]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Updated test command line parsing to support commmon commands
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
fe5d9450 25#include "internal/ktls.h"
ca0413ae 26#include "../ssl/ssl_locl.h"
2cb4b5f6 27
8614a4eb
MC		 28#ifndef OPENSSL_NO_TLS1_3
29
30static SSL_SESSION *clientpsk = NULL;
31static SSL_SESSION *serverpsk = NULL;
32static const char *pskid = "Identity";
33static const char *srvid;
34
35static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
36 size_t *idlen, SSL_SESSION **sess);
37static int find_session_cb(SSL *ssl, const unsigned char *identity,
38 size_t identity_len, SSL_SESSION **sess);
39
40static int use_session_cb_cnt = 0;
41static int find_session_cb_cnt = 0;
42
43static SSL_SESSION *create_a_psk(SSL *ssl);
44#endif
45
2cb4b5f6
MC		 46static char *cert = NULL;
47static char *privkey = NULL;
76fd7a1d
MC		 48static char *srpvfile = NULL;
49static char *tmpfilename = NULL;
2cb4b5f6 50
cffe973c 51#define LOG_BUFFER_SIZE 2048
6acdd3e5 52static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 53static size_t server_log_buffer_index = 0;
6acdd3e5 54static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 55static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 56static int error_writing_log = 0;
57
8f8c11d8 58#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 59static const unsigned char orespder[] = "Dummy OCSP Response";
60static int ocsp_server_called = 0;
61static int ocsp_client_called = 0;
62
63static int cdummyarg = 1;
64static X509 *ocspcert = NULL;
8f8c11d8 65#endif
ba881d3b 66
84d5549e 67#define NUM_EXTRA_CERTS 40
cf72c757 68#define CLIENT_VERSION_LEN 2
84d5549e 69
f1a5939f
CB		 70/*
71 * This structure is used to validate that the correct number of log messages
72 * of various types are emitted when emitting secret logs.
73 */
74struct sslapitest_log_counts {
75 unsigned int rsa_key_exchange_count;
76 unsigned int master_secret_count;
cffe973c 77 unsigned int client_early_secret_count;
f1a5939f
CB		 78 unsigned int client_handshake_secret_count;
79 unsigned int server_handshake_secret_count;
80 unsigned int client_application_secret_count;
81 unsigned int server_application_secret_count;
01a2a654 82 unsigned int early_exporter_secret_count;
6329ce8f 83 unsigned int exporter_secret_count;
f1a5939f
CB		 84};
85
16afd71c
MC		 86
87static unsigned char serverinfov1[] = {
88 0xff, 0xff, /* Dummy extension type */
89 0x00, 0x01, /* Extension length is 1 byte */
90 0xff /* Dummy extension data */
91};
92
93static unsigned char serverinfov2[] = {
94 0x00, 0x00, 0x00,
95 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
96 0xff, 0xff, /* Dummy extension type */
97 0x00, 0x01, /* Extension length is 1 byte */
98 0xff /* Dummy extension data */
99};
100
710756a9
RS		 101static void client_keylog_callback(const SSL *ssl, const char *line)
102{
6acdd3e5
CB		 103 int line_length = strlen(line);
104
105 /* If the log doesn't fit, error out. */
710756a9
RS		 106 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
107 TEST_info("Client log too full");
6acdd3e5
CB		 108 error_writing_log = 1;
109 return;
110 }
111
112 strcat(client_log_buffer, line);
113 client_log_buffer_index += line_length;
710756a9 114 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 115}
116
710756a9
RS		 117static void server_keylog_callback(const SSL *ssl, const char *line)
118{
6acdd3e5
CB		 119 int line_length = strlen(line);
120
121 /* If the log doesn't fit, error out. */
710756a9 122 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 123 TEST_info("Server log too full");
6acdd3e5
CB		 124 error_writing_log = 1;
125 return;
126 }
127
128 strcat(server_log_buffer, line);
129 server_log_buffer_index += line_length;
710756a9 130 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 131}
132
133static int compare_hex_encoded_buffer(const char *hex_encoded,
134 size_t hex_length,
135 const uint8_t *raw,
710756a9
RS		 136 size_t raw_length)
137{
138 size_t i, j;
139 char hexed[3];
6acdd3e5 140
710756a9 141 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 142 return 1;
6acdd3e5 143
710756a9 144 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 145 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 146 if (!TEST_int_eq(hexed[0], hex_encoded[j])
147 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 148 return 1;
6acdd3e5
CB		 149 }
150
151 return 0;
152}
153
154static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 155 const SSL_SESSION *session,
710756a9
RS		 156 struct sslapitest_log_counts *expected)
157{
6acdd3e5
CB		 158 char *token = NULL;
159 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
160 size_t client_random_size = SSL3_RANDOM_SIZE;
161 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
162 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 163 unsigned int rsa_key_exchange_count = 0;
164 unsigned int master_secret_count = 0;
cffe973c 165 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 166 unsigned int client_handshake_secret_count = 0;
167 unsigned int server_handshake_secret_count = 0;
168 unsigned int client_application_secret_count = 0;
169 unsigned int server_application_secret_count = 0;
01a2a654 170 unsigned int early_exporter_secret_count = 0;
6329ce8f 171 unsigned int exporter_secret_count = 0;
6acdd3e5 172
710756a9
RS		 173 for (token = strtok(buffer, " \n"); token != NULL;
174 token = strtok(NULL, " \n")) {
6acdd3e5 175 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 176 /*
177 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 178 * hex-encoded encrypted secret, then the hex-encoded pre-master
179 * secret.
180 */
710756a9 181 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 182 return 0;
710756a9 183 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 184 return 0;
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
f1a5939f
CB		 187 /*
188 * We can't sensibly check the log because the premaster secret is
189 * transient, and OpenSSL doesn't keep hold of it once the master
190 * secret is generated.
191 */
192 rsa_key_exchange_count++;
6acdd3e5 193 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 194 /*
195 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 196 * client random, then the hex-encoded master secret.
197 */
198 client_random_size = SSL_get_client_random(ssl,
199 actual_client_random,
200 SSL3_RANDOM_SIZE);
710756a9 201 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 202 return 0;
6acdd3e5 203
710756a9 204 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 205 return 0;
710756a9 206 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 207 return 0;
710756a9
RS		 208 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
209 actual_client_random,
210 client_random_size)))
f1a5939f 211 return 0;
6acdd3e5 212
710756a9 213 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 214 return 0;
6acdd3e5
CB		 215 master_key_size = SSL_SESSION_get_master_key(session,
216 actual_master_key,
217 master_key_size);
710756a9 218 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 219 return 0;
710756a9
RS		 220 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
221 actual_master_key,
222 master_key_size)))
f1a5939f 223 return 0;
f1a5939f 224 master_secret_count++;
cffe973c
PW		 225 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
226 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 227 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
228 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 229 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 230 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 231 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 232 /*
233 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
234 * client random, and then the hex-encoded secret. In this case,
235 * we treat all of these secrets identically and then just
236 * distinguish between them when counting what we saw.
237 */
cffe973c
PW		 238 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
239 client_early_secret_count++;
240 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 241 client_handshake_secret_count++;
242 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
243 server_handshake_secret_count++;
244 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
245 client_application_secret_count++;
246 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
247 server_application_secret_count++;
01a2a654
PW		 248 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
249 early_exporter_secret_count++;
6329ce8f
PW		 250 else if (strcmp(token, "EXPORTER_SECRET") == 0)
251 exporter_secret_count++;
f1a5939f
CB		 252
253 client_random_size = SSL_get_client_random(ssl,
254 actual_client_random,
255 SSL3_RANDOM_SIZE);
710756a9 256 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 257 return 0;
f1a5939f 258
710756a9 259 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 260 return 0;
710756a9 261 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 262 return 0;
710756a9
RS		 263 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
264 actual_client_random,
265 client_random_size)))
f1a5939f 266 return 0;
6acdd3e5 267
710756a9 268 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 269 return 0;
f1a5939f
CB		 270
271 /*
272 * TODO(TLS1.3): test that application traffic secrets are what
273 * we expect */
6acdd3e5 274 } else {
710756a9 275 TEST_info("Unexpected token %s\n", token);
f1a5939f 276 return 0;
6acdd3e5 277 }
6acdd3e5
CB		 278 }
279
710756a9
RS		 280 /* Got what we expected? */
281 if (!TEST_size_t_eq(rsa_key_exchange_count,
282 expected->rsa_key_exchange_count)
283 || !TEST_size_t_eq(master_secret_count,
284 expected->master_secret_count)
cffe973c
PW		 285 || !TEST_size_t_eq(client_early_secret_count,
286 expected->client_early_secret_count)
710756a9
RS		 287 || !TEST_size_t_eq(client_handshake_secret_count,
288 expected->client_handshake_secret_count)
289 || !TEST_size_t_eq(server_handshake_secret_count,
290 expected->server_handshake_secret_count)
291 || !TEST_size_t_eq(client_application_secret_count,
292 expected->client_application_secret_count)
293 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 294 expected->server_application_secret_count)
01a2a654
PW		 295 || !TEST_size_t_eq(early_exporter_secret_count,
296 expected->early_exporter_secret_count)
6329ce8f
PW		 297 || !TEST_size_t_eq(exporter_secret_count,
298 expected->exporter_secret_count))
710756a9
RS		 299 return 0;
300 return 1;
6acdd3e5
CB		 301}
302
c423ecaa 303#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 304static int test_keylog(void)
305{
6acdd3e5
CB		 306 SSL_CTX *cctx = NULL, *sctx = NULL;
307 SSL *clientssl = NULL, *serverssl = NULL;
308 int testresult = 0;
f1a5939f 309 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 310
311 /* Clean up logging space */
710756a9
RS		 312 memset(client_log_buffer, 0, sizeof(client_log_buffer));
313 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 314 client_log_buffer_index = 0;
315 server_log_buffer_index = 0;
316 error_writing_log = 0;
317
710756a9
RS		 318 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
319 TLS_client_method(),
5c587fb6 320 TLS1_VERSION, 0,
710756a9 321 &sctx, &cctx, cert, privkey)))
6acdd3e5 322 return 0;
6acdd3e5
CB		 323
324 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
325 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
326 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
327
f0deb4d3 328 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 329 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 330 goto end;
f0deb4d3 331
cf10df81
RS		 332 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
333 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 334 goto end;
6acdd3e5 335 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 336 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
337 == client_keylog_callback))
6acdd3e5 338 goto end;
710756a9 339 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 340 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
341 == server_keylog_callback))
6acdd3e5 342 goto end;
6acdd3e5 343
710756a9
RS		 344 /* Now do a handshake and check that the logs have been written to. */
345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
346 &clientssl, NULL, NULL))
347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
348 SSL_ERROR_NONE))
349 || !TEST_false(error_writing_log)
350 || !TEST_int_gt(client_log_buffer_index, 0)
351 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 352 goto end;
6acdd3e5 353
f1a5939f
CB		 354 /*
355 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 356 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 357 * data we expect. For both client and server, we expect to see one master
358 * secret. The client should also see a RSA key exchange.
6acdd3e5 359 */
f1a5939f
CB		 360 expected.rsa_key_exchange_count = 1;
361 expected.master_secret_count = 1;
710756a9
RS		 362 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
363 SSL_get_session(clientssl), &expected)))
6acdd3e5 364 goto end;
f1a5939f
CB		 365
366 expected.rsa_key_exchange_count = 0;
710756a9
RS		 367 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
368 SSL_get_session(serverssl), &expected)))
6acdd3e5 369 goto end;
6acdd3e5
CB		 370
371 testresult = 1;
372
373end:
374 SSL_free(serverssl);
375 SSL_free(clientssl);
376 SSL_CTX_free(sctx);
377 SSL_CTX_free(cctx);
378
379 return testresult;
380}
c423ecaa 381#endif
6acdd3e5
CB		 382
383#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 384static int test_keylog_no_master_key(void)
385{
6acdd3e5
CB		 386 SSL_CTX *cctx = NULL, *sctx = NULL;
387 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 388 SSL_SESSION *sess = NULL;
6acdd3e5 389 int testresult = 0;
f1a5939f 390 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 391 unsigned char buf[1];
392 size_t readbytes, written;
6acdd3e5
CB		 393
394 /* Clean up logging space */
710756a9
RS		 395 memset(client_log_buffer, 0, sizeof(client_log_buffer));
396 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 397 client_log_buffer_index = 0;
398 server_log_buffer_index = 0;
399 error_writing_log = 0;
400
7d7f6834 401 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 402 TLS1_VERSION, 0,
cffe973c
PW		 403 &sctx, &cctx, cert, privkey))
404 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 405 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 406 return 0;
6acdd3e5 407
cf10df81
RS		 408 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
409 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 410 goto end;
6acdd3e5
CB		 411
412 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 413 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
414 == client_keylog_callback))
6acdd3e5 415 goto end;
6acdd3e5 416
710756a9 417 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 418 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
419 == server_keylog_callback))
6acdd3e5 420 goto end;
6acdd3e5 421
710756a9
RS		 422 /* Now do a handshake and check that the logs have been written to. */
423 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
424 &clientssl, NULL, NULL))
425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
426 SSL_ERROR_NONE))
427 || !TEST_false(error_writing_log))
6acdd3e5 428 goto end;
6acdd3e5 429
f1a5939f
CB		 430 /*
431 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 432 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 433 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 434 */
f1a5939f
CB		 435 expected.client_handshake_secret_count = 1;
436 expected.server_handshake_secret_count = 1;
437 expected.client_application_secret_count = 1;
438 expected.server_application_secret_count = 1;
6329ce8f 439 expected.exporter_secret_count = 1;
710756a9
RS		 440 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
441 SSL_get_session(clientssl), &expected))
442 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
443 SSL_get_session(serverssl),
444 &expected)))
6acdd3e5 445 goto end;
6acdd3e5 446
cffe973c
PW		 447 /* Terminate old session and resume with early data. */
448 sess = SSL_get1_session(clientssl);
449 SSL_shutdown(clientssl);
450 SSL_shutdown(serverssl);
451 SSL_free(serverssl);
452 SSL_free(clientssl);
453 serverssl = clientssl = NULL;
454
455 /* Reset key log */
456 memset(client_log_buffer, 0, sizeof(client_log_buffer));
457 memset(server_log_buffer, 0, sizeof(server_log_buffer));
458 client_log_buffer_index = 0;
459 server_log_buffer_index = 0;
460
461 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
462 &clientssl, NULL, NULL))
463 || !TEST_true(SSL_set_session(clientssl, sess))
464 /* Here writing 0 length early data is enough. */
465 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
466 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
467 &readbytes),
468 SSL_READ_EARLY_DATA_ERROR)
469 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
470 SSL_EARLY_DATA_ACCEPTED)
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_true(SSL_session_reused(clientssl)))
474 goto end;
475
476 /* In addition to the previous entries, expect early secrets. */
477 expected.client_early_secret_count = 1;
01a2a654 478 expected.early_exporter_secret_count = 1;
cffe973c
PW		 479 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
480 SSL_get_session(clientssl), &expected))
481 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
482 SSL_get_session(serverssl),
483 &expected)))
484 goto end;
485
6acdd3e5
CB		 486 testresult = 1;
487
488end:
cffe973c 489 SSL_SESSION_free(sess);
6acdd3e5
CB		 490 SSL_free(serverssl);
491 SSL_free(clientssl);
492 SSL_CTX_free(sctx);
493 SSL_CTX_free(cctx);
494
495 return testresult;
496}
497#endif
498
e9ee6536 499#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 500static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 501{
502 int *ctr = arg;
503 const unsigned char *p;
8ea404fb 504 int *exts;
2afaee51
BK		 505 /* We only configure two ciphers, but the SCSV is added automatically. */
506#ifdef OPENSSL_NO_EC
507 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
508#else
509 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
510 0x2c, 0x00, 0xff};
511#endif
8ea404fb
BK		 512 const int expected_extensions[] = {
513#ifndef OPENSSL_NO_EC
514 11, 10,
515#endif
10ed1b72 516 35, 22, 23, 13};
2afaee51
BK		 517 size_t len;
518
519 /* Make sure we can defer processing and get called back. */
520 if ((*ctr)++ == 0)
f1b97da1 521 return SSL_CLIENT_HELLO_RETRY;
2afaee51 522
a9c0d8be 523 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 524 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 525 || !TEST_size_t_eq(
526 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 527 || !TEST_int_eq(*p, 0))
f1b97da1 528 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 529 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 530 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 531 if (len != OSSL_NELEM(expected_extensions) ||
532 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 533 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 534 OPENSSL_free(exts);
f1b97da1 535 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 536 }
537 OPENSSL_free(exts);
f1b97da1 538 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 539}
540
a9c0d8be 541static int test_client_hello_cb(void)
710756a9 542{
2afaee51
BK		 543 SSL_CTX *cctx = NULL, *sctx = NULL;
544 SSL *clientssl = NULL, *serverssl = NULL;
545 int testctr = 0, testresult = 0;
546
7d7f6834 547 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 548 TLS1_VERSION, 0,
7d7f6834 549 &sctx, &cctx, cert, privkey)))
2afaee51 550 goto end;
a9c0d8be 551 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 552
2afaee51
BK		 553 /* The gimpy cipher list we configure can't do TLS 1.3. */
554 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 555
710756a9
RS		 556 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
557 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
558 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
559 &clientssl, NULL, NULL))
560 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 561 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 562 /*
563 * Passing a -1 literal is a hack since
564 * the real value was lost.
565 * */
a9c0d8be
DB		 566 || !TEST_int_eq(SSL_get_error(serverssl, -1),
567 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 568 || !TEST_true(create_ssl_connection(serverssl, clientssl,
569 SSL_ERROR_NONE)))
2afaee51 570 goto end;
2afaee51
BK		 571
572 testresult = 1;
573
574end:
575 SSL_free(serverssl);
576 SSL_free(clientssl);
577 SSL_CTX_free(sctx);
578 SSL_CTX_free(cctx);
579
580 return testresult;
581}
e9ee6536 582#endif
2afaee51 583
84d5549e 584static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 585 const SSL_METHOD *cmeth,
586 int min_version, int max_version,
587 int read_ahead)
84d5549e
MC		 588{
589 SSL_CTX *cctx = NULL, *sctx = NULL;
590 SSL *clientssl = NULL, *serverssl = NULL;
591 int testresult = 0;
592 int i;
710756a9 593 BIO *certbio = NULL;
84d5549e
MC		 594 X509 *chaincert = NULL;
595 int certlen;
596
710756a9 597 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 598 goto end;
84d5549e 599 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 600 BIO_free(certbio);
601 certbio = NULL;
710756a9 602 if (!TEST_ptr(chaincert))
fa454945 603 goto end;
84d5549e 604
7d7f6834
RL		 605 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
606 &sctx, &cctx, cert, privkey)))
84d5549e 607 goto end;
84d5549e 608
710756a9 609 if (read_ahead) {
7856332e
MC		 610 /*
611 * Test that read_ahead works correctly when dealing with large
612 * records
613 */
614 SSL_CTX_set_read_ahead(cctx, 1);
615 }
616
84d5549e
MC		 617 /*
618 * We assume the supplied certificate is big enough so that if we add
619 * NUM_EXTRA_CERTS it will make the overall message large enough. The
620 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 621 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
622 * test we need to have a message larger than that.
84d5549e
MC		 623 */
624 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 625 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
626 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 627 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 628 if (!X509_up_ref(chaincert))
84d5549e 629 goto end;
84d5549e 630 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 631 X509_free(chaincert);
632 goto end;
633 }
634 }
635
710756a9
RS		 636 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
637 NULL, NULL))
638 || !TEST_true(create_ssl_connection(serverssl, clientssl,
639 SSL_ERROR_NONE)))
84d5549e 640 goto end;
84d5549e 641
4bf08600
MC		 642 /*
643 * Calling SSL_clear() first is not required but this tests that SSL_clear()
644 * doesn't leak (when using enable-crypto-mdebug).
645 */
710756a9 646 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 647 goto end;
84d5549e 648
4bf08600 649 testresult = 1;
84d5549e
MC		 650 end:
651 X509_free(chaincert);
652 SSL_free(serverssl);
653 SSL_free(clientssl);
654 SSL_CTX_free(sctx);
655 SSL_CTX_free(cctx);
656
657 return testresult;
658}
659
5e9072ed
MC		 660#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
661 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 662
663/* sock must be connected */
664static int ktls_chk_platform(int sock)
665{
666 if (!ktls_enable(sock))
667 return 0;
668 return 1;
669}
670
671static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd)
672{
673 static char count = 1;
674 unsigned char cbuf[16000] = {0};
675 unsigned char sbuf[16000];
676 size_t err = 0;
677 char crec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
678 char crec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
679 char srec_wseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
680 char srec_wseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
681 char srec_rseq_before[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
682 char srec_rseq_after[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE];
683
684 cbuf[0] = count++;
685 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence,
686 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
687 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence,
688 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
689 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence,
690 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
691
692 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
693 goto end;
694
695 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
696 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
697 goto end;
698 }
699 }
700
701 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
702 goto end;
703
704 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
705 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
706 goto end;
707 }
708 }
709
710 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence,
711 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
712 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence,
713 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
714 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence,
715 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
716
717 /* verify the payload */
718 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
719 goto end;
720
721 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
722 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
723 if (!TEST_mem_ne(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
724 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
725 goto end;
726 } else {
727 if (!TEST_mem_eq(crec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
728 crec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
729 goto end;
730 }
731
732 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
733 if (!TEST_mem_ne(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
734 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
735 goto end;
736 } else {
737 if (!TEST_mem_eq(srec_wseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
738 srec_wseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
739 goto end;
740 }
741
742 if (!TEST_mem_ne(srec_rseq_before, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE,
743 srec_rseq_after, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE))
744 goto end;
745
746 return 1;
747end:
748 return 0;
749}
750
751static int execute_test_ktls(int cis_ktls_tx, int sis_ktls_tx)
752{
753 SSL_CTX *cctx = NULL, *sctx = NULL;
754 SSL *clientssl = NULL, *serverssl = NULL;
755 int testresult = 0;
756 int cfd, sfd;
757
758 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
759 goto end;
760
761 /* Skip this test if the platform does not support ktls */
762 if (!ktls_chk_platform(cfd))
763 return 1;
764
765 /* Create a session based on SHA-256 */
766 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
767 TLS_client_method(),
768 TLS1_2_VERSION, TLS1_2_VERSION,
769 &sctx, &cctx, cert, privkey))
770 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
771 "AES128-GCM-SHA256"))
772 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
773 &clientssl, sfd, cfd)))
774 goto end;
775
776 if (!cis_ktls_tx) {
777 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
778 goto end;
779 }
780
781 if (!sis_ktls_tx) {
782 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
783 goto end;
784 }
785
786 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
787 SSL_ERROR_NONE)))
788 goto end;
789
790 if (!cis_ktls_tx) {
791 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
792 goto end;
793 } else {
794 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
795 goto end;
796 }
797
798 if (!sis_ktls_tx) {
799 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
800 goto end;
801 } else {
802 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
803 goto end;
804 }
805
806 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd)))
807 goto end;
808
809 testresult = 1;
810end:
811 if (clientssl) {
812 SSL_shutdown(clientssl);
813 SSL_free(clientssl);
814 }
815 if (serverssl) {
816 SSL_shutdown(serverssl);
817 SSL_free(serverssl);
818 }
819 SSL_CTX_free(sctx);
820 SSL_CTX_free(cctx);
821 serverssl = clientssl = NULL;
822 return testresult;
823}
824
825static int test_ktls_client_server(void)
826{
827 return execute_test_ktls(1, 1);
828}
829
830static int test_ktls_no_client_server(void)
831{
832 return execute_test_ktls(0, 1);
833}
834
835static int test_ktls_client_no_server(void)
836{
837 return execute_test_ktls(1, 0);
838}
839
840static int test_ktls_no_client_no_server(void)
841{
842 return execute_test_ktls(0, 0);
843}
844
845#endif
846
84d5549e
MC		 847static int test_large_message_tls(void)
848{
7856332e 849 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 850 TLS1_VERSION, 0, 0);
7856332e
MC		 851}
852
853static int test_large_message_tls_read_ahead(void)
854{
855 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 856 TLS1_VERSION, 0, 1);
84d5549e
MC		 857}
858
55386bef 859#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 860static int test_large_message_dtls(void)
861{
7856332e
MC		 862 /*
863 * read_ahead is not relevant to DTLS because DTLS always acts as if
864 * read_ahead is set.
865 */
84d5549e 866 return execute_test_large_message(DTLS_server_method(),
7d7f6834 867 DTLS_client_method(),
5c587fb6 868 DTLS1_VERSION, 0, 0);
84d5549e 869}
55386bef 870#endif
84d5549e 871
8f8c11d8 872#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 873static int ocsp_server_cb(SSL *s, void *arg)
874{
875 int *argi = (int *)arg;
710756a9 876 unsigned char *copy = NULL;
ba881d3b
MC		 877 STACK_OF(OCSP_RESPID) *ids = NULL;
878 OCSP_RESPID *id = NULL;
879
880 if (*argi == 2) {
881 /* In this test we are expecting exactly 1 OCSP_RESPID */
882 SSL_get_tlsext_status_ids(s, &ids);
883 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
884 return SSL_TLSEXT_ERR_ALERT_FATAL;
885
886 id = sk_OCSP_RESPID_value(ids, 0);
887 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
888 return SSL_TLSEXT_ERR_ALERT_FATAL;
889 } else if (*argi != 1) {
890 return SSL_TLSEXT_ERR_ALERT_FATAL;
891 }
892
710756a9 893 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 894 return SSL_TLSEXT_ERR_ALERT_FATAL;
895
710756a9 896 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 897 ocsp_server_called = 1;
ba881d3b
MC		 898 return SSL_TLSEXT_ERR_OK;
899}
900
901static int ocsp_client_cb(SSL *s, void *arg)
902{
903 int *argi = (int *)arg;
904 const unsigned char *respderin;
905 size_t len;
906
907 if (*argi != 1 && *argi != 2)
908 return 0;
909
910 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 911 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 912 return 0;
913
914 ocsp_client_called = 1;
ba881d3b
MC		 915 return 1;
916}
917
2cb4b5f6
MC		 918static int test_tlsext_status_type(void)
919{
ba881d3b
MC		 920 SSL_CTX *cctx = NULL, *sctx = NULL;
921 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 922 int testresult = 0;
ba881d3b
MC		 923 STACK_OF(OCSP_RESPID) *ids = NULL;
924 OCSP_RESPID *id = NULL;
925 BIO *certbio = NULL;
2cb4b5f6 926
7d7f6834 927 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 928 TLS1_VERSION, 0,
7d7f6834 929 &sctx, &cctx, cert, privkey))
ba881d3b 930 return 0;
2cb4b5f6 931
710756a9 932 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 933 goto end;
2cb4b5f6 934
ba881d3b 935 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 936
ba881d3b 937 clientssl = SSL_new(cctx);
710756a9
RS		 938 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
939 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
940 TLSEXT_STATUSTYPE_ocsp))
941 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
942 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 943 goto end;
2cb4b5f6 944
ba881d3b
MC		 945 SSL_free(clientssl);
946 clientssl = NULL;
2cb4b5f6 947
710756a9
RS		 948 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
949 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 950 goto end;
2cb4b5f6 951
ba881d3b 952 clientssl = SSL_new(cctx);
710756a9 953 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 954 goto end;
ba881d3b
MC		 955 SSL_free(clientssl);
956 clientssl = NULL;
957
958 /*
959 * Now actually do a handshake and check OCSP information is exchanged and
960 * the callbacks get called
961 */
ba881d3b
MC		 962 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
963 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
964 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
965 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
967 &clientssl, NULL, NULL))
968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
969 SSL_ERROR_NONE))
970 || !TEST_true(ocsp_client_called)
971 || !TEST_true(ocsp_server_called))
ba881d3b 972 goto end;
ba881d3b
MC		 973 SSL_free(serverssl);
974 SSL_free(clientssl);
975 serverssl = NULL;
976 clientssl = NULL;
977
978 /* Try again but this time force the server side callback to fail */
979 ocsp_client_called = 0;
980 ocsp_server_called = 0;
981 cdummyarg = 0;
710756a9
RS		 982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
983 &clientssl, NULL, NULL))
984 /* This should fail because the callback will fail */
985 || !TEST_false(create_ssl_connection(serverssl, clientssl,
986 SSL_ERROR_NONE))
987 || !TEST_false(ocsp_client_called)
988 || !TEST_false(ocsp_server_called))
ba881d3b 989 goto end;
ba881d3b
MC		 990 SSL_free(serverssl);
991 SSL_free(clientssl);
992 serverssl = NULL;
993 clientssl = NULL;
994
995 /*
996 * This time we'll get the client to send an OCSP_RESPID that it will
997 * accept.
998 */
999 ocsp_client_called = 0;
1000 ocsp_server_called = 0;
1001 cdummyarg = 2;
710756a9
RS		 1002 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1003 &clientssl, NULL, NULL)))
ba881d3b 1004 goto end;
ba881d3b
MC		 1005
1006 /*
1007 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1008 * specific one. We'll use the server cert.
ba881d3b 1009 */
710756a9
RS		 1010 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1011 || !TEST_ptr(id = OCSP_RESPID_new())
1012 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
1013 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
1014 NULL, NULL, NULL))
1015 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
1016 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1017 goto end;
ba881d3b
MC		 1018 id = NULL;
1019 SSL_set_tlsext_status_ids(clientssl, ids);
1020 /* Control has been transferred */
1021 ids = NULL;
1022
1023 BIO_free(certbio);
1024 certbio = NULL;
1025
710756a9
RS		 1026 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1027 SSL_ERROR_NONE))
1028 || !TEST_true(ocsp_client_called)
1029 || !TEST_true(ocsp_server_called))
ba881d3b 1030 goto end;
ba881d3b 1031
2cb4b5f6
MC		 1032 testresult = 1;
1033
1034 end:
ba881d3b
MC		 1035 SSL_free(serverssl);
1036 SSL_free(clientssl);
1037 SSL_CTX_free(sctx);
1038 SSL_CTX_free(cctx);
1039 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1040 OCSP_RESPID_free(id);
1041 BIO_free(certbio);
1042 X509_free(ocspcert);
1043 ocspcert = NULL;
2cb4b5f6
MC		 1044
1045 return testresult;
1046}
8f8c11d8 1047#endif
2cb4b5f6 1048
bf208d95 1049#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1050static int new_called, remove_called, get_called;
eaa776da 1051
eaa776da
MC		 1052static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1053{
1054 new_called++;
c0537ebd
MC		 1055 /*
1056 * sess has been up-refed for us, but we don't actually need it so free it
1057 * immediately.
1058 */
1059 SSL_SESSION_free(sess);
eaa776da
MC		 1060 return 1;
1061}
1062
1063static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1064{
1065 remove_called++;
1066}
1067
7a301f08
MC		 1068static SSL_SESSION *get_sess_val = NULL;
1069
1070static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1071 int *copy)
1072{
0afca811 1073 get_called++;
7a301f08
MC		 1074 *copy = 1;
1075 return get_sess_val;
1076}
1077
7a301f08
MC		 1078static int execute_test_session(int maxprot, int use_int_cache,
1079 int use_ext_cache)
2cb4b5f6
MC		 1080{
1081 SSL_CTX *sctx = NULL, *cctx = NULL;
1082 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1083 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1084# ifndef OPENSSL_NO_TLS1_1
eaa776da 1085 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1086# endif
2cb4b5f6 1087 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1088 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1089
7e885b7b
P		 1090 new_called = remove_called = 0;
1091
36ff232c
MC		 1092 /* TLSv1.3 sends 2 NewSessionTickets */
1093 if (maxprot == TLS1_3_VERSION)
1094 numnewsesstick = 2;
1095
7d7f6834 1096 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1097 TLS1_VERSION, 0,
7d7f6834 1098 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1099 return 0;
2cb4b5f6 1100
7a301f08
MC		 1101 /*
1102 * Only allow the max protocol version so we can force a connection failure
1103 * later
1104 */
1105 SSL_CTX_set_min_proto_version(cctx, maxprot);
1106 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1107
1108 /* Set up session cache */
7e885b7b 1109 if (use_ext_cache) {
eaa776da
MC		 1110 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1111 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1112 }
7e885b7b 1113 if (use_int_cache) {
eaa776da
MC		 1114 /* Also covers instance where both are set */
1115 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1116 } else {
1117 SSL_CTX_set_session_cache_mode(cctx,
1118 SSL_SESS_CACHE_CLIENT
1119 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1120 }
2cb4b5f6 1121
710756a9
RS		 1122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1123 NULL, NULL))
1124 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1125 SSL_ERROR_NONE))
1126 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1127 goto end;
2cb4b5f6 1128
710756a9 1129 /* Should fail because it should already be in the cache */
7e885b7b 1130 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1131 goto end;
7a301f08 1132 if (use_ext_cache
36ff232c
MC		 1133 && (!TEST_int_eq(new_called, numnewsesstick)
1134
1135 || !TEST_int_eq(remove_called, 0)))
b4982125 1136 goto end;
b4982125 1137
c0537ebd
MC		 1138 new_called = remove_called = 0;
1139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1140 &clientssl2, NULL, NULL))
1141 || !TEST_true(SSL_set_session(clientssl2, sess1))
1142 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1143 SSL_ERROR_NONE))
1144 || !TEST_true(SSL_session_reused(clientssl2)))
1145 goto end;
1146
7a301f08
MC		 1147 if (maxprot == TLS1_3_VERSION) {
1148 /*
1149 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1150 * resumed. Since we attempted a resume we should also have removed the
1151 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1152 */
1153 if (use_ext_cache
1154 && (!TEST_int_eq(new_called, 1)
4cb00457 1155 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1156 goto end;
1157 } else {
1158 /*
1159 * In TLSv1.2 we expect to have resumed so no sessions added or
1160 * removed.
1161 */
1162 if (use_ext_cache
1163 && (!TEST_int_eq(new_called, 0)
1164 || !TEST_int_eq(remove_called, 0)))
1165 goto end;
1166 }
c0537ebd
MC		 1167
1168 SSL_SESSION_free(sess1);
1169 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1170 goto end;
1171 shutdown_ssl_connection(serverssl2, clientssl2);
1172 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1173
1174 new_called = remove_called = 0;
710756a9
RS		 1175 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1176 &clientssl2, NULL, NULL))
1177 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1178 SSL_ERROR_NONE)))
2cb4b5f6 1179 goto end;
2cb4b5f6 1180
710756a9 1181 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1182 goto end;
2cb4b5f6 1183
7a301f08 1184 if (use_ext_cache
36ff232c
MC		 1185 && (!TEST_int_eq(new_called, numnewsesstick)
1186 || !TEST_int_eq(remove_called, 0)))
eaa776da 1187 goto end;
eaa776da 1188
c0537ebd 1189 new_called = remove_called = 0;
2cb4b5f6 1190 /*
710756a9
RS		 1191 * This should clear sess2 from the cache because it is a "bad" session.
1192 * See SSL_set_session() documentation.
2cb4b5f6 1193 */
710756a9 1194 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1195 goto end;
7a301f08
MC		 1196 if (use_ext_cache
1197 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1198 goto end;
710756a9 1199 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1200 goto end;
2cb4b5f6 1201
7e885b7b 1202 if (use_int_cache) {
710756a9
RS		 1203 /* Should succeeded because it should not already be in the cache */
1204 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1205 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1206 goto end;
eaa776da
MC		 1207 }
1208
c0537ebd 1209 new_called = remove_called = 0;
eaa776da 1210 /* This shouldn't be in the cache so should fail */
710756a9 1211 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1212 goto end;
2cb4b5f6 1213
7a301f08
MC		 1214 if (use_ext_cache
1215 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1216 goto end;
2cb4b5f6 1217
bf208d95 1218# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1219 new_called = remove_called = 0;
eaa776da
MC		 1220 /* Force a connection failure */
1221 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1222 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1223 &clientssl3, NULL, NULL))
1224 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1225 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1226 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1227 SSL_ERROR_NONE)))
eaa776da 1228 goto end;
b4982125 1229
eaa776da 1230 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1231 if (use_ext_cache
1232 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1233 goto end;
2cb4b5f6 1234
710756a9 1235 /* Should succeed because it should not already be in the cache */
7e885b7b 1236 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1237 goto end;
bf208d95 1238# endif
eaa776da 1239
7a301f08
MC		 1240 /* Now do some tests for server side caching */
1241 if (use_ext_cache) {
1242 SSL_CTX_sess_set_new_cb(cctx, NULL);
1243 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1244 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1245 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1246 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1247 get_sess_val = NULL;
1248 }
1249
1250 SSL_CTX_set_session_cache_mode(cctx, 0);
1251 /* Internal caching is the default on the server side */
1252 if (!use_int_cache)
1253 SSL_CTX_set_session_cache_mode(sctx,
1254 SSL_SESS_CACHE_SERVER
1255 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1256
1257 SSL_free(serverssl1);
1258 SSL_free(clientssl1);
1259 serverssl1 = clientssl1 = NULL;
1260 SSL_free(serverssl2);
1261 SSL_free(clientssl2);
1262 serverssl2 = clientssl2 = NULL;
1263 SSL_SESSION_free(sess1);
1264 sess1 = NULL;
1265 SSL_SESSION_free(sess2);
1266 sess2 = NULL;
1267
1268 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1269 if (maxprot == TLS1_2_VERSION)
1270 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1271 new_called = remove_called = get_called = 0;
7a301f08
MC		 1272 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1273 NULL, NULL))
1274 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1275 SSL_ERROR_NONE))
1276 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1277 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1278 goto end;
1279
ee94ec2e
MC		 1280 if (use_int_cache) {
1281 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1282 /*
1283 * In TLSv1.3 it should not have been added to the internal cache,
1284 * except in the case where we also have an external cache (in that
1285 * case it gets added to the cache in order to generate remove
1286 * events after timeout).
1287 */
1288 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1289 goto end;
1290 } else {
1291 /* Should fail because it should already be in the cache */
1292 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1293 goto end;
1294 }
1295 }
7a301f08
MC		 1296
1297 if (use_ext_cache) {
1298 SSL_SESSION *tmp = sess2;
1299
36ff232c 1300 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1301 || !TEST_int_eq(remove_called, 0)
1302 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1303 goto end;
1304 /*
1305 * Delete the session from the internal cache to force a lookup from
1306 * the external cache. We take a copy first because
1307 * SSL_CTX_remove_session() also marks the session as non-resumable.
1308 */
ee94ec2e 1309 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1310 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1311 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1312 goto end;
1313 SSL_SESSION_free(sess2);
1314 }
7a301f08
MC		 1315 sess2 = tmp;
1316 }
1317
0afca811 1318 new_called = remove_called = get_called = 0;
7a301f08
MC		 1319 get_sess_val = sess2;
1320 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1321 &clientssl2, NULL, NULL))
1322 || !TEST_true(SSL_set_session(clientssl2, sess1))
1323 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1324 SSL_ERROR_NONE))
1325 || !TEST_true(SSL_session_reused(clientssl2)))
1326 goto end;
1327
0afca811 1328 if (use_ext_cache) {
32305f88 1329 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1330 goto end;
1331
1332 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1333 if (!TEST_int_eq(new_called, 1)
1334 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1335 goto end;
1336 } else {
32305f88
MC		 1337 if (!TEST_int_eq(new_called, 0)
1338 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1339 goto end;
1340 }
1341 }
7a301f08 1342
2cb4b5f6 1343 testresult = 1;
eaa776da 1344
2cb4b5f6
MC		 1345 end:
1346 SSL_free(serverssl1);
1347 SSL_free(clientssl1);
1348 SSL_free(serverssl2);
1349 SSL_free(clientssl2);
bf208d95 1350# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1351 SSL_free(serverssl3);
1352 SSL_free(clientssl3);
bf208d95 1353# endif
2cb4b5f6
MC		 1354 SSL_SESSION_free(sess1);
1355 SSL_SESSION_free(sess2);
1356 SSL_CTX_free(sctx);
1357 SSL_CTX_free(cctx);
1358
1359 return testresult;
1360}
bf208d95 1361#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1362
7fb4c820
MC		 1363static int test_session_with_only_int_cache(void)
1364{
7a301f08
MC		 1365#ifndef OPENSSL_NO_TLS1_3
1366 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1367 return 0;
1368#endif
1369
1370#ifndef OPENSSL_NO_TLS1_2
1371 return execute_test_session(TLS1_2_VERSION, 1, 0);
1372#else
1373 return 1;
1374#endif
eaa776da
MC		 1375}
1376
7fb4c820
MC		 1377static int test_session_with_only_ext_cache(void)
1378{
7a301f08
MC		 1379#ifndef OPENSSL_NO_TLS1_3
1380 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1381 return 0;
1382#endif
1383
1384#ifndef OPENSSL_NO_TLS1_2
1385 return execute_test_session(TLS1_2_VERSION, 0, 1);
1386#else
1387 return 1;
1388#endif
eaa776da
MC		 1389}
1390
7fb4c820
MC		 1391static int test_session_with_both_cache(void)
1392{
7a301f08
MC		 1393#ifndef OPENSSL_NO_TLS1_3
1394 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1395 return 0;
1396#endif
1397
1398#ifndef OPENSSL_NO_TLS1_2
1399 return execute_test_session(TLS1_2_VERSION, 1, 1);
1400#else
1401 return 1;
1402#endif
eaa776da
MC		 1403}
1404
04225915 1405#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1406static SSL_SESSION *sesscache[6];
1407static int do_cache;
36ff232c
MC		 1408
1409static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1410{
c22365b3
MC		 1411 if (do_cache) {
1412 sesscache[new_called] = sess;
1413 } else {
1414 /* We don't need the reference to the session, so free it */
1415 SSL_SESSION_free(sess);
1416 }
1417 new_called++;
1418
1419 return 1;
1420}
1421
1422static int post_handshake_verify(SSL *sssl, SSL *cssl)
1423{
1424 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1425 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1426 return 0;
1427
1428 /* Start handshake on the server and client */
1429 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1430 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1431 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1432 || !TEST_true(create_ssl_connection(sssl, cssl,
1433 SSL_ERROR_NONE)))
1434 return 0;
36ff232c
MC		 1435
1436 return 1;
1437}
1438
fbe9dafd 1439static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 1440 SSL_CTX **cctx)
1441{
1442 int sess_id_ctx = 1;
1443
1444 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1445 TLS1_VERSION, 0, sctx,
03cdf559
MC		 1446 cctx, cert, privkey))
1447 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
1448 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
1449 (void *)&sess_id_ctx,
1450 sizeof(sess_id_ctx))))
1451 return 0;
1452
1453 if (stateful)
1454 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
1455
1456 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
1457 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1458 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
1459
1460 return 1;
1461}
1462
1463static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
1464{
1465 SSL *serverssl = NULL, *clientssl = NULL;
1466 int i;
1467
1468 /* Test that we can resume with all the tickets we got given */
1469 for (i = 0; i < idx * 2; i++) {
1470 new_called = 0;
1471 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1472 &clientssl, NULL, NULL))
1473 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1474 goto end;
1475
32097b33 1476 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 1477
1478 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1479 SSL_ERROR_NONE)))
1480 goto end;
1481
1482 /*
1483 * Following a successful resumption we only get 1 ticket. After a
1484 * failed one we should get idx tickets.
1485 */
1486 if (succ) {
1487 if (!TEST_true(SSL_session_reused(clientssl))
1488 || !TEST_int_eq(new_called, 1))
1489 goto end;
1490 } else {
1491 if (!TEST_false(SSL_session_reused(clientssl))
1492 || !TEST_int_eq(new_called, idx))
1493 goto end;
1494 }
1495
1496 new_called = 0;
1497 /* After a post-handshake authentication we should get 1 new ticket */
1498 if (succ
1499 && (!post_handshake_verify(serverssl, clientssl)
1500 || !TEST_int_eq(new_called, 1)))
1501 goto end;
1502
1503 SSL_shutdown(clientssl);
1504 SSL_shutdown(serverssl);
1505 SSL_free(serverssl);
1506 SSL_free(clientssl);
1507 serverssl = clientssl = NULL;
1508 SSL_SESSION_free(sesscache[i]);
1509 sesscache[i] = NULL;
1510 }
1511
1512 return 1;
1513
1514 end:
1515 SSL_free(clientssl);
1516 SSL_free(serverssl);
1517 return 0;
1518}
1519
04d7814a 1520static int test_tickets(int stateful, int idx)
36ff232c
MC		 1521{
1522 SSL_CTX *sctx = NULL, *cctx = NULL;
1523 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 1524 int testresult = 0;
36ff232c
MC		 1525 size_t j;
1526
1527 /* idx is the test number, but also the number of tickets we want */
1528
1529 new_called = 0;
c22365b3 1530 do_cache = 1;
36ff232c 1531
fbe9dafd 1532 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 1533 goto end;
1534
03cdf559
MC		 1535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1536 &clientssl, NULL, NULL)))
1537 goto end;
1538
1539 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1540 SSL_ERROR_NONE))
1541 /* Check we got the number of tickets we were expecting */
1542 || !TEST_int_eq(idx, new_called))
1543 goto end;
04d7814a 1544
03cdf559
MC		 1545 SSL_shutdown(clientssl);
1546 SSL_shutdown(serverssl);
1547 SSL_free(serverssl);
1548 SSL_free(clientssl);
1549 SSL_CTX_free(sctx);
1550 SSL_CTX_free(cctx);
1551 clientssl = serverssl = NULL;
1552 sctx = cctx = NULL;
1553
1554 /*
1555 * Now we try to resume with the tickets we previously created. The
1556 * resumption attempt is expected to fail (because we're now using a new
1557 * SSL_CTX). We should see idx number of tickets issued again.
1558 */
1559
1560 /* Stop caching sessions - just count them */
1561 do_cache = 0;
1562
fbe9dafd 1563 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 1564 goto end;
1565
1566 if (!check_resumption(idx, sctx, cctx, 0))
1567 goto end;
1568
1569 /* Start again with caching sessions */
1570 new_called = 0;
1571 do_cache = 1;
fbe9dafd
MC		 1572 SSL_CTX_free(sctx);
1573 SSL_CTX_free(cctx);
1574 sctx = cctx = NULL;
03cdf559 1575
fbe9dafd 1576 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 1577 goto end;
36ff232c
MC		 1578
1579 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1580 &clientssl, NULL, NULL)))
1581 goto end;
1582
32097b33 1583 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 1584
1585 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1586 SSL_ERROR_NONE))
1587 /* Check we got the number of tickets we were expecting */
1588 || !TEST_int_eq(idx, new_called))
1589 goto end;
1590
1591 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1592 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1593 || !TEST_int_eq(idx * 2, new_called))
1594 goto end;
1595
36ff232c
MC		 1596 SSL_shutdown(clientssl);
1597 SSL_shutdown(serverssl);
1598 SSL_free(serverssl);
1599 SSL_free(clientssl);
1600 serverssl = clientssl = NULL;
1601
c22365b3
MC		 1602 /* Stop caching sessions - just count them */
1603 do_cache = 0;
1604
03cdf559
MC		 1605 /*
1606 * Check we can resume with all the tickets we created. This time around the
1607 * resumptions should all be successful.
1608 */
1609 if (!check_resumption(idx, sctx, cctx, 1))
1610 goto end;
36ff232c
MC		 1611
1612 testresult = 1;
1613
1614 end:
1615 SSL_free(serverssl);
1616 SSL_free(clientssl);
c22365b3 1617 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1618 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1619 sesscache[j] = NULL;
1620 }
36ff232c
MC		 1621 SSL_CTX_free(sctx);
1622 SSL_CTX_free(cctx);
1623
1624 return testresult;
1625}
04d7814a
MC		 1626
1627static int test_stateless_tickets(int idx)
1628{
1629 return test_tickets(0, idx);
1630}
1631
1632static int test_stateful_tickets(int idx)
1633{
1634 return test_tickets(1, idx);
1635}
8614a4eb
MC		 1636
1637static int test_psk_tickets(void)
1638{
1639 SSL_CTX *sctx = NULL, *cctx = NULL;
1640 SSL *serverssl = NULL, *clientssl = NULL;
1641 int testresult = 0;
1642 int sess_id_ctx = 1;
1643
1644 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1645 TLS1_VERSION, 0, &sctx,
8614a4eb
MC		 1646 &cctx, NULL, NULL))
1647 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
1648 (void *)&sess_id_ctx,
1649 sizeof(sess_id_ctx))))
1650 goto end;
1651
1652 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1653 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1654 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
1655 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
1656 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1657 use_session_cb_cnt = 0;
1658 find_session_cb_cnt = 0;
1659 srvid = pskid;
1660 new_called = 0;
1661
1662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1663 NULL, NULL)))
1664 goto end;
1665 clientpsk = serverpsk = create_a_psk(clientssl);
1666 if (!TEST_ptr(clientpsk))
1667 goto end;
1668 SSL_SESSION_up_ref(clientpsk);
1669
1670 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1671 SSL_ERROR_NONE))
1672 || !TEST_int_eq(1, find_session_cb_cnt)
1673 || !TEST_int_eq(1, use_session_cb_cnt)
1674 /* We should always get 1 ticket when using external PSK */
1675 || !TEST_int_eq(1, new_called))
1676 goto end;
1677
1678 testresult = 1;
1679
1680 end:
1681 SSL_free(serverssl);
1682 SSL_free(clientssl);
1683 SSL_CTX_free(sctx);
1684 SSL_CTX_free(cctx);
1685 SSL_SESSION_free(clientpsk);
1686 SSL_SESSION_free(serverpsk);
1687 clientpsk = serverpsk = NULL;
1688
1689 return testresult;
1690}
04225915 1691#endif
36ff232c 1692
7d4488bb
MC		 1693#define USE_NULL 0
1694#define USE_BIO_1 1
1695#define USE_BIO_2 2
1696#define USE_DEFAULT 3
1697
1698#define CONNTYPE_CONNECTION_SUCCESS 0
1699#define CONNTYPE_CONNECTION_FAIL 1
1700#define CONNTYPE_NO_CONNECTION 2
1701
1702#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1703#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1704#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1705# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1706#else
1707# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1708#endif
1709
7d4488bb
MC		 1710#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1711 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1712 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1713
1714static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1715{
1716 switch (type) {
1717 case USE_NULL:
1718 *res = NULL;
1719 break;
1720 case USE_BIO_1:
1721 *res = bio1;
1722 break;
1723 case USE_BIO_2:
1724 *res = bio2;
1725 break;
1726 }
1727}
1728
7d4488bb
MC		 1729
1730/*
1731 * Tests calls to SSL_set_bio() under various conditions.
1732 *
1733 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1734 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1735 * then do more tests where we create a successful connection first using our
1736 * standard connection setup functions, and then call SSL_set_bio() with
1737 * various combinations of valid BIOs or NULL. We then repeat these tests
1738 * following a failed connection. In this last case we are looking to check that
1739 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1740 */
7fb4c820
MC		 1741static int test_ssl_set_bio(int idx)
1742{
7d4488bb 1743 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1744 BIO *bio1 = NULL;
1745 BIO *bio2 = NULL;
0fae8150 1746 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1747 SSL *serverssl = NULL, *clientssl = NULL;
1748 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1749 int testresult = 0;
1750
7d4488bb
MC		 1751 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1752 initrbio = idx % 3;
1753 idx /= 3;
1754 initwbio = idx % 3;
1755 idx /= 3;
1756 newrbio = idx % 3;
1757 idx /= 3;
1758 newwbio = idx % 3;
1759 conntype = CONNTYPE_NO_CONNECTION;
1760 } else {
1761 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1762 initrbio = initwbio = USE_DEFAULT;
1763 newrbio = idx % 2;
1764 idx /= 2;
1765 newwbio = idx % 2;
1766 idx /= 2;
1767 conntype = idx % 2;
1768 }
710756a9 1769
7d4488bb 1770 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1771 TLS1_VERSION, 0,
7d4488bb
MC		 1772 &sctx, &cctx, cert, privkey)))
1773 goto end;
1774
1775 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1776 /*
1777 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1778 * because we reduced the number of tests in the definition of
1779 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1780 * mismatched protocol versions we will force a connection failure.
1781 */
1782 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1783 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1784 }
1785
1786 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1787 NULL, NULL)))
710756a9 1788 goto end;
7fb4c820 1789
710756a9
RS		 1790 if (initrbio == USE_BIO_1
1791 || initwbio == USE_BIO_1
1792 || newrbio == USE_BIO_1
7fb4c820 1793 || newwbio == USE_BIO_1) {
710756a9 1794 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1795 goto end;
7fb4c820
MC		 1796 }
1797
710756a9
RS		 1798 if (initrbio == USE_BIO_2
1799 || initwbio == USE_BIO_2
1800 || newrbio == USE_BIO_2
7fb4c820 1801 || newwbio == USE_BIO_2) {
710756a9 1802 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1803 goto end;
7fb4c820
MC		 1804 }
1805
7d4488bb
MC		 1806 if (initrbio != USE_DEFAULT) {
1807 setupbio(&irbio, bio1, bio2, initrbio);
1808 setupbio(&iwbio, bio1, bio2, initwbio);
1809 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1810
7d4488bb
MC		 1811 /*
1812 * We want to maintain our own refs to these BIO, so do an up ref for
1813 * each BIO that will have ownership transferred in the SSL_set_bio()
1814 * call
1815 */
1816 if (irbio != NULL)
1817 BIO_up_ref(irbio);
1818 if (iwbio != NULL && iwbio != irbio)
1819 BIO_up_ref(iwbio);
1820 }
7fb4c820 1821
7d4488bb
MC		 1822 if (conntype != CONNTYPE_NO_CONNECTION
1823 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1824 SSL_ERROR_NONE)
1825 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1826 goto end;
7fb4c820
MC		 1827
1828 setupbio(&nrbio, bio1, bio2, newrbio);
1829 setupbio(&nwbio, bio1, bio2, newwbio);
1830
1831 /*
1832 * We will (maybe) transfer ownership again so do more up refs.
1833 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1834 * already been set!
1835 */
710756a9
RS		 1836 if (nrbio != NULL
1837 && nrbio != irbio
1838 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1839 BIO_up_ref(nrbio);
710756a9
RS		 1840 if (nwbio != NULL
1841 && nwbio != nrbio
1842 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1843 BIO_up_ref(nwbio);
1844
7d4488bb 1845 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1846
1847 testresult = 1;
1848
1849 end:
7fb4c820
MC		 1850 BIO_free(bio1);
1851 BIO_free(bio2);
710756a9 1852
7fb4c820
MC		 1853 /*
1854 * This test is checking that the ref counting for SSL_set_bio is correct.
1855 * If we get here and we did too many frees then we will fail in the above
1856 * functions. If we haven't done enough then this will only be detected in
1857 * a crypto-mdebug build
1858 */
7d4488bb
MC		 1859 SSL_free(serverssl);
1860 SSL_free(clientssl);
1861 SSL_CTX_free(sctx);
1862 SSL_CTX_free(cctx);
7fb4c820
MC		 1863 return testresult;
1864}
1865
7e885b7b 1866typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1867
7e885b7b 1868static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1869{
1870 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1871 SSL_CTX *ctx;
9a716987
MC		 1872 SSL *ssl = NULL;
1873 int testresult = 0;
1874
710756a9
RS		 1875 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1876 || !TEST_ptr(ssl = SSL_new(ctx))
1877 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1878 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1879 goto end;
9a716987
MC		 1880
1881 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1882
1883 /*
1884 * If anything goes wrong here then we could leak memory, so this will
1885 * be caught in a crypto-mdebug build
1886 */
1887 BIO_push(sslbio, membio1);
1888
69687aa8 1889 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1890 if (change_bio != NO_BIO_CHANGE) {
710756a9 1891 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1892 goto end;
7e885b7b 1893 if (change_bio == CHANGE_RBIO)
65e2d672 1894 SSL_set0_rbio(ssl, membio2);
9a716987 1895 else
65e2d672 1896 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1897 }
1898 ssl = NULL;
1899
7e885b7b 1900 if (pop_ssl)
9a716987
MC		 1901 BIO_pop(sslbio);
1902 else
1903 BIO_pop(membio1);
1904
1905 testresult = 1;
1906 end:
1907 BIO_free(membio1);
1908 BIO_free(sslbio);
1909 SSL_free(ssl);
1910 SSL_CTX_free(ctx);
1911
1912 return testresult;
1913}
1914
1915static int test_ssl_bio_pop_next_bio(void)
1916{
7e885b7b 1917 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1918}
1919
1920static int test_ssl_bio_pop_ssl_bio(void)
1921{
7e885b7b 1922 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1923}
1924
1925static int test_ssl_bio_change_rbio(void)
1926{
7e885b7b 1927 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1928}
1929
1930static int test_ssl_bio_change_wbio(void)
1931{
7e885b7b 1932 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1933}
1934
c423ecaa 1935#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1936typedef struct {
1937 /* The list of sig algs */
1938 const int *list;
1939 /* The length of the list */
1940 size_t listlen;
1941 /* A sigalgs list in string format */
1942 const char *liststr;
1943 /* Whether setting the list should succeed */
1944 int valid;
1945 /* Whether creating a connection with the list should succeed */
1946 int connsuccess;
1947} sigalgs_list;
1948
1949static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1950# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1951static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1952static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1953# endif
f1b25aae
MC		 1954static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1955static const int invalidlist2[] = {NID_sha256, NID_undef};
1956static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1957static const int invalidlist4[] = {NID_sha256};
1958static const sigalgs_list testsigalgs[] = {
1959 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1960# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1961 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1962 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1963# endif
f1b25aae 1964 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1965# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1966 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1967 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1968# endif
f1b25aae
MC		 1969 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1970 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1971 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1972 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1973 {NULL, 0, "RSA", 0, 0},
1974 {NULL, 0, "SHA256", 0, 0},
1975 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1976 {NULL, 0, "Invalid", 0, 0}
1977};
f1b25aae
MC		 1978
1979static int test_set_sigalgs(int idx)
1980{
1981 SSL_CTX *cctx = NULL, *sctx = NULL;
1982 SSL *clientssl = NULL, *serverssl = NULL;
1983 int testresult = 0;
1984 const sigalgs_list *curr;
1985 int testctx;
1986
1987 /* Should never happen */
710756a9 1988 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1989 return 0;
1990
1991 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1992 curr = testctx ? &testsigalgs[idx]
1993 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1994
7d7f6834 1995 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 1996 TLS1_VERSION, 0,
7d7f6834 1997 &sctx, &cctx, cert, privkey)))
f1b25aae 1998 return 0;
f1b25aae 1999
d2e491f2
MC		 2000 /*
2001 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2002 * for TLSv1.2 for now until we add a new API.
2003 */
2004 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2005
f1b25aae
MC		 2006 if (testctx) {
2007 int ret;
710756a9 2008
f1b25aae
MC		 2009 if (curr->list != NULL)
2010 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2011 else
2012 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2013
2014 if (!ret) {
2015 if (curr->valid)
710756a9 2016 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2017 else
2018 testresult = 1;
2019 goto end;
2020 }
2021 if (!curr->valid) {
710756a9 2022 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2023 goto end;
2024 }
2025 }
2026
710756a9
RS		 2027 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2028 &clientssl, NULL, NULL)))
f1b25aae 2029 goto end;
f1b25aae
MC		 2030
2031 if (!testctx) {
2032 int ret;
2033
2034 if (curr->list != NULL)
2035 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2036 else
2037 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2038 if (!ret) {
2039 if (curr->valid)
710756a9 2040 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2041 else
2042 testresult = 1;
2043 goto end;
2044 }
710756a9 2045 if (!curr->valid)
f1b25aae 2046 goto end;
f1b25aae
MC		 2047 }
2048
710756a9
RS		 2049 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2050 SSL_ERROR_NONE),
2051 curr->connsuccess))
f1b25aae 2052 goto end;
f1b25aae
MC		 2053
2054 testresult = 1;
2055
2056 end:
2057 SSL_free(serverssl);
2058 SSL_free(clientssl);
2059 SSL_CTX_free(sctx);
2060 SSL_CTX_free(cctx);
2061
2062 return testresult;
2063}
c423ecaa 2064#endif
f1b25aae 2065
fff202e5 2066#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2067static int psk_client_cb_cnt = 0;
2068static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2069
2070static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2071 size_t *idlen, SSL_SESSION **sess)
2072{
2073 switch (++use_session_cb_cnt) {
2074 case 1:
2075 /* The first call should always have a NULL md */
2076 if (md != NULL)
2077 return 0;
2078 break;
2079
2080 case 2:
2081 /* The second call should always have an md */
2082 if (md == NULL)
2083 return 0;
2084 break;
2085
2086 default:
2087 /* We should only be called a maximum of twice */
2088 return 0;
2089 }
2090
57dee9bb
MC		 2091 if (clientpsk != NULL)
2092 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2093
57dee9bb 2094 *sess = clientpsk;
02a3ed5a
MC		 2095 *id = (const unsigned char *)pskid;
2096 *idlen = strlen(pskid);
2097
2098 return 1;
2099}
2100
c2b290c3 2101#ifndef OPENSSL_NO_PSK
532f9578
MC		 2102static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2103 unsigned int max_id_len,
2104 unsigned char *psk,
2105 unsigned int max_psk_len)
2106{
2107 unsigned int psklen = 0;
2108
2109 psk_client_cb_cnt++;
2110
2111 if (strlen(pskid) + 1 > max_id_len)
2112 return 0;
2113
2114 /* We should only ever be called a maximum of twice per connection */
2115 if (psk_client_cb_cnt > 2)
2116 return 0;
2117
2118 if (clientpsk == NULL)
2119 return 0;
2120
2121 /* We'll reuse the PSK we set up for TLSv1.3 */
2122 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2123 return 0;
2124 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2125 strncpy(id, pskid, max_id_len);
2126
2127 return psklen;
2128}
c2b290c3 2129#endif /* OPENSSL_NO_PSK */
532f9578 2130
02a3ed5a
MC		 2131static int find_session_cb(SSL *ssl, const unsigned char *identity,
2132 size_t identity_len, SSL_SESSION **sess)
2133{
2134 find_session_cb_cnt++;
2135
2136 /* We should only ever be called a maximum of twice per connection */
2137 if (find_session_cb_cnt > 2)
2138 return 0;
2139
57dee9bb 2140 if (serverpsk == NULL)
02a3ed5a
MC		 2141 return 0;
2142
2143 /* Identity should match that set by the client */
2144 if (strlen(srvid) != identity_len
2145 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2146 /* No PSK found, continue but without a PSK */
2147 *sess = NULL;
2148 return 1;
2149 }
2150
57dee9bb
MC		 2151 SSL_SESSION_up_ref(serverpsk);
2152 *sess = serverpsk;
02a3ed5a
MC		 2153
2154 return 1;
2155}
2156
c2b290c3 2157#ifndef OPENSSL_NO_PSK
532f9578
MC		 2158static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2159 unsigned char *psk, unsigned int max_psk_len)
2160{
2161 unsigned int psklen = 0;
2162
2163 psk_server_cb_cnt++;
2164
2165 /* We should only ever be called a maximum of twice per connection */
2166 if (find_session_cb_cnt > 2)
2167 return 0;
2168
2169 if (serverpsk == NULL)
2170 return 0;
2171
2172 /* Identity should match that set by the client */
2173 if (strcmp(srvid, identity) != 0) {
2174 return 0;
2175 }
2176
2177 /* We'll reuse the PSK we set up for TLSv1.3 */
2178 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2179 return 0;
2180 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2181
2182 return psklen;
2183}
c2b290c3 2184#endif /* OPENSSL_NO_PSK */
532f9578 2185
5f982038
MC		 2186#define MSG1 "Hello"
2187#define MSG2 "World."
2188#define MSG3 "This"
2189#define MSG4 "is"
2190#define MSG5 "a"
90049cea
MC		 2191#define MSG6 "test"
2192#define MSG7 "message."
5f982038 2193
02a3ed5a 2194#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 2195#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 2196
8614a4eb
MC		 2197
2198static SSL_SESSION *create_a_psk(SSL *ssl)
2199{
2200 const SSL_CIPHER *cipher = NULL;
2201 const unsigned char key[] = {
2202 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2203 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2204 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2205 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2206 0x2c, 0x2d, 0x2e, 0x2f
2207 };
2208 SSL_SESSION *sess = NULL;
2209
2210 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2211 sess = SSL_SESSION_new();
2212 if (!TEST_ptr(sess)
2213 || !TEST_ptr(cipher)
2214 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2215 sizeof(key)))
2216 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2217 || !TEST_true(
2218 SSL_SESSION_set_protocol_version(sess,
2219 TLS1_3_VERSION))) {
2220 SSL_SESSION_free(sess);
2221 return NULL;
2222 }
2223 return sess;
2224}
2225
5f982038
MC		 2226/*
2227 * Helper method to setup objects for early data test. Caller frees objects on
2228 * error.
2229 */
2230static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2231 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2232{
5a421415
MC		 2233 if (*sctx == NULL
2234 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2235 TLS_client_method(),
5c587fb6 2236 TLS1_VERSION, 0,
5a421415
MC		 2237 sctx, cctx, cert, privkey)))
2238 return 0;
2239
2240 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2241 return 0;
5f982038 2242
02a3ed5a
MC		 2243 if (idx == 1) {
2244 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2245 SSL_CTX_set_read_ahead(*cctx, 1);
2246 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2247 } else if (idx == 2) {
2248 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2249 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2250 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2251 use_session_cb_cnt = 0;
2252 find_session_cb_cnt = 0;
2253 srvid = pskid;
3cb47b4e
MC		 2254 }
2255
710756a9 2256 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2257 NULL, NULL)))
2258 return 0;
2259
141e4709
MC		 2260 /*
2261 * For one of the run throughs (doesn't matter which one), we'll try sending
2262 * some SNI data in the initial ClientHello. This will be ignored (because
2263 * there is no SNI cb set up by the server), so it should not impact
2264 * early_data.
2265 */
2266 if (idx == 1
2267 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2268 return 0;
2269
02a3ed5a 2270 if (idx == 2) {
8614a4eb 2271 clientpsk = create_a_psk(*clientssl);
57dee9bb 2272 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2273 /*
2274 * We just choose an arbitrary value for max_early_data which
2275 * should be big enough for testing purposes.
2276 */
57dee9bb
MC		 2277 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2278 0x100))
2279 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2280 SSL_SESSION_free(clientpsk);
2281 clientpsk = NULL;
02a3ed5a
MC		 2282 return 0;
2283 }
57dee9bb 2284 serverpsk = clientpsk;
02a3ed5a 2285
c20e3b28
MC		 2286 if (sess != NULL) {
2287 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2288 SSL_SESSION_free(clientpsk);
2289 SSL_SESSION_free(serverpsk);
2290 clientpsk = serverpsk = NULL;
2291 return 0;
2292 }
57dee9bb 2293 *sess = clientpsk;
c20e3b28 2294 }
02a3ed5a
MC		 2295 return 1;
2296 }
2297
2298 if (sess == NULL)
2299 return 1;
2300
2301 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
2302 SSL_ERROR_NONE)))
5f982038 2303 return 0;
5f982038
MC		 2304
2305 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 2306 SSL_shutdown(*clientssl);
2307 SSL_shutdown(*serverssl);
5f982038
MC		 2308 SSL_free(*serverssl);
2309 SSL_free(*clientssl);
2310 *serverssl = *clientssl = NULL;
2311
710756a9
RS		 2312 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
2313 clientssl, NULL, NULL))
2314 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 2315 return 0;
5f982038
MC		 2316
2317 return 1;
2318}
2319
3cb47b4e 2320static int test_early_data_read_write(int idx)
5f982038
MC		 2321{
2322 SSL_CTX *cctx = NULL, *sctx = NULL;
2323 SSL *clientssl = NULL, *serverssl = NULL;
2324 int testresult = 0;
2325 SSL_SESSION *sess = NULL;
9b5c865d
MC		 2326 unsigned char buf[20], data[1024];
2327 size_t readbytes, written, eoedlen, rawread, rawwritten;
2328 BIO *rbio;
5f982038 2329
710756a9
RS		 2330 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2331 &serverssl, &sess, idx)))
5f982038
MC		 2332 goto end;
2333
2334 /* Write and read some early data */
710756a9
RS		 2335 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2336 &written))
2337 || !TEST_size_t_eq(written, strlen(MSG1))
2338 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
2339 sizeof(buf), &readbytes),
2340 SSL_READ_EARLY_DATA_SUCCESS)
2341 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
2342 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2343 SSL_EARLY_DATA_ACCEPTED))
5f982038 2344 goto end;
5f982038
MC		 2345
2346 /*
09f28874 2347 * Server should be able to write data, and client should be able to
5f982038
MC		 2348 * read it.
2349 */
710756a9
RS		 2350 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
2351 &written))
2352 || !TEST_size_t_eq(written, strlen(MSG2))
2353 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2354 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2355 goto end;
5f982038
MC		 2356
2357 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 2358 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
2359 &written))
2360 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 2361 goto end;
5f982038 2362
09f28874 2363 /* Server should still be able read early data after writing data */
710756a9
RS		 2364 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2365 &readbytes),
2366 SSL_READ_EARLY_DATA_SUCCESS)
2367 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 2368 goto end;
5f982038 2369
09f28874 2370 /* Write more data from server and read it from client */
710756a9
RS		 2371 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2372 &written))
2373 || !TEST_size_t_eq(written, strlen(MSG4))
2374 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2375 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2376 goto end;
5f982038
MC		 2377
2378 /*
2379 * If client writes normal data it should mean writing early data is no
2380 * longer possible.
2381 */
710756a9
RS		 2382 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2383 || !TEST_size_t_eq(written, strlen(MSG5))
2384 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2385 SSL_EARLY_DATA_ACCEPTED))
5f982038 2386 goto end;
5f982038 2387
9b5c865d
MC		 2388 /*
2389 * At this point the client has written EndOfEarlyData, ClientFinished and
2390 * normal (fully protected) data. We are going to cause a delay between the
2391 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2392 * in the read BIO, and then just put back the EndOfEarlyData message.
2393 */
2394 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2395 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2396 || !TEST_size_t_lt(rawread, sizeof(data))
2397 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2398 goto end;
710756a9 2399
9b5c865d
MC		 2400 /* Record length is in the 4th and 5th bytes of the record header */
2401 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2402 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2403 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2404 goto end;
9b5c865d 2405
5f982038 2406 /* Server should be told that there is no more early data */
710756a9
RS		 2407 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2408 &readbytes),
2409 SSL_READ_EARLY_DATA_FINISH)
2410 || !TEST_size_t_eq(readbytes, 0))
5f982038 2411 goto end;
5f982038 2412
9b5c865d
MC		 2413 /*
2414 * Server has not finished init yet, so should still be able to write early
2415 * data.
2416 */
710756a9
RS		 2417 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2418 &written))
2419 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2420 goto end;
9b5c865d 2421
f8a303fa 2422 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2423 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2424 &rawwritten))
2425 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2426 goto end;
f8a303fa 2427
5f982038 2428 /* Server should be able to read normal data */
710756a9
RS		 2429 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2430 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2431 goto end;
5f982038 2432
09f28874 2433 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2434 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2435 &written)))
5f982038 2436 goto end;
5f982038 2437 ERR_clear_error();
710756a9
RS		 2438 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2439 &readbytes),
2440 SSL_READ_EARLY_DATA_ERROR))
5f982038 2441 goto end;
5f982038
MC		 2442 ERR_clear_error();
2443
9b5c865d 2444 /* Client should be able to read the data sent by the server */
710756a9
RS		 2445 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2446 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2447 goto end;
710756a9 2448
f8a303fa 2449 /*
36ff232c
MC		 2450 * Make sure we process the two NewSessionTickets. These arrive
2451 * post-handshake. We attempt reads which we do not expect to return any
2452 * data.
f8a303fa 2453 */
36ff232c
MC		 2454 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2455 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2456 &readbytes)))
f8a303fa 2457 goto end;
5f982038 2458
90049cea 2459 /* Server should be able to write normal data */
710756a9
RS		 2460 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2461 || !TEST_size_t_eq(written, strlen(MSG7))
2462 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2463 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2464 goto end;
90049cea 2465
c20e3b28 2466 SSL_SESSION_free(sess);
5f982038 2467 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2468 use_session_cb_cnt = 0;
2469 find_session_cb_cnt = 0;
5f982038
MC		 2470
2471 SSL_shutdown(clientssl);
2472 SSL_shutdown(serverssl);
5f982038
MC		 2473 SSL_free(serverssl);
2474 SSL_free(clientssl);
2475 serverssl = clientssl = NULL;
710756a9
RS		 2476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2477 &clientssl, NULL, NULL))
2478 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2479 goto end;
5f982038
MC		 2480
2481 /* Write and read some early data */
710756a9
RS		 2482 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2483 &written))
2484 || !TEST_size_t_eq(written, strlen(MSG1))
2485 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2486 &readbytes),
2487 SSL_READ_EARLY_DATA_SUCCESS)
2488 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2489 goto end;
5f982038 2490
710756a9
RS		 2491 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2492 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2493 goto end;
5f982038 2494
09f28874 2495 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2496 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2497 &written)))
5f982038 2498 goto end;
5f982038 2499 ERR_clear_error();
710756a9
RS		 2500 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2501 &readbytes),
2502 SSL_READ_EARLY_DATA_ERROR))
5f982038 2503 goto end;
5f982038
MC		 2504 ERR_clear_error();
2505
2506 /* Client and server should be able to write/read normal data */
710756a9
RS		 2507 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2508 || !TEST_size_t_eq(written, strlen(MSG5))
2509 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2510 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2511 goto end;
5f982038
MC		 2512
2513 testresult = 1;
2514
2515 end:
c20e3b28 2516 SSL_SESSION_free(sess);
57dee9bb
MC		 2517 SSL_SESSION_free(clientpsk);
2518 SSL_SESSION_free(serverpsk);
2519 clientpsk = serverpsk = NULL;
5f982038
MC		 2520 SSL_free(serverssl);
2521 SSL_free(clientssl);
2522 SSL_CTX_free(sctx);
2523 SSL_CTX_free(cctx);
5f982038
MC		 2524 return testresult;
2525}
2526
5a421415
MC		 2527static int allow_ed_cb_called = 0;
2528
2529static int allow_early_data_cb(SSL *s, void *arg)
2530{
2531 int *usecb = (int *)arg;
2532
2533 allow_ed_cb_called++;
2534
2535 if (*usecb == 1)
2536 return 0;
2537
2538 return 1;
2539}
2540
2541/*
2542 * idx == 0: Standard early_data setup
2543 * idx == 1: early_data setup using read_ahead
2544 * usecb == 0: Don't use a custom early data callback
2545 * usecb == 1: Use a custom early data callback and reject the early data
2546 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 2547 * confopt == 0: Configure anti-replay directly
2548 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 2549 */
3bb5e5b0 2550static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 2551{
2552 SSL_CTX *cctx = NULL, *sctx = NULL;
2553 SSL *clientssl = NULL, *serverssl = NULL;
2554 int testresult = 0;
2555 SSL_SESSION *sess = NULL;
5a421415
MC		 2556 size_t readbytes, written;
2557 unsigned char buf[20];
2558
2559 allow_ed_cb_called = 0;
2560
2561 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 2562 TLS1_VERSION, 0, &sctx,
5a421415
MC		 2563 &cctx, cert, privkey)))
2564 return 0;
2565
2566 if (usecb > 0) {
3bb5e5b0
MC		 2567 if (confopt == 0) {
2568 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
2569 } else {
2570 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
2571
2572 if (!TEST_ptr(confctx))
2573 goto end;
2574 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
2575 | SSL_CONF_FLAG_SERVER);
2576 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
2577 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
2578 2)) {
2579 SSL_CONF_CTX_free(confctx);
2580 goto end;
2581 }
2582 SSL_CONF_CTX_free(confctx);
2583 }
5a421415
MC		 2584 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
2585 }
78fb5374
MC		 2586
2587 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2588 &serverssl, &sess, idx)))
2589 goto end;
2590
2591 /*
2592 * The server is configured to accept early data. Create a connection to
2593 * "use up" the ticket
2594 */
2595 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2596 || !TEST_true(SSL_session_reused(clientssl)))
2597 goto end;
2598
2599 SSL_shutdown(clientssl);
2600 SSL_shutdown(serverssl);
2601 SSL_free(serverssl);
2602 SSL_free(clientssl);
2603 serverssl = clientssl = NULL;
2604
2605 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2606 &clientssl, NULL, NULL))
5a421415
MC		 2607 || !TEST_true(SSL_set_session(clientssl, sess)))
2608 goto end;
2609
2610 /* Write and read some early data */
2611 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2612 &written))
2613 || !TEST_size_t_eq(written, strlen(MSG1)))
2614 goto end;
2615
2616 if (usecb <= 1) {
2617 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2618 &readbytes),
2619 SSL_READ_EARLY_DATA_FINISH)
2620 /*
2621 * The ticket was reused, so the we should have rejected the
2622 * early data
2623 */
2624 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2625 SSL_EARLY_DATA_REJECTED))
2626 goto end;
2627 } else {
2628 /* In this case the callback decides to accept the early data */
2629 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2630 &readbytes),
2631 SSL_READ_EARLY_DATA_SUCCESS)
2632 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
2633 /*
2634 * Server will have sent its flight so client can now send
2635 * end of early data and complete its half of the handshake
2636 */
2637 || !TEST_int_gt(SSL_connect(clientssl), 0)
2638 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2639 &readbytes),
2640 SSL_READ_EARLY_DATA_FINISH)
2641 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2642 SSL_EARLY_DATA_ACCEPTED))
2643 goto end;
2644 }
2645
2646 /* Complete the connection */
2647 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2648 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
2649 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 2650 goto end;
2651
2652 testresult = 1;
2653
2654 end:
c20e3b28 2655 SSL_SESSION_free(sess);
78fb5374
MC		 2656 SSL_SESSION_free(clientpsk);
2657 SSL_SESSION_free(serverpsk);
2658 clientpsk = serverpsk = NULL;
2659 SSL_free(serverssl);
2660 SSL_free(clientssl);
2661 SSL_CTX_free(sctx);
2662 SSL_CTX_free(cctx);
2663 return testresult;
2664}
2665
5a421415
MC		 2666static int test_early_data_replay(int idx)
2667{
3bb5e5b0 2668 int ret = 1, usecb, confopt;
5a421415 2669
3bb5e5b0
MC		 2670 for (usecb = 0; usecb < 3; usecb++) {
2671 for (confopt = 0; confopt < 2; confopt++)
2672 ret &= test_early_data_replay_int(idx, usecb, confopt);
2673 }
5a421415
MC		 2674
2675 return ret;
2676}
2677
710756a9 2678/*
6b84e6bf
MC		 2679 * Helper function to test that a server attempting to read early data can
2680 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 2681 * testtype: 0 == No HRR
2682 * testtype: 1 == HRR
0efa0ba4
MC		 2683 * testtype: 2 == HRR, invalid early_data sent after HRR
2684 * testtype: 3 == recv_max_early_data set to 0
710756a9 2685 */
0d1b7789 2686static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 2687{
2688 SSL_CTX *cctx = NULL, *sctx = NULL;
2689 SSL *clientssl = NULL, *serverssl = NULL;
2690 int testresult = 0;
018fcbec 2691 SSL_SESSION *sess = NULL;
5f982038
MC		 2692 unsigned char buf[20];
2693 size_t readbytes, written;
2694
710756a9
RS		 2695 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2696 &serverssl, &sess, idx)))
5f982038
MC		 2697 goto end;
2698
0efa0ba4 2699 if (testtype == 1 || testtype == 2) {
6b84e6bf
MC		 2700 /* Force an HRR to occur */
2701 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2702 goto end;
02a3ed5a
MC		 2703 } else if (idx == 2) {
2704 /*
2705 * We force early_data rejection by ensuring the PSK identity is
2706 * unrecognised
2707 */
2708 srvid = "Dummy Identity";
6b84e6bf
MC		 2709 } else {
2710 /*
2711 * Deliberately corrupt the creation time. We take 20 seconds off the
2712 * time. It could be any value as long as it is not within tolerance.
2713 * This should mean the ticket is rejected.
2714 */
5d99881e 2715 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2716 goto end;
2717 }
5f982038 2718
0efa0ba4 2719 if (testtype == 3
0d1b7789
MC		 2720 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
2721 goto end;
2722
5f982038 2723 /* Write some early data */
710756a9
RS		 2724 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2725 &written))
2726 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2727 goto end;
5f982038 2728
0d1b7789 2729 /* Server should reject the early data */
710756a9
RS		 2730 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2731 &readbytes),
2732 SSL_READ_EARLY_DATA_FINISH)
2733 || !TEST_size_t_eq(readbytes, 0)
2734 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2735 SSL_EARLY_DATA_REJECTED))
5f982038 2736 goto end;
5f982038 2737
0efa0ba4
MC		 2738 switch (testtype) {
2739 case 0:
2740 /* Nothing to do */
2741 break;
2742
2743 case 1:
6b84e6bf
MC		 2744 /*
2745 * Finish off the handshake. We perform the same writes and reads as
2746 * further down but we expect them to fail due to the incomplete
2747 * handshake.
2748 */
2749 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2750 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2751 &readbytes)))
2752 goto end;
0efa0ba4
MC		 2753 break;
2754
2755 case 2:
2756 {
2757 BIO *wbio = SSL_get_wbio(clientssl);
2758 /* A record that will appear as bad early_data */
2759 const unsigned char bad_early_data[] = {
2760 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
2761 };
2762
2763 /*
2764 * We force the client to attempt a write. This will fail because
2765 * we're still in the handshake. It will cause the second
2766 * ClientHello to be sent.
2767 */
2768 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
2769 &written)))
2770 goto end;
2771
2772 /*
2773 * Inject some early_data after the second ClientHello. This should
2774 * cause the server to fail
2775 */
2776 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
2777 sizeof(bad_early_data), &written)))
2778 goto end;
2779 }
2780 /* fallthrough */
2781
2782 case 3:
0d1b7789 2783 /*
0efa0ba4
MC		 2784 * This client has sent more early_data than we are willing to skip
2785 * (case 3) or sent invalid early_data (case 2) so the connection should
2786 * abort.
0d1b7789
MC		 2787 */
2788 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2789 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
2790 goto end;
2791
2792 /* Connection has failed - nothing more to do */
2793 testresult = 1;
2794 goto end;
0efa0ba4
MC		 2795
2796 default:
2797 TEST_error("Invalid test type");
2798 goto end;
6b84e6bf
MC		 2799 }
2800
0d1b7789
MC		 2801 /*
2802 * Should be able to send normal data despite rejection of early data. The
2803 * early_data should be skipped.
2804 */
710756a9
RS		 2805 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2806 || !TEST_size_t_eq(written, strlen(MSG2))
2807 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2808 SSL_EARLY_DATA_REJECTED)
2809 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2810 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2811 goto end;
5f982038
MC		 2812
2813 testresult = 1;
2814
2815 end:
c20e3b28 2816 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2817 SSL_SESSION_free(serverpsk);
2818 clientpsk = serverpsk = NULL;
5f982038
MC		 2819 SSL_SESSION_free(sess);
2820 SSL_free(serverssl);
2821 SSL_free(clientssl);
2822 SSL_CTX_free(sctx);
2823 SSL_CTX_free(cctx);
5f982038
MC		 2824 return testresult;
2825}
2826
6b84e6bf
MC		 2827/*
2828 * Test that a server attempting to read early data can handle a connection
2829 * from a client where the early data is not acceptable.
2830 */
2831static int test_early_data_skip(int idx)
2832{
2833 return early_data_skip_helper(0, idx);
2834}
2835
2836/*
2837 * Test that a server attempting to read early data can handle a connection
2838 * from a client where an HRR occurs.
2839 */
2840static int test_early_data_skip_hrr(int idx)
2841{
2842 return early_data_skip_helper(1, idx);
2843}
2844
0efa0ba4
MC		 2845/*
2846 * Test that a server attempting to read early data can handle a connection
2847 * from a client where an HRR occurs and correctly fails if early_data is sent
2848 * after the HRR
2849 */
2850static int test_early_data_skip_hrr_fail(int idx)
2851{
2852 return early_data_skip_helper(2, idx);
2853}
2854
0d1b7789
MC		 2855/*
2856 * Test that a server attempting to read early data will abort if it tries to
2857 * skip over too much.
2858 */
2859static int test_early_data_skip_abort(int idx)
2860{
0efa0ba4 2861 return early_data_skip_helper(3, idx);
0d1b7789
MC		 2862}
2863
710756a9
RS		 2864/*
2865 * Test that a server attempting to read early data can handle a connection
2866 * from a client that doesn't send any.
2867 */
3cb47b4e 2868static int test_early_data_not_sent(int idx)
5f982038
MC		 2869{
2870 SSL_CTX *cctx = NULL, *sctx = NULL;
2871 SSL *clientssl = NULL, *serverssl = NULL;
2872 int testresult = 0;
018fcbec 2873 SSL_SESSION *sess = NULL;
5f982038
MC		 2874 unsigned char buf[20];
2875 size_t readbytes, written;
2876
710756a9
RS		 2877 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2878 &serverssl, &sess, idx)))
5f982038
MC		 2879 goto end;
2880
2881 /* Write some data - should block due to handshake with server */
2882 SSL_set_connect_state(clientssl);
710756a9 2883 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2884 goto end;
5f982038
MC		 2885
2886 /* Server should detect that early data has not been sent */
710756a9
RS		 2887 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2888 &readbytes),
2889 SSL_READ_EARLY_DATA_FINISH)
2890 || !TEST_size_t_eq(readbytes, 0)
2891 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2892 SSL_EARLY_DATA_NOT_SENT)
2893 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2894 SSL_EARLY_DATA_NOT_SENT))
5f982038 2895 goto end;
5f982038
MC		 2896
2897 /* Continue writing the message we started earlier */
710756a9
RS		 2898 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2899 || !TEST_size_t_eq(written, strlen(MSG1))
2900 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2901 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2902 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2903 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2904 goto end;
5f982038 2905
710756a9
RS		 2906 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2907 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2908 goto end;
5f982038
MC		 2909
2910 testresult = 1;
2911
2912 end:
5f982038 2913 SSL_SESSION_free(sess);
c20e3b28 2914 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2915 SSL_SESSION_free(serverpsk);
2916 clientpsk = serverpsk = NULL;
5f982038
MC		 2917 SSL_free(serverssl);
2918 SSL_free(clientssl);
2919 SSL_CTX_free(sctx);
2920 SSL_CTX_free(cctx);
5f982038
MC		 2921 return testresult;
2922}
2923
976e5323
MC		 2924static int hostname_cb(SSL *s, int *al, void *arg)
2925{
2926 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2927
281bf233 2928 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2929 return SSL_TLSEXT_ERR_OK;
2930
2931 return SSL_TLSEXT_ERR_NOACK;
2932}
2933
2934static const char *servalpn;
2935
c7558d5b
PY		 2936static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2937 unsigned char *outlen, const unsigned char *in,
2938 unsigned int inlen, void *arg)
976e5323 2939{
c7558d5b 2940 unsigned int protlen = 0;
976e5323
MC		 2941 const unsigned char *prot;
2942
c7558d5b
PY		 2943 for (prot = in; prot < in + inlen; prot += protlen) {
2944 protlen = *prot++;
5d99881e 2945 if (in + inlen < prot + protlen)
976e5323
MC		 2946 return SSL_TLSEXT_ERR_NOACK;
2947
2948 if (protlen == strlen(servalpn)
0bd42fde 2949 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2950 *out = prot;
2951 *outlen = protlen;
2952 return SSL_TLSEXT_ERR_OK;
2953 }
2954 }
2955
2956 return SSL_TLSEXT_ERR_NOACK;
2957}
2958
57dee9bb 2959/* Test that a PSK can be used to send early_data */
976e5323
MC		 2960static int test_early_data_psk(int idx)
2961{
2962 SSL_CTX *cctx = NULL, *sctx = NULL;
2963 SSL *clientssl = NULL, *serverssl = NULL;
2964 int testresult = 0;
2965 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2966 unsigned char alpnlist[] = {
2967 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2968 'l', 'p', 'n'
2969 };
2970#define GOODALPNLEN 9
2971#define BADALPNLEN 8
2972#define GOODALPN (alpnlist)
2973#define BADALPN (alpnlist + GOODALPNLEN)
2974 int err = 0;
976e5323
MC		 2975 unsigned char buf[20];
2976 size_t readbytes, written;
57dee9bb 2977 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2978 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2979
2980 /* We always set this up with a final parameter of "2" for PSK */
2981 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2982 &serverssl, &sess, 2)))
2983 goto end;
2984
976e5323
MC		 2985 servalpn = "goodalpn";
2986
57dee9bb
MC		 2987 /*
2988 * Note: There is no test for inconsistent SNI with late client detection.
2989 * This is because servers do not acknowledge SNI even if they are using
2990 * it in a resumption handshake - so it is not actually possible for a
2991 * client to detect a problem.
2992 */
976e5323
MC		 2993 switch (idx) {
2994 case 0:
57dee9bb 2995 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2996 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2997 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2998 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2999 goto end;
3000 break;
3001
3002 case 1:
57dee9bb 3003 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3004 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3005 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3006 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3007 GOODALPNLEN))
3008 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3009 BADALPNLEN)))
976e5323
MC		 3010 goto end;
3011 break;
3012
3013 case 2:
3014 /*
3015 * Set invalid protocol version. Technically this affects PSKs without
3016 * early_data too, but we test it here because it is similar to the
3017 * SNI/ALPN consistency tests.
3018 */
3019 err = SSL_R_BAD_PSK;
3020 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3021 goto end;
3022 break;
3023
3024 case 3:
3025 /*
3026 * Set inconsistent SNI (server detected). In this case the connection
3027 * will succeed but reject early_data.
3028 */
281bf233
MC		 3029 SSL_SESSION_free(serverpsk);
3030 serverpsk = SSL_SESSION_dup(clientpsk);
3031 if (!TEST_ptr(serverpsk)
3032 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3033 goto end;
976e5323
MC		 3034 edstatus = SSL_EARLY_DATA_REJECTED;
3035 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3036 /* Fall through */
3037 case 4:
3038 /* Set consistent SNI */
976e5323
MC		 3039 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3040 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3041 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3042 hostname_cb)))
3043 goto end;
3044 break;
3045
3046 case 5:
3047 /*
3048 * Set inconsistent ALPN (server detected). In this case the connection
3049 * will succeed but reject early_data.
3050 */
3051 servalpn = "badalpn";
3052 edstatus = SSL_EARLY_DATA_REJECTED;
3053 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3054 /* Fall through */
3055 case 6:
976e5323 3056 /*
57dee9bb 3057 * Set consistent ALPN.
976e5323
MC		 3058 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3059 * accepts a list of protos (each one length prefixed).
3060 * SSL_set1_alpn_selected accepts a single protocol (not length
3061 * prefixed)
3062 */
57dee9bb
MC		 3063 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3064 GOODALPNLEN - 1))
3065 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3066 GOODALPNLEN)))
976e5323
MC		 3067 goto end;
3068
3069 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3070 break;
3071
57dee9bb
MC		 3072 case 7:
3073 /* Set inconsistent ALPN (late client detection) */
3074 SSL_SESSION_free(serverpsk);
3075 serverpsk = SSL_SESSION_dup(clientpsk);
3076 if (!TEST_ptr(serverpsk)
3077 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3078 BADALPN + 1,
3079 BADALPNLEN - 1))
3080 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3081 GOODALPN + 1,
3082 GOODALPNLEN - 1))
3083 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3084 sizeof(alpnlist))))
3085 goto end;
3086 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3087 edstatus = SSL_EARLY_DATA_ACCEPTED;
3088 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3089 /* SSL_connect() call should fail */
3090 connectres = -1;
3091 break;
3092
976e5323
MC		 3093 default:
3094 TEST_error("Bad test index");
3095 goto end;
3096 }
3097
3098 SSL_set_connect_state(clientssl);
3099 if (err != 0) {
3100 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3101 &written))
3102 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3103 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3104 goto end;
3105 } else {
3106 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3107 &written)))
3108 goto end;
3109
3110 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3111 &readbytes), readearlyres)
976e5323
MC		 3112 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3113 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3114 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3115 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3116 goto end;
3117 }
3118
3119 testresult = 1;
3120
3121 end:
c20e3b28 3122 SSL_SESSION_free(sess);
57dee9bb
MC		 3123 SSL_SESSION_free(clientpsk);
3124 SSL_SESSION_free(serverpsk);
3125 clientpsk = serverpsk = NULL;
976e5323
MC		 3126 SSL_free(serverssl);
3127 SSL_free(clientssl);
3128 SSL_CTX_free(sctx);
3129 SSL_CTX_free(cctx);
3130 return testresult;
3131}
3132
710756a9
RS		 3133/*
3134 * Test that a server that doesn't try to read early data can handle a
3135 * client sending some.
3136 */
3cb47b4e 3137static int test_early_data_not_expected(int idx)
5f982038
MC		 3138{
3139 SSL_CTX *cctx = NULL, *sctx = NULL;
3140 SSL *clientssl = NULL, *serverssl = NULL;
3141 int testresult = 0;
018fcbec 3142 SSL_SESSION *sess = NULL;
5f982038
MC		 3143 unsigned char buf[20];
3144 size_t readbytes, written;
3145
710756a9
RS		 3146 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3147 &serverssl, &sess, idx)))
5f982038
MC		 3148 goto end;
3149
3150 /* Write some early data */
710756a9
RS		 3151 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3152 &written)))
5f982038 3153 goto end;
5f982038
MC		 3154
3155 /*
3156 * Server should skip over early data and then block waiting for client to
3157 * continue handshake
3158 */
710756a9
RS		 3159 if (!TEST_int_le(SSL_accept(serverssl), 0)
3160 || !TEST_int_gt(SSL_connect(clientssl), 0)
3161 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3162 SSL_EARLY_DATA_REJECTED)
3163 || !TEST_int_gt(SSL_accept(serverssl), 0)
3164 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3165 SSL_EARLY_DATA_REJECTED))
5f982038 3166 goto end;
5f982038
MC		 3167
3168 /* Send some normal data from client to server */
710756a9
RS		 3169 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3170 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3171 goto end;
5f982038 3172
710756a9
RS		 3173 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3174 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3175 goto end;
5f982038
MC		 3176
3177 testresult = 1;
3178
3179 end:
5f982038 3180 SSL_SESSION_free(sess);
c20e3b28 3181 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3182 SSL_SESSION_free(serverpsk);
3183 clientpsk = serverpsk = NULL;
5f982038
MC		 3184 SSL_free(serverssl);
3185 SSL_free(clientssl);
3186 SSL_CTX_free(sctx);
3187 SSL_CTX_free(cctx);
5f982038
MC		 3188 return testresult;
3189}
3190
3191
3192# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 3193/*
3194 * Test that a server attempting to read early data can handle a connection
3195 * from a TLSv1.2 client.
3196 */
3cb47b4e 3197static int test_early_data_tls1_2(int idx)
5f982038
MC		 3198{
3199 SSL_CTX *cctx = NULL, *sctx = NULL;
3200 SSL *clientssl = NULL, *serverssl = NULL;
3201 int testresult = 0;
3202 unsigned char buf[20];
3203 size_t readbytes, written;
3204
02a3ed5a
MC		 3205 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3206 &serverssl, NULL, idx)))
5f982038 3207 goto end;
5f982038
MC		 3208
3209 /* Write some data - should block due to handshake with server */
3210 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
3211 SSL_set_connect_state(clientssl);
710756a9 3212 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3213 goto end;
5f982038
MC		 3214
3215 /*
3216 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 3217 * messages from client after ServerDone. Then SSL_read_early_data should
3218 * finish and detect that early data has not been sent
5f982038 3219 */
710756a9
RS		 3220 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3221 &readbytes),
3222 SSL_READ_EARLY_DATA_ERROR))
5f982038 3223 goto end;
5f982038
MC		 3224
3225 /*
3226 * Continue writing the message we started earlier. Will still block waiting
3227 * for the CCS/Finished from server
3228 */
710756a9
RS		 3229 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3230 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3231 &readbytes),
3232 SSL_READ_EARLY_DATA_FINISH)
3233 || !TEST_size_t_eq(readbytes, 0)
3234 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3235 SSL_EARLY_DATA_NOT_SENT))
5f982038 3236 goto end;
5f982038
MC		 3237
3238 /* Continue writing the message we started earlier */
710756a9
RS		 3239 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3240 || !TEST_size_t_eq(written, strlen(MSG1))
3241 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3242 SSL_EARLY_DATA_NOT_SENT)
3243 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3244 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3245 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
3246 || !TEST_size_t_eq(written, strlen(MSG2))
3247 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
3248 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3249 goto end;
5f982038
MC		 3250
3251 testresult = 1;
3252
3253 end:
57dee9bb
MC		 3254 SSL_SESSION_free(clientpsk);
3255 SSL_SESSION_free(serverpsk);
3256 clientpsk = serverpsk = NULL;
5f982038
MC		 3257 SSL_free(serverssl);
3258 SSL_free(clientssl);
3259 SSL_CTX_free(sctx);
3260 SSL_CTX_free(cctx);
3261
3262 return testresult;
3263}
ca0413ae
MC		 3264# endif /* OPENSSL_NO_TLS1_2 */
3265
034cb87b
MC		 3266/*
3267 * Test configuring the TLSv1.3 ciphersuites
3268 *
3269 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
3270 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
3271 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
3272 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
3273 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3274 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
3275 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
3276 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
3277 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
3278 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
3279 */
3280static int test_set_ciphersuite(int idx)
3281{
3282 SSL_CTX *cctx = NULL, *sctx = NULL;
3283 SSL *clientssl = NULL, *serverssl = NULL;
3284 int testresult = 0;
3285
3286 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3287 TLS1_VERSION, 0,
034cb87b
MC		 3288 &sctx, &cctx, cert, privkey))
3289 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3290 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
3291 goto end;
3292
3293 if (idx >=4 && idx <= 7) {
3294 /* SSL_CTX explicit cipher list */
3295 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
3296 goto end;
3297 }
3298
3299 if (idx == 0 || idx == 4) {
3300 /* Default ciphersuite */
3301 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3302 "TLS_AES_128_GCM_SHA256")))
3303 goto end;
3304 } else if (idx == 1 || idx == 5) {
3305 /* Non default ciphersuite */
3306 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3307 "TLS_AES_128_CCM_SHA256")))
3308 goto end;
3309 }
3310
3311 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3312 &clientssl, NULL, NULL)))
3313 goto end;
3314
3315 if (idx == 8 || idx == 9) {
3316 /* SSL explicit cipher list */
3317 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
3318 goto end;
3319 }
3320
3321 if (idx == 2 || idx == 6 || idx == 8) {
3322 /* Default ciphersuite */
3323 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3324 "TLS_AES_128_GCM_SHA256")))
3325 goto end;
3326 } else if (idx == 3 || idx == 7 || idx == 9) {
3327 /* Non default ciphersuite */
3328 if (!TEST_true(SSL_set_ciphersuites(clientssl,
3329 "TLS_AES_128_CCM_SHA256")))
3330 goto end;
3331 }
3332
3333 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
3334 goto end;
3335
3336 testresult = 1;
3337
3338 end:
3339 SSL_free(serverssl);
3340 SSL_free(clientssl);
3341 SSL_CTX_free(sctx);
3342 SSL_CTX_free(cctx);
3343
3344 return testresult;
3345}
3346
ca0413ae
MC		 3347static int test_ciphersuite_change(void)
3348{
3349 SSL_CTX *cctx = NULL, *sctx = NULL;
3350 SSL *clientssl = NULL, *serverssl = NULL;
3351 SSL_SESSION *clntsess = NULL;
3352 int testresult = 0;
3353 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
3354
3355 /* Create a session based on SHA-256 */
7d7f6834 3356 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3357 TLS1_VERSION, 0,
7d7f6834 3358 &sctx, &cctx, cert, privkey))
f865b081
MC		 3359 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
3360 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 3361 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3362 &clientssl, NULL, NULL))
3363 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3364 SSL_ERROR_NONE)))
3365 goto end;
3366
3367 clntsess = SSL_get1_session(clientssl);
3368 /* Save for later */
3369 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
3370 SSL_shutdown(clientssl);
3371 SSL_shutdown(serverssl);
3372 SSL_free(serverssl);
3373 SSL_free(clientssl);
3374 serverssl = clientssl = NULL;
3375
71cff963 3376# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 3377 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 3378 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3379 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 3380 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3381 NULL, NULL))
3382 || !TEST_true(SSL_set_session(clientssl, clntsess))
3383 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3384 SSL_ERROR_NONE))
3385 || !TEST_true(SSL_session_reused(clientssl)))
3386 goto end;
3387
3388 SSL_SESSION_free(clntsess);
3389 clntsess = SSL_get1_session(clientssl);
3390 SSL_shutdown(clientssl);
3391 SSL_shutdown(serverssl);
3392 SSL_free(serverssl);
3393 SSL_free(clientssl);
3394 serverssl = clientssl = NULL;
71cff963 3395# endif
ca0413ae
MC		 3396
3397 /*
3398 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 3399 * succeeds but does not resume.
ca0413ae 3400 */
f865b081 3401 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3402 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3403 NULL, NULL))
3404 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 3405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 3406 SSL_ERROR_SSL))
0de6d66d 3407 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 3408 goto end;
3409
3410 SSL_SESSION_free(clntsess);
3411 clntsess = NULL;
3412 SSL_shutdown(clientssl);
3413 SSL_shutdown(serverssl);
3414 SSL_free(serverssl);
3415 SSL_free(clientssl);
3416 serverssl = clientssl = NULL;
3417
3418 /* Create a session based on SHA384 */
f865b081 3419 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3420 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3421 &clientssl, NULL, NULL))
3422 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3423 SSL_ERROR_NONE)))
3424 goto end;
3425
3426 clntsess = SSL_get1_session(clientssl);
3427 SSL_shutdown(clientssl);
3428 SSL_shutdown(serverssl);
3429 SSL_free(serverssl);
3430 SSL_free(clientssl);
3431 serverssl = clientssl = NULL;
3432
f865b081
MC		 3433 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3434 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
3435 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
3436 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 3437 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3438 NULL, NULL))
3439 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 3440 /*
3441 * We use SSL_ERROR_WANT_READ below so that we can pause the
3442 * connection after the initial ClientHello has been sent to
3443 * enable us to make some session changes.
3444 */
ca0413ae
MC		 3445 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3446 SSL_ERROR_WANT_READ)))
3447 goto end;
3448
3449 /* Trick the client into thinking this session is for a different digest */
3450 clntsess->cipher = aes_128_gcm_sha256;
3451 clntsess->cipher_id = clntsess->cipher->id;
3452
3453 /*
3b0e88d3
MC		 3454 * Continue the previously started connection. Server has selected a SHA-384
3455 * ciphersuite, but client thinks the session is for SHA-256, so it should
3456 * bail out.
ca0413ae
MC		 3457 */
3458 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
3459 SSL_ERROR_SSL))
3460 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
3461 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
3462 goto end;
3463
3464 testresult = 1;
3465
3466 end:
3467 SSL_SESSION_free(clntsess);
3468 SSL_free(serverssl);
3469 SSL_free(clientssl);
3470 SSL_CTX_free(sctx);
3471 SSL_CTX_free(cctx);
3472
3473 return testresult;
3474}
3475
0d8da779
MC		 3476/*
3477 * Test TLSv1.3 PSKs
3478 * Test 0 = Test new style callbacks
3479 * Test 1 = Test both new and old style callbacks
3480 * Test 2 = Test old style callbacks
3481 * Test 3 = Test old style callbacks with no certificate
3482 */
532f9578 3483static int test_tls13_psk(int idx)
ca8c71ba
MC		 3484{
3485 SSL_CTX *sctx = NULL, *cctx = NULL;
3486 SSL *serverssl = NULL, *clientssl = NULL;
3487 const SSL_CIPHER *cipher = NULL;
3488 const unsigned char key[] = {
3489 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
3490 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 3491 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
3492 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 3493 };
3494 int testresult = 0;
3495
7d7f6834 3496 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3497 TLS1_VERSION, 0,
0d8da779
MC		 3498 &sctx, &cctx, idx == 3 ? NULL : cert,
3499 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 3500 goto end;
3501
0d8da779
MC		 3502 if (idx != 3) {
3503 /*
3504 * We use a ciphersuite with SHA256 to ease testing old style PSK
3505 * callbacks which will always default to SHA256. This should not be
3506 * necessary if we have no cert/priv key. In that case the server should
3507 * prefer SHA256 automatically.
3508 */
3509 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
3510 "TLS_AES_128_GCM_SHA256")))
3511 goto end;
3512 }
532f9578
MC		 3513
3514 /*
3515 * Test 0: New style callbacks only
3516 * Test 1: New and old style callbacks (only the new ones should be used)
3517 * Test 2: Old style callbacks only
3518 */
3519 if (idx == 0 || idx == 1) {
3520 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
3521 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
3522 }
c2b290c3 3523#ifndef OPENSSL_NO_PSK
0d8da779 3524 if (idx >= 1) {
532f9578
MC		 3525 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
3526 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
3527 }
c2b290c3 3528#endif
ca8c71ba 3529 srvid = pskid;
02a3ed5a
MC		 3530 use_session_cb_cnt = 0;
3531 find_session_cb_cnt = 0;
532f9578
MC		 3532 psk_client_cb_cnt = 0;
3533 psk_server_cb_cnt = 0;
ca8c71ba 3534
0d8da779
MC		 3535 if (idx != 3) {
3536 /*
3537 * Check we can create a connection if callback decides not to send a
3538 * PSK
3539 */
3540 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3541 NULL, NULL))
3542 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3543 SSL_ERROR_NONE))
3544 || !TEST_false(SSL_session_reused(clientssl))
3545 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3546 goto end;
532f9578 3547
0d8da779
MC		 3548 if (idx == 0 || idx == 1) {
3549 if (!TEST_true(use_session_cb_cnt == 1)
3550 || !TEST_true(find_session_cb_cnt == 0)
3551 /*
3552 * If no old style callback then below should be 0
3553 * otherwise 1
3554 */
3555 || !TEST_true(psk_client_cb_cnt == idx)
3556 || !TEST_true(psk_server_cb_cnt == 0))
3557 goto end;
3558 } else {
3559 if (!TEST_true(use_session_cb_cnt == 0)
3560 || !TEST_true(find_session_cb_cnt == 0)
3561 || !TEST_true(psk_client_cb_cnt == 1)
3562 || !TEST_true(psk_server_cb_cnt == 0))
3563 goto end;
3564 }
3565
3566 shutdown_ssl_connection(serverssl, clientssl);
3567 serverssl = clientssl = NULL;
3568 use_session_cb_cnt = psk_client_cb_cnt = 0;
3569 }
ca8c71ba
MC		 3570
3571 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3572 NULL, NULL)))
3573 goto end;
3574
3575 /* Create the PSK */
532f9578 3576 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3577 clientpsk = SSL_SESSION_new();
3578 if (!TEST_ptr(clientpsk)
ca8c71ba 3579 || !TEST_ptr(cipher)
57dee9bb
MC		 3580 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3581 sizeof(key)))
3582 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3583 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3584 TLS1_3_VERSION))
3585 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3586 goto end;
57dee9bb 3587 serverpsk = clientpsk;
ca8c71ba
MC		 3588
3589 /* Check we can create a connection and the PSK is used */
3590 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3591 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3592 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3593 goto end;
3594
532f9578
MC		 3595 if (idx == 0 || idx == 1) {
3596 if (!TEST_true(use_session_cb_cnt == 1)
3597 || !TEST_true(find_session_cb_cnt == 1)
3598 || !TEST_true(psk_client_cb_cnt == 0)
3599 || !TEST_true(psk_server_cb_cnt == 0))
3600 goto end;
3601 } else {
3602 if (!TEST_true(use_session_cb_cnt == 0)
3603 || !TEST_true(find_session_cb_cnt == 0)
3604 || !TEST_true(psk_client_cb_cnt == 1)
3605 || !TEST_true(psk_server_cb_cnt == 1))
3606 goto end;
3607 }
3608
ca8c71ba
MC		 3609 shutdown_ssl_connection(serverssl, clientssl);
3610 serverssl = clientssl = NULL;
3611 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3612 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3613
3614 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3615 NULL, NULL)))
3616 goto end;
3617
3618 /* Force an HRR */
3619 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3620 goto end;
3621
3622 /*
3623 * Check we can create a connection, the PSK is used and the callbacks are
3624 * called twice.
3625 */
3626 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3627 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3628 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3629 goto end;
3630
532f9578
MC		 3631 if (idx == 0 || idx == 1) {
3632 if (!TEST_true(use_session_cb_cnt == 2)
3633 || !TEST_true(find_session_cb_cnt == 2)
3634 || !TEST_true(psk_client_cb_cnt == 0)
3635 || !TEST_true(psk_server_cb_cnt == 0))
3636 goto end;
3637 } else {
3638 if (!TEST_true(use_session_cb_cnt == 0)
3639 || !TEST_true(find_session_cb_cnt == 0)
3640 || !TEST_true(psk_client_cb_cnt == 2)
3641 || !TEST_true(psk_server_cb_cnt == 2))
3642 goto end;
3643 }
3644
ca8c71ba
MC		 3645 shutdown_ssl_connection(serverssl, clientssl);
3646 serverssl = clientssl = NULL;
3647 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3648 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3649
0d8da779
MC		 3650 if (idx != 3) {
3651 /*
3652 * Check that if the server rejects the PSK we can still connect, but with
3653 * a full handshake
3654 */
3655 srvid = "Dummy Identity";
3656 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3657 NULL, NULL))
3658 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3659 SSL_ERROR_NONE))
3660 || !TEST_false(SSL_session_reused(clientssl))
3661 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3662 goto end;
532f9578 3663
0d8da779
MC		 3664 if (idx == 0 || idx == 1) {
3665 if (!TEST_true(use_session_cb_cnt == 1)
3666 || !TEST_true(find_session_cb_cnt == 1)
3667 || !TEST_true(psk_client_cb_cnt == 0)
3668 /*
3669 * If no old style callback then below should be 0
3670 * otherwise 1
3671 */
3672 || !TEST_true(psk_server_cb_cnt == idx))
3673 goto end;
3674 } else {
3675 if (!TEST_true(use_session_cb_cnt == 0)
3676 || !TEST_true(find_session_cb_cnt == 0)
3677 || !TEST_true(psk_client_cb_cnt == 1)
3678 || !TEST_true(psk_server_cb_cnt == 1))
3679 goto end;
3680 }
3681
3682 shutdown_ssl_connection(serverssl, clientssl);
3683 serverssl = clientssl = NULL;
3684 }
ca8c71ba
MC		 3685 testresult = 1;
3686
3687 end:
57dee9bb
MC		 3688 SSL_SESSION_free(clientpsk);
3689 SSL_SESSION_free(serverpsk);
3690 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3691 SSL_free(serverssl);
3692 SSL_free(clientssl);
3693 SSL_CTX_free(sctx);
3694 SSL_CTX_free(cctx);
3695 return testresult;
3696}
3697
c7b8ff25
MC		 3698static unsigned char cookie_magic_value[] = "cookie magic";
3699
3700static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3701 unsigned int *cookie_len)
3702{
3703 /*
3704 * Not suitable as a real cookie generation function but good enough for
3705 * testing!
3706 */
97ea1e7f
MC		 3707 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3708 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3709
3710 return 1;
3711}
3712
3713static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3714 unsigned int cookie_len)
3715{
97ea1e7f 3716 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3717 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3718 return 1;
3719
3720 return 0;
3721}
3722
3fa2812f
BS		 3723static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3724 size_t *cookie_len)
3725{
3726 unsigned int temp;
3727 int res = generate_cookie_callback(ssl, cookie, &temp);
3728 *cookie_len = temp;
3729 return res;
3730}
3731
3732static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3733 size_t cookie_len)
3734{
3735 return verify_cookie_callback(ssl, cookie, cookie_len);
3736}
3737
c7b8ff25
MC		 3738static int test_stateless(void)
3739{
3740 SSL_CTX *sctx = NULL, *cctx = NULL;
3741 SSL *serverssl = NULL, *clientssl = NULL;
3742 int testresult = 0;
3743
7d7f6834 3744 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3745 TLS1_VERSION, 0,
7d7f6834 3746 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3747 goto end;
3748
e440f513
MC		 3749 /* The arrival of CCS messages can confuse the test */
3750 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3751
3752 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3753 NULL, NULL))
3754 /* Send the first ClientHello */
3755 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3756 SSL_ERROR_WANT_READ))
3757 /*
3758 * This should fail with a -1 return because we have no callbacks
3759 * set up
3760 */
3761 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3762 goto end;
3763
3764 /* Fatal error so abandon the connection from this client */
3765 SSL_free(clientssl);
3766 clientssl = NULL;
3767
c7b8ff25 3768 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3769 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3770 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3771
e440f513
MC		 3772 /*
3773 * Create a new connection from the client (we can reuse the server SSL
3774 * object).
3775 */
c7b8ff25
MC		 3776 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3777 NULL, NULL))
3778 /* Send the first ClientHello */
3779 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3780 SSL_ERROR_WANT_READ))
3781 /* This should fail because there is no cookie */
e440f513 3782 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3783 goto end;
3784
3785 /* Abandon the connection from this client */
3786 SSL_free(clientssl);
3787 clientssl = NULL;
3788
3789 /*
3790 * Now create a connection from a new client but with the same server SSL
3791 * object
3792 */
3793 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3794 NULL, NULL))
3795 /* Send the first ClientHello */
3796 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3797 SSL_ERROR_WANT_READ))
3798 /* This should fail because there is no cookie */
e440f513 3799 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3800 /* Send the second ClientHello */
3801 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3802 SSL_ERROR_WANT_READ))
3803 /* This should succeed because a cookie is now present */
e440f513 3804 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3805 /* Complete the connection */
3806 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3807 SSL_ERROR_NONE)))
3808 goto end;
3809
3810 shutdown_ssl_connection(serverssl, clientssl);
3811 serverssl = clientssl = NULL;
3812 testresult = 1;
3813
3814 end:
3815 SSL_free(serverssl);
3816 SSL_free(clientssl);
3817 SSL_CTX_free(sctx);
3818 SSL_CTX_free(cctx);
3819 return testresult;
3820
3821}
ca0413ae 3822#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3823
a37008d9
MC		 3824static int clntaddoldcb = 0;
3825static int clntparseoldcb = 0;
3826static int srvaddoldcb = 0;
3827static int srvparseoldcb = 0;
3828static int clntaddnewcb = 0;
3829static int clntparsenewcb = 0;
3830static int srvaddnewcb = 0;
3831static int srvparsenewcb = 0;
bb01ef3f 3832static int snicb = 0;
a37008d9
MC		 3833
3834#define TEST_EXT_TYPE1 0xff00
3835
3836static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3837 size_t *outlen, int *al, void *add_arg)
3838{
3839 int *server = (int *)add_arg;
3840 unsigned char *data;
3841
3842 if (SSL_is_server(s))
3843 srvaddoldcb++;
3844 else
3845 clntaddoldcb++;
3846
710756a9
RS		 3847 if (*server != SSL_is_server(s)
3848 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3849 return -1;
3850
3851 *data = 1;
3852 *out = data;
3853 *outlen = sizeof(char);
a37008d9
MC		 3854 return 1;
3855}
3856
3857static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3858 void *add_arg)
3859{
3860 OPENSSL_free((unsigned char *)out);
3861}
3862
3863static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3864 size_t inlen, int *al, void *parse_arg)
3865{
3866 int *server = (int *)parse_arg;
3867
3868 if (SSL_is_server(s))
3869 srvparseoldcb++;
3870 else
3871 clntparseoldcb++;
3872
710756a9
RS		 3873 if (*server != SSL_is_server(s)
3874 || inlen != sizeof(char)
3875 || *in != 1)
a37008d9
MC		 3876 return -1;
3877
3878 return 1;
3879}
3880
3881static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3882 const unsigned char **out, size_t *outlen, X509 *x,
3883 size_t chainidx, int *al, void *add_arg)
3884{
3885 int *server = (int *)add_arg;
3886 unsigned char *data;
3887
3888 if (SSL_is_server(s))
3889 srvaddnewcb++;
3890 else
3891 clntaddnewcb++;
3892
710756a9
RS		 3893 if (*server != SSL_is_server(s)
3894 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3895 return -1;
3896
3897 *data = 1;
3898 *out = data;
710756a9 3899 *outlen = sizeof(*data);
a37008d9
MC		 3900 return 1;
3901}
3902
3903static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3904 const unsigned char *out, void *add_arg)
3905{
3906 OPENSSL_free((unsigned char *)out);
3907}
3908
3909static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3910 const unsigned char *in, size_t inlen, X509 *x,
3911 size_t chainidx, int *al, void *parse_arg)
3912{
3913 int *server = (int *)parse_arg;
3914
3915 if (SSL_is_server(s))
3916 srvparsenewcb++;
3917 else
3918 clntparsenewcb++;
3919
710756a9
RS		 3920 if (*server != SSL_is_server(s)
3921 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3922 return -1;
3923
3924 return 1;
3925}
bb01ef3f
MC		 3926
3927static int sni_cb(SSL *s, int *al, void *arg)
3928{
3929 SSL_CTX *ctx = (SSL_CTX *)arg;
3930
3931 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3932 *al = SSL_AD_INTERNAL_ERROR;
3933 return SSL_TLSEXT_ERR_ALERT_FATAL;
3934 }
3935 snicb++;
3936 return SSL_TLSEXT_ERR_OK;
3937}
3938
a37008d9
MC		 3939/*
3940 * Custom call back tests.
3941 * Test 0: Old style callbacks in TLSv1.2
3942 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3943 * Test 2: New style callbacks in TLSv1.2 with SNI
3944 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3945 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3946 */
710756a9
RS		 3947static int test_custom_exts(int tst)
3948{
bb01ef3f 3949 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3950 SSL *clientssl = NULL, *serverssl = NULL;
3951 int testresult = 0;
3952 static int server = 1;
3953 static int client = 0;
3954 SSL_SESSION *sess = NULL;
3955 unsigned int context;
3956
c423ecaa
MC		 3957#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3958 /* Skip tests for TLSv1.2 and below in this case */
3959 if (tst < 3)
3960 return 1;
3961#endif
3962
a37008d9
MC		 3963 /* Reset callback counters */
3964 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3965 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3966 snicb = 0;
a37008d9 3967
7d7f6834 3968 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 3969 TLS1_VERSION, 0,
7d7f6834 3970 &sctx, &cctx, cert, privkey)))
710756a9 3971 goto end;
a37008d9 3972
bb01ef3f 3973 if (tst == 2
7d7f6834 3974 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
5c587fb6 3975 TLS1_VERSION, 0,
7d7f6834 3976 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3977 goto end;
3978
3979
3980 if (tst < 3) {
a37008d9
MC		 3981 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3982 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3983 if (sctx2 != NULL)
3984 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3985 }
3986
bb01ef3f 3987 if (tst == 4) {
710756a9
RS		 3988 context = SSL_EXT_CLIENT_HELLO
3989 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3990 | SSL_EXT_TLS1_3_SERVER_HELLO
3991 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3992 | SSL_EXT_TLS1_3_CERTIFICATE
3993 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3994 } else {
710756a9
RS		 3995 context = SSL_EXT_CLIENT_HELLO
3996 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3997 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3998 }
3999
4000 /* Create a client side custom extension */
4001 if (tst == 0) {
710756a9
RS		 4002 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4003 old_add_cb, old_free_cb,
4004 &client, old_parse_cb,
4005 &client)))
4006 goto end;
a37008d9 4007 } else {
710756a9
RS		 4008 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
4009 new_add_cb, new_free_cb,
4010 &client, new_parse_cb, &client)))
4011 goto end;
a37008d9
MC		 4012 }
4013
4014 /* Should not be able to add duplicates */
710756a9
RS		 4015 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
4016 old_add_cb, old_free_cb,
4017 &client, old_parse_cb,
4018 &client))
4019 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
4020 context, new_add_cb,
4021 new_free_cb, &client,
4022 new_parse_cb, &client)))
4023 goto end;
a37008d9
MC		 4024
4025 /* Create a server side custom extension */
4026 if (tst == 0) {
710756a9
RS		 4027 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4028 old_add_cb, old_free_cb,
4029 &server, old_parse_cb,
4030 &server)))
4031 goto end;
a37008d9 4032 } else {
710756a9
RS		 4033 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
4034 new_add_cb, new_free_cb,
4035 &server, new_parse_cb, &server)))
4036 goto end;
bb01ef3f
MC		 4037 if (sctx2 != NULL
4038 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
4039 context, new_add_cb,
4040 new_free_cb, &server,
4041 new_parse_cb, &server)))
4042 goto end;
a37008d9
MC		 4043 }
4044
4045 /* Should not be able to add duplicates */
710756a9
RS		 4046 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
4047 old_add_cb, old_free_cb,
4048 &server, old_parse_cb,
4049 &server))
4050 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
4051 context, new_add_cb,
4052 new_free_cb, &server,
4053 new_parse_cb, &server)))
a37008d9 4054 goto end;
a37008d9 4055
bb01ef3f
MC		 4056 if (tst == 2) {
4057 /* Set up SNI */
4058 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
4059 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
4060 goto end;
4061 }
4062
710756a9
RS		 4063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4064 &clientssl, NULL, NULL))
4065 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4066 SSL_ERROR_NONE)))
a37008d9 4067 goto end;
a37008d9
MC		 4068
4069 if (tst == 0) {
710756a9
RS		 4070 if (clntaddoldcb != 1
4071 || clntparseoldcb != 1
4072 || srvaddoldcb != 1
4073 || srvparseoldcb != 1)
a37008d9 4074 goto end;
bb01ef3f 4075 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4076 if (clntaddnewcb != 1
4077 || clntparsenewcb != 1
4078 || srvaddnewcb != 1
bb01ef3f
MC		 4079 || srvparsenewcb != 1
4080 || (tst != 2 && snicb != 0)
4081 || (tst == 2 && snicb != 1))
a37008d9 4082 goto end;
a37008d9 4083 } else {
36ff232c 4084 /* In this case there 2 NewSessionTicket messages created */
710756a9 4085 if (clntaddnewcb != 1
36ff232c
MC		 4086 || clntparsenewcb != 5
4087 || srvaddnewcb != 5
710756a9 4088 || srvparsenewcb != 1)
a37008d9 4089 goto end;
a37008d9
MC		 4090 }
4091
4092 sess = SSL_get1_session(clientssl);
a37008d9
MC		 4093 SSL_shutdown(clientssl);
4094 SSL_shutdown(serverssl);
a37008d9
MC		 4095 SSL_free(serverssl);
4096 SSL_free(clientssl);
4097 serverssl = clientssl = NULL;
4098
bb01ef3f
MC		 4099 if (tst == 3) {
4100 /* We don't bother with the resumption aspects for this test */
4101 testresult = 1;
4102 goto end;
4103 }
4104
710756a9
RS		 4105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4106 NULL, NULL))
4107 || !TEST_true(SSL_set_session(clientssl, sess))
4108 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4109 SSL_ERROR_NONE)))
a37008d9 4110 goto end;
a37008d9
MC		 4111
4112 /*
4113 * For a resumed session we expect to add the ClientHello extension. For the
4114 * old style callbacks we ignore it on the server side because they set
4115 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
4116 * them.
4117 */
4118 if (tst == 0) {
710756a9
RS		 4119 if (clntaddoldcb != 2
4120 || clntparseoldcb != 1
4121 || srvaddoldcb != 1
4122 || srvparseoldcb != 1)
a37008d9 4123 goto end;
bb01ef3f 4124 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 4125 if (clntaddnewcb != 2
4126 || clntparsenewcb != 2
4127 || srvaddnewcb != 2
4128 || srvparsenewcb != 2)
a37008d9 4129 goto end;
a37008d9 4130 } else {
36ff232c
MC		 4131 /*
4132 * No Certificate message extensions in the resumption handshake,
4133 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
4134 */
710756a9 4135 if (clntaddnewcb != 2
36ff232c
MC		 4136 || clntparsenewcb != 8
4137 || srvaddnewcb != 8
710756a9 4138 || srvparsenewcb != 2)
a37008d9 4139 goto end;
a37008d9
MC		 4140 }
4141
4142 testresult = 1;
4143
4144end:
4145 SSL_SESSION_free(sess);
4146 SSL_free(serverssl);
4147 SSL_free(clientssl);
bb01ef3f 4148 SSL_CTX_free(sctx2);
a37008d9
MC		 4149 SSL_CTX_free(sctx);
4150 SSL_CTX_free(cctx);
a37008d9
MC		 4151 return testresult;
4152}
4153
16afd71c
MC		 4154/*
4155 * Test loading of serverinfo data in various formats. test_sslmessages actually
4156 * tests to make sure the extensions appear in the handshake
4157 */
4158static int test_serverinfo(int tst)
4159{
4160 unsigned int version;
4161 unsigned char *sibuf;
4162 size_t sibuflen;
4163 int ret, expected, testresult = 0;
4164 SSL_CTX *ctx;
4165
4166 ctx = SSL_CTX_new(TLS_method());
4167 if (!TEST_ptr(ctx))
4168 goto end;
4169
4170 if ((tst & 0x01) == 0x01)
4171 version = SSL_SERVERINFOV2;
4172 else
4173 version = SSL_SERVERINFOV1;
4174
4175 if ((tst & 0x02) == 0x02) {
4176 sibuf = serverinfov2;
4177 sibuflen = sizeof(serverinfov2);
4178 expected = (version == SSL_SERVERINFOV2);
4179 } else {
4180 sibuf = serverinfov1;
4181 sibuflen = sizeof(serverinfov1);
4182 expected = (version == SSL_SERVERINFOV1);
4183 }
4184
4185 if ((tst & 0x04) == 0x04) {
4186 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
4187 } else {
4188 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
4189
4190 /*
4191 * The version variable is irrelevant in this case - it's what is in the
4192 * buffer that matters
4193 */
4194 if ((tst & 0x02) == 0x02)
4195 expected = 0;
4196 else
4197 expected = 1;
4198 }
4199
4200 if (!TEST_true(ret == expected))
4201 goto end;
4202
4203 testresult = 1;
4204
4205 end:
4206 SSL_CTX_free(ctx);
4207
4208 return testresult;
4209}
4210
2197d1df
MC		 4211/*
4212 * Test that SSL_export_keying_material() produces expected results. There are
4213 * no test vectors so all we do is test that both sides of the communication
4214 * produce the same results for different protocol versions.
4215 */
0fb2815b
MC		 4216#define SMALL_LABEL_LEN 10
4217#define LONG_LABEL_LEN 249
2197d1df
MC		 4218static int test_export_key_mat(int tst)
4219{
a599574b 4220 int testresult = 0;
2197d1df
MC		 4221 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
4222 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 4223 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 4224 const unsigned char context[] = "context";
4225 const unsigned char *emptycontext = NULL;
4226 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
4227 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 4228 size_t labellen;
a599574b
MC		 4229 const int protocols[] = {
4230 TLS1_VERSION,
4231 TLS1_1_VERSION,
4232 TLS1_2_VERSION,
0fb2815b
MC		 4233 TLS1_3_VERSION,
4234 TLS1_3_VERSION,
a599574b
MC		 4235 TLS1_3_VERSION
4236 };
2197d1df
MC		 4237
4238#ifdef OPENSSL_NO_TLS1
4239 if (tst == 0)
4240 return 1;
4241#endif
4242#ifdef OPENSSL_NO_TLS1_1
4243 if (tst == 1)
4244 return 1;
4245#endif
4246#ifdef OPENSSL_NO_TLS1_2
4247 if (tst == 2)
4248 return 1;
4249#endif
4250#ifdef OPENSSL_NO_TLS1_3
0fb2815b 4251 if (tst >= 3)
2197d1df
MC		 4252 return 1;
4253#endif
7d7f6834 4254 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4255 TLS1_VERSION, 0,
7d7f6834 4256 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 4257 goto end;
4258
a599574b
MC		 4259 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
4260 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
4261 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 4262
4263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4264 NULL))
4265 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4266 SSL_ERROR_NONE)))
4267 goto end;
4268
0fb2815b
MC		 4269 if (tst == 5) {
4270 /*
4271 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
4272 * go over that.
4273 */
4274 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
4275 sizeof(ckeymat1), label,
4276 LONG_LABEL_LEN + 1, context,
4277 sizeof(context) - 1, 1), 0))
4278 goto end;
4279
4280 testresult = 1;
4281 goto end;
4282 } else if (tst == 4) {
4283 labellen = LONG_LABEL_LEN;
4284 } else {
4285 labellen = SMALL_LABEL_LEN;
4286 }
4287
2197d1df
MC		 4288 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
4289 sizeof(ckeymat1), label,
0fb2815b 4290 labellen, context,
2197d1df
MC		 4291 sizeof(context) - 1, 1), 1)
4292 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
4293 sizeof(ckeymat2), label,
0fb2815b 4294 labellen,
2197d1df
MC		 4295 emptycontext,
4296 0, 1), 1)
4297 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
4298 sizeof(ckeymat3), label,
0fb2815b 4299 labellen,
2197d1df
MC		 4300 NULL, 0, 0), 1)
4301 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
4302 sizeof(skeymat1), label,
0fb2815b 4303 labellen,
2197d1df
MC		 4304 context,
4305 sizeof(context) -1, 1),
4306 1)
4307 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
4308 sizeof(skeymat2), label,
0fb2815b 4309 labellen,
2197d1df
MC		 4310 emptycontext,
4311 0, 1), 1)
4312 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
4313 sizeof(skeymat3), label,
0fb2815b 4314 labellen,
2197d1df
MC		 4315 NULL, 0, 0), 1)
4316 /*
4317 * Check that both sides created the same key material with the
4318 * same context.
4319 */
4320 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4321 sizeof(skeymat1))
4322 /*
4323 * Check that both sides created the same key material with an
4324 * empty context.
4325 */
4326 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4327 sizeof(skeymat2))
4328 /*
4329 * Check that both sides created the same key material without a
4330 * context.
4331 */
4332 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
4333 sizeof(skeymat3))
4334 /* Different contexts should produce different results */
4335 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4336 sizeof(ckeymat2)))
4337 goto end;
4338
4339 /*
4340 * Check that an empty context and no context produce different results in
4341 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
4342 */
0fb2815b 4343 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 4344 sizeof(ckeymat3)))
0fb2815b
MC		 4345 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
4346 sizeof(ckeymat3))))
2197d1df
MC		 4347 goto end;
4348
4349 testresult = 1;
4350
4351 end:
4352 SSL_free(serverssl);
4353 SSL_free(clientssl);
4354 SSL_CTX_free(sctx2);
4355 SSL_CTX_free(sctx);
4356 SSL_CTX_free(cctx);
4357
4358 return testresult;
4359}
4360
b38ede80
TT		 4361#ifndef OPENSSL_NO_TLS1_3
4362/*
4363 * Test that SSL_export_keying_material_early() produces expected
4364 * results. There are no test vectors so all we do is test that both
4365 * sides of the communication produce the same results for different
4366 * protocol versions.
4367 */
4368static int test_export_key_mat_early(int idx)
4369{
4370 static const char label[] = "test label";
4371 static const unsigned char context[] = "context";
4372 int testresult = 0;
4373 SSL_CTX *cctx = NULL, *sctx = NULL;
4374 SSL *clientssl = NULL, *serverssl = NULL;
4375 SSL_SESSION *sess = NULL;
4376 const unsigned char *emptycontext = NULL;
4377 unsigned char ckeymat1[80], ckeymat2[80];
4378 unsigned char skeymat1[80], skeymat2[80];
4379 unsigned char buf[1];
4380 size_t readbytes, written;
4381
4382 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
4383 &sess, idx)))
4384 goto end;
4385
4386 /* Here writing 0 length early data is enough. */
4387 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
4388 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4389 &readbytes),
4390 SSL_READ_EARLY_DATA_ERROR)
4391 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4392 SSL_EARLY_DATA_ACCEPTED))
4393 goto end;
4394
4395 if (!TEST_int_eq(SSL_export_keying_material_early(
4396 clientssl, ckeymat1, sizeof(ckeymat1), label,
4397 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4398 || !TEST_int_eq(SSL_export_keying_material_early(
4399 clientssl, ckeymat2, sizeof(ckeymat2), label,
4400 sizeof(label) - 1, emptycontext, 0), 1)
4401 || !TEST_int_eq(SSL_export_keying_material_early(
4402 serverssl, skeymat1, sizeof(skeymat1), label,
4403 sizeof(label) - 1, context, sizeof(context) - 1), 1)
4404 || !TEST_int_eq(SSL_export_keying_material_early(
4405 serverssl, skeymat2, sizeof(skeymat2), label,
4406 sizeof(label) - 1, emptycontext, 0), 1)
4407 /*
4408 * Check that both sides created the same key material with the
4409 * same context.
4410 */
4411 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
4412 sizeof(skeymat1))
4413 /*
4414 * Check that both sides created the same key material with an
4415 * empty context.
4416 */
4417 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
4418 sizeof(skeymat2))
4419 /* Different contexts should produce different results */
4420 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
4421 sizeof(ckeymat2)))
4422 goto end;
4423
4424 testresult = 1;
4425
4426 end:
c20e3b28 4427 SSL_SESSION_free(sess);
b38ede80
TT		 4428 SSL_SESSION_free(clientpsk);
4429 SSL_SESSION_free(serverpsk);
34ff74eb 4430 clientpsk = serverpsk = NULL;
b38ede80
TT		 4431 SSL_free(serverssl);
4432 SSL_free(clientssl);
4433 SSL_CTX_free(sctx);
4434 SSL_CTX_free(cctx);
4435
4436 return testresult;
4437}
4438#endif /* OPENSSL_NO_TLS1_3 */
4439
e11b6aa4
MC		 4440static int test_ssl_clear(int idx)
4441{
4442 SSL_CTX *cctx = NULL, *sctx = NULL;
4443 SSL *clientssl = NULL, *serverssl = NULL;
4444 int testresult = 0;
4445
4446#ifdef OPENSSL_NO_TLS1_2
4447 if (idx == 1)
4448 return 1;
4449#endif
4450
4451 /* Create an initial connection */
7d7f6834 4452 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4453 TLS1_VERSION, 0,
7d7f6834 4454 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 4455 || (idx == 1
4456 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
4457 TLS1_2_VERSION)))
4458 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4459 &clientssl, NULL, NULL))
4460 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4461 SSL_ERROR_NONE)))
4462 goto end;
4463
4464 SSL_shutdown(clientssl);
4465 SSL_shutdown(serverssl);
4466 SSL_free(serverssl);
4467 serverssl = NULL;
4468
4469 /* Clear clientssl - we're going to reuse the object */
4470 if (!TEST_true(SSL_clear(clientssl)))
4471 goto end;
4472
4473 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4474 NULL, NULL))
4475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4476 SSL_ERROR_NONE))
4477 || !TEST_true(SSL_session_reused(clientssl)))
4478 goto end;
4479
4480 SSL_shutdown(clientssl);
4481 SSL_shutdown(serverssl);
4482
4483 testresult = 1;
4484
4485 end:
4486 SSL_free(serverssl);
4487 SSL_free(clientssl);
4488 SSL_CTX_free(sctx);
4489 SSL_CTX_free(cctx);
4490
4491 return testresult;
4492}
4493
cf72c757
F		 4494/* Parse CH and retrieve any MFL extension value if present */
4495static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
4496{
4497 long len;
4498 unsigned char *data;
4499 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
4500 unsigned int MFL_code = 0, type = 0;
4501
4502 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
4503 goto end;
4504
4505 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
4506 /* Skip the record header */
4507 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
4508 /* Skip the handshake message header */
4509 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
4510 /* Skip client version and random */
4511 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
4512 + SSL3_RANDOM_SIZE))
4513 /* Skip session id */
4514 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4515 /* Skip ciphers */
4516 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
4517 /* Skip compression */
4518 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
4519 /* Extensions len */
4520 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
4521 goto end;
4522
4523 /* Loop through all extensions */
4524 while (PACKET_remaining(&pkt2)) {
4525 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
4526 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
4527 goto end;
4528
4529 if (type == TLSEXT_TYPE_max_fragment_length) {
4530 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
4531 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
4532 goto end;
4533
4534 *mfl_codemfl_code = MFL_code;
4535 return 1;
4536 }
4537 }
4538
4539 end:
4540 return 0;
4541}
4542
4543/* Maximum-Fragment-Length TLS extension mode to test */
4544static const unsigned char max_fragment_len_test[] = {
4545 TLSEXT_max_fragment_length_512,
4546 TLSEXT_max_fragment_length_1024,
4547 TLSEXT_max_fragment_length_2048,
4548 TLSEXT_max_fragment_length_4096
4549};
4550
4551static int test_max_fragment_len_ext(int idx_tst)
4552{
4553 SSL_CTX *ctx;
4554 SSL *con = NULL;
4555 int testresult = 0, MFL_mode = 0;
4556 BIO *rbio, *wbio;
4557
4558 ctx = SSL_CTX_new(TLS_method());
4559 if (!TEST_ptr(ctx))
4560 goto end;
4561
4562 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
4563 ctx, max_fragment_len_test[idx_tst])))
4564 goto end;
4565
4566 con = SSL_new(ctx);
4567 if (!TEST_ptr(con))
4568 goto end;
4569
4570 rbio = BIO_new(BIO_s_mem());
4571 wbio = BIO_new(BIO_s_mem());
4572 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4573 BIO_free(rbio);
4574 BIO_free(wbio);
4575 goto end;
4576 }
4577
4578 SSL_set_bio(con, rbio, wbio);
4579 SSL_set_connect_state(con);
4580
4581 if (!TEST_int_le(SSL_connect(con), 0)) {
4582 /* This shouldn't succeed because we don't have a server! */
4583 goto end;
4584 }
4585
4586 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4587 /* no MFL in client hello */
4588 goto end;
4589 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4590 goto end;
4591
4592 testresult = 1;
4593
4594end:
4595 SSL_free(con);
4596 SSL_CTX_free(ctx);
4597
4598 return testresult;
4599}
4600
9d75dce3
TS		 4601#ifndef OPENSSL_NO_TLS1_3
4602static int test_pha_key_update(void)
4603{
4604 SSL_CTX *cctx = NULL, *sctx = NULL;
4605 SSL *clientssl = NULL, *serverssl = NULL;
4606 int testresult = 0;
4607
7d7f6834 4608 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4609 TLS1_VERSION, 0,
9d75dce3
TS		 4610 &sctx, &cctx, cert, privkey)))
4611 return 0;
4612
4613 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4614 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4615 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4616 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4617 goto end;
4618
e97be718 4619 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 4620
4621 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4622 NULL, NULL)))
4623 goto end;
4624
9d75dce3
TS		 4625 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4626 SSL_ERROR_NONE)))
4627 goto end;
4628
4629 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4630 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4631 goto end;
4632
4633 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4634 goto end;
4635
4636 /* Start handshake on the server */
4637 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4638 goto end;
4639
4640 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4641 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4642 SSL_ERROR_NONE)))
4643 goto end;
4644
4645 SSL_shutdown(clientssl);
4646 SSL_shutdown(serverssl);
4647
4648 testresult = 1;
4649
4650 end:
4651 SSL_free(serverssl);
4652 SSL_free(clientssl);
4653 SSL_CTX_free(sctx);
4654 SSL_CTX_free(cctx);
4655 return testresult;
4656}
4657#endif
4658
76fd7a1d
MC		 4659#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4660
4661static SRP_VBASE *vbase = NULL;
4662
4663static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4664{
4665 int ret = SSL3_AL_FATAL;
4666 char *username;
4667 SRP_user_pwd *user = NULL;
4668
4669 username = SSL_get_srp_username(s);
4670 if (username == NULL) {
4671 *ad = SSL_AD_INTERNAL_ERROR;
4672 goto err;
4673 }
4674
4675 user = SRP_VBASE_get1_by_user(vbase, username);
4676 if (user == NULL) {
4677 *ad = SSL_AD_INTERNAL_ERROR;
4678 goto err;
4679 }
4680
4681 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4682 user->info) <= 0) {
4683 *ad = SSL_AD_INTERNAL_ERROR;
4684 goto err;
4685 }
4686
4687 ret = 0;
4688
4689 err:
4690 SRP_user_pwd_free(user);
4691 return ret;
4692}
4693
4694static int create_new_vfile(char *userid, char *password, const char *filename)
4695{
4696 char *gNid = NULL;
4697 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4698 TXT_DB *db = NULL;
4699 int ret = 0;
4700 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4701 size_t i;
4702
4703 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4704 goto end;
4705
4706 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4707 &row[DB_srpverifier], NULL, NULL);
4708 if (!TEST_ptr(gNid))
4709 goto end;
4710
4711 /*
4712 * The only way to create an empty TXT_DB is to provide a BIO with no data
4713 * in it!
4714 */
4715 db = TXT_DB_read(dummy, DB_NUMBER);
4716 if (!TEST_ptr(db))
4717 goto end;
4718
4719 out = BIO_new_file(filename, "w");
4720 if (!TEST_ptr(out))
4721 goto end;
4722
4723 row[DB_srpid] = OPENSSL_strdup(userid);
4724 row[DB_srptype] = OPENSSL_strdup("V");
4725 row[DB_srpgN] = OPENSSL_strdup(gNid);
4726
4727 if (!TEST_ptr(row[DB_srpid])
4728 || !TEST_ptr(row[DB_srptype])
4729 || !TEST_ptr(row[DB_srpgN])
4730 || !TEST_true(TXT_DB_insert(db, row)))
4731 goto end;
4732
4733 row = NULL;
4734
4735 if (!TXT_DB_write(out, db))
4736 goto end;
4737
4738 ret = 1;
4739 end:
4740 if (row != NULL) {
4741 for (i = 0; i < DB_NUMBER; i++)
4742 OPENSSL_free(row[i]);
4743 }
4744 OPENSSL_free(row);
4745 BIO_free(dummy);
4746 BIO_free(out);
4747 TXT_DB_free(db);
4748
4749 return ret;
4750}
4751
4752static int create_new_vbase(char *userid, char *password)
4753{
4754 BIGNUM *verifier = NULL, *salt = NULL;
4755 const SRP_gN *lgN = NULL;
4756 SRP_user_pwd *user_pwd = NULL;
4757 int ret = 0;
4758
4759 lgN = SRP_get_default_gN(NULL);
4760 if (!TEST_ptr(lgN))
4761 goto end;
4762
4763 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4764 lgN->N, lgN->g)))
4765 goto end;
4766
4767 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4768 if (!TEST_ptr(user_pwd))
4769 goto end;
4770
4771 user_pwd->N = lgN->N;
4772 user_pwd->g = lgN->g;
4773 user_pwd->id = OPENSSL_strdup(userid);
4774 if (!TEST_ptr(user_pwd->id))
4775 goto end;
4776
4777 user_pwd->v = verifier;
4778 user_pwd->s = salt;
4779 verifier = salt = NULL;
4780
4781 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4782 goto end;
4783 user_pwd = NULL;
4784
4785 ret = 1;
4786end:
4787 SRP_user_pwd_free(user_pwd);
4788 BN_free(salt);
4789 BN_free(verifier);
4790
4791 return ret;
4792}
4793
4794/*
4795 * SRP tests
4796 *
4797 * Test 0: Simple successful SRP connection, new vbase
4798 * Test 1: Connection failure due to bad password, new vbase
4799 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4800 * Test 3: Connection failure due to bad password, vbase loaded from existing
4801 * file
4802 * Test 4: Simple successful SRP connection, vbase loaded from new file
4803 * Test 5: Connection failure due to bad password, vbase loaded from new file
4804 */
4805static int test_srp(int tst)
4806{
4807 char *userid = "test", *password = "password", *tstsrpfile;
4808 SSL_CTX *cctx = NULL, *sctx = NULL;
4809 SSL *clientssl = NULL, *serverssl = NULL;
4810 int ret, testresult = 0;
4811
4812 vbase = SRP_VBASE_new(NULL);
4813 if (!TEST_ptr(vbase))
4814 goto end;
4815
4816 if (tst == 0 || tst == 1) {
4817 if (!TEST_true(create_new_vbase(userid, password)))
4818 goto end;
4819 } else {
4820 if (tst == 4 || tst == 5) {
4821 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4822 goto end;
4823 tstsrpfile = tmpfilename;
4824 } else {
4825 tstsrpfile = srpvfile;
4826 }
4827 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4828 goto end;
4829 }
4830
4831 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
5c587fb6 4832 TLS1_VERSION, 0,
76fd7a1d
MC		 4833 &sctx, &cctx, cert, privkey)))
4834 goto end;
4835
4836 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4837 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4838 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4839 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4840 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4841 goto end;
4842
4843 if (tst % 2 == 1) {
4844 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4845 goto end;
4846 } else {
4847 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4848 goto end;
4849 }
4850
4851 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4852 NULL, NULL)))
4853 goto end;
4854
4855 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4856 if (ret) {
4857 if (!TEST_true(tst % 2 == 0))
4858 goto end;
4859 } else {
4860 if (!TEST_true(tst % 2 == 1))
4861 goto end;
4862 }
4863
4864 testresult = 1;
4865
4866 end:
4867 SRP_VBASE_free(vbase);
4868 vbase = NULL;
4869 SSL_free(serverssl);
4870 SSL_free(clientssl);
4871 SSL_CTX_free(sctx);
4872 SSL_CTX_free(cctx);
4873
4874 return testresult;
4875}
4876#endif
4877
5718fe45
MC		 4878static int info_cb_failed = 0;
4879static int info_cb_offset = 0;
4880static int info_cb_this_state = -1;
4881
4882static struct info_cb_states_st {
4883 int where;
4884 const char *statestr;
4885} info_cb_states[][60] = {
4886 {
4887 /* TLSv1.2 server followed by resumption */
4888 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4889 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4890 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4891 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4892 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4893 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4894 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4895 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4896 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4897 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4898 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4899 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4900 {SSL_CB_EXIT, NULL}, {0, NULL},
4901 }, {
4902 /* TLSv1.2 client followed by resumption */
4903 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4904 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4905 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4906 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4907 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4908 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4909 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4910 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4911 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4912 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4913 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4914 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4915 }, {
4916 /* TLSv1.3 server followed by resumption */
4917 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4918 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4919 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4920 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4921 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4922 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4923 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4924 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4925 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4926 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4927 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4928 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4929 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4930 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4931 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4932 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4933 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4934 }, {
4935 /* TLSv1.3 client followed by resumption */
4936 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4937 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4938 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4939 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4940 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4941 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4942 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4943 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4944 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4945 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4946 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4947 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4948 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4949 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4950 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4951 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4952 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4953 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4954 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4955 }, {
4956 /* TLSv1.3 server, early_data */
4957 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4958 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4959 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4960 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4961 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4962 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4963 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4964 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4965 {SSL_CB_EXIT, NULL}, {0, NULL},
4966 }, {
4967 /* TLSv1.3 client, early_data */
4968 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4969 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4970 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4971 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4972 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4973 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4974 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4975 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4976 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4977 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4978 }, {
4979 {0, NULL},
4980 }
4981};
4982
4983static void sslapi_info_callback(const SSL *s, int where, int ret)
4984{
4985 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4986
4987 /* We do not ever expect a connection to fail in this test */
4988 if (!TEST_false(ret == 0)) {
4989 info_cb_failed = 1;
4990 return;
4991 }
4992
4993 /*
4994 * Do some sanity checks. We never expect these things to happen in this
4995 * test
4996 */
4997 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4998 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4999 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
5000 info_cb_failed = 1;
5001 return;
5002 }
5003
5004 /* Now check we're in the right state */
5005 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
5006 info_cb_failed = 1;
5007 return;
5008 }
5009 if ((where & SSL_CB_LOOP) != 0
5010 && !TEST_int_eq(strcmp(SSL_state_string(s),
5011 state[info_cb_this_state].statestr), 0)) {
5012 info_cb_failed = 1;
5013 return;
5014 }
033c181b
MC		 5015
5016 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
5017 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
5018 info_cb_failed = 1;
5019 return;
5020 }
5718fe45
MC		 5021}
5022
5023/*
5024 * Test the info callback gets called when we expect it to.
5025 *
5026 * Test 0: TLSv1.2, server
5027 * Test 1: TLSv1.2, client
5028 * Test 2: TLSv1.3, server
5029 * Test 3: TLSv1.3, client
5030 * Test 4: TLSv1.3, server, early_data
5031 * Test 5: TLSv1.3, client, early_data
5032 */
5033static int test_info_callback(int tst)
5034{
5035 SSL_CTX *cctx = NULL, *sctx = NULL;
5036 SSL *clientssl = NULL, *serverssl = NULL;
5037 SSL_SESSION *clntsess = NULL;
5038 int testresult = 0;
5039 int tlsvers;
5040
5041 if (tst < 2) {
1aac20f5
MC		 5042/* We need either ECDHE or DHE for the TLSv1.2 test to work */
5043#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
5044 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 5045 tlsvers = TLS1_2_VERSION;
5046#else
5047 return 1;
5048#endif
5049 } else {
5050#ifndef OPENSSL_NO_TLS1_3
5051 tlsvers = TLS1_3_VERSION;
5052#else
5053 return 1;
5054#endif
5055 }
5056
5057 /* Reset globals */
5058 info_cb_failed = 0;
5059 info_cb_this_state = -1;
5060 info_cb_offset = tst;
5061
6e07834c 5062#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 5063 if (tst >= 4) {
5064 SSL_SESSION *sess = NULL;
5065 size_t written, readbytes;
5066 unsigned char buf[80];
5067
5068 /* early_data tests */
5069 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
5070 &serverssl, &sess, 0)))
5071 goto end;
5072
5073 /* We don't actually need this reference */
5074 SSL_SESSION_free(sess);
5075
5076 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
5077 sslapi_info_callback);
5078
5079 /* Write and read some early data and then complete the connection */
5080 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
5081 &written))
5082 || !TEST_size_t_eq(written, strlen(MSG1))
5083 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
5084 sizeof(buf), &readbytes),
5085 SSL_READ_EARLY_DATA_SUCCESS)
5086 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5087 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5088 SSL_EARLY_DATA_ACCEPTED)
5089 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5090 SSL_ERROR_NONE))
5091 || !TEST_false(info_cb_failed))
5092 goto end;
5093
5094 testresult = 1;
5095 goto end;
5096 }
6e07834c 5097#endif
5718fe45
MC		 5098
5099 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5100 TLS_client_method(),
5101 tlsvers, tlsvers, &sctx, &cctx, cert,
5102 privkey)))
5103 goto end;
5104
5105 /*
5106 * For even numbered tests we check the server callbacks. For odd numbers we
5107 * check the client.
5108 */
5109 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
5110 sslapi_info_callback);
5111
5112 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5113 &clientssl, NULL, NULL))
5114 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5115 SSL_ERROR_NONE))
5116 || !TEST_false(info_cb_failed))
5117 goto end;
5118
5119
5120
5121 clntsess = SSL_get1_session(clientssl);
5122 SSL_shutdown(clientssl);
5123 SSL_shutdown(serverssl);
5124 SSL_free(serverssl);
5125 SSL_free(clientssl);
5126 serverssl = clientssl = NULL;
5127
5128 /* Now do a resumption */
5129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5130 NULL))
5131 || !TEST_true(SSL_set_session(clientssl, clntsess))
5132 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5133 SSL_ERROR_NONE))
5134 || !TEST_true(SSL_session_reused(clientssl))
5135 || !TEST_false(info_cb_failed))
5136 goto end;
5137
5138 testresult = 1;
5139
5140 end:
5141 SSL_free(serverssl);
5142 SSL_free(clientssl);
5143 SSL_SESSION_free(clntsess);
5144 SSL_CTX_free(sctx);
5145 SSL_CTX_free(cctx);
5146 return testresult;
5147}
5148
4a432af8
MC		 5149static int test_ssl_pending(int tst)
5150{
5151 SSL_CTX *cctx = NULL, *sctx = NULL;
5152 SSL *clientssl = NULL, *serverssl = NULL;
5153 int testresult = 0;
5154 char msg[] = "A test message";
5155 char buf[5];
5156 size_t written, readbytes;
5157
5158 if (tst == 0) {
5159 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5160 TLS_client_method(),
5c587fb6 5161 TLS1_VERSION, 0,
4a432af8
MC		 5162 &sctx, &cctx, cert, privkey)))
5163 goto end;
5164 } else {
5165#ifndef OPENSSL_NO_DTLS
5166 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
5167 DTLS_client_method(),
5c587fb6 5168 DTLS1_VERSION, 0,
4a432af8
MC		 5169 &sctx, &cctx, cert, privkey)))
5170 goto end;
5171#else
5172 return 1;
5173#endif
5174 }
5175
5176 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5177 NULL, NULL))
5178 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5179 SSL_ERROR_NONE)))
5180 goto end;
5181
e8251092
MC		 5182 if (!TEST_int_eq(SSL_pending(clientssl), 0)
5183 || !TEST_false(SSL_has_pending(clientssl))
5184 || !TEST_int_eq(SSL_pending(serverssl), 0)
5185 || !TEST_false(SSL_has_pending(serverssl))
5186 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 5187 || !TEST_size_t_eq(written, sizeof(msg))
5188 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
5189 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 5190 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
5191 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 5192 goto end;
5193
5194 testresult = 1;
5195
5196 end:
5197 SSL_free(serverssl);
5198 SSL_free(clientssl);
5199 SSL_CTX_free(sctx);
5200 SSL_CTX_free(cctx);
5201
5202 return testresult;
5203}
5204
e401389a
MC		 5205static struct {
5206 unsigned int maxprot;
5207 const char *clntciphers;
5208 const char *clnttls13ciphers;
5209 const char *srvrciphers;
5210 const char *srvrtls13ciphers;
5211 const char *shared;
5212} shared_ciphers_data[] = {
60155b9a
MC		 5213/*
5214 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
5215 * TLSv1.3 is enabled but TLSv1.2 is disabled.
5216 */
5217#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 5218 {
5219 TLS1_2_VERSION,
5220 "AES128-SHA:AES256-SHA",
5221 NULL,
5222 "AES256-SHA:DHE-RSA-AES128-SHA",
5223 NULL,
5224 "AES256-SHA"
5225 },
5226 {
5227 TLS1_2_VERSION,
5228 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
5229 NULL,
5230 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
5231 NULL,
5232 "AES128-SHA:AES256-SHA"
5233 },
5234 {
5235 TLS1_2_VERSION,
5236 "AES128-SHA:AES256-SHA",
5237 NULL,
5238 "AES128-SHA:DHE-RSA-AES128-SHA",
5239 NULL,
5240 "AES128-SHA"
5241 },
60155b9a
MC		 5242#endif
5243/*
5244 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
5245 * enabled.
5246 */
5247#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
5248 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 5249 {
5250 TLS1_3_VERSION,
5251 "AES128-SHA:AES256-SHA",
5252 NULL,
5253 "AES256-SHA:AES128-SHA256",
5254 NULL,
5255 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
5256 "TLS_AES_128_GCM_SHA256:AES256-SHA"
5257 },
60155b9a
MC		 5258#endif
5259#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 5260 {
5261 TLS1_3_VERSION,
5262 "AES128-SHA",
5263 "TLS_AES_256_GCM_SHA384",
5264 "AES256-SHA",
5265 "TLS_AES_256_GCM_SHA384",
5266 "TLS_AES_256_GCM_SHA384"
5267 },
5268#endif
5269};
5270
5271static int test_ssl_get_shared_ciphers(int tst)
5272{
5273 SSL_CTX *cctx = NULL, *sctx = NULL;
5274 SSL *clientssl = NULL, *serverssl = NULL;
5275 int testresult = 0;
5276 char buf[1024];
5277
5278 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5279 TLS_client_method(),
5280 TLS1_VERSION,
5281 shared_ciphers_data[tst].maxprot,
5282 &sctx, &cctx, cert, privkey)))
5283 goto end;
5284
5285 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5286 shared_ciphers_data[tst].clntciphers))
5287 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
5288 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
5289 shared_ciphers_data[tst].clnttls13ciphers)))
5290 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
5291 shared_ciphers_data[tst].srvrciphers))
5292 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
5293 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
5294 shared_ciphers_data[tst].srvrtls13ciphers))))
5295 goto end;
5296
5297
5298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5299 NULL, NULL))
5300 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5301 SSL_ERROR_NONE)))
5302 goto end;
5303
5304 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
5305 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
5306 TEST_info("Shared ciphers are: %s\n", buf);
5307 goto end;
5308 }
5309
5310 testresult = 1;
5311
5312 end:
5313 SSL_free(serverssl);
5314 SSL_free(clientssl);
5315 SSL_CTX_free(sctx);
5316 SSL_CTX_free(cctx);
5317
5318 return testresult;
5319}
5320
d0191fe0 5321static const char *appdata = "Hello World";
61fb5923
MC		 5322static int gen_tick_called, dec_tick_called, tick_key_cb_called;
5323static int tick_key_renew = 0;
5324static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 5325
5326static int gen_tick_cb(SSL *s, void *arg)
5327{
5328 gen_tick_called = 1;
5329
5330 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
5331 strlen(appdata));
5332}
5333
5334static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
5335 const unsigned char *keyname,
5336 size_t keyname_length,
61fb5923
MC		 5337 SSL_TICKET_STATUS status,
5338 void *arg)
d0191fe0
MC		 5339{
5340 void *tickdata;
5341 size_t tickdlen;
5342
5343 dec_tick_called = 1;
5344
61fb5923
MC		 5345 if (status == SSL_TICKET_EMPTY)
5346 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 5347
61fb5923
MC		 5348 if (!TEST_true(status == SSL_TICKET_SUCCESS
5349 || status == SSL_TICKET_SUCCESS_RENEW))
5350 return SSL_TICKET_RETURN_ABORT;
5351
5352 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
5353 &tickdlen))
d0191fe0
MC		 5354 || !TEST_size_t_eq(tickdlen, strlen(appdata))
5355 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 5356 return SSL_TICKET_RETURN_ABORT;
d0191fe0 5357
61fb5923
MC		 5358 if (tick_key_cb_called) {
5359 /* Don't change what the ticket key callback wanted to do */
5360 switch (status) {
5361 case SSL_TICKET_NO_DECRYPT:
5362 return SSL_TICKET_RETURN_IGNORE_RENEW;
5363
5364 case SSL_TICKET_SUCCESS:
5365 return SSL_TICKET_RETURN_USE;
d0191fe0 5366
61fb5923
MC		 5367 case SSL_TICKET_SUCCESS_RENEW:
5368 return SSL_TICKET_RETURN_USE_RENEW;
5369
5370 default:
5371 return SSL_TICKET_RETURN_ABORT;
5372 }
5373 }
5374 return tick_dec_ret;
5375
5376}
d0191fe0
MC		 5377
5378static int tick_key_cb(SSL *s, unsigned char key_name[16],
5379 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
5380 HMAC_CTX *hctx, int enc)
5381{
5382 const unsigned char tick_aes_key[16] = "0123456789abcdef";
5383 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5384
61fb5923 5385 tick_key_cb_called = 1;
d0191fe0
MC		 5386 memset(iv, 0, AES_BLOCK_SIZE);
5387 memset(key_name, 0, 16);
5388 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
5389 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
5390 EVP_sha256(), NULL))
5391 return -1;
5392
61fb5923 5393 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 5394}
5395
5396/*
5397 * Test the various ticket callbacks
61fb5923
MC		 5398 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
5399 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
5400 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
5401 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
5402 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
5403 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
5404 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
5405 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
5406 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
5407 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
5408 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
5409 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 5410 */
5411static int test_ticket_callbacks(int tst)
5412{
5413 SSL_CTX *cctx = NULL, *sctx = NULL;
5414 SSL *clientssl = NULL, *serverssl = NULL;
5415 SSL_SESSION *clntsess = NULL;
5416 int testresult = 0;
5417
5418#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 5419 if (tst % 2 == 0)
d0191fe0
MC		 5420 return 1;
5421#endif
5422#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 5423 if (tst % 2 == 1)
d0191fe0
MC		 5424 return 1;
5425#endif
5426
61fb5923 5427 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 5428
5429 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 5430 if (tst == 10 || tst == 11)
5431 tick_key_renew = 1;
d0191fe0 5432 else
61fb5923
MC		 5433 tick_key_renew = 0;
5434
5435 /* Which tests the decrypt ticket callback should request renewal for */
5436 switch (tst) {
5437 case 0:
5438 case 1:
5439 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
5440 break;
5441
5442 case 2:
5443 case 3:
5444 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
5445 break;
5446
5447 case 4:
5448 case 5:
5449 tick_dec_ret = SSL_TICKET_RETURN_USE;
5450 break;
5451
5452 case 6:
5453 case 7:
5454 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
5455 break;
5456
5457 default:
5458 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
5459 }
d0191fe0
MC		 5460
5461 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5462 TLS_client_method(),
5463 TLS1_VERSION,
61fb5923
MC		 5464 ((tst % 2) == 0) ? TLS1_2_VERSION
5465 : TLS1_3_VERSION,
d0191fe0
MC		 5466 &sctx, &cctx, cert, privkey)))
5467 goto end;
5468
61fb5923
MC		 5469 /*
5470 * We only want sessions to resume from tickets - not the session cache. So
5471 * switch the cache off.
5472 */
5473 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
5474 goto end;
5475
d0191fe0
MC		 5476 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
5477 NULL)))
5478 goto end;
5479
61fb5923 5480 if (tst >= 8
d0191fe0
MC		 5481 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
5482 goto end;
5483
5484 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5485 NULL, NULL))
5486 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5487 SSL_ERROR_NONE)))
5488 goto end;
5489
61fb5923
MC		 5490 /*
5491 * The decrypt ticket key callback in TLSv1.2 should be called even though
5492 * we have no ticket yet, because it gets called with a status of
5493 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
5494 * actually send any ticket data). This does not happen in TLSv1.3 because
5495 * it is not valid to send empty ticket data in TLSv1.3.
5496 */
d0191fe0 5497 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 5498 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 5499 goto end;
5500
5501 gen_tick_called = dec_tick_called = 0;
5502
5503 clntsess = SSL_get1_session(clientssl);
5504 SSL_shutdown(clientssl);
5505 SSL_shutdown(serverssl);
5506 SSL_free(serverssl);
5507 SSL_free(clientssl);
5508 serverssl = clientssl = NULL;
5509
5510 /* Now do a resumption */
5511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
5512 NULL))
5513 || !TEST_true(SSL_set_session(clientssl, clntsess))
5514 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 5515 SSL_ERROR_NONE)))
d0191fe0
MC		 5516 goto end;
5517
61fb5923
MC		 5518 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
5519 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
5520 if (!TEST_false(SSL_session_reused(clientssl)))
5521 goto end;
5522 } else {
5523 if (!TEST_true(SSL_session_reused(clientssl)))
5524 goto end;
5525 }
5526
d0191fe0 5527 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 5528 (tick_key_renew
5529 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
5530 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
5531 ? 1 : 0)
d0191fe0
MC		 5532 || !TEST_int_eq(dec_tick_called, 1))
5533 goto end;
5534
5535 testresult = 1;
5536
5537 end:
5538 SSL_SESSION_free(clntsess);
5539 SSL_free(serverssl);
5540 SSL_free(clientssl);
5541 SSL_CTX_free(sctx);
5542 SSL_CTX_free(cctx);
5543
5544 return testresult;
5545}
5546
c748834f
MC		 5547/*
5548 * Test bi-directional shutdown.
5549 * Test 0: TLSv1.2
5550 * Test 1: TLSv1.2, server continues to read/write after client shutdown
5551 * Test 2: TLSv1.3, no pending NewSessionTicket messages
5552 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 5553 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
5554 * sends key update, client reads it
57d7b988
MC		 5555 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
5556 * sends CertificateRequest, client reads and ignores it
5557 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 5558 * doesn't read it
5559 */
5560static int test_shutdown(int tst)
5561{
5562 SSL_CTX *cctx = NULL, *sctx = NULL;
5563 SSL *clientssl = NULL, *serverssl = NULL;
5564 int testresult = 0;
5565 char msg[] = "A test message";
5566 char buf[80];
5567 size_t written, readbytes;
80eff008 5568 SSL_SESSION *sess;
c748834f
MC		 5569
5570#ifdef OPENSSL_NO_TLS1_2
a97d19f7 5571 if (tst <= 1)
c748834f
MC		 5572 return 1;
5573#endif
5574#ifdef OPENSSL_NO_TLS1_3
a97d19f7 5575 if (tst >= 2)
c748834f
MC		 5576 return 1;
5577#endif
5578
5579 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5580 TLS_client_method(),
5581 TLS1_VERSION,
5582 (tst <= 1) ? TLS1_2_VERSION
5583 : TLS1_3_VERSION,
57d7b988
MC		 5584 &sctx, &cctx, cert, privkey)))
5585 goto end;
5586
5587 if (tst == 5)
5588 SSL_CTX_set_post_handshake_auth(cctx, 1);
5589
5590 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 5591 NULL, NULL)))
5592 goto end;
5593
5594 if (tst == 3) {
5595 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 5596 SSL_ERROR_NONE, 1))
80eff008
KR		 5597 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5598 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 5599 goto end;
5600 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 5601 SSL_ERROR_NONE))
5602 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5603 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 5604 goto end;
5605 }
5606
5607 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
5608 goto end;
5609
5610 if (tst >= 4) {
5611 /*
5612 * Reading on the server after the client has sent close_notify should
5613 * fail and provide SSL_ERROR_ZERO_RETURN
5614 */
5615 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
5616 || !TEST_int_eq(SSL_get_error(serverssl, 0),
5617 SSL_ERROR_ZERO_RETURN)
5618 || !TEST_int_eq(SSL_get_shutdown(serverssl),
5619 SSL_RECEIVED_SHUTDOWN)
5620 /*
5621 * Even though we're shutdown on receive we should still be
5622 * able to write.
5623 */
80eff008
KR		 5624 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
5625 goto end;
57d7b988
MC		 5626 if (tst == 4
5627 && !TEST_true(SSL_key_update(serverssl,
5628 SSL_KEY_UPDATE_REQUESTED)))
5629 goto end;
5630 if (tst == 5) {
5631 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5632 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5633 goto end;
5634 }
5635 if ((tst == 4 || tst == 5)
5636 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 5637 goto end;
5638 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 5639 goto end;
57d7b988 5640 if (tst == 4 || tst == 5) {
80eff008 5641 /* Should still be able to read data from server */
c748834f 5642 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 5643 &readbytes))
5644 || !TEST_size_t_eq(readbytes, sizeof(msg))
5645 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
5646 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
5647 &readbytes))
c748834f
MC		 5648 || !TEST_size_t_eq(readbytes, sizeof(msg))
5649 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
5650 goto end;
5651 }
5652 }
5653
5654 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 5655 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 5656 goto end;
5657
5658 if (tst < 4) {
5659 /*
5660 * For these tests the client has sent close_notify but it has not yet
5661 * been received by the server. The server has not sent close_notify
5662 * yet.
5663 */
5664 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 5665 /*
5666 * Writing on the server after sending close_notify shouldn't
5667 * be possible.
5668 */
5669 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 5670 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 5671 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5672 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 5673 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
5674 goto end;
57d7b988 5675 } else if (tst == 4 || tst == 5) {
c748834f
MC		 5676 /*
5677 * In this test the client has sent close_notify and it has been
5678 * received by the server which has responded with a close_notify. The
358ffa05 5679 * client needs to read the close_notify sent by the server.
c748834f 5680 */
80eff008
KR		 5681 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
5682 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
5683 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 5684 goto end;
358ffa05
MC		 5685 } else {
5686 /*
57d7b988 5687 * tst == 6
358ffa05
MC		 5688 *
5689 * The client has sent close_notify and is expecting a close_notify
5690 * back, but instead there is application data first. The shutdown
5691 * should fail with a fatal error.
5692 */
5693 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
5694 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
5695 goto end;
c748834f
MC		 5696 }
5697
5698 testresult = 1;
5699
5700 end:
5701 SSL_free(serverssl);
5702 SSL_free(clientssl);
5703 SSL_CTX_free(sctx);
5704 SSL_CTX_free(cctx);
5705
5706 return testresult;
5707}
5708
7f1d923a 5709#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 5710static int cert_cb_cnt;
5711
5712static int cert_cb(SSL *s, void *arg)
5713{
5714 SSL_CTX *ctx = (SSL_CTX *)arg;
5715
5716 if (cert_cb_cnt == 0) {
5717 /* Suspend the handshake */
5718 cert_cb_cnt++;
5719 return -1;
5720 } else if (cert_cb_cnt == 1) {
5721 /*
5722 * Update the SSL_CTX, set the certificate and private key and then
5723 * continue the handshake normally.
5724 */
5725 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
5726 return 0;
5727
5728 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
5729 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
5730 SSL_FILETYPE_PEM))
5731 || !TEST_true(SSL_check_private_key(s)))
5732 return 0;
5733 cert_cb_cnt++;
5734 return 1;
5735 }
5736
5737 /* Abort the handshake */
5738 return 0;
5739}
5740
5741/*
5742 * Test the certificate callback.
5743 * Test 0: Callback fails
5744 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
5745 * Test 2: Success - SSL_set_SSL_CTX() in the callback
5746 */
5747static int test_cert_cb_int(int prot, int tst)
5748{
5749 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
5750 SSL *clientssl = NULL, *serverssl = NULL;
5751 int testresult = 0, ret;
5752
5753 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5754 TLS_client_method(),
5755 TLS1_VERSION,
5756 prot,
5757 &sctx, &cctx, NULL, NULL)))
5758 goto end;
5759
5760 if (tst == 0)
5761 cert_cb_cnt = -1;
5762 else
5763 cert_cb_cnt = 0;
5764 if (tst == 2)
5765 snictx = SSL_CTX_new(TLS_server_method());
5766 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
5767
5768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5769 NULL, NULL)))
5770 goto end;
5771
5772 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
5773 if (!TEST_true(tst == 0 ? !ret : ret)
5774 || (tst > 0 && !TEST_int_eq(cert_cb_cnt, 2))) {
5775 goto end;
5776 }
5777
5778 testresult = 1;
5779
5780 end:
5781 SSL_free(serverssl);
5782 SSL_free(clientssl);
5783 SSL_CTX_free(sctx);
5784 SSL_CTX_free(cctx);
5785 SSL_CTX_free(snictx);
5786
5787 return testresult;
5788}
7f1d923a 5789#endif
cd6fe29f
MC		 5790
5791static int test_cert_cb(int tst)
5792{
5793 int testresult = 1;
5794
5795#ifndef OPENSSL_NO_TLS1_2
5796 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
5797#endif
7f1d923a 5798#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 5799 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
5800#endif
5801
5802 return testresult;
5803}
5804
6e46c065
MC		 5805static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
5806{
5807 X509 *xcert, *peer;
5808 EVP_PKEY *privpkey;
5809 BIO *in = NULL;
5810
5811 /* Check that SSL_get_peer_certificate() returns something sensible */
5812 peer = SSL_get_peer_certificate(ssl);
5813 if (!TEST_ptr(peer))
5814 return 0;
5815 X509_free(peer);
5816
5817 in = BIO_new_file(cert, "r");
5818 if (!TEST_ptr(in))
5819 return 0;
5820
5821 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5822 BIO_free(in);
5823 if (!TEST_ptr(xcert))
5824 return 0;
5825
5826 in = BIO_new_file(privkey, "r");
5827 if (!TEST_ptr(in)) {
5828 X509_free(xcert);
5829 return 0;
5830 }
5831
5832 privpkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
5833 BIO_free(in);
5834 if (!TEST_ptr(privpkey)) {
5835 X509_free(xcert);
5836 return 0;
5837 }
5838
5839 *x509 = xcert;
5840 *pkey = privpkey;
5841
5842 return 1;
5843}
5844
5845static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5846{
5847 return 1;
5848}
5849
5850static int test_client_cert_cb(int tst)
5851{
5852 SSL_CTX *cctx = NULL, *sctx = NULL;
5853 SSL *clientssl = NULL, *serverssl = NULL;
5854 int testresult = 0;
5855
5856#ifdef OPENSSL_NO_TLS1_2
5857 if (tst == 0)
5858 return 1;
5859#endif
5860#ifdef OPENSSL_NO_TLS1_3
5861 if (tst == 1)
5862 return 1;
5863#endif
5864
5865 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5866 TLS_client_method(),
5867 TLS1_VERSION,
5868 tst == 0 ? TLS1_2_VERSION
5869 : TLS1_3_VERSION,
5870 &sctx, &cctx, cert, privkey)))
5871 goto end;
5872
5873 /*
5874 * Test that setting a client_cert_cb results in a client certificate being
5875 * sent.
5876 */
5877 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
5878 SSL_CTX_set_verify(sctx,
5879 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5880 verify_cb);
fb8c8359
MC		 5881
5882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5883 NULL, NULL))
5884 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5885 SSL_ERROR_NONE)))
5886 goto end;
5887
5888 testresult = 1;
5889
5890 end:
5891 SSL_free(serverssl);
5892 SSL_free(clientssl);
5893 SSL_CTX_free(sctx);
5894 SSL_CTX_free(cctx);
5895
5896 return testresult;
5897}
5898
5899#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
5900/*
5901 * Test setting certificate authorities on both client and server.
5902 *
5903 * Test 0: SSL_CTX_set0_CA_list() only
5904 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
5905 * Test 2: Only SSL_CTX_set_client_CA_list()
5906 */
5907static int test_ca_names_int(int prot, int tst)
5908{
5909 SSL_CTX *cctx = NULL, *sctx = NULL;
5910 SSL *clientssl = NULL, *serverssl = NULL;
5911 int testresult = 0;
5912 size_t i;
5913 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
5914 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
5915 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
5916 const STACK_OF(X509_NAME) *sktmp = NULL;
5917
5918 for (i = 0; i < OSSL_NELEM(name); i++) {
5919 name[i] = X509_NAME_new();
5920 if (!TEST_ptr(name[i])
5921 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
5922 MBSTRING_ASC,
5923 (unsigned char *)
5924 strnames[i],
5925 -1, -1, 0)))
5926 goto end;
5927 }
5928
5929 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
5930 TLS_client_method(),
5931 TLS1_VERSION,
5932 prot,
5933 &sctx, &cctx, cert, privkey)))
5934 goto end;
5935
5936 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
5937
5938 if (tst == 0 || tst == 1) {
5939 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5940 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
5941 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
5942 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5943 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
5944 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
5945 goto end;
5946
5947 SSL_CTX_set0_CA_list(sctx, sk1);
5948 SSL_CTX_set0_CA_list(cctx, sk2);
5949 sk1 = sk2 = NULL;
5950 }
5951 if (tst == 1 || tst == 2) {
5952 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
5953 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
5954 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
5955 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
5956 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
5957 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
5958 goto end;
5959
5960 SSL_CTX_set_client_CA_list(sctx, sk1);
5961 SSL_CTX_set_client_CA_list(cctx, sk2);
5962 sk1 = sk2 = NULL;
5963 }
5964
6e46c065
MC		 5965 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5966 NULL, NULL))
5967 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5968 SSL_ERROR_NONE)))
5969 goto end;
5970
fb8c8359
MC		 5971 /*
5972 * We only expect certificate authorities to have been sent to the server
5973 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
5974 */
5975 sktmp = SSL_get0_peer_CA_list(serverssl);
5976 if (prot == TLS1_3_VERSION
5977 && (tst == 0 || tst == 1)) {
5978 if (!TEST_ptr(sktmp)
5979 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5980 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5981 name[0]), 0)
5982 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
5983 name[1]), 0))
5984 goto end;
5985 } else if (!TEST_ptr_null(sktmp)) {
5986 goto end;
5987 }
5988
5989 /*
5990 * In all tests we expect certificate authorities to have been sent to the
5991 * client. However, SSL_set_client_CA_list() should override
5992 * SSL_set0_CA_list()
5993 */
5994 sktmp = SSL_get0_peer_CA_list(clientssl);
5995 if (!TEST_ptr(sktmp)
5996 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
5997 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
5998 name[tst == 0 ? 0 : 2]), 0)
5999 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
6000 name[tst == 0 ? 1 : 3]), 0))
6001 goto end;
6002
6e46c065
MC		 6003 testresult = 1;
6004
6005 end:
6006 SSL_free(serverssl);
6007 SSL_free(clientssl);
6008 SSL_CTX_free(sctx);
6009 SSL_CTX_free(cctx);
fb8c8359
MC		 6010 for (i = 0; i < OSSL_NELEM(name); i++)
6011 X509_NAME_free(name[i]);
6012 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
6013 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
6014
6015 return testresult;
6016}
6017#endif
6018
6019static int test_ca_names(int tst)
6020{
6021 int testresult = 1;
6022
6023#ifndef OPENSSL_NO_TLS1_2
6024 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
6025#endif
6026#ifndef OPENSSL_NO_TLS1_3
6027 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
6028#endif
6e46c065
MC		 6029
6030 return testresult;
6031}
6032
a43ce58f
SL		 6033
6034OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
6035
ad887416 6036int setup_tests(void)
2cb4b5f6 6037{
ad887416 6038 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 6039 || !TEST_ptr(privkey = test_get_argument(1))
6040 || !TEST_ptr(srpvfile = test_get_argument(2))
6041 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 6042 return 0;
2cb4b5f6 6043
f297e4ec
RS		 6044 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
6045#ifdef OPENSSL_NO_CRYPTO_MDEBUG
6046 TEST_error("not supported in this build");
6047 return 0;
6048#else
6049 int i, mcount, rcount, fcount;
6050
6051 for (i = 0; i < 4; i++)
6052 test_export_key_mat(i);
6053 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
6054 test_printf_stdout("malloc %d realloc %d free %d\n",
6055 mcount, rcount, fcount);
6056 return 1;
6057#endif
6058 }
6059
5e9072ed
MC		 6060#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \
6061 && !defined(OPENSSL_NO_SOCK)
fe5d9450
BP		 6062 ADD_TEST(test_ktls_client_server);
6063 ADD_TEST(test_ktls_no_client_server);
6064 ADD_TEST(test_ktls_client_no_server);
6065 ADD_TEST(test_ktls_no_client_no_server);
6066#endif
84d5549e 6067 ADD_TEST(test_large_message_tls);
7856332e 6068 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 6069#ifndef OPENSSL_NO_DTLS
84d5549e 6070 ADD_TEST(test_large_message_dtls);
55386bef 6071#endif
8f8c11d8 6072#ifndef OPENSSL_NO_OCSP
c887104f 6073 ADD_TEST(test_tlsext_status_type);
8f8c11d8 6074#endif
eaa776da
MC		 6075 ADD_TEST(test_session_with_only_int_cache);
6076 ADD_TEST(test_session_with_only_ext_cache);
6077 ADD_TEST(test_session_with_both_cache);
36ff232c 6078#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 6079 ADD_ALL_TESTS(test_stateful_tickets, 3);
6080 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 6081 ADD_TEST(test_psk_tickets);
36ff232c 6082#endif
7fb4c820 6083 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 6084 ADD_TEST(test_ssl_bio_pop_next_bio);
6085 ADD_TEST(test_ssl_bio_pop_ssl_bio);
6086 ADD_TEST(test_ssl_bio_change_rbio);
6087 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 6088#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 6089 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 6090 ADD_TEST(test_keylog);
c423ecaa 6091#endif
6acdd3e5
CB		 6092#ifndef OPENSSL_NO_TLS1_3
6093 ADD_TEST(test_keylog_no_master_key);
6094#endif
e9ee6536 6095#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 6096 ADD_TEST(test_client_hello_cb);
5f982038
MC		 6097#endif
6098#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 6099 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 6100 /*
6101 * We don't do replay tests for external PSK. Replay protection isn't used
6102 * in that scenario.
6103 */
6104 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 6105 ADD_ALL_TESTS(test_early_data_skip, 3);
6106 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 6107 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 6108 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 6109 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 6110 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 6111 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 6112# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 6113 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 6114# endif
e9ee6536 6115#endif
a273157a 6116#ifndef OPENSSL_NO_TLS1_3
034cb87b 6117 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 6118 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 6119#ifdef OPENSSL_NO_PSK
6120 ADD_ALL_TESTS(test_tls13_psk, 1);
6121#else
0d8da779 6122 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 6123#endif /* OPENSSL_NO_PSK */
bb01ef3f 6124 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 6125 ADD_TEST(test_stateless);
9d75dce3 6126 ADD_TEST(test_pha_key_update);
a273157a 6127#else
bb01ef3f 6128 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 6129#endif
16afd71c 6130 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 6131 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 6132#ifndef OPENSSL_NO_TLS1_3
6133 ADD_ALL_TESTS(test_export_key_mat_early, 3);
6134#endif
e11b6aa4 6135 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 6136 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 6137#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6138 ADD_ALL_TESTS(test_srp, 6);
6139#endif
5718fe45 6140 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 6141 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 6142 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 6143 ADD_ALL_TESTS(test_ticket_callbacks, 12);
57d7b988 6144 ADD_ALL_TESTS(test_shutdown, 7);
cd6fe29f 6145 ADD_ALL_TESTS(test_cert_cb, 3);
6e46c065 6146 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 6147 ADD_ALL_TESTS(test_ca_names, 3);
ad887416
P		 6148 return 1;
6149}
2cb4b5f6 6150
ad887416
P		 6151void cleanup_tests(void)
6152{
fa454945 6153 bio_s_mempacket_test_free();
2cb4b5f6 6154}
A mirror of the official openssl repository