1;
2571 }
2572
2573 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2574 goto end;
2575 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2576 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2577 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2578
2579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2580 &clientssl, NULL, NULL)))
2581 goto end;
2582
2583 /*
2584 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2585 * incremented by both client and server.
2586 */
2587 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2588 SSL_ERROR_NONE))
2589 /* Check we got the number of tickets we were expecting */
2590 || !TEST_int_eq(idx * 2, new_called)
2591 || !TEST_true(SSL_new_session_ticket(serverssl))
2592 || !TEST_true(SSL_new_session_ticket(serverssl))
2593 || !TEST_int_eq(idx * 2, new_called))
2594 goto end;
2595
2596 /* Now try a (real) write to actually send the tickets */
2597 c = '1';
2598 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2599 || !TEST_size_t_eq(1, nbytes)
2600 || !TEST_int_eq(idx * 2 + 2, new_called)
2601 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2602 || !TEST_int_eq(idx * 2 + 4, new_called)
2603 || !TEST_int_eq(sizeof(buf), nbytes)
2604 || !TEST_int_eq(c, buf[0])
2605 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2606 goto end;
2607
2608 /* Try with only requesting one new ticket, too */
2609 c = '2';
2610 new_called = 0;
2611 if (!TEST_true(SSL_new_session_ticket(serverssl))
2612 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2613 || !TEST_size_t_eq(sizeof(c), nbytes)
2614 || !TEST_int_eq(1, new_called)
2615 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2616 || !TEST_int_eq(2, new_called)
2617 || !TEST_size_t_eq(sizeof(buf), nbytes)
2618 || !TEST_int_eq(c, buf[0]))
2619 goto end;
2620
2621 /* Do it again but use dummy writes to drive the ticket generation */
2622 c = '3';
2623 new_called = 0;
2624 if (!TEST_true(SSL_new_session_ticket(serverssl))
2625 || !TEST_true(SSL_new_session_ticket(serverssl))
2626 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2627 || !TEST_size_t_eq(0, nbytes)
2628 || !TEST_int_eq(2, new_called)
2629 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2630 || !TEST_int_eq(4, new_called))
2631 goto end;
2632
2633 /*
2634 * Use the always-retry BIO to exercise the logic that forces ticket
2635 * generation to wait until a record boundary.
2636 */
2637 c = '4';
2638 new_called = 0;
2639 tmp = SSL_get_wbio(serverssl);
2640 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2641 tmp = NULL;
2642 goto end;
2643 }
2644 SSL_set0_wbio(serverssl, bretry);
2645 bretry = NULL;
2646 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2647 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2648 || !TEST_size_t_eq(nbytes, 0))
2649 goto end;
2650 /* Restore a BIO that will let the write succeed */
2651 SSL_set0_wbio(serverssl, tmp);
2652 tmp = NULL;
2653 /* These calls should just queue the request and not send anything. */
2654 if (!TEST_true(SSL_new_session_ticket(serverssl))
2655 || !TEST_true(SSL_new_session_ticket(serverssl))
2656 || !TEST_int_eq(0, new_called))
2657 goto end;
2658 /* Re-do the write; still no tickets sent */
2659 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2660 || !TEST_size_t_eq(1, nbytes)
2661 || !TEST_int_eq(0, new_called)
2662 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2663 || !TEST_int_eq(0, new_called)
2664 || !TEST_int_eq(sizeof(buf), nbytes)
2665 || !TEST_int_eq(c, buf[0])
2666 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2667 goto end;
2668 /* Now the *next* write should send the tickets */
2669 c = '5';
2670 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2671 || !TEST_size_t_eq(1, nbytes)
2672 || !TEST_int_eq(2, new_called)
2673 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2674 || !TEST_int_eq(4, new_called)
2675 || !TEST_int_eq(sizeof(buf), nbytes)
2676 || !TEST_int_eq(c, buf[0])
2677 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2678 goto end;
2679
2680 SSL_shutdown(clientssl);
2681 SSL_shutdown(serverssl);
2682 testresult = 1;
2683
2684 end:
2685 BIO_free(bretry);
2686 BIO_free(tmp);
2687 SSL_free(serverssl);
2688 SSL_free(clientssl);
2689 SSL_CTX_free(sctx);
2690 SSL_CTX_free(cctx);
2691 clientssl = serverssl = NULL;
2692 sctx = cctx = NULL;
2693 return testresult;
2694}
04225915 2695#endif
36ff232c 2696
7d4488bb
MC		 2697#define USE_NULL 0
2698#define USE_BIO_1 1
2699#define USE_BIO_2 2
2700#define USE_DEFAULT 3
2701
2702#define CONNTYPE_CONNECTION_SUCCESS 0
2703#define CONNTYPE_CONNECTION_FAIL 1
2704#define CONNTYPE_NO_CONNECTION 2
2705
2706#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2707#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2708#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2709# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2710#else
2711# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2712#endif
2713
7d4488bb
MC		 2714#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2715 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2716 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2717
2718static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2719{
2720 switch (type) {
2721 case USE_NULL:
2722 *res = NULL;
2723 break;
2724 case USE_BIO_1:
2725 *res = bio1;
2726 break;
2727 case USE_BIO_2:
2728 *res = bio2;
2729 break;
2730 }
2731}
2732
7d4488bb
MC		 2733
2734/*
2735 * Tests calls to SSL_set_bio() under various conditions.
2736 *
2737 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2738 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2739 * then do more tests where we create a successful connection first using our
2740 * standard connection setup functions, and then call SSL_set_bio() with
2741 * various combinations of valid BIOs or NULL. We then repeat these tests
2742 * following a failed connection. In this last case we are looking to check that
2743 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2744 */
7fb4c820
MC		 2745static int test_ssl_set_bio(int idx)
2746{
7d4488bb 2747 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2748 BIO *bio1 = NULL;
2749 BIO *bio2 = NULL;
0fae8150 2750 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2751 SSL *serverssl = NULL, *clientssl = NULL;
2752 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2753 int testresult = 0;
2754
7d4488bb
MC		 2755 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2756 initrbio = idx % 3;
2757 idx /= 3;
2758 initwbio = idx % 3;
2759 idx /= 3;
2760 newrbio = idx % 3;
2761 idx /= 3;
2762 newwbio = idx % 3;
2763 conntype = CONNTYPE_NO_CONNECTION;
2764 } else {
2765 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2766 initrbio = initwbio = USE_DEFAULT;
2767 newrbio = idx % 2;
2768 idx /= 2;
2769 newwbio = idx % 2;
2770 idx /= 2;
2771 conntype = idx % 2;
2772 }
710756a9 2773
5e30f2fd
MC		 2774 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2775 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2776 &sctx, &cctx, cert, privkey)))
2777 goto end;
2778
2779 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2780 /*
2781 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2782 * because we reduced the number of tests in the definition of
2783 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2784 * mismatched protocol versions we will force a connection failure.
2785 */
2786 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2787 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2788 }
2789
2790 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2791 NULL, NULL)))
710756a9 2792 goto end;
7fb4c820 2793
710756a9
RS		 2794 if (initrbio == USE_BIO_1
2795 || initwbio == USE_BIO_1
2796 || newrbio == USE_BIO_1
7fb4c820 2797 || newwbio == USE_BIO_1) {
710756a9 2798 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2799 goto end;
7fb4c820
MC		 2800 }
2801
710756a9
RS		 2802 if (initrbio == USE_BIO_2
2803 || initwbio == USE_BIO_2
2804 || newrbio == USE_BIO_2
7fb4c820 2805 || newwbio == USE_BIO_2) {
710756a9 2806 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2807 goto end;
7fb4c820
MC		 2808 }
2809
7d4488bb
MC		 2810 if (initrbio != USE_DEFAULT) {
2811 setupbio(&irbio, bio1, bio2, initrbio);
2812 setupbio(&iwbio, bio1, bio2, initwbio);
2813 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2814
7d4488bb
MC		 2815 /*
2816 * We want to maintain our own refs to these BIO, so do an up ref for
2817 * each BIO that will have ownership transferred in the SSL_set_bio()
2818 * call
2819 */
2820 if (irbio != NULL)
2821 BIO_up_ref(irbio);
2822 if (iwbio != NULL && iwbio != irbio)
2823 BIO_up_ref(iwbio);
2824 }
7fb4c820 2825
7d4488bb
MC		 2826 if (conntype != CONNTYPE_NO_CONNECTION
2827 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2828 SSL_ERROR_NONE)
2829 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2830 goto end;
7fb4c820
MC		 2831
2832 setupbio(&nrbio, bio1, bio2, newrbio);
2833 setupbio(&nwbio, bio1, bio2, newwbio);
2834
2835 /*
2836 * We will (maybe) transfer ownership again so do more up refs.
2837 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2838 * already been set!
2839 */
710756a9
RS		 2840 if (nrbio != NULL
2841 && nrbio != irbio
2842 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2843 BIO_up_ref(nrbio);
710756a9
RS		 2844 if (nwbio != NULL
2845 && nwbio != nrbio
2846 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2847 BIO_up_ref(nwbio);
2848
7d4488bb 2849 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2850
2851 testresult = 1;
2852
2853 end:
7fb4c820
MC		 2854 BIO_free(bio1);
2855 BIO_free(bio2);
710756a9 2856
7fb4c820
MC		 2857 /*
2858 * This test is checking that the ref counting for SSL_set_bio is correct.
2859 * If we get here and we did too many frees then we will fail in the above
742ccab3 2860 * functions.
7fb4c820 2861 */
7d4488bb
MC		 2862 SSL_free(serverssl);
2863 SSL_free(clientssl);
2864 SSL_CTX_free(sctx);
2865 SSL_CTX_free(cctx);
7fb4c820
MC		 2866 return testresult;
2867}
2868
7e885b7b 2869typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2870
7e885b7b 2871static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2872{
2873 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2874 SSL_CTX *ctx;
9a716987
MC		 2875 SSL *ssl = NULL;
2876 int testresult = 0;
2877
5e30f2fd 2878 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
710756a9
RS		 2879 || !TEST_ptr(ssl = SSL_new(ctx))
2880 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2881 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2882 goto end;
9a716987
MC		 2883
2884 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2885
2886 /*
742ccab3 2887 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2888 */
2889 BIO_push(sslbio, membio1);
2890
69687aa8 2891 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2892 if (change_bio != NO_BIO_CHANGE) {
710756a9 2893 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2894 goto end;
7e885b7b 2895 if (change_bio == CHANGE_RBIO)
65e2d672 2896 SSL_set0_rbio(ssl, membio2);
9a716987 2897 else
65e2d672 2898 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2899 }
2900 ssl = NULL;
2901
7e885b7b 2902 if (pop_ssl)
9a716987
MC		 2903 BIO_pop(sslbio);
2904 else
2905 BIO_pop(membio1);
2906
2907 testresult = 1;
2908 end:
2909 BIO_free(membio1);
2910 BIO_free(sslbio);
2911 SSL_free(ssl);
2912 SSL_CTX_free(ctx);
2913
2914 return testresult;
2915}
2916
2917static int test_ssl_bio_pop_next_bio(void)
2918{
7e885b7b 2919 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2920}
2921
2922static int test_ssl_bio_pop_ssl_bio(void)
2923{
7e885b7b 2924 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2925}
2926
2927static int test_ssl_bio_change_rbio(void)
2928{
7e885b7b 2929 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2930}
2931
2932static int test_ssl_bio_change_wbio(void)
2933{
7e885b7b 2934 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2935}
2936
c423ecaa 2937#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2938typedef struct {
2939 /* The list of sig algs */
2940 const int *list;
2941 /* The length of the list */
2942 size_t listlen;
2943 /* A sigalgs list in string format */
2944 const char *liststr;
2945 /* Whether setting the list should succeed */
2946 int valid;
2947 /* Whether creating a connection with the list should succeed */
2948 int connsuccess;
2949} sigalgs_list;
2950
2951static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2952# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2953static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2954static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2955# endif
f1b25aae
MC		 2956static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2957static const int invalidlist2[] = {NID_sha256, NID_undef};
2958static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2959static const int invalidlist4[] = {NID_sha256};
2960static const sigalgs_list testsigalgs[] = {
2961 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2962# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2963 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2964 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2965# endif
f1b25aae 2966 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2967# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2968 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2969 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2970# endif
f1b25aae
MC		 2971 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2972 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2973 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2974 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2975 {NULL, 0, "RSA", 0, 0},
2976 {NULL, 0, "SHA256", 0, 0},
2977 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2978 {NULL, 0, "Invalid", 0, 0}
2979};
f1b25aae
MC		 2980
2981static int test_set_sigalgs(int idx)
2982{
2983 SSL_CTX *cctx = NULL, *sctx = NULL;
2984 SSL *clientssl = NULL, *serverssl = NULL;
2985 int testresult = 0;
2986 const sigalgs_list *curr;
2987 int testctx;
2988
2989 /* Should never happen */
710756a9 2990 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2991 return 0;
2992
2993 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2994 curr = testctx ? &testsigalgs[idx]
2995 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2996
5e30f2fd
MC		 2997 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2998 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2999 &sctx, &cctx, cert, privkey)))
f1b25aae 3000 return 0;
f1b25aae 3001
d2e491f2
MC		 3002 /*
3003 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
3004 * for TLSv1.2 for now until we add a new API.
3005 */
3006 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3007
f1b25aae
MC		 3008 if (testctx) {
3009 int ret;
710756a9 3010
f1b25aae
MC		 3011 if (curr->list != NULL)
3012 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3013 else
3014 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3015
3016 if (!ret) {
3017 if (curr->valid)
710756a9 3018 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3019 else
3020 testresult = 1;
3021 goto end;
3022 }
3023 if (!curr->valid) {
710756a9 3024 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3025 goto end;
3026 }
3027 }
3028
710756a9
RS		 3029 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3030 &clientssl, NULL, NULL)))
f1b25aae 3031 goto end;
f1b25aae
MC		 3032
3033 if (!testctx) {
3034 int ret;
3035
3036 if (curr->list != NULL)
3037 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3038 else
3039 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3040 if (!ret) {
3041 if (curr->valid)
710756a9 3042 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3043 else
3044 testresult = 1;
3045 goto end;
3046 }
710756a9 3047 if (!curr->valid)
f1b25aae 3048 goto end;
f1b25aae
MC		 3049 }
3050
710756a9
RS		 3051 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3052 SSL_ERROR_NONE),
3053 curr->connsuccess))
f1b25aae 3054 goto end;
f1b25aae
MC		 3055
3056 testresult = 1;
3057
3058 end:
3059 SSL_free(serverssl);
3060 SSL_free(clientssl);
3061 SSL_CTX_free(sctx);
3062 SSL_CTX_free(cctx);
3063
3064 return testresult;
3065}
c423ecaa 3066#endif
f1b25aae 3067
fff202e5 3068#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 3069static int psk_client_cb_cnt = 0;
3070static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3071
3072static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3073 size_t *idlen, SSL_SESSION **sess)
3074{
3075 switch (++use_session_cb_cnt) {
3076 case 1:
3077 /* The first call should always have a NULL md */
3078 if (md != NULL)
3079 return 0;
3080 break;
3081
3082 case 2:
3083 /* The second call should always have an md */
3084 if (md == NULL)
3085 return 0;
3086 break;
3087
3088 default:
3089 /* We should only be called a maximum of twice */
3090 return 0;
3091 }
3092
57dee9bb
MC		 3093 if (clientpsk != NULL)
3094 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3095
57dee9bb 3096 *sess = clientpsk;
02a3ed5a
MC		 3097 *id = (const unsigned char *)pskid;
3098 *idlen = strlen(pskid);
3099
3100 return 1;
3101}
3102
c2b290c3 3103#ifndef OPENSSL_NO_PSK
532f9578
MC		 3104static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3105 unsigned int max_id_len,
3106 unsigned char *psk,
3107 unsigned int max_psk_len)
3108{
3109 unsigned int psklen = 0;
3110
3111 psk_client_cb_cnt++;
3112
3113 if (strlen(pskid) + 1 > max_id_len)
3114 return 0;
3115
3116 /* We should only ever be called a maximum of twice per connection */
3117 if (psk_client_cb_cnt > 2)
3118 return 0;
3119
3120 if (clientpsk == NULL)
3121 return 0;
3122
3123 /* We'll reuse the PSK we set up for TLSv1.3 */
3124 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3125 return 0;
3126 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3127 strncpy(id, pskid, max_id_len);
3128
3129 return psklen;
3130}
c2b290c3 3131#endif /* OPENSSL_NO_PSK */
532f9578 3132
02a3ed5a
MC		 3133static int find_session_cb(SSL *ssl, const unsigned char *identity,
3134 size_t identity_len, SSL_SESSION **sess)
3135{
3136 find_session_cb_cnt++;
3137
3138 /* We should only ever be called a maximum of twice per connection */
3139 if (find_session_cb_cnt > 2)
3140 return 0;
3141
57dee9bb 3142 if (serverpsk == NULL)
02a3ed5a
MC		 3143 return 0;
3144
3145 /* Identity should match that set by the client */
3146 if (strlen(srvid) != identity_len
3147 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3148 /* No PSK found, continue but without a PSK */
3149 *sess = NULL;
3150 return 1;
3151 }
3152
57dee9bb
MC		 3153 SSL_SESSION_up_ref(serverpsk);
3154 *sess = serverpsk;
02a3ed5a
MC		 3155
3156 return 1;
3157}
3158
c2b290c3 3159#ifndef OPENSSL_NO_PSK
532f9578
MC		 3160static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3161 unsigned char *psk, unsigned int max_psk_len)
3162{
3163 unsigned int psklen = 0;
3164
3165 psk_server_cb_cnt++;
3166
3167 /* We should only ever be called a maximum of twice per connection */
3168 if (find_session_cb_cnt > 2)
3169 return 0;
3170
3171 if (serverpsk == NULL)
3172 return 0;
3173
3174 /* Identity should match that set by the client */
3175 if (strcmp(srvid, identity) != 0) {
3176 return 0;
3177 }
3178
3179 /* We'll reuse the PSK we set up for TLSv1.3 */
3180 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3181 return 0;
3182 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3183
3184 return psklen;
3185}
c2b290c3 3186#endif /* OPENSSL_NO_PSK */
532f9578 3187
5f982038
MC		 3188#define MSG1 "Hello"
3189#define MSG2 "World."
3190#define MSG3 "This"
3191#define MSG4 "is"
3192#define MSG5 "a"
90049cea
MC		 3193#define MSG6 "test"
3194#define MSG7 "message."
5f982038 3195
532f9578 3196#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3197#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3198#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3199#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3200#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3201
8614a4eb
MC		 3202
3203static SSL_SESSION *create_a_psk(SSL *ssl)
3204{
3205 const SSL_CIPHER *cipher = NULL;
3206 const unsigned char key[] = {
3207 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3208 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3209 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3210 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3211 0x2c, 0x2d, 0x2e, 0x2f
3212 };
3213 SSL_SESSION *sess = NULL;
3214
3215 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3216 sess = SSL_SESSION_new();
3217 if (!TEST_ptr(sess)
3218 || !TEST_ptr(cipher)
3219 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3220 sizeof(key)))
3221 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3222 || !TEST_true(
3223 SSL_SESSION_set_protocol_version(sess,
3224 TLS1_3_VERSION))) {
3225 SSL_SESSION_free(sess);
3226 return NULL;
3227 }
3228 return sess;
3229}
3230
5f982038
MC		 3231/*
3232 * Helper method to setup objects for early data test. Caller frees objects on
3233 * error.
3234 */
3235static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3236 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3237{
5a421415 3238 if (*sctx == NULL
5e30f2fd 3239 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3240 TLS_client_method(),
5c587fb6 3241 TLS1_VERSION, 0,
5a421415
MC		 3242 sctx, cctx, cert, privkey)))
3243 return 0;
3244
3245 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3246 return 0;
5f982038 3247
02a3ed5a
MC		 3248 if (idx == 1) {
3249 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3250 SSL_CTX_set_read_ahead(*cctx, 1);
3251 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3252 } else if (idx == 2) {
3253 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3254 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3255 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3256 use_session_cb_cnt = 0;
3257 find_session_cb_cnt = 0;
3258 srvid = pskid;
3cb47b4e
MC		 3259 }
3260
710756a9 3261 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3262 NULL, NULL)))
3263 return 0;
3264
141e4709
MC		 3265 /*
3266 * For one of the run throughs (doesn't matter which one), we'll try sending
3267 * some SNI data in the initial ClientHello. This will be ignored (because
3268 * there is no SNI cb set up by the server), so it should not impact
3269 * early_data.
3270 */
3271 if (idx == 1
3272 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3273 return 0;
3274
02a3ed5a 3275 if (idx == 2) {
8614a4eb 3276 clientpsk = create_a_psk(*clientssl);
57dee9bb 3277 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3278 /*
3279 * We just choose an arbitrary value for max_early_data which
3280 * should be big enough for testing purposes.
3281 */
57dee9bb
MC		 3282 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3283 0x100))
3284 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3285 SSL_SESSION_free(clientpsk);
3286 clientpsk = NULL;
02a3ed5a
MC		 3287 return 0;
3288 }
57dee9bb 3289 serverpsk = clientpsk;
02a3ed5a 3290
c20e3b28
MC		 3291 if (sess != NULL) {
3292 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3293 SSL_SESSION_free(clientpsk);
3294 SSL_SESSION_free(serverpsk);
3295 clientpsk = serverpsk = NULL;
3296 return 0;
3297 }
57dee9bb 3298 *sess = clientpsk;
c20e3b28 3299 }
02a3ed5a
MC		 3300 return 1;
3301 }
3302
3303 if (sess == NULL)
3304 return 1;
3305
3306 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3307 SSL_ERROR_NONE)))
5f982038 3308 return 0;
5f982038
MC		 3309
3310 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3311 SSL_shutdown(*clientssl);
3312 SSL_shutdown(*serverssl);
5f982038
MC		 3313 SSL_free(*serverssl);
3314 SSL_free(*clientssl);
3315 *serverssl = *clientssl = NULL;
3316
710756a9
RS		 3317 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3318 clientssl, NULL, NULL))
3319 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3320 return 0;
5f982038
MC		 3321
3322 return 1;
3323}
3324
3cb47b4e 3325static int test_early_data_read_write(int idx)
5f982038
MC		 3326{
3327 SSL_CTX *cctx = NULL, *sctx = NULL;
3328 SSL *clientssl = NULL, *serverssl = NULL;
3329 int testresult = 0;
3330 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3331 unsigned char buf[20], data[1024];
3332 size_t readbytes, written, eoedlen, rawread, rawwritten;
3333 BIO *rbio;
5f982038 3334
710756a9
RS		 3335 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3336 &serverssl, &sess, idx)))
5f982038
MC		 3337 goto end;
3338
3339 /* Write and read some early data */
710756a9
RS		 3340 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3341 &written))
3342 || !TEST_size_t_eq(written, strlen(MSG1))
3343 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3344 sizeof(buf), &readbytes),
3345 SSL_READ_EARLY_DATA_SUCCESS)
3346 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3347 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3348 SSL_EARLY_DATA_ACCEPTED))
5f982038 3349 goto end;
5f982038
MC		 3350
3351 /*
09f28874 3352 * Server should be able to write data, and client should be able to
5f982038
MC		 3353 * read it.
3354 */
710756a9
RS		 3355 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3356 &written))
3357 || !TEST_size_t_eq(written, strlen(MSG2))
3358 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3359 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3360 goto end;
5f982038
MC		 3361
3362 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3363 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3364 &written))
3365 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3366 goto end;
5f982038 3367
09f28874 3368 /* Server should still be able read early data after writing data */
710756a9
RS		 3369 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3370 &readbytes),
3371 SSL_READ_EARLY_DATA_SUCCESS)
3372 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3373 goto end;
5f982038 3374
09f28874 3375 /* Write more data from server and read it from client */
710756a9
RS		 3376 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3377 &written))
3378 || !TEST_size_t_eq(written, strlen(MSG4))
3379 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3380 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3381 goto end;
5f982038
MC		 3382
3383 /*
3384 * If client writes normal data it should mean writing early data is no
3385 * longer possible.
3386 */
710756a9
RS		 3387 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3388 || !TEST_size_t_eq(written, strlen(MSG5))
3389 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3390 SSL_EARLY_DATA_ACCEPTED))
5f982038 3391 goto end;
5f982038 3392
9b5c865d
MC		 3393 /*
3394 * At this point the client has written EndOfEarlyData, ClientFinished and
3395 * normal (fully protected) data. We are going to cause a delay between the
3396 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3397 * in the read BIO, and then just put back the EndOfEarlyData message.
3398 */
3399 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3400 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3401 || !TEST_size_t_lt(rawread, sizeof(data))
3402 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3403 goto end;
710756a9 3404
9b5c865d
MC		 3405 /* Record length is in the 4th and 5th bytes of the record header */
3406 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3407 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3408 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3409 goto end;
9b5c865d 3410
5f982038 3411 /* Server should be told that there is no more early data */
710756a9
RS		 3412 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3413 &readbytes),
3414 SSL_READ_EARLY_DATA_FINISH)
3415 || !TEST_size_t_eq(readbytes, 0))
5f982038 3416 goto end;
5f982038 3417
9b5c865d
MC		 3418 /*
3419 * Server has not finished init yet, so should still be able to write early
3420 * data.
3421 */
710756a9
RS		 3422 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3423 &written))
3424 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3425 goto end;
9b5c865d 3426
f8a303fa 3427 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3428 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3429 &rawwritten))
3430 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3431 goto end;
f8a303fa 3432
5f982038 3433 /* Server should be able to read normal data */
710756a9
RS		 3434 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3435 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3436 goto end;
5f982038 3437
09f28874 3438 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3439 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3440 &written)))
5f982038 3441 goto end;
5f982038 3442 ERR_clear_error();
710756a9
RS		 3443 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3444 &readbytes),
3445 SSL_READ_EARLY_DATA_ERROR))
5f982038 3446 goto end;
5f982038
MC		 3447 ERR_clear_error();
3448
9b5c865d 3449 /* Client should be able to read the data sent by the server */
710756a9
RS		 3450 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3451 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3452 goto end;
710756a9 3453
f8a303fa 3454 /*
36ff232c
MC		 3455 * Make sure we process the two NewSessionTickets. These arrive
3456 * post-handshake. We attempt reads which we do not expect to return any
3457 * data.
f8a303fa 3458 */
36ff232c
MC		 3459 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3460 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3461 &readbytes)))
f8a303fa 3462 goto end;
5f982038 3463
90049cea 3464 /* Server should be able to write normal data */
710756a9
RS		 3465 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3466 || !TEST_size_t_eq(written, strlen(MSG7))
3467 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3468 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3469 goto end;
90049cea 3470
c20e3b28 3471 SSL_SESSION_free(sess);
5f982038 3472 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3473 use_session_cb_cnt = 0;
3474 find_session_cb_cnt = 0;
5f982038
MC		 3475
3476 SSL_shutdown(clientssl);
3477 SSL_shutdown(serverssl);
5f982038
MC		 3478 SSL_free(serverssl);
3479 SSL_free(clientssl);
3480 serverssl = clientssl = NULL;
710756a9
RS		 3481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3482 &clientssl, NULL, NULL))
3483 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3484 goto end;
5f982038
MC		 3485
3486 /* Write and read some early data */
710756a9
RS		 3487 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3488 &written))
3489 || !TEST_size_t_eq(written, strlen(MSG1))
3490 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3491 &readbytes),
3492 SSL_READ_EARLY_DATA_SUCCESS)
3493 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3494 goto end;
5f982038 3495
710756a9
RS		 3496 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3497 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3498 goto end;
5f982038 3499
09f28874 3500 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3501 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3502 &written)))
5f982038 3503 goto end;
5f982038 3504 ERR_clear_error();
710756a9
RS		 3505 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3506 &readbytes),
3507 SSL_READ_EARLY_DATA_ERROR))
5f982038 3508 goto end;
5f982038
MC		 3509 ERR_clear_error();
3510
3511 /* Client and server should be able to write/read normal data */
710756a9
RS		 3512 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3513 || !TEST_size_t_eq(written, strlen(MSG5))
3514 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3515 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3516 goto end;
5f982038
MC		 3517
3518 testresult = 1;
3519
3520 end:
c20e3b28 3521 SSL_SESSION_free(sess);
57dee9bb
MC		 3522 SSL_SESSION_free(clientpsk);
3523 SSL_SESSION_free(serverpsk);
3524 clientpsk = serverpsk = NULL;
5f982038
MC		 3525 SSL_free(serverssl);
3526 SSL_free(clientssl);
3527 SSL_CTX_free(sctx);
3528 SSL_CTX_free(cctx);
5f982038
MC		 3529 return testresult;
3530}
3531
5a421415
MC		 3532static int allow_ed_cb_called = 0;
3533
3534static int allow_early_data_cb(SSL *s, void *arg)
3535{
3536 int *usecb = (int *)arg;
3537
3538 allow_ed_cb_called++;
3539
3540 if (*usecb == 1)
3541 return 0;
3542
3543 return 1;
3544}
3545
3546/*
3547 * idx == 0: Standard early_data setup
3548 * idx == 1: early_data setup using read_ahead
3549 * usecb == 0: Don't use a custom early data callback
3550 * usecb == 1: Use a custom early data callback and reject the early data
3551 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3552 * confopt == 0: Configure anti-replay directly
3553 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3554 */
3bb5e5b0 3555static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3556{
3557 SSL_CTX *cctx = NULL, *sctx = NULL;
3558 SSL *clientssl = NULL, *serverssl = NULL;
3559 int testresult = 0;
3560 SSL_SESSION *sess = NULL;
5a421415
MC		 3561 size_t readbytes, written;
3562 unsigned char buf[20];
3563
3564 allow_ed_cb_called = 0;
3565
5e30f2fd
MC		 3566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3567 TLS_client_method(), TLS1_VERSION, 0,
3568 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3569 return 0;
3570
3571 if (usecb > 0) {
3bb5e5b0
MC		 3572 if (confopt == 0) {
3573 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3574 } else {
3575 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3576
3577 if (!TEST_ptr(confctx))
3578 goto end;
3579 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3580 | SSL_CONF_FLAG_SERVER);
3581 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3582 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3583 2)) {
3584 SSL_CONF_CTX_free(confctx);
3585 goto end;
3586 }
3587 SSL_CONF_CTX_free(confctx);
3588 }
5a421415
MC		 3589 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3590 }
78fb5374
MC		 3591
3592 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3593 &serverssl, &sess, idx)))
3594 goto end;
3595
3596 /*
3597 * The server is configured to accept early data. Create a connection to
3598 * "use up" the ticket
3599 */
3600 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3601 || !TEST_true(SSL_session_reused(clientssl)))
3602 goto end;
3603
3604 SSL_shutdown(clientssl);
3605 SSL_shutdown(serverssl);
3606 SSL_free(serverssl);
3607 SSL_free(clientssl);
3608 serverssl = clientssl = NULL;
3609
3610 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3611 &clientssl, NULL, NULL))
5a421415
MC		 3612 || !TEST_true(SSL_set_session(clientssl, sess)))
3613 goto end;
3614
3615 /* Write and read some early data */
3616 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3617 &written))
3618 || !TEST_size_t_eq(written, strlen(MSG1)))
3619 goto end;
3620
3621 if (usecb <= 1) {
3622 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3623 &readbytes),
3624 SSL_READ_EARLY_DATA_FINISH)
3625 /*
3626 * The ticket was reused, so the we should have rejected the
3627 * early data
3628 */
3629 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3630 SSL_EARLY_DATA_REJECTED))
3631 goto end;
3632 } else {
3633 /* In this case the callback decides to accept the early data */
3634 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3635 &readbytes),
3636 SSL_READ_EARLY_DATA_SUCCESS)
3637 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3638 /*
3639 * Server will have sent its flight so client can now send
3640 * end of early data and complete its half of the handshake
3641 */
3642 || !TEST_int_gt(SSL_connect(clientssl), 0)
3643 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3644 &readbytes),
3645 SSL_READ_EARLY_DATA_FINISH)
3646 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3647 SSL_EARLY_DATA_ACCEPTED))
3648 goto end;
3649 }
3650
3651 /* Complete the connection */
3652 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3653 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3654 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3655 goto end;
3656
3657 testresult = 1;
3658
3659 end:
c20e3b28 3660 SSL_SESSION_free(sess);
78fb5374
MC		 3661 SSL_SESSION_free(clientpsk);
3662 SSL_SESSION_free(serverpsk);
3663 clientpsk = serverpsk = NULL;
3664 SSL_free(serverssl);
3665 SSL_free(clientssl);
3666 SSL_CTX_free(sctx);
3667 SSL_CTX_free(cctx);
3668 return testresult;
3669}
3670
5a421415
MC		 3671static int test_early_data_replay(int idx)
3672{
3bb5e5b0 3673 int ret = 1, usecb, confopt;
5a421415 3674
3bb5e5b0
MC		 3675 for (usecb = 0; usecb < 3; usecb++) {
3676 for (confopt = 0; confopt < 2; confopt++)
3677 ret &= test_early_data_replay_int(idx, usecb, confopt);
3678 }
5a421415
MC		 3679
3680 return ret;
3681}
3682
710756a9 3683/*
6b84e6bf
MC		 3684 * Helper function to test that a server attempting to read early data can
3685 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3686 * testtype: 0 == No HRR
3687 * testtype: 1 == HRR
0efa0ba4
MC		 3688 * testtype: 2 == HRR, invalid early_data sent after HRR
3689 * testtype: 3 == recv_max_early_data set to 0
710756a9 3690 */
0d1b7789 3691static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3692{
3693 SSL_CTX *cctx = NULL, *sctx = NULL;
3694 SSL *clientssl = NULL, *serverssl = NULL;
3695 int testresult = 0;
018fcbec 3696 SSL_SESSION *sess = NULL;
5f982038
MC		 3697 unsigned char buf[20];
3698 size_t readbytes, written;
3699
710756a9
RS		 3700 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3701 &serverssl, &sess, idx)))
5f982038
MC		 3702 goto end;
3703
0efa0ba4 3704 if (testtype == 1 || testtype == 2) {
6b84e6bf 3705 /* Force an HRR to occur */
dbc6268f
MC		 3706#if defined(OPENSSL_NO_EC)
3707 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3708 goto end;
3709#else
6b84e6bf
MC		 3710 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3711 goto end;
dbc6268f 3712#endif
02a3ed5a
MC		 3713 } else if (idx == 2) {
3714 /*
3715 * We force early_data rejection by ensuring the PSK identity is
3716 * unrecognised
3717 */
3718 srvid = "Dummy Identity";
6b84e6bf
MC		 3719 } else {
3720 /*
3721 * Deliberately corrupt the creation time. We take 20 seconds off the
3722 * time. It could be any value as long as it is not within tolerance.
3723 * This should mean the ticket is rejected.
3724 */
5d99881e 3725 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3726 goto end;
3727 }
5f982038 3728
0efa0ba4 3729 if (testtype == 3
0d1b7789
MC		 3730 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3731 goto end;
3732
5f982038 3733 /* Write some early data */
710756a9
RS		 3734 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3735 &written))
3736 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3737 goto end;
5f982038 3738
0d1b7789 3739 /* Server should reject the early data */
710756a9
RS		 3740 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3741 &readbytes),
3742 SSL_READ_EARLY_DATA_FINISH)
3743 || !TEST_size_t_eq(readbytes, 0)
3744 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3745 SSL_EARLY_DATA_REJECTED))
5f982038 3746 goto end;
5f982038 3747
0efa0ba4
MC		 3748 switch (testtype) {
3749 case 0:
3750 /* Nothing to do */
3751 break;
3752
3753 case 1:
6b84e6bf
MC		 3754 /*
3755 * Finish off the handshake. We perform the same writes and reads as
3756 * further down but we expect them to fail due to the incomplete
3757 * handshake.
3758 */
3759 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3760 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3761 &readbytes)))
3762 goto end;
0efa0ba4
MC		 3763 break;
3764
3765 case 2:
3766 {
3767 BIO *wbio = SSL_get_wbio(clientssl);
3768 /* A record that will appear as bad early_data */
3769 const unsigned char bad_early_data[] = {
3770 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3771 };
3772
3773 /*
3774 * We force the client to attempt a write. This will fail because
3775 * we're still in the handshake. It will cause the second
3776 * ClientHello to be sent.
3777 */
3778 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3779 &written)))
3780 goto end;
3781
3782 /*
3783 * Inject some early_data after the second ClientHello. This should
3784 * cause the server to fail
3785 */
3786 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3787 sizeof(bad_early_data), &written)))
3788 goto end;
3789 }
3790 /* fallthrough */
3791
3792 case 3:
0d1b7789 3793 /*
0efa0ba4
MC		 3794 * This client has sent more early_data than we are willing to skip
3795 * (case 3) or sent invalid early_data (case 2) so the connection should
3796 * abort.
0d1b7789
MC		 3797 */
3798 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3799 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3800 goto end;
3801
3802 /* Connection has failed - nothing more to do */
3803 testresult = 1;
3804 goto end;
0efa0ba4
MC		 3805
3806 default:
3807 TEST_error("Invalid test type");
3808 goto end;
6b84e6bf
MC		 3809 }
3810
0d1b7789
MC		 3811 /*
3812 * Should be able to send normal data despite rejection of early data. The
3813 * early_data should be skipped.
3814 */
710756a9
RS		 3815 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3816 || !TEST_size_t_eq(written, strlen(MSG2))
3817 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3818 SSL_EARLY_DATA_REJECTED)
3819 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3820 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3821 goto end;
5f982038
MC		 3822
3823 testresult = 1;
3824
3825 end:
c20e3b28 3826 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3827 SSL_SESSION_free(serverpsk);
3828 clientpsk = serverpsk = NULL;
5f982038
MC		 3829 SSL_SESSION_free(sess);
3830 SSL_free(serverssl);
3831 SSL_free(clientssl);
3832 SSL_CTX_free(sctx);
3833 SSL_CTX_free(cctx);
5f982038
MC		 3834 return testresult;
3835}
3836
6b84e6bf
MC		 3837/*
3838 * Test that a server attempting to read early data can handle a connection
3839 * from a client where the early data is not acceptable.
3840 */
3841static int test_early_data_skip(int idx)
3842{
3843 return early_data_skip_helper(0, idx);
3844}
3845
3846/*
3847 * Test that a server attempting to read early data can handle a connection
3848 * from a client where an HRR occurs.
3849 */
3850static int test_early_data_skip_hrr(int idx)
3851{
3852 return early_data_skip_helper(1, idx);
3853}
3854
0efa0ba4
MC		 3855/*
3856 * Test that a server attempting to read early data can handle a connection
3857 * from a client where an HRR occurs and correctly fails if early_data is sent
3858 * after the HRR
3859 */
3860static int test_early_data_skip_hrr_fail(int idx)
3861{
3862 return early_data_skip_helper(2, idx);
3863}
3864
0d1b7789
MC		 3865/*
3866 * Test that a server attempting to read early data will abort if it tries to
3867 * skip over too much.
3868 */
3869static int test_early_data_skip_abort(int idx)
3870{
0efa0ba4 3871 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3872}
3873
710756a9
RS		 3874/*
3875 * Test that a server attempting to read early data can handle a connection
3876 * from a client that doesn't send any.
3877 */
3cb47b4e 3878static int test_early_data_not_sent(int idx)
5f982038
MC		 3879{
3880 SSL_CTX *cctx = NULL, *sctx = NULL;
3881 SSL *clientssl = NULL, *serverssl = NULL;
3882 int testresult = 0;
018fcbec 3883 SSL_SESSION *sess = NULL;
5f982038
MC		 3884 unsigned char buf[20];
3885 size_t readbytes, written;
3886
710756a9
RS		 3887 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3888 &serverssl, &sess, idx)))
5f982038
MC		 3889 goto end;
3890
3891 /* Write some data - should block due to handshake with server */
3892 SSL_set_connect_state(clientssl);
710756a9 3893 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3894 goto end;
5f982038
MC		 3895
3896 /* Server should detect that early data has not been sent */
710756a9
RS		 3897 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3898 &readbytes),
3899 SSL_READ_EARLY_DATA_FINISH)
3900 || !TEST_size_t_eq(readbytes, 0)
3901 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3902 SSL_EARLY_DATA_NOT_SENT)
3903 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3904 SSL_EARLY_DATA_NOT_SENT))
5f982038 3905 goto end;
5f982038
MC		 3906
3907 /* Continue writing the message we started earlier */
710756a9
RS		 3908 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3909 || !TEST_size_t_eq(written, strlen(MSG1))
3910 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3911 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3912 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3913 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3914 goto end;
5f982038 3915
710756a9
RS		 3916 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3917 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3918 goto end;
5f982038
MC		 3919
3920 testresult = 1;
3921
3922 end:
5f982038 3923 SSL_SESSION_free(sess);
c20e3b28 3924 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3925 SSL_SESSION_free(serverpsk);
3926 clientpsk = serverpsk = NULL;
5f982038
MC		 3927 SSL_free(serverssl);
3928 SSL_free(clientssl);
3929 SSL_CTX_free(sctx);
3930 SSL_CTX_free(cctx);
5f982038
MC		 3931 return testresult;
3932}
3933
976e5323
MC		 3934static const char *servalpn;
3935
c7558d5b
PY		 3936static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3937 unsigned char *outlen, const unsigned char *in,
3938 unsigned int inlen, void *arg)
976e5323 3939{
c7558d5b 3940 unsigned int protlen = 0;
976e5323
MC		 3941 const unsigned char *prot;
3942
c7558d5b
PY		 3943 for (prot = in; prot < in + inlen; prot += protlen) {
3944 protlen = *prot++;
5d99881e 3945 if (in + inlen < prot + protlen)
976e5323
MC		 3946 return SSL_TLSEXT_ERR_NOACK;
3947
3948 if (protlen == strlen(servalpn)
0bd42fde 3949 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3950 *out = prot;
3951 *outlen = protlen;
3952 return SSL_TLSEXT_ERR_OK;
3953 }
3954 }
3955
3956 return SSL_TLSEXT_ERR_NOACK;
3957}
3958
57dee9bb 3959/* Test that a PSK can be used to send early_data */
976e5323
MC		 3960static int test_early_data_psk(int idx)
3961{
3962 SSL_CTX *cctx = NULL, *sctx = NULL;
3963 SSL *clientssl = NULL, *serverssl = NULL;
3964 int testresult = 0;
3965 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3966 unsigned char alpnlist[] = {
3967 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3968 'l', 'p', 'n'
3969 };
3970#define GOODALPNLEN 9
3971#define BADALPNLEN 8
3972#define GOODALPN (alpnlist)
3973#define BADALPN (alpnlist + GOODALPNLEN)
3974 int err = 0;
976e5323
MC		 3975 unsigned char buf[20];
3976 size_t readbytes, written;
57dee9bb 3977 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3978 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3979
3980 /* We always set this up with a final parameter of "2" for PSK */
3981 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3982 &serverssl, &sess, 2)))
3983 goto end;
3984
976e5323
MC		 3985 servalpn = "goodalpn";
3986
57dee9bb
MC		 3987 /*
3988 * Note: There is no test for inconsistent SNI with late client detection.
3989 * This is because servers do not acknowledge SNI even if they are using
3990 * it in a resumption handshake - so it is not actually possible for a
3991 * client to detect a problem.
3992 */
976e5323
MC		 3993 switch (idx) {
3994 case 0:
57dee9bb 3995 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3996 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3997 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3998 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3999 goto end;
4000 break;
4001
4002 case 1:
57dee9bb 4003 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4004 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4005 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4006 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4007 GOODALPNLEN))
4008 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4009 BADALPNLEN)))
976e5323
MC		 4010 goto end;
4011 break;
4012
4013 case 2:
4014 /*
4015 * Set invalid protocol version. Technically this affects PSKs without
4016 * early_data too, but we test it here because it is similar to the
4017 * SNI/ALPN consistency tests.
4018 */
4019 err = SSL_R_BAD_PSK;
4020 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4021 goto end;
4022 break;
4023
4024 case 3:
4025 /*
49ef3d07
MC		 4026 * Set inconsistent SNI (server side). In this case the connection
4027 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4028 * is associated with each handshake - not the session. Therefore it
4029 * should not matter that we used a different server name last time.
976e5323 4030 */
281bf233
MC		 4031 SSL_SESSION_free(serverpsk);
4032 serverpsk = SSL_SESSION_dup(clientpsk);
4033 if (!TEST_ptr(serverpsk)
4034 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4035 goto end;
976e5323
MC		 4036 /* Fall through */
4037 case 4:
4038 /* Set consistent SNI */
976e5323
MC		 4039 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4040 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4041 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4042 hostname_cb)))
4043 goto end;
4044 break;
4045
4046 case 5:
4047 /*
4048 * Set inconsistent ALPN (server detected). In this case the connection
4049 * will succeed but reject early_data.
4050 */
4051 servalpn = "badalpn";
4052 edstatus = SSL_EARLY_DATA_REJECTED;
4053 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4054 /* Fall through */
4055 case 6:
976e5323 4056 /*
57dee9bb 4057 * Set consistent ALPN.
976e5323
MC		 4058 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4059 * accepts a list of protos (each one length prefixed).
4060 * SSL_set1_alpn_selected accepts a single protocol (not length
4061 * prefixed)
4062 */
57dee9bb
MC		 4063 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4064 GOODALPNLEN - 1))
4065 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4066 GOODALPNLEN)))
976e5323
MC		 4067 goto end;
4068
4069 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4070 break;
4071
57dee9bb
MC		 4072 case 7:
4073 /* Set inconsistent ALPN (late client detection) */
4074 SSL_SESSION_free(serverpsk);
4075 serverpsk = SSL_SESSION_dup(clientpsk);
4076 if (!TEST_ptr(serverpsk)
4077 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4078 BADALPN + 1,
4079 BADALPNLEN - 1))
4080 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4081 GOODALPN + 1,
4082 GOODALPNLEN - 1))
4083 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4084 sizeof(alpnlist))))
4085 goto end;
4086 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4087 edstatus = SSL_EARLY_DATA_ACCEPTED;
4088 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4089 /* SSL_connect() call should fail */
4090 connectres = -1;
4091 break;
4092
976e5323
MC		 4093 default:
4094 TEST_error("Bad test index");
4095 goto end;
4096 }
4097
4098 SSL_set_connect_state(clientssl);
4099 if (err != 0) {
4100 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4101 &written))
4102 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4103 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4104 goto end;
4105 } else {
4106 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4107 &written)))
4108 goto end;
4109
4110 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4111 &readbytes), readearlyres)
976e5323
MC		 4112 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4113 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4114 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4115 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4116 goto end;
4117 }
4118
4119 testresult = 1;
4120
4121 end:
c20e3b28 4122 SSL_SESSION_free(sess);
57dee9bb
MC		 4123 SSL_SESSION_free(clientpsk);
4124 SSL_SESSION_free(serverpsk);
4125 clientpsk = serverpsk = NULL;
976e5323
MC		 4126 SSL_free(serverssl);
4127 SSL_free(clientssl);
4128 SSL_CTX_free(sctx);
4129 SSL_CTX_free(cctx);
4130 return testresult;
4131}
4132
0b2b0be9 4133/*
4134 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4135 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4136 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4137 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4138 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4139 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4140 */
4141static int test_early_data_psk_with_all_ciphers(int idx)
4142{
4143 SSL_CTX *cctx = NULL, *sctx = NULL;
4144 SSL *clientssl = NULL, *serverssl = NULL;
4145 int testresult = 0;
4146 SSL_SESSION *sess = NULL;
4147 unsigned char buf[20];
4148 size_t readbytes, written;
4149 const SSL_CIPHER *cipher;
4150 const char *cipher_str[] = {
4151 TLS1_3_RFC_AES_128_GCM_SHA256,
4152 TLS1_3_RFC_AES_256_GCM_SHA384,
4153# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4154 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4155# else
4156 NULL,
4157# endif
4158 TLS1_3_RFC_AES_128_CCM_SHA256,
4159 TLS1_3_RFC_AES_128_CCM_8_SHA256
4160 };
4161 const unsigned char *cipher_bytes[] = {
4162 TLS13_AES_128_GCM_SHA256_BYTES,
4163 TLS13_AES_256_GCM_SHA384_BYTES,
4164# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4165 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4166# else
4167 NULL,
4168# endif
4169 TLS13_AES_128_CCM_SHA256_BYTES,
4170 TLS13_AES_128_CCM_8_SHA256_BYTES
4171 };
4172
4173 if (cipher_str[idx] == NULL)
4174 return 1;
4175 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4176 if (idx == 2 && is_fips == 1)
4177 return 1;
4178
4179 /* We always set this up with a final parameter of "2" for PSK */
4180 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4181 &serverssl, &sess, 2)))
4182 goto end;
4183
4184 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4185 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4186 goto end;
4187
4188 /*
4189 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4190 * and assigns to both client and server with incremented reference
4191 * and the same instance is updated in 'sess'.
4192 * So updating ciphersuite in 'sess' which will get reflected in
4193 * PSK handshake using psk use sess and find sess cb.
4194 */
4195 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4196 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4197 goto end;
4198
4199 SSL_set_connect_state(clientssl);
4200 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4201 &written)))
4202 goto end;
4203
4204 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4205 &readbytes),
4206 SSL_READ_EARLY_DATA_SUCCESS)
4207 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4208 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4209 SSL_EARLY_DATA_ACCEPTED)
4210 || !TEST_int_eq(SSL_connect(clientssl), 1)
4211 || !TEST_int_eq(SSL_accept(serverssl), 1))
4212 goto end;
4213
4214 /* Send some normal data from client to server */
4215 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4216 || !TEST_size_t_eq(written, strlen(MSG2)))
4217 goto end;
4218
4219 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4220 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4221 goto end;
4222
4223 testresult = 1;
4224 end:
4225 SSL_SESSION_free(sess);
4226 SSL_SESSION_free(clientpsk);
4227 SSL_SESSION_free(serverpsk);
4228 clientpsk = serverpsk = NULL;
4229 if (clientssl != NULL)
4230 SSL_shutdown(clientssl);
4231 if (serverssl != NULL)
4232 SSL_shutdown(serverssl);
4233 SSL_free(serverssl);
4234 SSL_free(clientssl);
4235 SSL_CTX_free(sctx);
4236 SSL_CTX_free(cctx);
4237 return testresult;
4238}
4239
710756a9
RS		 4240/*
4241 * Test that a server that doesn't try to read early data can handle a
4242 * client sending some.
4243 */
3cb47b4e 4244static int test_early_data_not_expected(int idx)
5f982038
MC		 4245{
4246 SSL_CTX *cctx = NULL, *sctx = NULL;
4247 SSL *clientssl = NULL, *serverssl = NULL;
4248 int testresult = 0;
018fcbec 4249 SSL_SESSION *sess = NULL;
5f982038
MC		 4250 unsigned char buf[20];
4251 size_t readbytes, written;
4252
710756a9
RS		 4253 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4254 &serverssl, &sess, idx)))
5f982038
MC		 4255 goto end;
4256
4257 /* Write some early data */
710756a9
RS		 4258 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4259 &written)))
5f982038 4260 goto end;
5f982038
MC		 4261
4262 /*
4263 * Server should skip over early data and then block waiting for client to
4264 * continue handshake
4265 */
710756a9
RS		 4266 if (!TEST_int_le(SSL_accept(serverssl), 0)
4267 || !TEST_int_gt(SSL_connect(clientssl), 0)
4268 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4269 SSL_EARLY_DATA_REJECTED)
4270 || !TEST_int_gt(SSL_accept(serverssl), 0)
4271 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4272 SSL_EARLY_DATA_REJECTED))
5f982038 4273 goto end;
5f982038
MC		 4274
4275 /* Send some normal data from client to server */
710756a9
RS		 4276 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4277 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4278 goto end;
5f982038 4279
710756a9
RS		 4280 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4281 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4282 goto end;
5f982038
MC		 4283
4284 testresult = 1;
4285
4286 end:
5f982038 4287 SSL_SESSION_free(sess);
c20e3b28 4288 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4289 SSL_SESSION_free(serverpsk);
4290 clientpsk = serverpsk = NULL;
5f982038
MC		 4291 SSL_free(serverssl);
4292 SSL_free(clientssl);
4293 SSL_CTX_free(sctx);
4294 SSL_CTX_free(cctx);
5f982038
MC		 4295 return testresult;
4296}
4297
4298
4299# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4300/*
4301 * Test that a server attempting to read early data can handle a connection
4302 * from a TLSv1.2 client.
4303 */
3cb47b4e 4304static int test_early_data_tls1_2(int idx)
5f982038
MC		 4305{
4306 SSL_CTX *cctx = NULL, *sctx = NULL;
4307 SSL *clientssl = NULL, *serverssl = NULL;
4308 int testresult = 0;
4309 unsigned char buf[20];
4310 size_t readbytes, written;
4311
02a3ed5a
MC		 4312 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4313 &serverssl, NULL, idx)))
5f982038 4314 goto end;
5f982038
MC		 4315
4316 /* Write some data - should block due to handshake with server */
4317 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4318 SSL_set_connect_state(clientssl);
710756a9 4319 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4320 goto end;
5f982038
MC		 4321
4322 /*
4323 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4324 * messages from client after ServerDone. Then SSL_read_early_data should
4325 * finish and detect that early data has not been sent
5f982038 4326 */
710756a9
RS		 4327 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4328 &readbytes),
4329 SSL_READ_EARLY_DATA_ERROR))
5f982038 4330 goto end;
5f982038
MC		 4331
4332 /*
4333 * Continue writing the message we started earlier. Will still block waiting
4334 * for the CCS/Finished from server
4335 */
710756a9
RS		 4336 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4337 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4338 &readbytes),
4339 SSL_READ_EARLY_DATA_FINISH)
4340 || !TEST_size_t_eq(readbytes, 0)
4341 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4342 SSL_EARLY_DATA_NOT_SENT))
5f982038 4343 goto end;
5f982038
MC		 4344
4345 /* Continue writing the message we started earlier */
710756a9
RS		 4346 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4347 || !TEST_size_t_eq(written, strlen(MSG1))
4348 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4349 SSL_EARLY_DATA_NOT_SENT)
4350 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4351 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4352 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4353 || !TEST_size_t_eq(written, strlen(MSG2))
4354 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4355 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4356 goto end;
5f982038
MC		 4357
4358 testresult = 1;
4359
4360 end:
57dee9bb
MC		 4361 SSL_SESSION_free(clientpsk);
4362 SSL_SESSION_free(serverpsk);
4363 clientpsk = serverpsk = NULL;
5f982038
MC		 4364 SSL_free(serverssl);
4365 SSL_free(clientssl);
4366 SSL_CTX_free(sctx);
4367 SSL_CTX_free(cctx);
4368
4369 return testresult;
4370}
ca0413ae
MC		 4371# endif /* OPENSSL_NO_TLS1_2 */
4372
034cb87b
MC		 4373/*
4374 * Test configuring the TLSv1.3 ciphersuites
4375 *
4376 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4377 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4378 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4379 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4380 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4381 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4382 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4383 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4384 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4385 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4386 */
4387static int test_set_ciphersuite(int idx)
4388{
4389 SSL_CTX *cctx = NULL, *sctx = NULL;
4390 SSL *clientssl = NULL, *serverssl = NULL;
4391 int testresult = 0;
4392
5e30f2fd
MC		 4393 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4394 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4395 &sctx, &cctx, cert, privkey))
4396 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4397 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4398 goto end;
4399
4400 if (idx >=4 && idx <= 7) {
4401 /* SSL_CTX explicit cipher list */
4402 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4403 goto end;
4404 }
4405
4406 if (idx == 0 || idx == 4) {
4407 /* Default ciphersuite */
4408 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4409 "TLS_AES_128_GCM_SHA256")))
4410 goto end;
4411 } else if (idx == 1 || idx == 5) {
4412 /* Non default ciphersuite */
4413 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4414 "TLS_AES_128_CCM_SHA256")))
4415 goto end;
4416 }
4417
4418 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4419 &clientssl, NULL, NULL)))
4420 goto end;
4421
4422 if (idx == 8 || idx == 9) {
4423 /* SSL explicit cipher list */
4424 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4425 goto end;
4426 }
4427
4428 if (idx == 2 || idx == 6 || idx == 8) {
4429 /* Default ciphersuite */
4430 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4431 "TLS_AES_128_GCM_SHA256")))
4432 goto end;
4433 } else if (idx == 3 || idx == 7 || idx == 9) {
4434 /* Non default ciphersuite */
4435 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4436 "TLS_AES_128_CCM_SHA256")))
4437 goto end;
4438 }
4439
4440 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4441 goto end;
4442
4443 testresult = 1;
4444
4445 end:
4446 SSL_free(serverssl);
4447 SSL_free(clientssl);
4448 SSL_CTX_free(sctx);
4449 SSL_CTX_free(cctx);
4450
4451 return testresult;
4452}
4453
ca0413ae
MC		 4454static int test_ciphersuite_change(void)
4455{
4456 SSL_CTX *cctx = NULL, *sctx = NULL;
4457 SSL *clientssl = NULL, *serverssl = NULL;
4458 SSL_SESSION *clntsess = NULL;
4459 int testresult = 0;
4460 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4461
4462 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4463 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4464 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4465 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4466 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4467 "TLS_AES_128_GCM_SHA256:"
4468 "TLS_AES_256_GCM_SHA384:"
4469 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4470 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4471 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4472 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4473 &clientssl, NULL, NULL))
4474 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4475 SSL_ERROR_NONE)))
4476 goto end;
4477
4478 clntsess = SSL_get1_session(clientssl);
4479 /* Save for later */
4480 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4481 SSL_shutdown(clientssl);
4482 SSL_shutdown(serverssl);
4483 SSL_free(serverssl);
4484 SSL_free(clientssl);
4485 serverssl = clientssl = NULL;
4486
4487 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4488 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4489 "TLS_AES_128_CCM_SHA256"))
4490 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4491 &clientssl, NULL, NULL))
ca0413ae
MC		 4492 || !TEST_true(SSL_set_session(clientssl, clntsess))
4493 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4494 SSL_ERROR_NONE))
4495 || !TEST_true(SSL_session_reused(clientssl)))
4496 goto end;
4497
4498 SSL_SESSION_free(clntsess);
4499 clntsess = SSL_get1_session(clientssl);
4500 SSL_shutdown(clientssl);
4501 SSL_shutdown(serverssl);
4502 SSL_free(serverssl);
4503 SSL_free(clientssl);
4504 serverssl = clientssl = NULL;
4505
4506 /*
4507 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4508 * succeeds but does not resume.
ca0413ae 4509 */
f865b081 4510 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4511 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4512 NULL, NULL))
4513 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4514 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4515 SSL_ERROR_SSL))
0de6d66d 4516 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4517 goto end;
4518
4519 SSL_SESSION_free(clntsess);
4520 clntsess = NULL;
4521 SSL_shutdown(clientssl);
4522 SSL_shutdown(serverssl);
4523 SSL_free(serverssl);
4524 SSL_free(clientssl);
4525 serverssl = clientssl = NULL;
4526
4527 /* Create a session based on SHA384 */
f865b081 4528 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4529 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4530 &clientssl, NULL, NULL))
4531 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4532 SSL_ERROR_NONE)))
4533 goto end;
4534
4535 clntsess = SSL_get1_session(clientssl);
4536 SSL_shutdown(clientssl);
4537 SSL_shutdown(serverssl);
4538 SSL_free(serverssl);
4539 SSL_free(clientssl);
4540 serverssl = clientssl = NULL;
4541
f865b081
MC		 4542 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4543 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4544 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4545 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4546 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4547 NULL, NULL))
4548 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4549 /*
4550 * We use SSL_ERROR_WANT_READ below so that we can pause the
4551 * connection after the initial ClientHello has been sent to
4552 * enable us to make some session changes.
4553 */
ca0413ae
MC		 4554 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4555 SSL_ERROR_WANT_READ)))
4556 goto end;
4557
4558 /* Trick the client into thinking this session is for a different digest */
4559 clntsess->cipher = aes_128_gcm_sha256;
4560 clntsess->cipher_id = clntsess->cipher->id;
4561
4562 /*
3b0e88d3
MC		 4563 * Continue the previously started connection. Server has selected a SHA-384
4564 * ciphersuite, but client thinks the session is for SHA-256, so it should
4565 * bail out.
ca0413ae
MC		 4566 */
4567 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4568 SSL_ERROR_SSL))
4569 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4570 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4571 goto end;
4572
4573 testresult = 1;
4574
4575 end:
4576 SSL_SESSION_free(clntsess);
4577 SSL_free(serverssl);
4578 SSL_free(clientssl);
4579 SSL_CTX_free(sctx);
4580 SSL_CTX_free(cctx);
4581
4582 return testresult;
4583}
4584
8e63900a 4585/*
5bf2eade 4586 * Test TLSv1.3 Key exchange
4587 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4588 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4589 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4590 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4591 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4592 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4593 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4594 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4595 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4596 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4597 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4598 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4599 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4600 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4601 */
db26ec80 4602static int test_key_exchange(int idx)
8e63900a 4603{
4604 SSL_CTX *sctx = NULL, *cctx = NULL;
4605 SSL *serverssl = NULL, *clientssl = NULL;
4606 int testresult = 0;
5bf2eade 4607# ifndef OPENSSL_NO_EC
4608 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4609 NID_secp521r1, NID_X25519, NID_X448};
4610# endif
4611# ifndef OPENSSL_NO_DH
8e63900a 4612 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4613 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4614# endif
fb8c6db4 4615 int kexch_alg;
4616 int *kexch_groups = &kexch_alg;
4617 int kexch_groups_size = 1;
8e63900a 4618 int max_version = TLS1_3_VERSION;
8e63900a 4619
4620 switch (idx) {
5bf2eade 4621# ifndef OPENSSL_NO_EC
db26ec80 4622# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4623 case 12:
fb8c6db4 4624 max_version = TLS1_2_VERSION;
db26ec80 4625# endif
fb8c6db4 4626 /* Fall through */
4627 case 0:
4628 kexch_groups = ecdhe_kexch_groups;
4629 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4630 break;
5bf2eade 4631 case 1:
fb8c6db4 4632 kexch_alg = NID_X9_62_prime256v1;
4633 break;
5bf2eade 4634 case 2:
fb8c6db4 4635 kexch_alg = NID_secp384r1;
4636 break;
5bf2eade 4637 case 3:
fb8c6db4 4638 kexch_alg = NID_secp521r1;
4639 break;
5bf2eade 4640 case 4:
fb8c6db4 4641 kexch_alg = NID_X25519;
4642 break;
5bf2eade 4643 case 5:
fb8c6db4 4644 kexch_alg = NID_X448;
4645 break;
5bf2eade 4646# endif
4647# ifndef OPENSSL_NO_DH
db26ec80 4648# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4649 case 13:
dbc6268f 4650 max_version = TLS1_2_VERSION;
db26ec80 4651# endif
dbc6268f 4652 /* Fall through */
5bf2eade 4653 case 6:
8e63900a 4654 kexch_groups = ffdhe_kexch_groups;
4655 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4656 break;
5bf2eade 4657 case 7:
fb8c6db4 4658 kexch_alg = NID_ffdhe2048;
4659 break;
5bf2eade 4660 case 8:
fb8c6db4 4661 kexch_alg = NID_ffdhe3072;
4662 break;
5bf2eade 4663 case 9:
fb8c6db4 4664 kexch_alg = NID_ffdhe4096;
4665 break;
5bf2eade 4666 case 10:
fb8c6db4 4667 kexch_alg = NID_ffdhe6144;
4668 break;
5bf2eade 4669 case 11:
fb8c6db4 4670 kexch_alg = NID_ffdhe8192;
8e63900a 4671 break;
5bf2eade 4672# endif
6597d62b
MC		 4673 default:
4674 /* We're skipping this test */
4675 return 1;
8e63900a 4676 }
4677
5e30f2fd
MC		 4678 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4679 TLS_client_method(), TLS1_VERSION,
4680 max_version, &sctx, &cctx, cert,
4681 privkey)))
8e63900a 4682 goto end;
4683
5bf2eade 4684 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4685 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4686 goto end;
4687
5bf2eade 4688 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4689 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4690 goto end;
4691
5bf2eade 4692 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4693 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4694 goto end;
4695
dbc6268f
MC		 4696 /*
4697 * Must include an EC ciphersuite so that we send supported groups in
4698 * TLSv1.2
4699 */
5bf2eade 4700# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4701 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4702 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4703 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4704 goto end;
5bf2eade 4705# endif
8e63900a 4706
4707 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4708 NULL, NULL)))
4709 goto end;
4710
4711 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4712 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4713 goto end;
4714
5bf2eade 4715 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4716 goto end;
8e63900a 4717
dbc6268f 4718 /*
5bf2eade 4719 * If Handshake succeeds the negotiated kexch alg should be the first one in
4720 * configured, except in the case of FFDHE groups (idx 13), which are
4721 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4722 */
4723 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4724 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4725 goto end;
fb8c6db4 4726 if (max_version == TLS1_3_VERSION) {
4727 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4728 goto end;
4729 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4730 goto end;
4731 }
8e63900a 4732
4733 testresult = 1;
4734 end:
4735 SSL_free(serverssl);
4736 SSL_free(clientssl);
4737 SSL_CTX_free(sctx);
4738 SSL_CTX_free(cctx);
4739 return testresult;
4740}
4741
5bf2eade 4742/*
4743 * Test TLSv1.3 Cipher Suite
4744 * Test 0 = Set TLS1.3 cipher on context
4745 * Test 1 = Set TLS1.3 cipher on SSL
4746 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4747 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4748 */
4749static int test_tls13_ciphersuite(int idx)
4750{
4751 SSL_CTX *sctx = NULL, *cctx = NULL;
4752 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4753 static const struct {
4754 const char *ciphername;
4755 int fipscapable;
4756 } t13_ciphers[] = {
4757 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4758 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4759 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4760# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4761 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4762 { TLS1_3_RFC_AES_256_GCM_SHA384
4763 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4764# endif
4f6c7044 4765 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4766 };
4767 const char *t13_cipher = NULL;
4768 const char *t12_cipher = NULL;
4769 const char *negotiated_scipher;
4770 const char *negotiated_ccipher;
4771 int set_at_ctx = 0;
4772 int set_at_ssl = 0;
4773 int testresult = 0;
4774 int max_ver;
4775 size_t i;
4776
4777 switch (idx) {
4778 case 0:
4779 set_at_ctx = 1;
4780 break;
4781 case 1:
4782 set_at_ssl = 1;
4783 break;
4784 case 2:
4785 set_at_ctx = 1;
2d900758 4786 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4787 break;
4788 case 3:
4789 set_at_ssl = 1;
2d900758 4790 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4791 break;
4792 }
4793
4794 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4795# ifdef OPENSSL_NO_TLS1_2
4796 if (max_ver == TLS1_2_VERSION)
4797 continue;
4798# endif
4799 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4800 if (is_fips && !t13_ciphers[i].fipscapable)
4801 continue;
4802 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4803 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4804 TLS_client_method(),
4805 TLS1_VERSION, max_ver,
4806 &sctx, &cctx, cert, privkey)))
4807 goto end;
4808
4809 if (set_at_ctx) {
4810 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4811 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4812 goto end;
4813 if (t12_cipher != NULL) {
4814 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4815 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4816 t12_cipher)))
4817 goto end;
4818 }
4819 }
4820
4821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4822 &clientssl, NULL, NULL)))
4823 goto end;
4824
4825 if (set_at_ssl) {
4826 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4827 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4828 goto end;
4829 if (t12_cipher != NULL) {
4830 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4831 || !TEST_true(SSL_set_cipher_list(clientssl,
4832 t12_cipher)))
4833 goto end;
4834 }
4835 }
4836
4837 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4838 SSL_ERROR_NONE)))
4839 goto end;
4840
4841 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4842 serverssl));
4843 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4844 clientssl));
4845 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4846 goto end;
4847
4848 /*
4849 * TEST_strn_eq is used below because t13_cipher can contain
4850 * multiple ciphersuites
4851 */
4852 if (max_ver == TLS1_3_VERSION
4853 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4854 strlen(negotiated_scipher)))
4855 goto end;
4856
4857# ifndef OPENSSL_NO_TLS1_2
4858 /* Below validation is not done when t12_cipher is NULL */
4859 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4860 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4861 goto end;
4862# endif
4863
4864 SSL_free(serverssl);
4865 serverssl = NULL;
4866 SSL_free(clientssl);
4867 clientssl = NULL;
4868 SSL_CTX_free(sctx);
4869 sctx = NULL;
4870 SSL_CTX_free(cctx);
4871 cctx = NULL;
4872 }
4873 }
4874
4875 testresult = 1;
4876 end:
4877 SSL_free(serverssl);
4878 SSL_free(clientssl);
4879 SSL_CTX_free(sctx);
4880 SSL_CTX_free(cctx);
4881 return testresult;
4882}
4883
0d8da779
MC		 4884/*
4885 * Test TLSv1.3 PSKs
4886 * Test 0 = Test new style callbacks
4887 * Test 1 = Test both new and old style callbacks
4888 * Test 2 = Test old style callbacks
4889 * Test 3 = Test old style callbacks with no certificate
4890 */
532f9578 4891static int test_tls13_psk(int idx)
ca8c71ba
MC		 4892{
4893 SSL_CTX *sctx = NULL, *cctx = NULL;
4894 SSL *serverssl = NULL, *clientssl = NULL;
4895 const SSL_CIPHER *cipher = NULL;
4896 const unsigned char key[] = {
4897 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4898 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4899 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4900 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4901 };
4902 int testresult = 0;
4903
5e30f2fd
MC		 4904 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4905 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4906 &sctx, &cctx, idx == 3 ? NULL : cert,
4907 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4908 goto end;
4909
0d8da779
MC		 4910 if (idx != 3) {
4911 /*
4912 * We use a ciphersuite with SHA256 to ease testing old style PSK
4913 * callbacks which will always default to SHA256. This should not be
4914 * necessary if we have no cert/priv key. In that case the server should
4915 * prefer SHA256 automatically.
4916 */
4917 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4918 "TLS_AES_128_GCM_SHA256")))
4919 goto end;
4f6c7044
MC		 4920 } else {
4921 /*
4922 * As noted above the server should prefer SHA256 automatically. However
4923 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4924 * code works even if we are testing with only the FIPS provider loaded.
4925 */
4926 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4927 "TLS_AES_256_GCM_SHA384:"
4928 "TLS_AES_128_GCM_SHA256")))
4929 goto end;
0d8da779 4930 }
532f9578
MC		 4931
4932 /*
4933 * Test 0: New style callbacks only
4934 * Test 1: New and old style callbacks (only the new ones should be used)
4935 * Test 2: Old style callbacks only
4936 */
4937 if (idx == 0 || idx == 1) {
4938 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4939 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4940 }
c2b290c3 4941#ifndef OPENSSL_NO_PSK
0d8da779 4942 if (idx >= 1) {
532f9578
MC		 4943 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4944 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4945 }
c2b290c3 4946#endif
ca8c71ba 4947 srvid = pskid;
02a3ed5a
MC		 4948 use_session_cb_cnt = 0;
4949 find_session_cb_cnt = 0;
532f9578
MC		 4950 psk_client_cb_cnt = 0;
4951 psk_server_cb_cnt = 0;
ca8c71ba 4952
0d8da779
MC		 4953 if (idx != 3) {
4954 /*
4955 * Check we can create a connection if callback decides not to send a
4956 * PSK
4957 */
4958 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4959 NULL, NULL))
4960 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4961 SSL_ERROR_NONE))
4962 || !TEST_false(SSL_session_reused(clientssl))
4963 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4964 goto end;
532f9578 4965
0d8da779
MC		 4966 if (idx == 0 || idx == 1) {
4967 if (!TEST_true(use_session_cb_cnt == 1)
4968 || !TEST_true(find_session_cb_cnt == 0)
4969 /*
4970 * If no old style callback then below should be 0
4971 * otherwise 1
4972 */
4973 || !TEST_true(psk_client_cb_cnt == idx)
4974 || !TEST_true(psk_server_cb_cnt == 0))
4975 goto end;
4976 } else {
4977 if (!TEST_true(use_session_cb_cnt == 0)
4978 || !TEST_true(find_session_cb_cnt == 0)
4979 || !TEST_true(psk_client_cb_cnt == 1)
4980 || !TEST_true(psk_server_cb_cnt == 0))
4981 goto end;
4982 }
4983
4984 shutdown_ssl_connection(serverssl, clientssl);
4985 serverssl = clientssl = NULL;
4986 use_session_cb_cnt = psk_client_cb_cnt = 0;
4987 }
ca8c71ba
MC		 4988
4989 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4990 NULL, NULL)))
4991 goto end;
4992
4993 /* Create the PSK */
532f9578 4994 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4995 clientpsk = SSL_SESSION_new();
4996 if (!TEST_ptr(clientpsk)
ca8c71ba 4997 || !TEST_ptr(cipher)
57dee9bb
MC		 4998 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4999 sizeof(key)))
5000 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5001 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5002 TLS1_3_VERSION))
5003 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5004 goto end;
57dee9bb 5005 serverpsk = clientpsk;
ca8c71ba
MC		 5006
5007 /* Check we can create a connection and the PSK is used */
5008 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5009 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5010 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5011 goto end;
5012
532f9578
MC		 5013 if (idx == 0 || idx == 1) {
5014 if (!TEST_true(use_session_cb_cnt == 1)
5015 || !TEST_true(find_session_cb_cnt == 1)
5016 || !TEST_true(psk_client_cb_cnt == 0)
5017 || !TEST_true(psk_server_cb_cnt == 0))
5018 goto end;
5019 } else {
5020 if (!TEST_true(use_session_cb_cnt == 0)
5021 || !TEST_true(find_session_cb_cnt == 0)
5022 || !TEST_true(psk_client_cb_cnt == 1)
5023 || !TEST_true(psk_server_cb_cnt == 1))
5024 goto end;
5025 }
5026
ca8c71ba
MC		 5027 shutdown_ssl_connection(serverssl, clientssl);
5028 serverssl = clientssl = NULL;
5029 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5030 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5031
5032 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5033 NULL, NULL)))
5034 goto end;
5035
5036 /* Force an HRR */
dbc6268f
MC		 5037#if defined(OPENSSL_NO_EC)
5038 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5039 goto end;
5040#else
ca8c71ba
MC		 5041 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5042 goto end;
dbc6268f 5043#endif
ca8c71ba
MC		 5044
5045 /*
5046 * Check we can create a connection, the PSK is used and the callbacks are
5047 * called twice.
5048 */
5049 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5050 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5051 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5052 goto end;
5053
532f9578
MC		 5054 if (idx == 0 || idx == 1) {
5055 if (!TEST_true(use_session_cb_cnt == 2)
5056 || !TEST_true(find_session_cb_cnt == 2)
5057 || !TEST_true(psk_client_cb_cnt == 0)
5058 || !TEST_true(psk_server_cb_cnt == 0))
5059 goto end;
5060 } else {
5061 if (!TEST_true(use_session_cb_cnt == 0)
5062 || !TEST_true(find_session_cb_cnt == 0)
5063 || !TEST_true(psk_client_cb_cnt == 2)
5064 || !TEST_true(psk_server_cb_cnt == 2))
5065 goto end;
5066 }
5067
ca8c71ba
MC		 5068 shutdown_ssl_connection(serverssl, clientssl);
5069 serverssl = clientssl = NULL;
5070 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5071 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5072
0d8da779
MC		 5073 if (idx != 3) {
5074 /*
5075 * Check that if the server rejects the PSK we can still connect, but with
5076 * a full handshake
5077 */
5078 srvid = "Dummy Identity";
5079 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5080 NULL, NULL))
5081 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5082 SSL_ERROR_NONE))
5083 || !TEST_false(SSL_session_reused(clientssl))
5084 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5085 goto end;
532f9578 5086
0d8da779
MC		 5087 if (idx == 0 || idx == 1) {
5088 if (!TEST_true(use_session_cb_cnt == 1)
5089 || !TEST_true(find_session_cb_cnt == 1)
5090 || !TEST_true(psk_client_cb_cnt == 0)
5091 /*
5092 * If no old style callback then below should be 0
5093 * otherwise 1
5094 */
5095 || !TEST_true(psk_server_cb_cnt == idx))
5096 goto end;
5097 } else {
5098 if (!TEST_true(use_session_cb_cnt == 0)
5099 || !TEST_true(find_session_cb_cnt == 0)
5100 || !TEST_true(psk_client_cb_cnt == 1)
5101 || !TEST_true(psk_server_cb_cnt == 1))
5102 goto end;
5103 }
5104
5105 shutdown_ssl_connection(serverssl, clientssl);
5106 serverssl = clientssl = NULL;
5107 }
ca8c71ba
MC		 5108 testresult = 1;
5109
5110 end:
57dee9bb
MC		 5111 SSL_SESSION_free(clientpsk);
5112 SSL_SESSION_free(serverpsk);
5113 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5114 SSL_free(serverssl);
5115 SSL_free(clientssl);
5116 SSL_CTX_free(sctx);
5117 SSL_CTX_free(cctx);
5118 return testresult;
5119}
5120
c7b8ff25
MC		 5121static unsigned char cookie_magic_value[] = "cookie magic";
5122
5123static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5124 unsigned int *cookie_len)
5125{
5126 /*
5127 * Not suitable as a real cookie generation function but good enough for
5128 * testing!
5129 */
97ea1e7f
MC		 5130 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5131 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5132
5133 return 1;
5134}
5135
5136static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5137 unsigned int cookie_len)
5138{
97ea1e7f 5139 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5140 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5141 return 1;
5142
5143 return 0;
5144}
5145
3fa2812f
BS		 5146static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5147 size_t *cookie_len)
5148{
5149 unsigned int temp;
5150 int res = generate_cookie_callback(ssl, cookie, &temp);
5151 *cookie_len = temp;
5152 return res;
5153}
5154
5155static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5156 size_t cookie_len)
5157{
5158 return verify_cookie_callback(ssl, cookie, cookie_len);
5159}
5160
c7b8ff25
MC		 5161static int test_stateless(void)
5162{
5163 SSL_CTX *sctx = NULL, *cctx = NULL;
5164 SSL *serverssl = NULL, *clientssl = NULL;
5165 int testresult = 0;
5166
5e30f2fd
MC		 5167 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5168 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5169 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5170 goto end;
5171
e440f513
MC		 5172 /* The arrival of CCS messages can confuse the test */
5173 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5174
5175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5176 NULL, NULL))
5177 /* Send the first ClientHello */
5178 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5179 SSL_ERROR_WANT_READ))
5180 /*
5181 * This should fail with a -1 return because we have no callbacks
5182 * set up
5183 */
5184 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5185 goto end;
5186
5187 /* Fatal error so abandon the connection from this client */
5188 SSL_free(clientssl);
5189 clientssl = NULL;
5190
c7b8ff25 5191 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5192 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5193 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5194
e440f513
MC		 5195 /*
5196 * Create a new connection from the client (we can reuse the server SSL
5197 * object).
5198 */
c7b8ff25
MC		 5199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5200 NULL, NULL))
5201 /* Send the first ClientHello */
5202 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5203 SSL_ERROR_WANT_READ))
5204 /* This should fail because there is no cookie */
e440f513 5205 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5206 goto end;
5207
5208 /* Abandon the connection from this client */
5209 SSL_free(clientssl);
5210 clientssl = NULL;
5211
5212 /*
5213 * Now create a connection from a new client but with the same server SSL
5214 * object
5215 */
5216 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5217 NULL, NULL))
5218 /* Send the first ClientHello */
5219 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5220 SSL_ERROR_WANT_READ))
5221 /* This should fail because there is no cookie */
e440f513 5222 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5223 /* Send the second ClientHello */
5224 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5225 SSL_ERROR_WANT_READ))
5226 /* This should succeed because a cookie is now present */
e440f513 5227 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5228 /* Complete the connection */
5229 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5230 SSL_ERROR_NONE)))
5231 goto end;
5232
5233 shutdown_ssl_connection(serverssl, clientssl);
5234 serverssl = clientssl = NULL;
5235 testresult = 1;
5236
5237 end:
5238 SSL_free(serverssl);
5239 SSL_free(clientssl);
5240 SSL_CTX_free(sctx);
5241 SSL_CTX_free(cctx);
5242 return testresult;
5243
5244}
ca0413ae 5245#endif /* OPENSSL_NO_TLS1_3 */
5f982038 5246
a37008d9
MC		 5247static int clntaddoldcb = 0;
5248static int clntparseoldcb = 0;
5249static int srvaddoldcb = 0;
5250static int srvparseoldcb = 0;
5251static int clntaddnewcb = 0;
5252static int clntparsenewcb = 0;
5253static int srvaddnewcb = 0;
5254static int srvparsenewcb = 0;
bb01ef3f 5255static int snicb = 0;
a37008d9
MC		 5256
5257#define TEST_EXT_TYPE1 0xff00
5258
5259static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5260 size_t *outlen, int *al, void *add_arg)
5261{
5262 int *server = (int *)add_arg;
5263 unsigned char *data;
5264
5265 if (SSL_is_server(s))
5266 srvaddoldcb++;
5267 else
5268 clntaddoldcb++;
5269
710756a9
RS		 5270 if (*server != SSL_is_server(s)
5271 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5272 return -1;
5273
5274 *data = 1;
5275 *out = data;
5276 *outlen = sizeof(char);
a37008d9
MC		 5277 return 1;
5278}
5279
5280static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5281 void *add_arg)
5282{
5283 OPENSSL_free((unsigned char *)out);
5284}
5285
5286static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5287 size_t inlen, int *al, void *parse_arg)
5288{
5289 int *server = (int *)parse_arg;
5290
5291 if (SSL_is_server(s))
5292 srvparseoldcb++;
5293 else
5294 clntparseoldcb++;
5295
710756a9
RS		 5296 if (*server != SSL_is_server(s)
5297 || inlen != sizeof(char)
5298 || *in != 1)
a37008d9
MC		 5299 return -1;
5300
5301 return 1;
5302}
5303
5304static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5305 const unsigned char **out, size_t *outlen, X509 *x,
5306 size_t chainidx, int *al, void *add_arg)
5307{
5308 int *server = (int *)add_arg;
5309 unsigned char *data;
5310
5311 if (SSL_is_server(s))
5312 srvaddnewcb++;
5313 else
5314 clntaddnewcb++;
5315
710756a9
RS		 5316 if (*server != SSL_is_server(s)
5317 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5318 return -1;
5319
5320 *data = 1;
5321 *out = data;
710756a9 5322 *outlen = sizeof(*data);
a37008d9
MC		 5323 return 1;
5324}
5325
5326static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5327 const unsigned char *out, void *add_arg)
5328{
5329 OPENSSL_free((unsigned char *)out);
5330}
5331
5332static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5333 const unsigned char *in, size_t inlen, X509 *x,
5334 size_t chainidx, int *al, void *parse_arg)
5335{
5336 int *server = (int *)parse_arg;
5337
5338 if (SSL_is_server(s))
5339 srvparsenewcb++;
5340 else
5341 clntparsenewcb++;
5342
710756a9
RS		 5343 if (*server != SSL_is_server(s)
5344 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5345 return -1;
5346
5347 return 1;
5348}
bb01ef3f
MC		 5349
5350static int sni_cb(SSL *s, int *al, void *arg)
5351{
5352 SSL_CTX *ctx = (SSL_CTX *)arg;
5353
5354 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5355 *al = SSL_AD_INTERNAL_ERROR;
5356 return SSL_TLSEXT_ERR_ALERT_FATAL;
5357 }
5358 snicb++;
5359 return SSL_TLSEXT_ERR_OK;
5360}
5361
a37008d9
MC		 5362/*
5363 * Custom call back tests.
5364 * Test 0: Old style callbacks in TLSv1.2
5365 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5366 * Test 2: New style callbacks in TLSv1.2 with SNI
5367 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5368 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5369 */
710756a9
RS		 5370static int test_custom_exts(int tst)
5371{
bb01ef3f 5372 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5373 SSL *clientssl = NULL, *serverssl = NULL;
5374 int testresult = 0;
5375 static int server = 1;
5376 static int client = 0;
5377 SSL_SESSION *sess = NULL;
5378 unsigned int context;
5379
c423ecaa
MC		 5380#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5381 /* Skip tests for TLSv1.2 and below in this case */
5382 if (tst < 3)
5383 return 1;
5384#endif
5385
a37008d9
MC		 5386 /* Reset callback counters */
5387 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5388 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5389 snicb = 0;
a37008d9 5390
5e30f2fd
MC		 5391 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5392 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5393 &sctx, &cctx, cert, privkey)))
710756a9 5394 goto end;
a37008d9 5395
bb01ef3f 5396 if (tst == 2
5e30f2fd 5397 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5398 TLS1_VERSION, 0,
7d7f6834 5399 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5400 goto end;
5401
5402
5403 if (tst < 3) {
a37008d9
MC		 5404 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5405 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5406 if (sctx2 != NULL)
5407 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5408 }
5409
bb01ef3f 5410 if (tst == 4) {
710756a9
RS		 5411 context = SSL_EXT_CLIENT_HELLO
5412 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5413 | SSL_EXT_TLS1_3_SERVER_HELLO
5414 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5415 | SSL_EXT_TLS1_3_CERTIFICATE
5416 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5417 } else {
710756a9
RS		 5418 context = SSL_EXT_CLIENT_HELLO
5419 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5420 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5421 }
5422
5423 /* Create a client side custom extension */
5424 if (tst == 0) {
710756a9
RS		 5425 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5426 old_add_cb, old_free_cb,
5427 &client, old_parse_cb,
5428 &client)))
5429 goto end;
a37008d9 5430 } else {
710756a9
RS		 5431 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5432 new_add_cb, new_free_cb,
5433 &client, new_parse_cb, &client)))
5434 goto end;
a37008d9
MC		 5435 }
5436
5437 /* Should not be able to add duplicates */
710756a9
RS		 5438 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5439 old_add_cb, old_free_cb,
5440 &client, old_parse_cb,
5441 &client))
5442 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5443 context, new_add_cb,
5444 new_free_cb, &client,
5445 new_parse_cb, &client)))
5446 goto end;
a37008d9
MC		 5447
5448 /* Create a server side custom extension */
5449 if (tst == 0) {
710756a9
RS		 5450 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5451 old_add_cb, old_free_cb,
5452 &server, old_parse_cb,
5453 &server)))
5454 goto end;
a37008d9 5455 } else {
710756a9
RS		 5456 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5457 new_add_cb, new_free_cb,
5458 &server, new_parse_cb, &server)))
5459 goto end;
bb01ef3f
MC		 5460 if (sctx2 != NULL
5461 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5462 context, new_add_cb,
5463 new_free_cb, &server,
5464 new_parse_cb, &server)))
5465 goto end;
a37008d9
MC		 5466 }
5467
5468 /* Should not be able to add duplicates */
710756a9
RS		 5469 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5470 old_add_cb, old_free_cb,
5471 &server, old_parse_cb,
5472 &server))
5473 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5474 context, new_add_cb,
5475 new_free_cb, &server,
5476 new_parse_cb, &server)))
a37008d9 5477 goto end;
a37008d9 5478
bb01ef3f
MC		 5479 if (tst == 2) {
5480 /* Set up SNI */
5481 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5482 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5483 goto end;
5484 }
5485
710756a9
RS		 5486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5487 &clientssl, NULL, NULL))
5488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5489 SSL_ERROR_NONE)))
a37008d9 5490 goto end;
a37008d9
MC		 5491
5492 if (tst == 0) {
710756a9
RS		 5493 if (clntaddoldcb != 1
5494 || clntparseoldcb != 1
5495 || srvaddoldcb != 1
5496 || srvparseoldcb != 1)
a37008d9 5497 goto end;
bb01ef3f 5498 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5499 if (clntaddnewcb != 1
5500 || clntparsenewcb != 1
5501 || srvaddnewcb != 1
bb01ef3f
MC		 5502 || srvparsenewcb != 1
5503 || (tst != 2 && snicb != 0)
5504 || (tst == 2 && snicb != 1))
a37008d9 5505 goto end;
a37008d9 5506 } else {
36ff232c 5507 /* In this case there 2 NewSessionTicket messages created */
710756a9 5508 if (clntaddnewcb != 1
36ff232c
MC		 5509 || clntparsenewcb != 5
5510 || srvaddnewcb != 5
710756a9 5511 || srvparsenewcb != 1)
a37008d9 5512 goto end;
a37008d9
MC		 5513 }
5514
5515 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5516 SSL_shutdown(clientssl);
5517 SSL_shutdown(serverssl);
a37008d9
MC		 5518 SSL_free(serverssl);
5519 SSL_free(clientssl);
5520 serverssl = clientssl = NULL;
5521
bb01ef3f
MC		 5522 if (tst == 3) {
5523 /* We don't bother with the resumption aspects for this test */
5524 testresult = 1;
5525 goto end;
5526 }
5527
710756a9
RS		 5528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5529 NULL, NULL))
5530 || !TEST_true(SSL_set_session(clientssl, sess))
5531 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5532 SSL_ERROR_NONE)))
a37008d9 5533 goto end;
a37008d9
MC		 5534
5535 /*
5536 * For a resumed session we expect to add the ClientHello extension. For the
5537 * old style callbacks we ignore it on the server side because they set
5538 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5539 * them.
5540 */
5541 if (tst == 0) {
710756a9
RS		 5542 if (clntaddoldcb != 2
5543 || clntparseoldcb != 1
5544 || srvaddoldcb != 1
5545 || srvparseoldcb != 1)
a37008d9 5546 goto end;
bb01ef3f 5547 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5548 if (clntaddnewcb != 2
5549 || clntparsenewcb != 2
5550 || srvaddnewcb != 2
5551 || srvparsenewcb != 2)
a37008d9 5552 goto end;
a37008d9 5553 } else {
36ff232c
MC		 5554 /*
5555 * No Certificate message extensions in the resumption handshake,
5556 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5557 */
710756a9 5558 if (clntaddnewcb != 2
36ff232c
MC		 5559 || clntparsenewcb != 8
5560 || srvaddnewcb != 8
710756a9 5561 || srvparsenewcb != 2)
a37008d9 5562 goto end;
a37008d9
MC		 5563 }
5564
5565 testresult = 1;
5566
5567end:
5568 SSL_SESSION_free(sess);
5569 SSL_free(serverssl);
5570 SSL_free(clientssl);
bb01ef3f 5571 SSL_CTX_free(sctx2);
a37008d9
MC		 5572 SSL_CTX_free(sctx);
5573 SSL_CTX_free(cctx);
a37008d9
MC		 5574 return testresult;
5575}
5576
16afd71c
MC		 5577/*
5578 * Test loading of serverinfo data in various formats. test_sslmessages actually
5579 * tests to make sure the extensions appear in the handshake
5580 */
5581static int test_serverinfo(int tst)
5582{
5583 unsigned int version;
5584 unsigned char *sibuf;
5585 size_t sibuflen;
5586 int ret, expected, testresult = 0;
5587 SSL_CTX *ctx;
5588
5e30f2fd 5589 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
16afd71c
MC		 5590 if (!TEST_ptr(ctx))
5591 goto end;
5592
5593 if ((tst & 0x01) == 0x01)
5594 version = SSL_SERVERINFOV2;
5595 else
5596 version = SSL_SERVERINFOV1;
5597
5598 if ((tst & 0x02) == 0x02) {
5599 sibuf = serverinfov2;
5600 sibuflen = sizeof(serverinfov2);
5601 expected = (version == SSL_SERVERINFOV2);
5602 } else {
5603 sibuf = serverinfov1;
5604 sibuflen = sizeof(serverinfov1);
5605 expected = (version == SSL_SERVERINFOV1);
5606 }
5607
5608 if ((tst & 0x04) == 0x04) {
5609 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5610 } else {
5611 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5612
5613 /*
5614 * The version variable is irrelevant in this case - it's what is in the
5615 * buffer that matters
5616 */
5617 if ((tst & 0x02) == 0x02)
5618 expected = 0;
5619 else
5620 expected = 1;
5621 }
5622
5623 if (!TEST_true(ret == expected))
5624 goto end;
5625
5626 testresult = 1;
5627
5628 end:
5629 SSL_CTX_free(ctx);
5630
5631 return testresult;
5632}
5633
2197d1df
MC		 5634/*
5635 * Test that SSL_export_keying_material() produces expected results. There are
5636 * no test vectors so all we do is test that both sides of the communication
5637 * produce the same results for different protocol versions.
5638 */
0fb2815b
MC		 5639#define SMALL_LABEL_LEN 10
5640#define LONG_LABEL_LEN 249
2197d1df
MC		 5641static int test_export_key_mat(int tst)
5642{
a599574b 5643 int testresult = 0;
2197d1df
MC		 5644 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5645 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5646 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5647 const unsigned char context[] = "context";
5648 const unsigned char *emptycontext = NULL;
5649 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5650 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5651 size_t labellen;
a599574b
MC		 5652 const int protocols[] = {
5653 TLS1_VERSION,
5654 TLS1_1_VERSION,
5655 TLS1_2_VERSION,
0fb2815b
MC		 5656 TLS1_3_VERSION,
5657 TLS1_3_VERSION,
a599574b
MC		 5658 TLS1_3_VERSION
5659 };
2197d1df
MC		 5660
5661#ifdef OPENSSL_NO_TLS1
5662 if (tst == 0)
5663 return 1;
5664#endif
5665#ifdef OPENSSL_NO_TLS1_1
5666 if (tst == 1)
5667 return 1;
5668#endif
4f6c7044
MC		 5669 if (is_fips && (tst == 0 || tst == 1))
5670 return 1;
2197d1df
MC		 5671#ifdef OPENSSL_NO_TLS1_2
5672 if (tst == 2)
5673 return 1;
5674#endif
5675#ifdef OPENSSL_NO_TLS1_3
0fb2815b 5676 if (tst >= 3)
2197d1df
MC		 5677 return 1;
5678#endif
5e30f2fd
MC		 5679 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5680 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5681 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5682 goto end;
5683
a599574b
MC		 5684 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5685 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5686 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5687 if ((protocols[tst] < TLS1_2_VERSION) &&
5688 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5689 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5690 goto end;
2197d1df
MC		 5691
5692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5693 NULL))
5694 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5695 SSL_ERROR_NONE)))
5696 goto end;
5697
0fb2815b
MC		 5698 if (tst == 5) {
5699 /*
5700 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5701 * go over that.
5702 */
5703 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5704 sizeof(ckeymat1), label,
5705 LONG_LABEL_LEN + 1, context,
5706 sizeof(context) - 1, 1), 0))
5707 goto end;
5708
5709 testresult = 1;
5710 goto end;
5711 } else if (tst == 4) {
5712 labellen = LONG_LABEL_LEN;
5713 } else {
5714 labellen = SMALL_LABEL_LEN;
5715 }
5716
2197d1df
MC		 5717 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5718 sizeof(ckeymat1), label,
0fb2815b 5719 labellen, context,
2197d1df
MC		 5720 sizeof(context) - 1, 1), 1)
5721 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5722 sizeof(ckeymat2), label,
0fb2815b 5723 labellen,
2197d1df
MC		 5724 emptycontext,
5725 0, 1), 1)
5726 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5727 sizeof(ckeymat3), label,
0fb2815b 5728 labellen,
2197d1df
MC		 5729 NULL, 0, 0), 1)
5730 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5731 sizeof(skeymat1), label,
0fb2815b 5732 labellen,
2197d1df
MC		 5733 context,
5734 sizeof(context) -1, 1),
5735 1)
5736 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5737 sizeof(skeymat2), label,
0fb2815b 5738 labellen,
2197d1df
MC		 5739 emptycontext,
5740 0, 1), 1)
5741 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5742 sizeof(skeymat3), label,
0fb2815b 5743 labellen,
2197d1df
MC		 5744 NULL, 0, 0), 1)
5745 /*
5746 * Check that both sides created the same key material with the
5747 * same context.
5748 */
5749 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5750 sizeof(skeymat1))
5751 /*
5752 * Check that both sides created the same key material with an
5753 * empty context.
5754 */
5755 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5756 sizeof(skeymat2))
5757 /*
5758 * Check that both sides created the same key material without a
5759 * context.
5760 */
5761 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5762 sizeof(skeymat3))
5763 /* Different contexts should produce different results */
5764 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5765 sizeof(ckeymat2)))
5766 goto end;
5767
5768 /*
5769 * Check that an empty context and no context produce different results in
5770 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5771 */
0fb2815b 5772 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5773 sizeof(ckeymat3)))
0fb2815b
MC		 5774 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5775 sizeof(ckeymat3))))
2197d1df
MC		 5776 goto end;
5777
5778 testresult = 1;
5779
5780 end:
5781 SSL_free(serverssl);
5782 SSL_free(clientssl);
5783 SSL_CTX_free(sctx2);
5784 SSL_CTX_free(sctx);
5785 SSL_CTX_free(cctx);
5786
5787 return testresult;
5788}
5789
b38ede80
TT		 5790#ifndef OPENSSL_NO_TLS1_3
5791/*
5792 * Test that SSL_export_keying_material_early() produces expected
5793 * results. There are no test vectors so all we do is test that both
5794 * sides of the communication produce the same results for different
5795 * protocol versions.
5796 */
5797static int test_export_key_mat_early(int idx)
5798{
5799 static const char label[] = "test label";
5800 static const unsigned char context[] = "context";
5801 int testresult = 0;
5802 SSL_CTX *cctx = NULL, *sctx = NULL;
5803 SSL *clientssl = NULL, *serverssl = NULL;
5804 SSL_SESSION *sess = NULL;
5805 const unsigned char *emptycontext = NULL;
5806 unsigned char ckeymat1[80], ckeymat2[80];
5807 unsigned char skeymat1[80], skeymat2[80];
5808 unsigned char buf[1];
5809 size_t readbytes, written;
5810
5811 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5812 &sess, idx)))
5813 goto end;
5814
5815 /* Here writing 0 length early data is enough. */
5816 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5817 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5818 &readbytes),
5819 SSL_READ_EARLY_DATA_ERROR)
5820 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5821 SSL_EARLY_DATA_ACCEPTED))
5822 goto end;
5823
5824 if (!TEST_int_eq(SSL_export_keying_material_early(
5825 clientssl, ckeymat1, sizeof(ckeymat1), label,
5826 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5827 || !TEST_int_eq(SSL_export_keying_material_early(
5828 clientssl, ckeymat2, sizeof(ckeymat2), label,
5829 sizeof(label) - 1, emptycontext, 0), 1)
5830 || !TEST_int_eq(SSL_export_keying_material_early(
5831 serverssl, skeymat1, sizeof(skeymat1), label,
5832 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5833 || !TEST_int_eq(SSL_export_keying_material_early(
5834 serverssl, skeymat2, sizeof(skeymat2), label,
5835 sizeof(label) - 1, emptycontext, 0), 1)
5836 /*
5837 * Check that both sides created the same key material with the
5838 * same context.
5839 */
5840 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5841 sizeof(skeymat1))
5842 /*
5843 * Check that both sides created the same key material with an
5844 * empty context.
5845 */
5846 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5847 sizeof(skeymat2))
5848 /* Different contexts should produce different results */
5849 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5850 sizeof(ckeymat2)))
5851 goto end;
5852
5853 testresult = 1;
5854
5855 end:
c20e3b28 5856 SSL_SESSION_free(sess);
b38ede80
TT		 5857 SSL_SESSION_free(clientpsk);
5858 SSL_SESSION_free(serverpsk);
34ff74eb 5859 clientpsk = serverpsk = NULL;
b38ede80
TT		 5860 SSL_free(serverssl);
5861 SSL_free(clientssl);
5862 SSL_CTX_free(sctx);
5863 SSL_CTX_free(cctx);
5864
5865 return testresult;
5866}
3409a5ff
MC		 5867
5868#define NUM_KEY_UPDATE_MESSAGES 40
5869/*
5870 * Test KeyUpdate.
5871 */
5872static int test_key_update(void)
5873{
5874 SSL_CTX *cctx = NULL, *sctx = NULL;
5875 SSL *clientssl = NULL, *serverssl = NULL;
5876 int testresult = 0, i, j;
5877 char buf[20];
5878 static char *mess = "A test message";
5879
5e30f2fd 5880 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5881 TLS_client_method(),
5882 TLS1_3_VERSION,
5883 0,
5884 &sctx, &cctx, cert, privkey))
5885 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5886 NULL, NULL))
5887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5888 SSL_ERROR_NONE)))
5889 goto end;
5890
5891 for (j = 0; j < 2; j++) {
5892 /* Send lots of KeyUpdate messages */
5893 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5894 if (!TEST_true(SSL_key_update(clientssl,
5895 (j == 0)
5896 ? SSL_KEY_UPDATE_NOT_REQUESTED
5897 : SSL_KEY_UPDATE_REQUESTED))
5898 || !TEST_true(SSL_do_handshake(clientssl)))
5899 goto end;
5900 }
5901
5902 /* Check that sending and receiving app data is ok */
5903 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5904 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5905 strlen(mess)))
5906 goto end;
a77b4dba
MC		 5907
5908 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5909 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5910 strlen(mess)))
5911 goto end;
3409a5ff
MC		 5912 }
5913
5914 testresult = 1;
5915
5916 end:
5917 SSL_free(serverssl);
5918 SSL_free(clientssl);
5919 SSL_CTX_free(sctx);
5920 SSL_CTX_free(cctx);
5921
5922 return testresult;
5923}
a77b4dba
MC		 5924
5925/*
5926 * Test we can handle a KeyUpdate (update requested) message while write data
5927 * is pending.
5928 * Test 0: Client sends KeyUpdate while Server is writing
5929 * Test 1: Server sends KeyUpdate while Client is writing
5930 */
5931static int test_key_update_in_write(int tst)
5932{
5933 SSL_CTX *cctx = NULL, *sctx = NULL;
5934 SSL *clientssl = NULL, *serverssl = NULL;
5935 int testresult = 0;
5936 char buf[20];
5937 static char *mess = "A test message";
5938 BIO *bretry = BIO_new(bio_s_always_retry());
5939 BIO *tmp = NULL;
5940 SSL *peerupdate = NULL, *peerwrite = NULL;
5941
5942 if (!TEST_ptr(bretry)
5e30f2fd 5943 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5944 TLS_client_method(),
5945 TLS1_3_VERSION,
5946 0,
5947 &sctx, &cctx, cert, privkey))
5948 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5949 NULL, NULL))
5950 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5951 SSL_ERROR_NONE)))
5952 goto end;
5953
5954 peerupdate = tst == 0 ? clientssl : serverssl;
5955 peerwrite = tst == 0 ? serverssl : clientssl;
5956
5957 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5958 || !TEST_true(SSL_do_handshake(peerupdate)))
5959 goto end;
5960
5961 /* Swap the writing endpoint's write BIO to force a retry */
5962 tmp = SSL_get_wbio(peerwrite);
5963 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5964 tmp = NULL;
5965 goto end;
5966 }
5967 SSL_set0_wbio(peerwrite, bretry);
5968 bretry = NULL;
5969
5970 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5971 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5972 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5973 goto end;
5974
5975 /* Reinstate the original writing endpoint's write BIO */
5976 SSL_set0_wbio(peerwrite, tmp);
5977 tmp = NULL;
5978
5979 /* Now read some data - we will read the key update */
5980 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5981 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5982 goto end;
5983
5984 /*
5985 * Complete the write we started previously and read it from the other
5986 * endpoint
5987 */
5988 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5989 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5990 goto end;
5991
5992 /* Write more data to ensure we send the KeyUpdate message back */
5993 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5994 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5995 goto end;
5996
5997 testresult = 1;
5998
5999 end:
6000 SSL_free(serverssl);
6001 SSL_free(clientssl);
6002 SSL_CTX_free(sctx);
6003 SSL_CTX_free(cctx);
6004 BIO_free(bretry);
6005 BIO_free(tmp);
6006
6007 return testresult;
6008}
b38ede80
TT		 6009#endif /* OPENSSL_NO_TLS1_3 */
6010
e11b6aa4
MC		 6011static int test_ssl_clear(int idx)
6012{
6013 SSL_CTX *cctx = NULL, *sctx = NULL;
6014 SSL *clientssl = NULL, *serverssl = NULL;
6015 int testresult = 0;
6016
6017#ifdef OPENSSL_NO_TLS1_2
6018 if (idx == 1)
6019 return 1;
6020#endif
6021
6022 /* Create an initial connection */
5e30f2fd
MC		 6023 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6024 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6025 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6026 || (idx == 1
6027 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6028 TLS1_2_VERSION)))
6029 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6030 &clientssl, NULL, NULL))
6031 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6032 SSL_ERROR_NONE)))
6033 goto end;
6034
6035 SSL_shutdown(clientssl);
6036 SSL_shutdown(serverssl);
6037 SSL_free(serverssl);
6038 serverssl = NULL;
6039
6040 /* Clear clientssl - we're going to reuse the object */
6041 if (!TEST_true(SSL_clear(clientssl)))
6042 goto end;
6043
6044 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6045 NULL, NULL))
6046 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6047 SSL_ERROR_NONE))
6048 || !TEST_true(SSL_session_reused(clientssl)))
6049 goto end;
6050
6051 SSL_shutdown(clientssl);
6052 SSL_shutdown(serverssl);
6053
6054 testresult = 1;
6055
6056 end:
6057 SSL_free(serverssl);
6058 SSL_free(clientssl);
6059 SSL_CTX_free(sctx);
6060 SSL_CTX_free(cctx);
6061
6062 return testresult;
6063}
6064
cf72c757
F		 6065/* Parse CH and retrieve any MFL extension value if present */
6066static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6067{
6068 long len;
6069 unsigned char *data;
72962d02 6070 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6071 unsigned int MFL_code = 0, type = 0;
6072
6073 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6074 goto end;
6075
72962d02
P		 6076 memset(&pkt, 0, sizeof(pkt));
6077 memset(&pkt2, 0, sizeof(pkt2));
6078 memset(&pkt3, 0, sizeof(pkt3));
6079
cf72c757
F		 6080 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
6081 /* Skip the record header */
6082 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6083 /* Skip the handshake message header */
6084 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6085 /* Skip client version and random */
6086 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6087 + SSL3_RANDOM_SIZE))
6088 /* Skip session id */
6089 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6090 /* Skip ciphers */
6091 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6092 /* Skip compression */
6093 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6094 /* Extensions len */
6095 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6096 goto end;
6097
6098 /* Loop through all extensions */
6099 while (PACKET_remaining(&pkt2)) {
6100 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6101 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6102 goto end;
6103
6104 if (type == TLSEXT_TYPE_max_fragment_length) {
6105 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6106 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6107 goto end;
6108
6109 *mfl_codemfl_code = MFL_code;
6110 return 1;
6111 }
6112 }
6113
6114 end:
6115 return 0;
6116}
6117
6118/* Maximum-Fragment-Length TLS extension mode to test */
6119static const unsigned char max_fragment_len_test[] = {
6120 TLSEXT_max_fragment_length_512,
6121 TLSEXT_max_fragment_length_1024,
6122 TLSEXT_max_fragment_length_2048,
6123 TLSEXT_max_fragment_length_4096
6124};
6125
6126static int test_max_fragment_len_ext(int idx_tst)
6127{
6128 SSL_CTX *ctx;
6129 SSL *con = NULL;
6130 int testresult = 0, MFL_mode = 0;
6131 BIO *rbio, *wbio;
6132
5e30f2fd 6133 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
cf72c757
F		 6134 if (!TEST_ptr(ctx))
6135 goto end;
6136
6137 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6138 ctx, max_fragment_len_test[idx_tst])))
6139 goto end;
6140
6141 con = SSL_new(ctx);
6142 if (!TEST_ptr(con))
6143 goto end;
6144
6145 rbio = BIO_new(BIO_s_mem());
6146 wbio = BIO_new(BIO_s_mem());
6147 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6148 BIO_free(rbio);
6149 BIO_free(wbio);
6150 goto end;
6151 }
6152
6153 SSL_set_bio(con, rbio, wbio);
6154 SSL_set_connect_state(con);
6155
6156 if (!TEST_int_le(SSL_connect(con), 0)) {
6157 /* This shouldn't succeed because we don't have a server! */
6158 goto end;
6159 }
6160
6161 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6162 /* no MFL in client hello */
6163 goto end;
6164 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6165 goto end;
6166
6167 testresult = 1;
6168
6169end:
6170 SSL_free(con);
6171 SSL_CTX_free(ctx);
6172
6173 return testresult;
6174}
6175
9d75dce3
TS		 6176#ifndef OPENSSL_NO_TLS1_3
6177static int test_pha_key_update(void)
6178{
6179 SSL_CTX *cctx = NULL, *sctx = NULL;
6180 SSL *clientssl = NULL, *serverssl = NULL;
6181 int testresult = 0;
6182
5e30f2fd
MC		 6183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6184 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6185 &sctx, &cctx, cert, privkey)))
6186 return 0;
6187
6188 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6189 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6190 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6191 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6192 goto end;
6193
e97be718 6194 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6195
6196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6197 NULL, NULL)))
6198 goto end;
6199
9d75dce3
TS		 6200 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6201 SSL_ERROR_NONE)))
6202 goto end;
6203
6204 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6205 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6206 goto end;
6207
6208 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6209 goto end;
6210
6211 /* Start handshake on the server */
6212 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6213 goto end;
6214
6215 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6216 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6217 SSL_ERROR_NONE)))
6218 goto end;
6219
6220 SSL_shutdown(clientssl);
6221 SSL_shutdown(serverssl);
6222
6223 testresult = 1;
6224
6225 end:
6226 SSL_free(serverssl);
6227 SSL_free(clientssl);
6228 SSL_CTX_free(sctx);
6229 SSL_CTX_free(cctx);
6230 return testresult;
6231}
6232#endif
6233
76fd7a1d
MC		 6234#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6235
6236static SRP_VBASE *vbase = NULL;
6237
852c2ed2
RS		 6238DEFINE_STACK_OF(SRP_user_pwd)
6239
76fd7a1d
MC		 6240static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6241{
6242 int ret = SSL3_AL_FATAL;
6243 char *username;
6244 SRP_user_pwd *user = NULL;
6245
6246 username = SSL_get_srp_username(s);
6247 if (username == NULL) {
6248 *ad = SSL_AD_INTERNAL_ERROR;
6249 goto err;
6250 }
6251
6252 user = SRP_VBASE_get1_by_user(vbase, username);
6253 if (user == NULL) {
6254 *ad = SSL_AD_INTERNAL_ERROR;
6255 goto err;
6256 }
6257
6258 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6259 user->info) <= 0) {
6260 *ad = SSL_AD_INTERNAL_ERROR;
6261 goto err;
6262 }
6263
6264 ret = 0;
6265
6266 err:
6267 SRP_user_pwd_free(user);
6268 return ret;
6269}
6270
6271static int create_new_vfile(char *userid, char *password, const char *filename)
6272{
6273 char *gNid = NULL;
6274 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6275 TXT_DB *db = NULL;
6276 int ret = 0;
6277 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6278 size_t i;
6279
6280 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6281 goto end;
6282
20c00d0a 6283 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6284 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6285 if (!TEST_ptr(gNid))
6286 goto end;
6287
6288 /*
6289 * The only way to create an empty TXT_DB is to provide a BIO with no data
6290 * in it!
6291 */
6292 db = TXT_DB_read(dummy, DB_NUMBER);
6293 if (!TEST_ptr(db))
6294 goto end;
6295
6296 out = BIO_new_file(filename, "w");
6297 if (!TEST_ptr(out))
6298 goto end;
6299
6300 row[DB_srpid] = OPENSSL_strdup(userid);
6301 row[DB_srptype] = OPENSSL_strdup("V");
6302 row[DB_srpgN] = OPENSSL_strdup(gNid);
6303
6304 if (!TEST_ptr(row[DB_srpid])
6305 || !TEST_ptr(row[DB_srptype])
6306 || !TEST_ptr(row[DB_srpgN])
6307 || !TEST_true(TXT_DB_insert(db, row)))
6308 goto end;
6309
6310 row = NULL;
6311
6312 if (!TXT_DB_write(out, db))
6313 goto end;
6314
6315 ret = 1;
6316 end:
6317 if (row != NULL) {
6318 for (i = 0; i < DB_NUMBER; i++)
6319 OPENSSL_free(row[i]);
6320 }
6321 OPENSSL_free(row);
6322 BIO_free(dummy);
6323 BIO_free(out);
6324 TXT_DB_free(db);
6325
6326 return ret;
6327}
6328
6329static int create_new_vbase(char *userid, char *password)
6330{
6331 BIGNUM *verifier = NULL, *salt = NULL;
6332 const SRP_gN *lgN = NULL;
6333 SRP_user_pwd *user_pwd = NULL;
6334 int ret = 0;
6335
6336 lgN = SRP_get_default_gN(NULL);
6337 if (!TEST_ptr(lgN))
6338 goto end;
6339
20c00d0a 6340 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6341 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6342 goto end;
6343
6344 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6345 if (!TEST_ptr(user_pwd))
6346 goto end;
6347
6348 user_pwd->N = lgN->N;
6349 user_pwd->g = lgN->g;
6350 user_pwd->id = OPENSSL_strdup(userid);
6351 if (!TEST_ptr(user_pwd->id))
6352 goto end;
6353
6354 user_pwd->v = verifier;
6355 user_pwd->s = salt;
6356 verifier = salt = NULL;
6357
6358 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6359 goto end;
6360 user_pwd = NULL;
6361
6362 ret = 1;
6363end:
6364 SRP_user_pwd_free(user_pwd);
6365 BN_free(salt);
6366 BN_free(verifier);
6367
6368 return ret;
6369}
6370
6371/*
6372 * SRP tests
6373 *
6374 * Test 0: Simple successful SRP connection, new vbase
6375 * Test 1: Connection failure due to bad password, new vbase
6376 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6377 * Test 3: Connection failure due to bad password, vbase loaded from existing
6378 * file
6379 * Test 4: Simple successful SRP connection, vbase loaded from new file
6380 * Test 5: Connection failure due to bad password, vbase loaded from new file
6381 */
6382static int test_srp(int tst)
6383{
6384 char *userid = "test", *password = "password", *tstsrpfile;
6385 SSL_CTX *cctx = NULL, *sctx = NULL;
6386 SSL *clientssl = NULL, *serverssl = NULL;
6387 int ret, testresult = 0;
6388
6389 vbase = SRP_VBASE_new(NULL);
6390 if (!TEST_ptr(vbase))
6391 goto end;
6392
6393 if (tst == 0 || tst == 1) {
6394 if (!TEST_true(create_new_vbase(userid, password)))
6395 goto end;
6396 } else {
6397 if (tst == 4 || tst == 5) {
6398 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6399 goto end;
6400 tstsrpfile = tmpfilename;
6401 } else {
6402 tstsrpfile = srpvfile;
6403 }
6404 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6405 goto end;
6406 }
6407
5e30f2fd
MC		 6408 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6409 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6410 &sctx, &cctx, cert, privkey)))
6411 goto end;
6412
6413 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6414 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6415 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6416 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6417 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6418 goto end;
6419
6420 if (tst % 2 == 1) {
6421 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6422 goto end;
6423 } else {
6424 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6425 goto end;
6426 }
6427
6428 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6429 NULL, NULL)))
6430 goto end;
6431
6432 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6433 if (ret) {
6434 if (!TEST_true(tst % 2 == 0))
6435 goto end;
6436 } else {
6437 if (!TEST_true(tst % 2 == 1))
6438 goto end;
6439 }
6440
6441 testresult = 1;
6442
6443 end:
6444 SRP_VBASE_free(vbase);
6445 vbase = NULL;
6446 SSL_free(serverssl);
6447 SSL_free(clientssl);
6448 SSL_CTX_free(sctx);
6449 SSL_CTX_free(cctx);
6450
6451 return testresult;
6452}
6453#endif
6454
5718fe45
MC		 6455static int info_cb_failed = 0;
6456static int info_cb_offset = 0;
6457static int info_cb_this_state = -1;
6458
6459static struct info_cb_states_st {
6460 int where;
6461 const char *statestr;
6462} info_cb_states[][60] = {
6463 {
6464 /* TLSv1.2 server followed by resumption */
6465 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6466 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6467 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6468 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6469 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6470 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6471 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6472 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6473 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6474 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6475 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6476 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6477 {SSL_CB_EXIT, NULL}, {0, NULL},
6478 }, {
6479 /* TLSv1.2 client followed by resumption */
6480 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6481 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6482 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6483 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6484 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6485 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6486 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6487 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6488 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6489 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6490 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6491 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6492 }, {
6493 /* TLSv1.3 server followed by resumption */
6494 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6495 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6496 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6497 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6498 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6499 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6500 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6501 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6502 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6503 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6504 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6505 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6506 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6507 }, {
6508 /* TLSv1.3 client followed by resumption */
6509 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6510 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6511 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6512 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6513 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6514 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6515 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6516 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6517 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6518 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6519 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6520 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6521 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6522 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6523 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6524 }, {
6525 /* TLSv1.3 server, early_data */
6526 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6527 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6528 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6529 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6530 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6531 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6532 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6533 {SSL_CB_EXIT, NULL}, {0, NULL},
6534 }, {
6535 /* TLSv1.3 client, early_data */
6536 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6537 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6538 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6539 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6540 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6541 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6542 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6543 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6544 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6545 }, {
6546 {0, NULL},
6547 }
6548};
6549
6550static void sslapi_info_callback(const SSL *s, int where, int ret)
6551{
6552 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6553
6554 /* We do not ever expect a connection to fail in this test */
6555 if (!TEST_false(ret == 0)) {
6556 info_cb_failed = 1;
6557 return;
6558 }
6559
6560 /*
6561 * Do some sanity checks. We never expect these things to happen in this
6562 * test
6563 */
6564 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6565 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6566 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6567 info_cb_failed = 1;
6568 return;
6569 }
6570
6571 /* Now check we're in the right state */
6572 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6573 info_cb_failed = 1;
6574 return;
6575 }
6576 if ((where & SSL_CB_LOOP) != 0
6577 && !TEST_int_eq(strcmp(SSL_state_string(s),
6578 state[info_cb_this_state].statestr), 0)) {
6579 info_cb_failed = 1;
6580 return;
6581 }
033c181b 6582
4af5836b
MC		 6583 /*
6584 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6585 */
6586 if ((where & SSL_CB_HANDSHAKE_DONE)
6587 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6588 info_cb_failed = 1;
6589 return;
6590 }
5718fe45
MC		 6591}
6592
6593/*
6594 * Test the info callback gets called when we expect it to.
6595 *
6596 * Test 0: TLSv1.2, server
6597 * Test 1: TLSv1.2, client
6598 * Test 2: TLSv1.3, server
6599 * Test 3: TLSv1.3, client
6600 * Test 4: TLSv1.3, server, early_data
6601 * Test 5: TLSv1.3, client, early_data
6602 */
6603static int test_info_callback(int tst)
6604{
6605 SSL_CTX *cctx = NULL, *sctx = NULL;
6606 SSL *clientssl = NULL, *serverssl = NULL;
6607 SSL_SESSION *clntsess = NULL;
6608 int testresult = 0;
6609 int tlsvers;
6610
6611 if (tst < 2) {
1aac20f5
MC		 6612/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6613#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6614 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6615 tlsvers = TLS1_2_VERSION;
6616#else
6617 return 1;
6618#endif
6619 } else {
6620#ifndef OPENSSL_NO_TLS1_3
6621 tlsvers = TLS1_3_VERSION;
6622#else
6623 return 1;
6624#endif
6625 }
6626
6627 /* Reset globals */
6628 info_cb_failed = 0;
6629 info_cb_this_state = -1;
6630 info_cb_offset = tst;
6631
6e07834c 6632#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 6633 if (tst >= 4) {
6634 SSL_SESSION *sess = NULL;
6635 size_t written, readbytes;
6636 unsigned char buf[80];
6637
6638 /* early_data tests */
6639 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6640 &serverssl, &sess, 0)))
6641 goto end;
6642
6643 /* We don't actually need this reference */
6644 SSL_SESSION_free(sess);
6645
6646 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6647 sslapi_info_callback);
6648
6649 /* Write and read some early data and then complete the connection */
6650 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6651 &written))
6652 || !TEST_size_t_eq(written, strlen(MSG1))
6653 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6654 sizeof(buf), &readbytes),
6655 SSL_READ_EARLY_DATA_SUCCESS)
6656 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6657 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6658 SSL_EARLY_DATA_ACCEPTED)
6659 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6660 SSL_ERROR_NONE))
6661 || !TEST_false(info_cb_failed))
6662 goto end;
6663
6664 testresult = 1;
6665 goto end;
6666 }
6e07834c 6667#endif
5718fe45 6668
5e30f2fd 6669 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6670 TLS_client_method(),
6671 tlsvers, tlsvers, &sctx, &cctx, cert,
6672 privkey)))
6673 goto end;
6674
6675 /*
6676 * For even numbered tests we check the server callbacks. For odd numbers we
6677 * check the client.
6678 */
6679 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6680 sslapi_info_callback);
6681
6682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6683 &clientssl, NULL, NULL))
6684 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6685 SSL_ERROR_NONE))
6686 || !TEST_false(info_cb_failed))
6687 goto end;
6688
6689
6690
6691 clntsess = SSL_get1_session(clientssl);
6692 SSL_shutdown(clientssl);
6693 SSL_shutdown(serverssl);
6694 SSL_free(serverssl);
6695 SSL_free(clientssl);
6696 serverssl = clientssl = NULL;
6697
6698 /* Now do a resumption */
6699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6700 NULL))
6701 || !TEST_true(SSL_set_session(clientssl, clntsess))
6702 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6703 SSL_ERROR_NONE))
6704 || !TEST_true(SSL_session_reused(clientssl))
6705 || !TEST_false(info_cb_failed))
6706 goto end;
6707
6708 testresult = 1;
6709
6710 end:
6711 SSL_free(serverssl);
6712 SSL_free(clientssl);
6713 SSL_SESSION_free(clntsess);
6714 SSL_CTX_free(sctx);
6715 SSL_CTX_free(cctx);
6716 return testresult;
6717}
6718
4a432af8
MC		 6719static int test_ssl_pending(int tst)
6720{
6721 SSL_CTX *cctx = NULL, *sctx = NULL;
6722 SSL *clientssl = NULL, *serverssl = NULL;
6723 int testresult = 0;
6724 char msg[] = "A test message";
6725 char buf[5];
6726 size_t written, readbytes;
6727
6728 if (tst == 0) {
5e30f2fd 6729 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6730 TLS_client_method(),
5c587fb6 6731 TLS1_VERSION, 0,
4a432af8
MC		 6732 &sctx, &cctx, cert, privkey)))
6733 goto end;
6734 } else {
6735#ifndef OPENSSL_NO_DTLS
5e30f2fd 6736 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6737 DTLS_client_method(),
5c587fb6 6738 DTLS1_VERSION, 0,
4a432af8
MC		 6739 &sctx, &cctx, cert, privkey)))
6740 goto end;
6741#else
6742 return 1;
6743#endif
6744 }
6745
6746 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6747 NULL, NULL))
6748 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6749 SSL_ERROR_NONE)))
6750 goto end;
6751
e8251092
MC		 6752 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6753 || !TEST_false(SSL_has_pending(clientssl))
6754 || !TEST_int_eq(SSL_pending(serverssl), 0)
6755 || !TEST_false(SSL_has_pending(serverssl))
6756 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6757 || !TEST_size_t_eq(written, sizeof(msg))
6758 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6759 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6760 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6761 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6762 goto end;
6763
6764 testresult = 1;
6765
6766 end:
6767 SSL_free(serverssl);
6768 SSL_free(clientssl);
6769 SSL_CTX_free(sctx);
6770 SSL_CTX_free(cctx);
6771
6772 return testresult;
6773}
6774
e401389a
MC		 6775static struct {
6776 unsigned int maxprot;
6777 const char *clntciphers;
6778 const char *clnttls13ciphers;
6779 const char *srvrciphers;
6780 const char *srvrtls13ciphers;
6781 const char *shared;
a96e6c34 6782 const char *fipsshared;
e401389a 6783} shared_ciphers_data[] = {
60155b9a
MC		 6784/*
6785 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6786 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6787 */
6788#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6789 {
6790 TLS1_2_VERSION,
6791 "AES128-SHA:AES256-SHA",
6792 NULL,
6793 "AES256-SHA:DHE-RSA-AES128-SHA",
6794 NULL,
a96e6c34 6795 "AES256-SHA",
e401389a
MC		 6796 "AES256-SHA"
6797 },
a96e6c34
MC		 6798# if !defined(OPENSSL_NO_CHACHA) \
6799 && !defined(OPENSSL_NO_POLY1305) \
6800 && !defined(OPENSSL_NO_EC)
6801 {
6802 TLS1_2_VERSION,
6803 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6804 NULL,
6805 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6806 NULL,
6807 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6808 "AES128-SHA"
6809 },
6810# endif
e401389a
MC		 6811 {
6812 TLS1_2_VERSION,
6813 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6814 NULL,
6815 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6816 NULL,
a96e6c34 6817 "AES128-SHA:AES256-SHA",
e401389a
MC		 6818 "AES128-SHA:AES256-SHA"
6819 },
6820 {
6821 TLS1_2_VERSION,
6822 "AES128-SHA:AES256-SHA",
6823 NULL,
6824 "AES128-SHA:DHE-RSA-AES128-SHA",
6825 NULL,
a96e6c34 6826 "AES128-SHA",
e401389a
MC		 6827 "AES128-SHA"
6828 },
60155b9a
MC		 6829#endif
6830/*
6831 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6832 * enabled.
6833 */
6834#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6835 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6836 {
6837 TLS1_3_VERSION,
6838 "AES128-SHA:AES256-SHA",
6839 NULL,
6840 "AES256-SHA:AES128-SHA256",
6841 NULL,
6842 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6843 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6844 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6845 },
60155b9a
MC		 6846#endif
6847#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6848 {
6849 TLS1_3_VERSION,
6850 "AES128-SHA",
6851 "TLS_AES_256_GCM_SHA384",
6852 "AES256-SHA",
6853 "TLS_AES_256_GCM_SHA384",
a96e6c34 6854 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6855 "TLS_AES_256_GCM_SHA384"
6856 },
6857#endif
6858};
6859
a96e6c34 6860static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6861{
6862 SSL_CTX *cctx = NULL, *sctx = NULL;
6863 SSL *clientssl = NULL, *serverssl = NULL;
6864 int testresult = 0;
6865 char buf[1024];
a96e6c34
MC		 6866 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6867
6868 if (!TEST_ptr(tmplibctx))
6869 goto end;
6870
6871 /*
6872 * Regardless of whether we're testing with the FIPS provider loaded into
6873 * libctx, we want one peer to always use the full set of ciphersuites
6874 * available. Therefore we use a separate libctx with the default provider
6875 * loaded into it. We run the same tests twice - once with the client side
6876 * having the full set of ciphersuites and once with the server side.
6877 */
6878 if (clnt) {
6879 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6880 if (!TEST_ptr(cctx))
6881 goto end;
6882 } else {
6883 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6884 if (!TEST_ptr(sctx))
6885 goto end;
6886 }
e401389a 6887
5e30f2fd 6888 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6889 TLS_client_method(),
6890 TLS1_VERSION,
6891 shared_ciphers_data[tst].maxprot,
6892 &sctx, &cctx, cert, privkey)))
6893 goto end;
6894
6895 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6896 shared_ciphers_data[tst].clntciphers))
6897 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6898 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6899 shared_ciphers_data[tst].clnttls13ciphers)))
6900 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6901 shared_ciphers_data[tst].srvrciphers))
6902 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6903 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6904 shared_ciphers_data[tst].srvrtls13ciphers))))
6905 goto end;
6906
6907
6908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6909 NULL, NULL))
6910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6911 SSL_ERROR_NONE)))
6912 goto end;
6913
6914 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6915 || !TEST_int_eq(strcmp(buf,
6916 is_fips
6917 ? shared_ciphers_data[tst].fipsshared
6918 : shared_ciphers_data[tst].shared),
6919 0)) {
e401389a
MC		 6920 TEST_info("Shared ciphers are: %s\n", buf);
6921 goto end;
6922 }
6923
6924 testresult = 1;
6925
6926 end:
6927 SSL_free(serverssl);
6928 SSL_free(clientssl);
6929 SSL_CTX_free(sctx);
6930 SSL_CTX_free(cctx);
a96e6c34 6931 OPENSSL_CTX_free(tmplibctx);
e401389a
MC		 6932
6933 return testresult;
6934}
6935
a96e6c34
MC		 6936static int test_ssl_get_shared_ciphers(int tst)
6937{
6938 return int_test_ssl_get_shared_ciphers(tst, 0)
6939 && int_test_ssl_get_shared_ciphers(tst, 1);
6940}
6941
6942
d0191fe0 6943static const char *appdata = "Hello World";
61fb5923
MC		 6944static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6945static int tick_key_renew = 0;
6946static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6947
6948static int gen_tick_cb(SSL *s, void *arg)
6949{
6950 gen_tick_called = 1;
6951
6952 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6953 strlen(appdata));
6954}
6955
6956static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6957 const unsigned char *keyname,
6958 size_t keyname_length,
61fb5923
MC		 6959 SSL_TICKET_STATUS status,
6960 void *arg)
d0191fe0
MC		 6961{
6962 void *tickdata;
6963 size_t tickdlen;
6964
6965 dec_tick_called = 1;
6966
61fb5923
MC		 6967 if (status == SSL_TICKET_EMPTY)
6968 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6969
61fb5923
MC		 6970 if (!TEST_true(status == SSL_TICKET_SUCCESS
6971 || status == SSL_TICKET_SUCCESS_RENEW))
6972 return SSL_TICKET_RETURN_ABORT;
6973
6974 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6975 &tickdlen))
d0191fe0
MC		 6976 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6977 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6978 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6979
61fb5923
MC		 6980 if (tick_key_cb_called) {
6981 /* Don't change what the ticket key callback wanted to do */
6982 switch (status) {
6983 case SSL_TICKET_NO_DECRYPT:
6984 return SSL_TICKET_RETURN_IGNORE_RENEW;
6985
6986 case SSL_TICKET_SUCCESS:
6987 return SSL_TICKET_RETURN_USE;
d0191fe0 6988
61fb5923
MC		 6989 case SSL_TICKET_SUCCESS_RENEW:
6990 return SSL_TICKET_RETURN_USE_RENEW;
6991
6992 default:
6993 return SSL_TICKET_RETURN_ABORT;
6994 }
6995 }
6996 return tick_dec_ret;
6997
6998}
d0191fe0 6999
a76ce286 7000#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7001static int tick_key_cb(SSL *s, unsigned char key_name[16],
7002 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7003 HMAC_CTX *hctx, int enc)
7004{
7005 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7006 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 7007 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7008 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7009 int ret;
d0191fe0 7010
61fb5923 7011 tick_key_cb_called = 1;
d0191fe0
MC		 7012 memset(iv, 0, AES_BLOCK_SIZE);
7013 memset(key_name, 0, 16);
5e30f2fd
MC		 7014 if (aes128cbc == NULL
7015 || sha256 == NULL
7016 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7017 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7018 NULL))
7019 ret = -1;
7020 else
7021 ret = tick_key_renew ? 2 : 1;
d0191fe0 7022
5e30f2fd
MC		 7023 EVP_CIPHER_free(aes128cbc);
7024 EVP_MD_free(sha256);
7025
7026 return ret;
d0191fe0 7027}
a76ce286
P		 7028#endif
7029
7030static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7031 unsigned char iv[EVP_MAX_IV_LENGTH],
7032 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7033{
7034 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7035 unsigned char tick_hmac_key[16] = "0123456789abcdef";
7036 OSSL_PARAM params[3];
5e30f2fd
MC		 7037 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7038 int ret;
a76ce286
P		 7039
7040 tick_key_cb_called = 1;
7041 memset(iv, 0, AES_BLOCK_SIZE);
7042 memset(key_name, 0, 16);
7043 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7044 "SHA256", 0);
7045 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
7046 tick_hmac_key,
7047 sizeof(tick_hmac_key));
7048 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7049 if (aes128cbc == NULL
7050 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
865adf97 7051 || !EVP_MAC_CTX_set_params(hctx, params)
a76ce286 7052 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 7053 ret = -1;
7054 else
7055 ret = tick_key_renew ? 2 : 1;
7056
7057 EVP_CIPHER_free(aes128cbc);
a76ce286 7058
5e30f2fd 7059 return ret;
a76ce286 7060}
d0191fe0
MC		 7061
7062/*
7063 * Test the various ticket callbacks
61fb5923
MC		 7064 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7065 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7066 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7067 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7068 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7069 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7070 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7071 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7072 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7073 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7074 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7075 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7076 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7077 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7078 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7079 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 7080 */
7081static int test_ticket_callbacks(int tst)
7082{
7083 SSL_CTX *cctx = NULL, *sctx = NULL;
7084 SSL *clientssl = NULL, *serverssl = NULL;
7085 SSL_SESSION *clntsess = NULL;
7086 int testresult = 0;
7087
7088#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7089 if (tst % 2 == 0)
d0191fe0
MC		 7090 return 1;
7091#endif
7092#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 7093 if (tst % 2 == 1)
d0191fe0
MC		 7094 return 1;
7095#endif
a76ce286
P		 7096#ifdef OPENSSL_NO_DEPRECATED_3_0
7097 if (tst >= 8 && tst <= 11)
7098 return 1;
7099#endif
d0191fe0 7100
61fb5923 7101 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7102
7103 /* Which tests the ticket key callback should request renewal for */
a76ce286 7104 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 7105 tick_key_renew = 1;
d0191fe0 7106 else
61fb5923
MC		 7107 tick_key_renew = 0;
7108
7109 /* Which tests the decrypt ticket callback should request renewal for */
7110 switch (tst) {
7111 case 0:
7112 case 1:
7113 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7114 break;
7115
7116 case 2:
7117 case 3:
7118 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7119 break;
7120
7121 case 4:
7122 case 5:
7123 tick_dec_ret = SSL_TICKET_RETURN_USE;
7124 break;
7125
7126 case 6:
7127 case 7:
7128 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7129 break;
7130
7131 default:
7132 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7133 }
d0191fe0 7134
5e30f2fd 7135 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7136 TLS_client_method(),
7137 TLS1_VERSION,
61fb5923
MC		 7138 ((tst % 2) == 0) ? TLS1_2_VERSION
7139 : TLS1_3_VERSION,
d0191fe0
MC		 7140 &sctx, &cctx, cert, privkey)))
7141 goto end;
7142
61fb5923
MC		 7143 /*
7144 * We only want sessions to resume from tickets - not the session cache. So
7145 * switch the cache off.
7146 */
7147 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7148 goto end;
7149
d0191fe0
MC		 7150 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7151 NULL)))
7152 goto end;
7153
a76ce286
P		 7154 if (tst >= 12) {
7155 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7156 goto end;
7157#ifndef OPENSSL_NO_DEPRECATED_3_0
7158 } else if (tst >= 8) {
7159 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7160 goto end;
7161#endif
7162 }
d0191fe0
MC		 7163
7164 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7165 NULL, NULL))
7166 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7167 SSL_ERROR_NONE)))
7168 goto end;
7169
61fb5923
MC		 7170 /*
7171 * The decrypt ticket key callback in TLSv1.2 should be called even though
7172 * we have no ticket yet, because it gets called with a status of
7173 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7174 * actually send any ticket data). This does not happen in TLSv1.3 because
7175 * it is not valid to send empty ticket data in TLSv1.3.
7176 */
d0191fe0 7177 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7178 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7179 goto end;
7180
7181 gen_tick_called = dec_tick_called = 0;
7182
7183 clntsess = SSL_get1_session(clientssl);
7184 SSL_shutdown(clientssl);
7185 SSL_shutdown(serverssl);
7186 SSL_free(serverssl);
7187 SSL_free(clientssl);
7188 serverssl = clientssl = NULL;
7189
7190 /* Now do a resumption */
7191 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7192 NULL))
7193 || !TEST_true(SSL_set_session(clientssl, clntsess))
7194 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7195 SSL_ERROR_NONE)))
d0191fe0
MC		 7196 goto end;
7197
61fb5923
MC		 7198 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7199 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7200 if (!TEST_false(SSL_session_reused(clientssl)))
7201 goto end;
7202 } else {
7203 if (!TEST_true(SSL_session_reused(clientssl)))
7204 goto end;
7205 }
7206
d0191fe0 7207 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7208 (tick_key_renew
7209 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7210 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7211 ? 1 : 0)
d0191fe0
MC		 7212 || !TEST_int_eq(dec_tick_called, 1))
7213 goto end;
7214
7215 testresult = 1;
7216
7217 end:
7218 SSL_SESSION_free(clntsess);
7219 SSL_free(serverssl);
7220 SSL_free(clientssl);
7221 SSL_CTX_free(sctx);
7222 SSL_CTX_free(cctx);
7223
7224 return testresult;
7225}
7226
e638112e
DB		 7227/*
7228 * Test incorrect shutdown.
7229 * Test 0: client does not shutdown properly,
7230 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7231 * server should get SSL_ERROR_SSL
7232 * Test 1: client does not shutdown properly,
7233 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7234 * server should get SSL_ERROR_ZERO_RETURN
7235 */
7236static int test_incorrect_shutdown(int tst)
7237{
7238 SSL_CTX *cctx = NULL, *sctx = NULL;
7239 SSL *clientssl = NULL, *serverssl = NULL;
7240 int testresult = 0;
7241 char buf[80];
7242 BIO *c2s;
7243
7244 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7245 TLS_client_method(), 0, 0,
7246 &sctx, &cctx, cert, privkey)))
7247 goto end;
7248
7249 if (tst == 1)
7250 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7251
7252 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7253 NULL, NULL)))
7254 goto end;
7255
7256 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7257 SSL_ERROR_NONE)))
7258 goto end;
7259
7260 c2s = SSL_get_rbio(serverssl);
7261 BIO_set_mem_eof_return(c2s, 0);
7262
7263 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7264 goto end;
7265
7266 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7267 goto end;
7268 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7269 goto end;
7270
7271 testresult = 1;
7272
7273 end:
7274 SSL_free(serverssl);
7275 SSL_free(clientssl);
7276 SSL_CTX_free(sctx);
7277 SSL_CTX_free(cctx);
7278
7279 return testresult;
7280}
7281
c748834f
MC		 7282/*
7283 * Test bi-directional shutdown.
7284 * Test 0: TLSv1.2
7285 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7286 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7287 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7288 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7289 * sends key update, client reads it
57d7b988
MC		 7290 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7291 * sends CertificateRequest, client reads and ignores it
7292 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7293 * doesn't read it
7294 */
7295static int test_shutdown(int tst)
7296{
7297 SSL_CTX *cctx = NULL, *sctx = NULL;
7298 SSL *clientssl = NULL, *serverssl = NULL;
7299 int testresult = 0;
7300 char msg[] = "A test message";
7301 char buf[80];
7302 size_t written, readbytes;
80eff008 7303 SSL_SESSION *sess;
c748834f
MC		 7304
7305#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7306 if (tst <= 1)
c748834f
MC		 7307 return 1;
7308#endif
7309#ifdef OPENSSL_NO_TLS1_3
a97d19f7 7310 if (tst >= 2)
c748834f
MC		 7311 return 1;
7312#endif
7313
5e30f2fd 7314 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7315 TLS_client_method(),
7316 TLS1_VERSION,
7317 (tst <= 1) ? TLS1_2_VERSION
7318 : TLS1_3_VERSION,
57d7b988
MC		 7319 &sctx, &cctx, cert, privkey)))
7320 goto end;
7321
7322 if (tst == 5)
7323 SSL_CTX_set_post_handshake_auth(cctx, 1);
7324
7325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7326 NULL, NULL)))
7327 goto end;
7328
7329 if (tst == 3) {
7330 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7331 SSL_ERROR_NONE, 1))
80eff008
KR		 7332 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7333 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7334 goto end;
7335 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7336 SSL_ERROR_NONE))
7337 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7338 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7339 goto end;
7340 }
7341
7342 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7343 goto end;
7344
7345 if (tst >= 4) {
7346 /*
7347 * Reading on the server after the client has sent close_notify should
7348 * fail and provide SSL_ERROR_ZERO_RETURN
7349 */
7350 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7351 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7352 SSL_ERROR_ZERO_RETURN)
7353 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7354 SSL_RECEIVED_SHUTDOWN)
7355 /*
7356 * Even though we're shutdown on receive we should still be
7357 * able to write.
7358 */
80eff008
KR		 7359 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7360 goto end;
57d7b988
MC		 7361 if (tst == 4
7362 && !TEST_true(SSL_key_update(serverssl,
7363 SSL_KEY_UPDATE_REQUESTED)))
7364 goto end;
7365 if (tst == 5) {
7366 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7367 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7368 goto end;
7369 }
7370 if ((tst == 4 || tst == 5)
7371 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7372 goto end;
7373 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7374 goto end;
57d7b988 7375 if (tst == 4 || tst == 5) {
80eff008 7376 /* Should still be able to read data from server */
c748834f 7377 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7378 &readbytes))
7379 || !TEST_size_t_eq(readbytes, sizeof(msg))
7380 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7381 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7382 &readbytes))
c748834f
MC		 7383 || !TEST_size_t_eq(readbytes, sizeof(msg))
7384 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7385 goto end;
7386 }
7387 }
7388
7389 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7390 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7391 goto end;
7392
7393 if (tst < 4) {
7394 /*
7395 * For these tests the client has sent close_notify but it has not yet
7396 * been received by the server. The server has not sent close_notify
7397 * yet.
7398 */
7399 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7400 /*
7401 * Writing on the server after sending close_notify shouldn't
7402 * be possible.
7403 */
7404 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7405 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7406 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7407 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7408 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7409 goto end;
57d7b988 7410 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7411 /*
7412 * In this test the client has sent close_notify and it has been
7413 * received by the server which has responded with a close_notify. The
358ffa05 7414 * client needs to read the close_notify sent by the server.
c748834f 7415 */
80eff008
KR		 7416 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7417 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7418 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7419 goto end;
358ffa05
MC		 7420 } else {
7421 /*
57d7b988 7422 * tst == 6
358ffa05
MC		 7423 *
7424 * The client has sent close_notify and is expecting a close_notify
7425 * back, but instead there is application data first. The shutdown
7426 * should fail with a fatal error.
7427 */
7428 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7429 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7430 goto end;
c748834f
MC		 7431 }
7432
7433 testresult = 1;
7434
7435 end:
7436 SSL_free(serverssl);
7437 SSL_free(clientssl);
7438 SSL_CTX_free(sctx);
7439 SSL_CTX_free(cctx);
7440
7441 return testresult;
7442}
7443
7f1d923a 7444#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 7445static int cert_cb_cnt;
7446
7447static int cert_cb(SSL *s, void *arg)
7448{
7449 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7450 BIO *in = NULL;
7451 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7452 X509 *x509 = NULL, *rootx = NULL;
7453 STACK_OF(X509) *chain = NULL;
7454 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7455 int ret = 0;
cd6fe29f
MC		 7456
7457 if (cert_cb_cnt == 0) {
7458 /* Suspend the handshake */
7459 cert_cb_cnt++;
7460 return -1;
7461 } else if (cert_cb_cnt == 1) {
7462 /*
7463 * Update the SSL_CTX, set the certificate and private key and then
7464 * continue the handshake normally.
7465 */
7466 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7467 return 0;
7468
7469 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7470 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7471 SSL_FILETYPE_PEM))
7472 || !TEST_true(SSL_check_private_key(s)))
7473 return 0;
7474 cert_cb_cnt++;
7475 return 1;
7cb8fb07
BK		 7476 } else if (cert_cb_cnt == 3) {
7477 int rv;
1a2a3a42
MC		 7478
7479 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7480 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7481 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7482 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7483 goto out;
7484 chain = sk_X509_new_null();
7485 if (!TEST_ptr(chain))
7486 goto out;
7cb8fb07 7487 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7488 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
6725682d
SL		 7489 || !TEST_ptr(rootx = X509_new_with_libctx(libctx, NULL))
7490 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7491 || !TEST_true(sk_X509_push(chain, rootx)))
7492 goto out;
7493 rootx = NULL;
7494 BIO_free(in);
7495 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7496 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
6725682d
SL		 7497 || !TEST_ptr(x509 = X509_new_with_libctx(libctx, NULL))
7498 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7499 goto out;
7500 BIO_free(in);
7501 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7502 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 7503 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7504 goto out;
1a2a3a42 7505 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7506 /*
7507 * If the cert doesn't show as valid here (e.g., because we don't
7508 * have any shared sigalgs), then we will not set it, and there will
7509 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7510 * will cause tls_choose_sigalgs() to fail the connection.
7511 */
1a2a3a42
MC		 7512 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7513 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7514 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7515 goto out;
7516 }
1a2a3a42
MC		 7517
7518 ret = 1;
cd6fe29f
MC		 7519 }
7520
7521 /* Abort the handshake */
7cb8fb07 7522 out:
1a2a3a42
MC		 7523 OPENSSL_free(ecdsacert);
7524 OPENSSL_free(ecdsakey);
7525 OPENSSL_free(rootfile);
7cb8fb07
BK		 7526 BIO_free(in);
7527 EVP_PKEY_free(pkey);
7528 X509_free(x509);
1a2a3a42
MC		 7529 X509_free(rootx);
7530 sk_X509_pop_free(chain, X509_free);
7531 return ret;
cd6fe29f
MC		 7532}
7533
7534/*
7535 * Test the certificate callback.
7536 * Test 0: Callback fails
7537 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7538 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7539 * Test 3: Success - Call SSL_check_chain from the callback
7540 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7541 * chain
7542 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7543 */
7544static int test_cert_cb_int(int prot, int tst)
7545{
7546 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7547 SSL *clientssl = NULL, *serverssl = NULL;
7548 int testresult = 0, ret;
7549
1a2a3a42
MC		 7550#ifdef OPENSSL_NO_EC
7551 /* We use an EC cert in these tests, so we skip in a no-ec build */
7552 if (tst >= 3)
7553 return 1;
7554#endif
7555
5e30f2fd 7556 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7557 TLS_client_method(),
7558 TLS1_VERSION,
7559 prot,
7560 &sctx, &cctx, NULL, NULL)))
7561 goto end;
7562
7563 if (tst == 0)
7564 cert_cb_cnt = -1;
1a2a3a42 7565 else if (tst >= 3)
7cb8fb07 7566 cert_cb_cnt = 3;
cd6fe29f
MC		 7567 else
7568 cert_cb_cnt = 0;
1a2a3a42 7569
cd6fe29f
MC		 7570 if (tst == 2)
7571 snictx = SSL_CTX_new(TLS_server_method());
7572 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7573
7574 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7575 NULL, NULL)))
7576 goto end;
7577
1a2a3a42
MC		 7578 if (tst == 4) {
7579 /*
7580 * We cause SSL_check_chain() to fail by specifying sig_algs that
7581 * the chain doesn't meet (the root uses an RSA cert)
7582 */
7583 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7584 "ecdsa_secp256r1_sha256")))
7585 goto end;
7586 } else if (tst == 5) {
7587 /*
7588 * We cause SSL_check_chain() to fail by specifying sig_algs that
7589 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7590 */
7591 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7592 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7593 goto end;
7594 }
7595
cd6fe29f 7596 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7597 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7598 || (tst > 0
7599 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7600 goto end;
7601 }
7602
7603 testresult = 1;
7604
7605 end:
7606 SSL_free(serverssl);
7607 SSL_free(clientssl);
7608 SSL_CTX_free(sctx);
7609 SSL_CTX_free(cctx);
7610 SSL_CTX_free(snictx);
7611
7612 return testresult;
7613}
7f1d923a 7614#endif
cd6fe29f
MC		 7615
7616static int test_cert_cb(int tst)
7617{
7618 int testresult = 1;
7619
7620#ifndef OPENSSL_NO_TLS1_2
7621 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7622#endif
7f1d923a 7623#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 7624 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7625#endif
7626
7627 return testresult;
7628}
7629
6e46c065
MC		 7630static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7631{
8c2bfd25 7632 X509 *xcert;
6e46c065
MC		 7633 EVP_PKEY *privpkey;
7634 BIO *in = NULL;
6725682d 7635 BIO *priv_in = NULL;
6e46c065 7636
8c2bfd25
TS		 7637 /* Check that SSL_get0_peer_certificate() returns something sensible */
7638 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7639 return 0;
6e46c065
MC		 7640
7641 in = BIO_new_file(cert, "r");
7642 if (!TEST_ptr(in))
7643 return 0;
7644
6725682d
SL		 7645 if (!TEST_ptr(xcert = X509_new_with_libctx(libctx, NULL))
7646 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7647 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
7648 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey(priv_in, NULL, NULL,
7649 NULL)))
7650 goto err;
6e46c065
MC		 7651
7652 *x509 = xcert;
7653 *pkey = privpkey;
7654
6725682d
SL		 7655 BIO_free(in);
7656 BIO_free(priv_in);
6e46c065 7657 return 1;
6725682d
SL		 7658err:
7659 X509_free(xcert);
7660 BIO_free(in);
7661 BIO_free(priv_in);
7662 return 0;
6e46c065
MC		 7663}
7664
7665static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7666{
7667 return 1;
7668}
7669
7670static int test_client_cert_cb(int tst)
7671{
7672 SSL_CTX *cctx = NULL, *sctx = NULL;
7673 SSL *clientssl = NULL, *serverssl = NULL;
7674 int testresult = 0;
7675
7676#ifdef OPENSSL_NO_TLS1_2
7677 if (tst == 0)
7678 return 1;
7679#endif
7680#ifdef OPENSSL_NO_TLS1_3
7681 if (tst == 1)
7682 return 1;
7683#endif
7684
5e30f2fd 7685 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7686 TLS_client_method(),
7687 TLS1_VERSION,
7688 tst == 0 ? TLS1_2_VERSION
7689 : TLS1_3_VERSION,
7690 &sctx, &cctx, cert, privkey)))
7691 goto end;
7692
7693 /*
7694 * Test that setting a client_cert_cb results in a client certificate being
7695 * sent.
7696 */
7697 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7698 SSL_CTX_set_verify(sctx,
7699 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7700 verify_cb);
fb8c8359
MC		 7701
7702 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7703 NULL, NULL))
7704 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7705 SSL_ERROR_NONE)))
7706 goto end;
7707
7708 testresult = 1;
7709
7710 end:
7711 SSL_free(serverssl);
7712 SSL_free(clientssl);
7713 SSL_CTX_free(sctx);
7714 SSL_CTX_free(cctx);
7715
7716 return testresult;
7717}
7718
7719#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7720/*
7721 * Test setting certificate authorities on both client and server.
7722 *
7723 * Test 0: SSL_CTX_set0_CA_list() only
7724 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7725 * Test 2: Only SSL_CTX_set_client_CA_list()
7726 */
7727static int test_ca_names_int(int prot, int tst)
7728{
7729 SSL_CTX *cctx = NULL, *sctx = NULL;
7730 SSL *clientssl = NULL, *serverssl = NULL;
7731 int testresult = 0;
7732 size_t i;
7733 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7734 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7735 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7736 const STACK_OF(X509_NAME) *sktmp = NULL;
7737
7738 for (i = 0; i < OSSL_NELEM(name); i++) {
7739 name[i] = X509_NAME_new();
7740 if (!TEST_ptr(name[i])
7741 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7742 MBSTRING_ASC,
7743 (unsigned char *)
7744 strnames[i],
7745 -1, -1, 0)))
7746 goto end;
7747 }
7748
5e30f2fd 7749 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7750 TLS_client_method(),
7751 TLS1_VERSION,
7752 prot,
7753 &sctx, &cctx, cert, privkey)))
7754 goto end;
7755
7756 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7757
7758 if (tst == 0 || tst == 1) {
7759 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7760 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7761 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7762 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7763 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7764 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7765 goto end;
7766
7767 SSL_CTX_set0_CA_list(sctx, sk1);
7768 SSL_CTX_set0_CA_list(cctx, sk2);
7769 sk1 = sk2 = NULL;
7770 }
7771 if (tst == 1 || tst == 2) {
7772 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7773 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7774 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7775 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7776 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7777 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7778 goto end;
7779
7780 SSL_CTX_set_client_CA_list(sctx, sk1);
7781 SSL_CTX_set_client_CA_list(cctx, sk2);
7782 sk1 = sk2 = NULL;
7783 }
7784
6e46c065
MC		 7785 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7786 NULL, NULL))
7787 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7788 SSL_ERROR_NONE)))
7789 goto end;
7790
fb8c8359
MC		 7791 /*
7792 * We only expect certificate authorities to have been sent to the server
7793 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7794 */
7795 sktmp = SSL_get0_peer_CA_list(serverssl);
7796 if (prot == TLS1_3_VERSION
7797 && (tst == 0 || tst == 1)) {
7798 if (!TEST_ptr(sktmp)
7799 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7800 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7801 name[0]), 0)
7802 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7803 name[1]), 0))
7804 goto end;
7805 } else if (!TEST_ptr_null(sktmp)) {
7806 goto end;
7807 }
7808
7809 /*
7810 * In all tests we expect certificate authorities to have been sent to the
7811 * client. However, SSL_set_client_CA_list() should override
7812 * SSL_set0_CA_list()
7813 */
7814 sktmp = SSL_get0_peer_CA_list(clientssl);
7815 if (!TEST_ptr(sktmp)
7816 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7817 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7818 name[tst == 0 ? 0 : 2]), 0)
7819 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7820 name[tst == 0 ? 1 : 3]), 0))
7821 goto end;
7822
6e46c065
MC		 7823 testresult = 1;
7824
7825 end:
7826 SSL_free(serverssl);
7827 SSL_free(clientssl);
7828 SSL_CTX_free(sctx);
7829 SSL_CTX_free(cctx);
fb8c8359
MC		 7830 for (i = 0; i < OSSL_NELEM(name); i++)
7831 X509_NAME_free(name[i]);
7832 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7833 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7834
7835 return testresult;
7836}
7837#endif
7838
7839static int test_ca_names(int tst)
7840{
7841 int testresult = 1;
7842
7843#ifndef OPENSSL_NO_TLS1_2
7844 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7845#endif
7846#ifndef OPENSSL_NO_TLS1_3
7847 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7848#endif
6e46c065
MC		 7849
7850 return testresult;
7851}
7852
0d2bfe52
SL		 7853#ifndef OPENSSL_NO_TLS1_2
7854static const char *multiblock_cipherlist_data[]=
7855{
7856 "AES128-SHA",
7857 "AES128-SHA256",
7858 "AES256-SHA",
7859 "AES256-SHA256",
7860};
7861
7862/* Reduce the fragment size - so the multiblock test buffer can be small */
7863# define MULTIBLOCK_FRAGSIZE 512
7864
7865static int test_multiblock_write(int test_index)
7866{
7867 static const char *fetchable_ciphers[]=
7868 {
7869 "AES-128-CBC-HMAC-SHA1",
7870 "AES-128-CBC-HMAC-SHA256",
7871 "AES-256-CBC-HMAC-SHA1",
7872 "AES-256-CBC-HMAC-SHA256"
7873 };
7874 const char *cipherlist = multiblock_cipherlist_data[test_index];
7875 const SSL_METHOD *smeth = TLS_server_method();
7876 const SSL_METHOD *cmeth = TLS_client_method();
7877 int min_version = TLS1_VERSION;
7878 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7879 SSL_CTX *cctx = NULL, *sctx = NULL;
7880 SSL *clientssl = NULL, *serverssl = NULL;
7881 int testresult = 0;
7882
7883 /*
7884 * Choose a buffer large enough to perform a multi-block operation
7885 * i.e: write_len >= 4 * frag_size
7886 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7887 */
7888 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7889 unsigned char buf[sizeof(msg)], *p = buf;
7890 size_t readbytes, written, len;
7891 EVP_CIPHER *ciph = NULL;
7892
7893 /*
7894 * Check if the cipher exists before attempting to use it since it only has
7895 * a hardware specific implementation.
7896 */
7897 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7898 if (ciph == NULL) {
7899 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7900 return 1;
7901 }
7902 EVP_CIPHER_free(ciph);
7903
7904 /* Set up a buffer with some data that will be sent to the client */
7905 RAND_bytes(msg, sizeof(msg));
7906
5e30f2fd
MC		 7907 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7908 max_version, &sctx, &cctx, cert,
7909 privkey)))
0d2bfe52
SL		 7910 goto end;
7911
7912 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7913 goto end;
7914
7915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7916 NULL, NULL)))
7917 goto end;
7918
7919 /* settings to force it to use AES-CBC-HMAC_SHA */
7920 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7921 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7922 goto end;
7923
7924 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7925 goto end;
7926
7927 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7928 || !TEST_size_t_eq(written, sizeof(msg)))
7929 goto end;
7930
7931 len = written;
7932 while (len > 0) {
7933 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7934 goto end;
7935 p += readbytes;
7936 len -= readbytes;
7937 }
7938 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7939 goto end;
7940
7941 testresult = 1;
7942end:
7943 SSL_free(serverssl);
7944 SSL_free(clientssl);
7945 SSL_CTX_free(sctx);
7946 SSL_CTX_free(cctx);
7947
7948 return testresult;
7949}
7950#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7951
49ef3d07
MC		 7952/*
7953 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7954 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7955 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7956 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7957 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7958 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7959 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7960 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7961 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7962 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7963 */
7964static int test_servername(int tst)
7965{
7966 SSL_CTX *cctx = NULL, *sctx = NULL;
7967 SSL *clientssl = NULL, *serverssl = NULL;
7968 int testresult = 0;
7969 SSL_SESSION *sess = NULL;
7970 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7971
7972#ifdef OPENSSL_NO_TLS1_2
7973 if (tst <= 4)
7974 return 1;
7975#endif
7976#ifdef OPENSSL_NO_TLS1_3
7977 if (tst >= 5)
7978 return 1;
7979#endif
7980
5e30f2fd 7981 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7982 TLS_client_method(),
7983 TLS1_VERSION,
7984 (tst <= 4) ? TLS1_2_VERSION
7985 : TLS1_3_VERSION,
7986 &sctx, &cctx, cert, privkey))
7987 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7988 NULL, NULL)))
7989 goto end;
7990
7991 if (tst != 1 && tst != 6) {
7992 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7993 hostname_cb)))
7994 goto end;
7995 }
7996
7997 if (tst != 3 && tst != 8) {
7998 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7999 goto end;
8000 sexpectedhost = cexpectedhost = "goodhost";
8001 }
8002
8003 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8004 goto end;
8005
8006 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8007 cexpectedhost)
8008 || !TEST_str_eq(SSL_get_servername(serverssl,
8009 TLSEXT_NAMETYPE_host_name),
8010 sexpectedhost))
8011 goto end;
8012
8013 /* Now repeat with a resumption handshake */
8014
8015 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8016 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8017 || !TEST_true(SSL_SESSION_is_resumable(sess))
8018 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8019 goto end;
8020
8021 SSL_free(clientssl);
8022 SSL_free(serverssl);
8023 clientssl = serverssl = NULL;
8024
8025 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8026 NULL)))
8027 goto end;
8028
8029 if (!TEST_true(SSL_set_session(clientssl, sess)))
8030 goto end;
8031
8032 sexpectedhost = cexpectedhost = "goodhost";
8033 if (tst == 2 || tst == 7) {
8034 /* Set an inconsistent hostname */
8035 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8036 goto end;
8037 /*
8038 * In TLSv1.2 we expect the hostname from the original handshake, in
8039 * TLSv1.3 we expect the hostname from this handshake
8040 */
8041 if (tst == 7)
8042 sexpectedhost = cexpectedhost = "altgoodhost";
8043
8044 if (!TEST_str_eq(SSL_get_servername(clientssl,
8045 TLSEXT_NAMETYPE_host_name),
8046 "altgoodhost"))
8047 goto end;
8048 } else if (tst == 4 || tst == 9) {
8049 /*
8050 * A TLSv1.3 session does not associate a session with a servername,
8051 * but a TLSv1.2 session does.
8052 */
8053 if (tst == 9)
8054 sexpectedhost = cexpectedhost = NULL;
8055
8056 if (!TEST_str_eq(SSL_get_servername(clientssl,
8057 TLSEXT_NAMETYPE_host_name),
8058 cexpectedhost))
8059 goto end;
8060 } else {
8061 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8062 goto end;
8063 /*
8064 * In a TLSv1.2 resumption where the hostname was not acknowledged
8065 * we expect the hostname on the server to be empty. On the client we
8066 * return what was requested in this case.
8067 *
8068 * Similarly if the client didn't set a hostname on an original TLSv1.2
8069 * session but is now, the server hostname will be empty, but the client
8070 * is as we set it.
8071 */
8072 if (tst == 1 || tst == 3)
8073 sexpectedhost = NULL;
8074
8075 if (!TEST_str_eq(SSL_get_servername(clientssl,
8076 TLSEXT_NAMETYPE_host_name),
8077 "goodhost"))
8078 goto end;
8079 }
8080
8081 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8082 goto end;
8083
8084 if (!TEST_true(SSL_session_reused(clientssl))
8085 || !TEST_true(SSL_session_reused(serverssl))
8086 || !TEST_str_eq(SSL_get_servername(clientssl,
8087 TLSEXT_NAMETYPE_host_name),
8088 cexpectedhost)
8089 || !TEST_str_eq(SSL_get_servername(serverssl,
8090 TLSEXT_NAMETYPE_host_name),
8091 sexpectedhost))
8092 goto end;
8093
8094 testresult = 1;
8095
8096 end:
8097 SSL_SESSION_free(sess);
8098 SSL_free(serverssl);
8099 SSL_free(clientssl);
8100 SSL_CTX_free(sctx);
8101 SSL_CTX_free(cctx);
8102
8103 return testresult;
8104}
8105
b3842539
MC		 8106#ifndef OPENSSL_NO_EC
8107/*
8108 * Test that if signature algorithms are not available, then we do not offer or
8109 * accept them.
8110 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8111 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8112 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8113 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8114 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8115 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8116 */
8117static int test_sigalgs_available(int idx)
8118{
8119 SSL_CTX *cctx = NULL, *sctx = NULL;
8120 SSL *clientssl = NULL, *serverssl = NULL;
8121 int testresult = 0;
8122 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
8123 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
8124 OSSL_PROVIDER *filterprov = NULL;
8125 int sig, hash;
8126
8127 if (!TEST_ptr(tmpctx))
8128 goto end;
8129
8130 if (idx != 0 && idx != 3) {
8131 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8132 filter_provider_init)))
8133 goto end;
8134
8135 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8136 if (!TEST_ptr(filterprov))
8137 goto end;
8138
8139 if (idx < 3) {
8140 /*
8141 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8142 * or accepted for the peer that uses this libctx. Note that libssl
8143 * *requires* SHA2-256 to be available so we cannot disable that. We
8144 * also need SHA1 for our certificate.
8145 */
8146 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8147 "SHA2-256:SHA1")))
8148 goto end;
8149 } else {
8150 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8151 "ECDSA"))
8152 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8153 "EC:X25519:X448")))
8154 goto end;
8155 }
8156
8157 if (idx == 1 || idx == 4)
8158 clientctx = tmpctx;
8159 else
8160 serverctx = tmpctx;
8161 }
8162
8163 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
8164 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8165 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8166 goto end;
b3842539
MC		 8167
8168 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8169 TLS_client_method(),
8170 TLS1_VERSION,
8171 0,
8172 &sctx, &cctx, cert, privkey)))
8173 goto end;
8174
8175 if (idx < 3) {
8176 if (!SSL_CTX_set1_sigalgs_list(cctx,
8177 "rsa_pss_rsae_sha384"
8178 ":rsa_pss_rsae_sha256")
8179 || !SSL_CTX_set1_sigalgs_list(sctx,
8180 "rsa_pss_rsae_sha384"
8181 ":rsa_pss_rsae_sha256"))
8182 goto end;
8183 } else {
8184 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8185 || !SSL_CTX_set1_sigalgs_list(sctx,
8186 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8187 goto end;
8188 }
8189
8190 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8191 SSL_FILETYPE_PEM), 1)
8192 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8193 privkey2,
8194 SSL_FILETYPE_PEM), 1)
8195 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8196 goto end;
8197
8198 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8199 NULL, NULL)))
8200 goto end;
8201
8202 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8203 goto end;
8204
8205 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8206 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8207 NULL, NULL),
8208 (idx == 0 || idx == 3) ? 2 : 1))
8209 goto end;
8210
8211 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8212 goto end;
8213
8214 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8215 : NID_rsassaPss))
8216 goto end;
8217
8218 testresult = 1;
8219
8220 end:
8221 SSL_free(serverssl);
8222 SSL_free(clientssl);
8223 SSL_CTX_free(sctx);
8224 SSL_CTX_free(cctx);
8225 OSSL_PROVIDER_unload(filterprov);
8226 OPENSSL_CTX_free(tmpctx);
8227
8228 return testresult;
8229}
8230#endif /* OPENSSL_NO_EC */
8231
0c13cdf8
MC		 8232#ifndef OPENSSL_NO_TLS1_3
8233static int test_pluggable_group(void)
8234{
8235 SSL_CTX *cctx = NULL, *sctx = NULL;
8236 SSL *clientssl = NULL, *serverssl = NULL;
8237 int testresult = 0;
8238 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8239 /* Check that we are not impacted by a provider without any groups */
8240 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
0c13cdf8 8241
146aebc6 8242 if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))
0c13cdf8
MC		 8243 goto end;
8244
8245 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8246 TLS_client_method(),
8247 TLS1_3_VERSION,
8248 TLS1_3_VERSION,
8249 &sctx, &cctx, cert, privkey))
8250 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8251 NULL, NULL)))
8252 goto end;
8253
8254 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
8255 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
8256 goto end;
8257
8258 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8259 goto end;
8260
8261 testresult = 1;
8262
8263 end:
8264 SSL_free(serverssl);
8265 SSL_free(clientssl);
8266 SSL_CTX_free(sctx);
8267 SSL_CTX_free(cctx);
8268 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8269 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8270
8271 return testresult;
8272}
8273#endif
b3842539 8274
49a36a52
MC		 8275#ifndef OPENSSL_NO_TLS1_2
8276static int test_ssl_dup(void)
8277{
8278 SSL_CTX *cctx = NULL, *sctx = NULL;
8279 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8280 int testresult = 0;
8281 BIO *rbio = NULL, *wbio = NULL;
8282
8283 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8284 TLS_client_method(),
8285 0,
8286 0,
8287 &sctx, &cctx, cert, privkey)))
8288 goto end;
8289
8290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8291 NULL, NULL)))
8292 goto end;
8293
8294 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8295 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8296 goto end;
8297
8298 client2ssl = SSL_dup(clientssl);
8299 rbio = SSL_get_rbio(clientssl);
8300 if (!TEST_ptr(rbio)
8301 || !TEST_true(BIO_up_ref(rbio)))
8302 goto end;
8303 SSL_set0_rbio(client2ssl, rbio);
8304 rbio = NULL;
8305
8306 wbio = SSL_get_wbio(clientssl);
8307 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8308 goto end;
8309 SSL_set0_wbio(client2ssl, wbio);
8310 rbio = NULL;
8311
8312 if (!TEST_ptr(client2ssl)
8313 /* Handshake not started so pointers should be different */
8314 || !TEST_ptr_ne(clientssl, client2ssl))
8315 goto end;
8316
8317 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8318 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8319 goto end;
8320
8321 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8322 goto end;
8323
8324 SSL_free(clientssl);
8325 clientssl = SSL_dup(client2ssl);
8326 if (!TEST_ptr(clientssl)
8327 /* Handshake has finished so pointers should be the same */
8328 || !TEST_ptr_eq(clientssl, client2ssl))
8329 goto end;
8330
8331 testresult = 1;
8332
8333 end:
8334 SSL_free(serverssl);
8335 SSL_free(clientssl);
8336 SSL_free(client2ssl);
8337 SSL_CTX_free(sctx);
8338 SSL_CTX_free(cctx);
8339
8340 return testresult;
8341}
8342#endif
8343
5e30f2fd 8344OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8345
ad887416 8346int setup_tests(void)
2cb4b5f6 8347{
5e30f2fd
MC		 8348 char *modulename;
8349 char *configfile;
8350
8351 libctx = OPENSSL_CTX_new();
8352 if (!TEST_ptr(libctx))
8353 return 0;
8354
8355 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8356
8357 /*
8358 * Verify that the default and fips providers in the default libctx are not
8359 * available
8360 */
8361 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8362 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8363 return 0;
8364
8d242823
MC		 8365 if (!test_skip_common_options()) {
8366 TEST_error("Error parsing test options\n");
8367 return 0;
8368 }
8369
1a2a3a42
MC		 8370 if (!TEST_ptr(certsdir = test_get_argument(0))
8371 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8372 || !TEST_ptr(tmpfilename = test_get_argument(2))
8373 || !TEST_ptr(modulename = test_get_argument(3))
8374 || !TEST_ptr(configfile = test_get_argument(4)))
8375 return 0;
8376
8377 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8378 return 0;
8379
8380 /* Check we have the expected provider available */
8381 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8382 return 0;
8383
8384 /* Check the default provider is not available */
8385 if (strcmp(modulename, "default") != 0
8386 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8387 return 0;
2cb4b5f6 8388
4f6c7044
MC		 8389 if (strcmp(modulename, "fips") == 0)
8390 is_fips = 1;
8391
0c13cdf8
MC		 8392 /*
8393 * We add, but don't load the test "tls-provider". We'll load it when we
8394 * need it.
8395 */
8396 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8397 tls_provider_init)))
8398 return 0;
8399
8400
f297e4ec
RS		 8401 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8402#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8403 TEST_error("not supported in this build");
8404 return 0;
8405#else
8406 int i, mcount, rcount, fcount;
8407
8408 for (i = 0; i < 4; i++)
8409 test_export_key_mat(i);
8410 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8411 test_printf_stdout("malloc %d realloc %d free %d\n",
8412 mcount, rcount, fcount);
8413 return 1;
8414#endif
8415 }
8416
1a2a3a42
MC		 8417 cert = test_mk_file_path(certsdir, "servercert.pem");
8418 if (cert == NULL)
b3842539 8419 goto err;
1a2a3a42
MC		 8420
8421 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8422 if (privkey == NULL)
8423 goto err;
8424
8425 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8426 if (cert2 == NULL)
8427 goto err;
8428
8429 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8430 if (privkey2 == NULL)
8431 goto err;
1a2a3a42 8432
da4db160
VF		 8433#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8434#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8435 ADD_ALL_TESTS(test_ktls, 32);
8436 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8437#endif
fe5d9450 8438#endif
84d5549e 8439 ADD_TEST(test_large_message_tls);
7856332e 8440 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8441#ifndef OPENSSL_NO_DTLS
84d5549e 8442 ADD_TEST(test_large_message_dtls);
55386bef 8443#endif
163b8016 8444 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 8445#ifndef OPENSSL_NO_OCSP
c887104f 8446 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8447#endif
eaa776da
MC		 8448 ADD_TEST(test_session_with_only_int_cache);
8449 ADD_TEST(test_session_with_only_ext_cache);
8450 ADD_TEST(test_session_with_both_cache);
90fc2c26 8451 ADD_TEST(test_session_wo_ca_names);
36ff232c 8452#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 8453 ADD_ALL_TESTS(test_stateful_tickets, 3);
8454 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8455 ADD_TEST(test_psk_tickets);
f0049b86 8456 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8457#endif
7fb4c820 8458 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8459 ADD_TEST(test_ssl_bio_pop_next_bio);
8460 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8461 ADD_TEST(test_ssl_bio_change_rbio);
8462 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 8463#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 8464 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8465 ADD_TEST(test_keylog);
c423ecaa 8466#endif
6acdd3e5
CB		 8467#ifndef OPENSSL_NO_TLS1_3
8468 ADD_TEST(test_keylog_no_master_key);
8469#endif
e9ee6536 8470#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8471 ADD_TEST(test_client_hello_cb);
088dfa13 8472 ADD_TEST(test_no_ems);
3cd14e5e 8473 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 8474#endif
8475#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 8476 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8477 /*
8478 * We don't do replay tests for external PSK. Replay protection isn't used
8479 * in that scenario.
8480 */
8481 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8482 ADD_ALL_TESTS(test_early_data_skip, 3);
8483 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8484 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8485 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8486 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8487 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8488 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8489 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8490# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8491 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8492# endif
e9ee6536 8493#endif
a273157a 8494#ifndef OPENSSL_NO_TLS1_3
034cb87b 8495 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8496 ADD_TEST(test_ciphersuite_change);
5bf2eade 8497 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8498# ifdef OPENSSL_NO_PSK
c2b290c3 8499 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8500# else
0d8da779 8501 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8502# endif /* OPENSSL_NO_PSK */
8503# ifndef OPENSSL_NO_TLS1_2
8504 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8505 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8506# else
8507 /* Test with only TLSv1.3 versions */
8508 ADD_ALL_TESTS(test_key_exchange, 12);
8509# endif
bb01ef3f 8510 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8511 ADD_TEST(test_stateless);
9d75dce3 8512 ADD_TEST(test_pha_key_update);
a273157a 8513#else
bb01ef3f 8514 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8515#endif
16afd71c 8516 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8517 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 8518#ifndef OPENSSL_NO_TLS1_3
8519 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8520 ADD_TEST(test_key_update);
a77b4dba 8521 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8522#endif
e11b6aa4 8523 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8524 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8525#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8526 ADD_ALL_TESTS(test_srp, 6);
8527#endif
5718fe45 8528 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8529 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8530 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8531 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8532 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8533 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8534 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8535 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8536 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8537#ifndef OPENSSL_NO_TLS1_2
8538 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8539#endif
49ef3d07 8540 ADD_ALL_TESTS(test_servername, 10);
b3842539
MC		 8541#ifndef OPENSSL_NO_EC
8542 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8543#endif
8544#ifndef OPENSSL_NO_TLS1_3
8545 ADD_TEST(test_pluggable_group);
49a36a52
MC		 8546#endif
8547#ifndef OPENSSL_NO_TLS1_2
8548 ADD_TEST(test_ssl_dup);
b3842539 8549#endif
ad887416 8550 return 1;
b3842539
MC		 8551
8552 err:
8553 OPENSSL_free(cert);
8554 OPENSSL_free(privkey);
8555 OPENSSL_free(cert2);
8556 OPENSSL_free(privkey2);
8557 return 0;
ad887416 8558}
2cb4b5f6 8559
ad887416
P		 8560void cleanup_tests(void)
8561{
1a2a3a42
MC		 8562 OPENSSL_free(cert);
8563 OPENSSL_free(privkey);
b3842539
MC		 8564 OPENSSL_free(cert2);
8565 OPENSSL_free(privkey2);
fa454945 8566 bio_s_mempacket_test_free();
a77b4dba 8567 bio_s_always_retry_free();
5e30f2fd
MC		 8568 OSSL_PROVIDER_unload(defctxnull);
8569 OPENSSL_CTX_free(libctx);
2cb4b5f6 8570}
A mirror of the official openssl repository