]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
4333b89f 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
2cb4b5f6 35
20f8bc72 36#include "helpers/ssltestlib.h"
c887104f 37#include "testutil.h"
f297e4ec 38#include "testutil/output.h"
176db6dc 39#include "internal/nelem.h"
fe5d9450 40#include "internal/ktls.h"
706457b7 41#include "../ssl/ssl_local.h"
b0001d0c 42#include "filterprov.h"
2cb4b5f6 43
a763ca11
MC		 44#undef OSSL_NO_USABLE_TLS1_3
45#if defined(OPENSSL_NO_TLS1_3) \
46 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
47/*
48 * If we don't have ec or dh then there are no built-in groups that are usable
49 * with TLSv1.3
50 */
51# define OSSL_NO_USABLE_TLS1_3
52#endif
53
0c13cdf8
MC		 54/* Defined in tls-provider.c */
55int tls_provider_init(const OSSL_CORE_HANDLE *handle,
56 const OSSL_DISPATCH *in,
57 const OSSL_DISPATCH **out,
58 void **provctx);
852c2ed2 59
b4250010 60static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 61static OSSL_PROVIDER *defctxnull = NULL;
62
a763ca11 63#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 64
65static SSL_SESSION *clientpsk = NULL;
66static SSL_SESSION *serverpsk = NULL;
67static const char *pskid = "Identity";
68static const char *srvid;
69
70static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
71 size_t *idlen, SSL_SESSION **sess);
72static int find_session_cb(SSL *ssl, const unsigned char *identity,
73 size_t identity_len, SSL_SESSION **sess);
74
75static int use_session_cb_cnt = 0;
76static int find_session_cb_cnt = 0;
77
78static SSL_SESSION *create_a_psk(SSL *ssl);
79#endif
80
1a2a3a42 81static char *certsdir = NULL;
2cb4b5f6
MC		 82static char *cert = NULL;
83static char *privkey = NULL;
b3842539
MC		 84static char *cert2 = NULL;
85static char *privkey2 = NULL;
3105d846
MC		 86static char *cert1024 = NULL;
87static char *privkey1024 = NULL;
88static char *cert3072 = NULL;
89static char *privkey3072 = NULL;
90static char *cert4096 = NULL;
91static char *privkey4096 = NULL;
92static char *cert8192 = NULL;
93static char *privkey8192 = NULL;
76fd7a1d
MC		 94static char *srpvfile = NULL;
95static char *tmpfilename = NULL;
2cb4b5f6 96
4f6c7044
MC		 97static int is_fips = 0;
98
cffe973c 99#define LOG_BUFFER_SIZE 2048
6acdd3e5 100static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 101static size_t server_log_buffer_index = 0;
6acdd3e5 102static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 103static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 104static int error_writing_log = 0;
105
8f8c11d8 106#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 107static const unsigned char orespder[] = "Dummy OCSP Response";
108static int ocsp_server_called = 0;
109static int ocsp_client_called = 0;
110
111static int cdummyarg = 1;
112static X509 *ocspcert = NULL;
8f8c11d8 113#endif
ba881d3b 114
84d5549e 115#define NUM_EXTRA_CERTS 40
cf72c757 116#define CLIENT_VERSION_LEN 2
84d5549e 117
f1a5939f
CB		 118/*
119 * This structure is used to validate that the correct number of log messages
120 * of various types are emitted when emitting secret logs.
121 */
122struct sslapitest_log_counts {
123 unsigned int rsa_key_exchange_count;
124 unsigned int master_secret_count;
cffe973c 125 unsigned int client_early_secret_count;
f1a5939f
CB		 126 unsigned int client_handshake_secret_count;
127 unsigned int server_handshake_secret_count;
128 unsigned int client_application_secret_count;
129 unsigned int server_application_secret_count;
01a2a654 130 unsigned int early_exporter_secret_count;
6329ce8f 131 unsigned int exporter_secret_count;
f1a5939f
CB		 132};
133
16afd71c
MC		 134
135static unsigned char serverinfov1[] = {
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
139};
140
141static unsigned char serverinfov2[] = {
142 0x00, 0x00, 0x00,
143 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
144 0xff, 0xff, /* Dummy extension type */
145 0x00, 0x01, /* Extension length is 1 byte */
146 0xff /* Dummy extension data */
147};
148
104a733d
MC		 149static int hostname_cb(SSL *s, int *al, void *arg)
150{
151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
152
153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
154 || strcmp(hostname, "altgoodhost") == 0))
155 return SSL_TLSEXT_ERR_OK;
156
157 return SSL_TLSEXT_ERR_NOACK;
158}
159
710756a9
RS		 160static void client_keylog_callback(const SSL *ssl, const char *line)
161{
6acdd3e5
CB		 162 int line_length = strlen(line);
163
164 /* If the log doesn't fit, error out. */
710756a9
RS		 165 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
166 TEST_info("Client log too full");
6acdd3e5
CB		 167 error_writing_log = 1;
168 return;
169 }
170
171 strcat(client_log_buffer, line);
172 client_log_buffer_index += line_length;
710756a9 173 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 174}
175
710756a9
RS		 176static void server_keylog_callback(const SSL *ssl, const char *line)
177{
6acdd3e5
CB		 178 int line_length = strlen(line);
179
180 /* If the log doesn't fit, error out. */
710756a9 181 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 182 TEST_info("Server log too full");
6acdd3e5
CB		 183 error_writing_log = 1;
184 return;
185 }
186
187 strcat(server_log_buffer, line);
188 server_log_buffer_index += line_length;
710756a9 189 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 190}
191
192static int compare_hex_encoded_buffer(const char *hex_encoded,
193 size_t hex_length,
194 const uint8_t *raw,
710756a9
RS		 195 size_t raw_length)
196{
197 size_t i, j;
198 char hexed[3];
6acdd3e5 199
710756a9 200 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 201 return 1;
6acdd3e5 202
710756a9 203 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 204 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 205 if (!TEST_int_eq(hexed[0], hex_encoded[j])
206 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 207 return 1;
6acdd3e5
CB		 208 }
209
210 return 0;
211}
212
213static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 214 const SSL_SESSION *session,
710756a9
RS		 215 struct sslapitest_log_counts *expected)
216{
6acdd3e5
CB		 217 char *token = NULL;
218 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
219 size_t client_random_size = SSL3_RANDOM_SIZE;
220 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
221 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 222 unsigned int rsa_key_exchange_count = 0;
223 unsigned int master_secret_count = 0;
cffe973c 224 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 225 unsigned int client_handshake_secret_count = 0;
226 unsigned int server_handshake_secret_count = 0;
227 unsigned int client_application_secret_count = 0;
228 unsigned int server_application_secret_count = 0;
01a2a654 229 unsigned int early_exporter_secret_count = 0;
6329ce8f 230 unsigned int exporter_secret_count = 0;
6acdd3e5 231
710756a9
RS		 232 for (token = strtok(buffer, " \n"); token != NULL;
233 token = strtok(NULL, " \n")) {
6acdd3e5 234 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 235 /*
236 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 237 * hex-encoded encrypted secret, then the hex-encoded pre-master
238 * secret.
239 */
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 243 return 0;
710756a9 244 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 245 return 0;
f1a5939f
CB		 246 /*
247 * We can't sensibly check the log because the premaster secret is
248 * transient, and OpenSSL doesn't keep hold of it once the master
249 * secret is generated.
250 */
251 rsa_key_exchange_count++;
6acdd3e5 252 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 253 /*
254 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 255 * client random, then the hex-encoded master secret.
256 */
257 client_random_size = SSL_get_client_random(ssl,
258 actual_client_random,
259 SSL3_RANDOM_SIZE);
710756a9 260 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 261 return 0;
6acdd3e5 262
710756a9 263 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 264 return 0;
710756a9 265 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 266 return 0;
710756a9
RS		 267 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
268 actual_client_random,
269 client_random_size)))
f1a5939f 270 return 0;
6acdd3e5 271
710756a9 272 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 273 return 0;
6acdd3e5
CB		 274 master_key_size = SSL_SESSION_get_master_key(session,
275 actual_master_key,
276 master_key_size);
710756a9 277 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 278 return 0;
710756a9
RS		 279 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
280 actual_master_key,
281 master_key_size)))
f1a5939f 282 return 0;
f1a5939f 283 master_secret_count++;
cffe973c
PW		 284 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
285 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 286 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 288 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 289 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 290 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 291 /*
292 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
293 * client random, and then the hex-encoded secret. In this case,
294 * we treat all of these secrets identically and then just
295 * distinguish between them when counting what we saw.
296 */
cffe973c
PW		 297 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
298 client_early_secret_count++;
299 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 300 client_handshake_secret_count++;
301 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 server_handshake_secret_count++;
303 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
304 client_application_secret_count++;
305 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
306 server_application_secret_count++;
01a2a654
PW		 307 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
308 early_exporter_secret_count++;
6329ce8f
PW		 309 else if (strcmp(token, "EXPORTER_SECRET") == 0)
310 exporter_secret_count++;
f1a5939f
CB		 311
312 client_random_size = SSL_get_client_random(ssl,
313 actual_client_random,
314 SSL3_RANDOM_SIZE);
710756a9 315 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 316 return 0;
f1a5939f 317
710756a9 318 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 319 return 0;
710756a9 320 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 321 return 0;
710756a9
RS		 322 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
323 actual_client_random,
324 client_random_size)))
f1a5939f 325 return 0;
6acdd3e5 326
710756a9 327 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 328 return 0;
f1a5939f
CB		 329
330 /*
331 * TODO(TLS1.3): test that application traffic secrets are what
332 * we expect */
6acdd3e5 333 } else {
710756a9 334 TEST_info("Unexpected token %s\n", token);
f1a5939f 335 return 0;
6acdd3e5 336 }
6acdd3e5
CB		 337 }
338
710756a9
RS		 339 /* Got what we expected? */
340 if (!TEST_size_t_eq(rsa_key_exchange_count,
341 expected->rsa_key_exchange_count)
342 || !TEST_size_t_eq(master_secret_count,
343 expected->master_secret_count)
cffe973c
PW		 344 || !TEST_size_t_eq(client_early_secret_count,
345 expected->client_early_secret_count)
710756a9
RS		 346 || !TEST_size_t_eq(client_handshake_secret_count,
347 expected->client_handshake_secret_count)
348 || !TEST_size_t_eq(server_handshake_secret_count,
349 expected->server_handshake_secret_count)
350 || !TEST_size_t_eq(client_application_secret_count,
351 expected->client_application_secret_count)
352 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 353 expected->server_application_secret_count)
01a2a654
PW		 354 || !TEST_size_t_eq(early_exporter_secret_count,
355 expected->early_exporter_secret_count)
6329ce8f
PW		 356 || !TEST_size_t_eq(exporter_secret_count,
357 expected->exporter_secret_count))
710756a9
RS		 358 return 0;
359 return 1;
6acdd3e5
CB		 360}
361
a763ca11 362#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 363static int test_keylog(void)
364{
6acdd3e5
CB		 365 SSL_CTX *cctx = NULL, *sctx = NULL;
366 SSL *clientssl = NULL, *serverssl = NULL;
367 int testresult = 0;
6fc1e624 368 struct sslapitest_log_counts expected;
6acdd3e5
CB		 369
370 /* Clean up logging space */
6fc1e624 371 memset(&expected, 0, sizeof(expected));
710756a9
RS		 372 memset(client_log_buffer, 0, sizeof(client_log_buffer));
373 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 374 client_log_buffer_index = 0;
375 server_log_buffer_index = 0;
376 error_writing_log = 0;
377
5e30f2fd 378 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 379 TLS_client_method(),
5c587fb6 380 TLS1_VERSION, 0,
710756a9 381 &sctx, &cctx, cert, privkey)))
6acdd3e5 382 return 0;
6acdd3e5
CB		 383
384 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
385 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
386 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
387
f0deb4d3 388 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 389 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 390 goto end;
f0deb4d3 391
cf10df81
RS		 392 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
393 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 394 goto end;
6acdd3e5 395 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 396 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
397 == client_keylog_callback))
6acdd3e5 398 goto end;
710756a9 399 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 400 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
401 == server_keylog_callback))
6acdd3e5 402 goto end;
6acdd3e5 403
710756a9
RS		 404 /* Now do a handshake and check that the logs have been written to. */
405 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
406 &clientssl, NULL, NULL))
407 || !TEST_true(create_ssl_connection(serverssl, clientssl,
408 SSL_ERROR_NONE))
409 || !TEST_false(error_writing_log)
410 || !TEST_int_gt(client_log_buffer_index, 0)
411 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 412 goto end;
6acdd3e5 413
f1a5939f
CB		 414 /*
415 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 416 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 417 * data we expect. For both client and server, we expect to see one master
418 * secret. The client should also see a RSA key exchange.
6acdd3e5 419 */
f1a5939f
CB		 420 expected.rsa_key_exchange_count = 1;
421 expected.master_secret_count = 1;
710756a9
RS		 422 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
423 SSL_get_session(clientssl), &expected)))
6acdd3e5 424 goto end;
f1a5939f
CB		 425
426 expected.rsa_key_exchange_count = 0;
710756a9
RS		 427 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
428 SSL_get_session(serverssl), &expected)))
6acdd3e5 429 goto end;
6acdd3e5
CB		 430
431 testresult = 1;
432
433end:
434 SSL_free(serverssl);
435 SSL_free(clientssl);
436 SSL_CTX_free(sctx);
437 SSL_CTX_free(cctx);
438
439 return testresult;
440}
c423ecaa 441#endif
6acdd3e5 442
a763ca11 443#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 444static int test_keylog_no_master_key(void)
445{
6acdd3e5
CB		 446 SSL_CTX *cctx = NULL, *sctx = NULL;
447 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 448 SSL_SESSION *sess = NULL;
6acdd3e5 449 int testresult = 0;
6fc1e624 450 struct sslapitest_log_counts expected;
cffe973c
PW		 451 unsigned char buf[1];
452 size_t readbytes, written;
6acdd3e5
CB		 453
454 /* Clean up logging space */
6fc1e624 455 memset(&expected, 0, sizeof(expected));
710756a9
RS		 456 memset(client_log_buffer, 0, sizeof(client_log_buffer));
457 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 458 client_log_buffer_index = 0;
459 server_log_buffer_index = 0;
460 error_writing_log = 0;
461
5e30f2fd
MC		 462 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
463 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 464 &sctx, &cctx, cert, privkey))
465 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 466 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 467 return 0;
6acdd3e5 468
cf10df81
RS		 469 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
470 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 471 goto end;
6acdd3e5
CB		 472
473 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 474 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
475 == client_keylog_callback))
6acdd3e5 476 goto end;
6acdd3e5 477
710756a9 478 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 479 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
480 == server_keylog_callback))
6acdd3e5 481 goto end;
6acdd3e5 482
710756a9
RS		 483 /* Now do a handshake and check that the logs have been written to. */
484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
485 &clientssl, NULL, NULL))
486 || !TEST_true(create_ssl_connection(serverssl, clientssl,
487 SSL_ERROR_NONE))
488 || !TEST_false(error_writing_log))
6acdd3e5 489 goto end;
6acdd3e5 490
f1a5939f
CB		 491 /*
492 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 493 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 494 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 495 */
f1a5939f
CB		 496 expected.client_handshake_secret_count = 1;
497 expected.server_handshake_secret_count = 1;
498 expected.client_application_secret_count = 1;
499 expected.server_application_secret_count = 1;
6329ce8f 500 expected.exporter_secret_count = 1;
710756a9
RS		 501 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
502 SSL_get_session(clientssl), &expected))
503 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
504 SSL_get_session(serverssl),
505 &expected)))
6acdd3e5 506 goto end;
6acdd3e5 507
cffe973c
PW		 508 /* Terminate old session and resume with early data. */
509 sess = SSL_get1_session(clientssl);
510 SSL_shutdown(clientssl);
511 SSL_shutdown(serverssl);
512 SSL_free(serverssl);
513 SSL_free(clientssl);
514 serverssl = clientssl = NULL;
515
516 /* Reset key log */
517 memset(client_log_buffer, 0, sizeof(client_log_buffer));
518 memset(server_log_buffer, 0, sizeof(server_log_buffer));
519 client_log_buffer_index = 0;
520 server_log_buffer_index = 0;
521
522 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
523 &clientssl, NULL, NULL))
524 || !TEST_true(SSL_set_session(clientssl, sess))
525 /* Here writing 0 length early data is enough. */
526 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
527 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
528 &readbytes),
529 SSL_READ_EARLY_DATA_ERROR)
530 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
531 SSL_EARLY_DATA_ACCEPTED)
532 || !TEST_true(create_ssl_connection(serverssl, clientssl,
533 SSL_ERROR_NONE))
534 || !TEST_true(SSL_session_reused(clientssl)))
535 goto end;
536
537 /* In addition to the previous entries, expect early secrets. */
538 expected.client_early_secret_count = 1;
01a2a654 539 expected.early_exporter_secret_count = 1;
cffe973c
PW		 540 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
541 SSL_get_session(clientssl), &expected))
542 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
543 SSL_get_session(serverssl),
544 &expected)))
545 goto end;
546
6acdd3e5
CB		 547 testresult = 1;
548
549end:
cffe973c 550 SSL_SESSION_free(sess);
6acdd3e5
CB		 551 SSL_free(serverssl);
552 SSL_free(clientssl);
553 SSL_CTX_free(sctx);
554 SSL_CTX_free(cctx);
555
556 return testresult;
557}
558#endif
559
0c3eb279
DDO		 560static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
561{
562 int res = X509_verify_cert(ctx);
563
564 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
565 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
566 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
567 return res;
568}
569
570static int test_client_cert_verify_cb(void)
571{
572 /* server key, cert, chain, and root */
573 char *skey = test_mk_file_path(certsdir, "leaf.key");
574 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
575 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
576 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
577 char *root = test_mk_file_path(certsdir, "rootCA.pem");
578 X509 *crt1 = NULL, *crt2 = NULL;
579 STACK_OF(X509) *server_chain;
580 SSL_CTX *cctx = NULL, *sctx = NULL;
581 SSL *clientssl = NULL, *serverssl = NULL;
582 int testresult = 0;
583
584 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
585 TLS_client_method(), TLS1_VERSION, 0,
586 &sctx, &cctx, NULL, NULL)))
587 goto end;
588 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
589 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
590 SSL_FILETYPE_PEM), 1)
591 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
592 goto end;
593 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
594 goto end;
595 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
596 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
597 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
598 &clientssl, NULL, NULL)))
599 goto end;
600
601 /* attempt SSL_connect() with incomplete server chain */
602 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
603 SSL_ERROR_WANT_RETRY_VERIFY)))
604 goto end;
605
606 /* application provides intermediate certs needed to verify server cert */
607 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
608 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
609 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
610 goto end;
611 /* add certs in reverse order to demonstrate real chain building */
612 if (!TEST_true(sk_X509_push(server_chain, crt1)))
613 goto end;
614 crt1 = NULL;
615 if (!TEST_true(sk_X509_push(server_chain, crt2)))
616 goto end;
617 crt2 = NULL;
618
619 /* continue SSL_connect(), must now succeed with completed server chain */
620 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
621 SSL_ERROR_NONE)))
622 goto end;
623
624 testresult = 1;
625
626end:
627 X509_free(crt1);
628 X509_free(crt2);
c38048e7
P		 629 if (clientssl != NULL) {
630 SSL_shutdown(clientssl);
631 SSL_free(clientssl);
632 }
633 if (serverssl != NULL) {
634 SSL_shutdown(serverssl);
635 SSL_free(serverssl);
636 }
0c3eb279
DDO		 637 SSL_CTX_free(sctx);
638 SSL_CTX_free(cctx);
639
640 OPENSSL_free(skey);
641 OPENSSL_free(leaf);
642 OPENSSL_free(int2);
643 OPENSSL_free(int1);
644 OPENSSL_free(root);
645
646 return testresult;
647}
648
4e4ae840
SL		 649static int test_ssl_build_cert_chain(void)
650{
651 int ret = 0;
652 SSL_CTX *ssl_ctx = NULL;
653 SSL *ssl = NULL;
654 char *skey = test_mk_file_path(certsdir, "leaf.key");
655 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
656
657 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
658 goto end;
659 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
660 goto end;
661 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
662 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
663 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
664 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
665 goto end;
666 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
667 | SSL_BUILD_CHAIN_FLAG_CHECK)))
668 goto end;
669 ret = 1;
670end:
671 SSL_free(ssl);
672 SSL_CTX_free(ssl_ctx);
673 OPENSSL_free(leaf_chain);
674 OPENSSL_free(skey);
675 return ret;
676}
677
678static int test_ssl_ctx_build_cert_chain(void)
679{
680 int ret = 0;
681 SSL_CTX *ctx = NULL;
682 char *skey = test_mk_file_path(certsdir, "leaf.key");
683 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
684
685 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
686 goto end;
687 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
688 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
689 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
690 SSL_FILETYPE_PEM), 1)
691 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
692 goto end;
693 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
694 | SSL_BUILD_CHAIN_FLAG_CHECK)))
695 goto end;
696 ret = 1;
697end:
698 SSL_CTX_free(ctx);
699 OPENSSL_free(leaf_chain);
700 OPENSSL_free(skey);
701 return ret;
702}
703
e9ee6536 704#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 705static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 706{
707 int *ctr = arg;
708 const unsigned char *p;
8ea404fb 709 int *exts;
2afaee51
BK		 710 /* We only configure two ciphers, but the SCSV is added automatically. */
711#ifdef OPENSSL_NO_EC
712 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
713#else
714 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
715 0x2c, 0x00, 0xff};
716#endif
8ea404fb
BK		 717 const int expected_extensions[] = {
718#ifndef OPENSSL_NO_EC
719 11, 10,
720#endif
10ed1b72 721 35, 22, 23, 13};
2afaee51
BK		 722 size_t len;
723
724 /* Make sure we can defer processing and get called back. */
725 if ((*ctr)++ == 0)
f1b97da1 726 return SSL_CLIENT_HELLO_RETRY;
2afaee51 727
a9c0d8be 728 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 729 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 730 || !TEST_size_t_eq(
731 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 732 || !TEST_int_eq(*p, 0))
f1b97da1 733 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 734 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 735 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 736 if (len != OSSL_NELEM(expected_extensions) ||
737 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 738 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 739 OPENSSL_free(exts);
f1b97da1 740 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 741 }
742 OPENSSL_free(exts);
f1b97da1 743 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 744}
745
a9c0d8be 746static int test_client_hello_cb(void)
710756a9 747{
2afaee51
BK		 748 SSL_CTX *cctx = NULL, *sctx = NULL;
749 SSL *clientssl = NULL, *serverssl = NULL;
750 int testctr = 0, testresult = 0;
751
5e30f2fd
MC		 752 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
753 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 754 &sctx, &cctx, cert, privkey)))
2afaee51 755 goto end;
a9c0d8be 756 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 757
2afaee51
BK		 758 /* The gimpy cipher list we configure can't do TLS 1.3. */
759 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 760
710756a9
RS		 761 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
762 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
763 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 766 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 767 /*
768 * Passing a -1 literal is a hack since
769 * the real value was lost.
770 * */
a9c0d8be
DB		 771 || !TEST_int_eq(SSL_get_error(serverssl, -1),
772 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 773 || !TEST_true(create_ssl_connection(serverssl, clientssl,
774 SSL_ERROR_NONE)))
2afaee51 775 goto end;
2afaee51
BK		 776
777 testresult = 1;
778
088dfa13
TS		 779end:
780 SSL_free(serverssl);
781 SSL_free(clientssl);
782 SSL_CTX_free(sctx);
783 SSL_CTX_free(cctx);
784
785 return testresult;
786}
787
788static int test_no_ems(void)
789{
790 SSL_CTX *cctx = NULL, *sctx = NULL;
791 SSL *clientssl = NULL, *serverssl = NULL;
792 int testresult = 0;
793
5e30f2fd 794 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 795 TLS1_VERSION, TLS1_2_VERSION,
796 &sctx, &cctx, cert, privkey)) {
797 printf("Unable to create SSL_CTX pair\n");
798 goto end;
799 }
800
801 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
802
803 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
804 printf("Unable to create SSL objects\n");
805 goto end;
806 }
807
808 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
809 printf("Creating SSL connection failed\n");
810 goto end;
811 }
812
813 if (SSL_get_extms_support(serverssl)) {
814 printf("Server reports Extended Master Secret support\n");
815 goto end;
816 }
817
818 if (SSL_get_extms_support(clientssl)) {
819 printf("Client reports Extended Master Secret support\n");
820 goto end;
821 }
822 testresult = 1;
823
2afaee51
BK		 824end:
825 SSL_free(serverssl);
826 SSL_free(clientssl);
827 SSL_CTX_free(sctx);
828 SSL_CTX_free(cctx);
829
830 return testresult;
831}
832
3cd14e5e
BK		 833/*
834 * Very focused test to exercise a single case in the server-side state
835 * machine, when the ChangeCipherState message needs to actually change
836 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 837 * encryption to real encryption).
3cd14e5e
BK		 838 */
839static int test_ccs_change_cipher(void)
840{
841 SSL_CTX *cctx = NULL, *sctx = NULL;
842 SSL *clientssl = NULL, *serverssl = NULL;
843 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
844 int testresult = 0;
845 int i;
846 unsigned char buf;
847 size_t readbytes;
848
849 /*
850 * Create a conection so we can resume and potentially (but not) use
851 * a different cipher in the second connection.
852 */
5e30f2fd 853 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 854 TLS_client_method(),
855 TLS1_VERSION, TLS1_2_VERSION,
856 &sctx, &cctx, cert, privkey))
857 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
858 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
859 NULL, NULL))
860 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
861 || !TEST_true(create_ssl_connection(serverssl, clientssl,
862 SSL_ERROR_NONE))
863 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
864 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
865 goto end;
866
867 shutdown_ssl_connection(serverssl, clientssl);
868 serverssl = clientssl = NULL;
869
870 /* Resume, preferring a different cipher. Our server will force the
871 * same cipher to be used as the initial handshake. */
872 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
873 NULL, NULL))
874 || !TEST_true(SSL_set_session(clientssl, sess))
875 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
876 || !TEST_true(create_ssl_connection(serverssl, clientssl,
877 SSL_ERROR_NONE))
878 || !TEST_true(SSL_session_reused(clientssl))
879 || !TEST_true(SSL_session_reused(serverssl))
880 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
881 || !TEST_ptr_eq(sesspre, sesspost)
882 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
883 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
884 goto end;
885 shutdown_ssl_connection(serverssl, clientssl);
886 serverssl = clientssl = NULL;
887
888 /*
889 * Now create a fresh connection and try to renegotiate a different
890 * cipher on it.
891 */
b3e6d666
BK		 892 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
893 NULL, NULL))
3cd14e5e
BK		 894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
896 SSL_ERROR_NONE))
897 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
898 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
899 || !TEST_true(SSL_renegotiate(clientssl))
900 || !TEST_true(SSL_renegotiate_pending(clientssl)))
901 goto end;
902 /* Actually drive the renegotiation. */
903 for (i = 0; i < 3; i++) {
904 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
905 if (!TEST_ulong_eq(readbytes, 0))
906 goto end;
907 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
908 SSL_ERROR_WANT_READ)) {
909 goto end;
910 }
911 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
912 if (!TEST_ulong_eq(readbytes, 0))
913 goto end;
914 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
915 SSL_ERROR_WANT_READ)) {
916 goto end;
917 }
918 }
919 /* sesspre and sesspost should be different since the cipher changed. */
920 if (!TEST_false(SSL_renegotiate_pending(clientssl))
921 || !TEST_false(SSL_session_reused(clientssl))
922 || !TEST_false(SSL_session_reused(serverssl))
923 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
924 || !TEST_ptr_ne(sesspre, sesspost)
925 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
926 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
927 goto end;
928
929 shutdown_ssl_connection(serverssl, clientssl);
930 serverssl = clientssl = NULL;
931
932 testresult = 1;
933
934end:
935 SSL_free(serverssl);
936 SSL_free(clientssl);
937 SSL_CTX_free(sctx);
938 SSL_CTX_free(cctx);
939 SSL_SESSION_free(sess);
940
941 return testresult;
942}
fb121631 943#endif
3cd14e5e 944
84d5549e 945static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 946 const SSL_METHOD *cmeth,
947 int min_version, int max_version,
948 int read_ahead)
84d5549e
MC		 949{
950 SSL_CTX *cctx = NULL, *sctx = NULL;
951 SSL *clientssl = NULL, *serverssl = NULL;
952 int testresult = 0;
953 int i;
710756a9 954 BIO *certbio = NULL;
84d5549e
MC		 955 X509 *chaincert = NULL;
956 int certlen;
957
710756a9 958 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 959 goto end;
6725682d 960
d8652be0 961 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 962 goto end;
963
964 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
965 goto end;
fa454945
MC		 966 BIO_free(certbio);
967 certbio = NULL;
84d5549e 968
5e30f2fd
MC		 969 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
970 max_version, &sctx, &cctx, cert,
971 privkey)))
84d5549e 972 goto end;
84d5549e 973
710756a9 974 if (read_ahead) {
7856332e
MC		 975 /*
976 * Test that read_ahead works correctly when dealing with large
977 * records
978 */
979 SSL_CTX_set_read_ahead(cctx, 1);
980 }
981
84d5549e
MC		 982 /*
983 * We assume the supplied certificate is big enough so that if we add
984 * NUM_EXTRA_CERTS it will make the overall message large enough. The
985 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 986 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
987 * test we need to have a message larger than that.
84d5549e
MC		 988 */
989 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 990 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
991 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 992 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 993 if (!X509_up_ref(chaincert))
84d5549e 994 goto end;
84d5549e 995 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 996 X509_free(chaincert);
997 goto end;
998 }
999 }
1000
710756a9
RS		 1001 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1002 NULL, NULL))
1003 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1004 SSL_ERROR_NONE)))
84d5549e 1005 goto end;
84d5549e 1006
4bf08600
MC		 1007 /*
1008 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1009 * doesn't leak.
4bf08600 1010 */
710756a9 1011 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1012 goto end;
84d5549e 1013
4bf08600 1014 testresult = 1;
84d5549e 1015 end:
6725682d 1016 BIO_free(certbio);
84d5549e
MC		 1017 X509_free(chaincert);
1018 SSL_free(serverssl);
1019 SSL_free(clientssl);
1020 SSL_CTX_free(sctx);
1021 SSL_CTX_free(cctx);
1022
1023 return testresult;
1024}
1025
da4db160 1026#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1027 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
da4db160 1028#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 1029/* sock must be connected */
1030static int ktls_chk_platform(int sock)
1031{
1032 if (!ktls_enable(sock))
1033 return 0;
1034 return 1;
1035}
1036
da4db160 1037static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 1038{
1039 static char count = 1;
1040 unsigned char cbuf[16000] = {0};
1041 unsigned char sbuf[16000];
1042 size_t err = 0;
da4db160
VF		 1043 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1044 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1045 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1046 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1047 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1048 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1049 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
1050 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 1051
1052 cbuf[0] = count++;
da4db160
VF		 1053 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
1054 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
1055 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
1056 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 1057
1058 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1059 goto end;
1060
1061 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1062 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1063 goto end;
1064 }
1065 }
1066
1067 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1068 goto end;
1069
1070 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1071 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1072 goto end;
1073 }
1074 }
1075
da4db160
VF		 1076 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
1077 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
1078 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
1079 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 1080
1081 /* verify the payload */
1082 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1083 goto end;
1084
1085 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
1086 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 1087 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
1088 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1089 goto end;
1090 } else {
da4db160
VF		 1091 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
1092 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 1093 goto end;
1094 }
1095
1096 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 1097 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
1098 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1099 goto end;
1100 } else {
da4db160
VF		 1101 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
1102 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 1103 goto end;
1104 }
1105
2fab79af 1106 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 1107 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
1108 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1109 goto end;
1110 } else {
da4db160
VF		 1111 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
1112 crec_rseq_after, rec_seq_size))
2fab79af
BP		 1113 goto end;
1114 }
1115
1116 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 1117 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
1118 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1119 goto end;
1120 } else {
da4db160
VF		 1121 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
1122 srec_rseq_after, rec_seq_size))
2fab79af
BP		 1123 goto end;
1124 }
fe5d9450
BP		 1125
1126 return 1;
1127end:
1128 return 0;
1129}
1130
2fab79af 1131static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 1132 int sis_ktls_tx, int sis_ktls_rx,
1133 int tls_version, const char *cipher,
1134 int rec_seq_size)
fe5d9450
BP		 1135{
1136 SSL_CTX *cctx = NULL, *sctx = NULL;
1137 SSL *clientssl = NULL, *serverssl = NULL;
1138 int testresult = 0;
1139 int cfd, sfd;
1140
1141 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1142 goto end;
1143
1144 /* Skip this test if the platform does not support ktls */
1145 if (!ktls_chk_platform(cfd))
1146 return 1;
1147
1148 /* Create a session based on SHA-256 */
5e30f2fd 1149 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1150 TLS_client_method(),
da4db160 1151 tls_version, tls_version,
fe5d9450 1152 &sctx, &cctx, cert, privkey))
da4db160 1153 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1154 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
fe5d9450
BP		 1155 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1156 &clientssl, sfd, cfd)))
1157 goto end;
1158
1159 if (!cis_ktls_tx) {
1160 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1161 goto end;
1162 }
1163
1164 if (!sis_ktls_tx) {
1165 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1166 goto end;
1167 }
1168
2fab79af
BP		 1169 if (!cis_ktls_rx) {
1170 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1171 goto end;
1172 }
1173
1174 if (!sis_ktls_rx) {
1175 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1176 goto end;
1177 }
1178
fe5d9450
BP		 1179 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1180 SSL_ERROR_NONE)))
1181 goto end;
1182
1183 if (!cis_ktls_tx) {
1184 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1185 goto end;
1186 } else {
1187 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1188 goto end;
1189 }
1190
1191 if (!sis_ktls_tx) {
1192 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1193 goto end;
1194 } else {
1195 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1196 goto end;
1197 }
1198
2fab79af
BP		 1199 if (!cis_ktls_rx) {
1200 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1201 goto end;
1202 } else {
1203 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1204 goto end;
1205 }
1206
1207 if (!sis_ktls_rx) {
1208 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1209 goto end;
1210 } else {
1211 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1212 goto end;
1213 }
1214
da4db160
VF		 1215 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1216 rec_seq_size)))
fe5d9450
BP		 1217 goto end;
1218
1219 testresult = 1;
1220end:
1221 if (clientssl) {
1222 SSL_shutdown(clientssl);
1223 SSL_free(clientssl);
1224 }
1225 if (serverssl) {
1226 SSL_shutdown(serverssl);
1227 SSL_free(serverssl);
1228 }
1229 SSL_CTX_free(sctx);
1230 SSL_CTX_free(cctx);
1231 serverssl = clientssl = NULL;
1232 return testresult;
1233}
1234
7c3a7561
BP		 1235#define SENDFILE_SZ (16 * 4096)
1236#define SENDFILE_CHUNK (4 * 4096)
1237#define min(a,b) ((a) > (b) ? (b) : (a))
1238
da4db160 1239static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1240{
1241 SSL_CTX *cctx = NULL, *sctx = NULL;
1242 SSL *clientssl = NULL, *serverssl = NULL;
1243 unsigned char *buf, *buf_dst;
1244 BIO *out = NULL, *in = NULL;
1245 int cfd, sfd, ffd, err;
1246 ssize_t chunk_size = 0;
1247 off_t chunk_off = 0;
1248 int testresult = 0;
1249 FILE *ffdp;
1250
1251 buf = OPENSSL_zalloc(SENDFILE_SZ);
1252 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1253 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1254 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1255 goto end;
1256
1257 /* Skip this test if the platform does not support ktls */
1258 if (!ktls_chk_platform(sfd)) {
1259 testresult = 1;
1260 goto end;
1261 }
1262
1263 /* Create a session based on SHA-256 */
5e30f2fd 1264 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1265 TLS_client_method(),
da4db160 1266 tls_version, tls_version,
7c3a7561 1267 &sctx, &cctx, cert, privkey))
da4db160 1268 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1269 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
7c3a7561
BP		 1270 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1271 &clientssl, sfd, cfd)))
1272 goto end;
1273
1274 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1275 SSL_ERROR_NONE))
1276 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1277 goto end;
1278
72c1e374
JB		 1279 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1280 goto end;
1281
7c3a7561
BP		 1282 out = BIO_new_file(tmpfilename, "wb");
1283 if (!TEST_ptr(out))
1284 goto end;
1285
1286 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1287 goto end;
1288
1289 BIO_free(out);
1290 out = NULL;
1291 in = BIO_new_file(tmpfilename, "rb");
1292 BIO_get_fp(in, &ffdp);
1293 ffd = fileno(ffdp);
1294
1295 while (chunk_off < SENDFILE_SZ) {
1296 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1297 while ((err = SSL_sendfile(serverssl,
1298 ffd,
1299 chunk_off,
1300 chunk_size,
1301 0)) != chunk_size) {
1302 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1303 goto end;
1304 }
1305 while ((err = SSL_read(clientssl,
1306 buf_dst + chunk_off,
1307 chunk_size)) != chunk_size) {
1308 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1309 goto end;
1310 }
1311
1312 /* verify the payload */
1313 if (!TEST_mem_eq(buf_dst + chunk_off,
1314 chunk_size,
1315 buf + chunk_off,
1316 chunk_size))
1317 goto end;
1318
1319 chunk_off += chunk_size;
1320 }
1321
1322 testresult = 1;
1323end:
1324 if (clientssl) {
1325 SSL_shutdown(clientssl);
1326 SSL_free(clientssl);
1327 }
1328 if (serverssl) {
1329 SSL_shutdown(serverssl);
1330 SSL_free(serverssl);
1331 }
1332 SSL_CTX_free(sctx);
1333 SSL_CTX_free(cctx);
1334 serverssl = clientssl = NULL;
1335 BIO_free(out);
1336 BIO_free(in);
1337 OPENSSL_free(buf);
1338 OPENSSL_free(buf_dst);
1339 return testresult;
1340}
1341
a763ca11 1342#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1343static int test_ktls(int test)
1344{
eb818d23
JB		 1345 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1346 int tlsver, testresult;
da4db160
VF		 1347
1348 if (test > 15) {
a763ca11 1349#if defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1350 return 1;
1351#else
1352 test -= 16;
1353 tlsver = TLS1_3_VERSION;
1354#endif
1355 } else {
1356#if defined(OPENSSL_NO_TLS1_2)
1357 return 1;
1358#else
1359 tlsver = TLS1_2_VERSION;
1360#endif
1361 }
1362
eb818d23
JB		 1363 cis_ktls_tx = (test & 1) != 0;
1364 cis_ktls_rx = (test & 2) != 0;
1365 sis_ktls_tx = (test & 4) != 0;
1366 sis_ktls_rx = (test & 8) != 0;
1367
cd03b5dc
JB		 1368#if defined(OPENSSL_NO_KTLS_RX)
1369 if (cis_ktls_rx || sis_ktls_rx)
1370 return 1;
1371#endif
a763ca11 1372#if !defined(OSSL_NO_USABLE_TLS1_3)
18efb630
JB		 1373 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1374 return 1;
1375#endif
cd03b5dc 1376
eb818d23
JB		 1377 testresult = 1;
1378#ifdef OPENSSL_KTLS_AES_GCM_128
1379 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1380 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1381 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1382#endif
1383#ifdef OPENSSL_KTLS_AES_CCM_128
1384 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
ab114c6d 1385 sis_ktls_rx, tlsver, "AES128-CCM",
eb818d23
JB		 1386 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1387#endif
1388#ifdef OPENSSL_KTLS_AES_GCM_256
1389 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1390 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1391 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1392#endif
1393 return testresult;
2fab79af
BP		 1394}
1395
da4db160 1396static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1397{
ab114c6d 1398 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
da4db160
VF		 1399 int tlsver;
1400
1401 if (tst > 2) {
a763ca11 1402#if defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 1403 return 1;
1404#else
1405 tst -= 3;
1406 tlsver = TLS1_3_VERSION;
1407#endif
1408 } else {
1409#if defined(OPENSSL_NO_TLS1_2)
1410 return 1;
1411#else
1412 tlsver = TLS1_2_VERSION;
1413#endif
1414 }
1415
1416#ifndef OPENSSL_KTLS_AES_GCM_128
1417 if(tst == 0) return 1;
1418#endif
1419#ifndef OPENSSL_KTLS_AES_CCM_128
1420 if(tst == 1) return 1;
1421#endif
1422#ifndef OPENSSL_KTLS_AES_GCM_256
1423 if(tst == 2) return 1;
1424#endif
1425 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1426}
da4db160
VF		 1427
1428#endif
fe5d9450
BP		 1429#endif
1430
84d5549e
MC		 1431static int test_large_message_tls(void)
1432{
7856332e 1433 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1434 TLS1_VERSION, 0, 0);
7856332e
MC		 1435}
1436
1437static int test_large_message_tls_read_ahead(void)
1438{
1439 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1440 TLS1_VERSION, 0, 1);
84d5549e
MC		 1441}
1442
55386bef 1443#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1444static int test_large_message_dtls(void)
1445{
7856332e
MC		 1446 /*
1447 * read_ahead is not relevant to DTLS because DTLS always acts as if
1448 * read_ahead is set.
1449 */
84d5549e 1450 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1451 DTLS_client_method(),
5c587fb6 1452 DTLS1_VERSION, 0, 0);
84d5549e 1453}
55386bef 1454#endif
84d5549e 1455
163b8016
ME		 1456static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1457 const SSL_METHOD *cmeth,
1458 int min_version, int max_version)
1459{
1460 size_t i;
1461 SSL_CTX *cctx = NULL, *sctx = NULL;
1462 SSL *clientssl = NULL, *serverssl = NULL;
1463 int testresult = 0;
1464 SSL3_RECORD *rr;
1465 void *zbuf;
1466
1467 static unsigned char cbuf[16000];
1468 static unsigned char sbuf[16000];
1469
1470 if (!TEST_true(create_ssl_ctx_pair(libctx,
1471 smeth, cmeth,
1472 min_version, max_version,
1473 &sctx, &cctx, cert,
1474 privkey)))
1475 goto end;
1476
1477 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1478 NULL, NULL)))
1479 goto end;
1480
1481 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1482 goto end;
1483
1484 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1485 SSL_ERROR_NONE)))
1486 goto end;
1487
1488 for (i = 0; i < sizeof(cbuf); i++) {
1489 cbuf[i] = i & 0xff;
1490 }
1491
1492 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1493 goto end;
1494
1495 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1496 goto end;
1497
1498 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1499 goto end;
1500
1501 /*
1502 * Since we called SSL_peek(), we know the data in the record
1503 * layer is a plaintext record. We can gather the pointer to check
1504 * for zeroization after SSL_read().
1505 */
1506 rr = serverssl->rlayer.rrec;
1507 zbuf = &rr->data[rr->off];
1508 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1509 goto end;
1510
1511 /*
1512 * After SSL_peek() the plaintext must still be stored in the
1513 * record.
1514 */
1515 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1516 goto end;
1517
1518 memset(sbuf, 0, sizeof(sbuf));
1519 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1520 goto end;
1521
1522 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1523 goto end;
1524
1525 /* Check if rbuf is cleansed */
1526 memset(cbuf, 0, sizeof(cbuf));
1527 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1528 goto end;
1529
1530 testresult = 1;
1531 end:
1532 SSL_free(serverssl);
1533 SSL_free(clientssl);
1534 SSL_CTX_free(sctx);
1535 SSL_CTX_free(cctx);
1536
1537 return testresult;
1538}
1539
1540static int test_cleanse_plaintext(void)
1541{
1542#if !defined(OPENSSL_NO_TLS1_2)
1543 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1544 TLS_client_method(),
1545 TLS1_2_VERSION,
1546 TLS1_2_VERSION)))
1547 return 0;
1548
1549#endif
1550
a763ca11 1551#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1552 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1553 TLS_client_method(),
1554 TLS1_3_VERSION,
1555 TLS1_3_VERSION)))
1556 return 0;
1557#endif
1558
1559#if !defined(OPENSSL_NO_DTLS)
1560 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1561 DTLS_client_method(),
1562 DTLS1_VERSION,
1563 0)))
1564 return 0;
1565#endif
1566 return 1;
1567}
1568
8f8c11d8 1569#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1570static int ocsp_server_cb(SSL *s, void *arg)
1571{
1572 int *argi = (int *)arg;
710756a9 1573 unsigned char *copy = NULL;
ba881d3b
MC		 1574 STACK_OF(OCSP_RESPID) *ids = NULL;
1575 OCSP_RESPID *id = NULL;
1576
1577 if (*argi == 2) {
1578 /* In this test we are expecting exactly 1 OCSP_RESPID */
1579 SSL_get_tlsext_status_ids(s, &ids);
1580 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1581 return SSL_TLSEXT_ERR_ALERT_FATAL;
1582
1583 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1584 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1585 return SSL_TLSEXT_ERR_ALERT_FATAL;
1586 } else if (*argi != 1) {
1587 return SSL_TLSEXT_ERR_ALERT_FATAL;
1588 }
1589
710756a9 1590 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1591 return SSL_TLSEXT_ERR_ALERT_FATAL;
1592
710756a9 1593 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1594 ocsp_server_called = 1;
ba881d3b
MC		 1595 return SSL_TLSEXT_ERR_OK;
1596}
1597
1598static int ocsp_client_cb(SSL *s, void *arg)
1599{
1600 int *argi = (int *)arg;
1601 const unsigned char *respderin;
1602 size_t len;
1603
1604 if (*argi != 1 && *argi != 2)
1605 return 0;
1606
1607 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1608 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1609 return 0;
1610
1611 ocsp_client_called = 1;
ba881d3b
MC		 1612 return 1;
1613}
1614
2cb4b5f6
MC		 1615static int test_tlsext_status_type(void)
1616{
ba881d3b
MC		 1617 SSL_CTX *cctx = NULL, *sctx = NULL;
1618 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1619 int testresult = 0;
ba881d3b
MC		 1620 STACK_OF(OCSP_RESPID) *ids = NULL;
1621 OCSP_RESPID *id = NULL;
1622 BIO *certbio = NULL;
2cb4b5f6 1623
5e30f2fd 1624 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1625 TLS1_VERSION, 0,
7d7f6834 1626 &sctx, &cctx, cert, privkey))
ba881d3b 1627 return 0;
2cb4b5f6 1628
710756a9 1629 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1630 goto end;
2cb4b5f6 1631
ba881d3b 1632 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1633
ba881d3b 1634 clientssl = SSL_new(cctx);
710756a9
RS		 1635 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1636 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1637 TLSEXT_STATUSTYPE_ocsp))
1638 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1639 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1640 goto end;
2cb4b5f6 1641
ba881d3b
MC		 1642 SSL_free(clientssl);
1643 clientssl = NULL;
2cb4b5f6 1644
710756a9
RS		 1645 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1646 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1647 goto end;
2cb4b5f6 1648
ba881d3b 1649 clientssl = SSL_new(cctx);
710756a9 1650 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1651 goto end;
ba881d3b
MC		 1652 SSL_free(clientssl);
1653 clientssl = NULL;
1654
1655 /*
1656 * Now actually do a handshake and check OCSP information is exchanged and
1657 * the callbacks get called
1658 */
ba881d3b
MC		 1659 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1660 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1661 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1662 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1663 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1664 &clientssl, NULL, NULL))
1665 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1666 SSL_ERROR_NONE))
1667 || !TEST_true(ocsp_client_called)
1668 || !TEST_true(ocsp_server_called))
ba881d3b 1669 goto end;
ba881d3b
MC		 1670 SSL_free(serverssl);
1671 SSL_free(clientssl);
1672 serverssl = NULL;
1673 clientssl = NULL;
1674
1675 /* Try again but this time force the server side callback to fail */
1676 ocsp_client_called = 0;
1677 ocsp_server_called = 0;
1678 cdummyarg = 0;
710756a9
RS		 1679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1680 &clientssl, NULL, NULL))
1681 /* This should fail because the callback will fail */
1682 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1683 SSL_ERROR_NONE))
1684 || !TEST_false(ocsp_client_called)
1685 || !TEST_false(ocsp_server_called))
ba881d3b 1686 goto end;
ba881d3b
MC		 1687 SSL_free(serverssl);
1688 SSL_free(clientssl);
1689 serverssl = NULL;
1690 clientssl = NULL;
1691
1692 /*
1693 * This time we'll get the client to send an OCSP_RESPID that it will
1694 * accept.
1695 */
1696 ocsp_client_called = 0;
1697 ocsp_server_called = 0;
1698 cdummyarg = 2;
710756a9
RS		 1699 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1700 &clientssl, NULL, NULL)))
ba881d3b 1701 goto end;
ba881d3b
MC		 1702
1703 /*
1704 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1705 * specific one. We'll use the server cert.
ba881d3b 1706 */
710756a9
RS		 1707 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1708 || !TEST_ptr(id = OCSP_RESPID_new())
1709 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1710 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1711 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1712 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1713 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1714 goto end;
ba881d3b
MC		 1715 id = NULL;
1716 SSL_set_tlsext_status_ids(clientssl, ids);
1717 /* Control has been transferred */
1718 ids = NULL;
1719
1720 BIO_free(certbio);
1721 certbio = NULL;
1722
710756a9
RS		 1723 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1724 SSL_ERROR_NONE))
1725 || !TEST_true(ocsp_client_called)
1726 || !TEST_true(ocsp_server_called))
ba881d3b 1727 goto end;
ba881d3b 1728
2cb4b5f6
MC		 1729 testresult = 1;
1730
1731 end:
ba881d3b
MC		 1732 SSL_free(serverssl);
1733 SSL_free(clientssl);
1734 SSL_CTX_free(sctx);
1735 SSL_CTX_free(cctx);
1736 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1737 OCSP_RESPID_free(id);
1738 BIO_free(certbio);
1739 X509_free(ocspcert);
1740 ocspcert = NULL;
2cb4b5f6
MC		 1741
1742 return testresult;
1743}
8f8c11d8 1744#endif
2cb4b5f6 1745
a763ca11 1746#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1747static int new_called, remove_called, get_called;
eaa776da 1748
eaa776da
MC		 1749static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1750{
1751 new_called++;
c0537ebd
MC		 1752 /*
1753 * sess has been up-refed for us, but we don't actually need it so free it
1754 * immediately.
1755 */
1756 SSL_SESSION_free(sess);
eaa776da
MC		 1757 return 1;
1758}
1759
1760static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1761{
1762 remove_called++;
1763}
1764
7a301f08
MC		 1765static SSL_SESSION *get_sess_val = NULL;
1766
1767static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1768 int *copy)
1769{
0afca811 1770 get_called++;
7a301f08
MC		 1771 *copy = 1;
1772 return get_sess_val;
1773}
1774
7a301f08 1775static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1776 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1777{
1778 SSL_CTX *sctx = NULL, *cctx = NULL;
1779 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1780 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1781# ifndef OPENSSL_NO_TLS1_1
eaa776da 1782 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1783# endif
2cb4b5f6 1784 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1785 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1786
7e885b7b
P		 1787 new_called = remove_called = 0;
1788
36ff232c
MC		 1789 /* TLSv1.3 sends 2 NewSessionTickets */
1790 if (maxprot == TLS1_3_VERSION)
1791 numnewsesstick = 2;
1792
5e30f2fd
MC		 1793 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1794 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1795 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1796 return 0;
2cb4b5f6 1797
7a301f08
MC		 1798 /*
1799 * Only allow the max protocol version so we can force a connection failure
1800 * later
1801 */
1802 SSL_CTX_set_min_proto_version(cctx, maxprot);
1803 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1804
1805 /* Set up session cache */
7e885b7b 1806 if (use_ext_cache) {
eaa776da
MC		 1807 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1808 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1809 }
7e885b7b 1810 if (use_int_cache) {
eaa776da
MC		 1811 /* Also covers instance where both are set */
1812 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1813 } else {
1814 SSL_CTX_set_session_cache_mode(cctx,
1815 SSL_SESS_CACHE_CLIENT
1816 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1817 }
2cb4b5f6 1818
90fc2c26
NM		 1819 if (s_options) {
1820 SSL_CTX_set_options(sctx, s_options);
1821 }
1822
710756a9
RS		 1823 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1824 NULL, NULL))
1825 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1826 SSL_ERROR_NONE))
1827 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1828 goto end;
2cb4b5f6 1829
710756a9 1830 /* Should fail because it should already be in the cache */
7e885b7b 1831 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1832 goto end;
7a301f08 1833 if (use_ext_cache
36ff232c
MC		 1834 && (!TEST_int_eq(new_called, numnewsesstick)
1835
1836 || !TEST_int_eq(remove_called, 0)))
b4982125 1837 goto end;
b4982125 1838
c0537ebd
MC		 1839 new_called = remove_called = 0;
1840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1841 &clientssl2, NULL, NULL))
1842 || !TEST_true(SSL_set_session(clientssl2, sess1))
1843 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1844 SSL_ERROR_NONE))
1845 || !TEST_true(SSL_session_reused(clientssl2)))
1846 goto end;
1847
7a301f08
MC		 1848 if (maxprot == TLS1_3_VERSION) {
1849 /*
1850 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1851 * resumed. Since we attempted a resume we should also have removed the
1852 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1853 */
1854 if (use_ext_cache
1855 && (!TEST_int_eq(new_called, 1)
4cb00457 1856 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1857 goto end;
1858 } else {
1859 /*
1860 * In TLSv1.2 we expect to have resumed so no sessions added or
1861 * removed.
1862 */
1863 if (use_ext_cache
1864 && (!TEST_int_eq(new_called, 0)
1865 || !TEST_int_eq(remove_called, 0)))
1866 goto end;
1867 }
c0537ebd
MC		 1868
1869 SSL_SESSION_free(sess1);
1870 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1871 goto end;
1872 shutdown_ssl_connection(serverssl2, clientssl2);
1873 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1874
1875 new_called = remove_called = 0;
710756a9
RS		 1876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1877 &clientssl2, NULL, NULL))
1878 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1879 SSL_ERROR_NONE)))
2cb4b5f6 1880 goto end;
2cb4b5f6 1881
710756a9 1882 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1883 goto end;
2cb4b5f6 1884
7a301f08 1885 if (use_ext_cache
36ff232c
MC		 1886 && (!TEST_int_eq(new_called, numnewsesstick)
1887 || !TEST_int_eq(remove_called, 0)))
eaa776da 1888 goto end;
eaa776da 1889
c0537ebd 1890 new_called = remove_called = 0;
2cb4b5f6 1891 /*
710756a9
RS		 1892 * This should clear sess2 from the cache because it is a "bad" session.
1893 * See SSL_set_session() documentation.
2cb4b5f6 1894 */
710756a9 1895 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1896 goto end;
7a301f08
MC		 1897 if (use_ext_cache
1898 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1899 goto end;
710756a9 1900 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1901 goto end;
2cb4b5f6 1902
7e885b7b 1903 if (use_int_cache) {
710756a9
RS		 1904 /* Should succeeded because it should not already be in the cache */
1905 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1906 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1907 goto end;
eaa776da
MC		 1908 }
1909
c0537ebd 1910 new_called = remove_called = 0;
eaa776da 1911 /* This shouldn't be in the cache so should fail */
710756a9 1912 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1913 goto end;
2cb4b5f6 1914
7a301f08
MC		 1915 if (use_ext_cache
1916 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1917 goto end;
2cb4b5f6 1918
bf208d95 1919# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1920 new_called = remove_called = 0;
eaa776da
MC		 1921 /* Force a connection failure */
1922 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1923 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1924 &clientssl3, NULL, NULL))
1925 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1926 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1927 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1928 SSL_ERROR_NONE)))
eaa776da 1929 goto end;
b4982125 1930
eaa776da 1931 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1932 if (use_ext_cache
1933 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1934 goto end;
2cb4b5f6 1935
710756a9 1936 /* Should succeed because it should not already be in the cache */
7e885b7b 1937 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1938 goto end;
bf208d95 1939# endif
eaa776da 1940
7a301f08
MC		 1941 /* Now do some tests for server side caching */
1942 if (use_ext_cache) {
1943 SSL_CTX_sess_set_new_cb(cctx, NULL);
1944 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1945 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1946 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1947 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1948 get_sess_val = NULL;
1949 }
1950
1951 SSL_CTX_set_session_cache_mode(cctx, 0);
1952 /* Internal caching is the default on the server side */
1953 if (!use_int_cache)
1954 SSL_CTX_set_session_cache_mode(sctx,
1955 SSL_SESS_CACHE_SERVER
1956 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1957
1958 SSL_free(serverssl1);
1959 SSL_free(clientssl1);
1960 serverssl1 = clientssl1 = NULL;
1961 SSL_free(serverssl2);
1962 SSL_free(clientssl2);
1963 serverssl2 = clientssl2 = NULL;
1964 SSL_SESSION_free(sess1);
1965 sess1 = NULL;
1966 SSL_SESSION_free(sess2);
1967 sess2 = NULL;
1968
1969 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1970 if (maxprot == TLS1_2_VERSION)
1971 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1972 new_called = remove_called = get_called = 0;
7a301f08
MC		 1973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1974 NULL, NULL))
1975 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1976 SSL_ERROR_NONE))
1977 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1978 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1979 goto end;
1980
ee94ec2e
MC		 1981 if (use_int_cache) {
1982 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1983 /*
1984 * In TLSv1.3 it should not have been added to the internal cache,
1985 * except in the case where we also have an external cache (in that
1986 * case it gets added to the cache in order to generate remove
1987 * events after timeout).
1988 */
1989 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1990 goto end;
1991 } else {
1992 /* Should fail because it should already be in the cache */
1993 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1994 goto end;
1995 }
1996 }
7a301f08
MC		 1997
1998 if (use_ext_cache) {
1999 SSL_SESSION *tmp = sess2;
2000
36ff232c 2001 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2002 || !TEST_int_eq(remove_called, 0)
2003 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2004 goto end;
2005 /*
2006 * Delete the session from the internal cache to force a lookup from
2007 * the external cache. We take a copy first because
2008 * SSL_CTX_remove_session() also marks the session as non-resumable.
2009 */
ee94ec2e 2010 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2011 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2012 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2013 goto end;
2014 SSL_SESSION_free(sess2);
2015 }
7a301f08
MC		 2016 sess2 = tmp;
2017 }
2018
0afca811 2019 new_called = remove_called = get_called = 0;
7a301f08
MC		 2020 get_sess_val = sess2;
2021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2022 &clientssl2, NULL, NULL))
2023 || !TEST_true(SSL_set_session(clientssl2, sess1))
2024 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2025 SSL_ERROR_NONE))
2026 || !TEST_true(SSL_session_reused(clientssl2)))
2027 goto end;
2028
0afca811 2029 if (use_ext_cache) {
32305f88 2030 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2031 goto end;
2032
2033 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2034 if (!TEST_int_eq(new_called, 1)
2035 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2036 goto end;
2037 } else {
32305f88
MC		 2038 if (!TEST_int_eq(new_called, 0)
2039 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2040 goto end;
2041 }
2042 }
7a301f08 2043
2cb4b5f6 2044 testresult = 1;
eaa776da 2045
2cb4b5f6
MC		 2046 end:
2047 SSL_free(serverssl1);
2048 SSL_free(clientssl1);
2049 SSL_free(serverssl2);
2050 SSL_free(clientssl2);
bf208d95 2051# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2052 SSL_free(serverssl3);
2053 SSL_free(clientssl3);
bf208d95 2054# endif
2cb4b5f6
MC		 2055 SSL_SESSION_free(sess1);
2056 SSL_SESSION_free(sess2);
2057 SSL_CTX_free(sctx);
2058 SSL_CTX_free(cctx);
2059
2060 return testresult;
2061}
a763ca11 2062#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2063
7fb4c820
MC		 2064static int test_session_with_only_int_cache(void)
2065{
a763ca11 2066#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2067 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2068 return 0;
2069#endif
2070
2071#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2072 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2073#else
2074 return 1;
2075#endif
eaa776da
MC		 2076}
2077
7fb4c820
MC		 2078static int test_session_with_only_ext_cache(void)
2079{
a763ca11 2080#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2081 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2082 return 0;
2083#endif
2084
2085#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2086 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2087#else
2088 return 1;
2089#endif
eaa776da
MC		 2090}
2091
7fb4c820
MC		 2092static int test_session_with_both_cache(void)
2093{
a763ca11 2094#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2095 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2096 return 0;
2097#endif
2098
2099#ifndef OPENSSL_NO_TLS1_2
2100 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2101#else
2102 return 1;
2103#endif
2104}
2105
2106static int test_session_wo_ca_names(void)
2107{
a763ca11 2108#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2109 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2110 return 0;
2111#endif
2112
2113#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2114 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2115#else
2116 return 1;
2117#endif
eaa776da
MC		 2118}
2119
90fc2c26 2120
a763ca11 2121#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2122static SSL_SESSION *sesscache[6];
2123static int do_cache;
36ff232c
MC		 2124
2125static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2126{
c22365b3
MC		 2127 if (do_cache) {
2128 sesscache[new_called] = sess;
2129 } else {
2130 /* We don't need the reference to the session, so free it */
2131 SSL_SESSION_free(sess);
2132 }
2133 new_called++;
2134
2135 return 1;
2136}
2137
2138static int post_handshake_verify(SSL *sssl, SSL *cssl)
2139{
2140 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2141 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2142 return 0;
2143
2144 /* Start handshake on the server and client */
2145 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2146 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2147 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2148 || !TEST_true(create_ssl_connection(sssl, cssl,
2149 SSL_ERROR_NONE)))
2150 return 0;
36ff232c
MC		 2151
2152 return 1;
2153}
2154
fbe9dafd 2155static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2156 SSL_CTX **cctx)
2157{
2158 int sess_id_ctx = 1;
2159
5e30f2fd
MC		 2160 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2161 TLS_client_method(), TLS1_VERSION, 0,
2162 sctx, cctx, cert, privkey))
03cdf559
MC		 2163 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2164 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2165 (void *)&sess_id_ctx,
2166 sizeof(sess_id_ctx))))
2167 return 0;
2168
2169 if (stateful)
2170 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2171
2172 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2173 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2174 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2175
2176 return 1;
2177}
2178
2179static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2180{
2181 SSL *serverssl = NULL, *clientssl = NULL;
2182 int i;
2183
2184 /* Test that we can resume with all the tickets we got given */
2185 for (i = 0; i < idx * 2; i++) {
2186 new_called = 0;
2187 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2188 &clientssl, NULL, NULL))
2189 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2190 goto end;
2191
32097b33 2192 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2193
2194 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2195 SSL_ERROR_NONE)))
2196 goto end;
2197
2198 /*
2199 * Following a successful resumption we only get 1 ticket. After a
2200 * failed one we should get idx tickets.
2201 */
2202 if (succ) {
2203 if (!TEST_true(SSL_session_reused(clientssl))
2204 || !TEST_int_eq(new_called, 1))
2205 goto end;
2206 } else {
2207 if (!TEST_false(SSL_session_reused(clientssl))
2208 || !TEST_int_eq(new_called, idx))
2209 goto end;
2210 }
2211
2212 new_called = 0;
2213 /* After a post-handshake authentication we should get 1 new ticket */
2214 if (succ
2215 && (!post_handshake_verify(serverssl, clientssl)
2216 || !TEST_int_eq(new_called, 1)))
2217 goto end;
2218
2219 SSL_shutdown(clientssl);
2220 SSL_shutdown(serverssl);
2221 SSL_free(serverssl);
2222 SSL_free(clientssl);
2223 serverssl = clientssl = NULL;
2224 SSL_SESSION_free(sesscache[i]);
2225 sesscache[i] = NULL;
2226 }
2227
2228 return 1;
2229
2230 end:
2231 SSL_free(clientssl);
2232 SSL_free(serverssl);
2233 return 0;
2234}
2235
04d7814a 2236static int test_tickets(int stateful, int idx)
36ff232c
MC		 2237{
2238 SSL_CTX *sctx = NULL, *cctx = NULL;
2239 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2240 int testresult = 0;
36ff232c
MC		 2241 size_t j;
2242
2243 /* idx is the test number, but also the number of tickets we want */
2244
2245 new_called = 0;
c22365b3 2246 do_cache = 1;
36ff232c 2247
fbe9dafd 2248 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2249 goto end;
2250
03cdf559
MC		 2251 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2252 &clientssl, NULL, NULL)))
2253 goto end;
2254
2255 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2256 SSL_ERROR_NONE))
2257 /* Check we got the number of tickets we were expecting */
2258 || !TEST_int_eq(idx, new_called))
2259 goto end;
04d7814a 2260
03cdf559
MC		 2261 SSL_shutdown(clientssl);
2262 SSL_shutdown(serverssl);
2263 SSL_free(serverssl);
2264 SSL_free(clientssl);
2265 SSL_CTX_free(sctx);
2266 SSL_CTX_free(cctx);
2267 clientssl = serverssl = NULL;
2268 sctx = cctx = NULL;
2269
2270 /*
2271 * Now we try to resume with the tickets we previously created. The
2272 * resumption attempt is expected to fail (because we're now using a new
2273 * SSL_CTX). We should see idx number of tickets issued again.
2274 */
2275
2276 /* Stop caching sessions - just count them */
2277 do_cache = 0;
2278
fbe9dafd 2279 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2280 goto end;
2281
2282 if (!check_resumption(idx, sctx, cctx, 0))
2283 goto end;
2284
2285 /* Start again with caching sessions */
2286 new_called = 0;
2287 do_cache = 1;
fbe9dafd
MC		 2288 SSL_CTX_free(sctx);
2289 SSL_CTX_free(cctx);
2290 sctx = cctx = NULL;
03cdf559 2291
fbe9dafd 2292 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2293 goto end;
36ff232c
MC		 2294
2295 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2296 &clientssl, NULL, NULL)))
2297 goto end;
2298
32097b33 2299 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2300
2301 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2302 SSL_ERROR_NONE))
2303 /* Check we got the number of tickets we were expecting */
2304 || !TEST_int_eq(idx, new_called))
2305 goto end;
2306
2307 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2308 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2309 || !TEST_int_eq(idx * 2, new_called))
2310 goto end;
2311
36ff232c
MC		 2312 SSL_shutdown(clientssl);
2313 SSL_shutdown(serverssl);
2314 SSL_free(serverssl);
2315 SSL_free(clientssl);
2316 serverssl = clientssl = NULL;
2317
c22365b3
MC		 2318 /* Stop caching sessions - just count them */
2319 do_cache = 0;
2320
03cdf559
MC		 2321 /*
2322 * Check we can resume with all the tickets we created. This time around the
2323 * resumptions should all be successful.
2324 */
2325 if (!check_resumption(idx, sctx, cctx, 1))
2326 goto end;
36ff232c
MC		 2327
2328 testresult = 1;
2329
2330 end:
2331 SSL_free(serverssl);
2332 SSL_free(clientssl);
c22365b3 2333 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2334 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2335 sesscache[j] = NULL;
2336 }
36ff232c
MC		 2337 SSL_CTX_free(sctx);
2338 SSL_CTX_free(cctx);
2339
2340 return testresult;
2341}
04d7814a
MC		 2342
2343static int test_stateless_tickets(int idx)
2344{
2345 return test_tickets(0, idx);
2346}
2347
2348static int test_stateful_tickets(int idx)
2349{
2350 return test_tickets(1, idx);
2351}
8614a4eb
MC		 2352
2353static int test_psk_tickets(void)
2354{
2355 SSL_CTX *sctx = NULL, *cctx = NULL;
2356 SSL *serverssl = NULL, *clientssl = NULL;
2357 int testresult = 0;
2358 int sess_id_ctx = 1;
2359
5e30f2fd
MC		 2360 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2361 TLS_client_method(), TLS1_VERSION, 0,
2362 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2363 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2364 (void *)&sess_id_ctx,
2365 sizeof(sess_id_ctx))))
2366 goto end;
2367
2368 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2369 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2370 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2371 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2372 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2373 use_session_cb_cnt = 0;
2374 find_session_cb_cnt = 0;
2375 srvid = pskid;
2376 new_called = 0;
2377
2378 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2379 NULL, NULL)))
2380 goto end;
2381 clientpsk = serverpsk = create_a_psk(clientssl);
2382 if (!TEST_ptr(clientpsk))
2383 goto end;
2384 SSL_SESSION_up_ref(clientpsk);
2385
2386 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2387 SSL_ERROR_NONE))
2388 || !TEST_int_eq(1, find_session_cb_cnt)
2389 || !TEST_int_eq(1, use_session_cb_cnt)
2390 /* We should always get 1 ticket when using external PSK */
2391 || !TEST_int_eq(1, new_called))
2392 goto end;
2393
2394 testresult = 1;
2395
2396 end:
2397 SSL_free(serverssl);
2398 SSL_free(clientssl);
2399 SSL_CTX_free(sctx);
2400 SSL_CTX_free(cctx);
2401 SSL_SESSION_free(clientpsk);
2402 SSL_SESSION_free(serverpsk);
2403 clientpsk = serverpsk = NULL;
2404
2405 return testresult;
2406}
f0049b86
BK		 2407
2408static int test_extra_tickets(int idx)
2409{
2410 SSL_CTX *sctx = NULL, *cctx = NULL;
2411 SSL *serverssl = NULL, *clientssl = NULL;
2412 BIO *bretry = BIO_new(bio_s_always_retry());
2413 BIO *tmp = NULL;
2414 int testresult = 0;
2415 int stateful = 0;
2416 size_t nbytes;
2417 unsigned char c, buf[1];
2418
2419 new_called = 0;
2420 do_cache = 1;
2421
2422 if (idx >= 3) {
2423 idx -= 3;
2424 stateful = 1;
2425 }
2426
2427 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2428 goto end;
2429 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2430 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2431 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2432
2433 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2434 &clientssl, NULL, NULL)))
2435 goto end;
2436
2437 /*
2438 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2439 * incremented by both client and server.
2440 */
2441 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2442 SSL_ERROR_NONE))
2443 /* Check we got the number of tickets we were expecting */
2444 || !TEST_int_eq(idx * 2, new_called)
2445 || !TEST_true(SSL_new_session_ticket(serverssl))
2446 || !TEST_true(SSL_new_session_ticket(serverssl))
2447 || !TEST_int_eq(idx * 2, new_called))
2448 goto end;
2449
2450 /* Now try a (real) write to actually send the tickets */
2451 c = '1';
2452 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2453 || !TEST_size_t_eq(1, nbytes)
2454 || !TEST_int_eq(idx * 2 + 2, new_called)
2455 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2456 || !TEST_int_eq(idx * 2 + 4, new_called)
2457 || !TEST_int_eq(sizeof(buf), nbytes)
2458 || !TEST_int_eq(c, buf[0])
2459 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2460 goto end;
2461
2462 /* Try with only requesting one new ticket, too */
2463 c = '2';
2464 new_called = 0;
2465 if (!TEST_true(SSL_new_session_ticket(serverssl))
2466 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2467 || !TEST_size_t_eq(sizeof(c), nbytes)
2468 || !TEST_int_eq(1, new_called)
2469 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2470 || !TEST_int_eq(2, new_called)
2471 || !TEST_size_t_eq(sizeof(buf), nbytes)
2472 || !TEST_int_eq(c, buf[0]))
2473 goto end;
2474
2475 /* Do it again but use dummy writes to drive the ticket generation */
2476 c = '3';
2477 new_called = 0;
2478 if (!TEST_true(SSL_new_session_ticket(serverssl))
2479 || !TEST_true(SSL_new_session_ticket(serverssl))
2480 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2481 || !TEST_size_t_eq(0, nbytes)
2482 || !TEST_int_eq(2, new_called)
2483 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2484 || !TEST_int_eq(4, new_called))
2485 goto end;
2486
2487 /*
2488 * Use the always-retry BIO to exercise the logic that forces ticket
2489 * generation to wait until a record boundary.
2490 */
2491 c = '4';
2492 new_called = 0;
2493 tmp = SSL_get_wbio(serverssl);
2494 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2495 tmp = NULL;
2496 goto end;
2497 }
2498 SSL_set0_wbio(serverssl, bretry);
2499 bretry = NULL;
2500 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2501 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2502 || !TEST_size_t_eq(nbytes, 0))
2503 goto end;
2504 /* Restore a BIO that will let the write succeed */
2505 SSL_set0_wbio(serverssl, tmp);
2506 tmp = NULL;
2507 /* These calls should just queue the request and not send anything. */
2508 if (!TEST_true(SSL_new_session_ticket(serverssl))
2509 || !TEST_true(SSL_new_session_ticket(serverssl))
2510 || !TEST_int_eq(0, new_called))
2511 goto end;
2512 /* Re-do the write; still no tickets sent */
2513 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2514 || !TEST_size_t_eq(1, nbytes)
2515 || !TEST_int_eq(0, new_called)
2516 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2517 || !TEST_int_eq(0, new_called)
2518 || !TEST_int_eq(sizeof(buf), nbytes)
2519 || !TEST_int_eq(c, buf[0])
2520 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2521 goto end;
2522 /* Now the *next* write should send the tickets */
2523 c = '5';
2524 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2525 || !TEST_size_t_eq(1, nbytes)
2526 || !TEST_int_eq(2, new_called)
2527 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2528 || !TEST_int_eq(4, new_called)
2529 || !TEST_int_eq(sizeof(buf), nbytes)
2530 || !TEST_int_eq(c, buf[0])
2531 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2532 goto end;
2533
2534 SSL_shutdown(clientssl);
2535 SSL_shutdown(serverssl);
2536 testresult = 1;
2537
2538 end:
2539 BIO_free(bretry);
2540 BIO_free(tmp);
2541 SSL_free(serverssl);
2542 SSL_free(clientssl);
2543 SSL_CTX_free(sctx);
2544 SSL_CTX_free(cctx);
2545 clientssl = serverssl = NULL;
2546 sctx = cctx = NULL;
2547 return testresult;
2548}
04225915 2549#endif
36ff232c 2550
7d4488bb
MC		 2551#define USE_NULL 0
2552#define USE_BIO_1 1
2553#define USE_BIO_2 2
2554#define USE_DEFAULT 3
2555
2556#define CONNTYPE_CONNECTION_SUCCESS 0
2557#define CONNTYPE_CONNECTION_FAIL 1
2558#define CONNTYPE_NO_CONNECTION 2
2559
2560#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2561#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2562#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2563# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2564#else
2565# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2566#endif
2567
7d4488bb
MC		 2568#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2569 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2570 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2571
2572static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2573{
2574 switch (type) {
2575 case USE_NULL:
2576 *res = NULL;
2577 break;
2578 case USE_BIO_1:
2579 *res = bio1;
2580 break;
2581 case USE_BIO_2:
2582 *res = bio2;
2583 break;
2584 }
2585}
2586
7d4488bb
MC		 2587
2588/*
2589 * Tests calls to SSL_set_bio() under various conditions.
2590 *
2591 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2592 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2593 * then do more tests where we create a successful connection first using our
2594 * standard connection setup functions, and then call SSL_set_bio() with
2595 * various combinations of valid BIOs or NULL. We then repeat these tests
2596 * following a failed connection. In this last case we are looking to check that
2597 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2598 */
7fb4c820
MC		 2599static int test_ssl_set_bio(int idx)
2600{
7d4488bb 2601 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2602 BIO *bio1 = NULL;
2603 BIO *bio2 = NULL;
0fae8150 2604 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2605 SSL *serverssl = NULL, *clientssl = NULL;
2606 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2607 int testresult = 0;
2608
7d4488bb
MC		 2609 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2610 initrbio = idx % 3;
2611 idx /= 3;
2612 initwbio = idx % 3;
2613 idx /= 3;
2614 newrbio = idx % 3;
2615 idx /= 3;
2616 newwbio = idx % 3;
2617 conntype = CONNTYPE_NO_CONNECTION;
2618 } else {
2619 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2620 initrbio = initwbio = USE_DEFAULT;
2621 newrbio = idx % 2;
2622 idx /= 2;
2623 newwbio = idx % 2;
2624 idx /= 2;
2625 conntype = idx % 2;
2626 }
710756a9 2627
5e30f2fd
MC		 2628 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2629 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2630 &sctx, &cctx, cert, privkey)))
2631 goto end;
2632
2633 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2634 /*
2635 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2636 * because we reduced the number of tests in the definition of
2637 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2638 * mismatched protocol versions we will force a connection failure.
2639 */
2640 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2641 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2642 }
2643
2644 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2645 NULL, NULL)))
710756a9 2646 goto end;
7fb4c820 2647
710756a9
RS		 2648 if (initrbio == USE_BIO_1
2649 || initwbio == USE_BIO_1
2650 || newrbio == USE_BIO_1
7fb4c820 2651 || newwbio == USE_BIO_1) {
710756a9 2652 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2653 goto end;
7fb4c820
MC		 2654 }
2655
710756a9
RS		 2656 if (initrbio == USE_BIO_2
2657 || initwbio == USE_BIO_2
2658 || newrbio == USE_BIO_2
7fb4c820 2659 || newwbio == USE_BIO_2) {
710756a9 2660 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2661 goto end;
7fb4c820
MC		 2662 }
2663
7d4488bb
MC		 2664 if (initrbio != USE_DEFAULT) {
2665 setupbio(&irbio, bio1, bio2, initrbio);
2666 setupbio(&iwbio, bio1, bio2, initwbio);
2667 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2668
7d4488bb
MC		 2669 /*
2670 * We want to maintain our own refs to these BIO, so do an up ref for
2671 * each BIO that will have ownership transferred in the SSL_set_bio()
2672 * call
2673 */
2674 if (irbio != NULL)
2675 BIO_up_ref(irbio);
2676 if (iwbio != NULL && iwbio != irbio)
2677 BIO_up_ref(iwbio);
2678 }
7fb4c820 2679
7d4488bb
MC		 2680 if (conntype != CONNTYPE_NO_CONNECTION
2681 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2682 SSL_ERROR_NONE)
2683 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2684 goto end;
7fb4c820
MC		 2685
2686 setupbio(&nrbio, bio1, bio2, newrbio);
2687 setupbio(&nwbio, bio1, bio2, newwbio);
2688
2689 /*
2690 * We will (maybe) transfer ownership again so do more up refs.
2691 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2692 * already been set!
2693 */
710756a9
RS		 2694 if (nrbio != NULL
2695 && nrbio != irbio
2696 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2697 BIO_up_ref(nrbio);
710756a9
RS		 2698 if (nwbio != NULL
2699 && nwbio != nrbio
2700 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2701 BIO_up_ref(nwbio);
2702
7d4488bb 2703 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2704
2705 testresult = 1;
2706
2707 end:
7fb4c820
MC		 2708 BIO_free(bio1);
2709 BIO_free(bio2);
710756a9 2710
7fb4c820
MC		 2711 /*
2712 * This test is checking that the ref counting for SSL_set_bio is correct.
2713 * If we get here and we did too many frees then we will fail in the above
742ccab3 2714 * functions.
7fb4c820 2715 */
7d4488bb
MC		 2716 SSL_free(serverssl);
2717 SSL_free(clientssl);
2718 SSL_CTX_free(sctx);
2719 SSL_CTX_free(cctx);
7fb4c820
MC		 2720 return testresult;
2721}
2722
7e885b7b 2723typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2724
7e885b7b 2725static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2726{
2727 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2728 SSL_CTX *ctx;
9a716987
MC		 2729 SSL *ssl = NULL;
2730 int testresult = 0;
2731
d8652be0 2732 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2733 || !TEST_ptr(ssl = SSL_new(ctx))
2734 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2735 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2736 goto end;
9a716987
MC		 2737
2738 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2739
2740 /*
742ccab3 2741 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2742 */
2743 BIO_push(sslbio, membio1);
2744
69687aa8 2745 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2746 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2747 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2748 ssl = NULL;
9a716987 2749 goto end;
493e7898 2750 }
7e885b7b 2751 if (change_bio == CHANGE_RBIO)
65e2d672 2752 SSL_set0_rbio(ssl, membio2);
9a716987 2753 else
65e2d672 2754 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2755 }
2756 ssl = NULL;
2757
7e885b7b 2758 if (pop_ssl)
9a716987
MC		 2759 BIO_pop(sslbio);
2760 else
2761 BIO_pop(membio1);
2762
2763 testresult = 1;
2764 end:
2765 BIO_free(membio1);
2766 BIO_free(sslbio);
2767 SSL_free(ssl);
2768 SSL_CTX_free(ctx);
2769
2770 return testresult;
2771}
2772
2773static int test_ssl_bio_pop_next_bio(void)
2774{
7e885b7b 2775 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2776}
2777
2778static int test_ssl_bio_pop_ssl_bio(void)
2779{
7e885b7b 2780 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2781}
2782
2783static int test_ssl_bio_change_rbio(void)
2784{
7e885b7b 2785 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2786}
2787
2788static int test_ssl_bio_change_wbio(void)
2789{
7e885b7b 2790 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2791}
2792
a763ca11 2793#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2794typedef struct {
2795 /* The list of sig algs */
2796 const int *list;
2797 /* The length of the list */
2798 size_t listlen;
2799 /* A sigalgs list in string format */
2800 const char *liststr;
2801 /* Whether setting the list should succeed */
2802 int valid;
2803 /* Whether creating a connection with the list should succeed */
2804 int connsuccess;
2805} sigalgs_list;
2806
2807static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2808# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2809static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2810static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2811# endif
f1b25aae
MC		 2812static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2813static const int invalidlist2[] = {NID_sha256, NID_undef};
2814static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2815static const int invalidlist4[] = {NID_sha256};
2816static const sigalgs_list testsigalgs[] = {
2817 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2818# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2819 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2820 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2821# endif
f1b25aae 2822 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2823# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2824 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2825 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2826# endif
f1b25aae
MC		 2827 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2828 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2829 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2830 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2831 {NULL, 0, "RSA", 0, 0},
2832 {NULL, 0, "SHA256", 0, 0},
2833 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2834 {NULL, 0, "Invalid", 0, 0}
2835};
f1b25aae
MC		 2836
2837static int test_set_sigalgs(int idx)
2838{
2839 SSL_CTX *cctx = NULL, *sctx = NULL;
2840 SSL *clientssl = NULL, *serverssl = NULL;
2841 int testresult = 0;
2842 const sigalgs_list *curr;
2843 int testctx;
2844
2845 /* Should never happen */
710756a9 2846 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2847 return 0;
2848
2849 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2850 curr = testctx ? &testsigalgs[idx]
2851 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2852
5e30f2fd
MC		 2853 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2854 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2855 &sctx, &cctx, cert, privkey)))
f1b25aae 2856 return 0;
f1b25aae 2857
d2e491f2
MC		 2858 /*
2859 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2860 * for TLSv1.2 for now until we add a new API.
2861 */
2862 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2863
f1b25aae
MC		 2864 if (testctx) {
2865 int ret;
710756a9 2866
f1b25aae
MC		 2867 if (curr->list != NULL)
2868 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2869 else
2870 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2871
2872 if (!ret) {
2873 if (curr->valid)
710756a9 2874 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2875 else
2876 testresult = 1;
2877 goto end;
2878 }
2879 if (!curr->valid) {
710756a9 2880 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2881 goto end;
2882 }
2883 }
2884
710756a9
RS		 2885 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2886 &clientssl, NULL, NULL)))
f1b25aae 2887 goto end;
f1b25aae
MC		 2888
2889 if (!testctx) {
2890 int ret;
2891
2892 if (curr->list != NULL)
2893 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2894 else
2895 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2896 if (!ret) {
2897 if (curr->valid)
710756a9 2898 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2899 else
2900 testresult = 1;
2901 goto end;
2902 }
710756a9 2903 if (!curr->valid)
f1b25aae 2904 goto end;
f1b25aae
MC		 2905 }
2906
710756a9
RS		 2907 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2908 SSL_ERROR_NONE),
2909 curr->connsuccess))
f1b25aae 2910 goto end;
f1b25aae
MC		 2911
2912 testresult = 1;
2913
2914 end:
2915 SSL_free(serverssl);
2916 SSL_free(clientssl);
2917 SSL_CTX_free(sctx);
2918 SSL_CTX_free(cctx);
2919
2920 return testresult;
2921}
c423ecaa 2922#endif
f1b25aae 2923
a763ca11 2924#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 2925static int psk_client_cb_cnt = 0;
2926static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2927
2928static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2929 size_t *idlen, SSL_SESSION **sess)
2930{
2931 switch (++use_session_cb_cnt) {
2932 case 1:
2933 /* The first call should always have a NULL md */
2934 if (md != NULL)
2935 return 0;
2936 break;
2937
2938 case 2:
2939 /* The second call should always have an md */
2940 if (md == NULL)
2941 return 0;
2942 break;
2943
2944 default:
2945 /* We should only be called a maximum of twice */
2946 return 0;
2947 }
2948
57dee9bb
MC		 2949 if (clientpsk != NULL)
2950 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2951
57dee9bb 2952 *sess = clientpsk;
02a3ed5a
MC		 2953 *id = (const unsigned char *)pskid;
2954 *idlen = strlen(pskid);
2955
2956 return 1;
2957}
2958
c2b290c3 2959#ifndef OPENSSL_NO_PSK
532f9578
MC		 2960static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2961 unsigned int max_id_len,
2962 unsigned char *psk,
2963 unsigned int max_psk_len)
2964{
2965 unsigned int psklen = 0;
2966
2967 psk_client_cb_cnt++;
2968
2969 if (strlen(pskid) + 1 > max_id_len)
2970 return 0;
2971
2972 /* We should only ever be called a maximum of twice per connection */
2973 if (psk_client_cb_cnt > 2)
2974 return 0;
2975
2976 if (clientpsk == NULL)
2977 return 0;
2978
2979 /* We'll reuse the PSK we set up for TLSv1.3 */
2980 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2981 return 0;
2982 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2983 strncpy(id, pskid, max_id_len);
2984
2985 return psklen;
2986}
c2b290c3 2987#endif /* OPENSSL_NO_PSK */
532f9578 2988
02a3ed5a
MC		 2989static int find_session_cb(SSL *ssl, const unsigned char *identity,
2990 size_t identity_len, SSL_SESSION **sess)
2991{
2992 find_session_cb_cnt++;
2993
2994 /* We should only ever be called a maximum of twice per connection */
2995 if (find_session_cb_cnt > 2)
2996 return 0;
2997
57dee9bb 2998 if (serverpsk == NULL)
02a3ed5a
MC		 2999 return 0;
3000
3001 /* Identity should match that set by the client */
3002 if (strlen(srvid) != identity_len
3003 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3004 /* No PSK found, continue but without a PSK */
3005 *sess = NULL;
3006 return 1;
3007 }
3008
57dee9bb
MC		 3009 SSL_SESSION_up_ref(serverpsk);
3010 *sess = serverpsk;
02a3ed5a
MC		 3011
3012 return 1;
3013}
3014
c2b290c3 3015#ifndef OPENSSL_NO_PSK
532f9578
MC		 3016static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3017 unsigned char *psk, unsigned int max_psk_len)
3018{
3019 unsigned int psklen = 0;
3020
3021 psk_server_cb_cnt++;
3022
3023 /* We should only ever be called a maximum of twice per connection */
3024 if (find_session_cb_cnt > 2)
3025 return 0;
3026
3027 if (serverpsk == NULL)
3028 return 0;
3029
3030 /* Identity should match that set by the client */
3031 if (strcmp(srvid, identity) != 0) {
3032 return 0;
3033 }
3034
3035 /* We'll reuse the PSK we set up for TLSv1.3 */
3036 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3037 return 0;
3038 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3039
3040 return psklen;
3041}
c2b290c3 3042#endif /* OPENSSL_NO_PSK */
532f9578 3043
5f982038
MC		 3044#define MSG1 "Hello"
3045#define MSG2 "World."
3046#define MSG3 "This"
3047#define MSG4 "is"
3048#define MSG5 "a"
90049cea
MC		 3049#define MSG6 "test"
3050#define MSG7 "message."
5f982038 3051
532f9578 3052#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3053#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3054#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3055#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3056#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3057
8614a4eb
MC		 3058
3059static SSL_SESSION *create_a_psk(SSL *ssl)
3060{
3061 const SSL_CIPHER *cipher = NULL;
3062 const unsigned char key[] = {
3063 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3064 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3065 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3066 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3067 0x2c, 0x2d, 0x2e, 0x2f
3068 };
3069 SSL_SESSION *sess = NULL;
3070
3071 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3072 sess = SSL_SESSION_new();
3073 if (!TEST_ptr(sess)
3074 || !TEST_ptr(cipher)
3075 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3076 sizeof(key)))
3077 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3078 || !TEST_true(
3079 SSL_SESSION_set_protocol_version(sess,
3080 TLS1_3_VERSION))) {
3081 SSL_SESSION_free(sess);
3082 return NULL;
3083 }
3084 return sess;
3085}
3086
5f982038
MC		 3087/*
3088 * Helper method to setup objects for early data test. Caller frees objects on
3089 * error.
3090 */
3091static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3092 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3093{
5a421415 3094 if (*sctx == NULL
5e30f2fd 3095 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3096 TLS_client_method(),
5c587fb6 3097 TLS1_VERSION, 0,
5a421415
MC		 3098 sctx, cctx, cert, privkey)))
3099 return 0;
3100
3101 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3102 return 0;
5f982038 3103
02a3ed5a
MC		 3104 if (idx == 1) {
3105 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3106 SSL_CTX_set_read_ahead(*cctx, 1);
3107 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3108 } else if (idx == 2) {
3109 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3110 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3111 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3112 use_session_cb_cnt = 0;
3113 find_session_cb_cnt = 0;
3114 srvid = pskid;
3cb47b4e
MC		 3115 }
3116
710756a9 3117 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3118 NULL, NULL)))
3119 return 0;
3120
141e4709
MC		 3121 /*
3122 * For one of the run throughs (doesn't matter which one), we'll try sending
3123 * some SNI data in the initial ClientHello. This will be ignored (because
3124 * there is no SNI cb set up by the server), so it should not impact
3125 * early_data.
3126 */
3127 if (idx == 1
3128 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3129 return 0;
3130
02a3ed5a 3131 if (idx == 2) {
8614a4eb 3132 clientpsk = create_a_psk(*clientssl);
57dee9bb 3133 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3134 /*
3135 * We just choose an arbitrary value for max_early_data which
3136 * should be big enough for testing purposes.
3137 */
57dee9bb
MC		 3138 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3139 0x100))
3140 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3141 SSL_SESSION_free(clientpsk);
3142 clientpsk = NULL;
02a3ed5a
MC		 3143 return 0;
3144 }
57dee9bb 3145 serverpsk = clientpsk;
02a3ed5a 3146
c20e3b28
MC		 3147 if (sess != NULL) {
3148 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3149 SSL_SESSION_free(clientpsk);
3150 SSL_SESSION_free(serverpsk);
3151 clientpsk = serverpsk = NULL;
3152 return 0;
3153 }
57dee9bb 3154 *sess = clientpsk;
c20e3b28 3155 }
02a3ed5a
MC		 3156 return 1;
3157 }
3158
3159 if (sess == NULL)
3160 return 1;
3161
3162 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3163 SSL_ERROR_NONE)))
5f982038 3164 return 0;
5f982038
MC		 3165
3166 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3167 SSL_shutdown(*clientssl);
3168 SSL_shutdown(*serverssl);
5f982038
MC		 3169 SSL_free(*serverssl);
3170 SSL_free(*clientssl);
3171 *serverssl = *clientssl = NULL;
3172
710756a9
RS		 3173 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3174 clientssl, NULL, NULL))
3175 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3176 return 0;
5f982038
MC		 3177
3178 return 1;
3179}
3180
3cb47b4e 3181static int test_early_data_read_write(int idx)
5f982038
MC		 3182{
3183 SSL_CTX *cctx = NULL, *sctx = NULL;
3184 SSL *clientssl = NULL, *serverssl = NULL;
3185 int testresult = 0;
3186 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3187 unsigned char buf[20], data[1024];
3188 size_t readbytes, written, eoedlen, rawread, rawwritten;
3189 BIO *rbio;
5f982038 3190
710756a9
RS		 3191 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3192 &serverssl, &sess, idx)))
5f982038
MC		 3193 goto end;
3194
3195 /* Write and read some early data */
710756a9
RS		 3196 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3197 &written))
3198 || !TEST_size_t_eq(written, strlen(MSG1))
3199 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3200 sizeof(buf), &readbytes),
3201 SSL_READ_EARLY_DATA_SUCCESS)
3202 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3203 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3204 SSL_EARLY_DATA_ACCEPTED))
5f982038 3205 goto end;
5f982038
MC		 3206
3207 /*
09f28874 3208 * Server should be able to write data, and client should be able to
5f982038
MC		 3209 * read it.
3210 */
710756a9
RS		 3211 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3212 &written))
3213 || !TEST_size_t_eq(written, strlen(MSG2))
3214 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3215 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3216 goto end;
5f982038
MC		 3217
3218 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3219 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3220 &written))
3221 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3222 goto end;
5f982038 3223
09f28874 3224 /* Server should still be able read early data after writing data */
710756a9
RS		 3225 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3226 &readbytes),
3227 SSL_READ_EARLY_DATA_SUCCESS)
3228 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3229 goto end;
5f982038 3230
09f28874 3231 /* Write more data from server and read it from client */
710756a9
RS		 3232 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3233 &written))
3234 || !TEST_size_t_eq(written, strlen(MSG4))
3235 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3236 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3237 goto end;
5f982038
MC		 3238
3239 /*
3240 * If client writes normal data it should mean writing early data is no
3241 * longer possible.
3242 */
710756a9
RS		 3243 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3244 || !TEST_size_t_eq(written, strlen(MSG5))
3245 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3246 SSL_EARLY_DATA_ACCEPTED))
5f982038 3247 goto end;
5f982038 3248
9b5c865d
MC		 3249 /*
3250 * At this point the client has written EndOfEarlyData, ClientFinished and
3251 * normal (fully protected) data. We are going to cause a delay between the
3252 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3253 * in the read BIO, and then just put back the EndOfEarlyData message.
3254 */
3255 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3256 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3257 || !TEST_size_t_lt(rawread, sizeof(data))
3258 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3259 goto end;
710756a9 3260
9b5c865d
MC		 3261 /* Record length is in the 4th and 5th bytes of the record header */
3262 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3263 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3264 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3265 goto end;
9b5c865d 3266
5f982038 3267 /* Server should be told that there is no more early data */
710756a9
RS		 3268 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3269 &readbytes),
3270 SSL_READ_EARLY_DATA_FINISH)
3271 || !TEST_size_t_eq(readbytes, 0))
5f982038 3272 goto end;
5f982038 3273
9b5c865d
MC		 3274 /*
3275 * Server has not finished init yet, so should still be able to write early
3276 * data.
3277 */
710756a9
RS		 3278 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3279 &written))
3280 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3281 goto end;
9b5c865d 3282
f8a303fa 3283 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3284 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3285 &rawwritten))
3286 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3287 goto end;
f8a303fa 3288
5f982038 3289 /* Server should be able to read normal data */
710756a9
RS		 3290 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3291 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3292 goto end;
5f982038 3293
09f28874 3294 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3295 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3296 &written)))
5f982038 3297 goto end;
5f982038 3298 ERR_clear_error();
710756a9
RS		 3299 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3300 &readbytes),
3301 SSL_READ_EARLY_DATA_ERROR))
5f982038 3302 goto end;
5f982038
MC		 3303 ERR_clear_error();
3304
9b5c865d 3305 /* Client should be able to read the data sent by the server */
710756a9
RS		 3306 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3307 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3308 goto end;
710756a9 3309
f8a303fa 3310 /*
36ff232c
MC		 3311 * Make sure we process the two NewSessionTickets. These arrive
3312 * post-handshake. We attempt reads which we do not expect to return any
3313 * data.
f8a303fa 3314 */
36ff232c
MC		 3315 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3316 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3317 &readbytes)))
f8a303fa 3318 goto end;
5f982038 3319
90049cea 3320 /* Server should be able to write normal data */
710756a9
RS		 3321 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3322 || !TEST_size_t_eq(written, strlen(MSG7))
3323 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3324 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3325 goto end;
90049cea 3326
c20e3b28 3327 SSL_SESSION_free(sess);
5f982038 3328 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3329 use_session_cb_cnt = 0;
3330 find_session_cb_cnt = 0;
5f982038
MC		 3331
3332 SSL_shutdown(clientssl);
3333 SSL_shutdown(serverssl);
5f982038
MC		 3334 SSL_free(serverssl);
3335 SSL_free(clientssl);
3336 serverssl = clientssl = NULL;
710756a9
RS		 3337 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3338 &clientssl, NULL, NULL))
3339 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3340 goto end;
5f982038
MC		 3341
3342 /* Write and read some early data */
710756a9
RS		 3343 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3344 &written))
3345 || !TEST_size_t_eq(written, strlen(MSG1))
3346 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3347 &readbytes),
3348 SSL_READ_EARLY_DATA_SUCCESS)
3349 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3350 goto end;
5f982038 3351
710756a9
RS		 3352 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3353 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3354 goto end;
5f982038 3355
09f28874 3356 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3357 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3358 &written)))
5f982038 3359 goto end;
5f982038 3360 ERR_clear_error();
710756a9
RS		 3361 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3362 &readbytes),
3363 SSL_READ_EARLY_DATA_ERROR))
5f982038 3364 goto end;
5f982038
MC		 3365 ERR_clear_error();
3366
3367 /* Client and server should be able to write/read normal data */
710756a9
RS		 3368 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3369 || !TEST_size_t_eq(written, strlen(MSG5))
3370 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3371 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3372 goto end;
5f982038
MC		 3373
3374 testresult = 1;
3375
3376 end:
c20e3b28 3377 SSL_SESSION_free(sess);
57dee9bb
MC		 3378 SSL_SESSION_free(clientpsk);
3379 SSL_SESSION_free(serverpsk);
3380 clientpsk = serverpsk = NULL;
5f982038
MC		 3381 SSL_free(serverssl);
3382 SSL_free(clientssl);
3383 SSL_CTX_free(sctx);
3384 SSL_CTX_free(cctx);
5f982038
MC		 3385 return testresult;
3386}
3387
5a421415
MC		 3388static int allow_ed_cb_called = 0;
3389
3390static int allow_early_data_cb(SSL *s, void *arg)
3391{
3392 int *usecb = (int *)arg;
3393
3394 allow_ed_cb_called++;
3395
3396 if (*usecb == 1)
3397 return 0;
3398
3399 return 1;
3400}
3401
3402/*
3403 * idx == 0: Standard early_data setup
3404 * idx == 1: early_data setup using read_ahead
3405 * usecb == 0: Don't use a custom early data callback
3406 * usecb == 1: Use a custom early data callback and reject the early data
3407 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3408 * confopt == 0: Configure anti-replay directly
3409 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3410 */
3bb5e5b0 3411static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3412{
3413 SSL_CTX *cctx = NULL, *sctx = NULL;
3414 SSL *clientssl = NULL, *serverssl = NULL;
3415 int testresult = 0;
3416 SSL_SESSION *sess = NULL;
5a421415
MC		 3417 size_t readbytes, written;
3418 unsigned char buf[20];
3419
3420 allow_ed_cb_called = 0;
3421
5e30f2fd
MC		 3422 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3423 TLS_client_method(), TLS1_VERSION, 0,
3424 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3425 return 0;
3426
3427 if (usecb > 0) {
3bb5e5b0
MC		 3428 if (confopt == 0) {
3429 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3430 } else {
3431 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3432
3433 if (!TEST_ptr(confctx))
3434 goto end;
3435 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3436 | SSL_CONF_FLAG_SERVER);
3437 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3438 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3439 2)) {
3440 SSL_CONF_CTX_free(confctx);
3441 goto end;
3442 }
3443 SSL_CONF_CTX_free(confctx);
3444 }
5a421415
MC		 3445 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3446 }
78fb5374
MC		 3447
3448 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3449 &serverssl, &sess, idx)))
3450 goto end;
3451
3452 /*
3453 * The server is configured to accept early data. Create a connection to
3454 * "use up" the ticket
3455 */
3456 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3457 || !TEST_true(SSL_session_reused(clientssl)))
3458 goto end;
3459
3460 SSL_shutdown(clientssl);
3461 SSL_shutdown(serverssl);
3462 SSL_free(serverssl);
3463 SSL_free(clientssl);
3464 serverssl = clientssl = NULL;
3465
3466 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3467 &clientssl, NULL, NULL))
5a421415
MC		 3468 || !TEST_true(SSL_set_session(clientssl, sess)))
3469 goto end;
3470
3471 /* Write and read some early data */
3472 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3473 &written))
3474 || !TEST_size_t_eq(written, strlen(MSG1)))
3475 goto end;
3476
3477 if (usecb <= 1) {
3478 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3479 &readbytes),
3480 SSL_READ_EARLY_DATA_FINISH)
3481 /*
3482 * The ticket was reused, so the we should have rejected the
3483 * early data
3484 */
3485 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3486 SSL_EARLY_DATA_REJECTED))
3487 goto end;
3488 } else {
3489 /* In this case the callback decides to accept the early data */
3490 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3491 &readbytes),
3492 SSL_READ_EARLY_DATA_SUCCESS)
3493 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3494 /*
3495 * Server will have sent its flight so client can now send
3496 * end of early data and complete its half of the handshake
3497 */
3498 || !TEST_int_gt(SSL_connect(clientssl), 0)
3499 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3500 &readbytes),
3501 SSL_READ_EARLY_DATA_FINISH)
3502 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3503 SSL_EARLY_DATA_ACCEPTED))
3504 goto end;
3505 }
3506
3507 /* Complete the connection */
3508 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3509 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3510 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3511 goto end;
3512
3513 testresult = 1;
3514
3515 end:
c20e3b28 3516 SSL_SESSION_free(sess);
78fb5374
MC		 3517 SSL_SESSION_free(clientpsk);
3518 SSL_SESSION_free(serverpsk);
3519 clientpsk = serverpsk = NULL;
3520 SSL_free(serverssl);
3521 SSL_free(clientssl);
3522 SSL_CTX_free(sctx);
3523 SSL_CTX_free(cctx);
3524 return testresult;
3525}
3526
5a421415
MC		 3527static int test_early_data_replay(int idx)
3528{
3bb5e5b0 3529 int ret = 1, usecb, confopt;
5a421415 3530
3bb5e5b0
MC		 3531 for (usecb = 0; usecb < 3; usecb++) {
3532 for (confopt = 0; confopt < 2; confopt++)
3533 ret &= test_early_data_replay_int(idx, usecb, confopt);
3534 }
5a421415
MC		 3535
3536 return ret;
3537}
3538
710756a9 3539/*
6b84e6bf
MC		 3540 * Helper function to test that a server attempting to read early data can
3541 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3542 * testtype: 0 == No HRR
3543 * testtype: 1 == HRR
0efa0ba4
MC		 3544 * testtype: 2 == HRR, invalid early_data sent after HRR
3545 * testtype: 3 == recv_max_early_data set to 0
710756a9 3546 */
0d1b7789 3547static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3548{
3549 SSL_CTX *cctx = NULL, *sctx = NULL;
3550 SSL *clientssl = NULL, *serverssl = NULL;
3551 int testresult = 0;
018fcbec 3552 SSL_SESSION *sess = NULL;
5f982038
MC		 3553 unsigned char buf[20];
3554 size_t readbytes, written;
3555
710756a9
RS		 3556 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3557 &serverssl, &sess, idx)))
5f982038
MC		 3558 goto end;
3559
0efa0ba4 3560 if (testtype == 1 || testtype == 2) {
6b84e6bf 3561 /* Force an HRR to occur */
dbc6268f
MC		 3562#if defined(OPENSSL_NO_EC)
3563 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3564 goto end;
3565#else
6b84e6bf
MC		 3566 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3567 goto end;
dbc6268f 3568#endif
02a3ed5a
MC		 3569 } else if (idx == 2) {
3570 /*
3571 * We force early_data rejection by ensuring the PSK identity is
3572 * unrecognised
3573 */
3574 srvid = "Dummy Identity";
6b84e6bf
MC		 3575 } else {
3576 /*
3577 * Deliberately corrupt the creation time. We take 20 seconds off the
3578 * time. It could be any value as long as it is not within tolerance.
3579 * This should mean the ticket is rejected.
3580 */
5d99881e 3581 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3582 goto end;
3583 }
5f982038 3584
0efa0ba4 3585 if (testtype == 3
0d1b7789
MC		 3586 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3587 goto end;
3588
5f982038 3589 /* Write some early data */
710756a9
RS		 3590 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3591 &written))
3592 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3593 goto end;
5f982038 3594
0d1b7789 3595 /* Server should reject the early data */
710756a9
RS		 3596 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3597 &readbytes),
3598 SSL_READ_EARLY_DATA_FINISH)
3599 || !TEST_size_t_eq(readbytes, 0)
3600 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3601 SSL_EARLY_DATA_REJECTED))
5f982038 3602 goto end;
5f982038 3603
0efa0ba4
MC		 3604 switch (testtype) {
3605 case 0:
3606 /* Nothing to do */
3607 break;
3608
3609 case 1:
6b84e6bf
MC		 3610 /*
3611 * Finish off the handshake. We perform the same writes and reads as
3612 * further down but we expect them to fail due to the incomplete
3613 * handshake.
3614 */
3615 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3616 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3617 &readbytes)))
3618 goto end;
0efa0ba4
MC		 3619 break;
3620
3621 case 2:
3622 {
3623 BIO *wbio = SSL_get_wbio(clientssl);
3624 /* A record that will appear as bad early_data */
3625 const unsigned char bad_early_data[] = {
3626 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3627 };
3628
3629 /*
3630 * We force the client to attempt a write. This will fail because
3631 * we're still in the handshake. It will cause the second
3632 * ClientHello to be sent.
3633 */
3634 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3635 &written)))
3636 goto end;
3637
3638 /*
3639 * Inject some early_data after the second ClientHello. This should
3640 * cause the server to fail
3641 */
3642 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3643 sizeof(bad_early_data), &written)))
3644 goto end;
3645 }
3646 /* fallthrough */
3647
3648 case 3:
0d1b7789 3649 /*
0efa0ba4
MC		 3650 * This client has sent more early_data than we are willing to skip
3651 * (case 3) or sent invalid early_data (case 2) so the connection should
3652 * abort.
0d1b7789
MC		 3653 */
3654 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3655 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3656 goto end;
3657
3658 /* Connection has failed - nothing more to do */
3659 testresult = 1;
3660 goto end;
0efa0ba4
MC		 3661
3662 default:
3663 TEST_error("Invalid test type");
3664 goto end;
6b84e6bf
MC		 3665 }
3666
0d1b7789
MC		 3667 /*
3668 * Should be able to send normal data despite rejection of early data. The
3669 * early_data should be skipped.
3670 */
710756a9
RS		 3671 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3672 || !TEST_size_t_eq(written, strlen(MSG2))
3673 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3674 SSL_EARLY_DATA_REJECTED)
3675 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3676 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3677 goto end;
5f982038
MC		 3678
3679 testresult = 1;
3680
3681 end:
c20e3b28 3682 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3683 SSL_SESSION_free(serverpsk);
3684 clientpsk = serverpsk = NULL;
5f982038
MC		 3685 SSL_SESSION_free(sess);
3686 SSL_free(serverssl);
3687 SSL_free(clientssl);
3688 SSL_CTX_free(sctx);
3689 SSL_CTX_free(cctx);
5f982038
MC		 3690 return testresult;
3691}
3692
6b84e6bf
MC		 3693/*
3694 * Test that a server attempting to read early data can handle a connection
3695 * from a client where the early data is not acceptable.
3696 */
3697static int test_early_data_skip(int idx)
3698{
3699 return early_data_skip_helper(0, idx);
3700}
3701
3702/*
3703 * Test that a server attempting to read early data can handle a connection
3704 * from a client where an HRR occurs.
3705 */
3706static int test_early_data_skip_hrr(int idx)
3707{
3708 return early_data_skip_helper(1, idx);
3709}
3710
0efa0ba4
MC		 3711/*
3712 * Test that a server attempting to read early data can handle a connection
3713 * from a client where an HRR occurs and correctly fails if early_data is sent
3714 * after the HRR
3715 */
3716static int test_early_data_skip_hrr_fail(int idx)
3717{
3718 return early_data_skip_helper(2, idx);
3719}
3720
0d1b7789
MC		 3721/*
3722 * Test that a server attempting to read early data will abort if it tries to
3723 * skip over too much.
3724 */
3725static int test_early_data_skip_abort(int idx)
3726{
0efa0ba4 3727 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3728}
3729
710756a9
RS		 3730/*
3731 * Test that a server attempting to read early data can handle a connection
3732 * from a client that doesn't send any.
3733 */
3cb47b4e 3734static int test_early_data_not_sent(int idx)
5f982038
MC		 3735{
3736 SSL_CTX *cctx = NULL, *sctx = NULL;
3737 SSL *clientssl = NULL, *serverssl = NULL;
3738 int testresult = 0;
018fcbec 3739 SSL_SESSION *sess = NULL;
5f982038
MC		 3740 unsigned char buf[20];
3741 size_t readbytes, written;
3742
710756a9
RS		 3743 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3744 &serverssl, &sess, idx)))
5f982038
MC		 3745 goto end;
3746
3747 /* Write some data - should block due to handshake with server */
3748 SSL_set_connect_state(clientssl);
710756a9 3749 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3750 goto end;
5f982038
MC		 3751
3752 /* Server should detect that early data has not been sent */
710756a9
RS		 3753 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3754 &readbytes),
3755 SSL_READ_EARLY_DATA_FINISH)
3756 || !TEST_size_t_eq(readbytes, 0)
3757 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3758 SSL_EARLY_DATA_NOT_SENT)
3759 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3760 SSL_EARLY_DATA_NOT_SENT))
5f982038 3761 goto end;
5f982038
MC		 3762
3763 /* Continue writing the message we started earlier */
710756a9
RS		 3764 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3765 || !TEST_size_t_eq(written, strlen(MSG1))
3766 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3767 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3768 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3769 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3770 goto end;
5f982038 3771
710756a9
RS		 3772 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3773 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3774 goto end;
5f982038
MC		 3775
3776 testresult = 1;
3777
3778 end:
5f982038 3779 SSL_SESSION_free(sess);
c20e3b28 3780 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3781 SSL_SESSION_free(serverpsk);
3782 clientpsk = serverpsk = NULL;
5f982038
MC		 3783 SSL_free(serverssl);
3784 SSL_free(clientssl);
3785 SSL_CTX_free(sctx);
3786 SSL_CTX_free(cctx);
5f982038
MC		 3787 return testresult;
3788}
3789
976e5323
MC		 3790static const char *servalpn;
3791
c7558d5b
PY		 3792static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3793 unsigned char *outlen, const unsigned char *in,
3794 unsigned int inlen, void *arg)
976e5323 3795{
c7558d5b 3796 unsigned int protlen = 0;
976e5323
MC		 3797 const unsigned char *prot;
3798
c7558d5b
PY		 3799 for (prot = in; prot < in + inlen; prot += protlen) {
3800 protlen = *prot++;
5d99881e 3801 if (in + inlen < prot + protlen)
976e5323
MC		 3802 return SSL_TLSEXT_ERR_NOACK;
3803
3804 if (protlen == strlen(servalpn)
0bd42fde 3805 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3806 *out = prot;
3807 *outlen = protlen;
3808 return SSL_TLSEXT_ERR_OK;
3809 }
3810 }
3811
3812 return SSL_TLSEXT_ERR_NOACK;
3813}
3814
57dee9bb 3815/* Test that a PSK can be used to send early_data */
976e5323
MC		 3816static int test_early_data_psk(int idx)
3817{
3818 SSL_CTX *cctx = NULL, *sctx = NULL;
3819 SSL *clientssl = NULL, *serverssl = NULL;
3820 int testresult = 0;
3821 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3822 unsigned char alpnlist[] = {
3823 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3824 'l', 'p', 'n'
3825 };
3826#define GOODALPNLEN 9
3827#define BADALPNLEN 8
3828#define GOODALPN (alpnlist)
3829#define BADALPN (alpnlist + GOODALPNLEN)
3830 int err = 0;
976e5323
MC		 3831 unsigned char buf[20];
3832 size_t readbytes, written;
57dee9bb 3833 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3834 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3835
3836 /* We always set this up with a final parameter of "2" for PSK */
3837 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3838 &serverssl, &sess, 2)))
3839 goto end;
3840
976e5323
MC		 3841 servalpn = "goodalpn";
3842
57dee9bb
MC		 3843 /*
3844 * Note: There is no test for inconsistent SNI with late client detection.
3845 * This is because servers do not acknowledge SNI even if they are using
3846 * it in a resumption handshake - so it is not actually possible for a
3847 * client to detect a problem.
3848 */
976e5323
MC		 3849 switch (idx) {
3850 case 0:
57dee9bb 3851 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3852 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3853 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3854 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3855 goto end;
3856 break;
3857
3858 case 1:
57dee9bb 3859 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3860 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3861 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3862 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3863 GOODALPNLEN))
3864 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3865 BADALPNLEN)))
976e5323
MC		 3866 goto end;
3867 break;
3868
3869 case 2:
3870 /*
3871 * Set invalid protocol version. Technically this affects PSKs without
3872 * early_data too, but we test it here because it is similar to the
3873 * SNI/ALPN consistency tests.
3874 */
3875 err = SSL_R_BAD_PSK;
3876 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3877 goto end;
3878 break;
3879
3880 case 3:
3881 /*
49ef3d07
MC		 3882 * Set inconsistent SNI (server side). In this case the connection
3883 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3884 * is associated with each handshake - not the session. Therefore it
3885 * should not matter that we used a different server name last time.
976e5323 3886 */
281bf233
MC		 3887 SSL_SESSION_free(serverpsk);
3888 serverpsk = SSL_SESSION_dup(clientpsk);
3889 if (!TEST_ptr(serverpsk)
3890 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3891 goto end;
976e5323
MC		 3892 /* Fall through */
3893 case 4:
3894 /* Set consistent SNI */
976e5323
MC		 3895 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3896 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3897 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3898 hostname_cb)))
3899 goto end;
3900 break;
3901
3902 case 5:
3903 /*
3904 * Set inconsistent ALPN (server detected). In this case the connection
3905 * will succeed but reject early_data.
3906 */
3907 servalpn = "badalpn";
3908 edstatus = SSL_EARLY_DATA_REJECTED;
3909 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3910 /* Fall through */
3911 case 6:
976e5323 3912 /*
57dee9bb 3913 * Set consistent ALPN.
976e5323
MC		 3914 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3915 * accepts a list of protos (each one length prefixed).
3916 * SSL_set1_alpn_selected accepts a single protocol (not length
3917 * prefixed)
3918 */
57dee9bb
MC		 3919 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3920 GOODALPNLEN - 1))
3921 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3922 GOODALPNLEN)))
976e5323
MC		 3923 goto end;
3924
3925 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3926 break;
3927
57dee9bb
MC		 3928 case 7:
3929 /* Set inconsistent ALPN (late client detection) */
3930 SSL_SESSION_free(serverpsk);
3931 serverpsk = SSL_SESSION_dup(clientpsk);
3932 if (!TEST_ptr(serverpsk)
3933 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3934 BADALPN + 1,
3935 BADALPNLEN - 1))
3936 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3937 GOODALPN + 1,
3938 GOODALPNLEN - 1))
3939 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3940 sizeof(alpnlist))))
3941 goto end;
3942 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3943 edstatus = SSL_EARLY_DATA_ACCEPTED;
3944 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3945 /* SSL_connect() call should fail */
3946 connectres = -1;
3947 break;
3948
976e5323
MC		 3949 default:
3950 TEST_error("Bad test index");
3951 goto end;
3952 }
3953
3954 SSL_set_connect_state(clientssl);
3955 if (err != 0) {
3956 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3957 &written))
3958 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3959 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3960 goto end;
3961 } else {
3962 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3963 &written)))
3964 goto end;
3965
3966 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3967 &readbytes), readearlyres)
976e5323
MC		 3968 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3969 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3970 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3971 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3972 goto end;
3973 }
3974
3975 testresult = 1;
3976
3977 end:
c20e3b28 3978 SSL_SESSION_free(sess);
57dee9bb
MC		 3979 SSL_SESSION_free(clientpsk);
3980 SSL_SESSION_free(serverpsk);
3981 clientpsk = serverpsk = NULL;
976e5323
MC		 3982 SSL_free(serverssl);
3983 SSL_free(clientssl);
3984 SSL_CTX_free(sctx);
3985 SSL_CTX_free(cctx);
3986 return testresult;
3987}
3988
0b2b0be9 3989/*
3990 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3991 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3992 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3993 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3994 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3995 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3996 */
3997static int test_early_data_psk_with_all_ciphers(int idx)
3998{
3999 SSL_CTX *cctx = NULL, *sctx = NULL;
4000 SSL *clientssl = NULL, *serverssl = NULL;
4001 int testresult = 0;
4002 SSL_SESSION *sess = NULL;
4003 unsigned char buf[20];
4004 size_t readbytes, written;
4005 const SSL_CIPHER *cipher;
4006 const char *cipher_str[] = {
4007 TLS1_3_RFC_AES_128_GCM_SHA256,
4008 TLS1_3_RFC_AES_256_GCM_SHA384,
4009# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4010 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4011# else
4012 NULL,
4013# endif
4014 TLS1_3_RFC_AES_128_CCM_SHA256,
4015 TLS1_3_RFC_AES_128_CCM_8_SHA256
4016 };
4017 const unsigned char *cipher_bytes[] = {
4018 TLS13_AES_128_GCM_SHA256_BYTES,
4019 TLS13_AES_256_GCM_SHA384_BYTES,
4020# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4021 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4022# else
4023 NULL,
4024# endif
4025 TLS13_AES_128_CCM_SHA256_BYTES,
4026 TLS13_AES_128_CCM_8_SHA256_BYTES
4027 };
4028
4029 if (cipher_str[idx] == NULL)
4030 return 1;
4031 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4032 if (idx == 2 && is_fips == 1)
4033 return 1;
4034
4035 /* We always set this up with a final parameter of "2" for PSK */
4036 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4037 &serverssl, &sess, 2)))
4038 goto end;
4039
4040 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4041 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4042 goto end;
4043
4044 /*
4045 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4046 * and assigns to both client and server with incremented reference
4047 * and the same instance is updated in 'sess'.
4048 * So updating ciphersuite in 'sess' which will get reflected in
4049 * PSK handshake using psk use sess and find sess cb.
4050 */
4051 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4052 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4053 goto end;
4054
4055 SSL_set_connect_state(clientssl);
4056 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4057 &written)))
4058 goto end;
4059
4060 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4061 &readbytes),
4062 SSL_READ_EARLY_DATA_SUCCESS)
4063 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4064 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4065 SSL_EARLY_DATA_ACCEPTED)
4066 || !TEST_int_eq(SSL_connect(clientssl), 1)
4067 || !TEST_int_eq(SSL_accept(serverssl), 1))
4068 goto end;
4069
4070 /* Send some normal data from client to server */
4071 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4072 || !TEST_size_t_eq(written, strlen(MSG2)))
4073 goto end;
4074
4075 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4076 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4077 goto end;
4078
4079 testresult = 1;
4080 end:
4081 SSL_SESSION_free(sess);
4082 SSL_SESSION_free(clientpsk);
4083 SSL_SESSION_free(serverpsk);
4084 clientpsk = serverpsk = NULL;
4085 if (clientssl != NULL)
4086 SSL_shutdown(clientssl);
4087 if (serverssl != NULL)
4088 SSL_shutdown(serverssl);
4089 SSL_free(serverssl);
4090 SSL_free(clientssl);
4091 SSL_CTX_free(sctx);
4092 SSL_CTX_free(cctx);
4093 return testresult;
4094}
4095
710756a9
RS		 4096/*
4097 * Test that a server that doesn't try to read early data can handle a
4098 * client sending some.
4099 */
3cb47b4e 4100static int test_early_data_not_expected(int idx)
5f982038
MC		 4101{
4102 SSL_CTX *cctx = NULL, *sctx = NULL;
4103 SSL *clientssl = NULL, *serverssl = NULL;
4104 int testresult = 0;
018fcbec 4105 SSL_SESSION *sess = NULL;
5f982038
MC		 4106 unsigned char buf[20];
4107 size_t readbytes, written;
4108
710756a9
RS		 4109 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4110 &serverssl, &sess, idx)))
5f982038
MC		 4111 goto end;
4112
4113 /* Write some early data */
710756a9
RS		 4114 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4115 &written)))
5f982038 4116 goto end;
5f982038
MC		 4117
4118 /*
4119 * Server should skip over early data and then block waiting for client to
4120 * continue handshake
4121 */
710756a9
RS		 4122 if (!TEST_int_le(SSL_accept(serverssl), 0)
4123 || !TEST_int_gt(SSL_connect(clientssl), 0)
4124 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4125 SSL_EARLY_DATA_REJECTED)
4126 || !TEST_int_gt(SSL_accept(serverssl), 0)
4127 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4128 SSL_EARLY_DATA_REJECTED))
5f982038 4129 goto end;
5f982038
MC		 4130
4131 /* Send some normal data from client to server */
710756a9
RS		 4132 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4133 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4134 goto end;
5f982038 4135
710756a9
RS		 4136 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4137 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4138 goto end;
5f982038
MC		 4139
4140 testresult = 1;
4141
4142 end:
5f982038 4143 SSL_SESSION_free(sess);
c20e3b28 4144 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4145 SSL_SESSION_free(serverpsk);
4146 clientpsk = serverpsk = NULL;
5f982038
MC		 4147 SSL_free(serverssl);
4148 SSL_free(clientssl);
4149 SSL_CTX_free(sctx);
4150 SSL_CTX_free(cctx);
5f982038
MC		 4151 return testresult;
4152}
4153
4154
4155# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4156/*
4157 * Test that a server attempting to read early data can handle a connection
4158 * from a TLSv1.2 client.
4159 */
3cb47b4e 4160static int test_early_data_tls1_2(int idx)
5f982038
MC		 4161{
4162 SSL_CTX *cctx = NULL, *sctx = NULL;
4163 SSL *clientssl = NULL, *serverssl = NULL;
4164 int testresult = 0;
4165 unsigned char buf[20];
4166 size_t readbytes, written;
4167
02a3ed5a
MC		 4168 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4169 &serverssl, NULL, idx)))
5f982038 4170 goto end;
5f982038
MC		 4171
4172 /* Write some data - should block due to handshake with server */
4173 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4174 SSL_set_connect_state(clientssl);
710756a9 4175 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4176 goto end;
5f982038
MC		 4177
4178 /*
4179 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4180 * messages from client after ServerDone. Then SSL_read_early_data should
4181 * finish and detect that early data has not been sent
5f982038 4182 */
710756a9
RS		 4183 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4184 &readbytes),
4185 SSL_READ_EARLY_DATA_ERROR))
5f982038 4186 goto end;
5f982038
MC		 4187
4188 /*
4189 * Continue writing the message we started earlier. Will still block waiting
4190 * for the CCS/Finished from server
4191 */
710756a9
RS		 4192 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4193 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4194 &readbytes),
4195 SSL_READ_EARLY_DATA_FINISH)
4196 || !TEST_size_t_eq(readbytes, 0)
4197 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4198 SSL_EARLY_DATA_NOT_SENT))
5f982038 4199 goto end;
5f982038
MC		 4200
4201 /* Continue writing the message we started earlier */
710756a9
RS		 4202 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4203 || !TEST_size_t_eq(written, strlen(MSG1))
4204 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4205 SSL_EARLY_DATA_NOT_SENT)
4206 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4207 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4208 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4209 || !TEST_size_t_eq(written, strlen(MSG2))
4210 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4211 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4212 goto end;
5f982038
MC		 4213
4214 testresult = 1;
4215
4216 end:
57dee9bb
MC		 4217 SSL_SESSION_free(clientpsk);
4218 SSL_SESSION_free(serverpsk);
4219 clientpsk = serverpsk = NULL;
5f982038
MC		 4220 SSL_free(serverssl);
4221 SSL_free(clientssl);
4222 SSL_CTX_free(sctx);
4223 SSL_CTX_free(cctx);
4224
4225 return testresult;
4226}
ca0413ae
MC		 4227# endif /* OPENSSL_NO_TLS1_2 */
4228
034cb87b
MC		 4229/*
4230 * Test configuring the TLSv1.3 ciphersuites
4231 *
4232 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4233 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4234 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4235 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4236 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4237 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4238 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4239 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4240 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4241 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4242 */
4243static int test_set_ciphersuite(int idx)
4244{
4245 SSL_CTX *cctx = NULL, *sctx = NULL;
4246 SSL *clientssl = NULL, *serverssl = NULL;
4247 int testresult = 0;
4248
5e30f2fd
MC		 4249 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4250 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4251 &sctx, &cctx, cert, privkey))
4252 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4253 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4254 goto end;
4255
4256 if (idx >=4 && idx <= 7) {
4257 /* SSL_CTX explicit cipher list */
4258 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4259 goto end;
4260 }
4261
4262 if (idx == 0 || idx == 4) {
4263 /* Default ciphersuite */
4264 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4265 "TLS_AES_128_GCM_SHA256")))
4266 goto end;
4267 } else if (idx == 1 || idx == 5) {
4268 /* Non default ciphersuite */
4269 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4270 "TLS_AES_128_CCM_SHA256")))
4271 goto end;
4272 }
4273
4274 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4275 &clientssl, NULL, NULL)))
4276 goto end;
4277
4278 if (idx == 8 || idx == 9) {
4279 /* SSL explicit cipher list */
4280 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4281 goto end;
4282 }
4283
4284 if (idx == 2 || idx == 6 || idx == 8) {
4285 /* Default ciphersuite */
4286 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4287 "TLS_AES_128_GCM_SHA256")))
4288 goto end;
4289 } else if (idx == 3 || idx == 7 || idx == 9) {
4290 /* Non default ciphersuite */
4291 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4292 "TLS_AES_128_CCM_SHA256")))
4293 goto end;
4294 }
4295
4296 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4297 goto end;
4298
4299 testresult = 1;
4300
4301 end:
4302 SSL_free(serverssl);
4303 SSL_free(clientssl);
4304 SSL_CTX_free(sctx);
4305 SSL_CTX_free(cctx);
4306
4307 return testresult;
4308}
4309
ca0413ae
MC		 4310static int test_ciphersuite_change(void)
4311{
4312 SSL_CTX *cctx = NULL, *sctx = NULL;
4313 SSL *clientssl = NULL, *serverssl = NULL;
4314 SSL_SESSION *clntsess = NULL;
4315 int testresult = 0;
4316 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4317
4318 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4319 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4320 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4321 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4322 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4323 "TLS_AES_128_GCM_SHA256:"
4324 "TLS_AES_256_GCM_SHA384:"
4325 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4326 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4327 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4328 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4329 &clientssl, NULL, NULL))
4330 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4331 SSL_ERROR_NONE)))
4332 goto end;
4333
4334 clntsess = SSL_get1_session(clientssl);
4335 /* Save for later */
4336 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4337 SSL_shutdown(clientssl);
4338 SSL_shutdown(serverssl);
4339 SSL_free(serverssl);
4340 SSL_free(clientssl);
4341 serverssl = clientssl = NULL;
4342
4343 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4344 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4345 "TLS_AES_128_CCM_SHA256"))
4346 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4347 &clientssl, NULL, NULL))
ca0413ae
MC		 4348 || !TEST_true(SSL_set_session(clientssl, clntsess))
4349 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4350 SSL_ERROR_NONE))
4351 || !TEST_true(SSL_session_reused(clientssl)))
4352 goto end;
4353
4354 SSL_SESSION_free(clntsess);
4355 clntsess = SSL_get1_session(clientssl);
4356 SSL_shutdown(clientssl);
4357 SSL_shutdown(serverssl);
4358 SSL_free(serverssl);
4359 SSL_free(clientssl);
4360 serverssl = clientssl = NULL;
4361
4362 /*
4363 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4364 * succeeds but does not resume.
ca0413ae 4365 */
f865b081 4366 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4367 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4368 NULL, NULL))
4369 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4371 SSL_ERROR_SSL))
0de6d66d 4372 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4373 goto end;
4374
4375 SSL_SESSION_free(clntsess);
4376 clntsess = NULL;
4377 SSL_shutdown(clientssl);
4378 SSL_shutdown(serverssl);
4379 SSL_free(serverssl);
4380 SSL_free(clientssl);
4381 serverssl = clientssl = NULL;
4382
4383 /* Create a session based on SHA384 */
f865b081 4384 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4385 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4386 &clientssl, NULL, NULL))
4387 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4388 SSL_ERROR_NONE)))
4389 goto end;
4390
4391 clntsess = SSL_get1_session(clientssl);
4392 SSL_shutdown(clientssl);
4393 SSL_shutdown(serverssl);
4394 SSL_free(serverssl);
4395 SSL_free(clientssl);
4396 serverssl = clientssl = NULL;
4397
f865b081
MC		 4398 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4399 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4400 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4401 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4402 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4403 NULL, NULL))
4404 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4405 /*
4406 * We use SSL_ERROR_WANT_READ below so that we can pause the
4407 * connection after the initial ClientHello has been sent to
4408 * enable us to make some session changes.
4409 */
ca0413ae
MC		 4410 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4411 SSL_ERROR_WANT_READ)))
4412 goto end;
4413
4414 /* Trick the client into thinking this session is for a different digest */
4415 clntsess->cipher = aes_128_gcm_sha256;
4416 clntsess->cipher_id = clntsess->cipher->id;
4417
4418 /*
3b0e88d3
MC		 4419 * Continue the previously started connection. Server has selected a SHA-384
4420 * ciphersuite, but client thinks the session is for SHA-256, so it should
4421 * bail out.
ca0413ae
MC		 4422 */
4423 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4424 SSL_ERROR_SSL))
4425 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4426 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4427 goto end;
4428
4429 testresult = 1;
4430
4431 end:
4432 SSL_SESSION_free(clntsess);
4433 SSL_free(serverssl);
4434 SSL_free(clientssl);
4435 SSL_CTX_free(sctx);
4436 SSL_CTX_free(cctx);
4437
4438 return testresult;
4439}
4440
8e63900a 4441/*
5bf2eade 4442 * Test TLSv1.3 Key exchange
4443 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4444 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4445 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4446 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4447 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4448 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4449 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4450 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4451 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4452 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4453 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4454 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4455 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4456 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4457 */
db26ec80 4458static int test_key_exchange(int idx)
8e63900a 4459{
4460 SSL_CTX *sctx = NULL, *cctx = NULL;
4461 SSL *serverssl = NULL, *clientssl = NULL;
4462 int testresult = 0;
5bf2eade 4463# ifndef OPENSSL_NO_EC
4464 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4465 NID_secp521r1, NID_X25519, NID_X448};
4466# endif
4467# ifndef OPENSSL_NO_DH
8e63900a 4468 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4469 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4470# endif
fb8c6db4 4471 int kexch_alg;
4472 int *kexch_groups = &kexch_alg;
4473 int kexch_groups_size = 1;
8e63900a 4474 int max_version = TLS1_3_VERSION;
becbacd7 4475 char *kexch_name0 = NULL;
8e63900a 4476
4477 switch (idx) {
5bf2eade 4478# ifndef OPENSSL_NO_EC
db26ec80 4479# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4480 case 12:
fb8c6db4 4481 max_version = TLS1_2_VERSION;
db26ec80 4482# endif
fb8c6db4 4483 /* Fall through */
4484 case 0:
4485 kexch_groups = ecdhe_kexch_groups;
4486 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4487 kexch_name0 = "secp256r1";
fb8c6db4 4488 break;
5bf2eade 4489 case 1:
fb8c6db4 4490 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4491 kexch_name0 = "secp256r1";
fb8c6db4 4492 break;
5bf2eade 4493 case 2:
fb8c6db4 4494 kexch_alg = NID_secp384r1;
becbacd7 4495 kexch_name0 = "secp384r1";
fb8c6db4 4496 break;
5bf2eade 4497 case 3:
fb8c6db4 4498 kexch_alg = NID_secp521r1;
becbacd7 4499 kexch_name0 = "secp521r1";
fb8c6db4 4500 break;
5bf2eade 4501 case 4:
fb8c6db4 4502 kexch_alg = NID_X25519;
becbacd7 4503 kexch_name0 = "x25519";
fb8c6db4 4504 break;
5bf2eade 4505 case 5:
fb8c6db4 4506 kexch_alg = NID_X448;
becbacd7 4507 kexch_name0 = "x448";
fb8c6db4 4508 break;
5bf2eade 4509# endif
4510# ifndef OPENSSL_NO_DH
db26ec80 4511# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4512 case 13:
dbc6268f 4513 max_version = TLS1_2_VERSION;
becbacd7 4514 kexch_name0 = "ffdhe2048";
db26ec80 4515# endif
dbc6268f 4516 /* Fall through */
5bf2eade 4517 case 6:
8e63900a 4518 kexch_groups = ffdhe_kexch_groups;
4519 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4520 kexch_name0 = "ffdhe2048";
8e63900a 4521 break;
5bf2eade 4522 case 7:
fb8c6db4 4523 kexch_alg = NID_ffdhe2048;
becbacd7 4524 kexch_name0 = "ffdhe2048";
fb8c6db4 4525 break;
5bf2eade 4526 case 8:
fb8c6db4 4527 kexch_alg = NID_ffdhe3072;
becbacd7 4528 kexch_name0 = "ffdhe3072";
fb8c6db4 4529 break;
5bf2eade 4530 case 9:
fb8c6db4 4531 kexch_alg = NID_ffdhe4096;
becbacd7 4532 kexch_name0 = "ffdhe4096";
fb8c6db4 4533 break;
5bf2eade 4534 case 10:
fb8c6db4 4535 kexch_alg = NID_ffdhe6144;
becbacd7 4536 kexch_name0 = "ffdhe6144";
fb8c6db4 4537 break;
5bf2eade 4538 case 11:
fb8c6db4 4539 kexch_alg = NID_ffdhe8192;
becbacd7 4540 kexch_name0 = "ffdhe8192";
8e63900a 4541 break;
5bf2eade 4542# endif
6597d62b
MC		 4543 default:
4544 /* We're skipping this test */
4545 return 1;
8e63900a 4546 }
4547
5e30f2fd
MC		 4548 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4549 TLS_client_method(), TLS1_VERSION,
4550 max_version, &sctx, &cctx, cert,
4551 privkey)))
8e63900a 4552 goto end;
4553
5bf2eade 4554 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4555 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4556 goto end;
4557
5bf2eade 4558 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4559 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4560 goto end;
4561
5bf2eade 4562 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4563 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4564 goto end;
4565
dbc6268f
MC		 4566 /*
4567 * Must include an EC ciphersuite so that we send supported groups in
4568 * TLSv1.2
4569 */
5bf2eade 4570# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4571 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4572 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4573 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4574 goto end;
5bf2eade 4575# endif
8e63900a 4576
4577 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4578 NULL, NULL)))
4579 goto end;
4580
4581 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4582 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4583 goto end;
4584
5bf2eade 4585 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4586 goto end;
8e63900a 4587
dbc6268f 4588 /*
5bf2eade 4589 * If Handshake succeeds the negotiated kexch alg should be the first one in
4590 * configured, except in the case of FFDHE groups (idx 13), which are
4591 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4592 */
4593 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4594 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4595 goto end;
becbacd7
MB		 4596
4597 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4598 kexch_name0))
4599 goto end;
4600
fb8c6db4 4601 if (max_version == TLS1_3_VERSION) {
4602 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4603 goto end;
4604 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4605 goto end;
4606 }
8e63900a 4607
4608 testresult = 1;
4609 end:
4610 SSL_free(serverssl);
4611 SSL_free(clientssl);
4612 SSL_CTX_free(sctx);
4613 SSL_CTX_free(cctx);
4614 return testresult;
4615}
4616
5bf2eade 4617/*
4618 * Test TLSv1.3 Cipher Suite
4619 * Test 0 = Set TLS1.3 cipher on context
4620 * Test 1 = Set TLS1.3 cipher on SSL
4621 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4622 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4623 */
4624static int test_tls13_ciphersuite(int idx)
4625{
4626 SSL_CTX *sctx = NULL, *cctx = NULL;
4627 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4628 static const struct {
4629 const char *ciphername;
4630 int fipscapable;
4631 } t13_ciphers[] = {
4632 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4633 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4634 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4635# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4636 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4637 { TLS1_3_RFC_AES_256_GCM_SHA384
4638 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4639# endif
4f6c7044 4640 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4641 };
4642 const char *t13_cipher = NULL;
4643 const char *t12_cipher = NULL;
4644 const char *negotiated_scipher;
4645 const char *negotiated_ccipher;
4646 int set_at_ctx = 0;
4647 int set_at_ssl = 0;
4648 int testresult = 0;
4649 int max_ver;
4650 size_t i;
4651
4652 switch (idx) {
4653 case 0:
4654 set_at_ctx = 1;
4655 break;
4656 case 1:
4657 set_at_ssl = 1;
4658 break;
4659 case 2:
4660 set_at_ctx = 1;
2d900758 4661 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4662 break;
4663 case 3:
4664 set_at_ssl = 1;
2d900758 4665 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4666 break;
4667 }
4668
4669 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4670# ifdef OPENSSL_NO_TLS1_2
4671 if (max_ver == TLS1_2_VERSION)
4672 continue;
4673# endif
4674 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4675 if (is_fips && !t13_ciphers[i].fipscapable)
4676 continue;
4677 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4678 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4679 TLS_client_method(),
4680 TLS1_VERSION, max_ver,
4681 &sctx, &cctx, cert, privkey)))
4682 goto end;
4683
4684 if (set_at_ctx) {
4685 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4686 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4687 goto end;
4688 if (t12_cipher != NULL) {
4689 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4690 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4691 t12_cipher)))
4692 goto end;
4693 }
4694 }
4695
4696 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4697 &clientssl, NULL, NULL)))
4698 goto end;
4699
4700 if (set_at_ssl) {
4701 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4702 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4703 goto end;
4704 if (t12_cipher != NULL) {
4705 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4706 || !TEST_true(SSL_set_cipher_list(clientssl,
4707 t12_cipher)))
4708 goto end;
4709 }
4710 }
4711
4712 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4713 SSL_ERROR_NONE)))
4714 goto end;
4715
4716 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4717 serverssl));
4718 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4719 clientssl));
4720 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4721 goto end;
4722
4723 /*
4724 * TEST_strn_eq is used below because t13_cipher can contain
4725 * multiple ciphersuites
4726 */
4727 if (max_ver == TLS1_3_VERSION
4728 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4729 strlen(negotiated_scipher)))
4730 goto end;
4731
4732# ifndef OPENSSL_NO_TLS1_2
4733 /* Below validation is not done when t12_cipher is NULL */
4734 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4735 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4736 goto end;
4737# endif
4738
4739 SSL_free(serverssl);
4740 serverssl = NULL;
4741 SSL_free(clientssl);
4742 clientssl = NULL;
4743 SSL_CTX_free(sctx);
4744 sctx = NULL;
4745 SSL_CTX_free(cctx);
4746 cctx = NULL;
4747 }
4748 }
4749
4750 testresult = 1;
4751 end:
4752 SSL_free(serverssl);
4753 SSL_free(clientssl);
4754 SSL_CTX_free(sctx);
4755 SSL_CTX_free(cctx);
4756 return testresult;
4757}
4758
0d8da779
MC		 4759/*
4760 * Test TLSv1.3 PSKs
4761 * Test 0 = Test new style callbacks
4762 * Test 1 = Test both new and old style callbacks
4763 * Test 2 = Test old style callbacks
4764 * Test 3 = Test old style callbacks with no certificate
4765 */
532f9578 4766static int test_tls13_psk(int idx)
ca8c71ba
MC		 4767{
4768 SSL_CTX *sctx = NULL, *cctx = NULL;
4769 SSL *serverssl = NULL, *clientssl = NULL;
4770 const SSL_CIPHER *cipher = NULL;
4771 const unsigned char key[] = {
4772 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4773 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4774 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4775 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4776 };
4777 int testresult = 0;
4778
5e30f2fd
MC		 4779 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4780 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4781 &sctx, &cctx, idx == 3 ? NULL : cert,
4782 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4783 goto end;
4784
0d8da779
MC		 4785 if (idx != 3) {
4786 /*
4787 * We use a ciphersuite with SHA256 to ease testing old style PSK
4788 * callbacks which will always default to SHA256. This should not be
4789 * necessary if we have no cert/priv key. In that case the server should
4790 * prefer SHA256 automatically.
4791 */
4792 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4793 "TLS_AES_128_GCM_SHA256")))
4794 goto end;
4f6c7044
MC		 4795 } else {
4796 /*
4797 * As noted above the server should prefer SHA256 automatically. However
4798 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4799 * code works even if we are testing with only the FIPS provider loaded.
4800 */
4801 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4802 "TLS_AES_256_GCM_SHA384:"
4803 "TLS_AES_128_GCM_SHA256")))
4804 goto end;
0d8da779 4805 }
532f9578
MC		 4806
4807 /*
4808 * Test 0: New style callbacks only
4809 * Test 1: New and old style callbacks (only the new ones should be used)
4810 * Test 2: Old style callbacks only
4811 */
4812 if (idx == 0 || idx == 1) {
4813 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4814 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4815 }
c2b290c3 4816#ifndef OPENSSL_NO_PSK
0d8da779 4817 if (idx >= 1) {
532f9578
MC		 4818 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4819 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4820 }
c2b290c3 4821#endif
ca8c71ba 4822 srvid = pskid;
02a3ed5a
MC		 4823 use_session_cb_cnt = 0;
4824 find_session_cb_cnt = 0;
532f9578
MC		 4825 psk_client_cb_cnt = 0;
4826 psk_server_cb_cnt = 0;
ca8c71ba 4827
0d8da779
MC		 4828 if (idx != 3) {
4829 /*
4830 * Check we can create a connection if callback decides not to send a
4831 * PSK
4832 */
4833 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4834 NULL, NULL))
4835 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4836 SSL_ERROR_NONE))
4837 || !TEST_false(SSL_session_reused(clientssl))
4838 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4839 goto end;
532f9578 4840
0d8da779
MC		 4841 if (idx == 0 || idx == 1) {
4842 if (!TEST_true(use_session_cb_cnt == 1)
4843 || !TEST_true(find_session_cb_cnt == 0)
4844 /*
4845 * If no old style callback then below should be 0
4846 * otherwise 1
4847 */
4848 || !TEST_true(psk_client_cb_cnt == idx)
4849 || !TEST_true(psk_server_cb_cnt == 0))
4850 goto end;
4851 } else {
4852 if (!TEST_true(use_session_cb_cnt == 0)
4853 || !TEST_true(find_session_cb_cnt == 0)
4854 || !TEST_true(psk_client_cb_cnt == 1)
4855 || !TEST_true(psk_server_cb_cnt == 0))
4856 goto end;
4857 }
4858
4859 shutdown_ssl_connection(serverssl, clientssl);
4860 serverssl = clientssl = NULL;
4861 use_session_cb_cnt = psk_client_cb_cnt = 0;
4862 }
ca8c71ba
MC		 4863
4864 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4865 NULL, NULL)))
4866 goto end;
4867
4868 /* Create the PSK */
532f9578 4869 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4870 clientpsk = SSL_SESSION_new();
4871 if (!TEST_ptr(clientpsk)
ca8c71ba 4872 || !TEST_ptr(cipher)
57dee9bb
MC		 4873 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4874 sizeof(key)))
4875 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4876 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4877 TLS1_3_VERSION))
4878 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4879 goto end;
57dee9bb 4880 serverpsk = clientpsk;
ca8c71ba
MC		 4881
4882 /* Check we can create a connection and the PSK is used */
4883 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4884 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4885 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4886 goto end;
4887
532f9578
MC		 4888 if (idx == 0 || idx == 1) {
4889 if (!TEST_true(use_session_cb_cnt == 1)
4890 || !TEST_true(find_session_cb_cnt == 1)
4891 || !TEST_true(psk_client_cb_cnt == 0)
4892 || !TEST_true(psk_server_cb_cnt == 0))
4893 goto end;
4894 } else {
4895 if (!TEST_true(use_session_cb_cnt == 0)
4896 || !TEST_true(find_session_cb_cnt == 0)
4897 || !TEST_true(psk_client_cb_cnt == 1)
4898 || !TEST_true(psk_server_cb_cnt == 1))
4899 goto end;
4900 }
4901
ca8c71ba
MC		 4902 shutdown_ssl_connection(serverssl, clientssl);
4903 serverssl = clientssl = NULL;
4904 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4905 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4906
4907 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4908 NULL, NULL)))
4909 goto end;
4910
4911 /* Force an HRR */
dbc6268f
MC		 4912#if defined(OPENSSL_NO_EC)
4913 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4914 goto end;
4915#else
ca8c71ba
MC		 4916 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4917 goto end;
dbc6268f 4918#endif
ca8c71ba
MC		 4919
4920 /*
4921 * Check we can create a connection, the PSK is used and the callbacks are
4922 * called twice.
4923 */
4924 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4925 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4926 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4927 goto end;
4928
532f9578
MC		 4929 if (idx == 0 || idx == 1) {
4930 if (!TEST_true(use_session_cb_cnt == 2)
4931 || !TEST_true(find_session_cb_cnt == 2)
4932 || !TEST_true(psk_client_cb_cnt == 0)
4933 || !TEST_true(psk_server_cb_cnt == 0))
4934 goto end;
4935 } else {
4936 if (!TEST_true(use_session_cb_cnt == 0)
4937 || !TEST_true(find_session_cb_cnt == 0)
4938 || !TEST_true(psk_client_cb_cnt == 2)
4939 || !TEST_true(psk_server_cb_cnt == 2))
4940 goto end;
4941 }
4942
ca8c71ba
MC		 4943 shutdown_ssl_connection(serverssl, clientssl);
4944 serverssl = clientssl = NULL;
4945 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4946 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4947
0d8da779
MC		 4948 if (idx != 3) {
4949 /*
4950 * Check that if the server rejects the PSK we can still connect, but with
4951 * a full handshake
4952 */
4953 srvid = "Dummy Identity";
4954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4955 NULL, NULL))
4956 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4957 SSL_ERROR_NONE))
4958 || !TEST_false(SSL_session_reused(clientssl))
4959 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4960 goto end;
532f9578 4961
0d8da779
MC		 4962 if (idx == 0 || idx == 1) {
4963 if (!TEST_true(use_session_cb_cnt == 1)
4964 || !TEST_true(find_session_cb_cnt == 1)
4965 || !TEST_true(psk_client_cb_cnt == 0)
4966 /*
4967 * If no old style callback then below should be 0
4968 * otherwise 1
4969 */
4970 || !TEST_true(psk_server_cb_cnt == idx))
4971 goto end;
4972 } else {
4973 if (!TEST_true(use_session_cb_cnt == 0)
4974 || !TEST_true(find_session_cb_cnt == 0)
4975 || !TEST_true(psk_client_cb_cnt == 1)
4976 || !TEST_true(psk_server_cb_cnt == 1))
4977 goto end;
4978 }
4979
4980 shutdown_ssl_connection(serverssl, clientssl);
4981 serverssl = clientssl = NULL;
4982 }
ca8c71ba
MC		 4983 testresult = 1;
4984
4985 end:
57dee9bb
MC		 4986 SSL_SESSION_free(clientpsk);
4987 SSL_SESSION_free(serverpsk);
4988 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4989 SSL_free(serverssl);
4990 SSL_free(clientssl);
4991 SSL_CTX_free(sctx);
4992 SSL_CTX_free(cctx);
4993 return testresult;
4994}
4995
c7b8ff25
MC		 4996static unsigned char cookie_magic_value[] = "cookie magic";
4997
4998static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4999 unsigned int *cookie_len)
5000{
5001 /*
5002 * Not suitable as a real cookie generation function but good enough for
5003 * testing!
5004 */
97ea1e7f
MC		 5005 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5006 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5007
5008 return 1;
5009}
5010
5011static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5012 unsigned int cookie_len)
5013{
97ea1e7f 5014 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5015 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5016 return 1;
5017
5018 return 0;
5019}
5020
3fa2812f
BS		 5021static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5022 size_t *cookie_len)
5023{
5024 unsigned int temp;
5025 int res = generate_cookie_callback(ssl, cookie, &temp);
5026 *cookie_len = temp;
5027 return res;
5028}
5029
5030static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5031 size_t cookie_len)
5032{
5033 return verify_cookie_callback(ssl, cookie, cookie_len);
5034}
5035
c7b8ff25
MC		 5036static int test_stateless(void)
5037{
5038 SSL_CTX *sctx = NULL, *cctx = NULL;
5039 SSL *serverssl = NULL, *clientssl = NULL;
5040 int testresult = 0;
5041
5e30f2fd
MC		 5042 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5043 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5044 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5045 goto end;
5046
e440f513
MC		 5047 /* The arrival of CCS messages can confuse the test */
5048 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5049
5050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5051 NULL, NULL))
5052 /* Send the first ClientHello */
5053 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5054 SSL_ERROR_WANT_READ))
5055 /*
5056 * This should fail with a -1 return because we have no callbacks
5057 * set up
5058 */
5059 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5060 goto end;
5061
5062 /* Fatal error so abandon the connection from this client */
5063 SSL_free(clientssl);
5064 clientssl = NULL;
5065
c7b8ff25 5066 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5067 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5068 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5069
e440f513
MC		 5070 /*
5071 * Create a new connection from the client (we can reuse the server SSL
5072 * object).
5073 */
c7b8ff25
MC		 5074 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5075 NULL, NULL))
5076 /* Send the first ClientHello */
5077 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5078 SSL_ERROR_WANT_READ))
5079 /* This should fail because there is no cookie */
e440f513 5080 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5081 goto end;
5082
5083 /* Abandon the connection from this client */
5084 SSL_free(clientssl);
5085 clientssl = NULL;
5086
5087 /*
5088 * Now create a connection from a new client but with the same server SSL
5089 * object
5090 */
5091 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5092 NULL, NULL))
5093 /* Send the first ClientHello */
5094 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5095 SSL_ERROR_WANT_READ))
5096 /* This should fail because there is no cookie */
e440f513 5097 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5098 /* Send the second ClientHello */
5099 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5100 SSL_ERROR_WANT_READ))
5101 /* This should succeed because a cookie is now present */
e440f513 5102 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5103 /* Complete the connection */
5104 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5105 SSL_ERROR_NONE)))
5106 goto end;
5107
5108 shutdown_ssl_connection(serverssl, clientssl);
5109 serverssl = clientssl = NULL;
5110 testresult = 1;
5111
5112 end:
5113 SSL_free(serverssl);
5114 SSL_free(clientssl);
5115 SSL_CTX_free(sctx);
5116 SSL_CTX_free(cctx);
5117 return testresult;
5118
5119}
a763ca11 5120#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5121
a37008d9
MC		 5122static int clntaddoldcb = 0;
5123static int clntparseoldcb = 0;
5124static int srvaddoldcb = 0;
5125static int srvparseoldcb = 0;
5126static int clntaddnewcb = 0;
5127static int clntparsenewcb = 0;
5128static int srvaddnewcb = 0;
5129static int srvparsenewcb = 0;
bb01ef3f 5130static int snicb = 0;
a37008d9
MC		 5131
5132#define TEST_EXT_TYPE1 0xff00
5133
5134static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5135 size_t *outlen, int *al, void *add_arg)
5136{
5137 int *server = (int *)add_arg;
5138 unsigned char *data;
5139
5140 if (SSL_is_server(s))
5141 srvaddoldcb++;
5142 else
5143 clntaddoldcb++;
5144
710756a9
RS		 5145 if (*server != SSL_is_server(s)
5146 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5147 return -1;
5148
5149 *data = 1;
5150 *out = data;
5151 *outlen = sizeof(char);
a37008d9
MC		 5152 return 1;
5153}
5154
5155static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5156 void *add_arg)
5157{
5158 OPENSSL_free((unsigned char *)out);
5159}
5160
5161static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5162 size_t inlen, int *al, void *parse_arg)
5163{
5164 int *server = (int *)parse_arg;
5165
5166 if (SSL_is_server(s))
5167 srvparseoldcb++;
5168 else
5169 clntparseoldcb++;
5170
710756a9
RS		 5171 if (*server != SSL_is_server(s)
5172 || inlen != sizeof(char)
5173 || *in != 1)
a37008d9
MC		 5174 return -1;
5175
5176 return 1;
5177}
5178
5179static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5180 const unsigned char **out, size_t *outlen, X509 *x,
5181 size_t chainidx, int *al, void *add_arg)
5182{
5183 int *server = (int *)add_arg;
5184 unsigned char *data;
5185
5186 if (SSL_is_server(s))
5187 srvaddnewcb++;
5188 else
5189 clntaddnewcb++;
5190
710756a9
RS		 5191 if (*server != SSL_is_server(s)
5192 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5193 return -1;
5194
5195 *data = 1;
5196 *out = data;
710756a9 5197 *outlen = sizeof(*data);
a37008d9
MC		 5198 return 1;
5199}
5200
5201static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5202 const unsigned char *out, void *add_arg)
5203{
5204 OPENSSL_free((unsigned char *)out);
5205}
5206
5207static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5208 const unsigned char *in, size_t inlen, X509 *x,
5209 size_t chainidx, int *al, void *parse_arg)
5210{
5211 int *server = (int *)parse_arg;
5212
5213 if (SSL_is_server(s))
5214 srvparsenewcb++;
5215 else
5216 clntparsenewcb++;
5217
710756a9
RS		 5218 if (*server != SSL_is_server(s)
5219 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5220 return -1;
5221
5222 return 1;
5223}
bb01ef3f
MC		 5224
5225static int sni_cb(SSL *s, int *al, void *arg)
5226{
5227 SSL_CTX *ctx = (SSL_CTX *)arg;
5228
5229 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5230 *al = SSL_AD_INTERNAL_ERROR;
5231 return SSL_TLSEXT_ERR_ALERT_FATAL;
5232 }
5233 snicb++;
5234 return SSL_TLSEXT_ERR_OK;
5235}
5236
a37008d9
MC		 5237/*
5238 * Custom call back tests.
5239 * Test 0: Old style callbacks in TLSv1.2
5240 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5241 * Test 2: New style callbacks in TLSv1.2 with SNI
5242 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5243 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5244 */
710756a9
RS		 5245static int test_custom_exts(int tst)
5246{
bb01ef3f 5247 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5248 SSL *clientssl = NULL, *serverssl = NULL;
5249 int testresult = 0;
5250 static int server = 1;
5251 static int client = 0;
5252 SSL_SESSION *sess = NULL;
5253 unsigned int context;
5254
a763ca11 5255#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5256 /* Skip tests for TLSv1.2 and below in this case */
5257 if (tst < 3)
5258 return 1;
5259#endif
5260
a37008d9
MC		 5261 /* Reset callback counters */
5262 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5263 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5264 snicb = 0;
a37008d9 5265
5e30f2fd
MC		 5266 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5267 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5268 &sctx, &cctx, cert, privkey)))
710756a9 5269 goto end;
a37008d9 5270
bb01ef3f 5271 if (tst == 2
5e30f2fd 5272 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5273 TLS1_VERSION, 0,
7d7f6834 5274 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5275 goto end;
5276
5277
5278 if (tst < 3) {
a37008d9
MC		 5279 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5280 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5281 if (sctx2 != NULL)
5282 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5283 }
5284
bb01ef3f 5285 if (tst == 4) {
710756a9
RS		 5286 context = SSL_EXT_CLIENT_HELLO
5287 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5288 | SSL_EXT_TLS1_3_SERVER_HELLO
5289 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5290 | SSL_EXT_TLS1_3_CERTIFICATE
5291 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5292 } else {
710756a9
RS		 5293 context = SSL_EXT_CLIENT_HELLO
5294 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5295 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5296 }
5297
5298 /* Create a client side custom extension */
5299 if (tst == 0) {
710756a9
RS		 5300 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5301 old_add_cb, old_free_cb,
5302 &client, old_parse_cb,
5303 &client)))
5304 goto end;
a37008d9 5305 } else {
710756a9
RS		 5306 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5307 new_add_cb, new_free_cb,
5308 &client, new_parse_cb, &client)))
5309 goto end;
a37008d9
MC		 5310 }
5311
5312 /* Should not be able to add duplicates */
710756a9
RS		 5313 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5314 old_add_cb, old_free_cb,
5315 &client, old_parse_cb,
5316 &client))
5317 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5318 context, new_add_cb,
5319 new_free_cb, &client,
5320 new_parse_cb, &client)))
5321 goto end;
a37008d9
MC		 5322
5323 /* Create a server side custom extension */
5324 if (tst == 0) {
710756a9
RS		 5325 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5326 old_add_cb, old_free_cb,
5327 &server, old_parse_cb,
5328 &server)))
5329 goto end;
a37008d9 5330 } else {
710756a9
RS		 5331 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5332 new_add_cb, new_free_cb,
5333 &server, new_parse_cb, &server)))
5334 goto end;
bb01ef3f
MC		 5335 if (sctx2 != NULL
5336 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5337 context, new_add_cb,
5338 new_free_cb, &server,
5339 new_parse_cb, &server)))
5340 goto end;
a37008d9
MC		 5341 }
5342
5343 /* Should not be able to add duplicates */
710756a9
RS		 5344 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5345 old_add_cb, old_free_cb,
5346 &server, old_parse_cb,
5347 &server))
5348 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5349 context, new_add_cb,
5350 new_free_cb, &server,
5351 new_parse_cb, &server)))
a37008d9 5352 goto end;
a37008d9 5353
bb01ef3f
MC		 5354 if (tst == 2) {
5355 /* Set up SNI */
5356 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5357 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5358 goto end;
5359 }
5360
710756a9
RS		 5361 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5362 &clientssl, NULL, NULL))
5363 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5364 SSL_ERROR_NONE)))
a37008d9 5365 goto end;
a37008d9
MC		 5366
5367 if (tst == 0) {
710756a9
RS		 5368 if (clntaddoldcb != 1
5369 || clntparseoldcb != 1
5370 || srvaddoldcb != 1
5371 || srvparseoldcb != 1)
a37008d9 5372 goto end;
bb01ef3f 5373 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5374 if (clntaddnewcb != 1
5375 || clntparsenewcb != 1
5376 || srvaddnewcb != 1
bb01ef3f
MC		 5377 || srvparsenewcb != 1
5378 || (tst != 2 && snicb != 0)
5379 || (tst == 2 && snicb != 1))
a37008d9 5380 goto end;
a37008d9 5381 } else {
36ff232c 5382 /* In this case there 2 NewSessionTicket messages created */
710756a9 5383 if (clntaddnewcb != 1
36ff232c
MC		 5384 || clntparsenewcb != 5
5385 || srvaddnewcb != 5
710756a9 5386 || srvparsenewcb != 1)
a37008d9 5387 goto end;
a37008d9
MC		 5388 }
5389
5390 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5391 SSL_shutdown(clientssl);
5392 SSL_shutdown(serverssl);
a37008d9
MC		 5393 SSL_free(serverssl);
5394 SSL_free(clientssl);
5395 serverssl = clientssl = NULL;
5396
bb01ef3f
MC		 5397 if (tst == 3) {
5398 /* We don't bother with the resumption aspects for this test */
5399 testresult = 1;
5400 goto end;
5401 }
5402
710756a9
RS		 5403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5404 NULL, NULL))
5405 || !TEST_true(SSL_set_session(clientssl, sess))
5406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5407 SSL_ERROR_NONE)))
a37008d9 5408 goto end;
a37008d9
MC		 5409
5410 /*
5411 * For a resumed session we expect to add the ClientHello extension. For the
5412 * old style callbacks we ignore it on the server side because they set
5413 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5414 * them.
5415 */
5416 if (tst == 0) {
710756a9
RS		 5417 if (clntaddoldcb != 2
5418 || clntparseoldcb != 1
5419 || srvaddoldcb != 1
5420 || srvparseoldcb != 1)
a37008d9 5421 goto end;
bb01ef3f 5422 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5423 if (clntaddnewcb != 2
5424 || clntparsenewcb != 2
5425 || srvaddnewcb != 2
5426 || srvparsenewcb != 2)
a37008d9 5427 goto end;
a37008d9 5428 } else {
36ff232c
MC		 5429 /*
5430 * No Certificate message extensions in the resumption handshake,
5431 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5432 */
710756a9 5433 if (clntaddnewcb != 2
36ff232c
MC		 5434 || clntparsenewcb != 8
5435 || srvaddnewcb != 8
710756a9 5436 || srvparsenewcb != 2)
a37008d9 5437 goto end;
a37008d9
MC		 5438 }
5439
5440 testresult = 1;
5441
5442end:
5443 SSL_SESSION_free(sess);
5444 SSL_free(serverssl);
5445 SSL_free(clientssl);
bb01ef3f 5446 SSL_CTX_free(sctx2);
a37008d9
MC		 5447 SSL_CTX_free(sctx);
5448 SSL_CTX_free(cctx);
a37008d9
MC		 5449 return testresult;
5450}
5451
16afd71c
MC		 5452/*
5453 * Test loading of serverinfo data in various formats. test_sslmessages actually
5454 * tests to make sure the extensions appear in the handshake
5455 */
5456static int test_serverinfo(int tst)
5457{
5458 unsigned int version;
5459 unsigned char *sibuf;
5460 size_t sibuflen;
5461 int ret, expected, testresult = 0;
5462 SSL_CTX *ctx;
5463
d8652be0 5464 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5465 if (!TEST_ptr(ctx))
5466 goto end;
5467
5468 if ((tst & 0x01) == 0x01)
5469 version = SSL_SERVERINFOV2;
5470 else
5471 version = SSL_SERVERINFOV1;
5472
5473 if ((tst & 0x02) == 0x02) {
5474 sibuf = serverinfov2;
5475 sibuflen = sizeof(serverinfov2);
5476 expected = (version == SSL_SERVERINFOV2);
5477 } else {
5478 sibuf = serverinfov1;
5479 sibuflen = sizeof(serverinfov1);
5480 expected = (version == SSL_SERVERINFOV1);
5481 }
5482
5483 if ((tst & 0x04) == 0x04) {
5484 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5485 } else {
5486 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5487
5488 /*
5489 * The version variable is irrelevant in this case - it's what is in the
5490 * buffer that matters
5491 */
5492 if ((tst & 0x02) == 0x02)
5493 expected = 0;
5494 else
5495 expected = 1;
5496 }
5497
5498 if (!TEST_true(ret == expected))
5499 goto end;
5500
5501 testresult = 1;
5502
5503 end:
5504 SSL_CTX_free(ctx);
5505
5506 return testresult;
5507}
5508
2197d1df
MC		 5509/*
5510 * Test that SSL_export_keying_material() produces expected results. There are
5511 * no test vectors so all we do is test that both sides of the communication
5512 * produce the same results for different protocol versions.
5513 */
0fb2815b
MC		 5514#define SMALL_LABEL_LEN 10
5515#define LONG_LABEL_LEN 249
2197d1df
MC		 5516static int test_export_key_mat(int tst)
5517{
a599574b 5518 int testresult = 0;
2197d1df
MC		 5519 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5520 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5521 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5522 const unsigned char context[] = "context";
5523 const unsigned char *emptycontext = NULL;
5524 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5525 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5526 size_t labellen;
a599574b
MC		 5527 const int protocols[] = {
5528 TLS1_VERSION,
5529 TLS1_1_VERSION,
5530 TLS1_2_VERSION,
0fb2815b
MC		 5531 TLS1_3_VERSION,
5532 TLS1_3_VERSION,
a599574b
MC		 5533 TLS1_3_VERSION
5534 };
2197d1df
MC		 5535
5536#ifdef OPENSSL_NO_TLS1
5537 if (tst == 0)
5538 return 1;
5539#endif
5540#ifdef OPENSSL_NO_TLS1_1
5541 if (tst == 1)
5542 return 1;
5543#endif
4f6c7044
MC		 5544 if (is_fips && (tst == 0 || tst == 1))
5545 return 1;
2197d1df
MC		 5546#ifdef OPENSSL_NO_TLS1_2
5547 if (tst == 2)
5548 return 1;
5549#endif
a763ca11 5550#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5551 if (tst >= 3)
2197d1df
MC		 5552 return 1;
5553#endif
5e30f2fd
MC		 5554 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5555 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5556 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5557 goto end;
5558
a599574b
MC		 5559 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5560 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5561 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5562 if ((protocols[tst] < TLS1_2_VERSION) &&
5563 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5564 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5565 goto end;
2197d1df
MC		 5566
5567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5568 NULL)))
5569 goto end;
5570
5571 /*
5572 * Premature call of SSL_export_keying_material should just fail.
5573 */
5574 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5575 sizeof(ckeymat1), label,
5576 SMALL_LABEL_LEN + 1, context,
5577 sizeof(context) - 1, 1), 0))
5578 goto end;
5579
5580 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5581 SSL_ERROR_NONE)))
2197d1df
MC		 5582 goto end;
5583
0fb2815b
MC		 5584 if (tst == 5) {
5585 /*
5586 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5587 * go over that.
5588 */
5589 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5590 sizeof(ckeymat1), label,
5591 LONG_LABEL_LEN + 1, context,
5592 sizeof(context) - 1, 1), 0))
5593 goto end;
5594
5595 testresult = 1;
5596 goto end;
5597 } else if (tst == 4) {
5598 labellen = LONG_LABEL_LEN;
5599 } else {
5600 labellen = SMALL_LABEL_LEN;
5601 }
5602
2197d1df
MC		 5603 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5604 sizeof(ckeymat1), label,
0fb2815b 5605 labellen, context,
2197d1df
MC		 5606 sizeof(context) - 1, 1), 1)
5607 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5608 sizeof(ckeymat2), label,
0fb2815b 5609 labellen,
2197d1df
MC		 5610 emptycontext,
5611 0, 1), 1)
5612 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5613 sizeof(ckeymat3), label,
0fb2815b 5614 labellen,
2197d1df
MC		 5615 NULL, 0, 0), 1)
5616 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5617 sizeof(skeymat1), label,
0fb2815b 5618 labellen,
2197d1df
MC		 5619 context,
5620 sizeof(context) -1, 1),
5621 1)
5622 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5623 sizeof(skeymat2), label,
0fb2815b 5624 labellen,
2197d1df
MC		 5625 emptycontext,
5626 0, 1), 1)
5627 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5628 sizeof(skeymat3), label,
0fb2815b 5629 labellen,
2197d1df
MC		 5630 NULL, 0, 0), 1)
5631 /*
5632 * Check that both sides created the same key material with the
5633 * same context.
5634 */
5635 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5636 sizeof(skeymat1))
5637 /*
5638 * Check that both sides created the same key material with an
5639 * empty context.
5640 */
5641 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5642 sizeof(skeymat2))
5643 /*
5644 * Check that both sides created the same key material without a
5645 * context.
5646 */
5647 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5648 sizeof(skeymat3))
5649 /* Different contexts should produce different results */
5650 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5651 sizeof(ckeymat2)))
5652 goto end;
5653
5654 /*
5655 * Check that an empty context and no context produce different results in
5656 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5657 */
0fb2815b 5658 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5659 sizeof(ckeymat3)))
0fb2815b
MC		 5660 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5661 sizeof(ckeymat3))))
2197d1df
MC		 5662 goto end;
5663
5664 testresult = 1;
5665
5666 end:
5667 SSL_free(serverssl);
5668 SSL_free(clientssl);
5669 SSL_CTX_free(sctx2);
5670 SSL_CTX_free(sctx);
5671 SSL_CTX_free(cctx);
5672
5673 return testresult;
5674}
5675
a763ca11 5676#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 5677/*
5678 * Test that SSL_export_keying_material_early() produces expected
5679 * results. There are no test vectors so all we do is test that both
5680 * sides of the communication produce the same results for different
5681 * protocol versions.
5682 */
5683static int test_export_key_mat_early(int idx)
5684{
5685 static const char label[] = "test label";
5686 static const unsigned char context[] = "context";
5687 int testresult = 0;
5688 SSL_CTX *cctx = NULL, *sctx = NULL;
5689 SSL *clientssl = NULL, *serverssl = NULL;
5690 SSL_SESSION *sess = NULL;
5691 const unsigned char *emptycontext = NULL;
5692 unsigned char ckeymat1[80], ckeymat2[80];
5693 unsigned char skeymat1[80], skeymat2[80];
5694 unsigned char buf[1];
5695 size_t readbytes, written;
5696
5697 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5698 &sess, idx)))
5699 goto end;
5700
5701 /* Here writing 0 length early data is enough. */
5702 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5703 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5704 &readbytes),
5705 SSL_READ_EARLY_DATA_ERROR)
5706 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5707 SSL_EARLY_DATA_ACCEPTED))
5708 goto end;
5709
5710 if (!TEST_int_eq(SSL_export_keying_material_early(
5711 clientssl, ckeymat1, sizeof(ckeymat1), label,
5712 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5713 || !TEST_int_eq(SSL_export_keying_material_early(
5714 clientssl, ckeymat2, sizeof(ckeymat2), label,
5715 sizeof(label) - 1, emptycontext, 0), 1)
5716 || !TEST_int_eq(SSL_export_keying_material_early(
5717 serverssl, skeymat1, sizeof(skeymat1), label,
5718 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5719 || !TEST_int_eq(SSL_export_keying_material_early(
5720 serverssl, skeymat2, sizeof(skeymat2), label,
5721 sizeof(label) - 1, emptycontext, 0), 1)
5722 /*
5723 * Check that both sides created the same key material with the
5724 * same context.
5725 */
5726 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5727 sizeof(skeymat1))
5728 /*
5729 * Check that both sides created the same key material with an
5730 * empty context.
5731 */
5732 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5733 sizeof(skeymat2))
5734 /* Different contexts should produce different results */
5735 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5736 sizeof(ckeymat2)))
5737 goto end;
5738
5739 testresult = 1;
5740
5741 end:
c20e3b28 5742 SSL_SESSION_free(sess);
b38ede80
TT		 5743 SSL_SESSION_free(clientpsk);
5744 SSL_SESSION_free(serverpsk);
34ff74eb 5745 clientpsk = serverpsk = NULL;
b38ede80
TT		 5746 SSL_free(serverssl);
5747 SSL_free(clientssl);
5748 SSL_CTX_free(sctx);
5749 SSL_CTX_free(cctx);
5750
5751 return testresult;
5752}
3409a5ff
MC		 5753
5754#define NUM_KEY_UPDATE_MESSAGES 40
5755/*
5756 * Test KeyUpdate.
5757 */
5758static int test_key_update(void)
5759{
5760 SSL_CTX *cctx = NULL, *sctx = NULL;
5761 SSL *clientssl = NULL, *serverssl = NULL;
5762 int testresult = 0, i, j;
5763 char buf[20];
5764 static char *mess = "A test message";
5765
5e30f2fd 5766 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5767 TLS_client_method(),
5768 TLS1_3_VERSION,
5769 0,
5770 &sctx, &cctx, cert, privkey))
5771 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5772 NULL, NULL))
5773 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5774 SSL_ERROR_NONE)))
5775 goto end;
5776
5777 for (j = 0; j < 2; j++) {
5778 /* Send lots of KeyUpdate messages */
5779 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5780 if (!TEST_true(SSL_key_update(clientssl,
5781 (j == 0)
5782 ? SSL_KEY_UPDATE_NOT_REQUESTED
5783 : SSL_KEY_UPDATE_REQUESTED))
5784 || !TEST_true(SSL_do_handshake(clientssl)))
5785 goto end;
5786 }
5787
5788 /* Check that sending and receiving app data is ok */
5789 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5790 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5791 strlen(mess)))
5792 goto end;
a77b4dba
MC		 5793
5794 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5795 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5796 strlen(mess)))
5797 goto end;
3409a5ff
MC		 5798 }
5799
5800 testresult = 1;
5801
5802 end:
5803 SSL_free(serverssl);
5804 SSL_free(clientssl);
5805 SSL_CTX_free(sctx);
5806 SSL_CTX_free(cctx);
5807
5808 return testresult;
5809}
a77b4dba
MC		 5810
5811/*
5812 * Test we can handle a KeyUpdate (update requested) message while write data
5813 * is pending.
5814 * Test 0: Client sends KeyUpdate while Server is writing
5815 * Test 1: Server sends KeyUpdate while Client is writing
5816 */
5817static int test_key_update_in_write(int tst)
5818{
5819 SSL_CTX *cctx = NULL, *sctx = NULL;
5820 SSL *clientssl = NULL, *serverssl = NULL;
5821 int testresult = 0;
5822 char buf[20];
5823 static char *mess = "A test message";
5824 BIO *bretry = BIO_new(bio_s_always_retry());
5825 BIO *tmp = NULL;
5826 SSL *peerupdate = NULL, *peerwrite = NULL;
5827
5828 if (!TEST_ptr(bretry)
5e30f2fd 5829 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5830 TLS_client_method(),
5831 TLS1_3_VERSION,
5832 0,
5833 &sctx, &cctx, cert, privkey))
5834 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5835 NULL, NULL))
5836 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5837 SSL_ERROR_NONE)))
5838 goto end;
5839
5840 peerupdate = tst == 0 ? clientssl : serverssl;
5841 peerwrite = tst == 0 ? serverssl : clientssl;
5842
5843 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5844 || !TEST_true(SSL_do_handshake(peerupdate)))
5845 goto end;
5846
5847 /* Swap the writing endpoint's write BIO to force a retry */
5848 tmp = SSL_get_wbio(peerwrite);
5849 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5850 tmp = NULL;
5851 goto end;
5852 }
5853 SSL_set0_wbio(peerwrite, bretry);
5854 bretry = NULL;
5855
5856 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5857 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5858 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5859 goto end;
5860
5861 /* Reinstate the original writing endpoint's write BIO */
5862 SSL_set0_wbio(peerwrite, tmp);
5863 tmp = NULL;
5864
5865 /* Now read some data - we will read the key update */
5866 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5867 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5868 goto end;
5869
5870 /*
5871 * Complete the write we started previously and read it from the other
5872 * endpoint
5873 */
5874 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5875 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5876 goto end;
5877
5878 /* Write more data to ensure we send the KeyUpdate message back */
5879 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5880 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5881 goto end;
5882
5883 testresult = 1;
5884
5885 end:
5886 SSL_free(serverssl);
5887 SSL_free(clientssl);
5888 SSL_CTX_free(sctx);
5889 SSL_CTX_free(cctx);
5890 BIO_free(bretry);
5891 BIO_free(tmp);
5892
5893 return testresult;
5894}
a763ca11 5895#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 5896
e11b6aa4
MC		 5897static int test_ssl_clear(int idx)
5898{
5899 SSL_CTX *cctx = NULL, *sctx = NULL;
5900 SSL *clientssl = NULL, *serverssl = NULL;
5901 int testresult = 0;
5902
5903#ifdef OPENSSL_NO_TLS1_2
5904 if (idx == 1)
5905 return 1;
5906#endif
5907
5908 /* Create an initial connection */
5e30f2fd
MC		 5909 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5910 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5911 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5912 || (idx == 1
5913 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5914 TLS1_2_VERSION)))
5915 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5916 &clientssl, NULL, NULL))
5917 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5918 SSL_ERROR_NONE)))
5919 goto end;
5920
5921 SSL_shutdown(clientssl);
5922 SSL_shutdown(serverssl);
5923 SSL_free(serverssl);
5924 serverssl = NULL;
5925
5926 /* Clear clientssl - we're going to reuse the object */
5927 if (!TEST_true(SSL_clear(clientssl)))
5928 goto end;
5929
5930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5931 NULL, NULL))
5932 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5933 SSL_ERROR_NONE))
5934 || !TEST_true(SSL_session_reused(clientssl)))
5935 goto end;
5936
5937 SSL_shutdown(clientssl);
5938 SSL_shutdown(serverssl);
5939
5940 testresult = 1;
5941
5942 end:
5943 SSL_free(serverssl);
5944 SSL_free(clientssl);
5945 SSL_CTX_free(sctx);
5946 SSL_CTX_free(cctx);
5947
5948 return testresult;
5949}
5950
cf72c757
F		 5951/* Parse CH and retrieve any MFL extension value if present */
5952static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5953{
5954 long len;
5955 unsigned char *data;
72962d02 5956 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5957 unsigned int MFL_code = 0, type = 0;
5958
5959 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5960 goto end;
5961
72962d02
P		 5962 memset(&pkt, 0, sizeof(pkt));
5963 memset(&pkt2, 0, sizeof(pkt2));
5964 memset(&pkt3, 0, sizeof(pkt3));
5965
9ba18520
P		 5966 if (!TEST_long_gt(len, 0)
5967 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
cf72c757
F		 5968 /* Skip the record header */
5969 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5970 /* Skip the handshake message header */
5971 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5972 /* Skip client version and random */
5973 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5974 + SSL3_RANDOM_SIZE))
5975 /* Skip session id */
5976 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5977 /* Skip ciphers */
5978 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5979 /* Skip compression */
5980 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5981 /* Extensions len */
5982 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5983 goto end;
5984
5985 /* Loop through all extensions */
5986 while (PACKET_remaining(&pkt2)) {
5987 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5988 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5989 goto end;
5990
5991 if (type == TLSEXT_TYPE_max_fragment_length) {
5992 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5993 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5994 goto end;
5995
5996 *mfl_codemfl_code = MFL_code;
5997 return 1;
5998 }
5999 }
6000
6001 end:
6002 return 0;
6003}
6004
6005/* Maximum-Fragment-Length TLS extension mode to test */
6006static const unsigned char max_fragment_len_test[] = {
6007 TLSEXT_max_fragment_length_512,
6008 TLSEXT_max_fragment_length_1024,
6009 TLSEXT_max_fragment_length_2048,
6010 TLSEXT_max_fragment_length_4096
6011};
6012
6013static int test_max_fragment_len_ext(int idx_tst)
6014{
a763ca11 6015 SSL_CTX *ctx = NULL;
cf72c757
F		 6016 SSL *con = NULL;
6017 int testresult = 0, MFL_mode = 0;
6018 BIO *rbio, *wbio;
6019
a763ca11
MC		 6020 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6021 TLS1_VERSION, 0, NULL, &ctx, NULL,
6022 NULL)))
6023 return 0;
cf72c757
F		 6024
6025 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6026 ctx, max_fragment_len_test[idx_tst])))
6027 goto end;
6028
6029 con = SSL_new(ctx);
6030 if (!TEST_ptr(con))
6031 goto end;
6032
6033 rbio = BIO_new(BIO_s_mem());
6034 wbio = BIO_new(BIO_s_mem());
6035 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6036 BIO_free(rbio);
6037 BIO_free(wbio);
6038 goto end;
6039 }
6040
6041 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6042
6043 if (!TEST_int_le(SSL_connect(con), 0)) {
6044 /* This shouldn't succeed because we don't have a server! */
6045 goto end;
6046 }
6047
6048 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6049 /* no MFL in client hello */
6050 goto end;
6051 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6052 goto end;
6053
6054 testresult = 1;
6055
6056end:
6057 SSL_free(con);
6058 SSL_CTX_free(ctx);
6059
6060 return testresult;
6061}
6062
a763ca11 6063#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6064static int test_pha_key_update(void)
6065{
6066 SSL_CTX *cctx = NULL, *sctx = NULL;
6067 SSL *clientssl = NULL, *serverssl = NULL;
6068 int testresult = 0;
6069
5e30f2fd
MC		 6070 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6071 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6072 &sctx, &cctx, cert, privkey)))
6073 return 0;
6074
6075 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6076 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6077 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6078 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6079 goto end;
6080
e97be718 6081 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6082
6083 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6084 NULL, NULL)))
6085 goto end;
6086
9d75dce3
TS		 6087 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6088 SSL_ERROR_NONE)))
6089 goto end;
6090
6091 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6092 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6093 goto end;
6094
6095 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6096 goto end;
6097
6098 /* Start handshake on the server */
6099 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6100 goto end;
6101
6102 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6103 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6104 SSL_ERROR_NONE)))
6105 goto end;
6106
6107 SSL_shutdown(clientssl);
6108 SSL_shutdown(serverssl);
6109
6110 testresult = 1;
6111
6112 end:
6113 SSL_free(serverssl);
6114 SSL_free(clientssl);
6115 SSL_CTX_free(sctx);
6116 SSL_CTX_free(cctx);
6117 return testresult;
6118}
6119#endif
6120
76fd7a1d
MC		 6121#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6122
6123static SRP_VBASE *vbase = NULL;
6124
6125static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6126{
6127 int ret = SSL3_AL_FATAL;
6128 char *username;
6129 SRP_user_pwd *user = NULL;
6130
6131 username = SSL_get_srp_username(s);
6132 if (username == NULL) {
6133 *ad = SSL_AD_INTERNAL_ERROR;
6134 goto err;
6135 }
6136
6137 user = SRP_VBASE_get1_by_user(vbase, username);
6138 if (user == NULL) {
6139 *ad = SSL_AD_INTERNAL_ERROR;
6140 goto err;
6141 }
6142
6143 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6144 user->info) <= 0) {
6145 *ad = SSL_AD_INTERNAL_ERROR;
6146 goto err;
6147 }
6148
6149 ret = 0;
6150
6151 err:
6152 SRP_user_pwd_free(user);
6153 return ret;
6154}
6155
6156static int create_new_vfile(char *userid, char *password, const char *filename)
6157{
6158 char *gNid = NULL;
6159 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6160 TXT_DB *db = NULL;
6161 int ret = 0;
6162 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6163 size_t i;
6164
6165 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6166 goto end;
6167
20c00d0a 6168 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6169 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6170 if (!TEST_ptr(gNid))
6171 goto end;
6172
6173 /*
6174 * The only way to create an empty TXT_DB is to provide a BIO with no data
6175 * in it!
6176 */
6177 db = TXT_DB_read(dummy, DB_NUMBER);
6178 if (!TEST_ptr(db))
6179 goto end;
6180
6181 out = BIO_new_file(filename, "w");
6182 if (!TEST_ptr(out))
6183 goto end;
6184
6185 row[DB_srpid] = OPENSSL_strdup(userid);
6186 row[DB_srptype] = OPENSSL_strdup("V");
6187 row[DB_srpgN] = OPENSSL_strdup(gNid);
6188
6189 if (!TEST_ptr(row[DB_srpid])
6190 || !TEST_ptr(row[DB_srptype])
6191 || !TEST_ptr(row[DB_srpgN])
6192 || !TEST_true(TXT_DB_insert(db, row)))
6193 goto end;
6194
6195 row = NULL;
6196
6197 if (!TXT_DB_write(out, db))
6198 goto end;
6199
6200 ret = 1;
6201 end:
6202 if (row != NULL) {
6203 for (i = 0; i < DB_NUMBER; i++)
6204 OPENSSL_free(row[i]);
6205 }
6206 OPENSSL_free(row);
6207 BIO_free(dummy);
6208 BIO_free(out);
6209 TXT_DB_free(db);
6210
6211 return ret;
6212}
6213
6214static int create_new_vbase(char *userid, char *password)
6215{
6216 BIGNUM *verifier = NULL, *salt = NULL;
6217 const SRP_gN *lgN = NULL;
6218 SRP_user_pwd *user_pwd = NULL;
6219 int ret = 0;
6220
6221 lgN = SRP_get_default_gN(NULL);
6222 if (!TEST_ptr(lgN))
6223 goto end;
6224
20c00d0a 6225 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6226 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6227 goto end;
6228
6229 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6230 if (!TEST_ptr(user_pwd))
6231 goto end;
6232
6233 user_pwd->N = lgN->N;
6234 user_pwd->g = lgN->g;
6235 user_pwd->id = OPENSSL_strdup(userid);
6236 if (!TEST_ptr(user_pwd->id))
6237 goto end;
6238
6239 user_pwd->v = verifier;
6240 user_pwd->s = salt;
6241 verifier = salt = NULL;
6242
6243 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6244 goto end;
6245 user_pwd = NULL;
6246
6247 ret = 1;
6248end:
6249 SRP_user_pwd_free(user_pwd);
6250 BN_free(salt);
6251 BN_free(verifier);
6252
6253 return ret;
6254}
6255
6256/*
6257 * SRP tests
6258 *
6259 * Test 0: Simple successful SRP connection, new vbase
6260 * Test 1: Connection failure due to bad password, new vbase
6261 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6262 * Test 3: Connection failure due to bad password, vbase loaded from existing
6263 * file
6264 * Test 4: Simple successful SRP connection, vbase loaded from new file
6265 * Test 5: Connection failure due to bad password, vbase loaded from new file
6266 */
6267static int test_srp(int tst)
6268{
6269 char *userid = "test", *password = "password", *tstsrpfile;
6270 SSL_CTX *cctx = NULL, *sctx = NULL;
6271 SSL *clientssl = NULL, *serverssl = NULL;
6272 int ret, testresult = 0;
6273
6274 vbase = SRP_VBASE_new(NULL);
6275 if (!TEST_ptr(vbase))
6276 goto end;
6277
6278 if (tst == 0 || tst == 1) {
6279 if (!TEST_true(create_new_vbase(userid, password)))
6280 goto end;
6281 } else {
6282 if (tst == 4 || tst == 5) {
6283 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6284 goto end;
6285 tstsrpfile = tmpfilename;
6286 } else {
6287 tstsrpfile = srpvfile;
6288 }
6289 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6290 goto end;
6291 }
6292
5e30f2fd
MC		 6293 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6294 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6295 &sctx, &cctx, cert, privkey)))
6296 goto end;
6297
6298 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6299 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6300 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6301 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6302 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6303 goto end;
6304
6305 if (tst % 2 == 1) {
6306 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6307 goto end;
6308 } else {
6309 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6310 goto end;
6311 }
6312
6313 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6314 NULL, NULL)))
6315 goto end;
6316
6317 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6318 if (ret) {
6319 if (!TEST_true(tst % 2 == 0))
6320 goto end;
6321 } else {
6322 if (!TEST_true(tst % 2 == 1))
6323 goto end;
6324 }
6325
6326 testresult = 1;
6327
6328 end:
6329 SRP_VBASE_free(vbase);
6330 vbase = NULL;
6331 SSL_free(serverssl);
6332 SSL_free(clientssl);
6333 SSL_CTX_free(sctx);
6334 SSL_CTX_free(cctx);
6335
6336 return testresult;
6337}
6338#endif
6339
5718fe45
MC		 6340static int info_cb_failed = 0;
6341static int info_cb_offset = 0;
6342static int info_cb_this_state = -1;
6343
6344static struct info_cb_states_st {
6345 int where;
6346 const char *statestr;
6347} info_cb_states[][60] = {
6348 {
6349 /* TLSv1.2 server followed by resumption */
6350 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6351 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6352 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6353 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6354 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6355 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6356 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6357 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6358 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6359 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6360 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6361 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6362 {SSL_CB_EXIT, NULL}, {0, NULL},
6363 }, {
6364 /* TLSv1.2 client followed by resumption */
6365 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6366 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6367 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6368 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6369 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6370 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6371 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6372 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6373 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6374 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6375 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6376 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6377 }, {
6378 /* TLSv1.3 server followed by resumption */
6379 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6380 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6381 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6382 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6383 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6384 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6385 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6386 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6387 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6388 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6389 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6390 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6391 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6392 }, {
6393 /* TLSv1.3 client followed by resumption */
6394 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6395 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6396 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6397 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6398 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6399 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6400 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6401 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6402 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6403 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6404 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6405 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6406 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6407 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6408 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6409 }, {
6410 /* TLSv1.3 server, early_data */
6411 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6412 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6413 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6414 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6415 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6416 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6417 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6418 {SSL_CB_EXIT, NULL}, {0, NULL},
6419 }, {
6420 /* TLSv1.3 client, early_data */
6421 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6422 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6423 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6424 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6425 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6426 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6427 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6428 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6429 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6430 }, {
6431 {0, NULL},
6432 }
6433};
6434
6435static void sslapi_info_callback(const SSL *s, int where, int ret)
6436{
6437 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6438
6439 /* We do not ever expect a connection to fail in this test */
6440 if (!TEST_false(ret == 0)) {
6441 info_cb_failed = 1;
6442 return;
6443 }
6444
6445 /*
6446 * Do some sanity checks. We never expect these things to happen in this
6447 * test
6448 */
6449 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6450 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6451 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6452 info_cb_failed = 1;
6453 return;
6454 }
6455
6456 /* Now check we're in the right state */
6457 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6458 info_cb_failed = 1;
6459 return;
6460 }
6461 if ((where & SSL_CB_LOOP) != 0
6462 && !TEST_int_eq(strcmp(SSL_state_string(s),
6463 state[info_cb_this_state].statestr), 0)) {
6464 info_cb_failed = 1;
6465 return;
6466 }
033c181b 6467
4af5836b
MC		 6468 /*
6469 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6470 */
6471 if ((where & SSL_CB_HANDSHAKE_DONE)
6472 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6473 info_cb_failed = 1;
6474 return;
6475 }
5718fe45
MC		 6476}
6477
6478/*
6479 * Test the info callback gets called when we expect it to.
6480 *
6481 * Test 0: TLSv1.2, server
6482 * Test 1: TLSv1.2, client
6483 * Test 2: TLSv1.3, server
6484 * Test 3: TLSv1.3, client
6485 * Test 4: TLSv1.3, server, early_data
6486 * Test 5: TLSv1.3, client, early_data
6487 */
6488static int test_info_callback(int tst)
6489{
6490 SSL_CTX *cctx = NULL, *sctx = NULL;
6491 SSL *clientssl = NULL, *serverssl = NULL;
6492 SSL_SESSION *clntsess = NULL;
6493 int testresult = 0;
6494 int tlsvers;
6495
6496 if (tst < 2) {
1aac20f5
MC		 6497/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6498#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6499 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6500 tlsvers = TLS1_2_VERSION;
6501#else
6502 return 1;
6503#endif
6504 } else {
a763ca11 6505#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6506 tlsvers = TLS1_3_VERSION;
6507#else
6508 return 1;
6509#endif
6510 }
6511
6512 /* Reset globals */
6513 info_cb_failed = 0;
6514 info_cb_this_state = -1;
6515 info_cb_offset = tst;
6516
a763ca11 6517#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6518 if (tst >= 4) {
6519 SSL_SESSION *sess = NULL;
6520 size_t written, readbytes;
6521 unsigned char buf[80];
6522
6523 /* early_data tests */
6524 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6525 &serverssl, &sess, 0)))
6526 goto end;
6527
6528 /* We don't actually need this reference */
6529 SSL_SESSION_free(sess);
6530
6531 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6532 sslapi_info_callback);
6533
6534 /* Write and read some early data and then complete the connection */
6535 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6536 &written))
6537 || !TEST_size_t_eq(written, strlen(MSG1))
6538 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6539 sizeof(buf), &readbytes),
6540 SSL_READ_EARLY_DATA_SUCCESS)
6541 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6542 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6543 SSL_EARLY_DATA_ACCEPTED)
6544 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6545 SSL_ERROR_NONE))
6546 || !TEST_false(info_cb_failed))
6547 goto end;
6548
6549 testresult = 1;
6550 goto end;
6551 }
6e07834c 6552#endif
5718fe45 6553
5e30f2fd 6554 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6555 TLS_client_method(),
6556 tlsvers, tlsvers, &sctx, &cctx, cert,
6557 privkey)))
6558 goto end;
6559
33c39a06
MC		 6560 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6561 goto end;
6562
5718fe45
MC		 6563 /*
6564 * For even numbered tests we check the server callbacks. For odd numbers we
6565 * check the client.
6566 */
6567 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6568 sslapi_info_callback);
6569
6570 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6571 &clientssl, NULL, NULL))
6572 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6573 SSL_ERROR_NONE))
6574 || !TEST_false(info_cb_failed))
6575 goto end;
6576
6577
6578
6579 clntsess = SSL_get1_session(clientssl);
6580 SSL_shutdown(clientssl);
6581 SSL_shutdown(serverssl);
6582 SSL_free(serverssl);
6583 SSL_free(clientssl);
6584 serverssl = clientssl = NULL;
6585
6586 /* Now do a resumption */
6587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6588 NULL))
6589 || !TEST_true(SSL_set_session(clientssl, clntsess))
6590 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6591 SSL_ERROR_NONE))
6592 || !TEST_true(SSL_session_reused(clientssl))
6593 || !TEST_false(info_cb_failed))
6594 goto end;
6595
6596 testresult = 1;
6597
6598 end:
6599 SSL_free(serverssl);
6600 SSL_free(clientssl);
6601 SSL_SESSION_free(clntsess);
6602 SSL_CTX_free(sctx);
6603 SSL_CTX_free(cctx);
6604 return testresult;
6605}
6606
4a432af8
MC		 6607static int test_ssl_pending(int tst)
6608{
6609 SSL_CTX *cctx = NULL, *sctx = NULL;
6610 SSL *clientssl = NULL, *serverssl = NULL;
6611 int testresult = 0;
6612 char msg[] = "A test message";
6613 char buf[5];
6614 size_t written, readbytes;
6615
6616 if (tst == 0) {
5e30f2fd 6617 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6618 TLS_client_method(),
5c587fb6 6619 TLS1_VERSION, 0,
4a432af8
MC		 6620 &sctx, &cctx, cert, privkey)))
6621 goto end;
6622 } else {
6623#ifndef OPENSSL_NO_DTLS
5e30f2fd 6624 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6625 DTLS_client_method(),
5c587fb6 6626 DTLS1_VERSION, 0,
4a432af8
MC		 6627 &sctx, &cctx, cert, privkey)))
6628 goto end;
6629#else
6630 return 1;
6631#endif
6632 }
6633
6634 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6635 NULL, NULL))
6636 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6637 SSL_ERROR_NONE)))
6638 goto end;
6639
e8251092
MC		 6640 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6641 || !TEST_false(SSL_has_pending(clientssl))
6642 || !TEST_int_eq(SSL_pending(serverssl), 0)
6643 || !TEST_false(SSL_has_pending(serverssl))
6644 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6645 || !TEST_size_t_eq(written, sizeof(msg))
6646 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6647 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6648 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6649 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6650 goto end;
6651
6652 testresult = 1;
6653
6654 end:
6655 SSL_free(serverssl);
6656 SSL_free(clientssl);
6657 SSL_CTX_free(sctx);
6658 SSL_CTX_free(cctx);
6659
6660 return testresult;
6661}
6662
e401389a
MC		 6663static struct {
6664 unsigned int maxprot;
6665 const char *clntciphers;
6666 const char *clnttls13ciphers;
6667 const char *srvrciphers;
6668 const char *srvrtls13ciphers;
6669 const char *shared;
a96e6c34 6670 const char *fipsshared;
e401389a 6671} shared_ciphers_data[] = {
60155b9a
MC		 6672/*
6673 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6674 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6675 */
a763ca11 6676#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6677 {
6678 TLS1_2_VERSION,
6679 "AES128-SHA:AES256-SHA",
6680 NULL,
6681 "AES256-SHA:DHE-RSA-AES128-SHA",
6682 NULL,
a96e6c34 6683 "AES256-SHA",
e401389a
MC		 6684 "AES256-SHA"
6685 },
a96e6c34
MC		 6686# if !defined(OPENSSL_NO_CHACHA) \
6687 && !defined(OPENSSL_NO_POLY1305) \
6688 && !defined(OPENSSL_NO_EC)
6689 {
6690 TLS1_2_VERSION,
6691 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6692 NULL,
6693 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6694 NULL,
6695 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6696 "AES128-SHA"
6697 },
6698# endif
e401389a
MC		 6699 {
6700 TLS1_2_VERSION,
6701 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6702 NULL,
6703 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6704 NULL,
a96e6c34 6705 "AES128-SHA:AES256-SHA",
e401389a
MC		 6706 "AES128-SHA:AES256-SHA"
6707 },
6708 {
6709 TLS1_2_VERSION,
6710 "AES128-SHA:AES256-SHA",
6711 NULL,
6712 "AES128-SHA:DHE-RSA-AES128-SHA",
6713 NULL,
a96e6c34 6714 "AES128-SHA",
e401389a
MC		 6715 "AES128-SHA"
6716 },
60155b9a
MC		 6717#endif
6718/*
6719 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6720 * enabled.
6721 */
a763ca11 6722#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 6723 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6724 {
6725 TLS1_3_VERSION,
6726 "AES128-SHA:AES256-SHA",
6727 NULL,
6728 "AES256-SHA:AES128-SHA256",
6729 NULL,
6730 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6731 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6732 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6733 },
60155b9a 6734#endif
a763ca11 6735#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 6736 {
6737 TLS1_3_VERSION,
6738 "AES128-SHA",
6739 "TLS_AES_256_GCM_SHA384",
6740 "AES256-SHA",
6741 "TLS_AES_256_GCM_SHA384",
a96e6c34 6742 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6743 "TLS_AES_256_GCM_SHA384"
6744 },
6745#endif
6746};
6747
a96e6c34 6748static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6749{
6750 SSL_CTX *cctx = NULL, *sctx = NULL;
6751 SSL *clientssl = NULL, *serverssl = NULL;
6752 int testresult = 0;
6753 char buf[1024];
b4250010 6754 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 6755
6756 if (!TEST_ptr(tmplibctx))
6757 goto end;
6758
6759 /*
6760 * Regardless of whether we're testing with the FIPS provider loaded into
6761 * libctx, we want one peer to always use the full set of ciphersuites
6762 * available. Therefore we use a separate libctx with the default provider
6763 * loaded into it. We run the same tests twice - once with the client side
6764 * having the full set of ciphersuites and once with the server side.
6765 */
6766 if (clnt) {
d8652be0 6767 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 6768 if (!TEST_ptr(cctx))
6769 goto end;
6770 } else {
d8652be0 6771 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 6772 if (!TEST_ptr(sctx))
6773 goto end;
6774 }
e401389a 6775
5e30f2fd 6776 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6777 TLS_client_method(),
6778 TLS1_VERSION,
6779 shared_ciphers_data[tst].maxprot,
6780 &sctx, &cctx, cert, privkey)))
6781 goto end;
6782
6783 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6784 shared_ciphers_data[tst].clntciphers))
6785 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6786 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6787 shared_ciphers_data[tst].clnttls13ciphers)))
6788 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6789 shared_ciphers_data[tst].srvrciphers))
6790 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6791 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6792 shared_ciphers_data[tst].srvrtls13ciphers))))
6793 goto end;
6794
6795
6796 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6797 NULL, NULL))
6798 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6799 SSL_ERROR_NONE)))
6800 goto end;
6801
6802 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6803 || !TEST_int_eq(strcmp(buf,
6804 is_fips
6805 ? shared_ciphers_data[tst].fipsshared
6806 : shared_ciphers_data[tst].shared),
6807 0)) {
e401389a
MC		 6808 TEST_info("Shared ciphers are: %s\n", buf);
6809 goto end;
6810 }
6811
6812 testresult = 1;
6813
6814 end:
6815 SSL_free(serverssl);
6816 SSL_free(clientssl);
6817 SSL_CTX_free(sctx);
6818 SSL_CTX_free(cctx);
b4250010 6819 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 6820
6821 return testresult;
6822}
6823
a96e6c34
MC		 6824static int test_ssl_get_shared_ciphers(int tst)
6825{
6826 return int_test_ssl_get_shared_ciphers(tst, 0)
6827 && int_test_ssl_get_shared_ciphers(tst, 1);
6828}
6829
6830
d0191fe0 6831static const char *appdata = "Hello World";
61fb5923
MC		 6832static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6833static int tick_key_renew = 0;
6834static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6835
6836static int gen_tick_cb(SSL *s, void *arg)
6837{
6838 gen_tick_called = 1;
6839
6840 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6841 strlen(appdata));
6842}
6843
6844static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6845 const unsigned char *keyname,
6846 size_t keyname_length,
61fb5923
MC		 6847 SSL_TICKET_STATUS status,
6848 void *arg)
d0191fe0
MC		 6849{
6850 void *tickdata;
6851 size_t tickdlen;
6852
6853 dec_tick_called = 1;
6854
61fb5923
MC		 6855 if (status == SSL_TICKET_EMPTY)
6856 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6857
61fb5923
MC		 6858 if (!TEST_true(status == SSL_TICKET_SUCCESS
6859 || status == SSL_TICKET_SUCCESS_RENEW))
6860 return SSL_TICKET_RETURN_ABORT;
6861
6862 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6863 &tickdlen))
d0191fe0
MC		 6864 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6865 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6866 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6867
61fb5923
MC		 6868 if (tick_key_cb_called) {
6869 /* Don't change what the ticket key callback wanted to do */
6870 switch (status) {
6871 case SSL_TICKET_NO_DECRYPT:
6872 return SSL_TICKET_RETURN_IGNORE_RENEW;
6873
6874 case SSL_TICKET_SUCCESS:
6875 return SSL_TICKET_RETURN_USE;
d0191fe0 6876
61fb5923
MC		 6877 case SSL_TICKET_SUCCESS_RENEW:
6878 return SSL_TICKET_RETURN_USE_RENEW;
6879
6880 default:
6881 return SSL_TICKET_RETURN_ABORT;
6882 }
6883 }
6884 return tick_dec_ret;
6885
6886}
d0191fe0 6887
a76ce286 6888#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6889static int tick_key_cb(SSL *s, unsigned char key_name[16],
6890 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6891 HMAC_CTX *hctx, int enc)
6892{
6893 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6894 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6895 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6896 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6897 int ret;
d0191fe0 6898
61fb5923 6899 tick_key_cb_called = 1;
d0191fe0
MC		 6900 memset(iv, 0, AES_BLOCK_SIZE);
6901 memset(key_name, 0, 16);
5e30f2fd
MC		 6902 if (aes128cbc == NULL
6903 || sha256 == NULL
6904 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6905 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6906 NULL))
6907 ret = -1;
6908 else
6909 ret = tick_key_renew ? 2 : 1;
d0191fe0 6910
5e30f2fd
MC		 6911 EVP_CIPHER_free(aes128cbc);
6912 EVP_MD_free(sha256);
6913
6914 return ret;
d0191fe0 6915}
a76ce286
P		 6916#endif
6917
6918static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6919 unsigned char iv[EVP_MAX_IV_LENGTH],
6920 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6921{
6922 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6923 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 6924 OSSL_PARAM params[2];
5e30f2fd
MC		 6925 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6926 int ret;
a76ce286
P		 6927
6928 tick_key_cb_called = 1;
6929 memset(iv, 0, AES_BLOCK_SIZE);
6930 memset(key_name, 0, 16);
6931 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6932 "SHA256", 0);
77e4ae58 6933 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6934 if (aes128cbc == NULL
6935 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 6936 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
6937 params))
5e30f2fd
MC		 6938 ret = -1;
6939 else
6940 ret = tick_key_renew ? 2 : 1;
6941
6942 EVP_CIPHER_free(aes128cbc);
a76ce286 6943
5e30f2fd 6944 return ret;
a76ce286 6945}
d0191fe0
MC		 6946
6947/*
6948 * Test the various ticket callbacks
61fb5923
MC		 6949 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6950 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6951 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6952 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6953 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6954 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6955 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6956 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6957 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6958 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6959 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6960 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6961 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6962 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6963 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6964 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6965 */
6966static int test_ticket_callbacks(int tst)
6967{
6968 SSL_CTX *cctx = NULL, *sctx = NULL;
6969 SSL *clientssl = NULL, *serverssl = NULL;
6970 SSL_SESSION *clntsess = NULL;
6971 int testresult = 0;
6972
6973#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6974 if (tst % 2 == 0)
d0191fe0
MC		 6975 return 1;
6976#endif
a763ca11 6977#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 6978 if (tst % 2 == 1)
d0191fe0
MC		 6979 return 1;
6980#endif
a76ce286
P		 6981#ifdef OPENSSL_NO_DEPRECATED_3_0
6982 if (tst >= 8 && tst <= 11)
6983 return 1;
6984#endif
d0191fe0 6985
61fb5923 6986 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6987
6988 /* Which tests the ticket key callback should request renewal for */
a76ce286 6989 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6990 tick_key_renew = 1;
d0191fe0 6991 else
61fb5923
MC		 6992 tick_key_renew = 0;
6993
6994 /* Which tests the decrypt ticket callback should request renewal for */
6995 switch (tst) {
6996 case 0:
6997 case 1:
6998 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6999 break;
7000
7001 case 2:
7002 case 3:
7003 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7004 break;
7005
7006 case 4:
7007 case 5:
7008 tick_dec_ret = SSL_TICKET_RETURN_USE;
7009 break;
7010
7011 case 6:
7012 case 7:
7013 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7014 break;
7015
7016 default:
7017 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7018 }
d0191fe0 7019
5e30f2fd 7020 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7021 TLS_client_method(),
7022 TLS1_VERSION,
61fb5923
MC		 7023 ((tst % 2) == 0) ? TLS1_2_VERSION
7024 : TLS1_3_VERSION,
d0191fe0
MC		 7025 &sctx, &cctx, cert, privkey)))
7026 goto end;
7027
61fb5923
MC		 7028 /*
7029 * We only want sessions to resume from tickets - not the session cache. So
7030 * switch the cache off.
7031 */
7032 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7033 goto end;
7034
d0191fe0
MC		 7035 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7036 NULL)))
7037 goto end;
7038
a76ce286
P		 7039 if (tst >= 12) {
7040 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7041 goto end;
7042#ifndef OPENSSL_NO_DEPRECATED_3_0
7043 } else if (tst >= 8) {
7044 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7045 goto end;
7046#endif
7047 }
d0191fe0
MC		 7048
7049 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7050 NULL, NULL))
7051 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7052 SSL_ERROR_NONE)))
7053 goto end;
7054
61fb5923
MC		 7055 /*
7056 * The decrypt ticket key callback in TLSv1.2 should be called even though
7057 * we have no ticket yet, because it gets called with a status of
7058 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7059 * actually send any ticket data). This does not happen in TLSv1.3 because
7060 * it is not valid to send empty ticket data in TLSv1.3.
7061 */
d0191fe0 7062 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7063 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7064 goto end;
7065
7066 gen_tick_called = dec_tick_called = 0;
7067
7068 clntsess = SSL_get1_session(clientssl);
7069 SSL_shutdown(clientssl);
7070 SSL_shutdown(serverssl);
7071 SSL_free(serverssl);
7072 SSL_free(clientssl);
7073 serverssl = clientssl = NULL;
7074
7075 /* Now do a resumption */
7076 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7077 NULL))
7078 || !TEST_true(SSL_set_session(clientssl, clntsess))
7079 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7080 SSL_ERROR_NONE)))
d0191fe0
MC		 7081 goto end;
7082
61fb5923
MC		 7083 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7084 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7085 if (!TEST_false(SSL_session_reused(clientssl)))
7086 goto end;
7087 } else {
7088 if (!TEST_true(SSL_session_reused(clientssl)))
7089 goto end;
7090 }
7091
d0191fe0 7092 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7093 (tick_key_renew
7094 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7095 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7096 ? 1 : 0)
d0191fe0
MC		 7097 || !TEST_int_eq(dec_tick_called, 1))
7098 goto end;
7099
7100 testresult = 1;
7101
7102 end:
7103 SSL_SESSION_free(clntsess);
7104 SSL_free(serverssl);
7105 SSL_free(clientssl);
7106 SSL_CTX_free(sctx);
7107 SSL_CTX_free(cctx);
7108
7109 return testresult;
7110}
7111
e638112e
DB		 7112/*
7113 * Test incorrect shutdown.
7114 * Test 0: client does not shutdown properly,
7115 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7116 * server should get SSL_ERROR_SSL
7117 * Test 1: client does not shutdown properly,
7118 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7119 * server should get SSL_ERROR_ZERO_RETURN
7120 */
7121static int test_incorrect_shutdown(int tst)
7122{
7123 SSL_CTX *cctx = NULL, *sctx = NULL;
7124 SSL *clientssl = NULL, *serverssl = NULL;
7125 int testresult = 0;
7126 char buf[80];
7127 BIO *c2s;
7128
7129 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7130 TLS_client_method(), 0, 0,
7131 &sctx, &cctx, cert, privkey)))
7132 goto end;
7133
7134 if (tst == 1)
7135 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7136
7137 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7138 NULL, NULL)))
7139 goto end;
7140
7141 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7142 SSL_ERROR_NONE)))
7143 goto end;
7144
7145 c2s = SSL_get_rbio(serverssl);
7146 BIO_set_mem_eof_return(c2s, 0);
7147
7148 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7149 goto end;
7150
7151 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7152 goto end;
7153 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7154 goto end;
7155
7156 testresult = 1;
7157
7158 end:
7159 SSL_free(serverssl);
7160 SSL_free(clientssl);
7161 SSL_CTX_free(sctx);
7162 SSL_CTX_free(cctx);
7163
7164 return testresult;
7165}
7166
c748834f
MC		 7167/*
7168 * Test bi-directional shutdown.
7169 * Test 0: TLSv1.2
7170 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7171 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7172 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7173 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7174 * sends key update, client reads it
57d7b988
MC		 7175 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7176 * sends CertificateRequest, client reads and ignores it
7177 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7178 * doesn't read it
7179 */
7180static int test_shutdown(int tst)
7181{
7182 SSL_CTX *cctx = NULL, *sctx = NULL;
7183 SSL *clientssl = NULL, *serverssl = NULL;
7184 int testresult = 0;
7185 char msg[] = "A test message";
7186 char buf[80];
7187 size_t written, readbytes;
80eff008 7188 SSL_SESSION *sess;
c748834f
MC		 7189
7190#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7191 if (tst <= 1)
c748834f
MC		 7192 return 1;
7193#endif
a763ca11 7194#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7195 if (tst >= 2)
c748834f
MC		 7196 return 1;
7197#endif
7198
5e30f2fd 7199 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7200 TLS_client_method(),
7201 TLS1_VERSION,
7202 (tst <= 1) ? TLS1_2_VERSION
7203 : TLS1_3_VERSION,
57d7b988
MC		 7204 &sctx, &cctx, cert, privkey)))
7205 goto end;
7206
7207 if (tst == 5)
7208 SSL_CTX_set_post_handshake_auth(cctx, 1);
7209
7210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7211 NULL, NULL)))
7212 goto end;
7213
7214 if (tst == 3) {
7215 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7216 SSL_ERROR_NONE, 1))
80eff008
KR		 7217 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7218 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7219 goto end;
7220 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7221 SSL_ERROR_NONE))
7222 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7223 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7224 goto end;
7225 }
7226
7227 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7228 goto end;
7229
7230 if (tst >= 4) {
7231 /*
7232 * Reading on the server after the client has sent close_notify should
7233 * fail and provide SSL_ERROR_ZERO_RETURN
7234 */
7235 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7236 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7237 SSL_ERROR_ZERO_RETURN)
7238 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7239 SSL_RECEIVED_SHUTDOWN)
7240 /*
7241 * Even though we're shutdown on receive we should still be
7242 * able to write.
7243 */
80eff008
KR		 7244 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7245 goto end;
57d7b988
MC		 7246 if (tst == 4
7247 && !TEST_true(SSL_key_update(serverssl,
7248 SSL_KEY_UPDATE_REQUESTED)))
7249 goto end;
7250 if (tst == 5) {
7251 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7252 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7253 goto end;
7254 }
7255 if ((tst == 4 || tst == 5)
7256 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7257 goto end;
7258 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7259 goto end;
57d7b988 7260 if (tst == 4 || tst == 5) {
80eff008 7261 /* Should still be able to read data from server */
c748834f 7262 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7263 &readbytes))
7264 || !TEST_size_t_eq(readbytes, sizeof(msg))
7265 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7266 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7267 &readbytes))
c748834f
MC		 7268 || !TEST_size_t_eq(readbytes, sizeof(msg))
7269 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7270 goto end;
7271 }
7272 }
7273
7274 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7275 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7276 goto end;
7277
7278 if (tst < 4) {
7279 /*
7280 * For these tests the client has sent close_notify but it has not yet
7281 * been received by the server. The server has not sent close_notify
7282 * yet.
7283 */
7284 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7285 /*
7286 * Writing on the server after sending close_notify shouldn't
7287 * be possible.
7288 */
7289 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7290 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7291 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7292 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7293 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7294 goto end;
57d7b988 7295 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7296 /*
7297 * In this test the client has sent close_notify and it has been
7298 * received by the server which has responded with a close_notify. The
358ffa05 7299 * client needs to read the close_notify sent by the server.
c748834f 7300 */
80eff008
KR		 7301 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7302 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7303 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7304 goto end;
358ffa05
MC		 7305 } else {
7306 /*
57d7b988 7307 * tst == 6
358ffa05
MC		 7308 *
7309 * The client has sent close_notify and is expecting a close_notify
7310 * back, but instead there is application data first. The shutdown
7311 * should fail with a fatal error.
7312 */
7313 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7314 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7315 goto end;
c748834f
MC		 7316 }
7317
7318 testresult = 1;
7319
7320 end:
7321 SSL_free(serverssl);
7322 SSL_free(clientssl);
7323 SSL_CTX_free(sctx);
7324 SSL_CTX_free(cctx);
7325
7326 return testresult;
7327}
7328
a763ca11 7329#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 7330static int cert_cb_cnt;
7331
7332static int cert_cb(SSL *s, void *arg)
7333{
7334 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7335 BIO *in = NULL;
7336 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7337 X509 *x509 = NULL, *rootx = NULL;
7338 STACK_OF(X509) *chain = NULL;
7339 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7340 int ret = 0;
cd6fe29f
MC		 7341
7342 if (cert_cb_cnt == 0) {
7343 /* Suspend the handshake */
7344 cert_cb_cnt++;
7345 return -1;
7346 } else if (cert_cb_cnt == 1) {
7347 /*
7348 * Update the SSL_CTX, set the certificate and private key and then
7349 * continue the handshake normally.
7350 */
7351 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7352 return 0;
7353
7354 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7355 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7356 SSL_FILETYPE_PEM))
7357 || !TEST_true(SSL_check_private_key(s)))
7358 return 0;
7359 cert_cb_cnt++;
7360 return 1;
7cb8fb07
BK		 7361 } else if (cert_cb_cnt == 3) {
7362 int rv;
1a2a3a42
MC		 7363
7364 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7365 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7366 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7367 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7368 goto out;
7369 chain = sk_X509_new_null();
7370 if (!TEST_ptr(chain))
7371 goto out;
7cb8fb07 7372 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7373 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7374 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7375 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7376 || !TEST_true(sk_X509_push(chain, rootx)))
7377 goto out;
7378 rootx = NULL;
7379 BIO_free(in);
7380 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7381 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7382 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7383 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7384 goto out;
7385 BIO_free(in);
7386 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7387 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7388 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7389 NULL, NULL,
7390 libctx, NULL)))
7cb8fb07 7391 goto out;
1a2a3a42 7392 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7393 /*
7394 * If the cert doesn't show as valid here (e.g., because we don't
7395 * have any shared sigalgs), then we will not set it, and there will
7396 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7397 * will cause tls_choose_sigalgs() to fail the connection.
7398 */
1a2a3a42
MC		 7399 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7400 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7401 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7402 goto out;
7403 }
1a2a3a42
MC		 7404
7405 ret = 1;
cd6fe29f
MC		 7406 }
7407
7408 /* Abort the handshake */
7cb8fb07 7409 out:
1a2a3a42
MC		 7410 OPENSSL_free(ecdsacert);
7411 OPENSSL_free(ecdsakey);
7412 OPENSSL_free(rootfile);
7cb8fb07
BK		 7413 BIO_free(in);
7414 EVP_PKEY_free(pkey);
7415 X509_free(x509);
1a2a3a42
MC		 7416 X509_free(rootx);
7417 sk_X509_pop_free(chain, X509_free);
7418 return ret;
cd6fe29f
MC		 7419}
7420
7421/*
7422 * Test the certificate callback.
7423 * Test 0: Callback fails
7424 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7425 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7426 * Test 3: Success - Call SSL_check_chain from the callback
7427 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7428 * chain
7429 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7430 */
7431static int test_cert_cb_int(int prot, int tst)
7432{
7433 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7434 SSL *clientssl = NULL, *serverssl = NULL;
7435 int testresult = 0, ret;
7436
1a2a3a42
MC		 7437#ifdef OPENSSL_NO_EC
7438 /* We use an EC cert in these tests, so we skip in a no-ec build */
7439 if (tst >= 3)
7440 return 1;
7441#endif
7442
5e30f2fd 7443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7444 TLS_client_method(),
7445 TLS1_VERSION,
7446 prot,
7447 &sctx, &cctx, NULL, NULL)))
7448 goto end;
7449
7450 if (tst == 0)
7451 cert_cb_cnt = -1;
1a2a3a42 7452 else if (tst >= 3)
7cb8fb07 7453 cert_cb_cnt = 3;
cd6fe29f
MC		 7454 else
7455 cert_cb_cnt = 0;
1a2a3a42 7456
cd6fe29f
MC		 7457 if (tst == 2)
7458 snictx = SSL_CTX_new(TLS_server_method());
7459 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7460
7461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7462 NULL, NULL)))
7463 goto end;
7464
1a2a3a42
MC		 7465 if (tst == 4) {
7466 /*
7467 * We cause SSL_check_chain() to fail by specifying sig_algs that
7468 * the chain doesn't meet (the root uses an RSA cert)
7469 */
7470 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7471 "ecdsa_secp256r1_sha256")))
7472 goto end;
7473 } else if (tst == 5) {
7474 /*
7475 * We cause SSL_check_chain() to fail by specifying sig_algs that
7476 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7477 */
7478 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7479 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7480 goto end;
7481 }
7482
cd6fe29f 7483 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7484 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7485 || (tst > 0
7486 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7487 goto end;
7488 }
7489
7490 testresult = 1;
7491
7492 end:
7493 SSL_free(serverssl);
7494 SSL_free(clientssl);
7495 SSL_CTX_free(sctx);
7496 SSL_CTX_free(cctx);
7497 SSL_CTX_free(snictx);
7498
7499 return testresult;
7500}
7f1d923a 7501#endif
cd6fe29f
MC		 7502
7503static int test_cert_cb(int tst)
7504{
7505 int testresult = 1;
7506
7507#ifndef OPENSSL_NO_TLS1_2
7508 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7509#endif
a763ca11 7510#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 7511 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7512#endif
7513
7514 return testresult;
7515}
7516
6e46c065
MC		 7517static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7518{
8c2bfd25 7519 X509 *xcert;
6e46c065
MC		 7520 EVP_PKEY *privpkey;
7521 BIO *in = NULL;
6725682d 7522 BIO *priv_in = NULL;
6e46c065 7523
8c2bfd25
TS		 7524 /* Check that SSL_get0_peer_certificate() returns something sensible */
7525 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7526 return 0;
6e46c065
MC		 7527
7528 in = BIO_new_file(cert, "r");
7529 if (!TEST_ptr(in))
7530 return 0;
7531
d8652be0 7532 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7533 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7534 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7535 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7536 NULL, NULL,
7537 libctx, NULL)))
6725682d 7538 goto err;
6e46c065
MC		 7539
7540 *x509 = xcert;
7541 *pkey = privpkey;
7542
6725682d
SL		 7543 BIO_free(in);
7544 BIO_free(priv_in);
6e46c065 7545 return 1;
6725682d
SL		 7546err:
7547 X509_free(xcert);
7548 BIO_free(in);
7549 BIO_free(priv_in);
7550 return 0;
6e46c065
MC		 7551}
7552
7553static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7554{
7555 return 1;
7556}
7557
7558static int test_client_cert_cb(int tst)
7559{
7560 SSL_CTX *cctx = NULL, *sctx = NULL;
7561 SSL *clientssl = NULL, *serverssl = NULL;
7562 int testresult = 0;
7563
7564#ifdef OPENSSL_NO_TLS1_2
7565 if (tst == 0)
7566 return 1;
7567#endif
a763ca11 7568#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 7569 if (tst == 1)
7570 return 1;
7571#endif
7572
5e30f2fd 7573 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7574 TLS_client_method(),
7575 TLS1_VERSION,
7576 tst == 0 ? TLS1_2_VERSION
7577 : TLS1_3_VERSION,
7578 &sctx, &cctx, cert, privkey)))
7579 goto end;
7580
7581 /*
7582 * Test that setting a client_cert_cb results in a client certificate being
7583 * sent.
7584 */
7585 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7586 SSL_CTX_set_verify(sctx,
7587 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7588 verify_cb);
fb8c8359
MC		 7589
7590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7591 NULL, NULL))
7592 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7593 SSL_ERROR_NONE)))
7594 goto end;
7595
7596 testresult = 1;
7597
7598 end:
7599 SSL_free(serverssl);
7600 SSL_free(clientssl);
7601 SSL_CTX_free(sctx);
7602 SSL_CTX_free(cctx);
7603
7604 return testresult;
7605}
7606
a763ca11 7607#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 7608/*
7609 * Test setting certificate authorities on both client and server.
7610 *
7611 * Test 0: SSL_CTX_set0_CA_list() only
7612 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7613 * Test 2: Only SSL_CTX_set_client_CA_list()
7614 */
7615static int test_ca_names_int(int prot, int tst)
7616{
7617 SSL_CTX *cctx = NULL, *sctx = NULL;
7618 SSL *clientssl = NULL, *serverssl = NULL;
7619 int testresult = 0;
7620 size_t i;
7621 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7622 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7623 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7624 const STACK_OF(X509_NAME) *sktmp = NULL;
7625
7626 for (i = 0; i < OSSL_NELEM(name); i++) {
7627 name[i] = X509_NAME_new();
7628 if (!TEST_ptr(name[i])
7629 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7630 MBSTRING_ASC,
7631 (unsigned char *)
7632 strnames[i],
7633 -1, -1, 0)))
7634 goto end;
7635 }
7636
5e30f2fd 7637 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7638 TLS_client_method(),
7639 TLS1_VERSION,
7640 prot,
7641 &sctx, &cctx, cert, privkey)))
7642 goto end;
7643
7644 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7645
7646 if (tst == 0 || tst == 1) {
7647 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7648 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7649 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7650 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7651 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7652 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7653 goto end;
7654
7655 SSL_CTX_set0_CA_list(sctx, sk1);
7656 SSL_CTX_set0_CA_list(cctx, sk2);
7657 sk1 = sk2 = NULL;
7658 }
7659 if (tst == 1 || tst == 2) {
7660 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7661 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7662 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7663 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7664 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7665 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7666 goto end;
7667
7668 SSL_CTX_set_client_CA_list(sctx, sk1);
7669 SSL_CTX_set_client_CA_list(cctx, sk2);
7670 sk1 = sk2 = NULL;
7671 }
7672
6e46c065
MC		 7673 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7674 NULL, NULL))
7675 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7676 SSL_ERROR_NONE)))
7677 goto end;
7678
fb8c8359
MC		 7679 /*
7680 * We only expect certificate authorities to have been sent to the server
7681 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7682 */
7683 sktmp = SSL_get0_peer_CA_list(serverssl);
7684 if (prot == TLS1_3_VERSION
7685 && (tst == 0 || tst == 1)) {
7686 if (!TEST_ptr(sktmp)
7687 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7688 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7689 name[0]), 0)
7690 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7691 name[1]), 0))
7692 goto end;
7693 } else if (!TEST_ptr_null(sktmp)) {
7694 goto end;
7695 }
7696
7697 /*
7698 * In all tests we expect certificate authorities to have been sent to the
7699 * client. However, SSL_set_client_CA_list() should override
7700 * SSL_set0_CA_list()
7701 */
7702 sktmp = SSL_get0_peer_CA_list(clientssl);
7703 if (!TEST_ptr(sktmp)
7704 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7705 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7706 name[tst == 0 ? 0 : 2]), 0)
7707 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7708 name[tst == 0 ? 1 : 3]), 0))
7709 goto end;
7710
6e46c065
MC		 7711 testresult = 1;
7712
7713 end:
7714 SSL_free(serverssl);
7715 SSL_free(clientssl);
7716 SSL_CTX_free(sctx);
7717 SSL_CTX_free(cctx);
fb8c8359
MC		 7718 for (i = 0; i < OSSL_NELEM(name); i++)
7719 X509_NAME_free(name[i]);
7720 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7721 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7722
7723 return testresult;
7724}
7725#endif
7726
7727static int test_ca_names(int tst)
7728{
7729 int testresult = 1;
7730
7731#ifndef OPENSSL_NO_TLS1_2
7732 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7733#endif
a763ca11 7734#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 7735 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7736#endif
6e46c065
MC		 7737
7738 return testresult;
7739}
7740
0d2bfe52
SL		 7741#ifndef OPENSSL_NO_TLS1_2
7742static const char *multiblock_cipherlist_data[]=
7743{
7744 "AES128-SHA",
7745 "AES128-SHA256",
7746 "AES256-SHA",
7747 "AES256-SHA256",
7748};
7749
7750/* Reduce the fragment size - so the multiblock test buffer can be small */
7751# define MULTIBLOCK_FRAGSIZE 512
7752
7753static int test_multiblock_write(int test_index)
7754{
7755 static const char *fetchable_ciphers[]=
7756 {
7757 "AES-128-CBC-HMAC-SHA1",
7758 "AES-128-CBC-HMAC-SHA256",
7759 "AES-256-CBC-HMAC-SHA1",
7760 "AES-256-CBC-HMAC-SHA256"
7761 };
7762 const char *cipherlist = multiblock_cipherlist_data[test_index];
7763 const SSL_METHOD *smeth = TLS_server_method();
7764 const SSL_METHOD *cmeth = TLS_client_method();
7765 int min_version = TLS1_VERSION;
7766 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7767 SSL_CTX *cctx = NULL, *sctx = NULL;
7768 SSL *clientssl = NULL, *serverssl = NULL;
7769 int testresult = 0;
7770
7771 /*
7772 * Choose a buffer large enough to perform a multi-block operation
7773 * i.e: write_len >= 4 * frag_size
7774 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7775 */
7776 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7777 unsigned char buf[sizeof(msg)], *p = buf;
7778 size_t readbytes, written, len;
7779 EVP_CIPHER *ciph = NULL;
7780
7781 /*
7782 * Check if the cipher exists before attempting to use it since it only has
7783 * a hardware specific implementation.
7784 */
7785 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7786 if (ciph == NULL) {
7787 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7788 return 1;
7789 }
7790 EVP_CIPHER_free(ciph);
7791
7792 /* Set up a buffer with some data that will be sent to the client */
7793 RAND_bytes(msg, sizeof(msg));
7794
5e30f2fd
MC		 7795 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7796 max_version, &sctx, &cctx, cert,
7797 privkey)))
0d2bfe52
SL		 7798 goto end;
7799
7800 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7801 goto end;
7802
7803 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7804 NULL, NULL)))
7805 goto end;
7806
7807 /* settings to force it to use AES-CBC-HMAC_SHA */
7808 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7809 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7810 goto end;
7811
7812 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7813 goto end;
7814
7815 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7816 || !TEST_size_t_eq(written, sizeof(msg)))
7817 goto end;
7818
7819 len = written;
7820 while (len > 0) {
7821 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7822 goto end;
7823 p += readbytes;
7824 len -= readbytes;
7825 }
7826 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7827 goto end;
7828
7829 testresult = 1;
7830end:
7831 SSL_free(serverssl);
7832 SSL_free(clientssl);
7833 SSL_CTX_free(sctx);
7834 SSL_CTX_free(cctx);
7835
7836 return testresult;
7837}
7838#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7839
49ef3d07
MC		 7840/*
7841 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7842 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7843 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7844 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7845 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7846 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7847 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7848 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7849 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7850 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7851 */
7852static int test_servername(int tst)
7853{
7854 SSL_CTX *cctx = NULL, *sctx = NULL;
7855 SSL *clientssl = NULL, *serverssl = NULL;
7856 int testresult = 0;
7857 SSL_SESSION *sess = NULL;
7858 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7859
7860#ifdef OPENSSL_NO_TLS1_2
7861 if (tst <= 4)
7862 return 1;
7863#endif
a763ca11 7864#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 7865 if (tst >= 5)
7866 return 1;
7867#endif
7868
5e30f2fd 7869 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7870 TLS_client_method(),
7871 TLS1_VERSION,
7872 (tst <= 4) ? TLS1_2_VERSION
7873 : TLS1_3_VERSION,
7874 &sctx, &cctx, cert, privkey))
7875 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7876 NULL, NULL)))
7877 goto end;
7878
7879 if (tst != 1 && tst != 6) {
7880 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7881 hostname_cb)))
7882 goto end;
7883 }
7884
7885 if (tst != 3 && tst != 8) {
7886 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7887 goto end;
7888 sexpectedhost = cexpectedhost = "goodhost";
7889 }
7890
7891 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7892 goto end;
7893
7894 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7895 cexpectedhost)
7896 || !TEST_str_eq(SSL_get_servername(serverssl,
7897 TLSEXT_NAMETYPE_host_name),
7898 sexpectedhost))
7899 goto end;
7900
7901 /* Now repeat with a resumption handshake */
7902
7903 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7904 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7905 || !TEST_true(SSL_SESSION_is_resumable(sess))
7906 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7907 goto end;
7908
7909 SSL_free(clientssl);
7910 SSL_free(serverssl);
7911 clientssl = serverssl = NULL;
7912
7913 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7914 NULL)))
7915 goto end;
7916
7917 if (!TEST_true(SSL_set_session(clientssl, sess)))
7918 goto end;
7919
7920 sexpectedhost = cexpectedhost = "goodhost";
7921 if (tst == 2 || tst == 7) {
7922 /* Set an inconsistent hostname */
7923 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7924 goto end;
7925 /*
7926 * In TLSv1.2 we expect the hostname from the original handshake, in
7927 * TLSv1.3 we expect the hostname from this handshake
7928 */
7929 if (tst == 7)
7930 sexpectedhost = cexpectedhost = "altgoodhost";
7931
7932 if (!TEST_str_eq(SSL_get_servername(clientssl,
7933 TLSEXT_NAMETYPE_host_name),
7934 "altgoodhost"))
7935 goto end;
7936 } else if (tst == 4 || tst == 9) {
7937 /*
7938 * A TLSv1.3 session does not associate a session with a servername,
7939 * but a TLSv1.2 session does.
7940 */
7941 if (tst == 9)
7942 sexpectedhost = cexpectedhost = NULL;
7943
7944 if (!TEST_str_eq(SSL_get_servername(clientssl,
7945 TLSEXT_NAMETYPE_host_name),
7946 cexpectedhost))
7947 goto end;
7948 } else {
7949 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7950 goto end;
7951 /*
7952 * In a TLSv1.2 resumption where the hostname was not acknowledged
7953 * we expect the hostname on the server to be empty. On the client we
7954 * return what was requested in this case.
7955 *
7956 * Similarly if the client didn't set a hostname on an original TLSv1.2
7957 * session but is now, the server hostname will be empty, but the client
7958 * is as we set it.
7959 */
7960 if (tst == 1 || tst == 3)
7961 sexpectedhost = NULL;
7962
7963 if (!TEST_str_eq(SSL_get_servername(clientssl,
7964 TLSEXT_NAMETYPE_host_name),
7965 "goodhost"))
7966 goto end;
7967 }
7968
7969 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7970 goto end;
7971
7972 if (!TEST_true(SSL_session_reused(clientssl))
7973 || !TEST_true(SSL_session_reused(serverssl))
7974 || !TEST_str_eq(SSL_get_servername(clientssl,
7975 TLSEXT_NAMETYPE_host_name),
7976 cexpectedhost)
7977 || !TEST_str_eq(SSL_get_servername(serverssl,
7978 TLSEXT_NAMETYPE_host_name),
7979 sexpectedhost))
7980 goto end;
7981
7982 testresult = 1;
7983
7984 end:
7985 SSL_SESSION_free(sess);
7986 SSL_free(serverssl);
7987 SSL_free(clientssl);
7988 SSL_CTX_free(sctx);
7989 SSL_CTX_free(cctx);
7990
7991 return testresult;
7992}
7993
b1fdbc68 7994#if !defined(OPENSSL_NO_EC) \
a763ca11 7995 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 7996/*
7997 * Test that if signature algorithms are not available, then we do not offer or
7998 * accept them.
7999 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8000 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8001 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8002 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8003 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8004 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8005 */
8006static int test_sigalgs_available(int idx)
8007{
8008 SSL_CTX *cctx = NULL, *sctx = NULL;
8009 SSL *clientssl = NULL, *serverssl = NULL;
8010 int testresult = 0;
b4250010
DMSP		 8011 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8012 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8013 OSSL_PROVIDER *filterprov = NULL;
8014 int sig, hash;
8015
8016 if (!TEST_ptr(tmpctx))
8017 goto end;
8018
8019 if (idx != 0 && idx != 3) {
8020 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8021 filter_provider_init)))
8022 goto end;
8023
8024 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8025 if (!TEST_ptr(filterprov))
8026 goto end;
8027
8028 if (idx < 3) {
8029 /*
8030 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8031 * or accepted for the peer that uses this libctx. Note that libssl
8032 * *requires* SHA2-256 to be available so we cannot disable that. We
8033 * also need SHA1 for our certificate.
8034 */
8035 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8036 "SHA2-256:SHA1")))
8037 goto end;
8038 } else {
8039 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8040 "ECDSA"))
8041 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8042 "EC:X25519:X448")))
8043 goto end;
8044 }
8045
8046 if (idx == 1 || idx == 4)
8047 clientctx = tmpctx;
8048 else
8049 serverctx = tmpctx;
8050 }
8051
d8652be0
MC		 8052 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8053 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8054 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8055 goto end;
b3842539
MC		 8056
8057 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8058 TLS_client_method(),
8059 TLS1_VERSION,
8060 0,
8061 &sctx, &cctx, cert, privkey)))
8062 goto end;
8063
b1fdbc68
MC		 8064 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8065 if (idx < 4) {
8066 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8067 "ECDHE-RSA-AES128-GCM-SHA256")))
8068 goto end;
8069 } else {
8070 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8071 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8072 goto end;
8073 }
8074
b3842539
MC		 8075 if (idx < 3) {
8076 if (!SSL_CTX_set1_sigalgs_list(cctx,
8077 "rsa_pss_rsae_sha384"
8078 ":rsa_pss_rsae_sha256")
8079 || !SSL_CTX_set1_sigalgs_list(sctx,
8080 "rsa_pss_rsae_sha384"
8081 ":rsa_pss_rsae_sha256"))
8082 goto end;
8083 } else {
8084 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8085 || !SSL_CTX_set1_sigalgs_list(sctx,
8086 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8087 goto end;
8088 }
8089
8090 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8091 SSL_FILETYPE_PEM), 1)
8092 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8093 privkey2,
8094 SSL_FILETYPE_PEM), 1)
8095 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
8096 goto end;
8097
8098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8099 NULL, NULL)))
8100 goto end;
8101
8102 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8103 goto end;
8104
8105 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8106 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8107 NULL, NULL),
8108 (idx == 0 || idx == 3) ? 2 : 1))
8109 goto end;
8110
8111 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8112 goto end;
8113
8114 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8115 : NID_rsassaPss))
8116 goto end;
8117
b0001d0c 8118 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8119
8120 end:
8121 SSL_free(serverssl);
8122 SSL_free(clientssl);
8123 SSL_CTX_free(sctx);
8124 SSL_CTX_free(cctx);
8125 OSSL_PROVIDER_unload(filterprov);
b4250010 8126 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8127
8128 return testresult;
8129}
b1fdbc68
MC		 8130#endif /*
8131 * !defined(OPENSSL_NO_EC) \
a763ca11 8132 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8133 */
b3842539 8134
0c13cdf8 8135#ifndef OPENSSL_NO_TLS1_3
a763ca11 8136/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8137static int test_pluggable_group(int idx)
0c13cdf8
MC		 8138{
8139 SSL_CTX *cctx = NULL, *sctx = NULL;
8140 SSL *clientssl = NULL, *serverssl = NULL;
8141 int testresult = 0;
8142 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8143 /* Check that we are not impacted by a provider without any groups */
8144 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8145 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8146
5ae54dba 8147 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8148 goto end;
8149
5ae54dba
MC		 8150 if (legacyprov == NULL) {
8151 /*
8152 * In this case we assume we've been built with "no-legacy" and skip
8153 * this test (there is no OPENSSL_NO_LEGACY)
8154 */
8155 testresult = 1;
8156 goto end;
8157 }
8158
0c13cdf8
MC		 8159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8160 TLS_client_method(),
8161 TLS1_3_VERSION,
8162 TLS1_3_VERSION,
8163 &sctx, &cctx, cert, privkey))
8164 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8165 NULL, NULL)))
8166 goto end;
8167
c8e3a4c6
NT		 8168 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8169 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8170 goto end;
8171
8172 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8173 goto end;
8174
becbacd7
MB		 8175 if (!TEST_str_eq(group_name,
8176 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8177 goto end;
8178
0c13cdf8
MC		 8179 testresult = 1;
8180
8181 end:
8182 SSL_free(serverssl);
8183 SSL_free(clientssl);
8184 SSL_CTX_free(sctx);
8185 SSL_CTX_free(cctx);
8186 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8187 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8188
8189 return testresult;
8190}
8191#endif
b3842539 8192
49a36a52
MC		 8193#ifndef OPENSSL_NO_TLS1_2
8194static int test_ssl_dup(void)
8195{
8196 SSL_CTX *cctx = NULL, *sctx = NULL;
8197 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8198 int testresult = 0;
8199 BIO *rbio = NULL, *wbio = NULL;
8200
8201 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8202 TLS_client_method(),
8203 0,
8204 0,
8205 &sctx, &cctx, cert, privkey)))
8206 goto end;
8207
8208 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8209 NULL, NULL)))
8210 goto end;
8211
8212 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8213 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8214 goto end;
8215
8216 client2ssl = SSL_dup(clientssl);
8217 rbio = SSL_get_rbio(clientssl);
8218 if (!TEST_ptr(rbio)
8219 || !TEST_true(BIO_up_ref(rbio)))
8220 goto end;
8221 SSL_set0_rbio(client2ssl, rbio);
8222 rbio = NULL;
8223
8224 wbio = SSL_get_wbio(clientssl);
8225 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8226 goto end;
8227 SSL_set0_wbio(client2ssl, wbio);
8228 rbio = NULL;
8229
8230 if (!TEST_ptr(client2ssl)
8231 /* Handshake not started so pointers should be different */
8232 || !TEST_ptr_ne(clientssl, client2ssl))
8233 goto end;
8234
8235 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8236 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8237 goto end;
8238
8239 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8240 goto end;
8241
8242 SSL_free(clientssl);
8243 clientssl = SSL_dup(client2ssl);
8244 if (!TEST_ptr(clientssl)
8245 /* Handshake has finished so pointers should be the same */
8246 || !TEST_ptr_eq(clientssl, client2ssl))
8247 goto end;
8248
8249 testresult = 1;
8250
8251 end:
8252 SSL_free(serverssl);
8253 SSL_free(clientssl);
8254 SSL_free(client2ssl);
8255 SSL_CTX_free(sctx);
8256 SSL_CTX_free(cctx);
8257
8258 return testresult;
8259}
33c39a06
MC		 8260
8261# ifndef OPENSSL_NO_DH
8262
8263static EVP_PKEY *tmp_dh_params = NULL;
8264
8265/* Helper function for the test_set_tmp_dh() tests */
8266static EVP_PKEY *get_tmp_dh_params(void)
8267{
8268 if (tmp_dh_params == NULL) {
8269 BIGNUM *p = NULL;
8270 OSSL_PARAM_BLD *tmpl = NULL;
8271 EVP_PKEY_CTX *pctx = NULL;
8272 OSSL_PARAM *params = NULL;
8273 EVP_PKEY *dhpkey = NULL;
8274
8275 p = BN_get_rfc3526_prime_2048(NULL);
8276 if (!TEST_ptr(p))
8277 goto end;
8278
8279 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8280 if (!TEST_ptr(pctx)
2db985b7 8281 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
33c39a06
MC		 8282 goto end;
8283
8284 tmpl = OSSL_PARAM_BLD_new();
8285 if (!TEST_ptr(tmpl)
8286 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8287 OSSL_PKEY_PARAM_FFC_P,
8288 p))
8289 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8290 OSSL_PKEY_PARAM_FFC_G,
8291 2)))
8292 goto end;
8293
8294 params = OSSL_PARAM_BLD_to_param(tmpl);
8295 if (!TEST_ptr(params)
2db985b7
SL		 8296 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8297 EVP_PKEY_KEY_PARAMETERS, params)))
33c39a06
MC		 8298 goto end;
8299
8300 tmp_dh_params = dhpkey;
8301 end:
8302 BN_free(p);
8303 EVP_PKEY_CTX_free(pctx);
8304 OSSL_PARAM_BLD_free(tmpl);
8305 OSSL_PARAM_BLD_free_params(params);
8306 }
8307
f1619160 8308 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 8309 return NULL;
8310
8311 return tmp_dh_params;
8312}
8313
39f3427d 8314# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 8315/* Callback used by test_set_tmp_dh() */
8316static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8317{
8318 EVP_PKEY *dhpkey = get_tmp_dh_params();
8319 DH *ret = NULL;
8320
8321 if (!TEST_ptr(dhpkey))
8322 return NULL;
8323
7bc0fdd3
MC		 8324 /*
8325 * libssl does not free the returned DH, so we free it now knowing that even
8326 * after we free dhpkey, there will still be a reference to the owning
8327 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
8328 * of time we need it for.
8329 */
8330 ret = EVP_PKEY_get1_DH(dhpkey);
8331 DH_free(ret);
33c39a06
MC		 8332
8333 EVP_PKEY_free(dhpkey);
8334
8335 return ret;
8336}
8337# endif
8338
8339/*
8340 * Test the various methods for setting temporary DH parameters
8341 *
8342 * Test 0: Default (no auto) setting
8343 * Test 1: Explicit SSL_CTX auto off
8344 * Test 2: Explicit SSL auto off
8345 * Test 3: Explicit SSL_CTX auto on
8346 * Test 4: Explicit SSL auto on
8347 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8348 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8349 *
8350 * The following are testing deprecated APIs, so we only run them if available
8351 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8352 * Test 8: Explicit SSL auto off, custom DH params via DH
8353 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8354 * Test 10: Explicit SSL auto off, custom DH params via callback
8355 */
8356static int test_set_tmp_dh(int idx)
8357{
8358 SSL_CTX *cctx = NULL, *sctx = NULL;
8359 SSL *clientssl = NULL, *serverssl = NULL;
8360 int testresult = 0;
8361 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8362 int expected = (idx <= 2) ? 0 : 1;
8363 EVP_PKEY *dhpkey = NULL;
8364# ifndef OPENSSL_NO_DEPRECATED_3_0
8365 DH *dh = NULL;
8366# else
8367
8368 if (idx >= 7)
8369 return 1;
8370# endif
8371
8372 if (idx >= 5 && idx <= 8) {
8373 dhpkey = get_tmp_dh_params();
8374 if (!TEST_ptr(dhpkey))
8375 goto end;
8376 }
8377# ifndef OPENSSL_NO_DEPRECATED_3_0
8378 if (idx == 7 || idx == 8) {
7bc0fdd3 8379 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 8380 if (!TEST_ptr(dh))
8381 goto end;
8382 }
8383# endif
8384
8385 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8386 TLS_client_method(),
8387 0,
8388 0,
8389 &sctx, &cctx, cert, privkey)))
8390 goto end;
8391
8392 if ((idx & 1) == 1) {
8393 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8394 goto end;
8395 }
8396
8397 if (idx == 5) {
8398 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8399 goto end;
8400 dhpkey = NULL;
8401 }
8402# ifndef OPENSSL_NO_DEPRECATED_3_0
8403 else if (idx == 7) {
8404 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8405 goto end;
8406 } else if (idx == 9) {
8407 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8408 }
8409# endif
8410
8411 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8412 NULL, NULL)))
8413 goto end;
8414
8415 if ((idx & 1) == 0 && idx != 0) {
8416 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8417 goto end;
8418 }
8419 if (idx == 6) {
8420 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8421 goto end;
8422 dhpkey = NULL;
8423 }
8424# ifndef OPENSSL_NO_DEPRECATED_3_0
8425 else if (idx == 8) {
8426 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8427 goto end;
8428 } else if (idx == 10) {
8429 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8430 }
8431# endif
8432
8433 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8434 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8435 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8436 goto end;
8437
8438 /*
8439 * If autoon then we should succeed. Otherwise we expect failure because
8440 * there are no parameters
8441 */
8442 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8443 SSL_ERROR_NONE), expected))
8444 goto end;
8445
8446 testresult = 1;
8447
8448 end:
7bc0fdd3
MC		 8449# ifndef OPENSSL_NO_DEPRECATED_3_0
8450 DH_free(dh);
8451# endif
33c39a06
MC		 8452 SSL_free(serverssl);
8453 SSL_free(clientssl);
8454 SSL_CTX_free(sctx);
8455 SSL_CTX_free(cctx);
8456 EVP_PKEY_free(dhpkey);
8457
8458 return testresult;
8459}
3105d846
MC		 8460
8461/*
8462 * Test the auto DH keys are appropriately sized
8463 */
8464static int test_dh_auto(int idx)
8465{
8466 SSL_CTX *cctx = NULL, *sctx = NULL;
8467 SSL *clientssl = NULL, *serverssl = NULL;
8468 int testresult = 0;
8469 EVP_PKEY *tmpkey = NULL;
8470 char *thiscert = NULL, *thiskey = NULL;
8471 size_t expdhsize = 0;
8472 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8473
8474 switch (idx) {
8475 case 0:
8476 /* The FIPS provider doesn't support this DH size - so we ignore it */
8477 if (is_fips)
8478 return 1;
8479 thiscert = cert1024;
8480 thiskey = privkey1024;
8481 expdhsize = 1024;
8482 break;
8483 case 1:
8484 /* 2048 bit prime */
8485 thiscert = cert;
8486 thiskey = privkey;
8487 expdhsize = 2048;
8488 break;
8489 case 2:
8490 thiscert = cert3072;
8491 thiskey = privkey3072;
8492 expdhsize = 3072;
8493 break;
8494 case 3:
8495 thiscert = cert4096;
8496 thiskey = privkey4096;
8497 expdhsize = 4096;
8498 break;
8499 case 4:
8500 thiscert = cert8192;
8501 thiskey = privkey8192;
8502 expdhsize = 8192;
8503 break;
8504 /* No certificate cases */
8505 case 5:
8506 /* The FIPS provider doesn't support this DH size - so we ignore it */
8507 if (is_fips)
8508 return 1;
8509 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8510 expdhsize = 1024;
8511 break;
8512 case 6:
8513 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8514 expdhsize = 3072;
8515 break;
8516 default:
8517 TEST_error("Invalid text index");
8518 goto end;
8519 }
8520
8521 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8522 TLS_client_method(),
8523 0,
8524 0,
8525 &sctx, &cctx, thiscert, thiskey)))
8526 goto end;
8527
8528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8529 NULL, NULL)))
8530 goto end;
8531
8532 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8533 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8534 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8535 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8536 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8537 goto end;
8538
8539 /*
8540 * Send the server's first flight. At this point the server has created the
8541 * temporary DH key but hasn't finished using it yet. Once used it is
8542 * removed, so we cannot test it.
8543 */
8544 if (!TEST_int_le(SSL_connect(clientssl), 0)
8545 || !TEST_int_le(SSL_accept(serverssl), 0))
8546 goto end;
8547
8548 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8549 goto end;
8550 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8551 goto end;
8552
8553 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8554 goto end;
8555
8556 testresult = 1;
8557
8558 end:
8559 SSL_free(serverssl);
8560 SSL_free(clientssl);
8561 SSL_CTX_free(sctx);
8562 SSL_CTX_free(cctx);
8563 EVP_PKEY_free(tmpkey);
8564
8565 return testresult;
8566
8567}
33c39a06
MC		 8568# endif /* OPENSSL_NO_DH */
8569#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 8570
a763ca11 8571#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 8572/*
8573 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
8574 * that it works even without a certificate configured for the original
8575 * SSL_CTX
8576 */
8577static int test_sni_tls13(void)
8578{
8579 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
8580 SSL *clientssl = NULL, *serverssl = NULL;
8581 int testresult = 0;
8582
8583 /* Reset callback counter */
8584 snicb = 0;
8585
8586 /* Create an initial SSL_CTX with no certificate configured */
8587 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8588 if (!TEST_ptr(sctx))
8589 goto end;
8590 /* Require TLSv1.3 as a minimum */
8591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8592 TLS_client_method(), TLS1_3_VERSION, 0,
8593 &sctx2, &cctx, cert, privkey)))
8594 goto end;
8595
8596 /* Set up SNI */
8597 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
8598 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
8599 goto end;
8600
8601 /*
8602 * Connection should still succeed because the final SSL_CTX has the right
8603 * certificates configured.
8604 */
8605 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
8606 &clientssl, NULL, NULL))
8607 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8608 SSL_ERROR_NONE)))
8609 goto end;
8610
8611 /* We should have had the SNI callback called exactly once */
8612 if (!TEST_int_eq(snicb, 1))
8613 goto end;
8614
8615 testresult = 1;
8616
8617end:
8618 SSL_free(serverssl);
8619 SSL_free(clientssl);
8620 SSL_CTX_free(sctx2);
8621 SSL_CTX_free(sctx);
8622 SSL_CTX_free(cctx);
8623 return testresult;
8624}
8625#endif
8626
dfccfde0
CH		 8627static int test_inherit_verify_param(void)
8628{
8629 int testresult = 0;
8630
8631 SSL_CTX *ctx = NULL;
8632 X509_VERIFY_PARAM *cp = NULL;
8633 SSL *ssl = NULL;
8634 X509_VERIFY_PARAM *sp = NULL;
8635 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
8636
8637 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
8638 if (!TEST_ptr(ctx))
8639 goto end;
8640
8641 cp = SSL_CTX_get0_param(ctx);
8642 if (!TEST_ptr(cp))
8643 goto end;
8644 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
8645 goto end;
8646
8647 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
8648
8649 ssl = SSL_new(ctx);
8650 if (!TEST_ptr(ssl))
8651 goto end;
8652
8653 sp = SSL_get0_param(ssl);
8654 if (!TEST_ptr(sp))
8655 goto end;
8656 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
8657 goto end;
8658
8659 testresult = 1;
8660
8661 end:
8662 SSL_free(ssl);
8663 SSL_CTX_free(ctx);
8664
8665 return testresult;
8666}
8667
5e30f2fd 8668OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8669
ad887416 8670int setup_tests(void)
2cb4b5f6 8671{
5e30f2fd
MC		 8672 char *modulename;
8673 char *configfile;
8674
b4250010 8675 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 8676 if (!TEST_ptr(libctx))
8677 return 0;
8678
8679 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8680
8681 /*
8682 * Verify that the default and fips providers in the default libctx are not
8683 * available
8684 */
8685 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8686 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8687 return 0;
8688
8d242823
MC		 8689 if (!test_skip_common_options()) {
8690 TEST_error("Error parsing test options\n");
8691 return 0;
8692 }
8693
1a2a3a42
MC		 8694 if (!TEST_ptr(certsdir = test_get_argument(0))
8695 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8696 || !TEST_ptr(tmpfilename = test_get_argument(2))
8697 || !TEST_ptr(modulename = test_get_argument(3))
8698 || !TEST_ptr(configfile = test_get_argument(4)))
8699 return 0;
8700
b4250010 8701 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 8702 return 0;
8703
8704 /* Check we have the expected provider available */
8705 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8706 return 0;
8707
8708 /* Check the default provider is not available */
8709 if (strcmp(modulename, "default") != 0
8710 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8711 return 0;
2cb4b5f6 8712
4f6c7044
MC		 8713 if (strcmp(modulename, "fips") == 0)
8714 is_fips = 1;
8715
0c13cdf8
MC		 8716 /*
8717 * We add, but don't load the test "tls-provider". We'll load it when we
8718 * need it.
8719 */
8720 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8721 tls_provider_init)))
8722 return 0;
8723
8724
f297e4ec
RS		 8725 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8726#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8727 TEST_error("not supported in this build");
8728 return 0;
8729#else
8730 int i, mcount, rcount, fcount;
8731
8732 for (i = 0; i < 4; i++)
8733 test_export_key_mat(i);
8734 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8735 test_printf_stdout("malloc %d realloc %d free %d\n",
8736 mcount, rcount, fcount);
8737 return 1;
8738#endif
8739 }
8740
1a2a3a42
MC		 8741 cert = test_mk_file_path(certsdir, "servercert.pem");
8742 if (cert == NULL)
b3842539 8743 goto err;
1a2a3a42
MC		 8744
8745 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8746 if (privkey == NULL)
8747 goto err;
8748
8749 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8750 if (cert2 == NULL)
8751 goto err;
8752
8753 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8754 if (privkey2 == NULL)
8755 goto err;
1a2a3a42 8756
3105d846
MC		 8757 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8758 if (cert1024 == NULL)
8759 goto err;
8760
8761 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8762 if (privkey1024 == NULL)
8763 goto err;
8764
8765 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8766 if (cert3072 == NULL)
8767 goto err;
8768
8769 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8770 if (privkey3072 == NULL)
8771 goto err;
8772
8773 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8774 if (cert4096 == NULL)
8775 goto err;
8776
8777 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8778 if (privkey4096 == NULL)
8779 goto err;
8780
8781 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8782 if (cert8192 == NULL)
8783 goto err;
8784
8785 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8786 if (privkey8192 == NULL)
8787 goto err;
8788
da4db160 8789#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 8790# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
da4db160
VF		 8791 ADD_ALL_TESTS(test_ktls, 32);
8792 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
c8e3a4c6 8793# endif
fe5d9450 8794#endif
84d5549e 8795 ADD_TEST(test_large_message_tls);
7856332e 8796 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8797#ifndef OPENSSL_NO_DTLS
84d5549e 8798 ADD_TEST(test_large_message_dtls);
55386bef 8799#endif
163b8016 8800 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 8801#ifndef OPENSSL_NO_OCSP
c887104f 8802 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8803#endif
eaa776da
MC		 8804 ADD_TEST(test_session_with_only_int_cache);
8805 ADD_TEST(test_session_with_only_ext_cache);
8806 ADD_TEST(test_session_with_both_cache);
90fc2c26 8807 ADD_TEST(test_session_wo_ca_names);
a763ca11 8808#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 8809 ADD_ALL_TESTS(test_stateful_tickets, 3);
8810 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8811 ADD_TEST(test_psk_tickets);
f0049b86 8812 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8813#endif
7fb4c820 8814 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8815 ADD_TEST(test_ssl_bio_pop_next_bio);
8816 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8817 ADD_TEST(test_ssl_bio_change_rbio);
8818 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 8819#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 8820 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8821 ADD_TEST(test_keylog);
c423ecaa 8822#endif
a763ca11 8823#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 8824 ADD_TEST(test_keylog_no_master_key);
8825#endif
0c3eb279 8826 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 8827 ADD_TEST(test_ssl_build_cert_chain);
8828 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 8829#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8830 ADD_TEST(test_client_hello_cb);
088dfa13 8831 ADD_TEST(test_no_ems);
3cd14e5e 8832 ADD_TEST(test_ccs_change_cipher);
5f982038 8833#endif
a763ca11 8834#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 8835 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8836 /*
8837 * We don't do replay tests for external PSK. Replay protection isn't used
8838 * in that scenario.
8839 */
8840 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8841 ADD_ALL_TESTS(test_early_data_skip, 3);
8842 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8843 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8844 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8845 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8846 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8847 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8848 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8849# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8850 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8851# endif
e9ee6536 8852#endif
a763ca11 8853#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 8854 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8855 ADD_TEST(test_ciphersuite_change);
5bf2eade 8856 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8857# ifdef OPENSSL_NO_PSK
c2b290c3 8858 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8859# else
0d8da779 8860 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8861# endif /* OPENSSL_NO_PSK */
8862# ifndef OPENSSL_NO_TLS1_2
8863 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8864 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8865# else
8866 /* Test with only TLSv1.3 versions */
8867 ADD_ALL_TESTS(test_key_exchange, 12);
8868# endif
bb01ef3f 8869 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8870 ADD_TEST(test_stateless);
9d75dce3 8871 ADD_TEST(test_pha_key_update);
a273157a 8872#else
bb01ef3f 8873 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8874#endif
16afd71c 8875 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8876 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 8877#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 8878 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8879 ADD_TEST(test_key_update);
a77b4dba 8880 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8881#endif
e11b6aa4 8882 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8883 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8884#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8885 ADD_ALL_TESTS(test_srp, 6);
8886#endif
5718fe45 8887 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8888 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8889 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8890 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8891 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8892 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8893 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8894 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8895 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8896#ifndef OPENSSL_NO_TLS1_2
8897 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8898#endif
49ef3d07 8899 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 8900#if !defined(OPENSSL_NO_EC) \
a763ca11 8901 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 8902 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8903#endif
8904#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 8905 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 8906#endif
8907#ifndef OPENSSL_NO_TLS1_2
8908 ADD_TEST(test_ssl_dup);
33c39a06
MC		 8909# ifndef OPENSSL_NO_DH
8910 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 8911 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 8912# endif
6582661f 8913#endif
a763ca11 8914#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 8915 ADD_TEST(test_sni_tls13);
b3842539 8916#endif
dfccfde0 8917 ADD_TEST(test_inherit_verify_param);
ad887416 8918 return 1;
b3842539
MC		 8919
8920 err:
8921 OPENSSL_free(cert);
8922 OPENSSL_free(privkey);
8923 OPENSSL_free(cert2);
8924 OPENSSL_free(privkey2);
8925 return 0;
ad887416 8926}
2cb4b5f6 8927
ad887416
P		 8928void cleanup_tests(void)
8929{
8778f0eb 8930# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 8931 EVP_PKEY_free(tmp_dh_params);
8932#endif
1a2a3a42
MC		 8933 OPENSSL_free(cert);
8934 OPENSSL_free(privkey);
b3842539
MC		 8935 OPENSSL_free(cert2);
8936 OPENSSL_free(privkey2);
3105d846
MC		 8937 OPENSSL_free(cert1024);
8938 OPENSSL_free(privkey1024);
8939 OPENSSL_free(cert3072);
8940 OPENSSL_free(privkey3072);
8941 OPENSSL_free(cert4096);
8942 OPENSSL_free(privkey4096);
8943 OPENSSL_free(cert8192);
8944 OPENSSL_free(privkey8192);
fa454945 8945 bio_s_mempacket_test_free();
a77b4dba 8946 bio_s_always_retry_free();
5e30f2fd 8947 OSSL_PROVIDER_unload(defctxnull);
b4250010 8948 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 8949}
A mirror of the official openssl repository