]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Don't attempt to duplicate the BIO state in SSL_dup
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
b3842539 31#include <openssl/core_numbers.h>
5e30f2fd 32#include <openssl/provider.h>
2cb4b5f6
MC		 33
34#include "ssltestlib.h"
c887104f 35#include "testutil.h"
f297e4ec 36#include "testutil/output.h"
176db6dc 37#include "internal/nelem.h"
fe5d9450 38#include "internal/ktls.h"
706457b7 39#include "../ssl/ssl_local.h"
2cb4b5f6 40
b3842539
MC		 41/* Defined in filterprov.c */
42OSSL_provider_init_fn filter_provider_init;
43int filter_provider_set_filter(int operation, const char *name);
44
0c13cdf8
MC		 45/* Defined in tls-provider.c */
46int tls_provider_init(const OSSL_CORE_HANDLE *handle,
47 const OSSL_DISPATCH *in,
48 const OSSL_DISPATCH **out,
49 void **provctx);
852c2ed2
RS		 50DEFINE_STACK_OF(OCSP_RESPID)
51DEFINE_STACK_OF(X509)
52DEFINE_STACK_OF(X509_NAME)
53
5e30f2fd
MC		 54static OPENSSL_CTX *libctx = NULL;
55static OSSL_PROVIDER *defctxnull = NULL;
56
8614a4eb
MC		 57#ifndef OPENSSL_NO_TLS1_3
58
59static SSL_SESSION *clientpsk = NULL;
60static SSL_SESSION *serverpsk = NULL;
61static const char *pskid = "Identity";
62static const char *srvid;
63
64static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
65 size_t *idlen, SSL_SESSION **sess);
66static int find_session_cb(SSL *ssl, const unsigned char *identity,
67 size_t identity_len, SSL_SESSION **sess);
68
69static int use_session_cb_cnt = 0;
70static int find_session_cb_cnt = 0;
71
72static SSL_SESSION *create_a_psk(SSL *ssl);
73#endif
74
1a2a3a42 75static char *certsdir = NULL;
2cb4b5f6
MC		 76static char *cert = NULL;
77static char *privkey = NULL;
b3842539
MC		 78static char *cert2 = NULL;
79static char *privkey2 = NULL;
76fd7a1d
MC		 80static char *srpvfile = NULL;
81static char *tmpfilename = NULL;
2cb4b5f6 82
4f6c7044
MC		 83static int is_fips = 0;
84
cffe973c 85#define LOG_BUFFER_SIZE 2048
6acdd3e5 86static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 87static size_t server_log_buffer_index = 0;
6acdd3e5 88static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 89static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 90static int error_writing_log = 0;
91
8f8c11d8 92#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 93static const unsigned char orespder[] = "Dummy OCSP Response";
94static int ocsp_server_called = 0;
95static int ocsp_client_called = 0;
96
97static int cdummyarg = 1;
98static X509 *ocspcert = NULL;
8f8c11d8 99#endif
ba881d3b 100
84d5549e 101#define NUM_EXTRA_CERTS 40
cf72c757 102#define CLIENT_VERSION_LEN 2
84d5549e 103
f1a5939f
CB		 104/*
105 * This structure is used to validate that the correct number of log messages
106 * of various types are emitted when emitting secret logs.
107 */
108struct sslapitest_log_counts {
109 unsigned int rsa_key_exchange_count;
110 unsigned int master_secret_count;
cffe973c 111 unsigned int client_early_secret_count;
f1a5939f
CB		 112 unsigned int client_handshake_secret_count;
113 unsigned int server_handshake_secret_count;
114 unsigned int client_application_secret_count;
115 unsigned int server_application_secret_count;
01a2a654 116 unsigned int early_exporter_secret_count;
6329ce8f 117 unsigned int exporter_secret_count;
f1a5939f
CB		 118};
119
16afd71c
MC		 120
121static unsigned char serverinfov1[] = {
122 0xff, 0xff, /* Dummy extension type */
123 0x00, 0x01, /* Extension length is 1 byte */
124 0xff /* Dummy extension data */
125};
126
127static unsigned char serverinfov2[] = {
128 0x00, 0x00, 0x00,
129 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
130 0xff, 0xff, /* Dummy extension type */
131 0x00, 0x01, /* Extension length is 1 byte */
132 0xff /* Dummy extension data */
133};
134
104a733d
MC		 135static int hostname_cb(SSL *s, int *al, void *arg)
136{
137 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
138
139 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
140 || strcmp(hostname, "altgoodhost") == 0))
141 return SSL_TLSEXT_ERR_OK;
142
143 return SSL_TLSEXT_ERR_NOACK;
144}
145
710756a9
RS		 146static void client_keylog_callback(const SSL *ssl, const char *line)
147{
6acdd3e5
CB		 148 int line_length = strlen(line);
149
150 /* If the log doesn't fit, error out. */
710756a9
RS		 151 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
152 TEST_info("Client log too full");
6acdd3e5
CB		 153 error_writing_log = 1;
154 return;
155 }
156
157 strcat(client_log_buffer, line);
158 client_log_buffer_index += line_length;
710756a9 159 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 160}
161
710756a9
RS		 162static void server_keylog_callback(const SSL *ssl, const char *line)
163{
6acdd3e5
CB		 164 int line_length = strlen(line);
165
166 /* If the log doesn't fit, error out. */
710756a9 167 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 168 TEST_info("Server log too full");
6acdd3e5
CB		 169 error_writing_log = 1;
170 return;
171 }
172
173 strcat(server_log_buffer, line);
174 server_log_buffer_index += line_length;
710756a9 175 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 176}
177
178static int compare_hex_encoded_buffer(const char *hex_encoded,
179 size_t hex_length,
180 const uint8_t *raw,
710756a9
RS		 181 size_t raw_length)
182{
183 size_t i, j;
184 char hexed[3];
6acdd3e5 185
710756a9 186 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 187 return 1;
6acdd3e5 188
710756a9 189 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 190 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 191 if (!TEST_int_eq(hexed[0], hex_encoded[j])
192 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 193 return 1;
6acdd3e5
CB		 194 }
195
196 return 0;
197}
198
199static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 200 const SSL_SESSION *session,
710756a9
RS		 201 struct sslapitest_log_counts *expected)
202{
6acdd3e5
CB		 203 char *token = NULL;
204 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
205 size_t client_random_size = SSL3_RANDOM_SIZE;
206 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
207 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 208 unsigned int rsa_key_exchange_count = 0;
209 unsigned int master_secret_count = 0;
cffe973c 210 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 211 unsigned int client_handshake_secret_count = 0;
212 unsigned int server_handshake_secret_count = 0;
213 unsigned int client_application_secret_count = 0;
214 unsigned int server_application_secret_count = 0;
01a2a654 215 unsigned int early_exporter_secret_count = 0;
6329ce8f 216 unsigned int exporter_secret_count = 0;
6acdd3e5 217
710756a9
RS		 218 for (token = strtok(buffer, " \n"); token != NULL;
219 token = strtok(NULL, " \n")) {
6acdd3e5 220 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 221 /*
222 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 223 * hex-encoded encrypted secret, then the hex-encoded pre-master
224 * secret.
225 */
710756a9 226 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 227 return 0;
710756a9 228 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 229 return 0;
710756a9 230 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 231 return 0;
f1a5939f
CB		 232 /*
233 * We can't sensibly check the log because the premaster secret is
234 * transient, and OpenSSL doesn't keep hold of it once the master
235 * secret is generated.
236 */
237 rsa_key_exchange_count++;
6acdd3e5 238 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 239 /*
240 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 241 * client random, then the hex-encoded master secret.
242 */
243 client_random_size = SSL_get_client_random(ssl,
244 actual_client_random,
245 SSL3_RANDOM_SIZE);
710756a9 246 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
710756a9 251 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 252 return 0;
710756a9
RS		 253 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
254 actual_client_random,
255 client_random_size)))
f1a5939f 256 return 0;
6acdd3e5 257
710756a9 258 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 259 return 0;
6acdd3e5
CB		 260 master_key_size = SSL_SESSION_get_master_key(session,
261 actual_master_key,
262 master_key_size);
710756a9 263 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 264 return 0;
710756a9
RS		 265 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
266 actual_master_key,
267 master_key_size)))
f1a5939f 268 return 0;
f1a5939f 269 master_secret_count++;
cffe973c
PW		 270 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
271 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 272 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
273 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 274 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 275 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 276 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 277 /*
278 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
279 * client random, and then the hex-encoded secret. In this case,
280 * we treat all of these secrets identically and then just
281 * distinguish between them when counting what we saw.
282 */
cffe973c
PW		 283 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
284 client_early_secret_count++;
285 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 286 client_handshake_secret_count++;
287 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
288 server_handshake_secret_count++;
289 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
290 client_application_secret_count++;
291 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
292 server_application_secret_count++;
01a2a654
PW		 293 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
294 early_exporter_secret_count++;
6329ce8f
PW		 295 else if (strcmp(token, "EXPORTER_SECRET") == 0)
296 exporter_secret_count++;
f1a5939f
CB		 297
298 client_random_size = SSL_get_client_random(ssl,
299 actual_client_random,
300 SSL3_RANDOM_SIZE);
710756a9 301 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 302 return 0;
f1a5939f 303
710756a9 304 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 305 return 0;
710756a9 306 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 307 return 0;
710756a9
RS		 308 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
309 actual_client_random,
310 client_random_size)))
f1a5939f 311 return 0;
6acdd3e5 312
710756a9 313 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 314 return 0;
f1a5939f
CB		 315
316 /*
317 * TODO(TLS1.3): test that application traffic secrets are what
318 * we expect */
6acdd3e5 319 } else {
710756a9 320 TEST_info("Unexpected token %s\n", token);
f1a5939f 321 return 0;
6acdd3e5 322 }
6acdd3e5
CB		 323 }
324
710756a9
RS		 325 /* Got what we expected? */
326 if (!TEST_size_t_eq(rsa_key_exchange_count,
327 expected->rsa_key_exchange_count)
328 || !TEST_size_t_eq(master_secret_count,
329 expected->master_secret_count)
cffe973c
PW		 330 || !TEST_size_t_eq(client_early_secret_count,
331 expected->client_early_secret_count)
710756a9
RS		 332 || !TEST_size_t_eq(client_handshake_secret_count,
333 expected->client_handshake_secret_count)
334 || !TEST_size_t_eq(server_handshake_secret_count,
335 expected->server_handshake_secret_count)
336 || !TEST_size_t_eq(client_application_secret_count,
337 expected->client_application_secret_count)
338 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 339 expected->server_application_secret_count)
01a2a654
PW		 340 || !TEST_size_t_eq(early_exporter_secret_count,
341 expected->early_exporter_secret_count)
6329ce8f
PW		 342 || !TEST_size_t_eq(exporter_secret_count,
343 expected->exporter_secret_count))
710756a9
RS		 344 return 0;
345 return 1;
6acdd3e5
CB		 346}
347
c423ecaa 348#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 349static int test_keylog(void)
350{
6acdd3e5
CB		 351 SSL_CTX *cctx = NULL, *sctx = NULL;
352 SSL *clientssl = NULL, *serverssl = NULL;
353 int testresult = 0;
6fc1e624 354 struct sslapitest_log_counts expected;
6acdd3e5
CB		 355
356 /* Clean up logging space */
6fc1e624 357 memset(&expected, 0, sizeof(expected));
710756a9
RS		 358 memset(client_log_buffer, 0, sizeof(client_log_buffer));
359 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 360 client_log_buffer_index = 0;
361 server_log_buffer_index = 0;
362 error_writing_log = 0;
363
5e30f2fd 364 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 365 TLS_client_method(),
5c587fb6 366 TLS1_VERSION, 0,
710756a9 367 &sctx, &cctx, cert, privkey)))
6acdd3e5 368 return 0;
6acdd3e5
CB		 369
370 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
371 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
372 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
373
f0deb4d3 374 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 375 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 376 goto end;
f0deb4d3 377
cf10df81
RS		 378 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
379 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 380 goto end;
6acdd3e5 381 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 382 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
383 == client_keylog_callback))
6acdd3e5 384 goto end;
710756a9 385 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 386 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
387 == server_keylog_callback))
6acdd3e5 388 goto end;
6acdd3e5 389
710756a9
RS		 390 /* Now do a handshake and check that the logs have been written to. */
391 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
392 &clientssl, NULL, NULL))
393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
394 SSL_ERROR_NONE))
395 || !TEST_false(error_writing_log)
396 || !TEST_int_gt(client_log_buffer_index, 0)
397 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 398 goto end;
6acdd3e5 399
f1a5939f
CB		 400 /*
401 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 402 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 403 * data we expect. For both client and server, we expect to see one master
404 * secret. The client should also see a RSA key exchange.
6acdd3e5 405 */
f1a5939f
CB		 406 expected.rsa_key_exchange_count = 1;
407 expected.master_secret_count = 1;
710756a9
RS		 408 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
409 SSL_get_session(clientssl), &expected)))
6acdd3e5 410 goto end;
f1a5939f
CB		 411
412 expected.rsa_key_exchange_count = 0;
710756a9
RS		 413 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
414 SSL_get_session(serverssl), &expected)))
6acdd3e5 415 goto end;
6acdd3e5
CB		 416
417 testresult = 1;
418
419end:
420 SSL_free(serverssl);
421 SSL_free(clientssl);
422 SSL_CTX_free(sctx);
423 SSL_CTX_free(cctx);
424
425 return testresult;
426}
c423ecaa 427#endif
6acdd3e5
CB		 428
429#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 430static int test_keylog_no_master_key(void)
431{
6acdd3e5
CB		 432 SSL_CTX *cctx = NULL, *sctx = NULL;
433 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 434 SSL_SESSION *sess = NULL;
6acdd3e5 435 int testresult = 0;
6fc1e624 436 struct sslapitest_log_counts expected;
cffe973c
PW		 437 unsigned char buf[1];
438 size_t readbytes, written;
6acdd3e5
CB		 439
440 /* Clean up logging space */
6fc1e624 441 memset(&expected, 0, sizeof(expected));
710756a9
RS		 442 memset(client_log_buffer, 0, sizeof(client_log_buffer));
443 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 444 client_log_buffer_index = 0;
445 server_log_buffer_index = 0;
446 error_writing_log = 0;
447
5e30f2fd
MC		 448 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
449 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 450 &sctx, &cctx, cert, privkey))
451 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 452 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 453 return 0;
6acdd3e5 454
cf10df81
RS		 455 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
456 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 457 goto end;
6acdd3e5
CB		 458
459 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 460 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
461 == client_keylog_callback))
6acdd3e5 462 goto end;
6acdd3e5 463
710756a9 464 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 465 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
466 == server_keylog_callback))
6acdd3e5 467 goto end;
6acdd3e5 468
710756a9
RS		 469 /* Now do a handshake and check that the logs have been written to. */
470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
471 &clientssl, NULL, NULL))
472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE))
474 || !TEST_false(error_writing_log))
6acdd3e5 475 goto end;
6acdd3e5 476
f1a5939f
CB		 477 /*
478 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 479 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 480 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 481 */
f1a5939f
CB		 482 expected.client_handshake_secret_count = 1;
483 expected.server_handshake_secret_count = 1;
484 expected.client_application_secret_count = 1;
485 expected.server_application_secret_count = 1;
6329ce8f 486 expected.exporter_secret_count = 1;
710756a9
RS		 487 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
488 SSL_get_session(clientssl), &expected))
489 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
490 SSL_get_session(serverssl),
491 &expected)))
6acdd3e5 492 goto end;
6acdd3e5 493
cffe973c
PW		 494 /* Terminate old session and resume with early data. */
495 sess = SSL_get1_session(clientssl);
496 SSL_shutdown(clientssl);
497 SSL_shutdown(serverssl);
498 SSL_free(serverssl);
499 SSL_free(clientssl);
500 serverssl = clientssl = NULL;
501
502 /* Reset key log */
503 memset(client_log_buffer, 0, sizeof(client_log_buffer));
504 memset(server_log_buffer, 0, sizeof(server_log_buffer));
505 client_log_buffer_index = 0;
506 server_log_buffer_index = 0;
507
508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
509 &clientssl, NULL, NULL))
510 || !TEST_true(SSL_set_session(clientssl, sess))
511 /* Here writing 0 length early data is enough. */
512 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
513 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
514 &readbytes),
515 SSL_READ_EARLY_DATA_ERROR)
516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
517 SSL_EARLY_DATA_ACCEPTED)
518 || !TEST_true(create_ssl_connection(serverssl, clientssl,
519 SSL_ERROR_NONE))
520 || !TEST_true(SSL_session_reused(clientssl)))
521 goto end;
522
523 /* In addition to the previous entries, expect early secrets. */
524 expected.client_early_secret_count = 1;
01a2a654 525 expected.early_exporter_secret_count = 1;
cffe973c
PW		 526 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
527 SSL_get_session(clientssl), &expected))
528 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
529 SSL_get_session(serverssl),
530 &expected)))
531 goto end;
532
6acdd3e5
CB		 533 testresult = 1;
534
535end:
cffe973c 536 SSL_SESSION_free(sess);
6acdd3e5
CB		 537 SSL_free(serverssl);
538 SSL_free(clientssl);
539 SSL_CTX_free(sctx);
540 SSL_CTX_free(cctx);
541
542 return testresult;
543}
544#endif
545
e9ee6536 546#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 547static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 548{
549 int *ctr = arg;
550 const unsigned char *p;
8ea404fb 551 int *exts;
2afaee51
BK		 552 /* We only configure two ciphers, but the SCSV is added automatically. */
553#ifdef OPENSSL_NO_EC
554 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
555#else
556 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
557 0x2c, 0x00, 0xff};
558#endif
8ea404fb
BK		 559 const int expected_extensions[] = {
560#ifndef OPENSSL_NO_EC
561 11, 10,
562#endif
10ed1b72 563 35, 22, 23, 13};
2afaee51
BK		 564 size_t len;
565
566 /* Make sure we can defer processing and get called back. */
567 if ((*ctr)++ == 0)
f1b97da1 568 return SSL_CLIENT_HELLO_RETRY;
2afaee51 569
a9c0d8be 570 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 571 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 572 || !TEST_size_t_eq(
573 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 574 || !TEST_int_eq(*p, 0))
f1b97da1 575 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 576 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 577 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 578 if (len != OSSL_NELEM(expected_extensions) ||
579 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 580 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 581 OPENSSL_free(exts);
f1b97da1 582 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 583 }
584 OPENSSL_free(exts);
f1b97da1 585 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 586}
587
a9c0d8be 588static int test_client_hello_cb(void)
710756a9 589{
2afaee51
BK		 590 SSL_CTX *cctx = NULL, *sctx = NULL;
591 SSL *clientssl = NULL, *serverssl = NULL;
592 int testctr = 0, testresult = 0;
593
5e30f2fd
MC		 594 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
595 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 596 &sctx, &cctx, cert, privkey)))
2afaee51 597 goto end;
a9c0d8be 598 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 599
2afaee51
BK		 600 /* The gimpy cipher list we configure can't do TLS 1.3. */
601 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 602
710756a9
RS		 603 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
604 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
605 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
606 &clientssl, NULL, NULL))
607 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 608 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 609 /*
610 * Passing a -1 literal is a hack since
611 * the real value was lost.
612 * */
a9c0d8be
DB		 613 || !TEST_int_eq(SSL_get_error(serverssl, -1),
614 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 615 || !TEST_true(create_ssl_connection(serverssl, clientssl,
616 SSL_ERROR_NONE)))
2afaee51 617 goto end;
2afaee51
BK		 618
619 testresult = 1;
620
088dfa13
TS		 621end:
622 SSL_free(serverssl);
623 SSL_free(clientssl);
624 SSL_CTX_free(sctx);
625 SSL_CTX_free(cctx);
626
627 return testresult;
628}
629
630static int test_no_ems(void)
631{
632 SSL_CTX *cctx = NULL, *sctx = NULL;
633 SSL *clientssl = NULL, *serverssl = NULL;
634 int testresult = 0;
635
5e30f2fd 636 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 637 TLS1_VERSION, TLS1_2_VERSION,
638 &sctx, &cctx, cert, privkey)) {
639 printf("Unable to create SSL_CTX pair\n");
640 goto end;
641 }
642
643 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
644
645 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
646 printf("Unable to create SSL objects\n");
647 goto end;
648 }
649
650 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
651 printf("Creating SSL connection failed\n");
652 goto end;
653 }
654
655 if (SSL_get_extms_support(serverssl)) {
656 printf("Server reports Extended Master Secret support\n");
657 goto end;
658 }
659
660 if (SSL_get_extms_support(clientssl)) {
661 printf("Client reports Extended Master Secret support\n");
662 goto end;
663 }
664 testresult = 1;
665
2afaee51
BK		 666end:
667 SSL_free(serverssl);
668 SSL_free(clientssl);
669 SSL_CTX_free(sctx);
670 SSL_CTX_free(cctx);
671
672 return testresult;
673}
674
3cd14e5e
BK		 675/*
676 * Very focused test to exercise a single case in the server-side state
677 * machine, when the ChangeCipherState message needs to actually change
678 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 679 * encryption to real encryption).
3cd14e5e
BK		 680 */
681static int test_ccs_change_cipher(void)
682{
683 SSL_CTX *cctx = NULL, *sctx = NULL;
684 SSL *clientssl = NULL, *serverssl = NULL;
685 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
686 int testresult = 0;
687 int i;
688 unsigned char buf;
689 size_t readbytes;
690
691 /*
692 * Create a conection so we can resume and potentially (but not) use
693 * a different cipher in the second connection.
694 */
5e30f2fd 695 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 696 TLS_client_method(),
697 TLS1_VERSION, TLS1_2_VERSION,
698 &sctx, &cctx, cert, privkey))
699 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
700 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
701 NULL, NULL))
702 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
703 || !TEST_true(create_ssl_connection(serverssl, clientssl,
704 SSL_ERROR_NONE))
705 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
706 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
707 goto end;
708
709 shutdown_ssl_connection(serverssl, clientssl);
710 serverssl = clientssl = NULL;
711
712 /* Resume, preferring a different cipher. Our server will force the
713 * same cipher to be used as the initial handshake. */
714 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
715 NULL, NULL))
716 || !TEST_true(SSL_set_session(clientssl, sess))
717 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
718 || !TEST_true(create_ssl_connection(serverssl, clientssl,
719 SSL_ERROR_NONE))
720 || !TEST_true(SSL_session_reused(clientssl))
721 || !TEST_true(SSL_session_reused(serverssl))
722 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
723 || !TEST_ptr_eq(sesspre, sesspost)
724 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
725 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
726 goto end;
727 shutdown_ssl_connection(serverssl, clientssl);
728 serverssl = clientssl = NULL;
729
730 /*
731 * Now create a fresh connection and try to renegotiate a different
732 * cipher on it.
733 */
b3e6d666
BK		 734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
735 NULL, NULL))
3cd14e5e
BK		 736 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
737 || !TEST_true(create_ssl_connection(serverssl, clientssl,
738 SSL_ERROR_NONE))
739 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
740 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
741 || !TEST_true(SSL_renegotiate(clientssl))
742 || !TEST_true(SSL_renegotiate_pending(clientssl)))
743 goto end;
744 /* Actually drive the renegotiation. */
745 for (i = 0; i < 3; i++) {
746 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
747 if (!TEST_ulong_eq(readbytes, 0))
748 goto end;
749 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
750 SSL_ERROR_WANT_READ)) {
751 goto end;
752 }
753 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
754 if (!TEST_ulong_eq(readbytes, 0))
755 goto end;
756 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
757 SSL_ERROR_WANT_READ)) {
758 goto end;
759 }
760 }
761 /* sesspre and sesspost should be different since the cipher changed. */
762 if (!TEST_false(SSL_renegotiate_pending(clientssl))
763 || !TEST_false(SSL_session_reused(clientssl))
764 || !TEST_false(SSL_session_reused(serverssl))
765 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
766 || !TEST_ptr_ne(sesspre, sesspost)
767 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
768 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
769 goto end;
770
771 shutdown_ssl_connection(serverssl, clientssl);
772 serverssl = clientssl = NULL;
773
774 testresult = 1;
775
776end:
777 SSL_free(serverssl);
778 SSL_free(clientssl);
779 SSL_CTX_free(sctx);
780 SSL_CTX_free(cctx);
781 SSL_SESSION_free(sess);
782
783 return testresult;
784}
fb121631 785#endif
3cd14e5e 786
84d5549e 787static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 788 const SSL_METHOD *cmeth,
789 int min_version, int max_version,
790 int read_ahead)
84d5549e
MC		 791{
792 SSL_CTX *cctx = NULL, *sctx = NULL;
793 SSL *clientssl = NULL, *serverssl = NULL;
794 int testresult = 0;
795 int i;
710756a9 796 BIO *certbio = NULL;
84d5549e
MC		 797 X509 *chaincert = NULL;
798 int certlen;
799
710756a9 800 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 801 goto end;
84d5549e 802 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 803 BIO_free(certbio);
804 certbio = NULL;
710756a9 805 if (!TEST_ptr(chaincert))
fa454945 806 goto end;
84d5549e 807
5e30f2fd
MC		 808 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
809 max_version, &sctx, &cctx, cert,
810 privkey)))
84d5549e 811 goto end;
84d5549e 812
710756a9 813 if (read_ahead) {
7856332e
MC		 814 /*
815 * Test that read_ahead works correctly when dealing with large
816 * records
817 */
818 SSL_CTX_set_read_ahead(cctx, 1);
819 }
820
84d5549e
MC		 821 /*
822 * We assume the supplied certificate is big enough so that if we add
823 * NUM_EXTRA_CERTS it will make the overall message large enough. The
824 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 825 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
826 * test we need to have a message larger than that.
84d5549e
MC		 827 */
828 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 829 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
830 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 831 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 832 if (!X509_up_ref(chaincert))
84d5549e 833 goto end;
84d5549e 834 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 835 X509_free(chaincert);
836 goto end;
837 }
838 }
839
710756a9
RS		 840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
841 NULL, NULL))
842 || !TEST_true(create_ssl_connection(serverssl, clientssl,
843 SSL_ERROR_NONE)))
84d5549e 844 goto end;
84d5549e 845
4bf08600
MC		 846 /*
847 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 848 * doesn't leak.
4bf08600 849 */
710756a9 850 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 851 goto end;
84d5549e 852
4bf08600 853 testresult = 1;
84d5549e
MC		 854 end:
855 X509_free(chaincert);
856 SSL_free(serverssl);
857 SSL_free(clientssl);
858 SSL_CTX_free(sctx);
859 SSL_CTX_free(cctx);
860
861 return testresult;
862}
863
da4db160
VF		 864#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
865 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
866#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 867/* sock must be connected */
868static int ktls_chk_platform(int sock)
869{
870 if (!ktls_enable(sock))
871 return 0;
872 return 1;
873}
874
da4db160 875static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 876{
877 static char count = 1;
878 unsigned char cbuf[16000] = {0};
879 unsigned char sbuf[16000];
880 size_t err = 0;
da4db160
VF		 881 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
882 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
883 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
884 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
885 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
886 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
887 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
888 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 889
890 cbuf[0] = count++;
da4db160
VF		 891 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
892 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
893 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
894 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 895
896 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
897 goto end;
898
899 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
900 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
901 goto end;
902 }
903 }
904
905 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
906 goto end;
907
908 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
909 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
910 goto end;
911 }
912 }
913
da4db160
VF		 914 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
915 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
916 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
917 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 918
919 /* verify the payload */
920 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
921 goto end;
922
923 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
924 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 925 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
926 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 927 goto end;
928 } else {
da4db160
VF		 929 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
930 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 931 goto end;
932 }
933
934 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 935 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
936 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 937 goto end;
938 } else {
da4db160
VF		 939 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
940 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 941 goto end;
942 }
943
2fab79af 944 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 945 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
946 crec_rseq_after, rec_seq_size))
2fab79af
BP		 947 goto end;
948 } else {
da4db160
VF		 949 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
950 crec_rseq_after, rec_seq_size))
2fab79af
BP		 951 goto end;
952 }
953
954 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 955 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
956 srec_rseq_after, rec_seq_size))
2fab79af
BP		 957 goto end;
958 } else {
da4db160
VF		 959 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
960 srec_rseq_after, rec_seq_size))
2fab79af
BP		 961 goto end;
962 }
fe5d9450
BP		 963
964 return 1;
965end:
966 return 0;
967}
968
2fab79af 969static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 970 int sis_ktls_tx, int sis_ktls_rx,
971 int tls_version, const char *cipher,
972 int rec_seq_size)
fe5d9450
BP		 973{
974 SSL_CTX *cctx = NULL, *sctx = NULL;
975 SSL *clientssl = NULL, *serverssl = NULL;
976 int testresult = 0;
977 int cfd, sfd;
978
979 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
980 goto end;
981
982 /* Skip this test if the platform does not support ktls */
983 if (!ktls_chk_platform(cfd))
984 return 1;
985
986 /* Create a session based on SHA-256 */
5e30f2fd 987 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 988 TLS_client_method(),
da4db160 989 tls_version, tls_version,
fe5d9450 990 &sctx, &cctx, cert, privkey))
da4db160 991 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
fe5d9450
BP		 992 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
993 &clientssl, sfd, cfd)))
994 goto end;
995
996 if (!cis_ktls_tx) {
997 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
998 goto end;
999 }
1000
1001 if (!sis_ktls_tx) {
1002 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1003 goto end;
1004 }
1005
2fab79af
BP		 1006 if (!cis_ktls_rx) {
1007 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1008 goto end;
1009 }
1010
1011 if (!sis_ktls_rx) {
1012 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1013 goto end;
1014 }
1015
fe5d9450
BP		 1016 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1017 SSL_ERROR_NONE)))
1018 goto end;
1019
1020 if (!cis_ktls_tx) {
1021 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1022 goto end;
1023 } else {
1024 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1025 goto end;
1026 }
1027
1028 if (!sis_ktls_tx) {
1029 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1030 goto end;
1031 } else {
1032 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1033 goto end;
1034 }
1035
2fab79af
BP		 1036 if (!cis_ktls_rx) {
1037 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1038 goto end;
1039 } else {
1040 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1041 goto end;
1042 }
1043
1044 if (!sis_ktls_rx) {
1045 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1046 goto end;
1047 } else {
1048 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1049 goto end;
1050 }
1051
da4db160
VF		 1052 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1053 rec_seq_size)))
fe5d9450
BP		 1054 goto end;
1055
1056 testresult = 1;
1057end:
1058 if (clientssl) {
1059 SSL_shutdown(clientssl);
1060 SSL_free(clientssl);
1061 }
1062 if (serverssl) {
1063 SSL_shutdown(serverssl);
1064 SSL_free(serverssl);
1065 }
1066 SSL_CTX_free(sctx);
1067 SSL_CTX_free(cctx);
1068 serverssl = clientssl = NULL;
1069 return testresult;
1070}
1071
7c3a7561
BP		 1072#define SENDFILE_SZ (16 * 4096)
1073#define SENDFILE_CHUNK (4 * 4096)
1074#define min(a,b) ((a) > (b) ? (b) : (a))
1075
da4db160 1076static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1077{
1078 SSL_CTX *cctx = NULL, *sctx = NULL;
1079 SSL *clientssl = NULL, *serverssl = NULL;
1080 unsigned char *buf, *buf_dst;
1081 BIO *out = NULL, *in = NULL;
1082 int cfd, sfd, ffd, err;
1083 ssize_t chunk_size = 0;
1084 off_t chunk_off = 0;
1085 int testresult = 0;
1086 FILE *ffdp;
1087
1088 buf = OPENSSL_zalloc(SENDFILE_SZ);
1089 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1090 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1091 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1092 goto end;
1093
1094 /* Skip this test if the platform does not support ktls */
1095 if (!ktls_chk_platform(sfd)) {
1096 testresult = 1;
1097 goto end;
1098 }
1099
1100 /* Create a session based on SHA-256 */
5e30f2fd 1101 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1102 TLS_client_method(),
da4db160 1103 tls_version, tls_version,
7c3a7561 1104 &sctx, &cctx, cert, privkey))
da4db160 1105 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
7c3a7561
BP		 1106 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1107 &clientssl, sfd, cfd)))
1108 goto end;
1109
1110 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1111 SSL_ERROR_NONE))
1112 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1113 goto end;
1114
1115 RAND_bytes(buf, SENDFILE_SZ);
1116 out = BIO_new_file(tmpfilename, "wb");
1117 if (!TEST_ptr(out))
1118 goto end;
1119
1120 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1121 goto end;
1122
1123 BIO_free(out);
1124 out = NULL;
1125 in = BIO_new_file(tmpfilename, "rb");
1126 BIO_get_fp(in, &ffdp);
1127 ffd = fileno(ffdp);
1128
1129 while (chunk_off < SENDFILE_SZ) {
1130 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1131 while ((err = SSL_sendfile(serverssl,
1132 ffd,
1133 chunk_off,
1134 chunk_size,
1135 0)) != chunk_size) {
1136 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1137 goto end;
1138 }
1139 while ((err = SSL_read(clientssl,
1140 buf_dst + chunk_off,
1141 chunk_size)) != chunk_size) {
1142 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1143 goto end;
1144 }
1145
1146 /* verify the payload */
1147 if (!TEST_mem_eq(buf_dst + chunk_off,
1148 chunk_size,
1149 buf + chunk_off,
1150 chunk_size))
1151 goto end;
1152
1153 chunk_off += chunk_size;
1154 }
1155
1156 testresult = 1;
1157end:
1158 if (clientssl) {
1159 SSL_shutdown(clientssl);
1160 SSL_free(clientssl);
1161 }
1162 if (serverssl) {
1163 SSL_shutdown(serverssl);
1164 SSL_free(serverssl);
1165 }
1166 SSL_CTX_free(sctx);
1167 SSL_CTX_free(cctx);
1168 serverssl = clientssl = NULL;
1169 BIO_free(out);
1170 BIO_free(in);
1171 OPENSSL_free(buf);
1172 OPENSSL_free(buf_dst);
1173 return testresult;
1174}
1175
da4db160 1176static int test_ktls_no_txrx_client_no_txrx_server(int tlsver)
2fab79af 1177{
da4db160
VF		 1178 int testresult = 1;
1179
1180#ifdef OPENSSL_KTLS_AES_GCM_128
1181 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1182 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1183#endif
1184#ifdef OPENSSL_KTLS_AES_CCM_128
1185 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1186 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1187#endif
1188#ifdef OPENSSL_KTLS_AES_GCM_256
1189 testresult &= execute_test_ktls(0, 0, 0, 0, tlsver,
1190 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1191#endif
1192 return testresult;
2fab79af
BP		 1193}
1194
da4db160 1195static int test_ktls_no_rx_client_no_txrx_server(int tlsver)
2fab79af 1196{
da4db160
VF		 1197 int testresult = 1;
1198
1199#ifdef OPENSSL_KTLS_AES_GCM_128
1200 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1201 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1202#endif
1203#ifdef OPENSSL_KTLS_AES_CCM_128
1204 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1205 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1206#endif
1207#ifdef OPENSSL_KTLS_AES_GCM_256
1208 testresult &= execute_test_ktls(1, 0, 0, 0, tlsver,
1209 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1210#endif
1211 return testresult;
2fab79af
BP		 1212}
1213
da4db160 1214static int test_ktls_no_tx_client_no_txrx_server(int tlsver)
2fab79af 1215{
da4db160
VF		 1216 int testresult = 1;
1217
1218#ifdef OPENSSL_KTLS_AES_GCM_128
1219 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1220 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1221#endif
1222#ifdef OPENSSL_KTLS_AES_CCM_128
1223 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1224 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1225#endif
1226#ifdef OPENSSL_KTLS_AES_GCM_256
1227 testresult &= execute_test_ktls(0, 1, 0, 0, tlsver,
1228 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1229#endif
1230 return testresult;
2fab79af
BP		 1231}
1232
da4db160 1233static int test_ktls_client_no_txrx_server(int tlsver)
2fab79af 1234{
da4db160
VF		 1235 int testresult = 1;
1236
1237#ifdef OPENSSL_KTLS_AES_GCM_128
1238 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1239 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1240#endif
1241#ifdef OPENSSL_KTLS_AES_CCM_128
1242 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1243 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1244#endif
1245#ifdef OPENSSL_KTLS_AES_GCM_256
1246 testresult &= execute_test_ktls(1, 1, 0, 0, tlsver,
1247 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1248#endif
1249 return testresult;
2fab79af
BP		 1250}
1251
da4db160 1252static int test_ktls_no_txrx_client_no_rx_server(int tlsver)
2fab79af 1253{
da4db160
VF		 1254 int testresult = 1;
1255
1256#ifdef OPENSSL_KTLS_AES_GCM_128
1257 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1258 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1259#endif
1260#ifdef OPENSSL_KTLS_AES_CCM_128
1261 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1262 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1263#endif
1264#ifdef OPENSSL_KTLS_AES_GCM_256
1265 testresult &= execute_test_ktls(0, 0, 1, 0, tlsver,
1266 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1267#endif
1268 return testresult;
2fab79af
BP		 1269}
1270
da4db160 1271static int test_ktls_no_rx_client_no_rx_server(int tlsver)
2fab79af 1272{
da4db160
VF		 1273 int testresult = 1;
1274
1275#ifdef OPENSSL_KTLS_AES_GCM_128
1276 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1277 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1278#endif
1279#ifdef OPENSSL_KTLS_AES_CCM_128
1280 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1281 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1282#endif
1283#ifdef OPENSSL_KTLS_AES_GCM_256
1284 testresult &= execute_test_ktls(1, 0, 1, 0, tlsver,
1285 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1286#endif
1287 return testresult;
2fab79af
BP		 1288}
1289
da4db160 1290static int test_ktls_no_tx_client_no_rx_server(int tlsver)
2fab79af 1291{
da4db160
VF		 1292 int testresult = 1;
1293
1294#ifdef OPENSSL_KTLS_AES_GCM_128
1295 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1296 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1297#endif
1298#ifdef OPENSSL_KTLS_AES_CCM_128
1299 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1300 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1301#endif
1302#ifdef OPENSSL_KTLS_AES_GCM_256
1303 testresult &= execute_test_ktls(0, 1, 1, 0, tlsver,
1304 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1305#endif
1306 return testresult;
2fab79af
BP		 1307}
1308
da4db160 1309static int test_ktls_client_no_rx_server(int tlsver)
fe5d9450 1310{
da4db160
VF		 1311 int testresult = 1;
1312
1313#ifdef OPENSSL_KTLS_AES_GCM_128
1314 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1315 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1316#endif
1317#ifdef OPENSSL_KTLS_AES_CCM_128
1318 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1319 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1320#endif
1321#ifdef OPENSSL_KTLS_AES_GCM_256
1322 testresult &= execute_test_ktls(1, 1, 1, 0, tlsver,
1323 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1324#endif
1325 return testresult;
fe5d9450
BP		 1326}
1327
da4db160 1328static int test_ktls_no_txrx_client_no_tx_server(int tlsver)
fe5d9450 1329{
da4db160
VF		 1330 int testresult = 1;
1331
1332#ifdef OPENSSL_KTLS_AES_GCM_128
1333 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1334 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1335#endif
1336#ifdef OPENSSL_KTLS_AES_CCM_128
1337 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1338 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1339#endif
1340#ifdef OPENSSL_KTLS_AES_GCM_256
1341 testresult &= execute_test_ktls(0, 0, 0, 1, tlsver,
1342 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1343#endif
1344 return testresult;
fe5d9450
BP		 1345}
1346
da4db160 1347static int test_ktls_no_rx_client_no_tx_server(int tlsver)
fe5d9450 1348{
da4db160
VF		 1349 int testresult = 1;
1350
1351#ifdef OPENSSL_KTLS_AES_GCM_128
1352 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1353 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1354#endif
1355#ifdef OPENSSL_KTLS_AES_CCM_128
1356 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1357 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1358#endif
1359#ifdef OPENSSL_KTLS_AES_GCM_256
1360 testresult &= execute_test_ktls(1, 0, 0, 1, tlsver,
1361 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1362#endif
1363 return testresult;
fe5d9450
BP		 1364}
1365
da4db160 1366static int test_ktls_no_tx_client_no_tx_server(int tlsver)
2fab79af 1367{
da4db160
VF		 1368 int testresult = 1;
1369
1370#ifdef OPENSSL_KTLS_AES_GCM_128
1371 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1372 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1373#endif
1374#ifdef OPENSSL_KTLS_AES_CCM_128
1375 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1376 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1377#endif
1378#ifdef OPENSSL_KTLS_AES_GCM_256
1379 testresult &= execute_test_ktls(0, 1, 0, 1, tlsver,
1380 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1381#endif
1382 return testresult;
2fab79af
BP		 1383}
1384
da4db160 1385static int test_ktls_client_no_tx_server(int tlsver)
2fab79af 1386{
da4db160
VF		 1387 int testresult = 1;
1388
1389#ifdef OPENSSL_KTLS_AES_GCM_128
1390 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1391 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1392#endif
1393#ifdef OPENSSL_KTLS_AES_CCM_128
1394 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1395 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1396#endif
1397#ifdef OPENSSL_KTLS_AES_GCM_256
1398 testresult &= execute_test_ktls(1, 1, 0, 1, tlsver,
1399 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1400#endif
1401 return testresult;
2fab79af
BP		 1402}
1403
da4db160 1404static int test_ktls_no_txrx_client_server(int tlsver)
2fab79af 1405{
da4db160
VF		 1406 int testresult = 1;
1407
1408#ifdef OPENSSL_KTLS_AES_GCM_128
1409 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1410 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1411#endif
1412#ifdef OPENSSL_KTLS_AES_CCM_128
1413 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1414 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1415#endif
1416#ifdef OPENSSL_KTLS_AES_GCM_256
1417 testresult &= execute_test_ktls(0, 0, 1, 1, tlsver,
1418 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1419#endif
1420 return testresult;
2fab79af
BP		 1421}
1422
da4db160 1423static int test_ktls_no_rx_client_server(int tlsver)
2fab79af 1424{
da4db160
VF		 1425 int testresult = 1;
1426
1427#ifdef OPENSSL_KTLS_AES_GCM_128
1428 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1429 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1430#endif
1431#ifdef OPENSSL_KTLS_AES_CCM_128
1432 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1433 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1434#endif
1435#ifdef OPENSSL_KTLS_AES_GCM_256
1436 testresult &= execute_test_ktls(1, 0, 1, 1, tlsver,
1437 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1438#endif
1439 return testresult;
2fab79af
BP		 1440}
1441
da4db160 1442static int test_ktls_no_tx_client_server(int tlsver)
2fab79af 1443{
da4db160
VF		 1444 int testresult = 1;
1445
1446#ifdef OPENSSL_KTLS_AES_GCM_128
1447 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1448 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1449#endif
1450#ifdef OPENSSL_KTLS_AES_CCM_128
1451 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1452 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1453#endif
1454#ifdef OPENSSL_KTLS_AES_GCM_256
1455 testresult &= execute_test_ktls(0, 1, 1, 1, tlsver,
1456 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1457#endif
1458 return testresult;
1459}
1460
1461static int test_ktls_client_server(int tlsver)
1462{
1463 int testresult = 1;
1464
1465#ifdef OPENSSL_KTLS_AES_GCM_128
1466 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1467 "AES128-GCM-SHA256", TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1468#endif
1469#ifdef OPENSSL_KTLS_AES_CCM_128
1470 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1471 "AES128-CCM-SHA256", TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1472#endif
1473#ifdef OPENSSL_KTLS_AES_GCM_256
1474 testresult &= execute_test_ktls(1, 1, 1, 1, tlsver,
1475 "AES256-GCM-SHA384", TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1476#endif
1477 return testresult;
1478}
1479
1480#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1481static int test_ktls(int test)
1482{
1483 int tlsver;
1484
1485 if (test > 15) {
1486#if defined(OPENSSL_NO_TLS1_3)
1487 return 1;
1488#else
1489 test -= 16;
1490 tlsver = TLS1_3_VERSION;
1491#endif
1492 } else {
1493#if defined(OPENSSL_NO_TLS1_2)
1494 return 1;
1495#else
1496 tlsver = TLS1_2_VERSION;
1497#endif
1498 }
1499
1500 switch(test) {
1501 case 0:
1502 return test_ktls_no_txrx_client_no_txrx_server(tlsver);
1503 case 1:
1504 return test_ktls_no_rx_client_no_txrx_server(tlsver);
1505 case 2:
1506 return test_ktls_no_tx_client_no_txrx_server(tlsver);
1507 case 3:
1508 return test_ktls_client_no_txrx_server(tlsver);
1509 case 4:
1510 return test_ktls_no_txrx_client_no_rx_server(tlsver);
1511 case 5:
1512 return test_ktls_no_rx_client_no_rx_server(tlsver);
1513 case 6:
1514 return test_ktls_no_tx_client_no_rx_server(tlsver);
1515 case 7:
1516 return test_ktls_client_no_rx_server(tlsver);
1517 case 8:
1518 return test_ktls_no_txrx_client_no_tx_server(tlsver);
1519 case 9:
1520 return test_ktls_no_rx_client_no_tx_server(tlsver);
1521 case 10:
1522 return test_ktls_no_tx_client_no_tx_server(tlsver);
1523 case 11:
1524 return test_ktls_client_no_tx_server(tlsver);
1525 case 12:
1526 return test_ktls_no_txrx_client_server(tlsver);
1527 case 13:
1528 return test_ktls_no_rx_client_server(tlsver);
1529 case 14:
1530 return test_ktls_no_tx_client_server(tlsver);
1531 case 15:
1532 return test_ktls_client_server(tlsver);
1533 default:
1534 return 0;
1535 }
2fab79af
BP		 1536}
1537
da4db160 1538static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1539{
da4db160
VF		 1540 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM-SHA256","AES256-GCM-SHA384"};
1541 int tlsver;
1542
1543 if (tst > 2) {
1544#if defined(OPENSSL_NO_TLS1_3)
1545 return 1;
1546#else
1547 tst -= 3;
1548 tlsver = TLS1_3_VERSION;
1549#endif
1550 } else {
1551#if defined(OPENSSL_NO_TLS1_2)
1552 return 1;
1553#else
1554 tlsver = TLS1_2_VERSION;
1555#endif
1556 }
1557
1558#ifndef OPENSSL_KTLS_AES_GCM_128
1559 if(tst == 0) return 1;
1560#endif
1561#ifndef OPENSSL_KTLS_AES_CCM_128
1562 if(tst == 1) return 1;
1563#endif
1564#ifndef OPENSSL_KTLS_AES_GCM_256
1565 if(tst == 2) return 1;
1566#endif
1567 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1568}
da4db160
VF		 1569
1570#endif
fe5d9450
BP		 1571#endif
1572
84d5549e
MC		 1573static int test_large_message_tls(void)
1574{
7856332e 1575 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1576 TLS1_VERSION, 0, 0);
7856332e
MC		 1577}
1578
1579static int test_large_message_tls_read_ahead(void)
1580{
1581 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1582 TLS1_VERSION, 0, 1);
84d5549e
MC		 1583}
1584
55386bef 1585#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1586static int test_large_message_dtls(void)
1587{
7856332e
MC		 1588 /*
1589 * read_ahead is not relevant to DTLS because DTLS always acts as if
1590 * read_ahead is set.
1591 */
84d5549e 1592 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1593 DTLS_client_method(),
5c587fb6 1594 DTLS1_VERSION, 0, 0);
84d5549e 1595}
55386bef 1596#endif
84d5549e 1597
8f8c11d8 1598#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1599static int ocsp_server_cb(SSL *s, void *arg)
1600{
1601 int *argi = (int *)arg;
710756a9 1602 unsigned char *copy = NULL;
ba881d3b
MC		 1603 STACK_OF(OCSP_RESPID) *ids = NULL;
1604 OCSP_RESPID *id = NULL;
1605
1606 if (*argi == 2) {
1607 /* In this test we are expecting exactly 1 OCSP_RESPID */
1608 SSL_get_tlsext_status_ids(s, &ids);
1609 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1610 return SSL_TLSEXT_ERR_ALERT_FATAL;
1611
1612 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1613 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1614 return SSL_TLSEXT_ERR_ALERT_FATAL;
1615 } else if (*argi != 1) {
1616 return SSL_TLSEXT_ERR_ALERT_FATAL;
1617 }
1618
710756a9 1619 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1620 return SSL_TLSEXT_ERR_ALERT_FATAL;
1621
710756a9 1622 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1623 ocsp_server_called = 1;
ba881d3b
MC		 1624 return SSL_TLSEXT_ERR_OK;
1625}
1626
1627static int ocsp_client_cb(SSL *s, void *arg)
1628{
1629 int *argi = (int *)arg;
1630 const unsigned char *respderin;
1631 size_t len;
1632
1633 if (*argi != 1 && *argi != 2)
1634 return 0;
1635
1636 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1637 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1638 return 0;
1639
1640 ocsp_client_called = 1;
ba881d3b
MC		 1641 return 1;
1642}
1643
2cb4b5f6
MC		 1644static int test_tlsext_status_type(void)
1645{
ba881d3b
MC		 1646 SSL_CTX *cctx = NULL, *sctx = NULL;
1647 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1648 int testresult = 0;
ba881d3b
MC		 1649 STACK_OF(OCSP_RESPID) *ids = NULL;
1650 OCSP_RESPID *id = NULL;
1651 BIO *certbio = NULL;
2cb4b5f6 1652
5e30f2fd 1653 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1654 TLS1_VERSION, 0,
7d7f6834 1655 &sctx, &cctx, cert, privkey))
ba881d3b 1656 return 0;
2cb4b5f6 1657
710756a9 1658 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1659 goto end;
2cb4b5f6 1660
ba881d3b 1661 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1662
ba881d3b 1663 clientssl = SSL_new(cctx);
710756a9
RS		 1664 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1665 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1666 TLSEXT_STATUSTYPE_ocsp))
1667 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1668 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1669 goto end;
2cb4b5f6 1670
ba881d3b
MC		 1671 SSL_free(clientssl);
1672 clientssl = NULL;
2cb4b5f6 1673
710756a9
RS		 1674 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1675 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1676 goto end;
2cb4b5f6 1677
ba881d3b 1678 clientssl = SSL_new(cctx);
710756a9 1679 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1680 goto end;
ba881d3b
MC		 1681 SSL_free(clientssl);
1682 clientssl = NULL;
1683
1684 /*
1685 * Now actually do a handshake and check OCSP information is exchanged and
1686 * the callbacks get called
1687 */
ba881d3b
MC		 1688 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1689 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1690 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1691 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1693 &clientssl, NULL, NULL))
1694 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1695 SSL_ERROR_NONE))
1696 || !TEST_true(ocsp_client_called)
1697 || !TEST_true(ocsp_server_called))
ba881d3b 1698 goto end;
ba881d3b
MC		 1699 SSL_free(serverssl);
1700 SSL_free(clientssl);
1701 serverssl = NULL;
1702 clientssl = NULL;
1703
1704 /* Try again but this time force the server side callback to fail */
1705 ocsp_client_called = 0;
1706 ocsp_server_called = 0;
1707 cdummyarg = 0;
710756a9
RS		 1708 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1709 &clientssl, NULL, NULL))
1710 /* This should fail because the callback will fail */
1711 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1712 SSL_ERROR_NONE))
1713 || !TEST_false(ocsp_client_called)
1714 || !TEST_false(ocsp_server_called))
ba881d3b 1715 goto end;
ba881d3b
MC		 1716 SSL_free(serverssl);
1717 SSL_free(clientssl);
1718 serverssl = NULL;
1719 clientssl = NULL;
1720
1721 /*
1722 * This time we'll get the client to send an OCSP_RESPID that it will
1723 * accept.
1724 */
1725 ocsp_client_called = 0;
1726 ocsp_server_called = 0;
1727 cdummyarg = 2;
710756a9
RS		 1728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1729 &clientssl, NULL, NULL)))
ba881d3b 1730 goto end;
ba881d3b
MC		 1731
1732 /*
1733 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1734 * specific one. We'll use the server cert.
ba881d3b 1735 */
710756a9
RS		 1736 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1737 || !TEST_ptr(id = OCSP_RESPID_new())
1738 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1739 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1740 NULL, NULL, NULL))
5e30f2fd 1741 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1742 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1743 goto end;
ba881d3b
MC		 1744 id = NULL;
1745 SSL_set_tlsext_status_ids(clientssl, ids);
1746 /* Control has been transferred */
1747 ids = NULL;
1748
1749 BIO_free(certbio);
1750 certbio = NULL;
1751
710756a9
RS		 1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1753 SSL_ERROR_NONE))
1754 || !TEST_true(ocsp_client_called)
1755 || !TEST_true(ocsp_server_called))
ba881d3b 1756 goto end;
ba881d3b 1757
2cb4b5f6
MC		 1758 testresult = 1;
1759
1760 end:
ba881d3b
MC		 1761 SSL_free(serverssl);
1762 SSL_free(clientssl);
1763 SSL_CTX_free(sctx);
1764 SSL_CTX_free(cctx);
1765 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1766 OCSP_RESPID_free(id);
1767 BIO_free(certbio);
1768 X509_free(ocspcert);
1769 ocspcert = NULL;
2cb4b5f6
MC		 1770
1771 return testresult;
1772}
8f8c11d8 1773#endif
2cb4b5f6 1774
bf208d95 1775#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1776static int new_called, remove_called, get_called;
eaa776da 1777
eaa776da
MC		 1778static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1779{
1780 new_called++;
c0537ebd
MC		 1781 /*
1782 * sess has been up-refed for us, but we don't actually need it so free it
1783 * immediately.
1784 */
1785 SSL_SESSION_free(sess);
eaa776da
MC		 1786 return 1;
1787}
1788
1789static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1790{
1791 remove_called++;
1792}
1793
7a301f08
MC		 1794static SSL_SESSION *get_sess_val = NULL;
1795
1796static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1797 int *copy)
1798{
0afca811 1799 get_called++;
7a301f08
MC		 1800 *copy = 1;
1801 return get_sess_val;
1802}
1803
7a301f08 1804static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1805 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1806{
1807 SSL_CTX *sctx = NULL, *cctx = NULL;
1808 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1809 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1810# ifndef OPENSSL_NO_TLS1_1
eaa776da 1811 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1812# endif
2cb4b5f6 1813 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1814 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1815
7e885b7b
P		 1816 new_called = remove_called = 0;
1817
36ff232c
MC		 1818 /* TLSv1.3 sends 2 NewSessionTickets */
1819 if (maxprot == TLS1_3_VERSION)
1820 numnewsesstick = 2;
1821
5e30f2fd
MC		 1822 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1823 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1824 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1825 return 0;
2cb4b5f6 1826
7a301f08
MC		 1827 /*
1828 * Only allow the max protocol version so we can force a connection failure
1829 * later
1830 */
1831 SSL_CTX_set_min_proto_version(cctx, maxprot);
1832 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1833
1834 /* Set up session cache */
7e885b7b 1835 if (use_ext_cache) {
eaa776da
MC		 1836 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1837 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1838 }
7e885b7b 1839 if (use_int_cache) {
eaa776da
MC		 1840 /* Also covers instance where both are set */
1841 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1842 } else {
1843 SSL_CTX_set_session_cache_mode(cctx,
1844 SSL_SESS_CACHE_CLIENT
1845 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1846 }
2cb4b5f6 1847
90fc2c26
NM		 1848 if (s_options) {
1849 SSL_CTX_set_options(sctx, s_options);
1850 }
1851
710756a9
RS		 1852 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1853 NULL, NULL))
1854 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1855 SSL_ERROR_NONE))
1856 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1857 goto end;
2cb4b5f6 1858
710756a9 1859 /* Should fail because it should already be in the cache */
7e885b7b 1860 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1861 goto end;
7a301f08 1862 if (use_ext_cache
36ff232c
MC		 1863 && (!TEST_int_eq(new_called, numnewsesstick)
1864
1865 || !TEST_int_eq(remove_called, 0)))
b4982125 1866 goto end;
b4982125 1867
c0537ebd
MC		 1868 new_called = remove_called = 0;
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1870 &clientssl2, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl2, sess1))
1872 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1873 SSL_ERROR_NONE))
1874 || !TEST_true(SSL_session_reused(clientssl2)))
1875 goto end;
1876
7a301f08
MC		 1877 if (maxprot == TLS1_3_VERSION) {
1878 /*
1879 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1880 * resumed. Since we attempted a resume we should also have removed the
1881 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1882 */
1883 if (use_ext_cache
1884 && (!TEST_int_eq(new_called, 1)
4cb00457 1885 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1886 goto end;
1887 } else {
1888 /*
1889 * In TLSv1.2 we expect to have resumed so no sessions added or
1890 * removed.
1891 */
1892 if (use_ext_cache
1893 && (!TEST_int_eq(new_called, 0)
1894 || !TEST_int_eq(remove_called, 0)))
1895 goto end;
1896 }
c0537ebd
MC		 1897
1898 SSL_SESSION_free(sess1);
1899 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1900 goto end;
1901 shutdown_ssl_connection(serverssl2, clientssl2);
1902 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1903
1904 new_called = remove_called = 0;
710756a9
RS		 1905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1906 &clientssl2, NULL, NULL))
1907 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1908 SSL_ERROR_NONE)))
2cb4b5f6 1909 goto end;
2cb4b5f6 1910
710756a9 1911 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1912 goto end;
2cb4b5f6 1913
7a301f08 1914 if (use_ext_cache
36ff232c
MC		 1915 && (!TEST_int_eq(new_called, numnewsesstick)
1916 || !TEST_int_eq(remove_called, 0)))
eaa776da 1917 goto end;
eaa776da 1918
c0537ebd 1919 new_called = remove_called = 0;
2cb4b5f6 1920 /*
710756a9
RS		 1921 * This should clear sess2 from the cache because it is a "bad" session.
1922 * See SSL_set_session() documentation.
2cb4b5f6 1923 */
710756a9 1924 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1925 goto end;
7a301f08
MC		 1926 if (use_ext_cache
1927 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1928 goto end;
710756a9 1929 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1930 goto end;
2cb4b5f6 1931
7e885b7b 1932 if (use_int_cache) {
710756a9
RS		 1933 /* Should succeeded because it should not already be in the cache */
1934 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1935 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1936 goto end;
eaa776da
MC		 1937 }
1938
c0537ebd 1939 new_called = remove_called = 0;
eaa776da 1940 /* This shouldn't be in the cache so should fail */
710756a9 1941 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1942 goto end;
2cb4b5f6 1943
7a301f08
MC		 1944 if (use_ext_cache
1945 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1946 goto end;
2cb4b5f6 1947
bf208d95 1948# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1949 new_called = remove_called = 0;
eaa776da
MC		 1950 /* Force a connection failure */
1951 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1952 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1953 &clientssl3, NULL, NULL))
1954 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1955 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1956 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1957 SSL_ERROR_NONE)))
eaa776da 1958 goto end;
b4982125 1959
eaa776da 1960 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1961 if (use_ext_cache
1962 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1963 goto end;
2cb4b5f6 1964
710756a9 1965 /* Should succeed because it should not already be in the cache */
7e885b7b 1966 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1967 goto end;
bf208d95 1968# endif
eaa776da 1969
7a301f08
MC		 1970 /* Now do some tests for server side caching */
1971 if (use_ext_cache) {
1972 SSL_CTX_sess_set_new_cb(cctx, NULL);
1973 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1974 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1975 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1976 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1977 get_sess_val = NULL;
1978 }
1979
1980 SSL_CTX_set_session_cache_mode(cctx, 0);
1981 /* Internal caching is the default on the server side */
1982 if (!use_int_cache)
1983 SSL_CTX_set_session_cache_mode(sctx,
1984 SSL_SESS_CACHE_SERVER
1985 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1986
1987 SSL_free(serverssl1);
1988 SSL_free(clientssl1);
1989 serverssl1 = clientssl1 = NULL;
1990 SSL_free(serverssl2);
1991 SSL_free(clientssl2);
1992 serverssl2 = clientssl2 = NULL;
1993 SSL_SESSION_free(sess1);
1994 sess1 = NULL;
1995 SSL_SESSION_free(sess2);
1996 sess2 = NULL;
1997
1998 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1999 if (maxprot == TLS1_2_VERSION)
2000 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2001 new_called = remove_called = get_called = 0;
7a301f08
MC		 2002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2003 NULL, NULL))
2004 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2005 SSL_ERROR_NONE))
2006 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2007 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2008 goto end;
2009
ee94ec2e
MC		 2010 if (use_int_cache) {
2011 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2012 /*
2013 * In TLSv1.3 it should not have been added to the internal cache,
2014 * except in the case where we also have an external cache (in that
2015 * case it gets added to the cache in order to generate remove
2016 * events after timeout).
2017 */
2018 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2019 goto end;
2020 } else {
2021 /* Should fail because it should already be in the cache */
2022 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2023 goto end;
2024 }
2025 }
7a301f08
MC		 2026
2027 if (use_ext_cache) {
2028 SSL_SESSION *tmp = sess2;
2029
36ff232c 2030 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2031 || !TEST_int_eq(remove_called, 0)
2032 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2033 goto end;
2034 /*
2035 * Delete the session from the internal cache to force a lookup from
2036 * the external cache. We take a copy first because
2037 * SSL_CTX_remove_session() also marks the session as non-resumable.
2038 */
ee94ec2e 2039 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2040 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2041 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2042 goto end;
2043 SSL_SESSION_free(sess2);
2044 }
7a301f08
MC		 2045 sess2 = tmp;
2046 }
2047
0afca811 2048 new_called = remove_called = get_called = 0;
7a301f08
MC		 2049 get_sess_val = sess2;
2050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2051 &clientssl2, NULL, NULL))
2052 || !TEST_true(SSL_set_session(clientssl2, sess1))
2053 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2054 SSL_ERROR_NONE))
2055 || !TEST_true(SSL_session_reused(clientssl2)))
2056 goto end;
2057
0afca811 2058 if (use_ext_cache) {
32305f88 2059 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2060 goto end;
2061
2062 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2063 if (!TEST_int_eq(new_called, 1)
2064 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2065 goto end;
2066 } else {
32305f88
MC		 2067 if (!TEST_int_eq(new_called, 0)
2068 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2069 goto end;
2070 }
2071 }
7a301f08 2072
2cb4b5f6 2073 testresult = 1;
eaa776da 2074
2cb4b5f6
MC		 2075 end:
2076 SSL_free(serverssl1);
2077 SSL_free(clientssl1);
2078 SSL_free(serverssl2);
2079 SSL_free(clientssl2);
bf208d95 2080# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2081 SSL_free(serverssl3);
2082 SSL_free(clientssl3);
bf208d95 2083# endif
2cb4b5f6
MC		 2084 SSL_SESSION_free(sess1);
2085 SSL_SESSION_free(sess2);
2086 SSL_CTX_free(sctx);
2087 SSL_CTX_free(cctx);
2088
2089 return testresult;
2090}
bf208d95 2091#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2092
7fb4c820
MC		 2093static int test_session_with_only_int_cache(void)
2094{
7a301f08 2095#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2096 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2097 return 0;
2098#endif
2099
2100#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2101 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2102#else
2103 return 1;
2104#endif
eaa776da
MC		 2105}
2106
7fb4c820
MC		 2107static int test_session_with_only_ext_cache(void)
2108{
7a301f08 2109#ifndef OPENSSL_NO_TLS1_3
90fc2c26 2110 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2111 return 0;
2112#endif
2113
2114#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2115 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2116#else
2117 return 1;
2118#endif
eaa776da
MC		 2119}
2120
7fb4c820
MC		 2121static int test_session_with_both_cache(void)
2122{
7a301f08 2123#ifndef OPENSSL_NO_TLS1_3
90fc2c26
NM		 2124 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2125 return 0;
2126#endif
2127
2128#ifndef OPENSSL_NO_TLS1_2
2129 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2130#else
2131 return 1;
2132#endif
2133}
2134
2135static int test_session_wo_ca_names(void)
2136{
2137#ifndef OPENSSL_NO_TLS1_3
2138 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2139 return 0;
2140#endif
2141
2142#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2143 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2144#else
2145 return 1;
2146#endif
eaa776da
MC		 2147}
2148
90fc2c26 2149
04225915 2150#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 2151static SSL_SESSION *sesscache[6];
2152static int do_cache;
36ff232c
MC		 2153
2154static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2155{
c22365b3
MC		 2156 if (do_cache) {
2157 sesscache[new_called] = sess;
2158 } else {
2159 /* We don't need the reference to the session, so free it */
2160 SSL_SESSION_free(sess);
2161 }
2162 new_called++;
2163
2164 return 1;
2165}
2166
2167static int post_handshake_verify(SSL *sssl, SSL *cssl)
2168{
2169 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2170 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2171 return 0;
2172
2173 /* Start handshake on the server and client */
2174 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2175 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2176 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2177 || !TEST_true(create_ssl_connection(sssl, cssl,
2178 SSL_ERROR_NONE)))
2179 return 0;
36ff232c
MC		 2180
2181 return 1;
2182}
2183
fbe9dafd 2184static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2185 SSL_CTX **cctx)
2186{
2187 int sess_id_ctx = 1;
2188
5e30f2fd
MC		 2189 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2190 TLS_client_method(), TLS1_VERSION, 0,
2191 sctx, cctx, cert, privkey))
03cdf559
MC		 2192 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2193 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2194 (void *)&sess_id_ctx,
2195 sizeof(sess_id_ctx))))
2196 return 0;
2197
2198 if (stateful)
2199 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2200
2201 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2202 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2203 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2204
2205 return 1;
2206}
2207
2208static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2209{
2210 SSL *serverssl = NULL, *clientssl = NULL;
2211 int i;
2212
2213 /* Test that we can resume with all the tickets we got given */
2214 for (i = 0; i < idx * 2; i++) {
2215 new_called = 0;
2216 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2217 &clientssl, NULL, NULL))
2218 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2219 goto end;
2220
32097b33 2221 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2222
2223 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2224 SSL_ERROR_NONE)))
2225 goto end;
2226
2227 /*
2228 * Following a successful resumption we only get 1 ticket. After a
2229 * failed one we should get idx tickets.
2230 */
2231 if (succ) {
2232 if (!TEST_true(SSL_session_reused(clientssl))
2233 || !TEST_int_eq(new_called, 1))
2234 goto end;
2235 } else {
2236 if (!TEST_false(SSL_session_reused(clientssl))
2237 || !TEST_int_eq(new_called, idx))
2238 goto end;
2239 }
2240
2241 new_called = 0;
2242 /* After a post-handshake authentication we should get 1 new ticket */
2243 if (succ
2244 && (!post_handshake_verify(serverssl, clientssl)
2245 || !TEST_int_eq(new_called, 1)))
2246 goto end;
2247
2248 SSL_shutdown(clientssl);
2249 SSL_shutdown(serverssl);
2250 SSL_free(serverssl);
2251 SSL_free(clientssl);
2252 serverssl = clientssl = NULL;
2253 SSL_SESSION_free(sesscache[i]);
2254 sesscache[i] = NULL;
2255 }
2256
2257 return 1;
2258
2259 end:
2260 SSL_free(clientssl);
2261 SSL_free(serverssl);
2262 return 0;
2263}
2264
04d7814a 2265static int test_tickets(int stateful, int idx)
36ff232c
MC		 2266{
2267 SSL_CTX *sctx = NULL, *cctx = NULL;
2268 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2269 int testresult = 0;
36ff232c
MC		 2270 size_t j;
2271
2272 /* idx is the test number, but also the number of tickets we want */
2273
2274 new_called = 0;
c22365b3 2275 do_cache = 1;
36ff232c 2276
fbe9dafd 2277 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2278 goto end;
2279
03cdf559
MC		 2280 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2281 &clientssl, NULL, NULL)))
2282 goto end;
2283
2284 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2285 SSL_ERROR_NONE))
2286 /* Check we got the number of tickets we were expecting */
2287 || !TEST_int_eq(idx, new_called))
2288 goto end;
04d7814a 2289
03cdf559
MC		 2290 SSL_shutdown(clientssl);
2291 SSL_shutdown(serverssl);
2292 SSL_free(serverssl);
2293 SSL_free(clientssl);
2294 SSL_CTX_free(sctx);
2295 SSL_CTX_free(cctx);
2296 clientssl = serverssl = NULL;
2297 sctx = cctx = NULL;
2298
2299 /*
2300 * Now we try to resume with the tickets we previously created. The
2301 * resumption attempt is expected to fail (because we're now using a new
2302 * SSL_CTX). We should see idx number of tickets issued again.
2303 */
2304
2305 /* Stop caching sessions - just count them */
2306 do_cache = 0;
2307
fbe9dafd 2308 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2309 goto end;
2310
2311 if (!check_resumption(idx, sctx, cctx, 0))
2312 goto end;
2313
2314 /* Start again with caching sessions */
2315 new_called = 0;
2316 do_cache = 1;
fbe9dafd
MC		 2317 SSL_CTX_free(sctx);
2318 SSL_CTX_free(cctx);
2319 sctx = cctx = NULL;
03cdf559 2320
fbe9dafd 2321 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2322 goto end;
36ff232c
MC		 2323
2324 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2325 &clientssl, NULL, NULL)))
2326 goto end;
2327
32097b33 2328 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2329
2330 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2331 SSL_ERROR_NONE))
2332 /* Check we got the number of tickets we were expecting */
2333 || !TEST_int_eq(idx, new_called))
2334 goto end;
2335
2336 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2337 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2338 || !TEST_int_eq(idx * 2, new_called))
2339 goto end;
2340
36ff232c
MC		 2341 SSL_shutdown(clientssl);
2342 SSL_shutdown(serverssl);
2343 SSL_free(serverssl);
2344 SSL_free(clientssl);
2345 serverssl = clientssl = NULL;
2346
c22365b3
MC		 2347 /* Stop caching sessions - just count them */
2348 do_cache = 0;
2349
03cdf559
MC		 2350 /*
2351 * Check we can resume with all the tickets we created. This time around the
2352 * resumptions should all be successful.
2353 */
2354 if (!check_resumption(idx, sctx, cctx, 1))
2355 goto end;
36ff232c
MC		 2356
2357 testresult = 1;
2358
2359 end:
2360 SSL_free(serverssl);
2361 SSL_free(clientssl);
c22365b3 2362 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2363 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2364 sesscache[j] = NULL;
2365 }
36ff232c
MC		 2366 SSL_CTX_free(sctx);
2367 SSL_CTX_free(cctx);
2368
2369 return testresult;
2370}
04d7814a
MC		 2371
2372static int test_stateless_tickets(int idx)
2373{
2374 return test_tickets(0, idx);
2375}
2376
2377static int test_stateful_tickets(int idx)
2378{
2379 return test_tickets(1, idx);
2380}
8614a4eb
MC		 2381
2382static int test_psk_tickets(void)
2383{
2384 SSL_CTX *sctx = NULL, *cctx = NULL;
2385 SSL *serverssl = NULL, *clientssl = NULL;
2386 int testresult = 0;
2387 int sess_id_ctx = 1;
2388
5e30f2fd
MC		 2389 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2390 TLS_client_method(), TLS1_VERSION, 0,
2391 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2392 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2393 (void *)&sess_id_ctx,
2394 sizeof(sess_id_ctx))))
2395 goto end;
2396
2397 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2398 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2399 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2400 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2401 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2402 use_session_cb_cnt = 0;
2403 find_session_cb_cnt = 0;
2404 srvid = pskid;
2405 new_called = 0;
2406
2407 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2408 NULL, NULL)))
2409 goto end;
2410 clientpsk = serverpsk = create_a_psk(clientssl);
2411 if (!TEST_ptr(clientpsk))
2412 goto end;
2413 SSL_SESSION_up_ref(clientpsk);
2414
2415 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2416 SSL_ERROR_NONE))
2417 || !TEST_int_eq(1, find_session_cb_cnt)
2418 || !TEST_int_eq(1, use_session_cb_cnt)
2419 /* We should always get 1 ticket when using external PSK */
2420 || !TEST_int_eq(1, new_called))
2421 goto end;
2422
2423 testresult = 1;
2424
2425 end:
2426 SSL_free(serverssl);
2427 SSL_free(clientssl);
2428 SSL_CTX_free(sctx);
2429 SSL_CTX_free(cctx);
2430 SSL_SESSION_free(clientpsk);
2431 SSL_SESSION_free(serverpsk);
2432 clientpsk = serverpsk = NULL;
2433
2434 return testresult;
2435}
f0049b86
BK		 2436
2437static int test_extra_tickets(int idx)
2438{
2439 SSL_CTX *sctx = NULL, *cctx = NULL;
2440 SSL *serverssl = NULL, *clientssl = NULL;
2441 BIO *bretry = BIO_new(bio_s_always_retry());
2442 BIO *tmp = NULL;
2443 int testresult = 0;
2444 int stateful = 0;
2445 size_t nbytes;
2446 unsigned char c, buf[1];
2447
2448 new_called = 0;
2449 do_cache = 1;
2450
2451 if (idx >= 3) {
2452 idx -= 3;
2453 stateful = 1;
2454 }
2455
2456 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2457 goto end;
2458 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2459 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2460 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2461
2462 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2463 &clientssl, NULL, NULL)))
2464 goto end;
2465
2466 /*
2467 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2468 * incremented by both client and server.
2469 */
2470 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2471 SSL_ERROR_NONE))
2472 /* Check we got the number of tickets we were expecting */
2473 || !TEST_int_eq(idx * 2, new_called)
2474 || !TEST_true(SSL_new_session_ticket(serverssl))
2475 || !TEST_true(SSL_new_session_ticket(serverssl))
2476 || !TEST_int_eq(idx * 2, new_called))
2477 goto end;
2478
2479 /* Now try a (real) write to actually send the tickets */
2480 c = '1';
2481 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2482 || !TEST_size_t_eq(1, nbytes)
2483 || !TEST_int_eq(idx * 2 + 2, new_called)
2484 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2485 || !TEST_int_eq(idx * 2 + 4, new_called)
2486 || !TEST_int_eq(sizeof(buf), nbytes)
2487 || !TEST_int_eq(c, buf[0])
2488 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2489 goto end;
2490
2491 /* Try with only requesting one new ticket, too */
2492 c = '2';
2493 new_called = 0;
2494 if (!TEST_true(SSL_new_session_ticket(serverssl))
2495 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2496 || !TEST_size_t_eq(sizeof(c), nbytes)
2497 || !TEST_int_eq(1, new_called)
2498 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2499 || !TEST_int_eq(2, new_called)
2500 || !TEST_size_t_eq(sizeof(buf), nbytes)
2501 || !TEST_int_eq(c, buf[0]))
2502 goto end;
2503
2504 /* Do it again but use dummy writes to drive the ticket generation */
2505 c = '3';
2506 new_called = 0;
2507 if (!TEST_true(SSL_new_session_ticket(serverssl))
2508 || !TEST_true(SSL_new_session_ticket(serverssl))
2509 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2510 || !TEST_size_t_eq(0, nbytes)
2511 || !TEST_int_eq(2, new_called)
2512 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2513 || !TEST_int_eq(4, new_called))
2514 goto end;
2515
2516 /*
2517 * Use the always-retry BIO to exercise the logic that forces ticket
2518 * generation to wait until a record boundary.
2519 */
2520 c = '4';
2521 new_called = 0;
2522 tmp = SSL_get_wbio(serverssl);
2523 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2524 tmp = NULL;
2525 goto end;
2526 }
2527 SSL_set0_wbio(serverssl, bretry);
2528 bretry = NULL;
2529 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2530 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2531 || !TEST_size_t_eq(nbytes, 0))
2532 goto end;
2533 /* Restore a BIO that will let the write succeed */
2534 SSL_set0_wbio(serverssl, tmp);
2535 tmp = NULL;
2536 /* These calls should just queue the request and not send anything. */
2537 if (!TEST_true(SSL_new_session_ticket(serverssl))
2538 || !TEST_true(SSL_new_session_ticket(serverssl))
2539 || !TEST_int_eq(0, new_called))
2540 goto end;
2541 /* Re-do the write; still no tickets sent */
2542 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2543 || !TEST_size_t_eq(1, nbytes)
2544 || !TEST_int_eq(0, new_called)
2545 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2546 || !TEST_int_eq(0, new_called)
2547 || !TEST_int_eq(sizeof(buf), nbytes)
2548 || !TEST_int_eq(c, buf[0])
2549 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2550 goto end;
2551 /* Now the *next* write should send the tickets */
2552 c = '5';
2553 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2554 || !TEST_size_t_eq(1, nbytes)
2555 || !TEST_int_eq(2, new_called)
2556 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2557 || !TEST_int_eq(4, new_called)
2558 || !TEST_int_eq(sizeof(buf), nbytes)
2559 || !TEST_int_eq(c, buf[0])
2560 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2561 goto end;
2562
2563 SSL_shutdown(clientssl);
2564 SSL_shutdown(serverssl);
2565 testresult = 1;
2566
2567 end:
2568 BIO_free(bretry);
2569 BIO_free(tmp);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2572 SSL_CTX_free(sctx);
2573 SSL_CTX_free(cctx);
2574 clientssl = serverssl = NULL;
2575 sctx = cctx = NULL;
2576 return testresult;
2577}
04225915 2578#endif
36ff232c 2579
7d4488bb
MC		 2580#define USE_NULL 0
2581#define USE_BIO_1 1
2582#define USE_BIO_2 2
2583#define USE_DEFAULT 3
2584
2585#define CONNTYPE_CONNECTION_SUCCESS 0
2586#define CONNTYPE_CONNECTION_FAIL 1
2587#define CONNTYPE_NO_CONNECTION 2
2588
2589#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2590#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2591#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2592# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2593#else
2594# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2595#endif
2596
7d4488bb
MC		 2597#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2598 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2599 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2600
2601static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2602{
2603 switch (type) {
2604 case USE_NULL:
2605 *res = NULL;
2606 break;
2607 case USE_BIO_1:
2608 *res = bio1;
2609 break;
2610 case USE_BIO_2:
2611 *res = bio2;
2612 break;
2613 }
2614}
2615
7d4488bb
MC		 2616
2617/*
2618 * Tests calls to SSL_set_bio() under various conditions.
2619 *
2620 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2621 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2622 * then do more tests where we create a successful connection first using our
2623 * standard connection setup functions, and then call SSL_set_bio() with
2624 * various combinations of valid BIOs or NULL. We then repeat these tests
2625 * following a failed connection. In this last case we are looking to check that
2626 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2627 */
7fb4c820
MC		 2628static int test_ssl_set_bio(int idx)
2629{
7d4488bb 2630 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2631 BIO *bio1 = NULL;
2632 BIO *bio2 = NULL;
0fae8150 2633 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2634 SSL *serverssl = NULL, *clientssl = NULL;
2635 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2636 int testresult = 0;
2637
7d4488bb
MC		 2638 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2639 initrbio = idx % 3;
2640 idx /= 3;
2641 initwbio = idx % 3;
2642 idx /= 3;
2643 newrbio = idx % 3;
2644 idx /= 3;
2645 newwbio = idx % 3;
2646 conntype = CONNTYPE_NO_CONNECTION;
2647 } else {
2648 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2649 initrbio = initwbio = USE_DEFAULT;
2650 newrbio = idx % 2;
2651 idx /= 2;
2652 newwbio = idx % 2;
2653 idx /= 2;
2654 conntype = idx % 2;
2655 }
710756a9 2656
5e30f2fd
MC		 2657 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2658 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2659 &sctx, &cctx, cert, privkey)))
2660 goto end;
2661
2662 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2663 /*
2664 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2665 * because we reduced the number of tests in the definition of
2666 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2667 * mismatched protocol versions we will force a connection failure.
2668 */
2669 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2670 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2671 }
2672
2673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2674 NULL, NULL)))
710756a9 2675 goto end;
7fb4c820 2676
710756a9
RS		 2677 if (initrbio == USE_BIO_1
2678 || initwbio == USE_BIO_1
2679 || newrbio == USE_BIO_1
7fb4c820 2680 || newwbio == USE_BIO_1) {
710756a9 2681 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2682 goto end;
7fb4c820
MC		 2683 }
2684
710756a9
RS		 2685 if (initrbio == USE_BIO_2
2686 || initwbio == USE_BIO_2
2687 || newrbio == USE_BIO_2
7fb4c820 2688 || newwbio == USE_BIO_2) {
710756a9 2689 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2690 goto end;
7fb4c820
MC		 2691 }
2692
7d4488bb
MC		 2693 if (initrbio != USE_DEFAULT) {
2694 setupbio(&irbio, bio1, bio2, initrbio);
2695 setupbio(&iwbio, bio1, bio2, initwbio);
2696 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2697
7d4488bb
MC		 2698 /*
2699 * We want to maintain our own refs to these BIO, so do an up ref for
2700 * each BIO that will have ownership transferred in the SSL_set_bio()
2701 * call
2702 */
2703 if (irbio != NULL)
2704 BIO_up_ref(irbio);
2705 if (iwbio != NULL && iwbio != irbio)
2706 BIO_up_ref(iwbio);
2707 }
7fb4c820 2708
7d4488bb
MC		 2709 if (conntype != CONNTYPE_NO_CONNECTION
2710 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2711 SSL_ERROR_NONE)
2712 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2713 goto end;
7fb4c820
MC		 2714
2715 setupbio(&nrbio, bio1, bio2, newrbio);
2716 setupbio(&nwbio, bio1, bio2, newwbio);
2717
2718 /*
2719 * We will (maybe) transfer ownership again so do more up refs.
2720 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2721 * already been set!
2722 */
710756a9
RS		 2723 if (nrbio != NULL
2724 && nrbio != irbio
2725 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2726 BIO_up_ref(nrbio);
710756a9
RS		 2727 if (nwbio != NULL
2728 && nwbio != nrbio
2729 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2730 BIO_up_ref(nwbio);
2731
7d4488bb 2732 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2733
2734 testresult = 1;
2735
2736 end:
7fb4c820
MC		 2737 BIO_free(bio1);
2738 BIO_free(bio2);
710756a9 2739
7fb4c820
MC		 2740 /*
2741 * This test is checking that the ref counting for SSL_set_bio is correct.
2742 * If we get here and we did too many frees then we will fail in the above
742ccab3 2743 * functions.
7fb4c820 2744 */
7d4488bb
MC		 2745 SSL_free(serverssl);
2746 SSL_free(clientssl);
2747 SSL_CTX_free(sctx);
2748 SSL_CTX_free(cctx);
7fb4c820
MC		 2749 return testresult;
2750}
2751
7e885b7b 2752typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2753
7e885b7b 2754static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2755{
2756 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2757 SSL_CTX *ctx;
9a716987
MC		 2758 SSL *ssl = NULL;
2759 int testresult = 0;
2760
5e30f2fd 2761 if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
710756a9
RS		 2762 || !TEST_ptr(ssl = SSL_new(ctx))
2763 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2764 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2765 goto end;
9a716987
MC		 2766
2767 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2768
2769 /*
742ccab3 2770 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2771 */
2772 BIO_push(sslbio, membio1);
2773
69687aa8 2774 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2775 if (change_bio != NO_BIO_CHANGE) {
710756a9 2776 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2777 goto end;
7e885b7b 2778 if (change_bio == CHANGE_RBIO)
65e2d672 2779 SSL_set0_rbio(ssl, membio2);
9a716987 2780 else
65e2d672 2781 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2782 }
2783 ssl = NULL;
2784
7e885b7b 2785 if (pop_ssl)
9a716987
MC		 2786 BIO_pop(sslbio);
2787 else
2788 BIO_pop(membio1);
2789
2790 testresult = 1;
2791 end:
2792 BIO_free(membio1);
2793 BIO_free(sslbio);
2794 SSL_free(ssl);
2795 SSL_CTX_free(ctx);
2796
2797 return testresult;
2798}
2799
2800static int test_ssl_bio_pop_next_bio(void)
2801{
7e885b7b 2802 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2803}
2804
2805static int test_ssl_bio_pop_ssl_bio(void)
2806{
7e885b7b 2807 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2808}
2809
2810static int test_ssl_bio_change_rbio(void)
2811{
7e885b7b 2812 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2813}
2814
2815static int test_ssl_bio_change_wbio(void)
2816{
7e885b7b 2817 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2818}
2819
c423ecaa 2820#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2821typedef struct {
2822 /* The list of sig algs */
2823 const int *list;
2824 /* The length of the list */
2825 size_t listlen;
2826 /* A sigalgs list in string format */
2827 const char *liststr;
2828 /* Whether setting the list should succeed */
2829 int valid;
2830 /* Whether creating a connection with the list should succeed */
2831 int connsuccess;
2832} sigalgs_list;
2833
2834static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2835# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2836static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2837static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2838# endif
f1b25aae
MC		 2839static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2840static const int invalidlist2[] = {NID_sha256, NID_undef};
2841static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2842static const int invalidlist4[] = {NID_sha256};
2843static const sigalgs_list testsigalgs[] = {
2844 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2845# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2846 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2847 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2848# endif
f1b25aae 2849 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2850# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2851 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2852 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2853# endif
f1b25aae
MC		 2854 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2855 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2856 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2857 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2858 {NULL, 0, "RSA", 0, 0},
2859 {NULL, 0, "SHA256", 0, 0},
2860 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2861 {NULL, 0, "Invalid", 0, 0}
2862};
f1b25aae
MC		 2863
2864static int test_set_sigalgs(int idx)
2865{
2866 SSL_CTX *cctx = NULL, *sctx = NULL;
2867 SSL *clientssl = NULL, *serverssl = NULL;
2868 int testresult = 0;
2869 const sigalgs_list *curr;
2870 int testctx;
2871
2872 /* Should never happen */
710756a9 2873 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2874 return 0;
2875
2876 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2877 curr = testctx ? &testsigalgs[idx]
2878 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2879
5e30f2fd
MC		 2880 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2881 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2882 &sctx, &cctx, cert, privkey)))
f1b25aae 2883 return 0;
f1b25aae 2884
d2e491f2
MC		 2885 /*
2886 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2887 * for TLSv1.2 for now until we add a new API.
2888 */
2889 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2890
f1b25aae
MC		 2891 if (testctx) {
2892 int ret;
710756a9 2893
f1b25aae
MC		 2894 if (curr->list != NULL)
2895 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2896 else
2897 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2898
2899 if (!ret) {
2900 if (curr->valid)
710756a9 2901 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2902 else
2903 testresult = 1;
2904 goto end;
2905 }
2906 if (!curr->valid) {
710756a9 2907 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2908 goto end;
2909 }
2910 }
2911
710756a9
RS		 2912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2913 &clientssl, NULL, NULL)))
f1b25aae 2914 goto end;
f1b25aae
MC		 2915
2916 if (!testctx) {
2917 int ret;
2918
2919 if (curr->list != NULL)
2920 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2921 else
2922 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2923 if (!ret) {
2924 if (curr->valid)
710756a9 2925 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2926 else
2927 testresult = 1;
2928 goto end;
2929 }
710756a9 2930 if (!curr->valid)
f1b25aae 2931 goto end;
f1b25aae
MC		 2932 }
2933
710756a9
RS		 2934 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2935 SSL_ERROR_NONE),
2936 curr->connsuccess))
f1b25aae 2937 goto end;
f1b25aae
MC		 2938
2939 testresult = 1;
2940
2941 end:
2942 SSL_free(serverssl);
2943 SSL_free(clientssl);
2944 SSL_CTX_free(sctx);
2945 SSL_CTX_free(cctx);
2946
2947 return testresult;
2948}
c423ecaa 2949#endif
f1b25aae 2950
fff202e5 2951#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2952static int psk_client_cb_cnt = 0;
2953static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2954
2955static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2956 size_t *idlen, SSL_SESSION **sess)
2957{
2958 switch (++use_session_cb_cnt) {
2959 case 1:
2960 /* The first call should always have a NULL md */
2961 if (md != NULL)
2962 return 0;
2963 break;
2964
2965 case 2:
2966 /* The second call should always have an md */
2967 if (md == NULL)
2968 return 0;
2969 break;
2970
2971 default:
2972 /* We should only be called a maximum of twice */
2973 return 0;
2974 }
2975
57dee9bb
MC		 2976 if (clientpsk != NULL)
2977 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2978
57dee9bb 2979 *sess = clientpsk;
02a3ed5a
MC		 2980 *id = (const unsigned char *)pskid;
2981 *idlen = strlen(pskid);
2982
2983 return 1;
2984}
2985
c2b290c3 2986#ifndef OPENSSL_NO_PSK
532f9578
MC		 2987static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2988 unsigned int max_id_len,
2989 unsigned char *psk,
2990 unsigned int max_psk_len)
2991{
2992 unsigned int psklen = 0;
2993
2994 psk_client_cb_cnt++;
2995
2996 if (strlen(pskid) + 1 > max_id_len)
2997 return 0;
2998
2999 /* We should only ever be called a maximum of twice per connection */
3000 if (psk_client_cb_cnt > 2)
3001 return 0;
3002
3003 if (clientpsk == NULL)
3004 return 0;
3005
3006 /* We'll reuse the PSK we set up for TLSv1.3 */
3007 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3008 return 0;
3009 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3010 strncpy(id, pskid, max_id_len);
3011
3012 return psklen;
3013}
c2b290c3 3014#endif /* OPENSSL_NO_PSK */
532f9578 3015
02a3ed5a
MC		 3016static int find_session_cb(SSL *ssl, const unsigned char *identity,
3017 size_t identity_len, SSL_SESSION **sess)
3018{
3019 find_session_cb_cnt++;
3020
3021 /* We should only ever be called a maximum of twice per connection */
3022 if (find_session_cb_cnt > 2)
3023 return 0;
3024
57dee9bb 3025 if (serverpsk == NULL)
02a3ed5a
MC		 3026 return 0;
3027
3028 /* Identity should match that set by the client */
3029 if (strlen(srvid) != identity_len
3030 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3031 /* No PSK found, continue but without a PSK */
3032 *sess = NULL;
3033 return 1;
3034 }
3035
57dee9bb
MC		 3036 SSL_SESSION_up_ref(serverpsk);
3037 *sess = serverpsk;
02a3ed5a
MC		 3038
3039 return 1;
3040}
3041
c2b290c3 3042#ifndef OPENSSL_NO_PSK
532f9578
MC		 3043static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3044 unsigned char *psk, unsigned int max_psk_len)
3045{
3046 unsigned int psklen = 0;
3047
3048 psk_server_cb_cnt++;
3049
3050 /* We should only ever be called a maximum of twice per connection */
3051 if (find_session_cb_cnt > 2)
3052 return 0;
3053
3054 if (serverpsk == NULL)
3055 return 0;
3056
3057 /* Identity should match that set by the client */
3058 if (strcmp(srvid, identity) != 0) {
3059 return 0;
3060 }
3061
3062 /* We'll reuse the PSK we set up for TLSv1.3 */
3063 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3064 return 0;
3065 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3066
3067 return psklen;
3068}
c2b290c3 3069#endif /* OPENSSL_NO_PSK */
532f9578 3070
5f982038
MC		 3071#define MSG1 "Hello"
3072#define MSG2 "World."
3073#define MSG3 "This"
3074#define MSG4 "is"
3075#define MSG5 "a"
90049cea
MC		 3076#define MSG6 "test"
3077#define MSG7 "message."
5f982038 3078
532f9578 3079#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3080#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3081#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3082#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3083#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3084
8614a4eb
MC		 3085
3086static SSL_SESSION *create_a_psk(SSL *ssl)
3087{
3088 const SSL_CIPHER *cipher = NULL;
3089 const unsigned char key[] = {
3090 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3091 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3092 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3093 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3094 0x2c, 0x2d, 0x2e, 0x2f
3095 };
3096 SSL_SESSION *sess = NULL;
3097
3098 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3099 sess = SSL_SESSION_new();
3100 if (!TEST_ptr(sess)
3101 || !TEST_ptr(cipher)
3102 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3103 sizeof(key)))
3104 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3105 || !TEST_true(
3106 SSL_SESSION_set_protocol_version(sess,
3107 TLS1_3_VERSION))) {
3108 SSL_SESSION_free(sess);
3109 return NULL;
3110 }
3111 return sess;
3112}
3113
5f982038
MC		 3114/*
3115 * Helper method to setup objects for early data test. Caller frees objects on
3116 * error.
3117 */
3118static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3119 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3120{
5a421415 3121 if (*sctx == NULL
5e30f2fd 3122 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3123 TLS_client_method(),
5c587fb6 3124 TLS1_VERSION, 0,
5a421415
MC		 3125 sctx, cctx, cert, privkey)))
3126 return 0;
3127
3128 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3129 return 0;
5f982038 3130
02a3ed5a
MC		 3131 if (idx == 1) {
3132 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3133 SSL_CTX_set_read_ahead(*cctx, 1);
3134 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3135 } else if (idx == 2) {
3136 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3137 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3138 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3139 use_session_cb_cnt = 0;
3140 find_session_cb_cnt = 0;
3141 srvid = pskid;
3cb47b4e
MC		 3142 }
3143
710756a9 3144 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3145 NULL, NULL)))
3146 return 0;
3147
141e4709
MC		 3148 /*
3149 * For one of the run throughs (doesn't matter which one), we'll try sending
3150 * some SNI data in the initial ClientHello. This will be ignored (because
3151 * there is no SNI cb set up by the server), so it should not impact
3152 * early_data.
3153 */
3154 if (idx == 1
3155 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3156 return 0;
3157
02a3ed5a 3158 if (idx == 2) {
8614a4eb 3159 clientpsk = create_a_psk(*clientssl);
57dee9bb 3160 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3161 /*
3162 * We just choose an arbitrary value for max_early_data which
3163 * should be big enough for testing purposes.
3164 */
57dee9bb
MC		 3165 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3166 0x100))
3167 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3168 SSL_SESSION_free(clientpsk);
3169 clientpsk = NULL;
02a3ed5a
MC		 3170 return 0;
3171 }
57dee9bb 3172 serverpsk = clientpsk;
02a3ed5a 3173
c20e3b28
MC		 3174 if (sess != NULL) {
3175 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3176 SSL_SESSION_free(clientpsk);
3177 SSL_SESSION_free(serverpsk);
3178 clientpsk = serverpsk = NULL;
3179 return 0;
3180 }
57dee9bb 3181 *sess = clientpsk;
c20e3b28 3182 }
02a3ed5a
MC		 3183 return 1;
3184 }
3185
3186 if (sess == NULL)
3187 return 1;
3188
3189 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3190 SSL_ERROR_NONE)))
5f982038 3191 return 0;
5f982038
MC		 3192
3193 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3194 SSL_shutdown(*clientssl);
3195 SSL_shutdown(*serverssl);
5f982038
MC		 3196 SSL_free(*serverssl);
3197 SSL_free(*clientssl);
3198 *serverssl = *clientssl = NULL;
3199
710756a9
RS		 3200 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3201 clientssl, NULL, NULL))
3202 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3203 return 0;
5f982038
MC		 3204
3205 return 1;
3206}
3207
3cb47b4e 3208static int test_early_data_read_write(int idx)
5f982038
MC		 3209{
3210 SSL_CTX *cctx = NULL, *sctx = NULL;
3211 SSL *clientssl = NULL, *serverssl = NULL;
3212 int testresult = 0;
3213 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3214 unsigned char buf[20], data[1024];
3215 size_t readbytes, written, eoedlen, rawread, rawwritten;
3216 BIO *rbio;
5f982038 3217
710756a9
RS		 3218 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3219 &serverssl, &sess, idx)))
5f982038
MC		 3220 goto end;
3221
3222 /* Write and read some early data */
710756a9
RS		 3223 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3224 &written))
3225 || !TEST_size_t_eq(written, strlen(MSG1))
3226 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3227 sizeof(buf), &readbytes),
3228 SSL_READ_EARLY_DATA_SUCCESS)
3229 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3230 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3231 SSL_EARLY_DATA_ACCEPTED))
5f982038 3232 goto end;
5f982038
MC		 3233
3234 /*
09f28874 3235 * Server should be able to write data, and client should be able to
5f982038
MC		 3236 * read it.
3237 */
710756a9
RS		 3238 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3239 &written))
3240 || !TEST_size_t_eq(written, strlen(MSG2))
3241 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3242 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3243 goto end;
5f982038
MC		 3244
3245 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3246 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3247 &written))
3248 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3249 goto end;
5f982038 3250
09f28874 3251 /* Server should still be able read early data after writing data */
710756a9
RS		 3252 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3253 &readbytes),
3254 SSL_READ_EARLY_DATA_SUCCESS)
3255 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3256 goto end;
5f982038 3257
09f28874 3258 /* Write more data from server and read it from client */
710756a9
RS		 3259 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3260 &written))
3261 || !TEST_size_t_eq(written, strlen(MSG4))
3262 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3263 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3264 goto end;
5f982038
MC		 3265
3266 /*
3267 * If client writes normal data it should mean writing early data is no
3268 * longer possible.
3269 */
710756a9
RS		 3270 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3271 || !TEST_size_t_eq(written, strlen(MSG5))
3272 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3273 SSL_EARLY_DATA_ACCEPTED))
5f982038 3274 goto end;
5f982038 3275
9b5c865d
MC		 3276 /*
3277 * At this point the client has written EndOfEarlyData, ClientFinished and
3278 * normal (fully protected) data. We are going to cause a delay between the
3279 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3280 * in the read BIO, and then just put back the EndOfEarlyData message.
3281 */
3282 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3283 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3284 || !TEST_size_t_lt(rawread, sizeof(data))
3285 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3286 goto end;
710756a9 3287
9b5c865d
MC		 3288 /* Record length is in the 4th and 5th bytes of the record header */
3289 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3290 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3291 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3292 goto end;
9b5c865d 3293
5f982038 3294 /* Server should be told that there is no more early data */
710756a9
RS		 3295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3296 &readbytes),
3297 SSL_READ_EARLY_DATA_FINISH)
3298 || !TEST_size_t_eq(readbytes, 0))
5f982038 3299 goto end;
5f982038 3300
9b5c865d
MC		 3301 /*
3302 * Server has not finished init yet, so should still be able to write early
3303 * data.
3304 */
710756a9
RS		 3305 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3306 &written))
3307 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3308 goto end;
9b5c865d 3309
f8a303fa 3310 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3311 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3312 &rawwritten))
3313 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3314 goto end;
f8a303fa 3315
5f982038 3316 /* Server should be able to read normal data */
710756a9
RS		 3317 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3318 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3319 goto end;
5f982038 3320
09f28874 3321 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3322 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3323 &written)))
5f982038 3324 goto end;
5f982038 3325 ERR_clear_error();
710756a9
RS		 3326 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3327 &readbytes),
3328 SSL_READ_EARLY_DATA_ERROR))
5f982038 3329 goto end;
5f982038
MC		 3330 ERR_clear_error();
3331
9b5c865d 3332 /* Client should be able to read the data sent by the server */
710756a9
RS		 3333 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3334 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3335 goto end;
710756a9 3336
f8a303fa 3337 /*
36ff232c
MC		 3338 * Make sure we process the two NewSessionTickets. These arrive
3339 * post-handshake. We attempt reads which we do not expect to return any
3340 * data.
f8a303fa 3341 */
36ff232c
MC		 3342 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3343 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3344 &readbytes)))
f8a303fa 3345 goto end;
5f982038 3346
90049cea 3347 /* Server should be able to write normal data */
710756a9
RS		 3348 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3349 || !TEST_size_t_eq(written, strlen(MSG7))
3350 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3351 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3352 goto end;
90049cea 3353
c20e3b28 3354 SSL_SESSION_free(sess);
5f982038 3355 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3356 use_session_cb_cnt = 0;
3357 find_session_cb_cnt = 0;
5f982038
MC		 3358
3359 SSL_shutdown(clientssl);
3360 SSL_shutdown(serverssl);
5f982038
MC		 3361 SSL_free(serverssl);
3362 SSL_free(clientssl);
3363 serverssl = clientssl = NULL;
710756a9
RS		 3364 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3365 &clientssl, NULL, NULL))
3366 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3367 goto end;
5f982038
MC		 3368
3369 /* Write and read some early data */
710756a9
RS		 3370 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3371 &written))
3372 || !TEST_size_t_eq(written, strlen(MSG1))
3373 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3374 &readbytes),
3375 SSL_READ_EARLY_DATA_SUCCESS)
3376 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3377 goto end;
5f982038 3378
710756a9
RS		 3379 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3380 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3381 goto end;
5f982038 3382
09f28874 3383 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3384 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3385 &written)))
5f982038 3386 goto end;
5f982038 3387 ERR_clear_error();
710756a9
RS		 3388 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3389 &readbytes),
3390 SSL_READ_EARLY_DATA_ERROR))
5f982038 3391 goto end;
5f982038
MC		 3392 ERR_clear_error();
3393
3394 /* Client and server should be able to write/read normal data */
710756a9
RS		 3395 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3396 || !TEST_size_t_eq(written, strlen(MSG5))
3397 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3398 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3399 goto end;
5f982038
MC		 3400
3401 testresult = 1;
3402
3403 end:
c20e3b28 3404 SSL_SESSION_free(sess);
57dee9bb
MC		 3405 SSL_SESSION_free(clientpsk);
3406 SSL_SESSION_free(serverpsk);
3407 clientpsk = serverpsk = NULL;
5f982038
MC		 3408 SSL_free(serverssl);
3409 SSL_free(clientssl);
3410 SSL_CTX_free(sctx);
3411 SSL_CTX_free(cctx);
5f982038
MC		 3412 return testresult;
3413}
3414
5a421415
MC		 3415static int allow_ed_cb_called = 0;
3416
3417static int allow_early_data_cb(SSL *s, void *arg)
3418{
3419 int *usecb = (int *)arg;
3420
3421 allow_ed_cb_called++;
3422
3423 if (*usecb == 1)
3424 return 0;
3425
3426 return 1;
3427}
3428
3429/*
3430 * idx == 0: Standard early_data setup
3431 * idx == 1: early_data setup using read_ahead
3432 * usecb == 0: Don't use a custom early data callback
3433 * usecb == 1: Use a custom early data callback and reject the early data
3434 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3435 * confopt == 0: Configure anti-replay directly
3436 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3437 */
3bb5e5b0 3438static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3439{
3440 SSL_CTX *cctx = NULL, *sctx = NULL;
3441 SSL *clientssl = NULL, *serverssl = NULL;
3442 int testresult = 0;
3443 SSL_SESSION *sess = NULL;
5a421415
MC		 3444 size_t readbytes, written;
3445 unsigned char buf[20];
3446
3447 allow_ed_cb_called = 0;
3448
5e30f2fd
MC		 3449 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3450 TLS_client_method(), TLS1_VERSION, 0,
3451 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3452 return 0;
3453
3454 if (usecb > 0) {
3bb5e5b0
MC		 3455 if (confopt == 0) {
3456 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3457 } else {
3458 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3459
3460 if (!TEST_ptr(confctx))
3461 goto end;
3462 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3463 | SSL_CONF_FLAG_SERVER);
3464 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3465 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3466 2)) {
3467 SSL_CONF_CTX_free(confctx);
3468 goto end;
3469 }
3470 SSL_CONF_CTX_free(confctx);
3471 }
5a421415
MC		 3472 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3473 }
78fb5374
MC		 3474
3475 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3476 &serverssl, &sess, idx)))
3477 goto end;
3478
3479 /*
3480 * The server is configured to accept early data. Create a connection to
3481 * "use up" the ticket
3482 */
3483 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3484 || !TEST_true(SSL_session_reused(clientssl)))
3485 goto end;
3486
3487 SSL_shutdown(clientssl);
3488 SSL_shutdown(serverssl);
3489 SSL_free(serverssl);
3490 SSL_free(clientssl);
3491 serverssl = clientssl = NULL;
3492
3493 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3494 &clientssl, NULL, NULL))
5a421415
MC		 3495 || !TEST_true(SSL_set_session(clientssl, sess)))
3496 goto end;
3497
3498 /* Write and read some early data */
3499 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3500 &written))
3501 || !TEST_size_t_eq(written, strlen(MSG1)))
3502 goto end;
3503
3504 if (usecb <= 1) {
3505 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3506 &readbytes),
3507 SSL_READ_EARLY_DATA_FINISH)
3508 /*
3509 * The ticket was reused, so the we should have rejected the
3510 * early data
3511 */
3512 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3513 SSL_EARLY_DATA_REJECTED))
3514 goto end;
3515 } else {
3516 /* In this case the callback decides to accept the early data */
3517 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3518 &readbytes),
3519 SSL_READ_EARLY_DATA_SUCCESS)
3520 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3521 /*
3522 * Server will have sent its flight so client can now send
3523 * end of early data and complete its half of the handshake
3524 */
3525 || !TEST_int_gt(SSL_connect(clientssl), 0)
3526 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3527 &readbytes),
3528 SSL_READ_EARLY_DATA_FINISH)
3529 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3530 SSL_EARLY_DATA_ACCEPTED))
3531 goto end;
3532 }
3533
3534 /* Complete the connection */
3535 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3536 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3537 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3538 goto end;
3539
3540 testresult = 1;
3541
3542 end:
c20e3b28 3543 SSL_SESSION_free(sess);
78fb5374
MC		 3544 SSL_SESSION_free(clientpsk);
3545 SSL_SESSION_free(serverpsk);
3546 clientpsk = serverpsk = NULL;
3547 SSL_free(serverssl);
3548 SSL_free(clientssl);
3549 SSL_CTX_free(sctx);
3550 SSL_CTX_free(cctx);
3551 return testresult;
3552}
3553
5a421415
MC		 3554static int test_early_data_replay(int idx)
3555{
3bb5e5b0 3556 int ret = 1, usecb, confopt;
5a421415 3557
3bb5e5b0
MC		 3558 for (usecb = 0; usecb < 3; usecb++) {
3559 for (confopt = 0; confopt < 2; confopt++)
3560 ret &= test_early_data_replay_int(idx, usecb, confopt);
3561 }
5a421415
MC		 3562
3563 return ret;
3564}
3565
710756a9 3566/*
6b84e6bf
MC		 3567 * Helper function to test that a server attempting to read early data can
3568 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3569 * testtype: 0 == No HRR
3570 * testtype: 1 == HRR
0efa0ba4
MC		 3571 * testtype: 2 == HRR, invalid early_data sent after HRR
3572 * testtype: 3 == recv_max_early_data set to 0
710756a9 3573 */
0d1b7789 3574static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3575{
3576 SSL_CTX *cctx = NULL, *sctx = NULL;
3577 SSL *clientssl = NULL, *serverssl = NULL;
3578 int testresult = 0;
018fcbec 3579 SSL_SESSION *sess = NULL;
5f982038
MC		 3580 unsigned char buf[20];
3581 size_t readbytes, written;
3582
710756a9
RS		 3583 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3584 &serverssl, &sess, idx)))
5f982038
MC		 3585 goto end;
3586
0efa0ba4 3587 if (testtype == 1 || testtype == 2) {
6b84e6bf 3588 /* Force an HRR to occur */
dbc6268f
MC		 3589#if defined(OPENSSL_NO_EC)
3590 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3591 goto end;
3592#else
6b84e6bf
MC		 3593 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3594 goto end;
dbc6268f 3595#endif
02a3ed5a
MC		 3596 } else if (idx == 2) {
3597 /*
3598 * We force early_data rejection by ensuring the PSK identity is
3599 * unrecognised
3600 */
3601 srvid = "Dummy Identity";
6b84e6bf
MC		 3602 } else {
3603 /*
3604 * Deliberately corrupt the creation time. We take 20 seconds off the
3605 * time. It could be any value as long as it is not within tolerance.
3606 * This should mean the ticket is rejected.
3607 */
5d99881e 3608 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3609 goto end;
3610 }
5f982038 3611
0efa0ba4 3612 if (testtype == 3
0d1b7789
MC		 3613 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3614 goto end;
3615
5f982038 3616 /* Write some early data */
710756a9
RS		 3617 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3618 &written))
3619 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3620 goto end;
5f982038 3621
0d1b7789 3622 /* Server should reject the early data */
710756a9
RS		 3623 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3624 &readbytes),
3625 SSL_READ_EARLY_DATA_FINISH)
3626 || !TEST_size_t_eq(readbytes, 0)
3627 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3628 SSL_EARLY_DATA_REJECTED))
5f982038 3629 goto end;
5f982038 3630
0efa0ba4
MC		 3631 switch (testtype) {
3632 case 0:
3633 /* Nothing to do */
3634 break;
3635
3636 case 1:
6b84e6bf
MC		 3637 /*
3638 * Finish off the handshake. We perform the same writes and reads as
3639 * further down but we expect them to fail due to the incomplete
3640 * handshake.
3641 */
3642 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3643 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3644 &readbytes)))
3645 goto end;
0efa0ba4
MC		 3646 break;
3647
3648 case 2:
3649 {
3650 BIO *wbio = SSL_get_wbio(clientssl);
3651 /* A record that will appear as bad early_data */
3652 const unsigned char bad_early_data[] = {
3653 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3654 };
3655
3656 /*
3657 * We force the client to attempt a write. This will fail because
3658 * we're still in the handshake. It will cause the second
3659 * ClientHello to be sent.
3660 */
3661 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3662 &written)))
3663 goto end;
3664
3665 /*
3666 * Inject some early_data after the second ClientHello. This should
3667 * cause the server to fail
3668 */
3669 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3670 sizeof(bad_early_data), &written)))
3671 goto end;
3672 }
3673 /* fallthrough */
3674
3675 case 3:
0d1b7789 3676 /*
0efa0ba4
MC		 3677 * This client has sent more early_data than we are willing to skip
3678 * (case 3) or sent invalid early_data (case 2) so the connection should
3679 * abort.
0d1b7789
MC		 3680 */
3681 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3682 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3683 goto end;
3684
3685 /* Connection has failed - nothing more to do */
3686 testresult = 1;
3687 goto end;
0efa0ba4
MC		 3688
3689 default:
3690 TEST_error("Invalid test type");
3691 goto end;
6b84e6bf
MC		 3692 }
3693
0d1b7789
MC		 3694 /*
3695 * Should be able to send normal data despite rejection of early data. The
3696 * early_data should be skipped.
3697 */
710756a9
RS		 3698 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3699 || !TEST_size_t_eq(written, strlen(MSG2))
3700 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3701 SSL_EARLY_DATA_REJECTED)
3702 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3703 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3704 goto end;
5f982038
MC		 3705
3706 testresult = 1;
3707
3708 end:
c20e3b28 3709 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3710 SSL_SESSION_free(serverpsk);
3711 clientpsk = serverpsk = NULL;
5f982038
MC		 3712 SSL_SESSION_free(sess);
3713 SSL_free(serverssl);
3714 SSL_free(clientssl);
3715 SSL_CTX_free(sctx);
3716 SSL_CTX_free(cctx);
5f982038
MC		 3717 return testresult;
3718}
3719
6b84e6bf
MC		 3720/*
3721 * Test that a server attempting to read early data can handle a connection
3722 * from a client where the early data is not acceptable.
3723 */
3724static int test_early_data_skip(int idx)
3725{
3726 return early_data_skip_helper(0, idx);
3727}
3728
3729/*
3730 * Test that a server attempting to read early data can handle a connection
3731 * from a client where an HRR occurs.
3732 */
3733static int test_early_data_skip_hrr(int idx)
3734{
3735 return early_data_skip_helper(1, idx);
3736}
3737
0efa0ba4
MC		 3738/*
3739 * Test that a server attempting to read early data can handle a connection
3740 * from a client where an HRR occurs and correctly fails if early_data is sent
3741 * after the HRR
3742 */
3743static int test_early_data_skip_hrr_fail(int idx)
3744{
3745 return early_data_skip_helper(2, idx);
3746}
3747
0d1b7789
MC		 3748/*
3749 * Test that a server attempting to read early data will abort if it tries to
3750 * skip over too much.
3751 */
3752static int test_early_data_skip_abort(int idx)
3753{
0efa0ba4 3754 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3755}
3756
710756a9
RS		 3757/*
3758 * Test that a server attempting to read early data can handle a connection
3759 * from a client that doesn't send any.
3760 */
3cb47b4e 3761static int test_early_data_not_sent(int idx)
5f982038
MC		 3762{
3763 SSL_CTX *cctx = NULL, *sctx = NULL;
3764 SSL *clientssl = NULL, *serverssl = NULL;
3765 int testresult = 0;
018fcbec 3766 SSL_SESSION *sess = NULL;
5f982038
MC		 3767 unsigned char buf[20];
3768 size_t readbytes, written;
3769
710756a9
RS		 3770 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3771 &serverssl, &sess, idx)))
5f982038
MC		 3772 goto end;
3773
3774 /* Write some data - should block due to handshake with server */
3775 SSL_set_connect_state(clientssl);
710756a9 3776 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3777 goto end;
5f982038
MC		 3778
3779 /* Server should detect that early data has not been sent */
710756a9
RS		 3780 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3781 &readbytes),
3782 SSL_READ_EARLY_DATA_FINISH)
3783 || !TEST_size_t_eq(readbytes, 0)
3784 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3785 SSL_EARLY_DATA_NOT_SENT)
3786 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3787 SSL_EARLY_DATA_NOT_SENT))
5f982038 3788 goto end;
5f982038
MC		 3789
3790 /* Continue writing the message we started earlier */
710756a9
RS		 3791 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3792 || !TEST_size_t_eq(written, strlen(MSG1))
3793 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3794 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3795 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3796 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3797 goto end;
5f982038 3798
710756a9
RS		 3799 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3800 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3801 goto end;
5f982038
MC		 3802
3803 testresult = 1;
3804
3805 end:
5f982038 3806 SSL_SESSION_free(sess);
c20e3b28 3807 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3808 SSL_SESSION_free(serverpsk);
3809 clientpsk = serverpsk = NULL;
5f982038
MC		 3810 SSL_free(serverssl);
3811 SSL_free(clientssl);
3812 SSL_CTX_free(sctx);
3813 SSL_CTX_free(cctx);
5f982038
MC		 3814 return testresult;
3815}
3816
976e5323
MC		 3817static const char *servalpn;
3818
c7558d5b
PY		 3819static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3820 unsigned char *outlen, const unsigned char *in,
3821 unsigned int inlen, void *arg)
976e5323 3822{
c7558d5b 3823 unsigned int protlen = 0;
976e5323
MC		 3824 const unsigned char *prot;
3825
c7558d5b
PY		 3826 for (prot = in; prot < in + inlen; prot += protlen) {
3827 protlen = *prot++;
5d99881e 3828 if (in + inlen < prot + protlen)
976e5323
MC		 3829 return SSL_TLSEXT_ERR_NOACK;
3830
3831 if (protlen == strlen(servalpn)
0bd42fde 3832 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3833 *out = prot;
3834 *outlen = protlen;
3835 return SSL_TLSEXT_ERR_OK;
3836 }
3837 }
3838
3839 return SSL_TLSEXT_ERR_NOACK;
3840}
3841
57dee9bb 3842/* Test that a PSK can be used to send early_data */
976e5323
MC		 3843static int test_early_data_psk(int idx)
3844{
3845 SSL_CTX *cctx = NULL, *sctx = NULL;
3846 SSL *clientssl = NULL, *serverssl = NULL;
3847 int testresult = 0;
3848 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3849 unsigned char alpnlist[] = {
3850 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3851 'l', 'p', 'n'
3852 };
3853#define GOODALPNLEN 9
3854#define BADALPNLEN 8
3855#define GOODALPN (alpnlist)
3856#define BADALPN (alpnlist + GOODALPNLEN)
3857 int err = 0;
976e5323
MC		 3858 unsigned char buf[20];
3859 size_t readbytes, written;
57dee9bb 3860 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3861 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3862
3863 /* We always set this up with a final parameter of "2" for PSK */
3864 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3865 &serverssl, &sess, 2)))
3866 goto end;
3867
976e5323
MC		 3868 servalpn = "goodalpn";
3869
57dee9bb
MC		 3870 /*
3871 * Note: There is no test for inconsistent SNI with late client detection.
3872 * This is because servers do not acknowledge SNI even if they are using
3873 * it in a resumption handshake - so it is not actually possible for a
3874 * client to detect a problem.
3875 */
976e5323
MC		 3876 switch (idx) {
3877 case 0:
57dee9bb 3878 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3879 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3880 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3881 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3882 goto end;
3883 break;
3884
3885 case 1:
57dee9bb 3886 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3887 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3888 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3889 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3890 GOODALPNLEN))
3891 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3892 BADALPNLEN)))
976e5323
MC		 3893 goto end;
3894 break;
3895
3896 case 2:
3897 /*
3898 * Set invalid protocol version. Technically this affects PSKs without
3899 * early_data too, but we test it here because it is similar to the
3900 * SNI/ALPN consistency tests.
3901 */
3902 err = SSL_R_BAD_PSK;
3903 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3904 goto end;
3905 break;
3906
3907 case 3:
3908 /*
49ef3d07
MC		 3909 * Set inconsistent SNI (server side). In this case the connection
3910 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3911 * is associated with each handshake - not the session. Therefore it
3912 * should not matter that we used a different server name last time.
976e5323 3913 */
281bf233
MC		 3914 SSL_SESSION_free(serverpsk);
3915 serverpsk = SSL_SESSION_dup(clientpsk);
3916 if (!TEST_ptr(serverpsk)
3917 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3918 goto end;
976e5323
MC		 3919 /* Fall through */
3920 case 4:
3921 /* Set consistent SNI */
976e5323
MC		 3922 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3923 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3924 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3925 hostname_cb)))
3926 goto end;
3927 break;
3928
3929 case 5:
3930 /*
3931 * Set inconsistent ALPN (server detected). In this case the connection
3932 * will succeed but reject early_data.
3933 */
3934 servalpn = "badalpn";
3935 edstatus = SSL_EARLY_DATA_REJECTED;
3936 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3937 /* Fall through */
3938 case 6:
976e5323 3939 /*
57dee9bb 3940 * Set consistent ALPN.
976e5323
MC		 3941 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3942 * accepts a list of protos (each one length prefixed).
3943 * SSL_set1_alpn_selected accepts a single protocol (not length
3944 * prefixed)
3945 */
57dee9bb
MC		 3946 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3947 GOODALPNLEN - 1))
3948 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3949 GOODALPNLEN)))
976e5323
MC		 3950 goto end;
3951
3952 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3953 break;
3954
57dee9bb
MC		 3955 case 7:
3956 /* Set inconsistent ALPN (late client detection) */
3957 SSL_SESSION_free(serverpsk);
3958 serverpsk = SSL_SESSION_dup(clientpsk);
3959 if (!TEST_ptr(serverpsk)
3960 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3961 BADALPN + 1,
3962 BADALPNLEN - 1))
3963 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3964 GOODALPN + 1,
3965 GOODALPNLEN - 1))
3966 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3967 sizeof(alpnlist))))
3968 goto end;
3969 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3970 edstatus = SSL_EARLY_DATA_ACCEPTED;
3971 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3972 /* SSL_connect() call should fail */
3973 connectres = -1;
3974 break;
3975
976e5323
MC		 3976 default:
3977 TEST_error("Bad test index");
3978 goto end;
3979 }
3980
3981 SSL_set_connect_state(clientssl);
3982 if (err != 0) {
3983 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3984 &written))
3985 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3986 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3987 goto end;
3988 } else {
3989 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3990 &written)))
3991 goto end;
3992
3993 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3994 &readbytes), readearlyres)
976e5323
MC		 3995 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3996 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3997 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3998 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3999 goto end;
4000 }
4001
4002 testresult = 1;
4003
4004 end:
c20e3b28 4005 SSL_SESSION_free(sess);
57dee9bb
MC		 4006 SSL_SESSION_free(clientpsk);
4007 SSL_SESSION_free(serverpsk);
4008 clientpsk = serverpsk = NULL;
976e5323
MC		 4009 SSL_free(serverssl);
4010 SSL_free(clientssl);
4011 SSL_CTX_free(sctx);
4012 SSL_CTX_free(cctx);
4013 return testresult;
4014}
4015
0b2b0be9 4016/*
4017 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4018 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4019 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4020 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4021 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4022 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4023 */
4024static int test_early_data_psk_with_all_ciphers(int idx)
4025{
4026 SSL_CTX *cctx = NULL, *sctx = NULL;
4027 SSL *clientssl = NULL, *serverssl = NULL;
4028 int testresult = 0;
4029 SSL_SESSION *sess = NULL;
4030 unsigned char buf[20];
4031 size_t readbytes, written;
4032 const SSL_CIPHER *cipher;
4033 const char *cipher_str[] = {
4034 TLS1_3_RFC_AES_128_GCM_SHA256,
4035 TLS1_3_RFC_AES_256_GCM_SHA384,
4036# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4037 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4038# else
4039 NULL,
4040# endif
4041 TLS1_3_RFC_AES_128_CCM_SHA256,
4042 TLS1_3_RFC_AES_128_CCM_8_SHA256
4043 };
4044 const unsigned char *cipher_bytes[] = {
4045 TLS13_AES_128_GCM_SHA256_BYTES,
4046 TLS13_AES_256_GCM_SHA384_BYTES,
4047# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4048 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4049# else
4050 NULL,
4051# endif
4052 TLS13_AES_128_CCM_SHA256_BYTES,
4053 TLS13_AES_128_CCM_8_SHA256_BYTES
4054 };
4055
4056 if (cipher_str[idx] == NULL)
4057 return 1;
4058 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4059 if (idx == 2 && is_fips == 1)
4060 return 1;
4061
4062 /* We always set this up with a final parameter of "2" for PSK */
4063 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4064 &serverssl, &sess, 2)))
4065 goto end;
4066
4067 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4068 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4069 goto end;
4070
4071 /*
4072 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4073 * and assigns to both client and server with incremented reference
4074 * and the same instance is updated in 'sess'.
4075 * So updating ciphersuite in 'sess' which will get reflected in
4076 * PSK handshake using psk use sess and find sess cb.
4077 */
4078 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4079 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4080 goto end;
4081
4082 SSL_set_connect_state(clientssl);
4083 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4084 &written)))
4085 goto end;
4086
4087 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4088 &readbytes),
4089 SSL_READ_EARLY_DATA_SUCCESS)
4090 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4091 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4092 SSL_EARLY_DATA_ACCEPTED)
4093 || !TEST_int_eq(SSL_connect(clientssl), 1)
4094 || !TEST_int_eq(SSL_accept(serverssl), 1))
4095 goto end;
4096
4097 /* Send some normal data from client to server */
4098 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4099 || !TEST_size_t_eq(written, strlen(MSG2)))
4100 goto end;
4101
4102 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4103 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4104 goto end;
4105
4106 testresult = 1;
4107 end:
4108 SSL_SESSION_free(sess);
4109 SSL_SESSION_free(clientpsk);
4110 SSL_SESSION_free(serverpsk);
4111 clientpsk = serverpsk = NULL;
4112 if (clientssl != NULL)
4113 SSL_shutdown(clientssl);
4114 if (serverssl != NULL)
4115 SSL_shutdown(serverssl);
4116 SSL_free(serverssl);
4117 SSL_free(clientssl);
4118 SSL_CTX_free(sctx);
4119 SSL_CTX_free(cctx);
4120 return testresult;
4121}
4122
710756a9
RS		 4123/*
4124 * Test that a server that doesn't try to read early data can handle a
4125 * client sending some.
4126 */
3cb47b4e 4127static int test_early_data_not_expected(int idx)
5f982038
MC		 4128{
4129 SSL_CTX *cctx = NULL, *sctx = NULL;
4130 SSL *clientssl = NULL, *serverssl = NULL;
4131 int testresult = 0;
018fcbec 4132 SSL_SESSION *sess = NULL;
5f982038
MC		 4133 unsigned char buf[20];
4134 size_t readbytes, written;
4135
710756a9
RS		 4136 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4137 &serverssl, &sess, idx)))
5f982038
MC		 4138 goto end;
4139
4140 /* Write some early data */
710756a9
RS		 4141 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4142 &written)))
5f982038 4143 goto end;
5f982038
MC		 4144
4145 /*
4146 * Server should skip over early data and then block waiting for client to
4147 * continue handshake
4148 */
710756a9
RS		 4149 if (!TEST_int_le(SSL_accept(serverssl), 0)
4150 || !TEST_int_gt(SSL_connect(clientssl), 0)
4151 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4152 SSL_EARLY_DATA_REJECTED)
4153 || !TEST_int_gt(SSL_accept(serverssl), 0)
4154 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4155 SSL_EARLY_DATA_REJECTED))
5f982038 4156 goto end;
5f982038
MC		 4157
4158 /* Send some normal data from client to server */
710756a9
RS		 4159 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4160 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4161 goto end;
5f982038 4162
710756a9
RS		 4163 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4164 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4165 goto end;
5f982038
MC		 4166
4167 testresult = 1;
4168
4169 end:
5f982038 4170 SSL_SESSION_free(sess);
c20e3b28 4171 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4172 SSL_SESSION_free(serverpsk);
4173 clientpsk = serverpsk = NULL;
5f982038
MC		 4174 SSL_free(serverssl);
4175 SSL_free(clientssl);
4176 SSL_CTX_free(sctx);
4177 SSL_CTX_free(cctx);
5f982038
MC		 4178 return testresult;
4179}
4180
4181
4182# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4183/*
4184 * Test that a server attempting to read early data can handle a connection
4185 * from a TLSv1.2 client.
4186 */
3cb47b4e 4187static int test_early_data_tls1_2(int idx)
5f982038
MC		 4188{
4189 SSL_CTX *cctx = NULL, *sctx = NULL;
4190 SSL *clientssl = NULL, *serverssl = NULL;
4191 int testresult = 0;
4192 unsigned char buf[20];
4193 size_t readbytes, written;
4194
02a3ed5a
MC		 4195 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4196 &serverssl, NULL, idx)))
5f982038 4197 goto end;
5f982038
MC		 4198
4199 /* Write some data - should block due to handshake with server */
4200 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4201 SSL_set_connect_state(clientssl);
710756a9 4202 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4203 goto end;
5f982038
MC		 4204
4205 /*
4206 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4207 * messages from client after ServerDone. Then SSL_read_early_data should
4208 * finish and detect that early data has not been sent
5f982038 4209 */
710756a9
RS		 4210 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4211 &readbytes),
4212 SSL_READ_EARLY_DATA_ERROR))
5f982038 4213 goto end;
5f982038
MC		 4214
4215 /*
4216 * Continue writing the message we started earlier. Will still block waiting
4217 * for the CCS/Finished from server
4218 */
710756a9
RS		 4219 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4220 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4221 &readbytes),
4222 SSL_READ_EARLY_DATA_FINISH)
4223 || !TEST_size_t_eq(readbytes, 0)
4224 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4225 SSL_EARLY_DATA_NOT_SENT))
5f982038 4226 goto end;
5f982038
MC		 4227
4228 /* Continue writing the message we started earlier */
710756a9
RS		 4229 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4230 || !TEST_size_t_eq(written, strlen(MSG1))
4231 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4232 SSL_EARLY_DATA_NOT_SENT)
4233 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4234 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4235 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4236 || !TEST_size_t_eq(written, strlen(MSG2))
4237 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4238 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4239 goto end;
5f982038
MC		 4240
4241 testresult = 1;
4242
4243 end:
57dee9bb
MC		 4244 SSL_SESSION_free(clientpsk);
4245 SSL_SESSION_free(serverpsk);
4246 clientpsk = serverpsk = NULL;
5f982038
MC		 4247 SSL_free(serverssl);
4248 SSL_free(clientssl);
4249 SSL_CTX_free(sctx);
4250 SSL_CTX_free(cctx);
4251
4252 return testresult;
4253}
ca0413ae
MC		 4254# endif /* OPENSSL_NO_TLS1_2 */
4255
034cb87b
MC		 4256/*
4257 * Test configuring the TLSv1.3 ciphersuites
4258 *
4259 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4260 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4261 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4262 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4263 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4264 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4265 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4266 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4267 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4268 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4269 */
4270static int test_set_ciphersuite(int idx)
4271{
4272 SSL_CTX *cctx = NULL, *sctx = NULL;
4273 SSL *clientssl = NULL, *serverssl = NULL;
4274 int testresult = 0;
4275
5e30f2fd
MC		 4276 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4277 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4278 &sctx, &cctx, cert, privkey))
4279 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4280 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4281 goto end;
4282
4283 if (idx >=4 && idx <= 7) {
4284 /* SSL_CTX explicit cipher list */
4285 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4286 goto end;
4287 }
4288
4289 if (idx == 0 || idx == 4) {
4290 /* Default ciphersuite */
4291 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4292 "TLS_AES_128_GCM_SHA256")))
4293 goto end;
4294 } else if (idx == 1 || idx == 5) {
4295 /* Non default ciphersuite */
4296 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4297 "TLS_AES_128_CCM_SHA256")))
4298 goto end;
4299 }
4300
4301 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4302 &clientssl, NULL, NULL)))
4303 goto end;
4304
4305 if (idx == 8 || idx == 9) {
4306 /* SSL explicit cipher list */
4307 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4308 goto end;
4309 }
4310
4311 if (idx == 2 || idx == 6 || idx == 8) {
4312 /* Default ciphersuite */
4313 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4314 "TLS_AES_128_GCM_SHA256")))
4315 goto end;
4316 } else if (idx == 3 || idx == 7 || idx == 9) {
4317 /* Non default ciphersuite */
4318 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4319 "TLS_AES_128_CCM_SHA256")))
4320 goto end;
4321 }
4322
4323 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4324 goto end;
4325
4326 testresult = 1;
4327
4328 end:
4329 SSL_free(serverssl);
4330 SSL_free(clientssl);
4331 SSL_CTX_free(sctx);
4332 SSL_CTX_free(cctx);
4333
4334 return testresult;
4335}
4336
ca0413ae
MC		 4337static int test_ciphersuite_change(void)
4338{
4339 SSL_CTX *cctx = NULL, *sctx = NULL;
4340 SSL *clientssl = NULL, *serverssl = NULL;
4341 SSL_SESSION *clntsess = NULL;
4342 int testresult = 0;
4343 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4344
4345 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4346 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4347 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4348 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4349 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4350 "TLS_AES_128_GCM_SHA256:"
4351 "TLS_AES_256_GCM_SHA384:"
4352 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4353 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4354 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4355 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4356 &clientssl, NULL, NULL))
4357 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4358 SSL_ERROR_NONE)))
4359 goto end;
4360
4361 clntsess = SSL_get1_session(clientssl);
4362 /* Save for later */
4363 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4364 SSL_shutdown(clientssl);
4365 SSL_shutdown(serverssl);
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4368 serverssl = clientssl = NULL;
4369
4370 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4371 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4372 "TLS_AES_128_CCM_SHA256"))
4373 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4374 &clientssl, NULL, NULL))
ca0413ae
MC		 4375 || !TEST_true(SSL_set_session(clientssl, clntsess))
4376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4377 SSL_ERROR_NONE))
4378 || !TEST_true(SSL_session_reused(clientssl)))
4379 goto end;
4380
4381 SSL_SESSION_free(clntsess);
4382 clntsess = SSL_get1_session(clientssl);
4383 SSL_shutdown(clientssl);
4384 SSL_shutdown(serverssl);
4385 SSL_free(serverssl);
4386 SSL_free(clientssl);
4387 serverssl = clientssl = NULL;
4388
4389 /*
4390 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4391 * succeeds but does not resume.
ca0413ae 4392 */
f865b081 4393 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4394 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4395 NULL, NULL))
4396 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4397 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4398 SSL_ERROR_SSL))
0de6d66d 4399 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4400 goto end;
4401
4402 SSL_SESSION_free(clntsess);
4403 clntsess = NULL;
4404 SSL_shutdown(clientssl);
4405 SSL_shutdown(serverssl);
4406 SSL_free(serverssl);
4407 SSL_free(clientssl);
4408 serverssl = clientssl = NULL;
4409
4410 /* Create a session based on SHA384 */
f865b081 4411 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4412 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4413 &clientssl, NULL, NULL))
4414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4415 SSL_ERROR_NONE)))
4416 goto end;
4417
4418 clntsess = SSL_get1_session(clientssl);
4419 SSL_shutdown(clientssl);
4420 SSL_shutdown(serverssl);
4421 SSL_free(serverssl);
4422 SSL_free(clientssl);
4423 serverssl = clientssl = NULL;
4424
f865b081
MC		 4425 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4426 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4427 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4428 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4429 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4430 NULL, NULL))
4431 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4432 /*
4433 * We use SSL_ERROR_WANT_READ below so that we can pause the
4434 * connection after the initial ClientHello has been sent to
4435 * enable us to make some session changes.
4436 */
ca0413ae
MC		 4437 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4438 SSL_ERROR_WANT_READ)))
4439 goto end;
4440
4441 /* Trick the client into thinking this session is for a different digest */
4442 clntsess->cipher = aes_128_gcm_sha256;
4443 clntsess->cipher_id = clntsess->cipher->id;
4444
4445 /*
3b0e88d3
MC		 4446 * Continue the previously started connection. Server has selected a SHA-384
4447 * ciphersuite, but client thinks the session is for SHA-256, so it should
4448 * bail out.
ca0413ae
MC		 4449 */
4450 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4451 SSL_ERROR_SSL))
4452 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4453 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4454 goto end;
4455
4456 testresult = 1;
4457
4458 end:
4459 SSL_SESSION_free(clntsess);
4460 SSL_free(serverssl);
4461 SSL_free(clientssl);
4462 SSL_CTX_free(sctx);
4463 SSL_CTX_free(cctx);
4464
4465 return testresult;
4466}
4467
8e63900a 4468/*
5bf2eade 4469 * Test TLSv1.3 Key exchange
4470 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4471 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4472 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4473 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4474 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4475 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4476 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4477 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4478 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4479 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4480 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4481 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4482 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4483 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4484 */
db26ec80 4485static int test_key_exchange(int idx)
8e63900a 4486{
4487 SSL_CTX *sctx = NULL, *cctx = NULL;
4488 SSL *serverssl = NULL, *clientssl = NULL;
4489 int testresult = 0;
5bf2eade 4490# ifndef OPENSSL_NO_EC
4491 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4492 NID_secp521r1, NID_X25519, NID_X448};
4493# endif
4494# ifndef OPENSSL_NO_DH
8e63900a 4495 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4496 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4497# endif
fb8c6db4 4498 int kexch_alg;
4499 int *kexch_groups = &kexch_alg;
4500 int kexch_groups_size = 1;
8e63900a 4501 int max_version = TLS1_3_VERSION;
8e63900a 4502
4503 switch (idx) {
5bf2eade 4504# ifndef OPENSSL_NO_EC
db26ec80 4505# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4506 case 12:
fb8c6db4 4507 max_version = TLS1_2_VERSION;
db26ec80 4508# endif
fb8c6db4 4509 /* Fall through */
4510 case 0:
4511 kexch_groups = ecdhe_kexch_groups;
4512 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4513 break;
5bf2eade 4514 case 1:
fb8c6db4 4515 kexch_alg = NID_X9_62_prime256v1;
4516 break;
5bf2eade 4517 case 2:
fb8c6db4 4518 kexch_alg = NID_secp384r1;
4519 break;
5bf2eade 4520 case 3:
fb8c6db4 4521 kexch_alg = NID_secp521r1;
4522 break;
5bf2eade 4523 case 4:
fb8c6db4 4524 kexch_alg = NID_X25519;
4525 break;
5bf2eade 4526 case 5:
fb8c6db4 4527 kexch_alg = NID_X448;
4528 break;
5bf2eade 4529# endif
4530# ifndef OPENSSL_NO_DH
db26ec80 4531# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4532 case 13:
dbc6268f 4533 max_version = TLS1_2_VERSION;
db26ec80 4534# endif
dbc6268f 4535 /* Fall through */
5bf2eade 4536 case 6:
8e63900a 4537 kexch_groups = ffdhe_kexch_groups;
4538 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4539 break;
5bf2eade 4540 case 7:
fb8c6db4 4541 kexch_alg = NID_ffdhe2048;
4542 break;
5bf2eade 4543 case 8:
fb8c6db4 4544 kexch_alg = NID_ffdhe3072;
4545 break;
5bf2eade 4546 case 9:
fb8c6db4 4547 kexch_alg = NID_ffdhe4096;
4548 break;
5bf2eade 4549 case 10:
fb8c6db4 4550 kexch_alg = NID_ffdhe6144;
4551 break;
5bf2eade 4552 case 11:
fb8c6db4 4553 kexch_alg = NID_ffdhe8192;
8e63900a 4554 break;
5bf2eade 4555# endif
6597d62b
MC		 4556 default:
4557 /* We're skipping this test */
4558 return 1;
8e63900a 4559 }
4560
5e30f2fd
MC		 4561 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4562 TLS_client_method(), TLS1_VERSION,
4563 max_version, &sctx, &cctx, cert,
4564 privkey)))
8e63900a 4565 goto end;
4566
5bf2eade 4567 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4568 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4569 goto end;
4570
5bf2eade 4571 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4572 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4573 goto end;
4574
5bf2eade 4575 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4576 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4577 goto end;
4578
dbc6268f
MC		 4579 /*
4580 * Must include an EC ciphersuite so that we send supported groups in
4581 * TLSv1.2
4582 */
5bf2eade 4583# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4584 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4585 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4586 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4587 goto end;
5bf2eade 4588# endif
8e63900a 4589
4590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4591 NULL, NULL)))
4592 goto end;
4593
4594 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4595 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4596 goto end;
4597
5bf2eade 4598 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4599 goto end;
8e63900a 4600
dbc6268f 4601 /*
5bf2eade 4602 * If Handshake succeeds the negotiated kexch alg should be the first one in
4603 * configured, except in the case of FFDHE groups (idx 13), which are
4604 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4605 */
4606 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4607 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4608 goto end;
fb8c6db4 4609 if (max_version == TLS1_3_VERSION) {
4610 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4611 goto end;
4612 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4613 goto end;
4614 }
8e63900a 4615
4616 testresult = 1;
4617 end:
4618 SSL_free(serverssl);
4619 SSL_free(clientssl);
4620 SSL_CTX_free(sctx);
4621 SSL_CTX_free(cctx);
4622 return testresult;
4623}
4624
5bf2eade 4625/*
4626 * Test TLSv1.3 Cipher Suite
4627 * Test 0 = Set TLS1.3 cipher on context
4628 * Test 1 = Set TLS1.3 cipher on SSL
4629 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4630 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4631 */
4632static int test_tls13_ciphersuite(int idx)
4633{
4634 SSL_CTX *sctx = NULL, *cctx = NULL;
4635 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4636 static const struct {
4637 const char *ciphername;
4638 int fipscapable;
4639 } t13_ciphers[] = {
4640 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4641 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4642 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4643# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4644 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4645 { TLS1_3_RFC_AES_256_GCM_SHA384
4646 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4647# endif
4f6c7044 4648 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4649 };
4650 const char *t13_cipher = NULL;
4651 const char *t12_cipher = NULL;
4652 const char *negotiated_scipher;
4653 const char *negotiated_ccipher;
4654 int set_at_ctx = 0;
4655 int set_at_ssl = 0;
4656 int testresult = 0;
4657 int max_ver;
4658 size_t i;
4659
4660 switch (idx) {
4661 case 0:
4662 set_at_ctx = 1;
4663 break;
4664 case 1:
4665 set_at_ssl = 1;
4666 break;
4667 case 2:
4668 set_at_ctx = 1;
2d900758 4669 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4670 break;
4671 case 3:
4672 set_at_ssl = 1;
2d900758 4673 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4674 break;
4675 }
4676
4677 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4678# ifdef OPENSSL_NO_TLS1_2
4679 if (max_ver == TLS1_2_VERSION)
4680 continue;
4681# endif
4682 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4683 if (is_fips && !t13_ciphers[i].fipscapable)
4684 continue;
4685 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4686 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4687 TLS_client_method(),
4688 TLS1_VERSION, max_ver,
4689 &sctx, &cctx, cert, privkey)))
4690 goto end;
4691
4692 if (set_at_ctx) {
4693 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4694 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4695 goto end;
4696 if (t12_cipher != NULL) {
4697 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4698 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4699 t12_cipher)))
4700 goto end;
4701 }
4702 }
4703
4704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4705 &clientssl, NULL, NULL)))
4706 goto end;
4707
4708 if (set_at_ssl) {
4709 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4710 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4711 goto end;
4712 if (t12_cipher != NULL) {
4713 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4714 || !TEST_true(SSL_set_cipher_list(clientssl,
4715 t12_cipher)))
4716 goto end;
4717 }
4718 }
4719
4720 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4721 SSL_ERROR_NONE)))
4722 goto end;
4723
4724 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4725 serverssl));
4726 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4727 clientssl));
4728 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4729 goto end;
4730
4731 /*
4732 * TEST_strn_eq is used below because t13_cipher can contain
4733 * multiple ciphersuites
4734 */
4735 if (max_ver == TLS1_3_VERSION
4736 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4737 strlen(negotiated_scipher)))
4738 goto end;
4739
4740# ifndef OPENSSL_NO_TLS1_2
4741 /* Below validation is not done when t12_cipher is NULL */
4742 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4743 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4744 goto end;
4745# endif
4746
4747 SSL_free(serverssl);
4748 serverssl = NULL;
4749 SSL_free(clientssl);
4750 clientssl = NULL;
4751 SSL_CTX_free(sctx);
4752 sctx = NULL;
4753 SSL_CTX_free(cctx);
4754 cctx = NULL;
4755 }
4756 }
4757
4758 testresult = 1;
4759 end:
4760 SSL_free(serverssl);
4761 SSL_free(clientssl);
4762 SSL_CTX_free(sctx);
4763 SSL_CTX_free(cctx);
4764 return testresult;
4765}
4766
0d8da779
MC		 4767/*
4768 * Test TLSv1.3 PSKs
4769 * Test 0 = Test new style callbacks
4770 * Test 1 = Test both new and old style callbacks
4771 * Test 2 = Test old style callbacks
4772 * Test 3 = Test old style callbacks with no certificate
4773 */
532f9578 4774static int test_tls13_psk(int idx)
ca8c71ba
MC		 4775{
4776 SSL_CTX *sctx = NULL, *cctx = NULL;
4777 SSL *serverssl = NULL, *clientssl = NULL;
4778 const SSL_CIPHER *cipher = NULL;
4779 const unsigned char key[] = {
4780 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4781 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4782 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4783 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4784 };
4785 int testresult = 0;
4786
5e30f2fd
MC		 4787 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4788 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4789 &sctx, &cctx, idx == 3 ? NULL : cert,
4790 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4791 goto end;
4792
0d8da779
MC		 4793 if (idx != 3) {
4794 /*
4795 * We use a ciphersuite with SHA256 to ease testing old style PSK
4796 * callbacks which will always default to SHA256. This should not be
4797 * necessary if we have no cert/priv key. In that case the server should
4798 * prefer SHA256 automatically.
4799 */
4800 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4801 "TLS_AES_128_GCM_SHA256")))
4802 goto end;
4f6c7044
MC		 4803 } else {
4804 /*
4805 * As noted above the server should prefer SHA256 automatically. However
4806 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4807 * code works even if we are testing with only the FIPS provider loaded.
4808 */
4809 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4810 "TLS_AES_256_GCM_SHA384:"
4811 "TLS_AES_128_GCM_SHA256")))
4812 goto end;
0d8da779 4813 }
532f9578
MC		 4814
4815 /*
4816 * Test 0: New style callbacks only
4817 * Test 1: New and old style callbacks (only the new ones should be used)
4818 * Test 2: Old style callbacks only
4819 */
4820 if (idx == 0 || idx == 1) {
4821 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4822 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4823 }
c2b290c3 4824#ifndef OPENSSL_NO_PSK
0d8da779 4825 if (idx >= 1) {
532f9578
MC		 4826 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4827 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4828 }
c2b290c3 4829#endif
ca8c71ba 4830 srvid = pskid;
02a3ed5a
MC		 4831 use_session_cb_cnt = 0;
4832 find_session_cb_cnt = 0;
532f9578
MC		 4833 psk_client_cb_cnt = 0;
4834 psk_server_cb_cnt = 0;
ca8c71ba 4835
0d8da779
MC		 4836 if (idx != 3) {
4837 /*
4838 * Check we can create a connection if callback decides not to send a
4839 * PSK
4840 */
4841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4842 NULL, NULL))
4843 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4844 SSL_ERROR_NONE))
4845 || !TEST_false(SSL_session_reused(clientssl))
4846 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4847 goto end;
532f9578 4848
0d8da779
MC		 4849 if (idx == 0 || idx == 1) {
4850 if (!TEST_true(use_session_cb_cnt == 1)
4851 || !TEST_true(find_session_cb_cnt == 0)
4852 /*
4853 * If no old style callback then below should be 0
4854 * otherwise 1
4855 */
4856 || !TEST_true(psk_client_cb_cnt == idx)
4857 || !TEST_true(psk_server_cb_cnt == 0))
4858 goto end;
4859 } else {
4860 if (!TEST_true(use_session_cb_cnt == 0)
4861 || !TEST_true(find_session_cb_cnt == 0)
4862 || !TEST_true(psk_client_cb_cnt == 1)
4863 || !TEST_true(psk_server_cb_cnt == 0))
4864 goto end;
4865 }
4866
4867 shutdown_ssl_connection(serverssl, clientssl);
4868 serverssl = clientssl = NULL;
4869 use_session_cb_cnt = psk_client_cb_cnt = 0;
4870 }
ca8c71ba
MC		 4871
4872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4873 NULL, NULL)))
4874 goto end;
4875
4876 /* Create the PSK */
532f9578 4877 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4878 clientpsk = SSL_SESSION_new();
4879 if (!TEST_ptr(clientpsk)
ca8c71ba 4880 || !TEST_ptr(cipher)
57dee9bb
MC		 4881 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4882 sizeof(key)))
4883 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4884 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4885 TLS1_3_VERSION))
4886 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4887 goto end;
57dee9bb 4888 serverpsk = clientpsk;
ca8c71ba
MC		 4889
4890 /* Check we can create a connection and the PSK is used */
4891 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4892 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4893 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4894 goto end;
4895
532f9578
MC		 4896 if (idx == 0 || idx == 1) {
4897 if (!TEST_true(use_session_cb_cnt == 1)
4898 || !TEST_true(find_session_cb_cnt == 1)
4899 || !TEST_true(psk_client_cb_cnt == 0)
4900 || !TEST_true(psk_server_cb_cnt == 0))
4901 goto end;
4902 } else {
4903 if (!TEST_true(use_session_cb_cnt == 0)
4904 || !TEST_true(find_session_cb_cnt == 0)
4905 || !TEST_true(psk_client_cb_cnt == 1)
4906 || !TEST_true(psk_server_cb_cnt == 1))
4907 goto end;
4908 }
4909
ca8c71ba
MC		 4910 shutdown_ssl_connection(serverssl, clientssl);
4911 serverssl = clientssl = NULL;
4912 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4913 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4914
4915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4916 NULL, NULL)))
4917 goto end;
4918
4919 /* Force an HRR */
dbc6268f
MC		 4920#if defined(OPENSSL_NO_EC)
4921 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4922 goto end;
4923#else
ca8c71ba
MC		 4924 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4925 goto end;
dbc6268f 4926#endif
ca8c71ba
MC		 4927
4928 /*
4929 * Check we can create a connection, the PSK is used and the callbacks are
4930 * called twice.
4931 */
4932 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4933 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4934 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4935 goto end;
4936
532f9578
MC		 4937 if (idx == 0 || idx == 1) {
4938 if (!TEST_true(use_session_cb_cnt == 2)
4939 || !TEST_true(find_session_cb_cnt == 2)
4940 || !TEST_true(psk_client_cb_cnt == 0)
4941 || !TEST_true(psk_server_cb_cnt == 0))
4942 goto end;
4943 } else {
4944 if (!TEST_true(use_session_cb_cnt == 0)
4945 || !TEST_true(find_session_cb_cnt == 0)
4946 || !TEST_true(psk_client_cb_cnt == 2)
4947 || !TEST_true(psk_server_cb_cnt == 2))
4948 goto end;
4949 }
4950
ca8c71ba
MC		 4951 shutdown_ssl_connection(serverssl, clientssl);
4952 serverssl = clientssl = NULL;
4953 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4954 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4955
0d8da779
MC		 4956 if (idx != 3) {
4957 /*
4958 * Check that if the server rejects the PSK we can still connect, but with
4959 * a full handshake
4960 */
4961 srvid = "Dummy Identity";
4962 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4963 NULL, NULL))
4964 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4965 SSL_ERROR_NONE))
4966 || !TEST_false(SSL_session_reused(clientssl))
4967 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4968 goto end;
532f9578 4969
0d8da779
MC		 4970 if (idx == 0 || idx == 1) {
4971 if (!TEST_true(use_session_cb_cnt == 1)
4972 || !TEST_true(find_session_cb_cnt == 1)
4973 || !TEST_true(psk_client_cb_cnt == 0)
4974 /*
4975 * If no old style callback then below should be 0
4976 * otherwise 1
4977 */
4978 || !TEST_true(psk_server_cb_cnt == idx))
4979 goto end;
4980 } else {
4981 if (!TEST_true(use_session_cb_cnt == 0)
4982 || !TEST_true(find_session_cb_cnt == 0)
4983 || !TEST_true(psk_client_cb_cnt == 1)
4984 || !TEST_true(psk_server_cb_cnt == 1))
4985 goto end;
4986 }
4987
4988 shutdown_ssl_connection(serverssl, clientssl);
4989 serverssl = clientssl = NULL;
4990 }
ca8c71ba
MC		 4991 testresult = 1;
4992
4993 end:
57dee9bb
MC		 4994 SSL_SESSION_free(clientpsk);
4995 SSL_SESSION_free(serverpsk);
4996 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4997 SSL_free(serverssl);
4998 SSL_free(clientssl);
4999 SSL_CTX_free(sctx);
5000 SSL_CTX_free(cctx);
5001 return testresult;
5002}
5003
c7b8ff25
MC		 5004static unsigned char cookie_magic_value[] = "cookie magic";
5005
5006static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5007 unsigned int *cookie_len)
5008{
5009 /*
5010 * Not suitable as a real cookie generation function but good enough for
5011 * testing!
5012 */
97ea1e7f
MC		 5013 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5014 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5015
5016 return 1;
5017}
5018
5019static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5020 unsigned int cookie_len)
5021{
97ea1e7f 5022 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5023 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5024 return 1;
5025
5026 return 0;
5027}
5028
3fa2812f
BS		 5029static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5030 size_t *cookie_len)
5031{
5032 unsigned int temp;
5033 int res = generate_cookie_callback(ssl, cookie, &temp);
5034 *cookie_len = temp;
5035 return res;
5036}
5037
5038static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5039 size_t cookie_len)
5040{
5041 return verify_cookie_callback(ssl, cookie, cookie_len);
5042}
5043
c7b8ff25
MC		 5044static int test_stateless(void)
5045{
5046 SSL_CTX *sctx = NULL, *cctx = NULL;
5047 SSL *serverssl = NULL, *clientssl = NULL;
5048 int testresult = 0;
5049
5e30f2fd
MC		 5050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5051 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5052 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5053 goto end;
5054
e440f513
MC		 5055 /* The arrival of CCS messages can confuse the test */
5056 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5057
5058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5059 NULL, NULL))
5060 /* Send the first ClientHello */
5061 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5062 SSL_ERROR_WANT_READ))
5063 /*
5064 * This should fail with a -1 return because we have no callbacks
5065 * set up
5066 */
5067 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5068 goto end;
5069
5070 /* Fatal error so abandon the connection from this client */
5071 SSL_free(clientssl);
5072 clientssl = NULL;
5073
c7b8ff25 5074 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5075 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5076 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5077
e440f513
MC		 5078 /*
5079 * Create a new connection from the client (we can reuse the server SSL
5080 * object).
5081 */
c7b8ff25
MC		 5082 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5083 NULL, NULL))
5084 /* Send the first ClientHello */
5085 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5086 SSL_ERROR_WANT_READ))
5087 /* This should fail because there is no cookie */
e440f513 5088 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5089 goto end;
5090
5091 /* Abandon the connection from this client */
5092 SSL_free(clientssl);
5093 clientssl = NULL;
5094
5095 /*
5096 * Now create a connection from a new client but with the same server SSL
5097 * object
5098 */
5099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5100 NULL, NULL))
5101 /* Send the first ClientHello */
5102 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5103 SSL_ERROR_WANT_READ))
5104 /* This should fail because there is no cookie */
e440f513 5105 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5106 /* Send the second ClientHello */
5107 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5108 SSL_ERROR_WANT_READ))
5109 /* This should succeed because a cookie is now present */
e440f513 5110 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5111 /* Complete the connection */
5112 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5113 SSL_ERROR_NONE)))
5114 goto end;
5115
5116 shutdown_ssl_connection(serverssl, clientssl);
5117 serverssl = clientssl = NULL;
5118 testresult = 1;
5119
5120 end:
5121 SSL_free(serverssl);
5122 SSL_free(clientssl);
5123 SSL_CTX_free(sctx);
5124 SSL_CTX_free(cctx);
5125 return testresult;
5126
5127}
ca0413ae 5128#endif /* OPENSSL_NO_TLS1_3 */
5f982038 5129
a37008d9
MC		 5130static int clntaddoldcb = 0;
5131static int clntparseoldcb = 0;
5132static int srvaddoldcb = 0;
5133static int srvparseoldcb = 0;
5134static int clntaddnewcb = 0;
5135static int clntparsenewcb = 0;
5136static int srvaddnewcb = 0;
5137static int srvparsenewcb = 0;
bb01ef3f 5138static int snicb = 0;
a37008d9
MC		 5139
5140#define TEST_EXT_TYPE1 0xff00
5141
5142static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5143 size_t *outlen, int *al, void *add_arg)
5144{
5145 int *server = (int *)add_arg;
5146 unsigned char *data;
5147
5148 if (SSL_is_server(s))
5149 srvaddoldcb++;
5150 else
5151 clntaddoldcb++;
5152
710756a9
RS		 5153 if (*server != SSL_is_server(s)
5154 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5155 return -1;
5156
5157 *data = 1;
5158 *out = data;
5159 *outlen = sizeof(char);
a37008d9
MC		 5160 return 1;
5161}
5162
5163static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5164 void *add_arg)
5165{
5166 OPENSSL_free((unsigned char *)out);
5167}
5168
5169static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5170 size_t inlen, int *al, void *parse_arg)
5171{
5172 int *server = (int *)parse_arg;
5173
5174 if (SSL_is_server(s))
5175 srvparseoldcb++;
5176 else
5177 clntparseoldcb++;
5178
710756a9
RS		 5179 if (*server != SSL_is_server(s)
5180 || inlen != sizeof(char)
5181 || *in != 1)
a37008d9
MC		 5182 return -1;
5183
5184 return 1;
5185}
5186
5187static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5188 const unsigned char **out, size_t *outlen, X509 *x,
5189 size_t chainidx, int *al, void *add_arg)
5190{
5191 int *server = (int *)add_arg;
5192 unsigned char *data;
5193
5194 if (SSL_is_server(s))
5195 srvaddnewcb++;
5196 else
5197 clntaddnewcb++;
5198
710756a9
RS		 5199 if (*server != SSL_is_server(s)
5200 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5201 return -1;
5202
5203 *data = 1;
5204 *out = data;
710756a9 5205 *outlen = sizeof(*data);
a37008d9
MC		 5206 return 1;
5207}
5208
5209static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5210 const unsigned char *out, void *add_arg)
5211{
5212 OPENSSL_free((unsigned char *)out);
5213}
5214
5215static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5216 const unsigned char *in, size_t inlen, X509 *x,
5217 size_t chainidx, int *al, void *parse_arg)
5218{
5219 int *server = (int *)parse_arg;
5220
5221 if (SSL_is_server(s))
5222 srvparsenewcb++;
5223 else
5224 clntparsenewcb++;
5225
710756a9
RS		 5226 if (*server != SSL_is_server(s)
5227 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5228 return -1;
5229
5230 return 1;
5231}
bb01ef3f
MC		 5232
5233static int sni_cb(SSL *s, int *al, void *arg)
5234{
5235 SSL_CTX *ctx = (SSL_CTX *)arg;
5236
5237 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5238 *al = SSL_AD_INTERNAL_ERROR;
5239 return SSL_TLSEXT_ERR_ALERT_FATAL;
5240 }
5241 snicb++;
5242 return SSL_TLSEXT_ERR_OK;
5243}
5244
a37008d9
MC		 5245/*
5246 * Custom call back tests.
5247 * Test 0: Old style callbacks in TLSv1.2
5248 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5249 * Test 2: New style callbacks in TLSv1.2 with SNI
5250 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5251 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5252 */
710756a9
RS		 5253static int test_custom_exts(int tst)
5254{
bb01ef3f 5255 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5256 SSL *clientssl = NULL, *serverssl = NULL;
5257 int testresult = 0;
5258 static int server = 1;
5259 static int client = 0;
5260 SSL_SESSION *sess = NULL;
5261 unsigned int context;
5262
c423ecaa
MC		 5263#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5264 /* Skip tests for TLSv1.2 and below in this case */
5265 if (tst < 3)
5266 return 1;
5267#endif
5268
a37008d9
MC		 5269 /* Reset callback counters */
5270 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5271 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5272 snicb = 0;
a37008d9 5273
5e30f2fd
MC		 5274 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5275 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5276 &sctx, &cctx, cert, privkey)))
710756a9 5277 goto end;
a37008d9 5278
bb01ef3f 5279 if (tst == 2
5e30f2fd 5280 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5281 TLS1_VERSION, 0,
7d7f6834 5282 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5283 goto end;
5284
5285
5286 if (tst < 3) {
a37008d9
MC		 5287 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5288 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5289 if (sctx2 != NULL)
5290 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5291 }
5292
bb01ef3f 5293 if (tst == 4) {
710756a9
RS		 5294 context = SSL_EXT_CLIENT_HELLO
5295 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5296 | SSL_EXT_TLS1_3_SERVER_HELLO
5297 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5298 | SSL_EXT_TLS1_3_CERTIFICATE
5299 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5300 } else {
710756a9
RS		 5301 context = SSL_EXT_CLIENT_HELLO
5302 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5303 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5304 }
5305
5306 /* Create a client side custom extension */
5307 if (tst == 0) {
710756a9
RS		 5308 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5309 old_add_cb, old_free_cb,
5310 &client, old_parse_cb,
5311 &client)))
5312 goto end;
a37008d9 5313 } else {
710756a9
RS		 5314 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5315 new_add_cb, new_free_cb,
5316 &client, new_parse_cb, &client)))
5317 goto end;
a37008d9
MC		 5318 }
5319
5320 /* Should not be able to add duplicates */
710756a9
RS		 5321 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5322 old_add_cb, old_free_cb,
5323 &client, old_parse_cb,
5324 &client))
5325 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5326 context, new_add_cb,
5327 new_free_cb, &client,
5328 new_parse_cb, &client)))
5329 goto end;
a37008d9
MC		 5330
5331 /* Create a server side custom extension */
5332 if (tst == 0) {
710756a9
RS		 5333 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5334 old_add_cb, old_free_cb,
5335 &server, old_parse_cb,
5336 &server)))
5337 goto end;
a37008d9 5338 } else {
710756a9
RS		 5339 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5340 new_add_cb, new_free_cb,
5341 &server, new_parse_cb, &server)))
5342 goto end;
bb01ef3f
MC		 5343 if (sctx2 != NULL
5344 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5345 context, new_add_cb,
5346 new_free_cb, &server,
5347 new_parse_cb, &server)))
5348 goto end;
a37008d9
MC		 5349 }
5350
5351 /* Should not be able to add duplicates */
710756a9
RS		 5352 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5353 old_add_cb, old_free_cb,
5354 &server, old_parse_cb,
5355 &server))
5356 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5357 context, new_add_cb,
5358 new_free_cb, &server,
5359 new_parse_cb, &server)))
a37008d9 5360 goto end;
a37008d9 5361
bb01ef3f
MC		 5362 if (tst == 2) {
5363 /* Set up SNI */
5364 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5365 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5366 goto end;
5367 }
5368
710756a9
RS		 5369 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5370 &clientssl, NULL, NULL))
5371 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5372 SSL_ERROR_NONE)))
a37008d9 5373 goto end;
a37008d9
MC		 5374
5375 if (tst == 0) {
710756a9
RS		 5376 if (clntaddoldcb != 1
5377 || clntparseoldcb != 1
5378 || srvaddoldcb != 1
5379 || srvparseoldcb != 1)
a37008d9 5380 goto end;
bb01ef3f 5381 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5382 if (clntaddnewcb != 1
5383 || clntparsenewcb != 1
5384 || srvaddnewcb != 1
bb01ef3f
MC		 5385 || srvparsenewcb != 1
5386 || (tst != 2 && snicb != 0)
5387 || (tst == 2 && snicb != 1))
a37008d9 5388 goto end;
a37008d9 5389 } else {
36ff232c 5390 /* In this case there 2 NewSessionTicket messages created */
710756a9 5391 if (clntaddnewcb != 1
36ff232c
MC		 5392 || clntparsenewcb != 5
5393 || srvaddnewcb != 5
710756a9 5394 || srvparsenewcb != 1)
a37008d9 5395 goto end;
a37008d9
MC		 5396 }
5397
5398 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5399 SSL_shutdown(clientssl);
5400 SSL_shutdown(serverssl);
a37008d9
MC		 5401 SSL_free(serverssl);
5402 SSL_free(clientssl);
5403 serverssl = clientssl = NULL;
5404
bb01ef3f
MC		 5405 if (tst == 3) {
5406 /* We don't bother with the resumption aspects for this test */
5407 testresult = 1;
5408 goto end;
5409 }
5410
710756a9
RS		 5411 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5412 NULL, NULL))
5413 || !TEST_true(SSL_set_session(clientssl, sess))
5414 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5415 SSL_ERROR_NONE)))
a37008d9 5416 goto end;
a37008d9
MC		 5417
5418 /*
5419 * For a resumed session we expect to add the ClientHello extension. For the
5420 * old style callbacks we ignore it on the server side because they set
5421 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5422 * them.
5423 */
5424 if (tst == 0) {
710756a9
RS		 5425 if (clntaddoldcb != 2
5426 || clntparseoldcb != 1
5427 || srvaddoldcb != 1
5428 || srvparseoldcb != 1)
a37008d9 5429 goto end;
bb01ef3f 5430 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5431 if (clntaddnewcb != 2
5432 || clntparsenewcb != 2
5433 || srvaddnewcb != 2
5434 || srvparsenewcb != 2)
a37008d9 5435 goto end;
a37008d9 5436 } else {
36ff232c
MC		 5437 /*
5438 * No Certificate message extensions in the resumption handshake,
5439 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5440 */
710756a9 5441 if (clntaddnewcb != 2
36ff232c
MC		 5442 || clntparsenewcb != 8
5443 || srvaddnewcb != 8
710756a9 5444 || srvparsenewcb != 2)
a37008d9 5445 goto end;
a37008d9
MC		 5446 }
5447
5448 testresult = 1;
5449
5450end:
5451 SSL_SESSION_free(sess);
5452 SSL_free(serverssl);
5453 SSL_free(clientssl);
bb01ef3f 5454 SSL_CTX_free(sctx2);
a37008d9
MC		 5455 SSL_CTX_free(sctx);
5456 SSL_CTX_free(cctx);
a37008d9
MC		 5457 return testresult;
5458}
5459
16afd71c
MC		 5460/*
5461 * Test loading of serverinfo data in various formats. test_sslmessages actually
5462 * tests to make sure the extensions appear in the handshake
5463 */
5464static int test_serverinfo(int tst)
5465{
5466 unsigned int version;
5467 unsigned char *sibuf;
5468 size_t sibuflen;
5469 int ret, expected, testresult = 0;
5470 SSL_CTX *ctx;
5471
5e30f2fd 5472 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
16afd71c
MC		 5473 if (!TEST_ptr(ctx))
5474 goto end;
5475
5476 if ((tst & 0x01) == 0x01)
5477 version = SSL_SERVERINFOV2;
5478 else
5479 version = SSL_SERVERINFOV1;
5480
5481 if ((tst & 0x02) == 0x02) {
5482 sibuf = serverinfov2;
5483 sibuflen = sizeof(serverinfov2);
5484 expected = (version == SSL_SERVERINFOV2);
5485 } else {
5486 sibuf = serverinfov1;
5487 sibuflen = sizeof(serverinfov1);
5488 expected = (version == SSL_SERVERINFOV1);
5489 }
5490
5491 if ((tst & 0x04) == 0x04) {
5492 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5493 } else {
5494 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5495
5496 /*
5497 * The version variable is irrelevant in this case - it's what is in the
5498 * buffer that matters
5499 */
5500 if ((tst & 0x02) == 0x02)
5501 expected = 0;
5502 else
5503 expected = 1;
5504 }
5505
5506 if (!TEST_true(ret == expected))
5507 goto end;
5508
5509 testresult = 1;
5510
5511 end:
5512 SSL_CTX_free(ctx);
5513
5514 return testresult;
5515}
5516
2197d1df
MC		 5517/*
5518 * Test that SSL_export_keying_material() produces expected results. There are
5519 * no test vectors so all we do is test that both sides of the communication
5520 * produce the same results for different protocol versions.
5521 */
0fb2815b
MC		 5522#define SMALL_LABEL_LEN 10
5523#define LONG_LABEL_LEN 249
2197d1df
MC		 5524static int test_export_key_mat(int tst)
5525{
a599574b 5526 int testresult = 0;
2197d1df
MC		 5527 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5528 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5529 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5530 const unsigned char context[] = "context";
5531 const unsigned char *emptycontext = NULL;
5532 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5533 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5534 size_t labellen;
a599574b
MC		 5535 const int protocols[] = {
5536 TLS1_VERSION,
5537 TLS1_1_VERSION,
5538 TLS1_2_VERSION,
0fb2815b
MC		 5539 TLS1_3_VERSION,
5540 TLS1_3_VERSION,
a599574b
MC		 5541 TLS1_3_VERSION
5542 };
2197d1df
MC		 5543
5544#ifdef OPENSSL_NO_TLS1
5545 if (tst == 0)
5546 return 1;
5547#endif
5548#ifdef OPENSSL_NO_TLS1_1
5549 if (tst == 1)
5550 return 1;
5551#endif
4f6c7044
MC		 5552 if (is_fips && (tst == 0 || tst == 1))
5553 return 1;
2197d1df
MC		 5554#ifdef OPENSSL_NO_TLS1_2
5555 if (tst == 2)
5556 return 1;
5557#endif
5558#ifdef OPENSSL_NO_TLS1_3
0fb2815b 5559 if (tst >= 3)
2197d1df
MC		 5560 return 1;
5561#endif
5e30f2fd
MC		 5562 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5563 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5564 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5565 goto end;
5566
a599574b
MC		 5567 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5568 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5569 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 5570
5571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5572 NULL))
5573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5574 SSL_ERROR_NONE)))
5575 goto end;
5576
0fb2815b
MC		 5577 if (tst == 5) {
5578 /*
5579 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5580 * go over that.
5581 */
5582 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5583 sizeof(ckeymat1), label,
5584 LONG_LABEL_LEN + 1, context,
5585 sizeof(context) - 1, 1), 0))
5586 goto end;
5587
5588 testresult = 1;
5589 goto end;
5590 } else if (tst == 4) {
5591 labellen = LONG_LABEL_LEN;
5592 } else {
5593 labellen = SMALL_LABEL_LEN;
5594 }
5595
2197d1df
MC		 5596 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5597 sizeof(ckeymat1), label,
0fb2815b 5598 labellen, context,
2197d1df
MC		 5599 sizeof(context) - 1, 1), 1)
5600 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5601 sizeof(ckeymat2), label,
0fb2815b 5602 labellen,
2197d1df
MC		 5603 emptycontext,
5604 0, 1), 1)
5605 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5606 sizeof(ckeymat3), label,
0fb2815b 5607 labellen,
2197d1df
MC		 5608 NULL, 0, 0), 1)
5609 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5610 sizeof(skeymat1), label,
0fb2815b 5611 labellen,
2197d1df
MC		 5612 context,
5613 sizeof(context) -1, 1),
5614 1)
5615 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5616 sizeof(skeymat2), label,
0fb2815b 5617 labellen,
2197d1df
MC		 5618 emptycontext,
5619 0, 1), 1)
5620 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5621 sizeof(skeymat3), label,
0fb2815b 5622 labellen,
2197d1df
MC		 5623 NULL, 0, 0), 1)
5624 /*
5625 * Check that both sides created the same key material with the
5626 * same context.
5627 */
5628 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5629 sizeof(skeymat1))
5630 /*
5631 * Check that both sides created the same key material with an
5632 * empty context.
5633 */
5634 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5635 sizeof(skeymat2))
5636 /*
5637 * Check that both sides created the same key material without a
5638 * context.
5639 */
5640 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5641 sizeof(skeymat3))
5642 /* Different contexts should produce different results */
5643 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5644 sizeof(ckeymat2)))
5645 goto end;
5646
5647 /*
5648 * Check that an empty context and no context produce different results in
5649 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5650 */
0fb2815b 5651 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5652 sizeof(ckeymat3)))
0fb2815b
MC		 5653 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5654 sizeof(ckeymat3))))
2197d1df
MC		 5655 goto end;
5656
5657 testresult = 1;
5658
5659 end:
5660 SSL_free(serverssl);
5661 SSL_free(clientssl);
5662 SSL_CTX_free(sctx2);
5663 SSL_CTX_free(sctx);
5664 SSL_CTX_free(cctx);
5665
5666 return testresult;
5667}
5668
b38ede80
TT		 5669#ifndef OPENSSL_NO_TLS1_3
5670/*
5671 * Test that SSL_export_keying_material_early() produces expected
5672 * results. There are no test vectors so all we do is test that both
5673 * sides of the communication produce the same results for different
5674 * protocol versions.
5675 */
5676static int test_export_key_mat_early(int idx)
5677{
5678 static const char label[] = "test label";
5679 static const unsigned char context[] = "context";
5680 int testresult = 0;
5681 SSL_CTX *cctx = NULL, *sctx = NULL;
5682 SSL *clientssl = NULL, *serverssl = NULL;
5683 SSL_SESSION *sess = NULL;
5684 const unsigned char *emptycontext = NULL;
5685 unsigned char ckeymat1[80], ckeymat2[80];
5686 unsigned char skeymat1[80], skeymat2[80];
5687 unsigned char buf[1];
5688 size_t readbytes, written;
5689
5690 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5691 &sess, idx)))
5692 goto end;
5693
5694 /* Here writing 0 length early data is enough. */
5695 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5696 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5697 &readbytes),
5698 SSL_READ_EARLY_DATA_ERROR)
5699 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5700 SSL_EARLY_DATA_ACCEPTED))
5701 goto end;
5702
5703 if (!TEST_int_eq(SSL_export_keying_material_early(
5704 clientssl, ckeymat1, sizeof(ckeymat1), label,
5705 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5706 || !TEST_int_eq(SSL_export_keying_material_early(
5707 clientssl, ckeymat2, sizeof(ckeymat2), label,
5708 sizeof(label) - 1, emptycontext, 0), 1)
5709 || !TEST_int_eq(SSL_export_keying_material_early(
5710 serverssl, skeymat1, sizeof(skeymat1), label,
5711 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5712 || !TEST_int_eq(SSL_export_keying_material_early(
5713 serverssl, skeymat2, sizeof(skeymat2), label,
5714 sizeof(label) - 1, emptycontext, 0), 1)
5715 /*
5716 * Check that both sides created the same key material with the
5717 * same context.
5718 */
5719 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5720 sizeof(skeymat1))
5721 /*
5722 * Check that both sides created the same key material with an
5723 * empty context.
5724 */
5725 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5726 sizeof(skeymat2))
5727 /* Different contexts should produce different results */
5728 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5729 sizeof(ckeymat2)))
5730 goto end;
5731
5732 testresult = 1;
5733
5734 end:
c20e3b28 5735 SSL_SESSION_free(sess);
b38ede80
TT		 5736 SSL_SESSION_free(clientpsk);
5737 SSL_SESSION_free(serverpsk);
34ff74eb 5738 clientpsk = serverpsk = NULL;
b38ede80
TT		 5739 SSL_free(serverssl);
5740 SSL_free(clientssl);
5741 SSL_CTX_free(sctx);
5742 SSL_CTX_free(cctx);
5743
5744 return testresult;
5745}
3409a5ff
MC		 5746
5747#define NUM_KEY_UPDATE_MESSAGES 40
5748/*
5749 * Test KeyUpdate.
5750 */
5751static int test_key_update(void)
5752{
5753 SSL_CTX *cctx = NULL, *sctx = NULL;
5754 SSL *clientssl = NULL, *serverssl = NULL;
5755 int testresult = 0, i, j;
5756 char buf[20];
5757 static char *mess = "A test message";
5758
5e30f2fd 5759 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5760 TLS_client_method(),
5761 TLS1_3_VERSION,
5762 0,
5763 &sctx, &cctx, cert, privkey))
5764 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5765 NULL, NULL))
5766 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5767 SSL_ERROR_NONE)))
5768 goto end;
5769
5770 for (j = 0; j < 2; j++) {
5771 /* Send lots of KeyUpdate messages */
5772 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5773 if (!TEST_true(SSL_key_update(clientssl,
5774 (j == 0)
5775 ? SSL_KEY_UPDATE_NOT_REQUESTED
5776 : SSL_KEY_UPDATE_REQUESTED))
5777 || !TEST_true(SSL_do_handshake(clientssl)))
5778 goto end;
5779 }
5780
5781 /* Check that sending and receiving app data is ok */
5782 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5783 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5784 strlen(mess)))
5785 goto end;
a77b4dba
MC		 5786
5787 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5788 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5789 strlen(mess)))
5790 goto end;
3409a5ff
MC		 5791 }
5792
5793 testresult = 1;
5794
5795 end:
5796 SSL_free(serverssl);
5797 SSL_free(clientssl);
5798 SSL_CTX_free(sctx);
5799 SSL_CTX_free(cctx);
5800
5801 return testresult;
5802}
a77b4dba
MC		 5803
5804/*
5805 * Test we can handle a KeyUpdate (update requested) message while write data
5806 * is pending.
5807 * Test 0: Client sends KeyUpdate while Server is writing
5808 * Test 1: Server sends KeyUpdate while Client is writing
5809 */
5810static int test_key_update_in_write(int tst)
5811{
5812 SSL_CTX *cctx = NULL, *sctx = NULL;
5813 SSL *clientssl = NULL, *serverssl = NULL;
5814 int testresult = 0;
5815 char buf[20];
5816 static char *mess = "A test message";
5817 BIO *bretry = BIO_new(bio_s_always_retry());
5818 BIO *tmp = NULL;
5819 SSL *peerupdate = NULL, *peerwrite = NULL;
5820
5821 if (!TEST_ptr(bretry)
5e30f2fd 5822 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5823 TLS_client_method(),
5824 TLS1_3_VERSION,
5825 0,
5826 &sctx, &cctx, cert, privkey))
5827 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5828 NULL, NULL))
5829 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5830 SSL_ERROR_NONE)))
5831 goto end;
5832
5833 peerupdate = tst == 0 ? clientssl : serverssl;
5834 peerwrite = tst == 0 ? serverssl : clientssl;
5835
5836 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5837 || !TEST_true(SSL_do_handshake(peerupdate)))
5838 goto end;
5839
5840 /* Swap the writing endpoint's write BIO to force a retry */
5841 tmp = SSL_get_wbio(peerwrite);
5842 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5843 tmp = NULL;
5844 goto end;
5845 }
5846 SSL_set0_wbio(peerwrite, bretry);
5847 bretry = NULL;
5848
5849 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5850 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5851 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5852 goto end;
5853
5854 /* Reinstate the original writing endpoint's write BIO */
5855 SSL_set0_wbio(peerwrite, tmp);
5856 tmp = NULL;
5857
5858 /* Now read some data - we will read the key update */
5859 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5860 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5861 goto end;
5862
5863 /*
5864 * Complete the write we started previously and read it from the other
5865 * endpoint
5866 */
5867 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5868 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5869 goto end;
5870
5871 /* Write more data to ensure we send the KeyUpdate message back */
5872 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5873 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5874 goto end;
5875
5876 testresult = 1;
5877
5878 end:
5879 SSL_free(serverssl);
5880 SSL_free(clientssl);
5881 SSL_CTX_free(sctx);
5882 SSL_CTX_free(cctx);
5883 BIO_free(bretry);
5884 BIO_free(tmp);
5885
5886 return testresult;
5887}
b38ede80
TT		 5888#endif /* OPENSSL_NO_TLS1_3 */
5889
e11b6aa4
MC		 5890static int test_ssl_clear(int idx)
5891{
5892 SSL_CTX *cctx = NULL, *sctx = NULL;
5893 SSL *clientssl = NULL, *serverssl = NULL;
5894 int testresult = 0;
5895
5896#ifdef OPENSSL_NO_TLS1_2
5897 if (idx == 1)
5898 return 1;
5899#endif
5900
5901 /* Create an initial connection */
5e30f2fd
MC		 5902 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5903 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5904 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5905 || (idx == 1
5906 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5907 TLS1_2_VERSION)))
5908 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5909 &clientssl, NULL, NULL))
5910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5911 SSL_ERROR_NONE)))
5912 goto end;
5913
5914 SSL_shutdown(clientssl);
5915 SSL_shutdown(serverssl);
5916 SSL_free(serverssl);
5917 serverssl = NULL;
5918
5919 /* Clear clientssl - we're going to reuse the object */
5920 if (!TEST_true(SSL_clear(clientssl)))
5921 goto end;
5922
5923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5924 NULL, NULL))
5925 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5926 SSL_ERROR_NONE))
5927 || !TEST_true(SSL_session_reused(clientssl)))
5928 goto end;
5929
5930 SSL_shutdown(clientssl);
5931 SSL_shutdown(serverssl);
5932
5933 testresult = 1;
5934
5935 end:
5936 SSL_free(serverssl);
5937 SSL_free(clientssl);
5938 SSL_CTX_free(sctx);
5939 SSL_CTX_free(cctx);
5940
5941 return testresult;
5942}
5943
cf72c757
F		 5944/* Parse CH and retrieve any MFL extension value if present */
5945static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5946{
5947 long len;
5948 unsigned char *data;
72962d02 5949 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5950 unsigned int MFL_code = 0, type = 0;
5951
5952 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5953 goto end;
5954
72962d02
P		 5955 memset(&pkt, 0, sizeof(pkt));
5956 memset(&pkt2, 0, sizeof(pkt2));
5957 memset(&pkt3, 0, sizeof(pkt3));
5958
cf72c757
F		 5959 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5960 /* Skip the record header */
5961 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5962 /* Skip the handshake message header */
5963 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5964 /* Skip client version and random */
5965 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5966 + SSL3_RANDOM_SIZE))
5967 /* Skip session id */
5968 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5969 /* Skip ciphers */
5970 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5971 /* Skip compression */
5972 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5973 /* Extensions len */
5974 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5975 goto end;
5976
5977 /* Loop through all extensions */
5978 while (PACKET_remaining(&pkt2)) {
5979 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5980 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5981 goto end;
5982
5983 if (type == TLSEXT_TYPE_max_fragment_length) {
5984 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5985 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5986 goto end;
5987
5988 *mfl_codemfl_code = MFL_code;
5989 return 1;
5990 }
5991 }
5992
5993 end:
5994 return 0;
5995}
5996
5997/* Maximum-Fragment-Length TLS extension mode to test */
5998static const unsigned char max_fragment_len_test[] = {
5999 TLSEXT_max_fragment_length_512,
6000 TLSEXT_max_fragment_length_1024,
6001 TLSEXT_max_fragment_length_2048,
6002 TLSEXT_max_fragment_length_4096
6003};
6004
6005static int test_max_fragment_len_ext(int idx_tst)
6006{
6007 SSL_CTX *ctx;
6008 SSL *con = NULL;
6009 int testresult = 0, MFL_mode = 0;
6010 BIO *rbio, *wbio;
6011
5e30f2fd 6012 ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
cf72c757
F		 6013 if (!TEST_ptr(ctx))
6014 goto end;
6015
6016 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6017 ctx, max_fragment_len_test[idx_tst])))
6018 goto end;
6019
6020 con = SSL_new(ctx);
6021 if (!TEST_ptr(con))
6022 goto end;
6023
6024 rbio = BIO_new(BIO_s_mem());
6025 wbio = BIO_new(BIO_s_mem());
6026 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6027 BIO_free(rbio);
6028 BIO_free(wbio);
6029 goto end;
6030 }
6031
6032 SSL_set_bio(con, rbio, wbio);
6033 SSL_set_connect_state(con);
6034
6035 if (!TEST_int_le(SSL_connect(con), 0)) {
6036 /* This shouldn't succeed because we don't have a server! */
6037 goto end;
6038 }
6039
6040 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6041 /* no MFL in client hello */
6042 goto end;
6043 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6044 goto end;
6045
6046 testresult = 1;
6047
6048end:
6049 SSL_free(con);
6050 SSL_CTX_free(ctx);
6051
6052 return testresult;
6053}
6054
9d75dce3
TS		 6055#ifndef OPENSSL_NO_TLS1_3
6056static int test_pha_key_update(void)
6057{
6058 SSL_CTX *cctx = NULL, *sctx = NULL;
6059 SSL *clientssl = NULL, *serverssl = NULL;
6060 int testresult = 0;
6061
5e30f2fd
MC		 6062 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6063 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6064 &sctx, &cctx, cert, privkey)))
6065 return 0;
6066
6067 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6068 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6069 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6070 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6071 goto end;
6072
e97be718 6073 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6074
6075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6076 NULL, NULL)))
6077 goto end;
6078
9d75dce3
TS		 6079 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6080 SSL_ERROR_NONE)))
6081 goto end;
6082
6083 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6084 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6085 goto end;
6086
6087 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6088 goto end;
6089
6090 /* Start handshake on the server */
6091 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6092 goto end;
6093
6094 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6095 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6096 SSL_ERROR_NONE)))
6097 goto end;
6098
6099 SSL_shutdown(clientssl);
6100 SSL_shutdown(serverssl);
6101
6102 testresult = 1;
6103
6104 end:
6105 SSL_free(serverssl);
6106 SSL_free(clientssl);
6107 SSL_CTX_free(sctx);
6108 SSL_CTX_free(cctx);
6109 return testresult;
6110}
6111#endif
6112
76fd7a1d
MC		 6113#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6114
6115static SRP_VBASE *vbase = NULL;
6116
852c2ed2
RS		 6117DEFINE_STACK_OF(SRP_user_pwd)
6118
76fd7a1d
MC		 6119static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6120{
6121 int ret = SSL3_AL_FATAL;
6122 char *username;
6123 SRP_user_pwd *user = NULL;
6124
6125 username = SSL_get_srp_username(s);
6126 if (username == NULL) {
6127 *ad = SSL_AD_INTERNAL_ERROR;
6128 goto err;
6129 }
6130
6131 user = SRP_VBASE_get1_by_user(vbase, username);
6132 if (user == NULL) {
6133 *ad = SSL_AD_INTERNAL_ERROR;
6134 goto err;
6135 }
6136
6137 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6138 user->info) <= 0) {
6139 *ad = SSL_AD_INTERNAL_ERROR;
6140 goto err;
6141 }
6142
6143 ret = 0;
6144
6145 err:
6146 SRP_user_pwd_free(user);
6147 return ret;
6148}
6149
6150static int create_new_vfile(char *userid, char *password, const char *filename)
6151{
6152 char *gNid = NULL;
6153 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6154 TXT_DB *db = NULL;
6155 int ret = 0;
6156 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6157 size_t i;
6158
6159 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6160 goto end;
6161
20c00d0a 6162 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6163 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6164 if (!TEST_ptr(gNid))
6165 goto end;
6166
6167 /*
6168 * The only way to create an empty TXT_DB is to provide a BIO with no data
6169 * in it!
6170 */
6171 db = TXT_DB_read(dummy, DB_NUMBER);
6172 if (!TEST_ptr(db))
6173 goto end;
6174
6175 out = BIO_new_file(filename, "w");
6176 if (!TEST_ptr(out))
6177 goto end;
6178
6179 row[DB_srpid] = OPENSSL_strdup(userid);
6180 row[DB_srptype] = OPENSSL_strdup("V");
6181 row[DB_srpgN] = OPENSSL_strdup(gNid);
6182
6183 if (!TEST_ptr(row[DB_srpid])
6184 || !TEST_ptr(row[DB_srptype])
6185 || !TEST_ptr(row[DB_srpgN])
6186 || !TEST_true(TXT_DB_insert(db, row)))
6187 goto end;
6188
6189 row = NULL;
6190
6191 if (!TXT_DB_write(out, db))
6192 goto end;
6193
6194 ret = 1;
6195 end:
6196 if (row != NULL) {
6197 for (i = 0; i < DB_NUMBER; i++)
6198 OPENSSL_free(row[i]);
6199 }
6200 OPENSSL_free(row);
6201 BIO_free(dummy);
6202 BIO_free(out);
6203 TXT_DB_free(db);
6204
6205 return ret;
6206}
6207
6208static int create_new_vbase(char *userid, char *password)
6209{
6210 BIGNUM *verifier = NULL, *salt = NULL;
6211 const SRP_gN *lgN = NULL;
6212 SRP_user_pwd *user_pwd = NULL;
6213 int ret = 0;
6214
6215 lgN = SRP_get_default_gN(NULL);
6216 if (!TEST_ptr(lgN))
6217 goto end;
6218
20c00d0a 6219 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6220 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6221 goto end;
6222
6223 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6224 if (!TEST_ptr(user_pwd))
6225 goto end;
6226
6227 user_pwd->N = lgN->N;
6228 user_pwd->g = lgN->g;
6229 user_pwd->id = OPENSSL_strdup(userid);
6230 if (!TEST_ptr(user_pwd->id))
6231 goto end;
6232
6233 user_pwd->v = verifier;
6234 user_pwd->s = salt;
6235 verifier = salt = NULL;
6236
6237 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6238 goto end;
6239 user_pwd = NULL;
6240
6241 ret = 1;
6242end:
6243 SRP_user_pwd_free(user_pwd);
6244 BN_free(salt);
6245 BN_free(verifier);
6246
6247 return ret;
6248}
6249
6250/*
6251 * SRP tests
6252 *
6253 * Test 0: Simple successful SRP connection, new vbase
6254 * Test 1: Connection failure due to bad password, new vbase
6255 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6256 * Test 3: Connection failure due to bad password, vbase loaded from existing
6257 * file
6258 * Test 4: Simple successful SRP connection, vbase loaded from new file
6259 * Test 5: Connection failure due to bad password, vbase loaded from new file
6260 */
6261static int test_srp(int tst)
6262{
6263 char *userid = "test", *password = "password", *tstsrpfile;
6264 SSL_CTX *cctx = NULL, *sctx = NULL;
6265 SSL *clientssl = NULL, *serverssl = NULL;
6266 int ret, testresult = 0;
6267
6268 vbase = SRP_VBASE_new(NULL);
6269 if (!TEST_ptr(vbase))
6270 goto end;
6271
6272 if (tst == 0 || tst == 1) {
6273 if (!TEST_true(create_new_vbase(userid, password)))
6274 goto end;
6275 } else {
6276 if (tst == 4 || tst == 5) {
6277 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6278 goto end;
6279 tstsrpfile = tmpfilename;
6280 } else {
6281 tstsrpfile = srpvfile;
6282 }
6283 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6284 goto end;
6285 }
6286
5e30f2fd
MC		 6287 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6288 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6289 &sctx, &cctx, cert, privkey)))
6290 goto end;
6291
6292 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6293 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6294 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6295 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6296 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6297 goto end;
6298
6299 if (tst % 2 == 1) {
6300 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6301 goto end;
6302 } else {
6303 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6304 goto end;
6305 }
6306
6307 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6308 NULL, NULL)))
6309 goto end;
6310
6311 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6312 if (ret) {
6313 if (!TEST_true(tst % 2 == 0))
6314 goto end;
6315 } else {
6316 if (!TEST_true(tst % 2 == 1))
6317 goto end;
6318 }
6319
6320 testresult = 1;
6321
6322 end:
6323 SRP_VBASE_free(vbase);
6324 vbase = NULL;
6325 SSL_free(serverssl);
6326 SSL_free(clientssl);
6327 SSL_CTX_free(sctx);
6328 SSL_CTX_free(cctx);
6329
6330 return testresult;
6331}
6332#endif
6333
5718fe45
MC		 6334static int info_cb_failed = 0;
6335static int info_cb_offset = 0;
6336static int info_cb_this_state = -1;
6337
6338static struct info_cb_states_st {
6339 int where;
6340 const char *statestr;
6341} info_cb_states[][60] = {
6342 {
6343 /* TLSv1.2 server followed by resumption */
6344 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6345 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6346 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6347 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6348 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6349 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6350 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6351 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6352 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6353 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6354 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6355 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6356 {SSL_CB_EXIT, NULL}, {0, NULL},
6357 }, {
6358 /* TLSv1.2 client followed by resumption */
6359 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6360 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6361 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6362 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6363 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6364 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6366 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6367 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6368 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6369 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6370 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6371 }, {
6372 /* TLSv1.3 server followed by resumption */
6373 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6374 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6375 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6376 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6377 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6378 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6379 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6380 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6381 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6382 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6383 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6384 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6385 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6386 }, {
6387 /* TLSv1.3 client followed by resumption */
6388 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6389 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6390 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6391 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6392 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6393 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6394 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6395 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6396 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6397 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6398 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6399 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6400 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6401 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6402 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6403 }, {
6404 /* TLSv1.3 server, early_data */
6405 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6406 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6407 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6408 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6409 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6410 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6411 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6412 {SSL_CB_EXIT, NULL}, {0, NULL},
6413 }, {
6414 /* TLSv1.3 client, early_data */
6415 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6416 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6417 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6418 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6419 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6420 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6421 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6422 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6423 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6424 }, {
6425 {0, NULL},
6426 }
6427};
6428
6429static void sslapi_info_callback(const SSL *s, int where, int ret)
6430{
6431 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6432
6433 /* We do not ever expect a connection to fail in this test */
6434 if (!TEST_false(ret == 0)) {
6435 info_cb_failed = 1;
6436 return;
6437 }
6438
6439 /*
6440 * Do some sanity checks. We never expect these things to happen in this
6441 * test
6442 */
6443 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6444 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6445 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6446 info_cb_failed = 1;
6447 return;
6448 }
6449
6450 /* Now check we're in the right state */
6451 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6452 info_cb_failed = 1;
6453 return;
6454 }
6455 if ((where & SSL_CB_LOOP) != 0
6456 && !TEST_int_eq(strcmp(SSL_state_string(s),
6457 state[info_cb_this_state].statestr), 0)) {
6458 info_cb_failed = 1;
6459 return;
6460 }
033c181b 6461
4af5836b
MC		 6462 /*
6463 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6464 */
6465 if ((where & SSL_CB_HANDSHAKE_DONE)
6466 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6467 info_cb_failed = 1;
6468 return;
6469 }
5718fe45
MC		 6470}
6471
6472/*
6473 * Test the info callback gets called when we expect it to.
6474 *
6475 * Test 0: TLSv1.2, server
6476 * Test 1: TLSv1.2, client
6477 * Test 2: TLSv1.3, server
6478 * Test 3: TLSv1.3, client
6479 * Test 4: TLSv1.3, server, early_data
6480 * Test 5: TLSv1.3, client, early_data
6481 */
6482static int test_info_callback(int tst)
6483{
6484 SSL_CTX *cctx = NULL, *sctx = NULL;
6485 SSL *clientssl = NULL, *serverssl = NULL;
6486 SSL_SESSION *clntsess = NULL;
6487 int testresult = 0;
6488 int tlsvers;
6489
6490 if (tst < 2) {
1aac20f5
MC		 6491/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6492#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6493 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6494 tlsvers = TLS1_2_VERSION;
6495#else
6496 return 1;
6497#endif
6498 } else {
6499#ifndef OPENSSL_NO_TLS1_3
6500 tlsvers = TLS1_3_VERSION;
6501#else
6502 return 1;
6503#endif
6504 }
6505
6506 /* Reset globals */
6507 info_cb_failed = 0;
6508 info_cb_this_state = -1;
6509 info_cb_offset = tst;
6510
6e07834c 6511#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 6512 if (tst >= 4) {
6513 SSL_SESSION *sess = NULL;
6514 size_t written, readbytes;
6515 unsigned char buf[80];
6516
6517 /* early_data tests */
6518 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6519 &serverssl, &sess, 0)))
6520 goto end;
6521
6522 /* We don't actually need this reference */
6523 SSL_SESSION_free(sess);
6524
6525 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6526 sslapi_info_callback);
6527
6528 /* Write and read some early data and then complete the connection */
6529 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6530 &written))
6531 || !TEST_size_t_eq(written, strlen(MSG1))
6532 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6533 sizeof(buf), &readbytes),
6534 SSL_READ_EARLY_DATA_SUCCESS)
6535 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6536 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6537 SSL_EARLY_DATA_ACCEPTED)
6538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6539 SSL_ERROR_NONE))
6540 || !TEST_false(info_cb_failed))
6541 goto end;
6542
6543 testresult = 1;
6544 goto end;
6545 }
6e07834c 6546#endif
5718fe45 6547
5e30f2fd 6548 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6549 TLS_client_method(),
6550 tlsvers, tlsvers, &sctx, &cctx, cert,
6551 privkey)))
6552 goto end;
6553
6554 /*
6555 * For even numbered tests we check the server callbacks. For odd numbers we
6556 * check the client.
6557 */
6558 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6559 sslapi_info_callback);
6560
6561 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6562 &clientssl, NULL, NULL))
6563 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6564 SSL_ERROR_NONE))
6565 || !TEST_false(info_cb_failed))
6566 goto end;
6567
6568
6569
6570 clntsess = SSL_get1_session(clientssl);
6571 SSL_shutdown(clientssl);
6572 SSL_shutdown(serverssl);
6573 SSL_free(serverssl);
6574 SSL_free(clientssl);
6575 serverssl = clientssl = NULL;
6576
6577 /* Now do a resumption */
6578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6579 NULL))
6580 || !TEST_true(SSL_set_session(clientssl, clntsess))
6581 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6582 SSL_ERROR_NONE))
6583 || !TEST_true(SSL_session_reused(clientssl))
6584 || !TEST_false(info_cb_failed))
6585 goto end;
6586
6587 testresult = 1;
6588
6589 end:
6590 SSL_free(serverssl);
6591 SSL_free(clientssl);
6592 SSL_SESSION_free(clntsess);
6593 SSL_CTX_free(sctx);
6594 SSL_CTX_free(cctx);
6595 return testresult;
6596}
6597
4a432af8
MC		 6598static int test_ssl_pending(int tst)
6599{
6600 SSL_CTX *cctx = NULL, *sctx = NULL;
6601 SSL *clientssl = NULL, *serverssl = NULL;
6602 int testresult = 0;
6603 char msg[] = "A test message";
6604 char buf[5];
6605 size_t written, readbytes;
6606
6607 if (tst == 0) {
5e30f2fd 6608 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6609 TLS_client_method(),
5c587fb6 6610 TLS1_VERSION, 0,
4a432af8
MC		 6611 &sctx, &cctx, cert, privkey)))
6612 goto end;
6613 } else {
6614#ifndef OPENSSL_NO_DTLS
5e30f2fd 6615 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6616 DTLS_client_method(),
5c587fb6 6617 DTLS1_VERSION, 0,
4a432af8
MC		 6618 &sctx, &cctx, cert, privkey)))
6619 goto end;
6620#else
6621 return 1;
6622#endif
6623 }
6624
6625 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6626 NULL, NULL))
6627 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6628 SSL_ERROR_NONE)))
6629 goto end;
6630
e8251092
MC		 6631 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6632 || !TEST_false(SSL_has_pending(clientssl))
6633 || !TEST_int_eq(SSL_pending(serverssl), 0)
6634 || !TEST_false(SSL_has_pending(serverssl))
6635 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6636 || !TEST_size_t_eq(written, sizeof(msg))
6637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6638 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6639 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6640 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6641 goto end;
6642
6643 testresult = 1;
6644
6645 end:
6646 SSL_free(serverssl);
6647 SSL_free(clientssl);
6648 SSL_CTX_free(sctx);
6649 SSL_CTX_free(cctx);
6650
6651 return testresult;
6652}
6653
e401389a
MC		 6654static struct {
6655 unsigned int maxprot;
6656 const char *clntciphers;
6657 const char *clnttls13ciphers;
6658 const char *srvrciphers;
6659 const char *srvrtls13ciphers;
6660 const char *shared;
a96e6c34 6661 const char *fipsshared;
e401389a 6662} shared_ciphers_data[] = {
60155b9a
MC		 6663/*
6664 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6665 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6666 */
6667#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6668 {
6669 TLS1_2_VERSION,
6670 "AES128-SHA:AES256-SHA",
6671 NULL,
6672 "AES256-SHA:DHE-RSA-AES128-SHA",
6673 NULL,
a96e6c34 6674 "AES256-SHA",
e401389a
MC		 6675 "AES256-SHA"
6676 },
a96e6c34
MC		 6677# if !defined(OPENSSL_NO_CHACHA) \
6678 && !defined(OPENSSL_NO_POLY1305) \
6679 && !defined(OPENSSL_NO_EC)
6680 {
6681 TLS1_2_VERSION,
6682 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6683 NULL,
6684 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6685 NULL,
6686 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6687 "AES128-SHA"
6688 },
6689# endif
e401389a
MC		 6690 {
6691 TLS1_2_VERSION,
6692 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6693 NULL,
6694 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6695 NULL,
a96e6c34 6696 "AES128-SHA:AES256-SHA",
e401389a
MC		 6697 "AES128-SHA:AES256-SHA"
6698 },
6699 {
6700 TLS1_2_VERSION,
6701 "AES128-SHA:AES256-SHA",
6702 NULL,
6703 "AES128-SHA:DHE-RSA-AES128-SHA",
6704 NULL,
a96e6c34 6705 "AES128-SHA",
e401389a
MC		 6706 "AES128-SHA"
6707 },
60155b9a
MC		 6708#endif
6709/*
6710 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6711 * enabled.
6712 */
6713#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6714 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6715 {
6716 TLS1_3_VERSION,
6717 "AES128-SHA:AES256-SHA",
6718 NULL,
6719 "AES256-SHA:AES128-SHA256",
6720 NULL,
6721 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6722 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6723 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6724 },
60155b9a
MC		 6725#endif
6726#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6727 {
6728 TLS1_3_VERSION,
6729 "AES128-SHA",
6730 "TLS_AES_256_GCM_SHA384",
6731 "AES256-SHA",
6732 "TLS_AES_256_GCM_SHA384",
a96e6c34 6733 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6734 "TLS_AES_256_GCM_SHA384"
6735 },
6736#endif
6737};
6738
a96e6c34 6739static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6740{
6741 SSL_CTX *cctx = NULL, *sctx = NULL;
6742 SSL *clientssl = NULL, *serverssl = NULL;
6743 int testresult = 0;
6744 char buf[1024];
a96e6c34
MC		 6745 OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
6746
6747 if (!TEST_ptr(tmplibctx))
6748 goto end;
6749
6750 /*
6751 * Regardless of whether we're testing with the FIPS provider loaded into
6752 * libctx, we want one peer to always use the full set of ciphersuites
6753 * available. Therefore we use a separate libctx with the default provider
6754 * loaded into it. We run the same tests twice - once with the client side
6755 * having the full set of ciphersuites and once with the server side.
6756 */
6757 if (clnt) {
6758 cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
6759 if (!TEST_ptr(cctx))
6760 goto end;
6761 } else {
6762 sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
6763 if (!TEST_ptr(sctx))
6764 goto end;
6765 }
e401389a 6766
5e30f2fd 6767 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6768 TLS_client_method(),
6769 TLS1_VERSION,
6770 shared_ciphers_data[tst].maxprot,
6771 &sctx, &cctx, cert, privkey)))
6772 goto end;
6773
6774 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6775 shared_ciphers_data[tst].clntciphers))
6776 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6777 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6778 shared_ciphers_data[tst].clnttls13ciphers)))
6779 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6780 shared_ciphers_data[tst].srvrciphers))
6781 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6782 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6783 shared_ciphers_data[tst].srvrtls13ciphers))))
6784 goto end;
6785
6786
6787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6788 NULL, NULL))
6789 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6790 SSL_ERROR_NONE)))
6791 goto end;
6792
6793 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6794 || !TEST_int_eq(strcmp(buf,
6795 is_fips
6796 ? shared_ciphers_data[tst].fipsshared
6797 : shared_ciphers_data[tst].shared),
6798 0)) {
e401389a
MC		 6799 TEST_info("Shared ciphers are: %s\n", buf);
6800 goto end;
6801 }
6802
6803 testresult = 1;
6804
6805 end:
6806 SSL_free(serverssl);
6807 SSL_free(clientssl);
6808 SSL_CTX_free(sctx);
6809 SSL_CTX_free(cctx);
a96e6c34 6810 OPENSSL_CTX_free(tmplibctx);
e401389a
MC		 6811
6812 return testresult;
6813}
6814
a96e6c34
MC		 6815static int test_ssl_get_shared_ciphers(int tst)
6816{
6817 return int_test_ssl_get_shared_ciphers(tst, 0)
6818 && int_test_ssl_get_shared_ciphers(tst, 1);
6819}
6820
6821
d0191fe0 6822static const char *appdata = "Hello World";
61fb5923
MC		 6823static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6824static int tick_key_renew = 0;
6825static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6826
6827static int gen_tick_cb(SSL *s, void *arg)
6828{
6829 gen_tick_called = 1;
6830
6831 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6832 strlen(appdata));
6833}
6834
6835static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6836 const unsigned char *keyname,
6837 size_t keyname_length,
61fb5923
MC		 6838 SSL_TICKET_STATUS status,
6839 void *arg)
d0191fe0
MC		 6840{
6841 void *tickdata;
6842 size_t tickdlen;
6843
6844 dec_tick_called = 1;
6845
61fb5923
MC		 6846 if (status == SSL_TICKET_EMPTY)
6847 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6848
61fb5923
MC		 6849 if (!TEST_true(status == SSL_TICKET_SUCCESS
6850 || status == SSL_TICKET_SUCCESS_RENEW))
6851 return SSL_TICKET_RETURN_ABORT;
6852
6853 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6854 &tickdlen))
d0191fe0
MC		 6855 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6856 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6857 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6858
61fb5923
MC		 6859 if (tick_key_cb_called) {
6860 /* Don't change what the ticket key callback wanted to do */
6861 switch (status) {
6862 case SSL_TICKET_NO_DECRYPT:
6863 return SSL_TICKET_RETURN_IGNORE_RENEW;
6864
6865 case SSL_TICKET_SUCCESS:
6866 return SSL_TICKET_RETURN_USE;
d0191fe0 6867
61fb5923
MC		 6868 case SSL_TICKET_SUCCESS_RENEW:
6869 return SSL_TICKET_RETURN_USE_RENEW;
6870
6871 default:
6872 return SSL_TICKET_RETURN_ABORT;
6873 }
6874 }
6875 return tick_dec_ret;
6876
6877}
d0191fe0 6878
a76ce286 6879#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6880static int tick_key_cb(SSL *s, unsigned char key_name[16],
6881 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6882 HMAC_CTX *hctx, int enc)
6883{
6884 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6885 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6886 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6887 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6888 int ret;
d0191fe0 6889
61fb5923 6890 tick_key_cb_called = 1;
d0191fe0
MC		 6891 memset(iv, 0, AES_BLOCK_SIZE);
6892 memset(key_name, 0, 16);
5e30f2fd
MC		 6893 if (aes128cbc == NULL
6894 || sha256 == NULL
6895 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6896 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6897 NULL))
6898 ret = -1;
6899 else
6900 ret = tick_key_renew ? 2 : 1;
d0191fe0 6901
5e30f2fd
MC		 6902 EVP_CIPHER_free(aes128cbc);
6903 EVP_MD_free(sha256);
6904
6905 return ret;
d0191fe0 6906}
a76ce286
P		 6907#endif
6908
6909static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6910 unsigned char iv[EVP_MAX_IV_LENGTH],
6911 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6912{
6913 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6914 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6915 OSSL_PARAM params[3];
5e30f2fd
MC		 6916 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6917 int ret;
a76ce286
P		 6918
6919 tick_key_cb_called = 1;
6920 memset(iv, 0, AES_BLOCK_SIZE);
6921 memset(key_name, 0, 16);
6922 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6923 "SHA256", 0);
6924 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6925 tick_hmac_key,
6926 sizeof(tick_hmac_key));
6927 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6928 if (aes128cbc == NULL
6929 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
d9c2fd51 6930 || !EVP_MAC_set_ctx_params(hctx, params)
a76ce286 6931 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6932 ret = -1;
6933 else
6934 ret = tick_key_renew ? 2 : 1;
6935
6936 EVP_CIPHER_free(aes128cbc);
a76ce286 6937
5e30f2fd 6938 return ret;
a76ce286 6939}
d0191fe0
MC		 6940
6941/*
6942 * Test the various ticket callbacks
61fb5923
MC		 6943 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6944 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6945 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6946 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6947 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6948 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6949 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6950 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6951 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6952 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6953 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6954 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6955 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6956 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6957 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6958 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6959 */
6960static int test_ticket_callbacks(int tst)
6961{
6962 SSL_CTX *cctx = NULL, *sctx = NULL;
6963 SSL *clientssl = NULL, *serverssl = NULL;
6964 SSL_SESSION *clntsess = NULL;
6965 int testresult = 0;
6966
6967#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6968 if (tst % 2 == 0)
d0191fe0
MC		 6969 return 1;
6970#endif
6971#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6972 if (tst % 2 == 1)
d0191fe0
MC		 6973 return 1;
6974#endif
a76ce286
P		 6975#ifdef OPENSSL_NO_DEPRECATED_3_0
6976 if (tst >= 8 && tst <= 11)
6977 return 1;
6978#endif
d0191fe0 6979
61fb5923 6980 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6981
6982 /* Which tests the ticket key callback should request renewal for */
a76ce286 6983 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6984 tick_key_renew = 1;
d0191fe0 6985 else
61fb5923
MC		 6986 tick_key_renew = 0;
6987
6988 /* Which tests the decrypt ticket callback should request renewal for */
6989 switch (tst) {
6990 case 0:
6991 case 1:
6992 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6993 break;
6994
6995 case 2:
6996 case 3:
6997 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6998 break;
6999
7000 case 4:
7001 case 5:
7002 tick_dec_ret = SSL_TICKET_RETURN_USE;
7003 break;
7004
7005 case 6:
7006 case 7:
7007 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7008 break;
7009
7010 default:
7011 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7012 }
d0191fe0 7013
5e30f2fd 7014 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7015 TLS_client_method(),
7016 TLS1_VERSION,
61fb5923
MC		 7017 ((tst % 2) == 0) ? TLS1_2_VERSION
7018 : TLS1_3_VERSION,
d0191fe0
MC		 7019 &sctx, &cctx, cert, privkey)))
7020 goto end;
7021
61fb5923
MC		 7022 /*
7023 * We only want sessions to resume from tickets - not the session cache. So
7024 * switch the cache off.
7025 */
7026 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7027 goto end;
7028
d0191fe0
MC		 7029 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7030 NULL)))
7031 goto end;
7032
a76ce286
P		 7033 if (tst >= 12) {
7034 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7035 goto end;
7036#ifndef OPENSSL_NO_DEPRECATED_3_0
7037 } else if (tst >= 8) {
7038 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7039 goto end;
7040#endif
7041 }
d0191fe0
MC		 7042
7043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7044 NULL, NULL))
7045 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7046 SSL_ERROR_NONE)))
7047 goto end;
7048
61fb5923
MC		 7049 /*
7050 * The decrypt ticket key callback in TLSv1.2 should be called even though
7051 * we have no ticket yet, because it gets called with a status of
7052 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7053 * actually send any ticket data). This does not happen in TLSv1.3 because
7054 * it is not valid to send empty ticket data in TLSv1.3.
7055 */
d0191fe0 7056 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7057 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7058 goto end;
7059
7060 gen_tick_called = dec_tick_called = 0;
7061
7062 clntsess = SSL_get1_session(clientssl);
7063 SSL_shutdown(clientssl);
7064 SSL_shutdown(serverssl);
7065 SSL_free(serverssl);
7066 SSL_free(clientssl);
7067 serverssl = clientssl = NULL;
7068
7069 /* Now do a resumption */
7070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7071 NULL))
7072 || !TEST_true(SSL_set_session(clientssl, clntsess))
7073 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7074 SSL_ERROR_NONE)))
d0191fe0
MC		 7075 goto end;
7076
61fb5923
MC		 7077 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7078 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7079 if (!TEST_false(SSL_session_reused(clientssl)))
7080 goto end;
7081 } else {
7082 if (!TEST_true(SSL_session_reused(clientssl)))
7083 goto end;
7084 }
7085
d0191fe0 7086 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7087 (tick_key_renew
7088 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7089 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7090 ? 1 : 0)
d0191fe0
MC		 7091 || !TEST_int_eq(dec_tick_called, 1))
7092 goto end;
7093
7094 testresult = 1;
7095
7096 end:
7097 SSL_SESSION_free(clntsess);
7098 SSL_free(serverssl);
7099 SSL_free(clientssl);
7100 SSL_CTX_free(sctx);
7101 SSL_CTX_free(cctx);
7102
7103 return testresult;
7104}
7105
e638112e
DB		 7106/*
7107 * Test incorrect shutdown.
7108 * Test 0: client does not shutdown properly,
7109 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7110 * server should get SSL_ERROR_SSL
7111 * Test 1: client does not shutdown properly,
7112 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7113 * server should get SSL_ERROR_ZERO_RETURN
7114 */
7115static int test_incorrect_shutdown(int tst)
7116{
7117 SSL_CTX *cctx = NULL, *sctx = NULL;
7118 SSL *clientssl = NULL, *serverssl = NULL;
7119 int testresult = 0;
7120 char buf[80];
7121 BIO *c2s;
7122
7123 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7124 TLS_client_method(), 0, 0,
7125 &sctx, &cctx, cert, privkey)))
7126 goto end;
7127
7128 if (tst == 1)
7129 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7130
7131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7132 NULL, NULL)))
7133 goto end;
7134
7135 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7136 SSL_ERROR_NONE)))
7137 goto end;
7138
7139 c2s = SSL_get_rbio(serverssl);
7140 BIO_set_mem_eof_return(c2s, 0);
7141
7142 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7143 goto end;
7144
7145 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7146 goto end;
7147 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7148 goto end;
7149
7150 testresult = 1;
7151
7152 end:
7153 SSL_free(serverssl);
7154 SSL_free(clientssl);
7155 SSL_CTX_free(sctx);
7156 SSL_CTX_free(cctx);
7157
7158 return testresult;
7159}
7160
c748834f
MC		 7161/*
7162 * Test bi-directional shutdown.
7163 * Test 0: TLSv1.2
7164 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7165 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7166 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7167 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7168 * sends key update, client reads it
57d7b988
MC		 7169 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7170 * sends CertificateRequest, client reads and ignores it
7171 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7172 * doesn't read it
7173 */
7174static int test_shutdown(int tst)
7175{
7176 SSL_CTX *cctx = NULL, *sctx = NULL;
7177 SSL *clientssl = NULL, *serverssl = NULL;
7178 int testresult = 0;
7179 char msg[] = "A test message";
7180 char buf[80];
7181 size_t written, readbytes;
80eff008 7182 SSL_SESSION *sess;
c748834f
MC		 7183
7184#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7185 if (tst <= 1)
c748834f
MC		 7186 return 1;
7187#endif
7188#ifdef OPENSSL_NO_TLS1_3
a97d19f7 7189 if (tst >= 2)
c748834f
MC		 7190 return 1;
7191#endif
7192
5e30f2fd 7193 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7194 TLS_client_method(),
7195 TLS1_VERSION,
7196 (tst <= 1) ? TLS1_2_VERSION
7197 : TLS1_3_VERSION,
57d7b988
MC		 7198 &sctx, &cctx, cert, privkey)))
7199 goto end;
7200
7201 if (tst == 5)
7202 SSL_CTX_set_post_handshake_auth(cctx, 1);
7203
7204 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7205 NULL, NULL)))
7206 goto end;
7207
7208 if (tst == 3) {
7209 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7210 SSL_ERROR_NONE, 1))
80eff008
KR		 7211 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7212 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7213 goto end;
7214 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7215 SSL_ERROR_NONE))
7216 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7217 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7218 goto end;
7219 }
7220
7221 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7222 goto end;
7223
7224 if (tst >= 4) {
7225 /*
7226 * Reading on the server after the client has sent close_notify should
7227 * fail and provide SSL_ERROR_ZERO_RETURN
7228 */
7229 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7230 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7231 SSL_ERROR_ZERO_RETURN)
7232 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7233 SSL_RECEIVED_SHUTDOWN)
7234 /*
7235 * Even though we're shutdown on receive we should still be
7236 * able to write.
7237 */
80eff008
KR		 7238 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7239 goto end;
57d7b988
MC		 7240 if (tst == 4
7241 && !TEST_true(SSL_key_update(serverssl,
7242 SSL_KEY_UPDATE_REQUESTED)))
7243 goto end;
7244 if (tst == 5) {
7245 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7246 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7247 goto end;
7248 }
7249 if ((tst == 4 || tst == 5)
7250 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7251 goto end;
7252 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7253 goto end;
57d7b988 7254 if (tst == 4 || tst == 5) {
80eff008 7255 /* Should still be able to read data from server */
c748834f 7256 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7257 &readbytes))
7258 || !TEST_size_t_eq(readbytes, sizeof(msg))
7259 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7260 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7261 &readbytes))
c748834f
MC		 7262 || !TEST_size_t_eq(readbytes, sizeof(msg))
7263 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7264 goto end;
7265 }
7266 }
7267
7268 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7269 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7270 goto end;
7271
7272 if (tst < 4) {
7273 /*
7274 * For these tests the client has sent close_notify but it has not yet
7275 * been received by the server. The server has not sent close_notify
7276 * yet.
7277 */
7278 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7279 /*
7280 * Writing on the server after sending close_notify shouldn't
7281 * be possible.
7282 */
7283 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7284 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7285 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7286 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7287 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7288 goto end;
57d7b988 7289 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7290 /*
7291 * In this test the client has sent close_notify and it has been
7292 * received by the server which has responded with a close_notify. The
358ffa05 7293 * client needs to read the close_notify sent by the server.
c748834f 7294 */
80eff008
KR		 7295 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7296 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7297 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7298 goto end;
358ffa05
MC		 7299 } else {
7300 /*
57d7b988 7301 * tst == 6
358ffa05
MC		 7302 *
7303 * The client has sent close_notify and is expecting a close_notify
7304 * back, but instead there is application data first. The shutdown
7305 * should fail with a fatal error.
7306 */
7307 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7308 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7309 goto end;
c748834f
MC		 7310 }
7311
7312 testresult = 1;
7313
7314 end:
7315 SSL_free(serverssl);
7316 SSL_free(clientssl);
7317 SSL_CTX_free(sctx);
7318 SSL_CTX_free(cctx);
7319
7320 return testresult;
7321}
7322
7f1d923a 7323#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 7324static int cert_cb_cnt;
7325
7326static int cert_cb(SSL *s, void *arg)
7327{
7328 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7329 BIO *in = NULL;
7330 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7331 X509 *x509 = NULL, *rootx = NULL;
7332 STACK_OF(X509) *chain = NULL;
7333 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7334 int ret = 0;
cd6fe29f
MC		 7335
7336 if (cert_cb_cnt == 0) {
7337 /* Suspend the handshake */
7338 cert_cb_cnt++;
7339 return -1;
7340 } else if (cert_cb_cnt == 1) {
7341 /*
7342 * Update the SSL_CTX, set the certificate and private key and then
7343 * continue the handshake normally.
7344 */
7345 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7346 return 0;
7347
7348 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7349 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7350 SSL_FILETYPE_PEM))
7351 || !TEST_true(SSL_check_private_key(s)))
7352 return 0;
7353 cert_cb_cnt++;
7354 return 1;
7cb8fb07
BK		 7355 } else if (cert_cb_cnt == 3) {
7356 int rv;
1a2a3a42
MC		 7357
7358 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7359 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7360 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7361 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7362 goto out;
7363 chain = sk_X509_new_null();
7364 if (!TEST_ptr(chain))
7365 goto out;
7cb8fb07 7366 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42
MC		 7367 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
7368 || !TEST_ptr(rootx = PEM_read_bio_X509(in, NULL, NULL, NULL))
7369 || !TEST_true(sk_X509_push(chain, rootx)))
7370 goto out;
7371 rootx = NULL;
7372 BIO_free(in);
7373 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7374 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
7cb8fb07
BK		 7375 || !TEST_ptr(x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
7376 goto out;
7377 BIO_free(in);
7378 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7379 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
7cb8fb07
BK		 7380 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)))
7381 goto out;
1a2a3a42 7382 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7383 /*
7384 * If the cert doesn't show as valid here (e.g., because we don't
7385 * have any shared sigalgs), then we will not set it, and there will
7386 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7387 * will cause tls_choose_sigalgs() to fail the connection.
7388 */
1a2a3a42
MC		 7389 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7390 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7391 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7392 goto out;
7393 }
1a2a3a42
MC		 7394
7395 ret = 1;
cd6fe29f
MC		 7396 }
7397
7398 /* Abort the handshake */
7cb8fb07 7399 out:
1a2a3a42
MC		 7400 OPENSSL_free(ecdsacert);
7401 OPENSSL_free(ecdsakey);
7402 OPENSSL_free(rootfile);
7cb8fb07
BK		 7403 BIO_free(in);
7404 EVP_PKEY_free(pkey);
7405 X509_free(x509);
1a2a3a42
MC		 7406 X509_free(rootx);
7407 sk_X509_pop_free(chain, X509_free);
7408 return ret;
cd6fe29f
MC		 7409}
7410
7411/*
7412 * Test the certificate callback.
7413 * Test 0: Callback fails
7414 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7415 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7416 * Test 3: Success - Call SSL_check_chain from the callback
7417 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7418 * chain
7419 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7420 */
7421static int test_cert_cb_int(int prot, int tst)
7422{
7423 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7424 SSL *clientssl = NULL, *serverssl = NULL;
7425 int testresult = 0, ret;
7426
1a2a3a42
MC		 7427#ifdef OPENSSL_NO_EC
7428 /* We use an EC cert in these tests, so we skip in a no-ec build */
7429 if (tst >= 3)
7430 return 1;
7431#endif
7432
5e30f2fd 7433 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7434 TLS_client_method(),
7435 TLS1_VERSION,
7436 prot,
7437 &sctx, &cctx, NULL, NULL)))
7438 goto end;
7439
7440 if (tst == 0)
7441 cert_cb_cnt = -1;
1a2a3a42 7442 else if (tst >= 3)
7cb8fb07 7443 cert_cb_cnt = 3;
cd6fe29f
MC		 7444 else
7445 cert_cb_cnt = 0;
1a2a3a42 7446
cd6fe29f
MC		 7447 if (tst == 2)
7448 snictx = SSL_CTX_new(TLS_server_method());
7449 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7450
7451 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7452 NULL, NULL)))
7453 goto end;
7454
1a2a3a42
MC		 7455 if (tst == 4) {
7456 /*
7457 * We cause SSL_check_chain() to fail by specifying sig_algs that
7458 * the chain doesn't meet (the root uses an RSA cert)
7459 */
7460 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7461 "ecdsa_secp256r1_sha256")))
7462 goto end;
7463 } else if (tst == 5) {
7464 /*
7465 * We cause SSL_check_chain() to fail by specifying sig_algs that
7466 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7467 */
7468 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7469 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7470 goto end;
7471 }
7472
cd6fe29f 7473 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7474 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7475 || (tst > 0
7476 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7477 goto end;
7478 }
7479
7480 testresult = 1;
7481
7482 end:
7483 SSL_free(serverssl);
7484 SSL_free(clientssl);
7485 SSL_CTX_free(sctx);
7486 SSL_CTX_free(cctx);
7487 SSL_CTX_free(snictx);
7488
7489 return testresult;
7490}
7f1d923a 7491#endif
cd6fe29f
MC		 7492
7493static int test_cert_cb(int tst)
7494{
7495 int testresult = 1;
7496
7497#ifndef OPENSSL_NO_TLS1_2
7498 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7499#endif
7f1d923a 7500#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 7501 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7502#endif
7503
7504 return testresult;
7505}
7506
6e46c065
MC		 7507static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7508{
7509 X509 *xcert, *peer;
7510 EVP_PKEY *privpkey;
7511 BIO *in = NULL;
7512
7513 /* Check that SSL_get_peer_certificate() returns something sensible */
7514 peer = SSL_get_peer_certificate(ssl);
7515 if (!TEST_ptr(peer))
7516 return 0;
7517 X509_free(peer);
7518
7519 in = BIO_new_file(cert, "r");
7520 if (!TEST_ptr(in))
7521 return 0;
7522
7523 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
7524 BIO_free(in);
7525 if (!TEST_ptr(xcert))
7526 return 0;
7527
7528 in = BIO_new_file(privkey, "r");
7529 if (!TEST_ptr(in)) {
7530 X509_free(xcert);
7531 return 0;
7532 }
7533
7534 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
7535 BIO_free(in);
7536 if (!TEST_ptr(privpkey)) {
7537 X509_free(xcert);
7538 return 0;
7539 }
7540
7541 *x509 = xcert;
7542 *pkey = privpkey;
7543
7544 return 1;
7545}
7546
7547static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7548{
7549 return 1;
7550}
7551
7552static int test_client_cert_cb(int tst)
7553{
7554 SSL_CTX *cctx = NULL, *sctx = NULL;
7555 SSL *clientssl = NULL, *serverssl = NULL;
7556 int testresult = 0;
7557
7558#ifdef OPENSSL_NO_TLS1_2
7559 if (tst == 0)
7560 return 1;
7561#endif
7562#ifdef OPENSSL_NO_TLS1_3
7563 if (tst == 1)
7564 return 1;
7565#endif
7566
5e30f2fd 7567 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7568 TLS_client_method(),
7569 TLS1_VERSION,
7570 tst == 0 ? TLS1_2_VERSION
7571 : TLS1_3_VERSION,
7572 &sctx, &cctx, cert, privkey)))
7573 goto end;
7574
7575 /*
7576 * Test that setting a client_cert_cb results in a client certificate being
7577 * sent.
7578 */
7579 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7580 SSL_CTX_set_verify(sctx,
7581 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7582 verify_cb);
fb8c8359
MC		 7583
7584 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7585 NULL, NULL))
7586 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7587 SSL_ERROR_NONE)))
7588 goto end;
7589
7590 testresult = 1;
7591
7592 end:
7593 SSL_free(serverssl);
7594 SSL_free(clientssl);
7595 SSL_CTX_free(sctx);
7596 SSL_CTX_free(cctx);
7597
7598 return testresult;
7599}
7600
7601#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7602/*
7603 * Test setting certificate authorities on both client and server.
7604 *
7605 * Test 0: SSL_CTX_set0_CA_list() only
7606 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7607 * Test 2: Only SSL_CTX_set_client_CA_list()
7608 */
7609static int test_ca_names_int(int prot, int tst)
7610{
7611 SSL_CTX *cctx = NULL, *sctx = NULL;
7612 SSL *clientssl = NULL, *serverssl = NULL;
7613 int testresult = 0;
7614 size_t i;
7615 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7616 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7617 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7618 const STACK_OF(X509_NAME) *sktmp = NULL;
7619
7620 for (i = 0; i < OSSL_NELEM(name); i++) {
7621 name[i] = X509_NAME_new();
7622 if (!TEST_ptr(name[i])
7623 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7624 MBSTRING_ASC,
7625 (unsigned char *)
7626 strnames[i],
7627 -1, -1, 0)))
7628 goto end;
7629 }
7630
5e30f2fd 7631 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7632 TLS_client_method(),
7633 TLS1_VERSION,
7634 prot,
7635 &sctx, &cctx, cert, privkey)))
7636 goto end;
7637
7638 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7639
7640 if (tst == 0 || tst == 1) {
7641 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7642 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7643 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7644 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7645 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7646 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7647 goto end;
7648
7649 SSL_CTX_set0_CA_list(sctx, sk1);
7650 SSL_CTX_set0_CA_list(cctx, sk2);
7651 sk1 = sk2 = NULL;
7652 }
7653 if (tst == 1 || tst == 2) {
7654 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7655 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7656 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7657 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7658 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7659 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7660 goto end;
7661
7662 SSL_CTX_set_client_CA_list(sctx, sk1);
7663 SSL_CTX_set_client_CA_list(cctx, sk2);
7664 sk1 = sk2 = NULL;
7665 }
7666
6e46c065
MC		 7667 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7668 NULL, NULL))
7669 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7670 SSL_ERROR_NONE)))
7671 goto end;
7672
fb8c8359
MC		 7673 /*
7674 * We only expect certificate authorities to have been sent to the server
7675 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7676 */
7677 sktmp = SSL_get0_peer_CA_list(serverssl);
7678 if (prot == TLS1_3_VERSION
7679 && (tst == 0 || tst == 1)) {
7680 if (!TEST_ptr(sktmp)
7681 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7682 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7683 name[0]), 0)
7684 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7685 name[1]), 0))
7686 goto end;
7687 } else if (!TEST_ptr_null(sktmp)) {
7688 goto end;
7689 }
7690
7691 /*
7692 * In all tests we expect certificate authorities to have been sent to the
7693 * client. However, SSL_set_client_CA_list() should override
7694 * SSL_set0_CA_list()
7695 */
7696 sktmp = SSL_get0_peer_CA_list(clientssl);
7697 if (!TEST_ptr(sktmp)
7698 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7699 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7700 name[tst == 0 ? 0 : 2]), 0)
7701 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7702 name[tst == 0 ? 1 : 3]), 0))
7703 goto end;
7704
6e46c065
MC		 7705 testresult = 1;
7706
7707 end:
7708 SSL_free(serverssl);
7709 SSL_free(clientssl);
7710 SSL_CTX_free(sctx);
7711 SSL_CTX_free(cctx);
fb8c8359
MC		 7712 for (i = 0; i < OSSL_NELEM(name); i++)
7713 X509_NAME_free(name[i]);
7714 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7715 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7716
7717 return testresult;
7718}
7719#endif
7720
7721static int test_ca_names(int tst)
7722{
7723 int testresult = 1;
7724
7725#ifndef OPENSSL_NO_TLS1_2
7726 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7727#endif
7728#ifndef OPENSSL_NO_TLS1_3
7729 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7730#endif
6e46c065
MC		 7731
7732 return testresult;
7733}
7734
0d2bfe52
SL		 7735#ifndef OPENSSL_NO_TLS1_2
7736static const char *multiblock_cipherlist_data[]=
7737{
7738 "AES128-SHA",
7739 "AES128-SHA256",
7740 "AES256-SHA",
7741 "AES256-SHA256",
7742};
7743
7744/* Reduce the fragment size - so the multiblock test buffer can be small */
7745# define MULTIBLOCK_FRAGSIZE 512
7746
7747static int test_multiblock_write(int test_index)
7748{
7749 static const char *fetchable_ciphers[]=
7750 {
7751 "AES-128-CBC-HMAC-SHA1",
7752 "AES-128-CBC-HMAC-SHA256",
7753 "AES-256-CBC-HMAC-SHA1",
7754 "AES-256-CBC-HMAC-SHA256"
7755 };
7756 const char *cipherlist = multiblock_cipherlist_data[test_index];
7757 const SSL_METHOD *smeth = TLS_server_method();
7758 const SSL_METHOD *cmeth = TLS_client_method();
7759 int min_version = TLS1_VERSION;
7760 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7761 SSL_CTX *cctx = NULL, *sctx = NULL;
7762 SSL *clientssl = NULL, *serverssl = NULL;
7763 int testresult = 0;
7764
7765 /*
7766 * Choose a buffer large enough to perform a multi-block operation
7767 * i.e: write_len >= 4 * frag_size
7768 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7769 */
7770 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7771 unsigned char buf[sizeof(msg)], *p = buf;
7772 size_t readbytes, written, len;
7773 EVP_CIPHER *ciph = NULL;
7774
7775 /*
7776 * Check if the cipher exists before attempting to use it since it only has
7777 * a hardware specific implementation.
7778 */
7779 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7780 if (ciph == NULL) {
7781 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7782 return 1;
7783 }
7784 EVP_CIPHER_free(ciph);
7785
7786 /* Set up a buffer with some data that will be sent to the client */
7787 RAND_bytes(msg, sizeof(msg));
7788
5e30f2fd
MC		 7789 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7790 max_version, &sctx, &cctx, cert,
7791 privkey)))
0d2bfe52
SL		 7792 goto end;
7793
7794 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7795 goto end;
7796
7797 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7798 NULL, NULL)))
7799 goto end;
7800
7801 /* settings to force it to use AES-CBC-HMAC_SHA */
7802 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7803 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7804 goto end;
7805
7806 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7807 goto end;
7808
7809 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7810 || !TEST_size_t_eq(written, sizeof(msg)))
7811 goto end;
7812
7813 len = written;
7814 while (len > 0) {
7815 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7816 goto end;
7817 p += readbytes;
7818 len -= readbytes;
7819 }
7820 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7821 goto end;
7822
7823 testresult = 1;
7824end:
7825 SSL_free(serverssl);
7826 SSL_free(clientssl);
7827 SSL_CTX_free(sctx);
7828 SSL_CTX_free(cctx);
7829
7830 return testresult;
7831}
7832#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7833
49ef3d07
MC		 7834/*
7835 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7836 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7837 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7838 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7839 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7840 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7841 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7842 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7843 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7844 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7845 */
7846static int test_servername(int tst)
7847{
7848 SSL_CTX *cctx = NULL, *sctx = NULL;
7849 SSL *clientssl = NULL, *serverssl = NULL;
7850 int testresult = 0;
7851 SSL_SESSION *sess = NULL;
7852 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7853
7854#ifdef OPENSSL_NO_TLS1_2
7855 if (tst <= 4)
7856 return 1;
7857#endif
7858#ifdef OPENSSL_NO_TLS1_3
7859 if (tst >= 5)
7860 return 1;
7861#endif
7862
5e30f2fd 7863 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7864 TLS_client_method(),
7865 TLS1_VERSION,
7866 (tst <= 4) ? TLS1_2_VERSION
7867 : TLS1_3_VERSION,
7868 &sctx, &cctx, cert, privkey))
7869 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7870 NULL, NULL)))
7871 goto end;
7872
7873 if (tst != 1 && tst != 6) {
7874 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7875 hostname_cb)))
7876 goto end;
7877 }
7878
7879 if (tst != 3 && tst != 8) {
7880 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7881 goto end;
7882 sexpectedhost = cexpectedhost = "goodhost";
7883 }
7884
7885 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7886 goto end;
7887
7888 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7889 cexpectedhost)
7890 || !TEST_str_eq(SSL_get_servername(serverssl,
7891 TLSEXT_NAMETYPE_host_name),
7892 sexpectedhost))
7893 goto end;
7894
7895 /* Now repeat with a resumption handshake */
7896
7897 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7898 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7899 || !TEST_true(SSL_SESSION_is_resumable(sess))
7900 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7901 goto end;
7902
7903 SSL_free(clientssl);
7904 SSL_free(serverssl);
7905 clientssl = serverssl = NULL;
7906
7907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7908 NULL)))
7909 goto end;
7910
7911 if (!TEST_true(SSL_set_session(clientssl, sess)))
7912 goto end;
7913
7914 sexpectedhost = cexpectedhost = "goodhost";
7915 if (tst == 2 || tst == 7) {
7916 /* Set an inconsistent hostname */
7917 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7918 goto end;
7919 /*
7920 * In TLSv1.2 we expect the hostname from the original handshake, in
7921 * TLSv1.3 we expect the hostname from this handshake
7922 */
7923 if (tst == 7)
7924 sexpectedhost = cexpectedhost = "altgoodhost";
7925
7926 if (!TEST_str_eq(SSL_get_servername(clientssl,
7927 TLSEXT_NAMETYPE_host_name),
7928 "altgoodhost"))
7929 goto end;
7930 } else if (tst == 4 || tst == 9) {
7931 /*
7932 * A TLSv1.3 session does not associate a session with a servername,
7933 * but a TLSv1.2 session does.
7934 */
7935 if (tst == 9)
7936 sexpectedhost = cexpectedhost = NULL;
7937
7938 if (!TEST_str_eq(SSL_get_servername(clientssl,
7939 TLSEXT_NAMETYPE_host_name),
7940 cexpectedhost))
7941 goto end;
7942 } else {
7943 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7944 goto end;
7945 /*
7946 * In a TLSv1.2 resumption where the hostname was not acknowledged
7947 * we expect the hostname on the server to be empty. On the client we
7948 * return what was requested in this case.
7949 *
7950 * Similarly if the client didn't set a hostname on an original TLSv1.2
7951 * session but is now, the server hostname will be empty, but the client
7952 * is as we set it.
7953 */
7954 if (tst == 1 || tst == 3)
7955 sexpectedhost = NULL;
7956
7957 if (!TEST_str_eq(SSL_get_servername(clientssl,
7958 TLSEXT_NAMETYPE_host_name),
7959 "goodhost"))
7960 goto end;
7961 }
7962
7963 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7964 goto end;
7965
7966 if (!TEST_true(SSL_session_reused(clientssl))
7967 || !TEST_true(SSL_session_reused(serverssl))
7968 || !TEST_str_eq(SSL_get_servername(clientssl,
7969 TLSEXT_NAMETYPE_host_name),
7970 cexpectedhost)
7971 || !TEST_str_eq(SSL_get_servername(serverssl,
7972 TLSEXT_NAMETYPE_host_name),
7973 sexpectedhost))
7974 goto end;
7975
7976 testresult = 1;
7977
7978 end:
7979 SSL_SESSION_free(sess);
7980 SSL_free(serverssl);
7981 SSL_free(clientssl);
7982 SSL_CTX_free(sctx);
7983 SSL_CTX_free(cctx);
7984
7985 return testresult;
7986}
7987
b3842539
MC		 7988#ifndef OPENSSL_NO_EC
7989/*
7990 * Test that if signature algorithms are not available, then we do not offer or
7991 * accept them.
7992 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7993 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7994 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7995 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7996 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7997 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7998 */
7999static int test_sigalgs_available(int idx)
8000{
8001 SSL_CTX *cctx = NULL, *sctx = NULL;
8002 SSL *clientssl = NULL, *serverssl = NULL;
8003 int testresult = 0;
8004 OPENSSL_CTX *tmpctx = OPENSSL_CTX_new();
8005 OPENSSL_CTX *clientctx = libctx, *serverctx = libctx;
8006 OSSL_PROVIDER *filterprov = NULL;
8007 int sig, hash;
8008
8009 if (!TEST_ptr(tmpctx))
8010 goto end;
8011
8012 if (idx != 0 && idx != 3) {
8013 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8014 filter_provider_init)))
8015 goto end;
8016
8017 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8018 if (!TEST_ptr(filterprov))
8019 goto end;
8020
8021 if (idx < 3) {
8022 /*
8023 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8024 * or accepted for the peer that uses this libctx. Note that libssl
8025 * *requires* SHA2-256 to be available so we cannot disable that. We
8026 * also need SHA1 for our certificate.
8027 */
8028 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8029 "SHA2-256:SHA1")))
8030 goto end;
8031 } else {
8032 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8033 "ECDSA"))
8034 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8035 "EC:X25519:X448")))
8036 goto end;
8037 }
8038
8039 if (idx == 1 || idx == 4)
8040 clientctx = tmpctx;
8041 else
8042 serverctx = tmpctx;
8043 }
8044
8045 cctx = SSL_CTX_new_with_libctx(clientctx, NULL, TLS_client_method());
8046 sctx = SSL_CTX_new_with_libctx(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8047 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8048 goto end;
b3842539
MC		 8049
8050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8051 TLS_client_method(),
8052 TLS1_VERSION,
8053 0,
8054 &sctx, &cctx, cert, privkey)))
8055 goto end;
8056
8057 if (idx < 3) {
8058 if (!SSL_CTX_set1_sigalgs_list(cctx,
8059 "rsa_pss_rsae_sha384"
8060 ":rsa_pss_rsae_sha256")
8061 || !SSL_CTX_set1_sigalgs_list(sctx,
8062 "rsa_pss_rsae_sha384"
8063 ":rsa_pss_rsae_sha256"))
8064 goto end;
8065 } else {
8066 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8067 || !SSL_CTX_set1_sigalgs_list(sctx,
8068 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8069 goto end;
8070 }
8071
8072 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8073 SSL_FILETYPE_PEM), 1)
8074 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8075 privkey2,
8076 SSL_FILETYPE_PEM), 1)
8077 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8078 goto end;
8079
8080 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8081 NULL, NULL)))
8082 goto end;
8083
8084 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8085 goto end;
8086
8087 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8088 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8089 NULL, NULL),
8090 (idx == 0 || idx == 3) ? 2 : 1))
8091 goto end;
8092
8093 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8094 goto end;
8095
8096 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8097 : NID_rsassaPss))
8098 goto end;
8099
8100 testresult = 1;
8101
8102 end:
8103 SSL_free(serverssl);
8104 SSL_free(clientssl);
8105 SSL_CTX_free(sctx);
8106 SSL_CTX_free(cctx);
8107 OSSL_PROVIDER_unload(filterprov);
8108 OPENSSL_CTX_free(tmpctx);
8109
8110 return testresult;
8111}
8112#endif /* OPENSSL_NO_EC */
8113
0c13cdf8
MC		 8114#ifndef OPENSSL_NO_TLS1_3
8115static int test_pluggable_group(void)
8116{
8117 SSL_CTX *cctx = NULL, *sctx = NULL;
8118 SSL *clientssl = NULL, *serverssl = NULL;
8119 int testresult = 0;
8120 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
8121
8122 if (!TEST_ptr(tlsprov))
8123 goto end;
8124
8125 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8126 TLS_client_method(),
8127 TLS1_3_VERSION,
8128 TLS1_3_VERSION,
8129 &sctx, &cctx, cert, privkey))
8130 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8131 NULL, NULL)))
8132 goto end;
8133
8134 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
8135 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
8136 goto end;
8137
8138 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8139 goto end;
8140
8141 testresult = 1;
8142
8143 end:
8144 SSL_free(serverssl);
8145 SSL_free(clientssl);
8146 SSL_CTX_free(sctx);
8147 SSL_CTX_free(cctx);
8148 OSSL_PROVIDER_unload(tlsprov);
8149
8150 return testresult;
8151}
8152#endif
b3842539 8153
5e30f2fd 8154OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8155
ad887416 8156int setup_tests(void)
2cb4b5f6 8157{
5e30f2fd
MC		 8158 char *modulename;
8159 char *configfile;
8160
8161 libctx = OPENSSL_CTX_new();
8162 if (!TEST_ptr(libctx))
8163 return 0;
8164
8165 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8166
8167 /*
8168 * Verify that the default and fips providers in the default libctx are not
8169 * available
8170 */
8171 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8172 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8173 return 0;
8174
8d242823
MC		 8175 if (!test_skip_common_options()) {
8176 TEST_error("Error parsing test options\n");
8177 return 0;
8178 }
8179
1a2a3a42
MC		 8180 if (!TEST_ptr(certsdir = test_get_argument(0))
8181 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8182 || !TEST_ptr(tmpfilename = test_get_argument(2))
8183 || !TEST_ptr(modulename = test_get_argument(3))
8184 || !TEST_ptr(configfile = test_get_argument(4)))
8185 return 0;
8186
8187 if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
8188 return 0;
8189
8190 /* Check we have the expected provider available */
8191 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8192 return 0;
8193
8194 /* Check the default provider is not available */
8195 if (strcmp(modulename, "default") != 0
8196 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8197 return 0;
2cb4b5f6 8198
4f6c7044
MC		 8199 if (strcmp(modulename, "fips") == 0)
8200 is_fips = 1;
8201
0c13cdf8
MC		 8202 /*
8203 * We add, but don't load the test "tls-provider". We'll load it when we
8204 * need it.
8205 */
8206 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8207 tls_provider_init)))
8208 return 0;
8209
8210
f297e4ec
RS		 8211 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8212#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8213 TEST_error("not supported in this build");
8214 return 0;
8215#else
8216 int i, mcount, rcount, fcount;
8217
8218 for (i = 0; i < 4; i++)
8219 test_export_key_mat(i);
8220 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8221 test_printf_stdout("malloc %d realloc %d free %d\n",
8222 mcount, rcount, fcount);
8223 return 1;
8224#endif
8225 }
8226
1a2a3a42
MC		 8227 cert = test_mk_file_path(certsdir, "servercert.pem");
8228 if (cert == NULL)
b3842539 8229 goto err;
1a2a3a42
MC		 8230
8231 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8232 if (privkey == NULL)
8233 goto err;
8234
8235 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8236 if (cert2 == NULL)
8237 goto err;
8238
8239 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8240 if (privkey2 == NULL)
8241 goto err;
1a2a3a42 8242
da4db160
VF		 8243#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
8244#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
8245 ADD_ALL_TESTS(test_ktls, 32);
8246 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
8247#endif
fe5d9450 8248#endif
84d5549e 8249 ADD_TEST(test_large_message_tls);
7856332e 8250 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8251#ifndef OPENSSL_NO_DTLS
84d5549e 8252 ADD_TEST(test_large_message_dtls);
55386bef 8253#endif
8f8c11d8 8254#ifndef OPENSSL_NO_OCSP
c887104f 8255 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8256#endif
eaa776da
MC		 8257 ADD_TEST(test_session_with_only_int_cache);
8258 ADD_TEST(test_session_with_only_ext_cache);
8259 ADD_TEST(test_session_with_both_cache);
90fc2c26 8260 ADD_TEST(test_session_wo_ca_names);
36ff232c 8261#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 8262 ADD_ALL_TESTS(test_stateful_tickets, 3);
8263 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8264 ADD_TEST(test_psk_tickets);
f0049b86 8265 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8266#endif
7fb4c820 8267 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8268 ADD_TEST(test_ssl_bio_pop_next_bio);
8269 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8270 ADD_TEST(test_ssl_bio_change_rbio);
8271 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 8272#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 8273 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8274 ADD_TEST(test_keylog);
c423ecaa 8275#endif
6acdd3e5
CB		 8276#ifndef OPENSSL_NO_TLS1_3
8277 ADD_TEST(test_keylog_no_master_key);
8278#endif
e9ee6536 8279#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8280 ADD_TEST(test_client_hello_cb);
088dfa13 8281 ADD_TEST(test_no_ems);
3cd14e5e 8282 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 8283#endif
8284#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 8285 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8286 /*
8287 * We don't do replay tests for external PSK. Replay protection isn't used
8288 * in that scenario.
8289 */
8290 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8291 ADD_ALL_TESTS(test_early_data_skip, 3);
8292 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8293 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8294 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8295 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8296 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8297 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8298 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8299# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8300 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8301# endif
e9ee6536 8302#endif
a273157a 8303#ifndef OPENSSL_NO_TLS1_3
034cb87b 8304 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8305 ADD_TEST(test_ciphersuite_change);
5bf2eade 8306 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8307# ifdef OPENSSL_NO_PSK
c2b290c3 8308 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8309# else
0d8da779 8310 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8311# endif /* OPENSSL_NO_PSK */
8312# ifndef OPENSSL_NO_TLS1_2
8313 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8314 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8315# else
8316 /* Test with only TLSv1.3 versions */
8317 ADD_ALL_TESTS(test_key_exchange, 12);
8318# endif
bb01ef3f 8319 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8320 ADD_TEST(test_stateless);
9d75dce3 8321 ADD_TEST(test_pha_key_update);
a273157a 8322#else
bb01ef3f 8323 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8324#endif
16afd71c 8325 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8326 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 8327#ifndef OPENSSL_NO_TLS1_3
8328 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8329 ADD_TEST(test_key_update);
a77b4dba 8330 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8331#endif
e11b6aa4 8332 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8333 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8334#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8335 ADD_ALL_TESTS(test_srp, 6);
8336#endif
5718fe45 8337 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8338 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8339 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8340 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8341 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8342 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8343 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8344 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8345 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8346#ifndef OPENSSL_NO_TLS1_2
8347 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8348#endif
49ef3d07 8349 ADD_ALL_TESTS(test_servername, 10);
b3842539
MC		 8350#ifndef OPENSSL_NO_EC
8351 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8352#endif
8353#ifndef OPENSSL_NO_TLS1_3
8354 ADD_TEST(test_pluggable_group);
b3842539 8355#endif
ad887416 8356 return 1;
b3842539
MC		 8357
8358 err:
8359 OPENSSL_free(cert);
8360 OPENSSL_free(privkey);
8361 OPENSSL_free(cert2);
8362 OPENSSL_free(privkey2);
8363 return 0;
ad887416 8364}
2cb4b5f6 8365
ad887416
P		 8366void cleanup_tests(void)
8367{
1a2a3a42
MC		 8368 OPENSSL_free(cert);
8369 OPENSSL_free(privkey);
b3842539
MC		 8370 OPENSSL_free(cert2);
8371 OPENSSL_free(privkey2);
fa454945 8372 bio_s_mempacket_test_free();
a77b4dba 8373 bio_s_always_retry_free();
5e30f2fd
MC		 8374 OSSL_PROVIDER_unload(defctxnull);
8375 OPENSSL_CTX_free(libctx);
2cb4b5f6 8376}
A mirror of the official openssl repository