]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Auto retry if we ditch records during shutdown
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 26
27static char *cert = NULL;
28static char *privkey = NULL;
76fd7a1d
MC		 29static char *srpvfile = NULL;
30static char *tmpfilename = NULL;
2cb4b5f6 31
cffe973c 32#define LOG_BUFFER_SIZE 2048
6acdd3e5 33static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 34static size_t server_log_buffer_index = 0;
6acdd3e5 35static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 36static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 37static int error_writing_log = 0;
38
8f8c11d8 39#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 40static const unsigned char orespder[] = "Dummy OCSP Response";
41static int ocsp_server_called = 0;
42static int ocsp_client_called = 0;
43
44static int cdummyarg = 1;
45static X509 *ocspcert = NULL;
8f8c11d8 46#endif
ba881d3b 47
84d5549e 48#define NUM_EXTRA_CERTS 40
cf72c757 49#define CLIENT_VERSION_LEN 2
84d5549e 50
f1a5939f
CB		 51/*
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
54 */
55struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
cffe973c 58 unsigned int client_early_secret_count;
f1a5939f
CB		 59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
01a2a654 63 unsigned int early_exporter_secret_count;
6329ce8f 64 unsigned int exporter_secret_count;
f1a5939f
CB		 65};
66
16afd71c
MC		 67
68static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
74static unsigned char serverinfov2[] = {
75 0x00, 0x00, 0x00,
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
80};
81
710756a9
RS		 82static void client_keylog_callback(const SSL *ssl, const char *line)
83{
6acdd3e5
CB		 84 int line_length = strlen(line);
85
86 /* If the log doesn't fit, error out. */
710756a9
RS		 87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
6acdd3e5
CB		 89 error_writing_log = 1;
90 return;
91 }
92
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
710756a9 95 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 96}
97
710756a9
RS		 98static void server_keylog_callback(const SSL *ssl, const char *line)
99{
6acdd3e5
CB		 100 int line_length = strlen(line);
101
102 /* If the log doesn't fit, error out. */
710756a9 103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 104 TEST_info("Server log too full");
6acdd3e5
CB		 105 error_writing_log = 1;
106 return;
107 }
108
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
710756a9 111 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 112}
113
114static int compare_hex_encoded_buffer(const char *hex_encoded,
115 size_t hex_length,
116 const uint8_t *raw,
710756a9
RS		 117 size_t raw_length)
118{
119 size_t i, j;
120 char hexed[3];
6acdd3e5 121
710756a9 122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 123 return 1;
6acdd3e5 124
710756a9 125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 126 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 129 return 1;
6acdd3e5
CB		 130 }
131
132 return 0;
133}
134
135static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 136 const SSL_SESSION *session,
710756a9
RS		 137 struct sslapitest_log_counts *expected)
138{
6acdd3e5
CB		 139 char *token = NULL;
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
cffe973c 146 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
01a2a654 151 unsigned int early_exporter_secret_count = 0;
6329ce8f 152 unsigned int exporter_secret_count = 0;
6acdd3e5 153
710756a9
RS		 154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
6acdd3e5 156 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 157 /*
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 159 * hex-encoded encrypted secret, then the hex-encoded pre-master
160 * secret.
161 */
710756a9 162 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 163 return 0;
710756a9 164 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 165 return 0;
710756a9 166 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 167 return 0;
f1a5939f
CB		 168 /*
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
172 */
173 rsa_key_exchange_count++;
6acdd3e5 174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 175 /*
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 177 * client random, then the hex-encoded master secret.
178 */
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
181 SSL3_RANDOM_SIZE);
710756a9 182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 183 return 0;
6acdd3e5 184
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
710756a9 187 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
f1a5939f 192 return 0;
6acdd3e5 193
710756a9 194 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 195 return 0;
6acdd3e5
CB		 196 master_key_size = SSL_SESSION_get_master_key(session,
197 actual_master_key,
198 master_key_size);
710756a9 199 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 200 return 0;
710756a9
RS		 201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
202 actual_master_key,
203 master_key_size)))
f1a5939f 204 return 0;
f1a5939f 205 master_secret_count++;
cffe973c
PW		 206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 212 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 213 /*
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
218 */
cffe973c
PW		 219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
01a2a654
PW		 229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
6329ce8f
PW		 231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
f1a5939f
CB		 233
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
236 SSL3_RANDOM_SIZE);
710756a9 237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 238 return 0;
f1a5939f 239
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 243 return 0;
710756a9
RS		 244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
f1a5939f
CB		 251
252 /*
253 * TODO(TLS1.3): test that application traffic secrets are what
254 * we expect */
6acdd3e5 255 } else {
710756a9 256 TEST_info("Unexpected token %s\n", token);
f1a5939f 257 return 0;
6acdd3e5 258 }
6acdd3e5
CB		 259 }
260
710756a9
RS		 261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
cffe973c
PW		 266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
710756a9
RS		 268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 275 expected->server_application_secret_count)
01a2a654
PW		 276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
6329ce8f
PW		 278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
710756a9
RS		 280 return 0;
281 return 1;
6acdd3e5
CB		 282}
283
c423ecaa 284#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 285static int test_keylog(void)
286{
6acdd3e5
CB		 287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
289 int testresult = 0;
f1a5939f 290 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 291
292 /* Clean up logging space */
710756a9
RS		 293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
298
710756a9
RS		 299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS_client_method(),
7d7f6834 301 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 302 &sctx, &cctx, cert, privkey)))
6acdd3e5 303 return 0;
6acdd3e5
CB		 304
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308
f0deb4d3 309 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 311 goto end;
f0deb4d3 312
cf10df81
RS		 313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 315 goto end;
6acdd3e5 316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
6acdd3e5 319 goto end;
710756a9 320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
6acdd3e5 323 goto end;
6acdd3e5 324
710756a9
RS		 325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 SSL_ERROR_NONE))
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 333 goto end;
6acdd3e5 334
f1a5939f
CB		 335 /*
336 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 337 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
6acdd3e5 340 */
f1a5939f
CB		 341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
710756a9
RS		 343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
6acdd3e5 345 goto end;
f1a5939f
CB		 346
347 expected.rsa_key_exchange_count = 0;
710756a9
RS		 348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
6acdd3e5 350 goto end;
6acdd3e5
CB		 351
352 testresult = 1;
353
354end:
355 SSL_free(serverssl);
356 SSL_free(clientssl);
357 SSL_CTX_free(sctx);
358 SSL_CTX_free(cctx);
359
360 return testresult;
361}
c423ecaa 362#endif
6acdd3e5
CB		 363
364#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 365static int test_keylog_no_master_key(void)
366{
6acdd3e5
CB		 367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 369 SSL_SESSION *sess = NULL;
6acdd3e5 370 int testresult = 0;
f1a5939f 371 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 372 unsigned char buf[1];
373 size_t readbytes, written;
6acdd3e5
CB		 374
375 /* Clean up logging space */
710756a9
RS		 376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
381
7d7f6834
RL		 382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 386 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 387 return 0;
6acdd3e5 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5
CB		 392
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
6acdd3e5 397
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 414 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
6329ce8f 420 expected.exporter_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
425 &expected)))
6acdd3e5 426 goto end;
6acdd3e5 427
cffe973c
PW		 428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 serverssl = clientssl = NULL;
435
436 /* Reset key log */
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 &readbytes),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 SSL_ERROR_NONE))
454 || !TEST_true(SSL_session_reused(clientssl)))
455 goto end;
456
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
01a2a654 459 expected.early_exporter_secret_count = 1;
cffe973c
PW		 460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
464 &expected)))
465 goto end;
466
6acdd3e5
CB		 467 testresult = 1;
468
469end:
cffe973c 470 SSL_SESSION_free(sess);
6acdd3e5
CB		 471 SSL_free(serverssl);
472 SSL_free(clientssl);
473 SSL_CTX_free(sctx);
474 SSL_CTX_free(cctx);
475
476 return testresult;
477}
478#endif
479
e9ee6536 480#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 481static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 482{
483 int *ctr = arg;
484 const unsigned char *p;
8ea404fb 485 int *exts;
2afaee51
BK		 486 /* We only configure two ciphers, but the SCSV is added automatically. */
487#ifdef OPENSSL_NO_EC
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489#else
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
491 0x2c, 0x00, 0xff};
492#endif
8ea404fb
BK		 493 const int expected_extensions[] = {
494#ifndef OPENSSL_NO_EC
495 11, 10,
496#endif
10ed1b72 497 35, 22, 23, 13};
2afaee51
BK		 498 size_t len;
499
500 /* Make sure we can defer processing and get called back. */
501 if ((*ctr)++ == 0)
f1b97da1 502 return SSL_CLIENT_HELLO_RETRY;
2afaee51 503
a9c0d8be 504 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 506 || !TEST_size_t_eq(
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 508 || !TEST_int_eq(*p, 0))
f1b97da1 509 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 511 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 514 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 515 OPENSSL_free(exts);
f1b97da1 516 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 517 }
518 OPENSSL_free(exts);
f1b97da1 519 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 520}
521
a9c0d8be 522static int test_client_hello_cb(void)
710756a9 523{
2afaee51
BK		 524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
527
7d7f6834
RL		 528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
2afaee51 531 goto end;
a9c0d8be 532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 533
2afaee51
BK		 534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 536
710756a9
RS		 537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 543 /*
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
546 * */
a9c0d8be
DB		 547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
550 SSL_ERROR_NONE)))
2afaee51 551 goto end;
2afaee51
BK		 552
553 testresult = 1;
554
555end:
556 SSL_free(serverssl);
557 SSL_free(clientssl);
558 SSL_CTX_free(sctx);
559 SSL_CTX_free(cctx);
560
561 return testresult;
562}
e9ee6536 563#endif
2afaee51 564
84d5549e 565static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
568 int read_ahead)
84d5549e
MC		 569{
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
572 int testresult = 0;
573 int i;
710756a9 574 BIO *certbio = NULL;
84d5549e
MC		 575 X509 *chaincert = NULL;
576 int certlen;
577
710756a9 578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 579 goto end;
84d5549e 580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 581 BIO_free(certbio);
582 certbio = NULL;
710756a9 583 if (!TEST_ptr(chaincert))
fa454945 584 goto end;
84d5549e 585
7d7f6834
RL		 586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
84d5549e 588 goto end;
84d5549e 589
710756a9 590 if (read_ahead) {
7856332e
MC		 591 /*
592 * Test that read_ahead works correctly when dealing with large
593 * records
594 */
595 SSL_CTX_set_read_ahead(cctx, 1);
596 }
597
84d5549e
MC		 598 /*
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
84d5549e
MC		 604 */
605 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 609 if (!X509_up_ref(chaincert))
84d5549e 610 goto end;
84d5549e 611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 612 X509_free(chaincert);
613 goto end;
614 }
615 }
616
710756a9
RS		 617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 NULL, NULL))
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
84d5549e 621 goto end;
84d5549e 622
4bf08600
MC		 623 /*
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
626 */
710756a9 627 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 628 goto end;
84d5549e 629
4bf08600 630 testresult = 1;
84d5549e
MC		 631 end:
632 X509_free(chaincert);
633 SSL_free(serverssl);
634 SSL_free(clientssl);
635 SSL_CTX_free(sctx);
636 SSL_CTX_free(cctx);
637
638 return testresult;
639}
640
641static int test_large_message_tls(void)
642{
7856332e 643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 644 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 645 0);
646}
647
648static int test_large_message_tls_read_ahead(void)
649{
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 651 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 652 1);
84d5549e
MC		 653}
654
55386bef 655#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 656static int test_large_message_dtls(void)
657{
7856332e
MC		 658 /*
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
660 * read_ahead is set.
661 */
84d5549e 662 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
665 0);
84d5549e 666}
55386bef 667#endif
84d5549e 668
8f8c11d8 669#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 670static int ocsp_server_cb(SSL *s, void *arg)
671{
672 int *argi = (int *)arg;
710756a9 673 unsigned char *copy = NULL;
ba881d3b
MC		 674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
676
677 if (*argi == 2) {
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
688 }
689
710756a9 690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 691 return SSL_TLSEXT_ERR_ALERT_FATAL;
692
710756a9 693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 694 ocsp_server_called = 1;
ba881d3b
MC		 695 return SSL_TLSEXT_ERR_OK;
696}
697
698static int ocsp_client_cb(SSL *s, void *arg)
699{
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
702 size_t len;
703
704 if (*argi != 1 && *argi != 2)
705 return 0;
706
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 708 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 709 return 0;
710
711 ocsp_client_called = 1;
ba881d3b
MC		 712 return 1;
713}
714
2cb4b5f6
MC		 715static int test_tlsext_status_type(void)
716{
ba881d3b
MC		 717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 719 int testresult = 0;
ba881d3b
MC		 720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
722 BIO *certbio = NULL;
2cb4b5f6 723
7d7f6834
RL		 724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
ba881d3b 727 return 0;
2cb4b5f6 728
710756a9 729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 730 goto end;
2cb4b5f6 731
ba881d3b 732 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 733
ba881d3b 734 clientssl = SSL_new(cctx);
710756a9
RS		 735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 740 goto end;
2cb4b5f6 741
ba881d3b
MC		 742 SSL_free(clientssl);
743 clientssl = NULL;
2cb4b5f6 744
710756a9
RS		 745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 747 goto end;
2cb4b5f6 748
ba881d3b 749 clientssl = SSL_new(cctx);
710756a9 750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 751 goto end;
ba881d3b
MC		 752 SSL_free(clientssl);
753 clientssl = NULL;
754
755 /*
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
758 */
ba881d3b
MC		 759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_NONE))
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
ba881d3b 769 goto end;
ba881d3b
MC		 770 SSL_free(serverssl);
771 SSL_free(clientssl);
772 serverssl = NULL;
773 clientssl = NULL;
774
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
778 cdummyarg = 0;
710756a9
RS		 779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE))
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
ba881d3b 786 goto end;
ba881d3b
MC		 787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 serverssl = NULL;
790 clientssl = NULL;
791
792 /*
793 * This time we'll get the client to send an OCSP_RESPID that it will
794 * accept.
795 */
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
798 cdummyarg = 2;
710756a9
RS		 799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
ba881d3b 801 goto end;
ba881d3b
MC		 802
803 /*
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 805 * specific one. We'll use the server cert.
ba881d3b 806 */
710756a9
RS		 807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 NULL, NULL, NULL))
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 814 goto end;
ba881d3b
MC		 815 id = NULL;
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
818 ids = NULL;
819
820 BIO_free(certbio);
821 certbio = NULL;
822
710756a9
RS		 823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE))
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
ba881d3b 827 goto end;
ba881d3b 828
2cb4b5f6
MC		 829 testresult = 1;
830
831 end:
ba881d3b
MC		 832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
838 BIO_free(certbio);
839 X509_free(ocspcert);
840 ocspcert = NULL;
2cb4b5f6
MC		 841
842 return testresult;
843}
8f8c11d8 844#endif
2cb4b5f6 845
bf208d95 846#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 847static int new_called, remove_called, get_called;
eaa776da 848
eaa776da
MC		 849static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
850{
851 new_called++;
c0537ebd
MC		 852 /*
853 * sess has been up-refed for us, but we don't actually need it so free it
854 * immediately.
855 */
856 SSL_SESSION_free(sess);
eaa776da
MC		 857 return 1;
858}
859
860static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
861{
862 remove_called++;
863}
864
7a301f08
MC		 865static SSL_SESSION *get_sess_val = NULL;
866
867static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
868 int *copy)
869{
0afca811 870 get_called++;
7a301f08
MC		 871 *copy = 1;
872 return get_sess_val;
873}
874
7a301f08
MC		 875static int execute_test_session(int maxprot, int use_int_cache,
876 int use_ext_cache)
2cb4b5f6
MC		 877{
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 881# ifndef OPENSSL_NO_TLS1_1
eaa776da 882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 883# endif
2cb4b5f6 884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 885 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 886
7e885b7b
P		 887 new_called = remove_called = 0;
888
36ff232c
MC		 889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
891 numnewsesstick = 2;
892
7d7f6834
RL		 893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
2cb4b5f6 896 return 0;
2cb4b5f6 897
7a301f08
MC		 898 /*
899 * Only allow the max protocol version so we can force a connection failure
900 * later
901 */
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 904
905 /* Set up session cache */
7e885b7b 906 if (use_ext_cache) {
eaa776da
MC		 907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
909 }
7e885b7b 910 if (use_int_cache) {
eaa776da
MC		 911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
913 } else {
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
917 }
2cb4b5f6 918
710756a9
RS		 919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
920 NULL, NULL))
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
922 SSL_ERROR_NONE))
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
710756a9 926 /* Should fail because it should already be in the cache */
7e885b7b 927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 928 goto end;
7a301f08 929 if (use_ext_cache
36ff232c
MC		 930 && (!TEST_int_eq(new_called, numnewsesstick)
931
932 || !TEST_int_eq(remove_called, 0)))
b4982125 933 goto end;
b4982125 934
c0537ebd
MC		 935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
940 SSL_ERROR_NONE))
941 || !TEST_true(SSL_session_reused(clientssl2)))
942 goto end;
943
7a301f08
MC		 944 if (maxprot == TLS1_3_VERSION) {
945 /*
946 * In TLSv1.3 we should have created a new session even though we have
36ff232c 947 * resumed.
7a301f08
MC		 948 */
949 if (use_ext_cache
950 && (!TEST_int_eq(new_called, 1)
36ff232c 951 || !TEST_int_eq(remove_called, 0)))
7a301f08
MC		 952 goto end;
953 } else {
954 /*
955 * In TLSv1.2 we expect to have resumed so no sessions added or
956 * removed.
957 */
958 if (use_ext_cache
959 && (!TEST_int_eq(new_called, 0)
960 || !TEST_int_eq(remove_called, 0)))
961 goto end;
962 }
c0537ebd
MC		 963
964 SSL_SESSION_free(sess1);
965 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
966 goto end;
967 shutdown_ssl_connection(serverssl2, clientssl2);
968 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 969
970 new_called = remove_called = 0;
710756a9
RS		 971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
972 &clientssl2, NULL, NULL))
973 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
974 SSL_ERROR_NONE)))
2cb4b5f6 975 goto end;
2cb4b5f6 976
710756a9 977 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 978 goto end;
2cb4b5f6 979
7a301f08 980 if (use_ext_cache
36ff232c
MC		 981 && (!TEST_int_eq(new_called, numnewsesstick)
982 || !TEST_int_eq(remove_called, 0)))
eaa776da 983 goto end;
eaa776da 984
c0537ebd 985 new_called = remove_called = 0;
2cb4b5f6 986 /*
710756a9
RS		 987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
2cb4b5f6 989 */
710756a9 990 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 991 goto end;
7a301f08
MC		 992 if (use_ext_cache
993 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 994 goto end;
710756a9 995 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 996 goto end;
2cb4b5f6 997
7e885b7b 998 if (use_int_cache) {
710756a9
RS		 999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1001 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1002 goto end;
eaa776da
MC		 1003 }
1004
c0537ebd 1005 new_called = remove_called = 0;
eaa776da 1006 /* This shouldn't be in the cache so should fail */
710756a9 1007 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1008 goto end;
2cb4b5f6 1009
7a301f08
MC		 1010 if (use_ext_cache
1011 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1012 goto end;
2cb4b5f6 1013
bf208d95 1014# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1015 new_called = remove_called = 0;
eaa776da
MC		 1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1019 &clientssl3, NULL, NULL))
1020 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1021 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1022 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1023 SSL_ERROR_NONE)))
eaa776da 1024 goto end;
b4982125 1025
eaa776da 1026 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1027 if (use_ext_cache
1028 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1029 goto end;
2cb4b5f6 1030
710756a9 1031 /* Should succeed because it should not already be in the cache */
7e885b7b 1032 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1033 goto end;
bf208d95 1034# endif
eaa776da 1035
7a301f08
MC		 1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache) {
1038 SSL_CTX_sess_set_new_cb(cctx, NULL);
1039 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1040 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1041 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1042 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1043 get_sess_val = NULL;
1044 }
1045
1046 SSL_CTX_set_session_cache_mode(cctx, 0);
1047 /* Internal caching is the default on the server side */
1048 if (!use_int_cache)
1049 SSL_CTX_set_session_cache_mode(sctx,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1052
1053 SSL_free(serverssl1);
1054 SSL_free(clientssl1);
1055 serverssl1 = clientssl1 = NULL;
1056 SSL_free(serverssl2);
1057 SSL_free(clientssl2);
1058 serverssl2 = clientssl2 = NULL;
1059 SSL_SESSION_free(sess1);
1060 sess1 = NULL;
1061 SSL_SESSION_free(sess2);
1062 sess2 = NULL;
1063
1064 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1065 if (maxprot == TLS1_2_VERSION)
1066 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1067 new_called = remove_called = get_called = 0;
7a301f08
MC		 1068 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1069 NULL, NULL))
1070 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1071 SSL_ERROR_NONE))
1072 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1073 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1074 goto end;
1075
ee94ec2e
MC		 1076 if (use_int_cache) {
1077 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1078 /*
1079 * In TLSv1.3 it should not have been added to the internal cache,
1080 * except in the case where we also have an external cache (in that
1081 * case it gets added to the cache in order to generate remove
1082 * events after timeout).
1083 */
1084 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1085 goto end;
1086 } else {
1087 /* Should fail because it should already be in the cache */
1088 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1089 goto end;
1090 }
1091 }
7a301f08
MC		 1092
1093 if (use_ext_cache) {
1094 SSL_SESSION *tmp = sess2;
1095
36ff232c 1096 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1097 || !TEST_int_eq(remove_called, 0)
1098 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1099 goto end;
1100 /*
1101 * Delete the session from the internal cache to force a lookup from
1102 * the external cache. We take a copy first because
1103 * SSL_CTX_remove_session() also marks the session as non-resumable.
1104 */
ee94ec2e 1105 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1106 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1107 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1108 goto end;
1109 SSL_SESSION_free(sess2);
1110 }
7a301f08
MC		 1111 sess2 = tmp;
1112 }
1113
0afca811 1114 new_called = remove_called = get_called = 0;
7a301f08
MC		 1115 get_sess_val = sess2;
1116 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1117 &clientssl2, NULL, NULL))
1118 || !TEST_true(SSL_set_session(clientssl2, sess1))
1119 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1120 SSL_ERROR_NONE))
1121 || !TEST_true(SSL_session_reused(clientssl2)))
1122 goto end;
1123
0afca811 1124 if (use_ext_cache) {
32305f88 1125 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1126 goto end;
1127
1128 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1129 if (!TEST_int_eq(new_called, 1)
1130 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1131 goto end;
1132 } else {
32305f88
MC		 1133 if (!TEST_int_eq(new_called, 0)
1134 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1135 goto end;
1136 }
1137 }
7a301f08 1138
2cb4b5f6 1139 testresult = 1;
eaa776da 1140
2cb4b5f6
MC		 1141 end:
1142 SSL_free(serverssl1);
1143 SSL_free(clientssl1);
1144 SSL_free(serverssl2);
1145 SSL_free(clientssl2);
bf208d95 1146# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1147 SSL_free(serverssl3);
1148 SSL_free(clientssl3);
bf208d95 1149# endif
2cb4b5f6
MC		 1150 SSL_SESSION_free(sess1);
1151 SSL_SESSION_free(sess2);
1152 SSL_CTX_free(sctx);
1153 SSL_CTX_free(cctx);
1154
1155 return testresult;
1156}
bf208d95 1157#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1158
7fb4c820
MC		 1159static int test_session_with_only_int_cache(void)
1160{
7a301f08
MC		 1161#ifndef OPENSSL_NO_TLS1_3
1162 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1163 return 0;
1164#endif
1165
1166#ifndef OPENSSL_NO_TLS1_2
1167 return execute_test_session(TLS1_2_VERSION, 1, 0);
1168#else
1169 return 1;
1170#endif
eaa776da
MC		 1171}
1172
7fb4c820
MC		 1173static int test_session_with_only_ext_cache(void)
1174{
7a301f08
MC		 1175#ifndef OPENSSL_NO_TLS1_3
1176 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1177 return 0;
1178#endif
1179
1180#ifndef OPENSSL_NO_TLS1_2
1181 return execute_test_session(TLS1_2_VERSION, 0, 1);
1182#else
1183 return 1;
1184#endif
eaa776da
MC		 1185}
1186
7fb4c820
MC		 1187static int test_session_with_both_cache(void)
1188{
7a301f08
MC		 1189#ifndef OPENSSL_NO_TLS1_3
1190 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1191 return 0;
1192#endif
1193
1194#ifndef OPENSSL_NO_TLS1_2
1195 return execute_test_session(TLS1_2_VERSION, 1, 1);
1196#else
1197 return 1;
1198#endif
eaa776da
MC		 1199}
1200
04225915 1201#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1202static SSL_SESSION *sesscache[6];
1203static int do_cache;
36ff232c
MC		 1204
1205static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1206{
c22365b3
MC		 1207 if (do_cache) {
1208 sesscache[new_called] = sess;
1209 } else {
1210 /* We don't need the reference to the session, so free it */
1211 SSL_SESSION_free(sess);
1212 }
1213 new_called++;
1214
1215 return 1;
1216}
1217
1218static int post_handshake_verify(SSL *sssl, SSL *cssl)
1219{
1220 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1221 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1222 return 0;
1223
1224 /* Start handshake on the server and client */
1225 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1226 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1227 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1228 || !TEST_true(create_ssl_connection(sssl, cssl,
1229 SSL_ERROR_NONE)))
1230 return 0;
36ff232c
MC		 1231
1232 return 1;
1233}
1234
1235static int test_tickets(int idx)
1236{
1237 SSL_CTX *sctx = NULL, *cctx = NULL;
1238 SSL *serverssl = NULL, *clientssl = NULL;
1239 int testresult = 0, i;
1240 size_t j;
1241
1242 /* idx is the test number, but also the number of tickets we want */
1243
1244 new_called = 0;
c22365b3 1245 do_cache = 1;
36ff232c
MC		 1246
1247 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1248 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1249 &cctx, cert, privkey))
1250 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx)))
1251 goto end;
1252
1253 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1254 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1255 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1256
1257 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1258 &clientssl, NULL, NULL)))
1259 goto end;
1260
1261 SSL_force_post_handshake_auth(clientssl);
1262
1263 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1264 SSL_ERROR_NONE))
1265 /* Check we got the number of tickets we were expecting */
1266 || !TEST_int_eq(idx, new_called))
1267 goto end;
1268
1269 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1270 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1271 || !TEST_int_eq(idx * 2, new_called))
1272 goto end;
1273
36ff232c
MC		 1274 SSL_shutdown(clientssl);
1275 SSL_shutdown(serverssl);
1276 SSL_free(serverssl);
1277 SSL_free(clientssl);
1278 serverssl = clientssl = NULL;
1279
c22365b3
MC		 1280 /* Stop caching sessions - just count them */
1281 do_cache = 0;
1282
36ff232c 1283 /* Test that we can resume with all the tickets we got given */
c22365b3
MC		 1284 for (i = 0; i < idx * 2; i++) {
1285 new_called = 0;
36ff232c
MC		 1286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1287 &clientssl, NULL, NULL))
c22365b3
MC		 1288 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1289 goto end;
1290
1291 SSL_force_post_handshake_auth(clientssl);
1292
1293 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
36ff232c 1294 SSL_ERROR_NONE))
c22365b3
MC		 1295 || !TEST_true(SSL_session_reused(clientssl))
1296 /* Following a resumption we only get 1 ticket */
1297 || !TEST_int_eq(new_called, 1))
1298 goto end;
1299
1300 new_called = 0;
1301 /* After a post-handshake authentication we should get 1 new ticket */
1302 if (!post_handshake_verify(serverssl, clientssl)
1303 || !TEST_int_eq(new_called, 1))
36ff232c
MC		 1304 goto end;
1305
1306 SSL_shutdown(clientssl);
1307 SSL_shutdown(serverssl);
1308 SSL_free(serverssl);
1309 SSL_free(clientssl);
1310 serverssl = clientssl = NULL;
1311 SSL_SESSION_free(sesscache[i]);
1312 sesscache[i] = NULL;
1313 }
1314
1315 testresult = 1;
1316
1317 end:
1318 SSL_free(serverssl);
1319 SSL_free(clientssl);
c22365b3 1320 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1321 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1322 sesscache[j] = NULL;
1323 }
36ff232c
MC		 1324 SSL_CTX_free(sctx);
1325 SSL_CTX_free(cctx);
1326
1327 return testresult;
1328}
04225915 1329#endif
36ff232c 1330
7d4488bb
MC		 1331#define USE_NULL 0
1332#define USE_BIO_1 1
1333#define USE_BIO_2 2
1334#define USE_DEFAULT 3
1335
1336#define CONNTYPE_CONNECTION_SUCCESS 0
1337#define CONNTYPE_CONNECTION_FAIL 1
1338#define CONNTYPE_NO_CONNECTION 2
1339
1340#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1341#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1342#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1343# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1344#else
1345# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1346#endif
1347
7d4488bb
MC		 1348#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1349 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1350 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1351
1352static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1353{
1354 switch (type) {
1355 case USE_NULL:
1356 *res = NULL;
1357 break;
1358 case USE_BIO_1:
1359 *res = bio1;
1360 break;
1361 case USE_BIO_2:
1362 *res = bio2;
1363 break;
1364 }
1365}
1366
7d4488bb
MC		 1367
1368/*
1369 * Tests calls to SSL_set_bio() under various conditions.
1370 *
1371 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1372 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1373 * then do more tests where we create a successful connection first using our
1374 * standard connection setup functions, and then call SSL_set_bio() with
1375 * various combinations of valid BIOs or NULL. We then repeat these tests
1376 * following a failed connection. In this last case we are looking to check that
1377 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1378 */
7fb4c820
MC		 1379static int test_ssl_set_bio(int idx)
1380{
7d4488bb 1381 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1382 BIO *bio1 = NULL;
1383 BIO *bio2 = NULL;
0fae8150 1384 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1385 SSL *serverssl = NULL, *clientssl = NULL;
1386 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1387 int testresult = 0;
1388
7d4488bb
MC		 1389 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1390 initrbio = idx % 3;
1391 idx /= 3;
1392 initwbio = idx % 3;
1393 idx /= 3;
1394 newrbio = idx % 3;
1395 idx /= 3;
1396 newwbio = idx % 3;
1397 conntype = CONNTYPE_NO_CONNECTION;
1398 } else {
1399 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1400 initrbio = initwbio = USE_DEFAULT;
1401 newrbio = idx % 2;
1402 idx /= 2;
1403 newwbio = idx % 2;
1404 idx /= 2;
1405 conntype = idx % 2;
1406 }
710756a9 1407
7d4488bb
MC		 1408 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1409 TLS1_VERSION, TLS_MAX_VERSION,
1410 &sctx, &cctx, cert, privkey)))
1411 goto end;
1412
1413 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1414 /*
1415 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1416 * because we reduced the number of tests in the definition of
1417 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1418 * mismatched protocol versions we will force a connection failure.
1419 */
1420 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1421 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1422 }
1423
1424 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1425 NULL, NULL)))
710756a9 1426 goto end;
7fb4c820 1427
710756a9
RS		 1428 if (initrbio == USE_BIO_1
1429 || initwbio == USE_BIO_1
1430 || newrbio == USE_BIO_1
7fb4c820 1431 || newwbio == USE_BIO_1) {
710756a9 1432 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1433 goto end;
7fb4c820
MC		 1434 }
1435
710756a9
RS		 1436 if (initrbio == USE_BIO_2
1437 || initwbio == USE_BIO_2
1438 || newrbio == USE_BIO_2
7fb4c820 1439 || newwbio == USE_BIO_2) {
710756a9 1440 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1441 goto end;
7fb4c820
MC		 1442 }
1443
7d4488bb
MC		 1444 if (initrbio != USE_DEFAULT) {
1445 setupbio(&irbio, bio1, bio2, initrbio);
1446 setupbio(&iwbio, bio1, bio2, initwbio);
1447 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1448
7d4488bb
MC		 1449 /*
1450 * We want to maintain our own refs to these BIO, so do an up ref for
1451 * each BIO that will have ownership transferred in the SSL_set_bio()
1452 * call
1453 */
1454 if (irbio != NULL)
1455 BIO_up_ref(irbio);
1456 if (iwbio != NULL && iwbio != irbio)
1457 BIO_up_ref(iwbio);
1458 }
7fb4c820 1459
7d4488bb
MC		 1460 if (conntype != CONNTYPE_NO_CONNECTION
1461 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1462 SSL_ERROR_NONE)
1463 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1464 goto end;
7fb4c820
MC		 1465
1466 setupbio(&nrbio, bio1, bio2, newrbio);
1467 setupbio(&nwbio, bio1, bio2, newwbio);
1468
1469 /*
1470 * We will (maybe) transfer ownership again so do more up refs.
1471 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1472 * already been set!
1473 */
710756a9
RS		 1474 if (nrbio != NULL
1475 && nrbio != irbio
1476 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1477 BIO_up_ref(nrbio);
710756a9
RS		 1478 if (nwbio != NULL
1479 && nwbio != nrbio
1480 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1481 BIO_up_ref(nwbio);
1482
7d4488bb 1483 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1484
1485 testresult = 1;
1486
1487 end:
7fb4c820
MC		 1488 BIO_free(bio1);
1489 BIO_free(bio2);
710756a9 1490
7fb4c820
MC		 1491 /*
1492 * This test is checking that the ref counting for SSL_set_bio is correct.
1493 * If we get here and we did too many frees then we will fail in the above
1494 * functions. If we haven't done enough then this will only be detected in
1495 * a crypto-mdebug build
1496 */
7d4488bb
MC		 1497 SSL_free(serverssl);
1498 SSL_free(clientssl);
1499 SSL_CTX_free(sctx);
1500 SSL_CTX_free(cctx);
7fb4c820
MC		 1501 return testresult;
1502}
1503
7e885b7b 1504typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1505
7e885b7b 1506static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1507{
1508 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1509 SSL_CTX *ctx;
9a716987
MC		 1510 SSL *ssl = NULL;
1511 int testresult = 0;
1512
710756a9
RS		 1513 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1514 || !TEST_ptr(ssl = SSL_new(ctx))
1515 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1516 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1517 goto end;
9a716987
MC		 1518
1519 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1520
1521 /*
1522 * If anything goes wrong here then we could leak memory, so this will
1523 * be caught in a crypto-mdebug build
1524 */
1525 BIO_push(sslbio, membio1);
1526
69687aa8 1527 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1528 if (change_bio != NO_BIO_CHANGE) {
710756a9 1529 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1530 goto end;
7e885b7b 1531 if (change_bio == CHANGE_RBIO)
65e2d672 1532 SSL_set0_rbio(ssl, membio2);
9a716987 1533 else
65e2d672 1534 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1535 }
1536 ssl = NULL;
1537
7e885b7b 1538 if (pop_ssl)
9a716987
MC		 1539 BIO_pop(sslbio);
1540 else
1541 BIO_pop(membio1);
1542
1543 testresult = 1;
1544 end:
1545 BIO_free(membio1);
1546 BIO_free(sslbio);
1547 SSL_free(ssl);
1548 SSL_CTX_free(ctx);
1549
1550 return testresult;
1551}
1552
1553static int test_ssl_bio_pop_next_bio(void)
1554{
7e885b7b 1555 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1556}
1557
1558static int test_ssl_bio_pop_ssl_bio(void)
1559{
7e885b7b 1560 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1561}
1562
1563static int test_ssl_bio_change_rbio(void)
1564{
7e885b7b 1565 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1566}
1567
1568static int test_ssl_bio_change_wbio(void)
1569{
7e885b7b 1570 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1571}
1572
c423ecaa 1573#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1574typedef struct {
1575 /* The list of sig algs */
1576 const int *list;
1577 /* The length of the list */
1578 size_t listlen;
1579 /* A sigalgs list in string format */
1580 const char *liststr;
1581 /* Whether setting the list should succeed */
1582 int valid;
1583 /* Whether creating a connection with the list should succeed */
1584 int connsuccess;
1585} sigalgs_list;
1586
1587static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1588# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1589static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1590static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1591# endif
f1b25aae
MC		 1592static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1593static const int invalidlist2[] = {NID_sha256, NID_undef};
1594static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1595static const int invalidlist4[] = {NID_sha256};
1596static const sigalgs_list testsigalgs[] = {
1597 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1598# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1599 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1600 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1601# endif
f1b25aae 1602 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1603# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1604 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1605 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1606# endif
f1b25aae
MC		 1607 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1608 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1609 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1610 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1611 {NULL, 0, "RSA", 0, 0},
1612 {NULL, 0, "SHA256", 0, 0},
1613 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1614 {NULL, 0, "Invalid", 0, 0}
1615};
f1b25aae
MC		 1616
1617static int test_set_sigalgs(int idx)
1618{
1619 SSL_CTX *cctx = NULL, *sctx = NULL;
1620 SSL *clientssl = NULL, *serverssl = NULL;
1621 int testresult = 0;
1622 const sigalgs_list *curr;
1623 int testctx;
1624
1625 /* Should never happen */
710756a9 1626 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1627 return 0;
1628
1629 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1630 curr = testctx ? &testsigalgs[idx]
1631 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1632
7d7f6834
RL		 1633 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1634 TLS1_VERSION, TLS_MAX_VERSION,
1635 &sctx, &cctx, cert, privkey)))
f1b25aae 1636 return 0;
f1b25aae 1637
d2e491f2
MC		 1638 /*
1639 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1640 * for TLSv1.2 for now until we add a new API.
1641 */
1642 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1643
f1b25aae
MC		 1644 if (testctx) {
1645 int ret;
710756a9 1646
f1b25aae
MC		 1647 if (curr->list != NULL)
1648 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1649 else
1650 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1651
1652 if (!ret) {
1653 if (curr->valid)
710756a9 1654 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1655 else
1656 testresult = 1;
1657 goto end;
1658 }
1659 if (!curr->valid) {
710756a9 1660 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1661 goto end;
1662 }
1663 }
1664
710756a9
RS		 1665 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1666 &clientssl, NULL, NULL)))
f1b25aae 1667 goto end;
f1b25aae
MC		 1668
1669 if (!testctx) {
1670 int ret;
1671
1672 if (curr->list != NULL)
1673 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1674 else
1675 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1676 if (!ret) {
1677 if (curr->valid)
710756a9 1678 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1679 else
1680 testresult = 1;
1681 goto end;
1682 }
710756a9 1683 if (!curr->valid)
f1b25aae 1684 goto end;
f1b25aae
MC		 1685 }
1686
710756a9
RS		 1687 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1688 SSL_ERROR_NONE),
1689 curr->connsuccess))
f1b25aae 1690 goto end;
f1b25aae
MC		 1691
1692 testresult = 1;
1693
1694 end:
1695 SSL_free(serverssl);
1696 SSL_free(clientssl);
1697 SSL_CTX_free(sctx);
1698 SSL_CTX_free(cctx);
1699
1700 return testresult;
1701}
c423ecaa 1702#endif
f1b25aae 1703
fff202e5
MC		 1704#ifndef OPENSSL_NO_TLS1_3
1705
57dee9bb
MC		 1706static SSL_SESSION *clientpsk = NULL;
1707static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1708static const char *pskid = "Identity";
1709static const char *srvid;
1710
1711static int use_session_cb_cnt = 0;
1712static int find_session_cb_cnt = 0;
532f9578
MC		 1713static int psk_client_cb_cnt = 0;
1714static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1715
1716static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1717 size_t *idlen, SSL_SESSION **sess)
1718{
1719 switch (++use_session_cb_cnt) {
1720 case 1:
1721 /* The first call should always have a NULL md */
1722 if (md != NULL)
1723 return 0;
1724 break;
1725
1726 case 2:
1727 /* The second call should always have an md */
1728 if (md == NULL)
1729 return 0;
1730 break;
1731
1732 default:
1733 /* We should only be called a maximum of twice */
1734 return 0;
1735 }
1736
57dee9bb
MC		 1737 if (clientpsk != NULL)
1738 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1739
57dee9bb 1740 *sess = clientpsk;
02a3ed5a
MC		 1741 *id = (const unsigned char *)pskid;
1742 *idlen = strlen(pskid);
1743
1744 return 1;
1745}
1746
c2b290c3 1747#ifndef OPENSSL_NO_PSK
532f9578
MC		 1748static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1749 unsigned int max_id_len,
1750 unsigned char *psk,
1751 unsigned int max_psk_len)
1752{
1753 unsigned int psklen = 0;
1754
1755 psk_client_cb_cnt++;
1756
1757 if (strlen(pskid) + 1 > max_id_len)
1758 return 0;
1759
1760 /* We should only ever be called a maximum of twice per connection */
1761 if (psk_client_cb_cnt > 2)
1762 return 0;
1763
1764 if (clientpsk == NULL)
1765 return 0;
1766
1767 /* We'll reuse the PSK we set up for TLSv1.3 */
1768 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1769 return 0;
1770 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1771 strncpy(id, pskid, max_id_len);
1772
1773 return psklen;
1774}
c2b290c3 1775#endif /* OPENSSL_NO_PSK */
532f9578 1776
02a3ed5a
MC		 1777static int find_session_cb(SSL *ssl, const unsigned char *identity,
1778 size_t identity_len, SSL_SESSION **sess)
1779{
1780 find_session_cb_cnt++;
1781
1782 /* We should only ever be called a maximum of twice per connection */
1783 if (find_session_cb_cnt > 2)
1784 return 0;
1785
57dee9bb 1786 if (serverpsk == NULL)
02a3ed5a
MC		 1787 return 0;
1788
1789 /* Identity should match that set by the client */
1790 if (strlen(srvid) != identity_len
1791 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1792 /* No PSK found, continue but without a PSK */
1793 *sess = NULL;
1794 return 1;
1795 }
1796
57dee9bb
MC		 1797 SSL_SESSION_up_ref(serverpsk);
1798 *sess = serverpsk;
02a3ed5a
MC		 1799
1800 return 1;
1801}
1802
c2b290c3 1803#ifndef OPENSSL_NO_PSK
532f9578
MC		 1804static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1805 unsigned char *psk, unsigned int max_psk_len)
1806{
1807 unsigned int psklen = 0;
1808
1809 psk_server_cb_cnt++;
1810
1811 /* We should only ever be called a maximum of twice per connection */
1812 if (find_session_cb_cnt > 2)
1813 return 0;
1814
1815 if (serverpsk == NULL)
1816 return 0;
1817
1818 /* Identity should match that set by the client */
1819 if (strcmp(srvid, identity) != 0) {
1820 return 0;
1821 }
1822
1823 /* We'll reuse the PSK we set up for TLSv1.3 */
1824 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1825 return 0;
1826 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1827
1828 return psklen;
1829}
c2b290c3 1830#endif /* OPENSSL_NO_PSK */
532f9578 1831
5f982038
MC		 1832#define MSG1 "Hello"
1833#define MSG2 "World."
1834#define MSG3 "This"
1835#define MSG4 "is"
1836#define MSG5 "a"
90049cea
MC		 1837#define MSG6 "test"
1838#define MSG7 "message."
5f982038 1839
02a3ed5a 1840#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1841#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1842
5f982038
MC		 1843/*
1844 * Helper method to setup objects for early data test. Caller frees objects on
1845 * error.
1846 */
1847static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1848 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1849{
7d7f6834
RL		 1850 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1851 TLS1_VERSION, TLS_MAX_VERSION,
1852 sctx, cctx, cert, privkey))
c39e4048 1853 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
c39e4048 1854 SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1855 return 0;
5f982038 1856
02a3ed5a
MC		 1857 if (idx == 1) {
1858 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1859 SSL_CTX_set_read_ahead(*cctx, 1);
1860 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1861 } else if (idx == 2) {
1862 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1863 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1864 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1865 use_session_cb_cnt = 0;
1866 find_session_cb_cnt = 0;
1867 srvid = pskid;
3cb47b4e
MC		 1868 }
1869
710756a9 1870 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1871 NULL, NULL)))
1872 return 0;
1873
141e4709
MC		 1874 /*
1875 * For one of the run throughs (doesn't matter which one), we'll try sending
1876 * some SNI data in the initial ClientHello. This will be ignored (because
1877 * there is no SNI cb set up by the server), so it should not impact
1878 * early_data.
1879 */
1880 if (idx == 1
1881 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1882 return 0;
1883
02a3ed5a
MC		 1884 if (idx == 2) {
1885 /* Create the PSK */
1886 const SSL_CIPHER *cipher = NULL;
1887 const unsigned char key[] = {
1888 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1889 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1890 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1891 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1892 0x2c, 0x2d, 0x2e, 0x2f
1893 };
1894
1895 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1896 clientpsk = SSL_SESSION_new();
1897 if (!TEST_ptr(clientpsk)
02a3ed5a 1898 || !TEST_ptr(cipher)
57dee9bb 1899 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1900 sizeof(key)))
57dee9bb 1901 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1902 || !TEST_true(
57dee9bb 1903 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1904 TLS1_3_VERSION))
1905 /*
1906 * We just choose an arbitrary value for max_early_data which
1907 * should be big enough for testing purposes.
1908 */
57dee9bb
MC		 1909 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1910 0x100))
1911 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1912 SSL_SESSION_free(clientpsk);
1913 clientpsk = NULL;
02a3ed5a
MC		 1914 return 0;
1915 }
57dee9bb 1916 serverpsk = clientpsk;
02a3ed5a 1917
c20e3b28
MC		 1918 if (sess != NULL) {
1919 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1920 SSL_SESSION_free(clientpsk);
1921 SSL_SESSION_free(serverpsk);
1922 clientpsk = serverpsk = NULL;
1923 return 0;
1924 }
57dee9bb 1925 *sess = clientpsk;
c20e3b28 1926 }
02a3ed5a
MC		 1927 return 1;
1928 }
1929
1930 if (sess == NULL)
1931 return 1;
1932
1933 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1934 SSL_ERROR_NONE)))
5f982038 1935 return 0;
5f982038
MC		 1936
1937 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1938 SSL_shutdown(*clientssl);
1939 SSL_shutdown(*serverssl);
5f982038
MC		 1940 SSL_free(*serverssl);
1941 SSL_free(*clientssl);
1942 *serverssl = *clientssl = NULL;
1943
710756a9
RS		 1944 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1945 clientssl, NULL, NULL))
1946 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1947 return 0;
5f982038
MC		 1948
1949 return 1;
1950}
1951
3cb47b4e 1952static int test_early_data_read_write(int idx)
5f982038
MC		 1953{
1954 SSL_CTX *cctx = NULL, *sctx = NULL;
1955 SSL *clientssl = NULL, *serverssl = NULL;
1956 int testresult = 0;
1957 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1958 unsigned char buf[20], data[1024];
1959 size_t readbytes, written, eoedlen, rawread, rawwritten;
1960 BIO *rbio;
5f982038 1961
710756a9
RS		 1962 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1963 &serverssl, &sess, idx)))
5f982038
MC		 1964 goto end;
1965
1966 /* Write and read some early data */
710756a9
RS		 1967 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1968 &written))
1969 || !TEST_size_t_eq(written, strlen(MSG1))
1970 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1971 sizeof(buf), &readbytes),
1972 SSL_READ_EARLY_DATA_SUCCESS)
1973 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1974 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1975 SSL_EARLY_DATA_ACCEPTED))
5f982038 1976 goto end;
5f982038
MC		 1977
1978 /*
09f28874 1979 * Server should be able to write data, and client should be able to
5f982038
MC		 1980 * read it.
1981 */
710756a9
RS		 1982 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1983 &written))
1984 || !TEST_size_t_eq(written, strlen(MSG2))
1985 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1986 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1987 goto end;
5f982038
MC		 1988
1989 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1990 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1991 &written))
1992 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1993 goto end;
5f982038 1994
09f28874 1995 /* Server should still be able read early data after writing data */
710756a9
RS		 1996 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1997 &readbytes),
1998 SSL_READ_EARLY_DATA_SUCCESS)
1999 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2000 goto end;
5f982038 2001
09f28874 2002 /* Write more data from server and read it from client */
710756a9
RS		 2003 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2004 &written))
2005 || !TEST_size_t_eq(written, strlen(MSG4))
2006 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2007 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2008 goto end;
5f982038
MC		 2009
2010 /*
2011 * If client writes normal data it should mean writing early data is no
2012 * longer possible.
2013 */
710756a9
RS		 2014 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2015 || !TEST_size_t_eq(written, strlen(MSG5))
2016 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2017 SSL_EARLY_DATA_ACCEPTED))
5f982038 2018 goto end;
5f982038 2019
9b5c865d
MC		 2020 /*
2021 * At this point the client has written EndOfEarlyData, ClientFinished and
2022 * normal (fully protected) data. We are going to cause a delay between the
2023 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2024 * in the read BIO, and then just put back the EndOfEarlyData message.
2025 */
2026 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2027 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2028 || !TEST_size_t_lt(rawread, sizeof(data))
2029 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2030 goto end;
710756a9 2031
9b5c865d
MC		 2032 /* Record length is in the 4th and 5th bytes of the record header */
2033 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2034 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2035 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2036 goto end;
9b5c865d 2037
5f982038 2038 /* Server should be told that there is no more early data */
710756a9
RS		 2039 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2040 &readbytes),
2041 SSL_READ_EARLY_DATA_FINISH)
2042 || !TEST_size_t_eq(readbytes, 0))
5f982038 2043 goto end;
5f982038 2044
9b5c865d
MC		 2045 /*
2046 * Server has not finished init yet, so should still be able to write early
2047 * data.
2048 */
710756a9
RS		 2049 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2050 &written))
2051 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2052 goto end;
9b5c865d 2053
f8a303fa 2054 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2055 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2056 &rawwritten))
2057 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2058 goto end;
f8a303fa 2059
5f982038 2060 /* Server should be able to read normal data */
710756a9
RS		 2061 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2062 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2063 goto end;
5f982038 2064
09f28874 2065 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2066 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2067 &written)))
5f982038 2068 goto end;
5f982038 2069 ERR_clear_error();
710756a9
RS		 2070 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2071 &readbytes),
2072 SSL_READ_EARLY_DATA_ERROR))
5f982038 2073 goto end;
5f982038
MC		 2074 ERR_clear_error();
2075
9b5c865d 2076 /* Client should be able to read the data sent by the server */
710756a9
RS		 2077 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2078 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2079 goto end;
710756a9 2080
f8a303fa 2081 /*
36ff232c
MC		 2082 * Make sure we process the two NewSessionTickets. These arrive
2083 * post-handshake. We attempt reads which we do not expect to return any
2084 * data.
f8a303fa 2085 */
36ff232c
MC		 2086 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2087 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2088 &readbytes)))
f8a303fa 2089 goto end;
5f982038 2090
90049cea 2091 /* Server should be able to write normal data */
710756a9
RS		 2092 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2093 || !TEST_size_t_eq(written, strlen(MSG7))
2094 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2095 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2096 goto end;
90049cea 2097
c20e3b28 2098 SSL_SESSION_free(sess);
5f982038 2099 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2100 use_session_cb_cnt = 0;
2101 find_session_cb_cnt = 0;
5f982038
MC		 2102
2103 SSL_shutdown(clientssl);
2104 SSL_shutdown(serverssl);
5f982038
MC		 2105 SSL_free(serverssl);
2106 SSL_free(clientssl);
2107 serverssl = clientssl = NULL;
710756a9
RS		 2108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2109 &clientssl, NULL, NULL))
2110 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2111 goto end;
5f982038
MC		 2112
2113 /* Write and read some early data */
710756a9
RS		 2114 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2115 &written))
2116 || !TEST_size_t_eq(written, strlen(MSG1))
2117 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2118 &readbytes),
2119 SSL_READ_EARLY_DATA_SUCCESS)
2120 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2121 goto end;
5f982038 2122
710756a9
RS		 2123 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2124 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2125 goto end;
5f982038 2126
09f28874 2127 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2128 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2129 &written)))
5f982038 2130 goto end;
5f982038 2131 ERR_clear_error();
710756a9
RS		 2132 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2133 &readbytes),
2134 SSL_READ_EARLY_DATA_ERROR))
5f982038 2135 goto end;
5f982038
MC		 2136 ERR_clear_error();
2137
2138 /* Client and server should be able to write/read normal data */
710756a9
RS		 2139 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2140 || !TEST_size_t_eq(written, strlen(MSG5))
2141 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2142 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2143 goto end;
5f982038
MC		 2144
2145 testresult = 1;
2146
2147 end:
c20e3b28 2148 SSL_SESSION_free(sess);
57dee9bb
MC		 2149 SSL_SESSION_free(clientpsk);
2150 SSL_SESSION_free(serverpsk);
2151 clientpsk = serverpsk = NULL;
5f982038
MC		 2152 SSL_free(serverssl);
2153 SSL_free(clientssl);
2154 SSL_CTX_free(sctx);
2155 SSL_CTX_free(cctx);
5f982038
MC		 2156 return testresult;
2157}
2158
78fb5374
MC		 2159static int test_early_data_replay(int idx)
2160{
2161 SSL_CTX *cctx = NULL, *sctx = NULL;
2162 SSL *clientssl = NULL, *serverssl = NULL;
2163 int testresult = 0;
2164 SSL_SESSION *sess = NULL;
2165
2166 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2167 &serverssl, &sess, idx)))
2168 goto end;
2169
2170 /*
2171 * The server is configured to accept early data. Create a connection to
2172 * "use up" the ticket
2173 */
2174 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2175 || !TEST_true(SSL_session_reused(clientssl)))
2176 goto end;
2177
2178 SSL_shutdown(clientssl);
2179 SSL_shutdown(serverssl);
2180 SSL_free(serverssl);
2181 SSL_free(clientssl);
2182 serverssl = clientssl = NULL;
2183
2184 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2185 &clientssl, NULL, NULL))
2186 || !TEST_true(SSL_set_session(clientssl, sess))
2187 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2188 SSL_ERROR_NONE))
2189 /*
2190 * This time we should not have resumed the session because we
2191 * already used it once.
2192 */
2193 || !TEST_false(SSL_session_reused(clientssl)))
2194 goto end;
2195
2196 testresult = 1;
2197
2198 end:
c20e3b28 2199 SSL_SESSION_free(sess);
78fb5374
MC		 2200 SSL_SESSION_free(clientpsk);
2201 SSL_SESSION_free(serverpsk);
2202 clientpsk = serverpsk = NULL;
2203 SSL_free(serverssl);
2204 SSL_free(clientssl);
2205 SSL_CTX_free(sctx);
2206 SSL_CTX_free(cctx);
2207 return testresult;
2208}
2209
710756a9 2210/*
6b84e6bf
MC		 2211 * Helper function to test that a server attempting to read early data can
2212 * handle a connection from a client where the early data should be skipped.
710756a9 2213 */
6b84e6bf 2214static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 2215{
2216 SSL_CTX *cctx = NULL, *sctx = NULL;
2217 SSL *clientssl = NULL, *serverssl = NULL;
2218 int testresult = 0;
018fcbec 2219 SSL_SESSION *sess = NULL;
5f982038
MC		 2220 unsigned char buf[20];
2221 size_t readbytes, written;
2222
710756a9
RS		 2223 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2224 &serverssl, &sess, idx)))
5f982038
MC		 2225 goto end;
2226
6b84e6bf
MC		 2227 if (hrr) {
2228 /* Force an HRR to occur */
2229 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2230 goto end;
02a3ed5a
MC		 2231 } else if (idx == 2) {
2232 /*
2233 * We force early_data rejection by ensuring the PSK identity is
2234 * unrecognised
2235 */
2236 srvid = "Dummy Identity";
6b84e6bf
MC		 2237 } else {
2238 /*
2239 * Deliberately corrupt the creation time. We take 20 seconds off the
2240 * time. It could be any value as long as it is not within tolerance.
2241 * This should mean the ticket is rejected.
2242 */
5d99881e 2243 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2244 goto end;
2245 }
5f982038
MC		 2246
2247 /* Write some early data */
710756a9
RS		 2248 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2249 &written))
2250 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2251 goto end;
5f982038
MC		 2252
2253 /* Server should reject the early data and skip over it */
710756a9
RS		 2254 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2255 &readbytes),
2256 SSL_READ_EARLY_DATA_FINISH)
2257 || !TEST_size_t_eq(readbytes, 0)
2258 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2259 SSL_EARLY_DATA_REJECTED))
5f982038 2260 goto end;
5f982038 2261
6b84e6bf
MC		 2262 if (hrr) {
2263 /*
2264 * Finish off the handshake. We perform the same writes and reads as
2265 * further down but we expect them to fail due to the incomplete
2266 * handshake.
2267 */
2268 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2269 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2270 &readbytes)))
2271 goto end;
2272 }
2273
710756a9
RS		 2274 /* Should be able to send normal data despite rejection of early data */
2275 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2276 || !TEST_size_t_eq(written, strlen(MSG2))
2277 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2278 SSL_EARLY_DATA_REJECTED)
2279 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2280 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2281 goto end;
5f982038
MC		 2282
2283 testresult = 1;
2284
2285 end:
c20e3b28 2286 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2287 SSL_SESSION_free(serverpsk);
2288 clientpsk = serverpsk = NULL;
5f982038
MC		 2289 SSL_SESSION_free(sess);
2290 SSL_free(serverssl);
2291 SSL_free(clientssl);
2292 SSL_CTX_free(sctx);
2293 SSL_CTX_free(cctx);
5f982038
MC		 2294 return testresult;
2295}
2296
6b84e6bf
MC		 2297/*
2298 * Test that a server attempting to read early data can handle a connection
2299 * from a client where the early data is not acceptable.
2300 */
2301static int test_early_data_skip(int idx)
2302{
2303 return early_data_skip_helper(0, idx);
2304}
2305
2306/*
2307 * Test that a server attempting to read early data can handle a connection
2308 * from a client where an HRR occurs.
2309 */
2310static int test_early_data_skip_hrr(int idx)
2311{
2312 return early_data_skip_helper(1, idx);
2313}
2314
710756a9
RS		 2315/*
2316 * Test that a server attempting to read early data can handle a connection
2317 * from a client that doesn't send any.
2318 */
3cb47b4e 2319static int test_early_data_not_sent(int idx)
5f982038
MC		 2320{
2321 SSL_CTX *cctx = NULL, *sctx = NULL;
2322 SSL *clientssl = NULL, *serverssl = NULL;
2323 int testresult = 0;
018fcbec 2324 SSL_SESSION *sess = NULL;
5f982038
MC		 2325 unsigned char buf[20];
2326 size_t readbytes, written;
2327
710756a9
RS		 2328 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2329 &serverssl, &sess, idx)))
5f982038
MC		 2330 goto end;
2331
2332 /* Write some data - should block due to handshake with server */
2333 SSL_set_connect_state(clientssl);
710756a9 2334 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2335 goto end;
5f982038
MC		 2336
2337 /* Server should detect that early data has not been sent */
710756a9
RS		 2338 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2339 &readbytes),
2340 SSL_READ_EARLY_DATA_FINISH)
2341 || !TEST_size_t_eq(readbytes, 0)
2342 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2343 SSL_EARLY_DATA_NOT_SENT)
2344 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2345 SSL_EARLY_DATA_NOT_SENT))
5f982038 2346 goto end;
5f982038
MC		 2347
2348 /* Continue writing the message we started earlier */
710756a9
RS		 2349 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2350 || !TEST_size_t_eq(written, strlen(MSG1))
2351 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2352 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2353 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2354 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2355 goto end;
5f982038 2356
710756a9
RS		 2357 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2358 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2359 goto end;
5f982038
MC		 2360
2361 testresult = 1;
2362
2363 end:
5f982038 2364 SSL_SESSION_free(sess);
c20e3b28 2365 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2366 SSL_SESSION_free(serverpsk);
2367 clientpsk = serverpsk = NULL;
5f982038
MC		 2368 SSL_free(serverssl);
2369 SSL_free(clientssl);
2370 SSL_CTX_free(sctx);
2371 SSL_CTX_free(cctx);
5f982038
MC		 2372 return testresult;
2373}
2374
976e5323
MC		 2375static int hostname_cb(SSL *s, int *al, void *arg)
2376{
2377 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2378
281bf233 2379 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2380 return SSL_TLSEXT_ERR_OK;
2381
2382 return SSL_TLSEXT_ERR_NOACK;
2383}
2384
2385static const char *servalpn;
2386
c7558d5b
PY		 2387static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2388 unsigned char *outlen, const unsigned char *in,
2389 unsigned int inlen, void *arg)
976e5323 2390{
c7558d5b 2391 unsigned int protlen = 0;
976e5323
MC		 2392 const unsigned char *prot;
2393
c7558d5b
PY		 2394 for (prot = in; prot < in + inlen; prot += protlen) {
2395 protlen = *prot++;
5d99881e 2396 if (in + inlen < prot + protlen)
976e5323
MC		 2397 return SSL_TLSEXT_ERR_NOACK;
2398
2399 if (protlen == strlen(servalpn)
0bd42fde 2400 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2401 *out = prot;
2402 *outlen = protlen;
2403 return SSL_TLSEXT_ERR_OK;
2404 }
2405 }
2406
2407 return SSL_TLSEXT_ERR_NOACK;
2408}
2409
57dee9bb 2410/* Test that a PSK can be used to send early_data */
976e5323
MC		 2411static int test_early_data_psk(int idx)
2412{
2413 SSL_CTX *cctx = NULL, *sctx = NULL;
2414 SSL *clientssl = NULL, *serverssl = NULL;
2415 int testresult = 0;
2416 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2417 unsigned char alpnlist[] = {
2418 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2419 'l', 'p', 'n'
2420 };
2421#define GOODALPNLEN 9
2422#define BADALPNLEN 8
2423#define GOODALPN (alpnlist)
2424#define BADALPN (alpnlist + GOODALPNLEN)
2425 int err = 0;
976e5323
MC		 2426 unsigned char buf[20];
2427 size_t readbytes, written;
57dee9bb 2428 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2429 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2430
2431 /* We always set this up with a final parameter of "2" for PSK */
2432 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2433 &serverssl, &sess, 2)))
2434 goto end;
2435
976e5323
MC		 2436 servalpn = "goodalpn";
2437
57dee9bb
MC		 2438 /*
2439 * Note: There is no test for inconsistent SNI with late client detection.
2440 * This is because servers do not acknowledge SNI even if they are using
2441 * it in a resumption handshake - so it is not actually possible for a
2442 * client to detect a problem.
2443 */
976e5323
MC		 2444 switch (idx) {
2445 case 0:
57dee9bb 2446 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2447 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2448 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2449 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2450 goto end;
2451 break;
2452
2453 case 1:
57dee9bb 2454 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2455 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2456 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2457 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2458 GOODALPNLEN))
2459 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2460 BADALPNLEN)))
976e5323
MC		 2461 goto end;
2462 break;
2463
2464 case 2:
2465 /*
2466 * Set invalid protocol version. Technically this affects PSKs without
2467 * early_data too, but we test it here because it is similar to the
2468 * SNI/ALPN consistency tests.
2469 */
2470 err = SSL_R_BAD_PSK;
2471 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2472 goto end;
2473 break;
2474
2475 case 3:
2476 /*
2477 * Set inconsistent SNI (server detected). In this case the connection
2478 * will succeed but reject early_data.
2479 */
281bf233
MC		 2480 SSL_SESSION_free(serverpsk);
2481 serverpsk = SSL_SESSION_dup(clientpsk);
2482 if (!TEST_ptr(serverpsk)
2483 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2484 goto end;
976e5323
MC		 2485 edstatus = SSL_EARLY_DATA_REJECTED;
2486 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2487 /* Fall through */
2488 case 4:
2489 /* Set consistent SNI */
976e5323
MC		 2490 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2491 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2492 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2493 hostname_cb)))
2494 goto end;
2495 break;
2496
2497 case 5:
2498 /*
2499 * Set inconsistent ALPN (server detected). In this case the connection
2500 * will succeed but reject early_data.
2501 */
2502 servalpn = "badalpn";
2503 edstatus = SSL_EARLY_DATA_REJECTED;
2504 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2505 /* Fall through */
2506 case 6:
976e5323 2507 /*
57dee9bb 2508 * Set consistent ALPN.
976e5323
MC		 2509 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2510 * accepts a list of protos (each one length prefixed).
2511 * SSL_set1_alpn_selected accepts a single protocol (not length
2512 * prefixed)
2513 */
57dee9bb
MC		 2514 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2515 GOODALPNLEN - 1))
2516 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2517 GOODALPNLEN)))
976e5323
MC		 2518 goto end;
2519
2520 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2521 break;
2522
57dee9bb
MC		 2523 case 7:
2524 /* Set inconsistent ALPN (late client detection) */
2525 SSL_SESSION_free(serverpsk);
2526 serverpsk = SSL_SESSION_dup(clientpsk);
2527 if (!TEST_ptr(serverpsk)
2528 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2529 BADALPN + 1,
2530 BADALPNLEN - 1))
2531 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2532 GOODALPN + 1,
2533 GOODALPNLEN - 1))
2534 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2535 sizeof(alpnlist))))
2536 goto end;
2537 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2538 edstatus = SSL_EARLY_DATA_ACCEPTED;
2539 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2540 /* SSL_connect() call should fail */
2541 connectres = -1;
2542 break;
2543
976e5323
MC		 2544 default:
2545 TEST_error("Bad test index");
2546 goto end;
2547 }
2548
2549 SSL_set_connect_state(clientssl);
2550 if (err != 0) {
2551 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2552 &written))
2553 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2554 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2555 goto end;
2556 } else {
2557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2558 &written)))
2559 goto end;
2560
2561 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2562 &readbytes), readearlyres)
976e5323
MC		 2563 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2564 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2565 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2566 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2567 goto end;
2568 }
2569
2570 testresult = 1;
2571
2572 end:
c20e3b28 2573 SSL_SESSION_free(sess);
57dee9bb
MC		 2574 SSL_SESSION_free(clientpsk);
2575 SSL_SESSION_free(serverpsk);
2576 clientpsk = serverpsk = NULL;
976e5323
MC		 2577 SSL_free(serverssl);
2578 SSL_free(clientssl);
2579 SSL_CTX_free(sctx);
2580 SSL_CTX_free(cctx);
2581 return testresult;
2582}
2583
710756a9
RS		 2584/*
2585 * Test that a server that doesn't try to read early data can handle a
2586 * client sending some.
2587 */
3cb47b4e 2588static int test_early_data_not_expected(int idx)
5f982038
MC		 2589{
2590 SSL_CTX *cctx = NULL, *sctx = NULL;
2591 SSL *clientssl = NULL, *serverssl = NULL;
2592 int testresult = 0;
018fcbec 2593 SSL_SESSION *sess = NULL;
5f982038
MC		 2594 unsigned char buf[20];
2595 size_t readbytes, written;
2596
710756a9
RS		 2597 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2598 &serverssl, &sess, idx)))
5f982038
MC		 2599 goto end;
2600
2601 /* Write some early data */
710756a9
RS		 2602 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2603 &written)))
5f982038 2604 goto end;
5f982038
MC		 2605
2606 /*
2607 * Server should skip over early data and then block waiting for client to
2608 * continue handshake
2609 */
710756a9
RS		 2610 if (!TEST_int_le(SSL_accept(serverssl), 0)
2611 || !TEST_int_gt(SSL_connect(clientssl), 0)
2612 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2613 SSL_EARLY_DATA_REJECTED)
2614 || !TEST_int_gt(SSL_accept(serverssl), 0)
2615 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2616 SSL_EARLY_DATA_REJECTED))
5f982038 2617 goto end;
5f982038
MC		 2618
2619 /* Send some normal data from client to server */
710756a9
RS		 2620 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2621 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2622 goto end;
5f982038 2623
710756a9
RS		 2624 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2625 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2626 goto end;
5f982038
MC		 2627
2628 testresult = 1;
2629
2630 end:
5f982038 2631 SSL_SESSION_free(sess);
c20e3b28 2632 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2633 SSL_SESSION_free(serverpsk);
2634 clientpsk = serverpsk = NULL;
5f982038
MC		 2635 SSL_free(serverssl);
2636 SSL_free(clientssl);
2637 SSL_CTX_free(sctx);
2638 SSL_CTX_free(cctx);
5f982038
MC		 2639 return testresult;
2640}
2641
2642
2643# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2644/*
2645 * Test that a server attempting to read early data can handle a connection
2646 * from a TLSv1.2 client.
2647 */
3cb47b4e 2648static int test_early_data_tls1_2(int idx)
5f982038
MC		 2649{
2650 SSL_CTX *cctx = NULL, *sctx = NULL;
2651 SSL *clientssl = NULL, *serverssl = NULL;
2652 int testresult = 0;
2653 unsigned char buf[20];
2654 size_t readbytes, written;
2655
02a3ed5a
MC		 2656 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2657 &serverssl, NULL, idx)))
5f982038 2658 goto end;
5f982038
MC		 2659
2660 /* Write some data - should block due to handshake with server */
2661 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2662 SSL_set_connect_state(clientssl);
710756a9 2663 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2664 goto end;
5f982038
MC		 2665
2666 /*
2667 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2668 * messages from client after ServerDone. Then SSL_read_early_data should
2669 * finish and detect that early data has not been sent
5f982038 2670 */
710756a9
RS		 2671 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2672 &readbytes),
2673 SSL_READ_EARLY_DATA_ERROR))
5f982038 2674 goto end;
5f982038
MC		 2675
2676 /*
2677 * Continue writing the message we started earlier. Will still block waiting
2678 * for the CCS/Finished from server
2679 */
710756a9
RS		 2680 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2681 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2682 &readbytes),
2683 SSL_READ_EARLY_DATA_FINISH)
2684 || !TEST_size_t_eq(readbytes, 0)
2685 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2686 SSL_EARLY_DATA_NOT_SENT))
5f982038 2687 goto end;
5f982038
MC		 2688
2689 /* Continue writing the message we started earlier */
710756a9
RS		 2690 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2691 || !TEST_size_t_eq(written, strlen(MSG1))
2692 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2693 SSL_EARLY_DATA_NOT_SENT)
2694 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2695 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2696 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2697 || !TEST_size_t_eq(written, strlen(MSG2))
2698 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2699 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2700 goto end;
5f982038
MC		 2701
2702 testresult = 1;
2703
2704 end:
57dee9bb
MC		 2705 SSL_SESSION_free(clientpsk);
2706 SSL_SESSION_free(serverpsk);
2707 clientpsk = serverpsk = NULL;
5f982038
MC		 2708 SSL_free(serverssl);
2709 SSL_free(clientssl);
2710 SSL_CTX_free(sctx);
2711 SSL_CTX_free(cctx);
2712
2713 return testresult;
2714}
ca0413ae
MC		 2715# endif /* OPENSSL_NO_TLS1_2 */
2716
034cb87b
MC		 2717/*
2718 * Test configuring the TLSv1.3 ciphersuites
2719 *
2720 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2721 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2722 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2723 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2724 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2725 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2726 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2727 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2728 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2729 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2730 */
2731static int test_set_ciphersuite(int idx)
2732{
2733 SSL_CTX *cctx = NULL, *sctx = NULL;
2734 SSL *clientssl = NULL, *serverssl = NULL;
2735 int testresult = 0;
2736
2737 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2738 TLS1_VERSION, TLS_MAX_VERSION,
2739 &sctx, &cctx, cert, privkey))
2740 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2741 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2742 goto end;
2743
2744 if (idx >=4 && idx <= 7) {
2745 /* SSL_CTX explicit cipher list */
2746 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2747 goto end;
2748 }
2749
2750 if (idx == 0 || idx == 4) {
2751 /* Default ciphersuite */
2752 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2753 "TLS_AES_128_GCM_SHA256")))
2754 goto end;
2755 } else if (idx == 1 || idx == 5) {
2756 /* Non default ciphersuite */
2757 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2758 "TLS_AES_128_CCM_SHA256")))
2759 goto end;
2760 }
2761
2762 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2763 &clientssl, NULL, NULL)))
2764 goto end;
2765
2766 if (idx == 8 || idx == 9) {
2767 /* SSL explicit cipher list */
2768 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2769 goto end;
2770 }
2771
2772 if (idx == 2 || idx == 6 || idx == 8) {
2773 /* Default ciphersuite */
2774 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2775 "TLS_AES_128_GCM_SHA256")))
2776 goto end;
2777 } else if (idx == 3 || idx == 7 || idx == 9) {
2778 /* Non default ciphersuite */
2779 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2780 "TLS_AES_128_CCM_SHA256")))
2781 goto end;
2782 }
2783
2784 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2785 goto end;
2786
2787 testresult = 1;
2788
2789 end:
2790 SSL_free(serverssl);
2791 SSL_free(clientssl);
2792 SSL_CTX_free(sctx);
2793 SSL_CTX_free(cctx);
2794
2795 return testresult;
2796}
2797
ca0413ae
MC		 2798static int test_ciphersuite_change(void)
2799{
2800 SSL_CTX *cctx = NULL, *sctx = NULL;
2801 SSL *clientssl = NULL, *serverssl = NULL;
2802 SSL_SESSION *clntsess = NULL;
2803 int testresult = 0;
2804 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2805
2806 /* Create a session based on SHA-256 */
7d7f6834
RL		 2807 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2808 TLS1_VERSION, TLS_MAX_VERSION,
2809 &sctx, &cctx, cert, privkey))
f865b081
MC		 2810 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2811 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 2812 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2813 &clientssl, NULL, NULL))
2814 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2815 SSL_ERROR_NONE)))
2816 goto end;
2817
2818 clntsess = SSL_get1_session(clientssl);
2819 /* Save for later */
2820 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2821 SSL_shutdown(clientssl);
2822 SSL_shutdown(serverssl);
2823 SSL_free(serverssl);
2824 SSL_free(clientssl);
2825 serverssl = clientssl = NULL;
2826
71cff963 2827# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 2828 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 2829 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2830 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 2831 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2832 NULL, NULL))
2833 || !TEST_true(SSL_set_session(clientssl, clntsess))
2834 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2835 SSL_ERROR_NONE))
2836 || !TEST_true(SSL_session_reused(clientssl)))
2837 goto end;
2838
2839 SSL_SESSION_free(clntsess);
2840 clntsess = SSL_get1_session(clientssl);
2841 SSL_shutdown(clientssl);
2842 SSL_shutdown(serverssl);
2843 SSL_free(serverssl);
2844 SSL_free(clientssl);
2845 serverssl = clientssl = NULL;
71cff963 2846# endif
ca0413ae
MC		 2847
2848 /*
2849 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2850 * succeeds but does not resume.
ca0413ae 2851 */
f865b081 2852 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2853 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2854 NULL, NULL))
2855 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2856 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2857 SSL_ERROR_SSL))
0de6d66d 2858 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2859 goto end;
2860
2861 SSL_SESSION_free(clntsess);
2862 clntsess = NULL;
2863 SSL_shutdown(clientssl);
2864 SSL_shutdown(serverssl);
2865 SSL_free(serverssl);
2866 SSL_free(clientssl);
2867 serverssl = clientssl = NULL;
2868
2869 /* Create a session based on SHA384 */
f865b081 2870 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2871 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2872 &clientssl, NULL, NULL))
2873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2874 SSL_ERROR_NONE)))
2875 goto end;
2876
2877 clntsess = SSL_get1_session(clientssl);
2878 SSL_shutdown(clientssl);
2879 SSL_shutdown(serverssl);
2880 SSL_free(serverssl);
2881 SSL_free(clientssl);
2882 serverssl = clientssl = NULL;
2883
f865b081
MC		 2884 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2885 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2886 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2887 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2888 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2889 NULL, NULL))
2890 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2891 /*
2892 * We use SSL_ERROR_WANT_READ below so that we can pause the
2893 * connection after the initial ClientHello has been sent to
2894 * enable us to make some session changes.
2895 */
ca0413ae
MC		 2896 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2897 SSL_ERROR_WANT_READ)))
2898 goto end;
2899
2900 /* Trick the client into thinking this session is for a different digest */
2901 clntsess->cipher = aes_128_gcm_sha256;
2902 clntsess->cipher_id = clntsess->cipher->id;
2903
2904 /*
3b0e88d3
MC		 2905 * Continue the previously started connection. Server has selected a SHA-384
2906 * ciphersuite, but client thinks the session is for SHA-256, so it should
2907 * bail out.
ca0413ae
MC		 2908 */
2909 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2910 SSL_ERROR_SSL))
2911 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2912 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2913 goto end;
2914
2915 testresult = 1;
2916
2917 end:
2918 SSL_SESSION_free(clntsess);
2919 SSL_free(serverssl);
2920 SSL_free(clientssl);
2921 SSL_CTX_free(sctx);
2922 SSL_CTX_free(cctx);
2923
2924 return testresult;
2925}
2926
0d8da779
MC		 2927/*
2928 * Test TLSv1.3 PSKs
2929 * Test 0 = Test new style callbacks
2930 * Test 1 = Test both new and old style callbacks
2931 * Test 2 = Test old style callbacks
2932 * Test 3 = Test old style callbacks with no certificate
2933 */
532f9578 2934static int test_tls13_psk(int idx)
ca8c71ba
MC		 2935{
2936 SSL_CTX *sctx = NULL, *cctx = NULL;
2937 SSL *serverssl = NULL, *clientssl = NULL;
2938 const SSL_CIPHER *cipher = NULL;
2939 const unsigned char key[] = {
2940 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2941 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2942 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2943 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2944 };
2945 int testresult = 0;
2946
7d7f6834
RL		 2947 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2948 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 2949 &sctx, &cctx, idx == 3 ? NULL : cert,
2950 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 2951 goto end;
2952
0d8da779
MC		 2953 if (idx != 3) {
2954 /*
2955 * We use a ciphersuite with SHA256 to ease testing old style PSK
2956 * callbacks which will always default to SHA256. This should not be
2957 * necessary if we have no cert/priv key. In that case the server should
2958 * prefer SHA256 automatically.
2959 */
2960 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2961 "TLS_AES_128_GCM_SHA256")))
2962 goto end;
2963 }
532f9578
MC		 2964
2965 /*
2966 * Test 0: New style callbacks only
2967 * Test 1: New and old style callbacks (only the new ones should be used)
2968 * Test 2: Old style callbacks only
2969 */
2970 if (idx == 0 || idx == 1) {
2971 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2972 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2973 }
c2b290c3 2974#ifndef OPENSSL_NO_PSK
0d8da779 2975 if (idx >= 1) {
532f9578
MC		 2976 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2977 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2978 }
c2b290c3 2979#endif
ca8c71ba 2980 srvid = pskid;
02a3ed5a
MC		 2981 use_session_cb_cnt = 0;
2982 find_session_cb_cnt = 0;
532f9578
MC		 2983 psk_client_cb_cnt = 0;
2984 psk_server_cb_cnt = 0;
ca8c71ba 2985
0d8da779
MC		 2986 if (idx != 3) {
2987 /*
2988 * Check we can create a connection if callback decides not to send a
2989 * PSK
2990 */
2991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2992 NULL, NULL))
2993 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2994 SSL_ERROR_NONE))
2995 || !TEST_false(SSL_session_reused(clientssl))
2996 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 2997 goto end;
532f9578 2998
0d8da779
MC		 2999 if (idx == 0 || idx == 1) {
3000 if (!TEST_true(use_session_cb_cnt == 1)
3001 || !TEST_true(find_session_cb_cnt == 0)
3002 /*
3003 * If no old style callback then below should be 0
3004 * otherwise 1
3005 */
3006 || !TEST_true(psk_client_cb_cnt == idx)
3007 || !TEST_true(psk_server_cb_cnt == 0))
3008 goto end;
3009 } else {
3010 if (!TEST_true(use_session_cb_cnt == 0)
3011 || !TEST_true(find_session_cb_cnt == 0)
3012 || !TEST_true(psk_client_cb_cnt == 1)
3013 || !TEST_true(psk_server_cb_cnt == 0))
3014 goto end;
3015 }
3016
3017 shutdown_ssl_connection(serverssl, clientssl);
3018 serverssl = clientssl = NULL;
3019 use_session_cb_cnt = psk_client_cb_cnt = 0;
3020 }
ca8c71ba
MC		 3021
3022 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3023 NULL, NULL)))
3024 goto end;
3025
3026 /* Create the PSK */
532f9578 3027 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3028 clientpsk = SSL_SESSION_new();
3029 if (!TEST_ptr(clientpsk)
ca8c71ba 3030 || !TEST_ptr(cipher)
57dee9bb
MC		 3031 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3032 sizeof(key)))
3033 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3034 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3035 TLS1_3_VERSION))
3036 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3037 goto end;
57dee9bb 3038 serverpsk = clientpsk;
ca8c71ba
MC		 3039
3040 /* Check we can create a connection and the PSK is used */
3041 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3042 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3043 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3044 goto end;
3045
532f9578
MC		 3046 if (idx == 0 || idx == 1) {
3047 if (!TEST_true(use_session_cb_cnt == 1)
3048 || !TEST_true(find_session_cb_cnt == 1)
3049 || !TEST_true(psk_client_cb_cnt == 0)
3050 || !TEST_true(psk_server_cb_cnt == 0))
3051 goto end;
3052 } else {
3053 if (!TEST_true(use_session_cb_cnt == 0)
3054 || !TEST_true(find_session_cb_cnt == 0)
3055 || !TEST_true(psk_client_cb_cnt == 1)
3056 || !TEST_true(psk_server_cb_cnt == 1))
3057 goto end;
3058 }
3059
ca8c71ba
MC		 3060 shutdown_ssl_connection(serverssl, clientssl);
3061 serverssl = clientssl = NULL;
3062 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3063 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3064
3065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3066 NULL, NULL)))
3067 goto end;
3068
3069 /* Force an HRR */
3070 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3071 goto end;
3072
3073 /*
3074 * Check we can create a connection, the PSK is used and the callbacks are
3075 * called twice.
3076 */
3077 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3078 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3079 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3080 goto end;
3081
532f9578
MC		 3082 if (idx == 0 || idx == 1) {
3083 if (!TEST_true(use_session_cb_cnt == 2)
3084 || !TEST_true(find_session_cb_cnt == 2)
3085 || !TEST_true(psk_client_cb_cnt == 0)
3086 || !TEST_true(psk_server_cb_cnt == 0))
3087 goto end;
3088 } else {
3089 if (!TEST_true(use_session_cb_cnt == 0)
3090 || !TEST_true(find_session_cb_cnt == 0)
3091 || !TEST_true(psk_client_cb_cnt == 2)
3092 || !TEST_true(psk_server_cb_cnt == 2))
3093 goto end;
3094 }
3095
ca8c71ba
MC		 3096 shutdown_ssl_connection(serverssl, clientssl);
3097 serverssl = clientssl = NULL;
3098 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3099 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3100
0d8da779
MC		 3101 if (idx != 3) {
3102 /*
3103 * Check that if the server rejects the PSK we can still connect, but with
3104 * a full handshake
3105 */
3106 srvid = "Dummy Identity";
3107 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3108 NULL, NULL))
3109 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3110 SSL_ERROR_NONE))
3111 || !TEST_false(SSL_session_reused(clientssl))
3112 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3113 goto end;
532f9578 3114
0d8da779
MC		 3115 if (idx == 0 || idx == 1) {
3116 if (!TEST_true(use_session_cb_cnt == 1)
3117 || !TEST_true(find_session_cb_cnt == 1)
3118 || !TEST_true(psk_client_cb_cnt == 0)
3119 /*
3120 * If no old style callback then below should be 0
3121 * otherwise 1
3122 */
3123 || !TEST_true(psk_server_cb_cnt == idx))
3124 goto end;
3125 } else {
3126 if (!TEST_true(use_session_cb_cnt == 0)
3127 || !TEST_true(find_session_cb_cnt == 0)
3128 || !TEST_true(psk_client_cb_cnt == 1)
3129 || !TEST_true(psk_server_cb_cnt == 1))
3130 goto end;
3131 }
3132
3133 shutdown_ssl_connection(serverssl, clientssl);
3134 serverssl = clientssl = NULL;
3135 }
ca8c71ba
MC		 3136 testresult = 1;
3137
3138 end:
57dee9bb
MC		 3139 SSL_SESSION_free(clientpsk);
3140 SSL_SESSION_free(serverpsk);
3141 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3142 SSL_free(serverssl);
3143 SSL_free(clientssl);
3144 SSL_CTX_free(sctx);
3145 SSL_CTX_free(cctx);
3146 return testresult;
3147}
3148
c7b8ff25
MC		 3149static unsigned char cookie_magic_value[] = "cookie magic";
3150
3151static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3152 unsigned int *cookie_len)
3153{
3154 /*
3155 * Not suitable as a real cookie generation function but good enough for
3156 * testing!
3157 */
97ea1e7f
MC		 3158 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3159 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3160
3161 return 1;
3162}
3163
3164static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3165 unsigned int cookie_len)
3166{
97ea1e7f 3167 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3168 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3169 return 1;
3170
3171 return 0;
3172}
3173
3fa2812f
BS		 3174static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3175 size_t *cookie_len)
3176{
3177 unsigned int temp;
3178 int res = generate_cookie_callback(ssl, cookie, &temp);
3179 *cookie_len = temp;
3180 return res;
3181}
3182
3183static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3184 size_t cookie_len)
3185{
3186 return verify_cookie_callback(ssl, cookie, cookie_len);
3187}
3188
c7b8ff25
MC		 3189static int test_stateless(void)
3190{
3191 SSL_CTX *sctx = NULL, *cctx = NULL;
3192 SSL *serverssl = NULL, *clientssl = NULL;
3193 int testresult = 0;
3194
7d7f6834
RL		 3195 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3196 TLS1_VERSION, TLS_MAX_VERSION,
3197 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3198 goto end;
3199
e440f513
MC		 3200 /* The arrival of CCS messages can confuse the test */
3201 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3202
3203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3204 NULL, NULL))
3205 /* Send the first ClientHello */
3206 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3207 SSL_ERROR_WANT_READ))
3208 /*
3209 * This should fail with a -1 return because we have no callbacks
3210 * set up
3211 */
3212 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3213 goto end;
3214
3215 /* Fatal error so abandon the connection from this client */
3216 SSL_free(clientssl);
3217 clientssl = NULL;
3218
c7b8ff25 3219 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3220 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3221 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3222
e440f513
MC		 3223 /*
3224 * Create a new connection from the client (we can reuse the server SSL
3225 * object).
3226 */
c7b8ff25
MC		 3227 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3228 NULL, NULL))
3229 /* Send the first ClientHello */
3230 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3231 SSL_ERROR_WANT_READ))
3232 /* This should fail because there is no cookie */
e440f513 3233 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3234 goto end;
3235
3236 /* Abandon the connection from this client */
3237 SSL_free(clientssl);
3238 clientssl = NULL;
3239
3240 /*
3241 * Now create a connection from a new client but with the same server SSL
3242 * object
3243 */
3244 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3245 NULL, NULL))
3246 /* Send the first ClientHello */
3247 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3248 SSL_ERROR_WANT_READ))
3249 /* This should fail because there is no cookie */
e440f513 3250 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3251 /* Send the second ClientHello */
3252 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3253 SSL_ERROR_WANT_READ))
3254 /* This should succeed because a cookie is now present */
e440f513 3255 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3256 /* Complete the connection */
3257 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3258 SSL_ERROR_NONE)))
3259 goto end;
3260
3261 shutdown_ssl_connection(serverssl, clientssl);
3262 serverssl = clientssl = NULL;
3263 testresult = 1;
3264
3265 end:
3266 SSL_free(serverssl);
3267 SSL_free(clientssl);
3268 SSL_CTX_free(sctx);
3269 SSL_CTX_free(cctx);
3270 return testresult;
3271
3272}
ca0413ae 3273#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3274
a37008d9
MC		 3275static int clntaddoldcb = 0;
3276static int clntparseoldcb = 0;
3277static int srvaddoldcb = 0;
3278static int srvparseoldcb = 0;
3279static int clntaddnewcb = 0;
3280static int clntparsenewcb = 0;
3281static int srvaddnewcb = 0;
3282static int srvparsenewcb = 0;
bb01ef3f 3283static int snicb = 0;
a37008d9
MC		 3284
3285#define TEST_EXT_TYPE1 0xff00
3286
3287static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3288 size_t *outlen, int *al, void *add_arg)
3289{
3290 int *server = (int *)add_arg;
3291 unsigned char *data;
3292
3293 if (SSL_is_server(s))
3294 srvaddoldcb++;
3295 else
3296 clntaddoldcb++;
3297
710756a9
RS		 3298 if (*server != SSL_is_server(s)
3299 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3300 return -1;
3301
3302 *data = 1;
3303 *out = data;
3304 *outlen = sizeof(char);
a37008d9
MC		 3305 return 1;
3306}
3307
3308static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3309 void *add_arg)
3310{
3311 OPENSSL_free((unsigned char *)out);
3312}
3313
3314static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3315 size_t inlen, int *al, void *parse_arg)
3316{
3317 int *server = (int *)parse_arg;
3318
3319 if (SSL_is_server(s))
3320 srvparseoldcb++;
3321 else
3322 clntparseoldcb++;
3323
710756a9
RS		 3324 if (*server != SSL_is_server(s)
3325 || inlen != sizeof(char)
3326 || *in != 1)
a37008d9
MC		 3327 return -1;
3328
3329 return 1;
3330}
3331
3332static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3333 const unsigned char **out, size_t *outlen, X509 *x,
3334 size_t chainidx, int *al, void *add_arg)
3335{
3336 int *server = (int *)add_arg;
3337 unsigned char *data;
3338
3339 if (SSL_is_server(s))
3340 srvaddnewcb++;
3341 else
3342 clntaddnewcb++;
3343
710756a9
RS		 3344 if (*server != SSL_is_server(s)
3345 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3346 return -1;
3347
3348 *data = 1;
3349 *out = data;
710756a9 3350 *outlen = sizeof(*data);
a37008d9
MC		 3351 return 1;
3352}
3353
3354static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3355 const unsigned char *out, void *add_arg)
3356{
3357 OPENSSL_free((unsigned char *)out);
3358}
3359
3360static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3361 const unsigned char *in, size_t inlen, X509 *x,
3362 size_t chainidx, int *al, void *parse_arg)
3363{
3364 int *server = (int *)parse_arg;
3365
3366 if (SSL_is_server(s))
3367 srvparsenewcb++;
3368 else
3369 clntparsenewcb++;
3370
710756a9
RS		 3371 if (*server != SSL_is_server(s)
3372 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3373 return -1;
3374
3375 return 1;
3376}
bb01ef3f
MC		 3377
3378static int sni_cb(SSL *s, int *al, void *arg)
3379{
3380 SSL_CTX *ctx = (SSL_CTX *)arg;
3381
3382 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3383 *al = SSL_AD_INTERNAL_ERROR;
3384 return SSL_TLSEXT_ERR_ALERT_FATAL;
3385 }
3386 snicb++;
3387 return SSL_TLSEXT_ERR_OK;
3388}
3389
a37008d9
MC		 3390/*
3391 * Custom call back tests.
3392 * Test 0: Old style callbacks in TLSv1.2
3393 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3394 * Test 2: New style callbacks in TLSv1.2 with SNI
3395 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3396 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3397 */
710756a9
RS		 3398static int test_custom_exts(int tst)
3399{
bb01ef3f 3400 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3401 SSL *clientssl = NULL, *serverssl = NULL;
3402 int testresult = 0;
3403 static int server = 1;
3404 static int client = 0;
3405 SSL_SESSION *sess = NULL;
3406 unsigned int context;
3407
c423ecaa
MC		 3408#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3409 /* Skip tests for TLSv1.2 and below in this case */
3410 if (tst < 3)
3411 return 1;
3412#endif
3413
a37008d9
MC		 3414 /* Reset callback counters */
3415 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3416 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3417 snicb = 0;
a37008d9 3418
7d7f6834
RL		 3419 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3420 TLS1_VERSION, TLS_MAX_VERSION,
3421 &sctx, &cctx, cert, privkey)))
710756a9 3422 goto end;
a37008d9 3423
bb01ef3f 3424 if (tst == 2
7d7f6834
RL		 3425 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3426 TLS1_VERSION, TLS_MAX_VERSION,
3427 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3428 goto end;
3429
3430
3431 if (tst < 3) {
a37008d9
MC		 3432 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3433 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3434 if (sctx2 != NULL)
3435 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3436 }
3437
bb01ef3f 3438 if (tst == 4) {
710756a9
RS		 3439 context = SSL_EXT_CLIENT_HELLO
3440 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3441 | SSL_EXT_TLS1_3_SERVER_HELLO
3442 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3443 | SSL_EXT_TLS1_3_CERTIFICATE
3444 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3445 } else {
710756a9
RS		 3446 context = SSL_EXT_CLIENT_HELLO
3447 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3448 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3449 }
3450
3451 /* Create a client side custom extension */
3452 if (tst == 0) {
710756a9
RS		 3453 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3454 old_add_cb, old_free_cb,
3455 &client, old_parse_cb,
3456 &client)))
3457 goto end;
a37008d9 3458 } else {
710756a9
RS		 3459 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3460 new_add_cb, new_free_cb,
3461 &client, new_parse_cb, &client)))
3462 goto end;
a37008d9
MC		 3463 }
3464
3465 /* Should not be able to add duplicates */
710756a9
RS		 3466 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3467 old_add_cb, old_free_cb,
3468 &client, old_parse_cb,
3469 &client))
3470 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3471 context, new_add_cb,
3472 new_free_cb, &client,
3473 new_parse_cb, &client)))
3474 goto end;
a37008d9
MC		 3475
3476 /* Create a server side custom extension */
3477 if (tst == 0) {
710756a9
RS		 3478 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3479 old_add_cb, old_free_cb,
3480 &server, old_parse_cb,
3481 &server)))
3482 goto end;
a37008d9 3483 } else {
710756a9
RS		 3484 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3485 new_add_cb, new_free_cb,
3486 &server, new_parse_cb, &server)))
3487 goto end;
bb01ef3f
MC		 3488 if (sctx2 != NULL
3489 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3490 context, new_add_cb,
3491 new_free_cb, &server,
3492 new_parse_cb, &server)))
3493 goto end;
a37008d9
MC		 3494 }
3495
3496 /* Should not be able to add duplicates */
710756a9
RS		 3497 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3498 old_add_cb, old_free_cb,
3499 &server, old_parse_cb,
3500 &server))
3501 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3502 context, new_add_cb,
3503 new_free_cb, &server,
3504 new_parse_cb, &server)))
a37008d9 3505 goto end;
a37008d9 3506
bb01ef3f
MC		 3507 if (tst == 2) {
3508 /* Set up SNI */
3509 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3510 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3511 goto end;
3512 }
3513
710756a9
RS		 3514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3515 &clientssl, NULL, NULL))
3516 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3517 SSL_ERROR_NONE)))
a37008d9 3518 goto end;
a37008d9
MC		 3519
3520 if (tst == 0) {
710756a9
RS		 3521 if (clntaddoldcb != 1
3522 || clntparseoldcb != 1
3523 || srvaddoldcb != 1
3524 || srvparseoldcb != 1)
a37008d9 3525 goto end;
bb01ef3f 3526 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3527 if (clntaddnewcb != 1
3528 || clntparsenewcb != 1
3529 || srvaddnewcb != 1
bb01ef3f
MC		 3530 || srvparsenewcb != 1
3531 || (tst != 2 && snicb != 0)
3532 || (tst == 2 && snicb != 1))
a37008d9 3533 goto end;
a37008d9 3534 } else {
36ff232c 3535 /* In this case there 2 NewSessionTicket messages created */
710756a9 3536 if (clntaddnewcb != 1
36ff232c
MC		 3537 || clntparsenewcb != 5
3538 || srvaddnewcb != 5
710756a9 3539 || srvparsenewcb != 1)
a37008d9 3540 goto end;
a37008d9
MC		 3541 }
3542
3543 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3544 SSL_shutdown(clientssl);
3545 SSL_shutdown(serverssl);
a37008d9
MC		 3546 SSL_free(serverssl);
3547 SSL_free(clientssl);
3548 serverssl = clientssl = NULL;
3549
bb01ef3f
MC		 3550 if (tst == 3) {
3551 /* We don't bother with the resumption aspects for this test */
3552 testresult = 1;
3553 goto end;
3554 }
3555
710756a9
RS		 3556 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3557 NULL, NULL))
3558 || !TEST_true(SSL_set_session(clientssl, sess))
3559 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3560 SSL_ERROR_NONE)))
a37008d9 3561 goto end;
a37008d9
MC		 3562
3563 /*
3564 * For a resumed session we expect to add the ClientHello extension. For the
3565 * old style callbacks we ignore it on the server side because they set
3566 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3567 * them.
3568 */
3569 if (tst == 0) {
710756a9
RS		 3570 if (clntaddoldcb != 2
3571 || clntparseoldcb != 1
3572 || srvaddoldcb != 1
3573 || srvparseoldcb != 1)
a37008d9 3574 goto end;
bb01ef3f 3575 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3576 if (clntaddnewcb != 2
3577 || clntparsenewcb != 2
3578 || srvaddnewcb != 2
3579 || srvparsenewcb != 2)
a37008d9 3580 goto end;
a37008d9 3581 } else {
36ff232c
MC		 3582 /*
3583 * No Certificate message extensions in the resumption handshake,
3584 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3585 */
710756a9 3586 if (clntaddnewcb != 2
36ff232c
MC		 3587 || clntparsenewcb != 8
3588 || srvaddnewcb != 8
710756a9 3589 || srvparsenewcb != 2)
a37008d9 3590 goto end;
a37008d9
MC		 3591 }
3592
3593 testresult = 1;
3594
3595end:
3596 SSL_SESSION_free(sess);
3597 SSL_free(serverssl);
3598 SSL_free(clientssl);
bb01ef3f 3599 SSL_CTX_free(sctx2);
a37008d9
MC		 3600 SSL_CTX_free(sctx);
3601 SSL_CTX_free(cctx);
a37008d9
MC		 3602 return testresult;
3603}
3604
16afd71c
MC		 3605/*
3606 * Test loading of serverinfo data in various formats. test_sslmessages actually
3607 * tests to make sure the extensions appear in the handshake
3608 */
3609static int test_serverinfo(int tst)
3610{
3611 unsigned int version;
3612 unsigned char *sibuf;
3613 size_t sibuflen;
3614 int ret, expected, testresult = 0;
3615 SSL_CTX *ctx;
3616
3617 ctx = SSL_CTX_new(TLS_method());
3618 if (!TEST_ptr(ctx))
3619 goto end;
3620
3621 if ((tst & 0x01) == 0x01)
3622 version = SSL_SERVERINFOV2;
3623 else
3624 version = SSL_SERVERINFOV1;
3625
3626 if ((tst & 0x02) == 0x02) {
3627 sibuf = serverinfov2;
3628 sibuflen = sizeof(serverinfov2);
3629 expected = (version == SSL_SERVERINFOV2);
3630 } else {
3631 sibuf = serverinfov1;
3632 sibuflen = sizeof(serverinfov1);
3633 expected = (version == SSL_SERVERINFOV1);
3634 }
3635
3636 if ((tst & 0x04) == 0x04) {
3637 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3638 } else {
3639 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3640
3641 /*
3642 * The version variable is irrelevant in this case - it's what is in the
3643 * buffer that matters
3644 */
3645 if ((tst & 0x02) == 0x02)
3646 expected = 0;
3647 else
3648 expected = 1;
3649 }
3650
3651 if (!TEST_true(ret == expected))
3652 goto end;
3653
3654 testresult = 1;
3655
3656 end:
3657 SSL_CTX_free(ctx);
3658
3659 return testresult;
3660}
3661
2197d1df
MC		 3662/*
3663 * Test that SSL_export_keying_material() produces expected results. There are
3664 * no test vectors so all we do is test that both sides of the communication
3665 * produce the same results for different protocol versions.
3666 */
3667static int test_export_key_mat(int tst)
3668{
a599574b 3669 int testresult = 0;
2197d1df
MC		 3670 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3671 SSL *clientssl = NULL, *serverssl = NULL;
3672 const char label[] = "test label";
3673 const unsigned char context[] = "context";
3674 const unsigned char *emptycontext = NULL;
3675 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3676 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3677 const int protocols[] = {
3678 TLS1_VERSION,
3679 TLS1_1_VERSION,
3680 TLS1_2_VERSION,
3681 TLS1_3_VERSION
3682 };
2197d1df
MC		 3683
3684#ifdef OPENSSL_NO_TLS1
3685 if (tst == 0)
3686 return 1;
3687#endif
3688#ifdef OPENSSL_NO_TLS1_1
3689 if (tst == 1)
3690 return 1;
3691#endif
3692#ifdef OPENSSL_NO_TLS1_2
3693 if (tst == 2)
3694 return 1;
3695#endif
3696#ifdef OPENSSL_NO_TLS1_3
3697 if (tst == 3)
3698 return 1;
3699#endif
7d7f6834
RL		 3700 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3701 TLS1_VERSION, TLS_MAX_VERSION,
3702 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 3703 goto end;
3704
a599574b
MC		 3705 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3706 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3707 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3708
3709 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3710 NULL))
3711 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3712 SSL_ERROR_NONE)))
3713 goto end;
3714
3715 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3716 sizeof(ckeymat1), label,
3717 sizeof(label) - 1, context,
3718 sizeof(context) - 1, 1), 1)
3719 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3720 sizeof(ckeymat2), label,
3721 sizeof(label) - 1,
3722 emptycontext,
3723 0, 1), 1)
3724 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3725 sizeof(ckeymat3), label,
3726 sizeof(label) - 1,
3727 NULL, 0, 0), 1)
3728 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3729 sizeof(skeymat1), label,
3730 sizeof(label) - 1,
3731 context,
3732 sizeof(context) -1, 1),
3733 1)
3734 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3735 sizeof(skeymat2), label,
3736 sizeof(label) - 1,
3737 emptycontext,
3738 0, 1), 1)
3739 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3740 sizeof(skeymat3), label,
3741 sizeof(label) - 1,
3742 NULL, 0, 0), 1)
3743 /*
3744 * Check that both sides created the same key material with the
3745 * same context.
3746 */
3747 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3748 sizeof(skeymat1))
3749 /*
3750 * Check that both sides created the same key material with an
3751 * empty context.
3752 */
3753 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3754 sizeof(skeymat2))
3755 /*
3756 * Check that both sides created the same key material without a
3757 * context.
3758 */
3759 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3760 sizeof(skeymat3))
3761 /* Different contexts should produce different results */
3762 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3763 sizeof(ckeymat2)))
3764 goto end;
3765
3766 /*
3767 * Check that an empty context and no context produce different results in
3768 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3769 */
3770 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3771 sizeof(ckeymat3)))
3772 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3773 sizeof(ckeymat3))))
3774 goto end;
3775
3776 testresult = 1;
3777
3778 end:
3779 SSL_free(serverssl);
3780 SSL_free(clientssl);
3781 SSL_CTX_free(sctx2);
3782 SSL_CTX_free(sctx);
3783 SSL_CTX_free(cctx);
3784
3785 return testresult;
3786}
3787
b38ede80
TT		 3788#ifndef OPENSSL_NO_TLS1_3
3789/*
3790 * Test that SSL_export_keying_material_early() produces expected
3791 * results. There are no test vectors so all we do is test that both
3792 * sides of the communication produce the same results for different
3793 * protocol versions.
3794 */
3795static int test_export_key_mat_early(int idx)
3796{
3797 static const char label[] = "test label";
3798 static const unsigned char context[] = "context";
3799 int testresult = 0;
3800 SSL_CTX *cctx = NULL, *sctx = NULL;
3801 SSL *clientssl = NULL, *serverssl = NULL;
3802 SSL_SESSION *sess = NULL;
3803 const unsigned char *emptycontext = NULL;
3804 unsigned char ckeymat1[80], ckeymat2[80];
3805 unsigned char skeymat1[80], skeymat2[80];
3806 unsigned char buf[1];
3807 size_t readbytes, written;
3808
3809 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3810 &sess, idx)))
3811 goto end;
3812
3813 /* Here writing 0 length early data is enough. */
3814 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3815 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3816 &readbytes),
3817 SSL_READ_EARLY_DATA_ERROR)
3818 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3819 SSL_EARLY_DATA_ACCEPTED))
3820 goto end;
3821
3822 if (!TEST_int_eq(SSL_export_keying_material_early(
3823 clientssl, ckeymat1, sizeof(ckeymat1), label,
3824 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3825 || !TEST_int_eq(SSL_export_keying_material_early(
3826 clientssl, ckeymat2, sizeof(ckeymat2), label,
3827 sizeof(label) - 1, emptycontext, 0), 1)
3828 || !TEST_int_eq(SSL_export_keying_material_early(
3829 serverssl, skeymat1, sizeof(skeymat1), label,
3830 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3831 || !TEST_int_eq(SSL_export_keying_material_early(
3832 serverssl, skeymat2, sizeof(skeymat2), label,
3833 sizeof(label) - 1, emptycontext, 0), 1)
3834 /*
3835 * Check that both sides created the same key material with the
3836 * same context.
3837 */
3838 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3839 sizeof(skeymat1))
3840 /*
3841 * Check that both sides created the same key material with an
3842 * empty context.
3843 */
3844 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3845 sizeof(skeymat2))
3846 /* Different contexts should produce different results */
3847 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3848 sizeof(ckeymat2)))
3849 goto end;
3850
3851 testresult = 1;
3852
3853 end:
c20e3b28 3854 SSL_SESSION_free(sess);
b38ede80
TT		 3855 SSL_SESSION_free(clientpsk);
3856 SSL_SESSION_free(serverpsk);
34ff74eb 3857 clientpsk = serverpsk = NULL;
b38ede80
TT		 3858 SSL_free(serverssl);
3859 SSL_free(clientssl);
3860 SSL_CTX_free(sctx);
3861 SSL_CTX_free(cctx);
3862
3863 return testresult;
3864}
3865#endif /* OPENSSL_NO_TLS1_3 */
3866
e11b6aa4
MC		 3867static int test_ssl_clear(int idx)
3868{
3869 SSL_CTX *cctx = NULL, *sctx = NULL;
3870 SSL *clientssl = NULL, *serverssl = NULL;
3871 int testresult = 0;
3872
3873#ifdef OPENSSL_NO_TLS1_2
3874 if (idx == 1)
3875 return 1;
3876#endif
3877
3878 /* Create an initial connection */
7d7f6834
RL		 3879 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3880 TLS1_VERSION, TLS_MAX_VERSION,
3881 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 3882 || (idx == 1
3883 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3884 TLS1_2_VERSION)))
3885 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3886 &clientssl, NULL, NULL))
3887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3888 SSL_ERROR_NONE)))
3889 goto end;
3890
3891 SSL_shutdown(clientssl);
3892 SSL_shutdown(serverssl);
3893 SSL_free(serverssl);
3894 serverssl = NULL;
3895
3896 /* Clear clientssl - we're going to reuse the object */
3897 if (!TEST_true(SSL_clear(clientssl)))
3898 goto end;
3899
3900 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3901 NULL, NULL))
3902 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3903 SSL_ERROR_NONE))
3904 || !TEST_true(SSL_session_reused(clientssl)))
3905 goto end;
3906
3907 SSL_shutdown(clientssl);
3908 SSL_shutdown(serverssl);
3909
3910 testresult = 1;
3911
3912 end:
3913 SSL_free(serverssl);
3914 SSL_free(clientssl);
3915 SSL_CTX_free(sctx);
3916 SSL_CTX_free(cctx);
3917
3918 return testresult;
3919}
3920
cf72c757
F		 3921/* Parse CH and retrieve any MFL extension value if present */
3922static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3923{
3924 long len;
3925 unsigned char *data;
3926 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3927 unsigned int MFL_code = 0, type = 0;
3928
3929 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3930 goto end;
3931
3932 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3933 /* Skip the record header */
3934 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3935 /* Skip the handshake message header */
3936 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3937 /* Skip client version and random */
3938 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3939 + SSL3_RANDOM_SIZE))
3940 /* Skip session id */
3941 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3942 /* Skip ciphers */
3943 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3944 /* Skip compression */
3945 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3946 /* Extensions len */
3947 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3948 goto end;
3949
3950 /* Loop through all extensions */
3951 while (PACKET_remaining(&pkt2)) {
3952 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3953 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3954 goto end;
3955
3956 if (type == TLSEXT_TYPE_max_fragment_length) {
3957 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3958 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3959 goto end;
3960
3961 *mfl_codemfl_code = MFL_code;
3962 return 1;
3963 }
3964 }
3965
3966 end:
3967 return 0;
3968}
3969
3970/* Maximum-Fragment-Length TLS extension mode to test */
3971static const unsigned char max_fragment_len_test[] = {
3972 TLSEXT_max_fragment_length_512,
3973 TLSEXT_max_fragment_length_1024,
3974 TLSEXT_max_fragment_length_2048,
3975 TLSEXT_max_fragment_length_4096
3976};
3977
3978static int test_max_fragment_len_ext(int idx_tst)
3979{
3980 SSL_CTX *ctx;
3981 SSL *con = NULL;
3982 int testresult = 0, MFL_mode = 0;
3983 BIO *rbio, *wbio;
3984
3985 ctx = SSL_CTX_new(TLS_method());
3986 if (!TEST_ptr(ctx))
3987 goto end;
3988
3989 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3990 ctx, max_fragment_len_test[idx_tst])))
3991 goto end;
3992
3993 con = SSL_new(ctx);
3994 if (!TEST_ptr(con))
3995 goto end;
3996
3997 rbio = BIO_new(BIO_s_mem());
3998 wbio = BIO_new(BIO_s_mem());
3999 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4000 BIO_free(rbio);
4001 BIO_free(wbio);
4002 goto end;
4003 }
4004
4005 SSL_set_bio(con, rbio, wbio);
4006 SSL_set_connect_state(con);
4007
4008 if (!TEST_int_le(SSL_connect(con), 0)) {
4009 /* This shouldn't succeed because we don't have a server! */
4010 goto end;
4011 }
4012
4013 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4014 /* no MFL in client hello */
4015 goto end;
4016 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4017 goto end;
4018
4019 testresult = 1;
4020
4021end:
4022 SSL_free(con);
4023 SSL_CTX_free(ctx);
4024
4025 return testresult;
4026}
4027
9d75dce3
TS		 4028#ifndef OPENSSL_NO_TLS1_3
4029static int test_pha_key_update(void)
4030{
4031 SSL_CTX *cctx = NULL, *sctx = NULL;
4032 SSL *clientssl = NULL, *serverssl = NULL;
4033 int testresult = 0;
4034
7d7f6834
RL		 4035 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4036 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 4037 &sctx, &cctx, cert, privkey)))
4038 return 0;
4039
4040 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4041 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4042 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4043 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4044 goto end;
4045
4046
4047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4048 NULL, NULL)))
4049 goto end;
4050
4051 SSL_force_post_handshake_auth(clientssl);
4052
4053 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4054 SSL_ERROR_NONE)))
4055 goto end;
4056
4057 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4058 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4059 goto end;
4060
4061 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4062 goto end;
4063
4064 /* Start handshake on the server */
4065 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4066 goto end;
4067
4068 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4069 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4070 SSL_ERROR_NONE)))
4071 goto end;
4072
4073 SSL_shutdown(clientssl);
4074 SSL_shutdown(serverssl);
4075
4076 testresult = 1;
4077
4078 end:
4079 SSL_free(serverssl);
4080 SSL_free(clientssl);
4081 SSL_CTX_free(sctx);
4082 SSL_CTX_free(cctx);
4083 return testresult;
4084}
4085#endif
4086
76fd7a1d
MC		 4087#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4088
4089static SRP_VBASE *vbase = NULL;
4090
4091static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4092{
4093 int ret = SSL3_AL_FATAL;
4094 char *username;
4095 SRP_user_pwd *user = NULL;
4096
4097 username = SSL_get_srp_username(s);
4098 if (username == NULL) {
4099 *ad = SSL_AD_INTERNAL_ERROR;
4100 goto err;
4101 }
4102
4103 user = SRP_VBASE_get1_by_user(vbase, username);
4104 if (user == NULL) {
4105 *ad = SSL_AD_INTERNAL_ERROR;
4106 goto err;
4107 }
4108
4109 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4110 user->info) <= 0) {
4111 *ad = SSL_AD_INTERNAL_ERROR;
4112 goto err;
4113 }
4114
4115 ret = 0;
4116
4117 err:
4118 SRP_user_pwd_free(user);
4119 return ret;
4120}
4121
4122static int create_new_vfile(char *userid, char *password, const char *filename)
4123{
4124 char *gNid = NULL;
4125 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4126 TXT_DB *db = NULL;
4127 int ret = 0;
4128 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4129 size_t i;
4130
4131 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4132 goto end;
4133
4134 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4135 &row[DB_srpverifier], NULL, NULL);
4136 if (!TEST_ptr(gNid))
4137 goto end;
4138
4139 /*
4140 * The only way to create an empty TXT_DB is to provide a BIO with no data
4141 * in it!
4142 */
4143 db = TXT_DB_read(dummy, DB_NUMBER);
4144 if (!TEST_ptr(db))
4145 goto end;
4146
4147 out = BIO_new_file(filename, "w");
4148 if (!TEST_ptr(out))
4149 goto end;
4150
4151 row[DB_srpid] = OPENSSL_strdup(userid);
4152 row[DB_srptype] = OPENSSL_strdup("V");
4153 row[DB_srpgN] = OPENSSL_strdup(gNid);
4154
4155 if (!TEST_ptr(row[DB_srpid])
4156 || !TEST_ptr(row[DB_srptype])
4157 || !TEST_ptr(row[DB_srpgN])
4158 || !TEST_true(TXT_DB_insert(db, row)))
4159 goto end;
4160
4161 row = NULL;
4162
4163 if (!TXT_DB_write(out, db))
4164 goto end;
4165
4166 ret = 1;
4167 end:
4168 if (row != NULL) {
4169 for (i = 0; i < DB_NUMBER; i++)
4170 OPENSSL_free(row[i]);
4171 }
4172 OPENSSL_free(row);
4173 BIO_free(dummy);
4174 BIO_free(out);
4175 TXT_DB_free(db);
4176
4177 return ret;
4178}
4179
4180static int create_new_vbase(char *userid, char *password)
4181{
4182 BIGNUM *verifier = NULL, *salt = NULL;
4183 const SRP_gN *lgN = NULL;
4184 SRP_user_pwd *user_pwd = NULL;
4185 int ret = 0;
4186
4187 lgN = SRP_get_default_gN(NULL);
4188 if (!TEST_ptr(lgN))
4189 goto end;
4190
4191 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4192 lgN->N, lgN->g)))
4193 goto end;
4194
4195 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4196 if (!TEST_ptr(user_pwd))
4197 goto end;
4198
4199 user_pwd->N = lgN->N;
4200 user_pwd->g = lgN->g;
4201 user_pwd->id = OPENSSL_strdup(userid);
4202 if (!TEST_ptr(user_pwd->id))
4203 goto end;
4204
4205 user_pwd->v = verifier;
4206 user_pwd->s = salt;
4207 verifier = salt = NULL;
4208
4209 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4210 goto end;
4211 user_pwd = NULL;
4212
4213 ret = 1;
4214end:
4215 SRP_user_pwd_free(user_pwd);
4216 BN_free(salt);
4217 BN_free(verifier);
4218
4219 return ret;
4220}
4221
4222/*
4223 * SRP tests
4224 *
4225 * Test 0: Simple successful SRP connection, new vbase
4226 * Test 1: Connection failure due to bad password, new vbase
4227 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4228 * Test 3: Connection failure due to bad password, vbase loaded from existing
4229 * file
4230 * Test 4: Simple successful SRP connection, vbase loaded from new file
4231 * Test 5: Connection failure due to bad password, vbase loaded from new file
4232 */
4233static int test_srp(int tst)
4234{
4235 char *userid = "test", *password = "password", *tstsrpfile;
4236 SSL_CTX *cctx = NULL, *sctx = NULL;
4237 SSL *clientssl = NULL, *serverssl = NULL;
4238 int ret, testresult = 0;
4239
4240 vbase = SRP_VBASE_new(NULL);
4241 if (!TEST_ptr(vbase))
4242 goto end;
4243
4244 if (tst == 0 || tst == 1) {
4245 if (!TEST_true(create_new_vbase(userid, password)))
4246 goto end;
4247 } else {
4248 if (tst == 4 || tst == 5) {
4249 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4250 goto end;
4251 tstsrpfile = tmpfilename;
4252 } else {
4253 tstsrpfile = srpvfile;
4254 }
4255 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4256 goto end;
4257 }
4258
4259 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4260 TLS1_VERSION, TLS_MAX_VERSION,
4261 &sctx, &cctx, cert, privkey)))
4262 goto end;
4263
4264 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4265 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4266 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4267 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4268 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4269 goto end;
4270
4271 if (tst % 2 == 1) {
4272 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4273 goto end;
4274 } else {
4275 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4276 goto end;
4277 }
4278
4279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4280 NULL, NULL)))
4281 goto end;
4282
4283 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4284 if (ret) {
4285 if (!TEST_true(tst % 2 == 0))
4286 goto end;
4287 } else {
4288 if (!TEST_true(tst % 2 == 1))
4289 goto end;
4290 }
4291
4292 testresult = 1;
4293
4294 end:
4295 SRP_VBASE_free(vbase);
4296 vbase = NULL;
4297 SSL_free(serverssl);
4298 SSL_free(clientssl);
4299 SSL_CTX_free(sctx);
4300 SSL_CTX_free(cctx);
4301
4302 return testresult;
4303}
4304#endif
4305
5718fe45
MC		 4306static int info_cb_failed = 0;
4307static int info_cb_offset = 0;
4308static int info_cb_this_state = -1;
4309
4310static struct info_cb_states_st {
4311 int where;
4312 const char *statestr;
4313} info_cb_states[][60] = {
4314 {
4315 /* TLSv1.2 server followed by resumption */
4316 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4317 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4318 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4319 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4320 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4321 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4322 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4323 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4324 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4325 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4326 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4327 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4328 {SSL_CB_EXIT, NULL}, {0, NULL},
4329 }, {
4330 /* TLSv1.2 client followed by resumption */
4331 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4332 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4333 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4334 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4335 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4336 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4337 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4338 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4339 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4340 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4341 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4342 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4343 }, {
4344 /* TLSv1.3 server followed by resumption */
4345 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4346 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4347 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4348 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4349 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4350 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4351 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4352 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4353 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4354 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4355 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4356 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4357 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4358 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4359 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4360 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4361 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4362 }, {
4363 /* TLSv1.3 client followed by resumption */
4364 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4365 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4366 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4367 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4368 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4369 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4370 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4371 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4372 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4373 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4374 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4375 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4376 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4377 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4378 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4379 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4380 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4381 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4382 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4383 }, {
4384 /* TLSv1.3 server, early_data */
4385 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4386 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4387 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4388 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4389 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4390 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4391 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4392 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4393 {SSL_CB_EXIT, NULL}, {0, NULL},
4394 }, {
4395 /* TLSv1.3 client, early_data */
4396 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4397 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4398 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4399 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4400 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4401 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4402 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4403 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4404 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4405 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4406 }, {
4407 {0, NULL},
4408 }
4409};
4410
4411static void sslapi_info_callback(const SSL *s, int where, int ret)
4412{
4413 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4414
4415 /* We do not ever expect a connection to fail in this test */
4416 if (!TEST_false(ret == 0)) {
4417 info_cb_failed = 1;
4418 return;
4419 }
4420
4421 /*
4422 * Do some sanity checks. We never expect these things to happen in this
4423 * test
4424 */
4425 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4426 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4427 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4428 info_cb_failed = 1;
4429 return;
4430 }
4431
4432 /* Now check we're in the right state */
4433 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4434 info_cb_failed = 1;
4435 return;
4436 }
4437 if ((where & SSL_CB_LOOP) != 0
4438 && !TEST_int_eq(strcmp(SSL_state_string(s),
4439 state[info_cb_this_state].statestr), 0)) {
4440 info_cb_failed = 1;
4441 return;
4442 }
033c181b
MC		 4443
4444 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4445 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4446 info_cb_failed = 1;
4447 return;
4448 }
5718fe45
MC		 4449}
4450
4451/*
4452 * Test the info callback gets called when we expect it to.
4453 *
4454 * Test 0: TLSv1.2, server
4455 * Test 1: TLSv1.2, client
4456 * Test 2: TLSv1.3, server
4457 * Test 3: TLSv1.3, client
4458 * Test 4: TLSv1.3, server, early_data
4459 * Test 5: TLSv1.3, client, early_data
4460 */
4461static int test_info_callback(int tst)
4462{
4463 SSL_CTX *cctx = NULL, *sctx = NULL;
4464 SSL *clientssl = NULL, *serverssl = NULL;
4465 SSL_SESSION *clntsess = NULL;
4466 int testresult = 0;
4467 int tlsvers;
4468
4469 if (tst < 2) {
1aac20f5
MC		 4470/* We need either ECDHE or DHE for the TLSv1.2 test to work */
4471#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
4472 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 4473 tlsvers = TLS1_2_VERSION;
4474#else
4475 return 1;
4476#endif
4477 } else {
4478#ifndef OPENSSL_NO_TLS1_3
4479 tlsvers = TLS1_3_VERSION;
4480#else
4481 return 1;
4482#endif
4483 }
4484
4485 /* Reset globals */
4486 info_cb_failed = 0;
4487 info_cb_this_state = -1;
4488 info_cb_offset = tst;
4489
6e07834c 4490#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4491 if (tst >= 4) {
4492 SSL_SESSION *sess = NULL;
4493 size_t written, readbytes;
4494 unsigned char buf[80];
4495
4496 /* early_data tests */
4497 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4498 &serverssl, &sess, 0)))
4499 goto end;
4500
4501 /* We don't actually need this reference */
4502 SSL_SESSION_free(sess);
4503
4504 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4505 sslapi_info_callback);
4506
4507 /* Write and read some early data and then complete the connection */
4508 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4509 &written))
4510 || !TEST_size_t_eq(written, strlen(MSG1))
4511 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4512 sizeof(buf), &readbytes),
4513 SSL_READ_EARLY_DATA_SUCCESS)
4514 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4516 SSL_EARLY_DATA_ACCEPTED)
4517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4518 SSL_ERROR_NONE))
4519 || !TEST_false(info_cb_failed))
4520 goto end;
4521
4522 testresult = 1;
4523 goto end;
4524 }
6e07834c 4525#endif
5718fe45
MC		 4526
4527 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4528 TLS_client_method(),
4529 tlsvers, tlsvers, &sctx, &cctx, cert,
4530 privkey)))
4531 goto end;
4532
4533 /*
4534 * For even numbered tests we check the server callbacks. For odd numbers we
4535 * check the client.
4536 */
4537 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4538 sslapi_info_callback);
4539
4540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4541 &clientssl, NULL, NULL))
4542 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4543 SSL_ERROR_NONE))
4544 || !TEST_false(info_cb_failed))
4545 goto end;
4546
4547
4548
4549 clntsess = SSL_get1_session(clientssl);
4550 SSL_shutdown(clientssl);
4551 SSL_shutdown(serverssl);
4552 SSL_free(serverssl);
4553 SSL_free(clientssl);
4554 serverssl = clientssl = NULL;
4555
4556 /* Now do a resumption */
4557 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4558 NULL))
4559 || !TEST_true(SSL_set_session(clientssl, clntsess))
4560 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4561 SSL_ERROR_NONE))
4562 || !TEST_true(SSL_session_reused(clientssl))
4563 || !TEST_false(info_cb_failed))
4564 goto end;
4565
4566 testresult = 1;
4567
4568 end:
4569 SSL_free(serverssl);
4570 SSL_free(clientssl);
4571 SSL_SESSION_free(clntsess);
4572 SSL_CTX_free(sctx);
4573 SSL_CTX_free(cctx);
4574 return testresult;
4575}
4576
4a432af8
MC		 4577static int test_ssl_pending(int tst)
4578{
4579 SSL_CTX *cctx = NULL, *sctx = NULL;
4580 SSL *clientssl = NULL, *serverssl = NULL;
4581 int testresult = 0;
4582 char msg[] = "A test message";
4583 char buf[5];
4584 size_t written, readbytes;
4585
4586 if (tst == 0) {
4587 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4588 TLS_client_method(),
4589 TLS1_VERSION, TLS_MAX_VERSION,
4590 &sctx, &cctx, cert, privkey)))
4591 goto end;
4592 } else {
4593#ifndef OPENSSL_NO_DTLS
4594 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4595 DTLS_client_method(),
4596 DTLS1_VERSION, DTLS_MAX_VERSION,
4597 &sctx, &cctx, cert, privkey)))
4598 goto end;
4599#else
4600 return 1;
4601#endif
4602 }
4603
4604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4605 NULL, NULL))
4606 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4607 SSL_ERROR_NONE)))
4608 goto end;
4609
e8251092
MC		 4610 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4611 || !TEST_false(SSL_has_pending(clientssl))
4612 || !TEST_int_eq(SSL_pending(serverssl), 0)
4613 || !TEST_false(SSL_has_pending(serverssl))
4614 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4615 || !TEST_size_t_eq(written, sizeof(msg))
4616 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4617 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4618 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4619 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4620 goto end;
4621
4622 testresult = 1;
4623
4624 end:
4625 SSL_free(serverssl);
4626 SSL_free(clientssl);
4627 SSL_CTX_free(sctx);
4628 SSL_CTX_free(cctx);
4629
4630 return testresult;
4631}
4632
e401389a
MC		 4633static struct {
4634 unsigned int maxprot;
4635 const char *clntciphers;
4636 const char *clnttls13ciphers;
4637 const char *srvrciphers;
4638 const char *srvrtls13ciphers;
4639 const char *shared;
4640} shared_ciphers_data[] = {
60155b9a
MC		 4641/*
4642 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4643 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4644 */
4645#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 4646 {
4647 TLS1_2_VERSION,
4648 "AES128-SHA:AES256-SHA",
4649 NULL,
4650 "AES256-SHA:DHE-RSA-AES128-SHA",
4651 NULL,
4652 "AES256-SHA"
4653 },
4654 {
4655 TLS1_2_VERSION,
4656 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4657 NULL,
4658 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4659 NULL,
4660 "AES128-SHA:AES256-SHA"
4661 },
4662 {
4663 TLS1_2_VERSION,
4664 "AES128-SHA:AES256-SHA",
4665 NULL,
4666 "AES128-SHA:DHE-RSA-AES128-SHA",
4667 NULL,
4668 "AES128-SHA"
4669 },
60155b9a
MC		 4670#endif
4671/*
4672 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4673 * enabled.
4674 */
4675#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4676 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 4677 {
4678 TLS1_3_VERSION,
4679 "AES128-SHA:AES256-SHA",
4680 NULL,
4681 "AES256-SHA:AES128-SHA256",
4682 NULL,
4683 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4684 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4685 },
60155b9a
MC		 4686#endif
4687#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 4688 {
4689 TLS1_3_VERSION,
4690 "AES128-SHA",
4691 "TLS_AES_256_GCM_SHA384",
4692 "AES256-SHA",
4693 "TLS_AES_256_GCM_SHA384",
4694 "TLS_AES_256_GCM_SHA384"
4695 },
4696#endif
4697};
4698
4699static int test_ssl_get_shared_ciphers(int tst)
4700{
4701 SSL_CTX *cctx = NULL, *sctx = NULL;
4702 SSL *clientssl = NULL, *serverssl = NULL;
4703 int testresult = 0;
4704 char buf[1024];
4705
4706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4707 TLS_client_method(),
4708 TLS1_VERSION,
4709 shared_ciphers_data[tst].maxprot,
4710 &sctx, &cctx, cert, privkey)))
4711 goto end;
4712
4713 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4714 shared_ciphers_data[tst].clntciphers))
4715 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4716 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4717 shared_ciphers_data[tst].clnttls13ciphers)))
4718 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4719 shared_ciphers_data[tst].srvrciphers))
4720 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4721 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4722 shared_ciphers_data[tst].srvrtls13ciphers))))
4723 goto end;
4724
4725
4726 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4727 NULL, NULL))
4728 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4729 SSL_ERROR_NONE)))
4730 goto end;
4731
4732 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4733 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4734 TEST_info("Shared ciphers are: %s\n", buf);
4735 goto end;
4736 }
4737
4738 testresult = 1;
4739
4740 end:
4741 SSL_free(serverssl);
4742 SSL_free(clientssl);
4743 SSL_CTX_free(sctx);
4744 SSL_CTX_free(cctx);
4745
4746 return testresult;
4747}
4748
d0191fe0 4749static const char *appdata = "Hello World";
61fb5923
MC		 4750static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4751static int tick_key_renew = 0;
4752static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 4753
4754static int gen_tick_cb(SSL *s, void *arg)
4755{
4756 gen_tick_called = 1;
4757
4758 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4759 strlen(appdata));
4760}
4761
4762static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4763 const unsigned char *keyname,
4764 size_t keyname_length,
61fb5923
MC		 4765 SSL_TICKET_STATUS status,
4766 void *arg)
d0191fe0
MC		 4767{
4768 void *tickdata;
4769 size_t tickdlen;
4770
4771 dec_tick_called = 1;
4772
61fb5923
MC		 4773 if (status == SSL_TICKET_EMPTY)
4774 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 4775
61fb5923
MC		 4776 if (!TEST_true(status == SSL_TICKET_SUCCESS
4777 || status == SSL_TICKET_SUCCESS_RENEW))
4778 return SSL_TICKET_RETURN_ABORT;
4779
4780 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4781 &tickdlen))
d0191fe0
MC		 4782 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4783 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 4784 return SSL_TICKET_RETURN_ABORT;
d0191fe0 4785
61fb5923
MC		 4786 if (tick_key_cb_called) {
4787 /* Don't change what the ticket key callback wanted to do */
4788 switch (status) {
4789 case SSL_TICKET_NO_DECRYPT:
4790 return SSL_TICKET_RETURN_IGNORE_RENEW;
4791
4792 case SSL_TICKET_SUCCESS:
4793 return SSL_TICKET_RETURN_USE;
d0191fe0 4794
61fb5923
MC		 4795 case SSL_TICKET_SUCCESS_RENEW:
4796 return SSL_TICKET_RETURN_USE_RENEW;
4797
4798 default:
4799 return SSL_TICKET_RETURN_ABORT;
4800 }
4801 }
4802 return tick_dec_ret;
4803
4804}
d0191fe0
MC		 4805
4806static int tick_key_cb(SSL *s, unsigned char key_name[16],
4807 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4808 HMAC_CTX *hctx, int enc)
4809{
4810 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4811 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4812
61fb5923 4813 tick_key_cb_called = 1;
d0191fe0
MC		 4814 memset(iv, 0, AES_BLOCK_SIZE);
4815 memset(key_name, 0, 16);
4816 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4817 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4818 EVP_sha256(), NULL))
4819 return -1;
4820
61fb5923 4821 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 4822}
4823
4824/*
4825 * Test the various ticket callbacks
61fb5923
MC		 4826 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4827 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4828 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4829 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4830 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4831 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4832 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4833 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4834 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4835 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4836 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4837 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 4838 */
4839static int test_ticket_callbacks(int tst)
4840{
4841 SSL_CTX *cctx = NULL, *sctx = NULL;
4842 SSL *clientssl = NULL, *serverssl = NULL;
4843 SSL_SESSION *clntsess = NULL;
4844 int testresult = 0;
4845
4846#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 4847 if (tst % 2 == 0)
d0191fe0
MC		 4848 return 1;
4849#endif
4850#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 4851 if (tst % 2 == 1)
d0191fe0
MC		 4852 return 1;
4853#endif
4854
61fb5923 4855 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 4856
4857 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 4858 if (tst == 10 || tst == 11)
4859 tick_key_renew = 1;
d0191fe0 4860 else
61fb5923
MC		 4861 tick_key_renew = 0;
4862
4863 /* Which tests the decrypt ticket callback should request renewal for */
4864 switch (tst) {
4865 case 0:
4866 case 1:
4867 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4868 break;
4869
4870 case 2:
4871 case 3:
4872 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4873 break;
4874
4875 case 4:
4876 case 5:
4877 tick_dec_ret = SSL_TICKET_RETURN_USE;
4878 break;
4879
4880 case 6:
4881 case 7:
4882 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4883 break;
4884
4885 default:
4886 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4887 }
d0191fe0
MC		 4888
4889 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4890 TLS_client_method(),
4891 TLS1_VERSION,
61fb5923
MC		 4892 ((tst % 2) == 0) ? TLS1_2_VERSION
4893 : TLS1_3_VERSION,
d0191fe0
MC		 4894 &sctx, &cctx, cert, privkey)))
4895 goto end;
4896
61fb5923
MC		 4897 /*
4898 * We only want sessions to resume from tickets - not the session cache. So
4899 * switch the cache off.
4900 */
4901 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4902 goto end;
4903
d0191fe0
MC		 4904 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4905 NULL)))
4906 goto end;
4907
61fb5923 4908 if (tst >= 8
d0191fe0
MC		 4909 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4910 goto end;
4911
4912 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4913 NULL, NULL))
4914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4915 SSL_ERROR_NONE)))
4916 goto end;
4917
61fb5923
MC		 4918 /*
4919 * The decrypt ticket key callback in TLSv1.2 should be called even though
4920 * we have no ticket yet, because it gets called with a status of
4921 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4922 * actually send any ticket data). This does not happen in TLSv1.3 because
4923 * it is not valid to send empty ticket data in TLSv1.3.
4924 */
d0191fe0 4925 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 4926 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 4927 goto end;
4928
4929 gen_tick_called = dec_tick_called = 0;
4930
4931 clntsess = SSL_get1_session(clientssl);
4932 SSL_shutdown(clientssl);
4933 SSL_shutdown(serverssl);
4934 SSL_free(serverssl);
4935 SSL_free(clientssl);
4936 serverssl = clientssl = NULL;
4937
4938 /* Now do a resumption */
4939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4940 NULL))
4941 || !TEST_true(SSL_set_session(clientssl, clntsess))
4942 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 4943 SSL_ERROR_NONE)))
d0191fe0
MC		 4944 goto end;
4945
61fb5923
MC		 4946 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
4947 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
4948 if (!TEST_false(SSL_session_reused(clientssl)))
4949 goto end;
4950 } else {
4951 if (!TEST_true(SSL_session_reused(clientssl)))
4952 goto end;
4953 }
4954
d0191fe0 4955 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 4956 (tick_key_renew
4957 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
4958 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
4959 ? 1 : 0)
d0191fe0
MC		 4960 || !TEST_int_eq(dec_tick_called, 1))
4961 goto end;
4962
4963 testresult = 1;
4964
4965 end:
4966 SSL_SESSION_free(clntsess);
4967 SSL_free(serverssl);
4968 SSL_free(clientssl);
4969 SSL_CTX_free(sctx);
4970 SSL_CTX_free(cctx);
4971
4972 return testresult;
4973}
4974
ad887416 4975int setup_tests(void)
2cb4b5f6 4976{
ad887416 4977 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 4978 || !TEST_ptr(privkey = test_get_argument(1))
4979 || !TEST_ptr(srpvfile = test_get_argument(2))
4980 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 4981 return 0;
2cb4b5f6 4982
f297e4ec
RS		 4983 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4984#ifdef OPENSSL_NO_CRYPTO_MDEBUG
4985 TEST_error("not supported in this build");
4986 return 0;
4987#else
4988 int i, mcount, rcount, fcount;
4989
4990 for (i = 0; i < 4; i++)
4991 test_export_key_mat(i);
4992 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4993 test_printf_stdout("malloc %d realloc %d free %d\n",
4994 mcount, rcount, fcount);
4995 return 1;
4996#endif
4997 }
4998
84d5549e 4999 ADD_TEST(test_large_message_tls);
7856332e 5000 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 5001#ifndef OPENSSL_NO_DTLS
84d5549e 5002 ADD_TEST(test_large_message_dtls);
55386bef 5003#endif
8f8c11d8 5004#ifndef OPENSSL_NO_OCSP
c887104f 5005 ADD_TEST(test_tlsext_status_type);
8f8c11d8 5006#endif
eaa776da
MC		 5007 ADD_TEST(test_session_with_only_int_cache);
5008 ADD_TEST(test_session_with_only_ext_cache);
5009 ADD_TEST(test_session_with_both_cache);
36ff232c
MC		 5010#ifndef OPENSSL_NO_TLS1_3
5011 ADD_ALL_TESTS(test_tickets, 3);
5012#endif
7fb4c820 5013 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 5014 ADD_TEST(test_ssl_bio_pop_next_bio);
5015 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5016 ADD_TEST(test_ssl_bio_change_rbio);
5017 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 5018#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 5019 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 5020 ADD_TEST(test_keylog);
c423ecaa 5021#endif
6acdd3e5
CB		 5022#ifndef OPENSSL_NO_TLS1_3
5023 ADD_TEST(test_keylog_no_master_key);
5024#endif
e9ee6536 5025#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 5026 ADD_TEST(test_client_hello_cb);
5f982038
MC		 5027#endif
5028#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 5029 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 5030 /*
5031 * We don't do replay tests for external PSK. Replay protection isn't used
5032 * in that scenario.
5033 */
5034 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 5035 ADD_ALL_TESTS(test_early_data_skip, 3);
5036 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5037 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 5038 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 5039 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 5040# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 5041 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 5042# endif
e9ee6536 5043#endif
a273157a 5044#ifndef OPENSSL_NO_TLS1_3
034cb87b 5045 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 5046 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 5047#ifdef OPENSSL_NO_PSK
5048 ADD_ALL_TESTS(test_tls13_psk, 1);
5049#else
0d8da779 5050 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 5051#endif /* OPENSSL_NO_PSK */
bb01ef3f 5052 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 5053 ADD_TEST(test_stateless);
9d75dce3 5054 ADD_TEST(test_pha_key_update);
a273157a 5055#else
bb01ef3f 5056 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 5057#endif
16afd71c 5058 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 5059 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 5060#ifndef OPENSSL_NO_TLS1_3
5061 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5062#endif
e11b6aa4 5063 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 5064 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 5065#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5066 ADD_ALL_TESTS(test_srp, 6);
5067#endif
5718fe45 5068 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 5069 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 5070 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 5071 ADD_ALL_TESTS(test_ticket_callbacks, 12);
ad887416
P		 5072 return 1;
5073}
2cb4b5f6 5074
ad887416
P		 5075void cleanup_tests(void)
5076{
fa454945 5077 bio_s_mempacket_test_free();
2cb4b5f6 5078}
A mirror of the official openssl repository