]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
KTLS: Handle TLS 1.3 in ssl3_get_record.
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
4333b89f 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
2cb4b5f6 36
20f8bc72 37#include "helpers/ssltestlib.h"
c887104f 38#include "testutil.h"
f297e4ec 39#include "testutil/output.h"
176db6dc 40#include "internal/nelem.h"
fe5d9450 41#include "internal/ktls.h"
706457b7 42#include "../ssl/ssl_local.h"
b0001d0c 43#include "filterprov.h"
2cb4b5f6 44
a763ca11
MC		 45#undef OSSL_NO_USABLE_TLS1_3
46#if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48/*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52# define OSSL_NO_USABLE_TLS1_3
53#endif
54
0c13cdf8
MC		 55/* Defined in tls-provider.c */
56int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
852c2ed2 60
b4250010 61static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 62static OSSL_PROVIDER *defctxnull = NULL;
63
a763ca11 64#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 65
66static SSL_SESSION *clientpsk = NULL;
67static SSL_SESSION *serverpsk = NULL;
68static const char *pskid = "Identity";
69static const char *srvid;
70
71static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76static int use_session_cb_cnt = 0;
77static int find_session_cb_cnt = 0;
78
79static SSL_SESSION *create_a_psk(SSL *ssl);
80#endif
81
1a2a3a42 82static char *certsdir = NULL;
2cb4b5f6
MC		 83static char *cert = NULL;
84static char *privkey = NULL;
b3842539
MC		 85static char *cert2 = NULL;
86static char *privkey2 = NULL;
3105d846
MC		 87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
76fd7a1d
MC		 95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
2cb4b5f6 97
4f6c7044
MC		 98static int is_fips = 0;
99
cffe973c 100#define LOG_BUFFER_SIZE 2048
6acdd3e5 101static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 102static size_t server_log_buffer_index = 0;
6acdd3e5 103static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 104static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 105static int error_writing_log = 0;
106
8f8c11d8 107#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 108static const unsigned char orespder[] = "Dummy OCSP Response";
109static int ocsp_server_called = 0;
110static int ocsp_client_called = 0;
111
112static int cdummyarg = 1;
113static X509 *ocspcert = NULL;
8f8c11d8 114#endif
ba881d3b 115
84d5549e 116#define NUM_EXTRA_CERTS 40
cf72c757 117#define CLIENT_VERSION_LEN 2
84d5549e 118
f1a5939f
CB		 119/*
120 * This structure is used to validate that the correct number of log messages
121 * of various types are emitted when emitting secret logs.
122 */
123struct sslapitest_log_counts {
124 unsigned int rsa_key_exchange_count;
125 unsigned int master_secret_count;
cffe973c 126 unsigned int client_early_secret_count;
f1a5939f
CB		 127 unsigned int client_handshake_secret_count;
128 unsigned int server_handshake_secret_count;
129 unsigned int client_application_secret_count;
130 unsigned int server_application_secret_count;
01a2a654 131 unsigned int early_exporter_secret_count;
6329ce8f 132 unsigned int exporter_secret_count;
f1a5939f
CB		 133};
134
16afd71c
MC		 135
136static unsigned char serverinfov1[] = {
137 0xff, 0xff, /* Dummy extension type */
138 0x00, 0x01, /* Extension length is 1 byte */
139 0xff /* Dummy extension data */
140};
141
142static unsigned char serverinfov2[] = {
143 0x00, 0x00, 0x00,
144 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
145 0xff, 0xff, /* Dummy extension type */
146 0x00, 0x01, /* Extension length is 1 byte */
147 0xff /* Dummy extension data */
148};
149
104a733d
MC		 150static int hostname_cb(SSL *s, int *al, void *arg)
151{
152 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
153
154 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
155 || strcmp(hostname, "altgoodhost") == 0))
156 return SSL_TLSEXT_ERR_OK;
157
158 return SSL_TLSEXT_ERR_NOACK;
159}
160
710756a9
RS		 161static void client_keylog_callback(const SSL *ssl, const char *line)
162{
6acdd3e5
CB		 163 int line_length = strlen(line);
164
165 /* If the log doesn't fit, error out. */
710756a9
RS		 166 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
167 TEST_info("Client log too full");
6acdd3e5
CB		 168 error_writing_log = 1;
169 return;
170 }
171
172 strcat(client_log_buffer, line);
173 client_log_buffer_index += line_length;
710756a9 174 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 175}
176
710756a9
RS		 177static void server_keylog_callback(const SSL *ssl, const char *line)
178{
6acdd3e5
CB		 179 int line_length = strlen(line);
180
181 /* If the log doesn't fit, error out. */
710756a9 182 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 183 TEST_info("Server log too full");
6acdd3e5
CB		 184 error_writing_log = 1;
185 return;
186 }
187
188 strcat(server_log_buffer, line);
189 server_log_buffer_index += line_length;
710756a9 190 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 191}
192
193static int compare_hex_encoded_buffer(const char *hex_encoded,
194 size_t hex_length,
195 const uint8_t *raw,
710756a9
RS		 196 size_t raw_length)
197{
198 size_t i, j;
199 char hexed[3];
6acdd3e5 200
710756a9 201 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 202 return 1;
6acdd3e5 203
710756a9 204 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 205 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 206 if (!TEST_int_eq(hexed[0], hex_encoded[j])
207 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 208 return 1;
6acdd3e5
CB		 209 }
210
211 return 0;
212}
213
214static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 215 const SSL_SESSION *session,
710756a9
RS		 216 struct sslapitest_log_counts *expected)
217{
6acdd3e5
CB		 218 char *token = NULL;
219 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
220 size_t client_random_size = SSL3_RANDOM_SIZE;
221 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
222 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 223 unsigned int rsa_key_exchange_count = 0;
224 unsigned int master_secret_count = 0;
cffe973c 225 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 226 unsigned int client_handshake_secret_count = 0;
227 unsigned int server_handshake_secret_count = 0;
228 unsigned int client_application_secret_count = 0;
229 unsigned int server_application_secret_count = 0;
01a2a654 230 unsigned int early_exporter_secret_count = 0;
6329ce8f 231 unsigned int exporter_secret_count = 0;
6acdd3e5 232
710756a9
RS		 233 for (token = strtok(buffer, " \n"); token != NULL;
234 token = strtok(NULL, " \n")) {
6acdd3e5 235 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 236 /*
237 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 238 * hex-encoded encrypted secret, then the hex-encoded pre-master
239 * secret.
240 */
710756a9 241 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 242 return 0;
710756a9 243 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 244 return 0;
710756a9 245 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 246 return 0;
f1a5939f
CB		 247 /*
248 * We can't sensibly check the log because the premaster secret is
249 * transient, and OpenSSL doesn't keep hold of it once the master
250 * secret is generated.
251 */
252 rsa_key_exchange_count++;
6acdd3e5 253 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 254 /*
255 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 256 * client random, then the hex-encoded master secret.
257 */
258 client_random_size = SSL_get_client_random(ssl,
259 actual_client_random,
260 SSL3_RANDOM_SIZE);
710756a9 261 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 262 return 0;
6acdd3e5 263
710756a9 264 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 265 return 0;
710756a9 266 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 267 return 0;
710756a9
RS		 268 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
269 actual_client_random,
270 client_random_size)))
f1a5939f 271 return 0;
6acdd3e5 272
710756a9 273 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 274 return 0;
6acdd3e5
CB		 275 master_key_size = SSL_SESSION_get_master_key(session,
276 actual_master_key,
277 master_key_size);
710756a9 278 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 279 return 0;
710756a9
RS		 280 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
281 actual_master_key,
282 master_key_size)))
f1a5939f 283 return 0;
f1a5939f 284 master_secret_count++;
cffe973c
PW		 285 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
286 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 287 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
288 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 289 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 290 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 291 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 292 /*
293 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
294 * client random, and then the hex-encoded secret. In this case,
295 * we treat all of these secrets identically and then just
296 * distinguish between them when counting what we saw.
297 */
cffe973c
PW		 298 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
299 client_early_secret_count++;
300 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 301 client_handshake_secret_count++;
302 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
303 server_handshake_secret_count++;
304 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
305 client_application_secret_count++;
306 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
307 server_application_secret_count++;
01a2a654
PW		 308 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
309 early_exporter_secret_count++;
6329ce8f
PW		 310 else if (strcmp(token, "EXPORTER_SECRET") == 0)
311 exporter_secret_count++;
f1a5939f
CB		 312
313 client_random_size = SSL_get_client_random(ssl,
314 actual_client_random,
315 SSL3_RANDOM_SIZE);
710756a9 316 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 317 return 0;
f1a5939f 318
710756a9 319 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 320 return 0;
710756a9 321 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 322 return 0;
710756a9
RS		 323 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
324 actual_client_random,
325 client_random_size)))
f1a5939f 326 return 0;
6acdd3e5 327
710756a9 328 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 329 return 0;
6acdd3e5 330 } else {
710756a9 331 TEST_info("Unexpected token %s\n", token);
f1a5939f 332 return 0;
6acdd3e5 333 }
6acdd3e5
CB		 334 }
335
710756a9
RS		 336 /* Got what we expected? */
337 if (!TEST_size_t_eq(rsa_key_exchange_count,
338 expected->rsa_key_exchange_count)
339 || !TEST_size_t_eq(master_secret_count,
340 expected->master_secret_count)
cffe973c
PW		 341 || !TEST_size_t_eq(client_early_secret_count,
342 expected->client_early_secret_count)
710756a9
RS		 343 || !TEST_size_t_eq(client_handshake_secret_count,
344 expected->client_handshake_secret_count)
345 || !TEST_size_t_eq(server_handshake_secret_count,
346 expected->server_handshake_secret_count)
347 || !TEST_size_t_eq(client_application_secret_count,
348 expected->client_application_secret_count)
349 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 350 expected->server_application_secret_count)
01a2a654
PW		 351 || !TEST_size_t_eq(early_exporter_secret_count,
352 expected->early_exporter_secret_count)
6329ce8f
PW		 353 || !TEST_size_t_eq(exporter_secret_count,
354 expected->exporter_secret_count))
710756a9
RS		 355 return 0;
356 return 1;
6acdd3e5
CB		 357}
358
a763ca11 359#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 360static int test_keylog(void)
361{
6acdd3e5
CB		 362 SSL_CTX *cctx = NULL, *sctx = NULL;
363 SSL *clientssl = NULL, *serverssl = NULL;
364 int testresult = 0;
6fc1e624 365 struct sslapitest_log_counts expected;
6acdd3e5
CB		 366
367 /* Clean up logging space */
6fc1e624 368 memset(&expected, 0, sizeof(expected));
710756a9
RS		 369 memset(client_log_buffer, 0, sizeof(client_log_buffer));
370 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 371 client_log_buffer_index = 0;
372 server_log_buffer_index = 0;
373 error_writing_log = 0;
374
5e30f2fd 375 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 376 TLS_client_method(),
5c587fb6 377 TLS1_VERSION, 0,
710756a9 378 &sctx, &cctx, cert, privkey)))
6acdd3e5 379 return 0;
6acdd3e5
CB		 380
381 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
382 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
383 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
384
f0deb4d3 385 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 386 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 387 goto end;
f0deb4d3 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5 392 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 393 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
394 == client_keylog_callback))
6acdd3e5 395 goto end;
710756a9 396 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 397 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
398 == server_keylog_callback))
6acdd3e5 399 goto end;
6acdd3e5 400
710756a9
RS		 401 /* Now do a handshake and check that the logs have been written to. */
402 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
403 &clientssl, NULL, NULL))
404 || !TEST_true(create_ssl_connection(serverssl, clientssl,
405 SSL_ERROR_NONE))
406 || !TEST_false(error_writing_log)
407 || !TEST_int_gt(client_log_buffer_index, 0)
408 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 413 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 414 * data we expect. For both client and server, we expect to see one master
415 * secret. The client should also see a RSA key exchange.
6acdd3e5 416 */
f1a5939f
CB		 417 expected.rsa_key_exchange_count = 1;
418 expected.master_secret_count = 1;
710756a9
RS		 419 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
420 SSL_get_session(clientssl), &expected)))
6acdd3e5 421 goto end;
f1a5939f
CB		 422
423 expected.rsa_key_exchange_count = 0;
710756a9
RS		 424 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
425 SSL_get_session(serverssl), &expected)))
6acdd3e5 426 goto end;
6acdd3e5
CB		 427
428 testresult = 1;
429
430end:
431 SSL_free(serverssl);
432 SSL_free(clientssl);
433 SSL_CTX_free(sctx);
434 SSL_CTX_free(cctx);
435
436 return testresult;
437}
c423ecaa 438#endif
6acdd3e5 439
a763ca11 440#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 441static int test_keylog_no_master_key(void)
442{
6acdd3e5
CB		 443 SSL_CTX *cctx = NULL, *sctx = NULL;
444 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 445 SSL_SESSION *sess = NULL;
6acdd3e5 446 int testresult = 0;
6fc1e624 447 struct sslapitest_log_counts expected;
cffe973c
PW		 448 unsigned char buf[1];
449 size_t readbytes, written;
6acdd3e5
CB		 450
451 /* Clean up logging space */
6fc1e624 452 memset(&expected, 0, sizeof(expected));
710756a9
RS		 453 memset(client_log_buffer, 0, sizeof(client_log_buffer));
454 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 455 client_log_buffer_index = 0;
456 server_log_buffer_index = 0;
457 error_writing_log = 0;
458
5e30f2fd
MC		 459 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
460 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 461 &sctx, &cctx, cert, privkey))
462 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 463 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 464 return 0;
6acdd3e5 465
cf10df81
RS		 466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
467 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 468 goto end;
6acdd3e5
CB		 469
470 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 471 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
472 == client_keylog_callback))
6acdd3e5 473 goto end;
6acdd3e5 474
710756a9 475 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 476 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
477 == server_keylog_callback))
6acdd3e5 478 goto end;
6acdd3e5 479
710756a9
RS		 480 /* Now do a handshake and check that the logs have been written to. */
481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
482 &clientssl, NULL, NULL))
483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
484 SSL_ERROR_NONE))
485 || !TEST_false(error_writing_log))
6acdd3e5 486 goto end;
6acdd3e5 487
f1a5939f
CB		 488 /*
489 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 490 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 491 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 492 */
f1a5939f
CB		 493 expected.client_handshake_secret_count = 1;
494 expected.server_handshake_secret_count = 1;
495 expected.client_application_secret_count = 1;
496 expected.server_application_secret_count = 1;
6329ce8f 497 expected.exporter_secret_count = 1;
710756a9
RS		 498 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
499 SSL_get_session(clientssl), &expected))
500 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
501 SSL_get_session(serverssl),
502 &expected)))
6acdd3e5 503 goto end;
6acdd3e5 504
cffe973c
PW		 505 /* Terminate old session and resume with early data. */
506 sess = SSL_get1_session(clientssl);
507 SSL_shutdown(clientssl);
508 SSL_shutdown(serverssl);
509 SSL_free(serverssl);
510 SSL_free(clientssl);
511 serverssl = clientssl = NULL;
512
513 /* Reset key log */
514 memset(client_log_buffer, 0, sizeof(client_log_buffer));
515 memset(server_log_buffer, 0, sizeof(server_log_buffer));
516 client_log_buffer_index = 0;
517 server_log_buffer_index = 0;
518
519 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
520 &clientssl, NULL, NULL))
521 || !TEST_true(SSL_set_session(clientssl, sess))
522 /* Here writing 0 length early data is enough. */
523 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
524 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
525 &readbytes),
526 SSL_READ_EARLY_DATA_ERROR)
527 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
528 SSL_EARLY_DATA_ACCEPTED)
529 || !TEST_true(create_ssl_connection(serverssl, clientssl,
530 SSL_ERROR_NONE))
531 || !TEST_true(SSL_session_reused(clientssl)))
532 goto end;
533
534 /* In addition to the previous entries, expect early secrets. */
535 expected.client_early_secret_count = 1;
01a2a654 536 expected.early_exporter_secret_count = 1;
cffe973c
PW		 537 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
538 SSL_get_session(clientssl), &expected))
539 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
540 SSL_get_session(serverssl),
541 &expected)))
542 goto end;
543
6acdd3e5
CB		 544 testresult = 1;
545
546end:
cffe973c 547 SSL_SESSION_free(sess);
6acdd3e5
CB		 548 SSL_free(serverssl);
549 SSL_free(clientssl);
550 SSL_CTX_free(sctx);
551 SSL_CTX_free(cctx);
552
553 return testresult;
554}
555#endif
556
0c3eb279
DDO		 557static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
558{
559 int res = X509_verify_cert(ctx);
dfb39f73
TM		 560 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
561 SSL *ssl;
562
563 /* this should not happen but check anyway */
564 if (idx < 0
565 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
566 return 0;
0c3eb279
DDO		 567
568 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
569 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 570 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
571 return SSL_set_retry_verify(ssl);
572
0c3eb279
DDO		 573 return res;
574}
575
576static int test_client_cert_verify_cb(void)
577{
578 /* server key, cert, chain, and root */
579 char *skey = test_mk_file_path(certsdir, "leaf.key");
580 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
581 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
582 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
583 char *root = test_mk_file_path(certsdir, "rootCA.pem");
584 X509 *crt1 = NULL, *crt2 = NULL;
585 STACK_OF(X509) *server_chain;
586 SSL_CTX *cctx = NULL, *sctx = NULL;
587 SSL *clientssl = NULL, *serverssl = NULL;
588 int testresult = 0;
589
590 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
591 TLS_client_method(), TLS1_VERSION, 0,
592 &sctx, &cctx, NULL, NULL)))
593 goto end;
594 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
595 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
596 SSL_FILETYPE_PEM), 1)
597 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
598 goto end;
599 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
600 goto end;
601 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
602 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
604 &clientssl, NULL, NULL)))
605 goto end;
606
607 /* attempt SSL_connect() with incomplete server chain */
608 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
609 SSL_ERROR_WANT_RETRY_VERIFY)))
610 goto end;
611
612 /* application provides intermediate certs needed to verify server cert */
613 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
614 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
615 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
616 goto end;
617 /* add certs in reverse order to demonstrate real chain building */
618 if (!TEST_true(sk_X509_push(server_chain, crt1)))
619 goto end;
620 crt1 = NULL;
621 if (!TEST_true(sk_X509_push(server_chain, crt2)))
622 goto end;
623 crt2 = NULL;
624
625 /* continue SSL_connect(), must now succeed with completed server chain */
626 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
627 SSL_ERROR_NONE)))
628 goto end;
629
630 testresult = 1;
631
632end:
633 X509_free(crt1);
634 X509_free(crt2);
c38048e7
P		 635 if (clientssl != NULL) {
636 SSL_shutdown(clientssl);
637 SSL_free(clientssl);
638 }
639 if (serverssl != NULL) {
640 SSL_shutdown(serverssl);
641 SSL_free(serverssl);
642 }
0c3eb279
DDO		 643 SSL_CTX_free(sctx);
644 SSL_CTX_free(cctx);
645
646 OPENSSL_free(skey);
647 OPENSSL_free(leaf);
648 OPENSSL_free(int2);
649 OPENSSL_free(int1);
650 OPENSSL_free(root);
651
652 return testresult;
653}
654
4e4ae840
SL		 655static int test_ssl_build_cert_chain(void)
656{
657 int ret = 0;
658 SSL_CTX *ssl_ctx = NULL;
659 SSL *ssl = NULL;
660 char *skey = test_mk_file_path(certsdir, "leaf.key");
661 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
662
663 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
664 goto end;
665 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
666 goto end;
667 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
668 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
669 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
670 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
671 goto end;
672 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
673 | SSL_BUILD_CHAIN_FLAG_CHECK)))
674 goto end;
675 ret = 1;
676end:
677 SSL_free(ssl);
678 SSL_CTX_free(ssl_ctx);
679 OPENSSL_free(leaf_chain);
680 OPENSSL_free(skey);
681 return ret;
682}
683
c7debe81
TM		 684static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
685{
686 static const char pass[] = "testpass";
687
688 if (!TEST_int_eq(size, PEM_BUFSIZE))
689 return -1;
690
691 memcpy(buf, pass, sizeof(pass) - 1);
692 return sizeof(pass) - 1;
693}
694
4e4ae840
SL		 695static int test_ssl_ctx_build_cert_chain(void)
696{
697 int ret = 0;
698 SSL_CTX *ctx = NULL;
c7debe81 699 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 700 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
701
702 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
703 goto end;
c7debe81 704 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 705 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
706 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
707 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
708 SSL_FILETYPE_PEM), 1)
709 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
710 goto end;
711 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
712 | SSL_BUILD_CHAIN_FLAG_CHECK)))
713 goto end;
714 ret = 1;
715end:
716 SSL_CTX_free(ctx);
717 OPENSSL_free(leaf_chain);
718 OPENSSL_free(skey);
719 return ret;
720}
721
e9ee6536 722#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 723static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 724{
725 int *ctr = arg;
726 const unsigned char *p;
8ea404fb 727 int *exts;
2afaee51
BK		 728 /* We only configure two ciphers, but the SCSV is added automatically. */
729#ifdef OPENSSL_NO_EC
730 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
731#else
732 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
733 0x2c, 0x00, 0xff};
734#endif
8ea404fb
BK		 735 const int expected_extensions[] = {
736#ifndef OPENSSL_NO_EC
737 11, 10,
738#endif
10ed1b72 739 35, 22, 23, 13};
2afaee51
BK		 740 size_t len;
741
742 /* Make sure we can defer processing and get called back. */
743 if ((*ctr)++ == 0)
f1b97da1 744 return SSL_CLIENT_HELLO_RETRY;
2afaee51 745
a9c0d8be 746 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 747 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 748 || !TEST_size_t_eq(
749 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 750 || !TEST_int_eq(*p, 0))
f1b97da1 751 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 752 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 753 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 754 if (len != OSSL_NELEM(expected_extensions) ||
755 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 756 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 757 OPENSSL_free(exts);
f1b97da1 758 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 759 }
760 OPENSSL_free(exts);
f1b97da1 761 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 762}
763
a9c0d8be 764static int test_client_hello_cb(void)
710756a9 765{
2afaee51
BK		 766 SSL_CTX *cctx = NULL, *sctx = NULL;
767 SSL *clientssl = NULL, *serverssl = NULL;
768 int testctr = 0, testresult = 0;
769
5e30f2fd
MC		 770 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
771 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 772 &sctx, &cctx, cert, privkey)))
2afaee51 773 goto end;
a9c0d8be 774 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 775
2afaee51
BK		 776 /* The gimpy cipher list we configure can't do TLS 1.3. */
777 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 778
710756a9
RS		 779 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
780 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
781 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
782 &clientssl, NULL, NULL))
783 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 784 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 785 /*
786 * Passing a -1 literal is a hack since
787 * the real value was lost.
788 * */
a9c0d8be
DB		 789 || !TEST_int_eq(SSL_get_error(serverssl, -1),
790 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 791 || !TEST_true(create_ssl_connection(serverssl, clientssl,
792 SSL_ERROR_NONE)))
2afaee51 793 goto end;
2afaee51
BK		 794
795 testresult = 1;
796
088dfa13
TS		 797end:
798 SSL_free(serverssl);
799 SSL_free(clientssl);
800 SSL_CTX_free(sctx);
801 SSL_CTX_free(cctx);
802
803 return testresult;
804}
805
806static int test_no_ems(void)
807{
808 SSL_CTX *cctx = NULL, *sctx = NULL;
809 SSL *clientssl = NULL, *serverssl = NULL;
810 int testresult = 0;
811
5e30f2fd 812 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 813 TLS1_VERSION, TLS1_2_VERSION,
814 &sctx, &cctx, cert, privkey)) {
815 printf("Unable to create SSL_CTX pair\n");
816 goto end;
817 }
818
819 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
820
821 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
822 printf("Unable to create SSL objects\n");
823 goto end;
824 }
825
826 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
827 printf("Creating SSL connection failed\n");
828 goto end;
829 }
830
831 if (SSL_get_extms_support(serverssl)) {
832 printf("Server reports Extended Master Secret support\n");
833 goto end;
834 }
835
836 if (SSL_get_extms_support(clientssl)) {
837 printf("Client reports Extended Master Secret support\n");
838 goto end;
839 }
840 testresult = 1;
841
2afaee51
BK		 842end:
843 SSL_free(serverssl);
844 SSL_free(clientssl);
845 SSL_CTX_free(sctx);
846 SSL_CTX_free(cctx);
847
848 return testresult;
849}
850
3cd14e5e
BK		 851/*
852 * Very focused test to exercise a single case in the server-side state
853 * machine, when the ChangeCipherState message needs to actually change
854 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 855 * encryption to real encryption).
3cd14e5e
BK		 856 */
857static int test_ccs_change_cipher(void)
858{
859 SSL_CTX *cctx = NULL, *sctx = NULL;
860 SSL *clientssl = NULL, *serverssl = NULL;
861 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
862 int testresult = 0;
863 int i;
864 unsigned char buf;
865 size_t readbytes;
866
867 /*
e304aa87 868 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 869 * a different cipher in the second connection.
870 */
5e30f2fd 871 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 872 TLS_client_method(),
873 TLS1_VERSION, TLS1_2_VERSION,
874 &sctx, &cctx, cert, privkey))
875 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
876 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
877 NULL, NULL))
878 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
880 SSL_ERROR_NONE))
881 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
882 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
883 goto end;
884
885 shutdown_ssl_connection(serverssl, clientssl);
886 serverssl = clientssl = NULL;
887
888 /* Resume, preferring a different cipher. Our server will force the
889 * same cipher to be used as the initial handshake. */
890 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
891 NULL, NULL))
892 || !TEST_true(SSL_set_session(clientssl, sess))
893 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
894 || !TEST_true(create_ssl_connection(serverssl, clientssl,
895 SSL_ERROR_NONE))
896 || !TEST_true(SSL_session_reused(clientssl))
897 || !TEST_true(SSL_session_reused(serverssl))
898 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
899 || !TEST_ptr_eq(sesspre, sesspost)
900 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
901 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
902 goto end;
903 shutdown_ssl_connection(serverssl, clientssl);
904 serverssl = clientssl = NULL;
905
906 /*
907 * Now create a fresh connection and try to renegotiate a different
908 * cipher on it.
909 */
b3e6d666
BK		 910 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
911 NULL, NULL))
3cd14e5e
BK		 912 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
913 || !TEST_true(create_ssl_connection(serverssl, clientssl,
914 SSL_ERROR_NONE))
915 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
916 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
917 || !TEST_true(SSL_renegotiate(clientssl))
918 || !TEST_true(SSL_renegotiate_pending(clientssl)))
919 goto end;
920 /* Actually drive the renegotiation. */
921 for (i = 0; i < 3; i++) {
922 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
923 if (!TEST_ulong_eq(readbytes, 0))
924 goto end;
925 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
926 SSL_ERROR_WANT_READ)) {
927 goto end;
928 }
929 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
930 if (!TEST_ulong_eq(readbytes, 0))
931 goto end;
932 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
933 SSL_ERROR_WANT_READ)) {
934 goto end;
935 }
936 }
937 /* sesspre and sesspost should be different since the cipher changed. */
938 if (!TEST_false(SSL_renegotiate_pending(clientssl))
939 || !TEST_false(SSL_session_reused(clientssl))
940 || !TEST_false(SSL_session_reused(serverssl))
941 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
942 || !TEST_ptr_ne(sesspre, sesspost)
943 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
944 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
945 goto end;
946
947 shutdown_ssl_connection(serverssl, clientssl);
948 serverssl = clientssl = NULL;
949
950 testresult = 1;
951
952end:
953 SSL_free(serverssl);
954 SSL_free(clientssl);
955 SSL_CTX_free(sctx);
956 SSL_CTX_free(cctx);
957 SSL_SESSION_free(sess);
958
959 return testresult;
960}
fb121631 961#endif
3cd14e5e 962
84d5549e 963static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 964 const SSL_METHOD *cmeth,
965 int min_version, int max_version,
966 int read_ahead)
84d5549e
MC		 967{
968 SSL_CTX *cctx = NULL, *sctx = NULL;
969 SSL *clientssl = NULL, *serverssl = NULL;
970 int testresult = 0;
971 int i;
710756a9 972 BIO *certbio = NULL;
84d5549e
MC		 973 X509 *chaincert = NULL;
974 int certlen;
975
710756a9 976 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 977 goto end;
6725682d 978
d8652be0 979 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 980 goto end;
981
982 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
983 goto end;
fa454945
MC		 984 BIO_free(certbio);
985 certbio = NULL;
84d5549e 986
5e30f2fd
MC		 987 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
988 max_version, &sctx, &cctx, cert,
989 privkey)))
84d5549e 990 goto end;
84d5549e 991
8ce390e1
MC		 992#ifdef OPENSSL_NO_DTLS1_2
993 if (smeth == DTLS_server_method()) {
994 /*
995 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
996 * level 0
997 */
998 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
999 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1000 "DEFAULT:@SECLEVEL=0")))
1001 goto end;
1002 }
1003#endif
1004
710756a9 1005 if (read_ahead) {
7856332e
MC		 1006 /*
1007 * Test that read_ahead works correctly when dealing with large
1008 * records
1009 */
1010 SSL_CTX_set_read_ahead(cctx, 1);
1011 }
1012
84d5549e
MC		 1013 /*
1014 * We assume the supplied certificate is big enough so that if we add
1015 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1016 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 1017 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1018 * test we need to have a message larger than that.
84d5549e
MC		 1019 */
1020 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1021 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1022 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1023 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1024 if (!X509_up_ref(chaincert))
84d5549e 1025 goto end;
84d5549e 1026 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1027 X509_free(chaincert);
1028 goto end;
1029 }
1030 }
1031
710756a9
RS		 1032 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1033 NULL, NULL))
1034 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1035 SSL_ERROR_NONE)))
84d5549e 1036 goto end;
84d5549e 1037
4bf08600
MC		 1038 /*
1039 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1040 * doesn't leak.
4bf08600 1041 */
710756a9 1042 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1043 goto end;
84d5549e 1044
4bf08600 1045 testresult = 1;
84d5549e 1046 end:
6725682d 1047 BIO_free(certbio);
84d5549e
MC		 1048 X509_free(chaincert);
1049 SSL_free(serverssl);
1050 SSL_free(clientssl);
1051 SSL_CTX_free(sctx);
1052 SSL_CTX_free(cctx);
1053
1054 return testresult;
1055}
1056
da4db160 1057#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1058 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1059/* sock must be connected */
1060static int ktls_chk_platform(int sock)
1061{
1062 if (!ktls_enable(sock))
1063 return 0;
1064 return 1;
1065}
1066
e1fdd526 1067static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1068{
1069 static char count = 1;
1070 unsigned char cbuf[16000] = {0};
1071 unsigned char sbuf[16000];
1072 size_t err = 0;
e1fdd526
JB		 1073 char crec_wseq_before[SEQ_NUM_SIZE];
1074 char crec_wseq_after[SEQ_NUM_SIZE];
1075 char crec_rseq_before[SEQ_NUM_SIZE];
1076 char crec_rseq_after[SEQ_NUM_SIZE];
1077 char srec_wseq_before[SEQ_NUM_SIZE];
1078 char srec_wseq_after[SEQ_NUM_SIZE];
1079 char srec_rseq_before[SEQ_NUM_SIZE];
1080 char srec_rseq_after[SEQ_NUM_SIZE];
fe5d9450
BP		 1081
1082 cbuf[0] = count++;
e1fdd526
JB		 1083 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1084 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1085 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1087
1088 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1089 goto end;
1090
1091 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1092 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1093 goto end;
1094 }
1095 }
1096
1097 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1098 goto end;
1099
1100 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1101 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1102 goto end;
1103 }
1104 }
1105
e1fdd526
JB		 1106 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1107 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1108 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1109 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1110
1111 /* verify the payload */
1112 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1113 goto end;
1114
e1fdd526
JB		 1115 /*
1116 * If ktls is used then kernel sequences are used instead of
1117 * OpenSSL sequences
1118 */
1119 if (!BIO_get_ktls_send(clientssl->wbio)) {
1120 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1121 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1122 goto end;
1123 } else {
e1fdd526
JB		 1124 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1125 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1126 goto end;
1127 }
1128
e1fdd526
JB		 1129 if (!BIO_get_ktls_send(serverssl->wbio)) {
1130 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1131 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1132 goto end;
1133 } else {
e1fdd526
JB		 1134 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1135 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1136 goto end;
1137 }
1138
e1fdd526
JB		 1139 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1140 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1141 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1142 goto end;
1143 } else {
e1fdd526
JB		 1144 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1145 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1146 goto end;
1147 }
1148
e1fdd526
JB		 1149 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1150 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1151 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1152 goto end;
1153 } else {
e1fdd526
JB		 1154 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1155 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1156 goto end;
1157 }
fe5d9450
BP		 1158
1159 return 1;
1160end:
1161 return 0;
1162}
1163
a3a54179 1164static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1165 int tls_version, const char *cipher)
fe5d9450
BP		 1166{
1167 SSL_CTX *cctx = NULL, *sctx = NULL;
1168 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1169 int ktls_used = 0, testresult = 0;
1170 int cfd = -1, sfd = -1;
1171 int rx_supported;
fe5d9450
BP		 1172
1173 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1174 goto end;
1175
1176 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1177 if (!ktls_chk_platform(cfd)) {
1178 testresult = TEST_skip("Kernel does not support KTLS");
1179 goto end;
1180 }
fe5d9450 1181
a5d8a2f8
DB		 1182 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1183 testresult = TEST_skip("CHACHA is not supported in FIPS");
1184 goto end;
1185 }
1186
fe5d9450 1187 /* Create a session based on SHA-256 */
5e30f2fd 1188 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1189 TLS_client_method(),
da4db160 1190 tls_version, tls_version,
e1fdd526
JB		 1191 &sctx, &cctx, cert, privkey)))
1192 goto end;
1193
1194 if (tls_version == TLS1_3_VERSION) {
1195 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1196 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1197 goto end;
1198 } else {
1199 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1200 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1201 goto end;
1202 }
1203
1204 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1205 &clientssl, sfd, cfd)))
fe5d9450
BP		 1206 goto end;
1207
a3a54179
MC		 1208 if (cis_ktls) {
1209 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1210 goto end;
1211 }
1212
a3a54179 1213 if (sis_ktls) {
e1fdd526 1214 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1215 goto end;
1216 }
1217
e1fdd526 1218 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1219 goto end;
1220
e1fdd526
JB		 1221 /*
1222 * The running kernel may not support a given cipher suite
1223 * or direction, so just check that KTLS isn't used when it
1224 * isn't enabled.
1225 */
a3a54179 1226 if (!cis_ktls) {
fe5d9450
BP		 1227 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1228 goto end;
1229 } else {
e1fdd526
JB		 1230 if (BIO_get_ktls_send(clientssl->wbio))
1231 ktls_used = 1;
fe5d9450
BP		 1232 }
1233
a3a54179 1234 if (!sis_ktls) {
fe5d9450
BP		 1235 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1236 goto end;
1237 } else {
e1fdd526
JB		 1238 if (BIO_get_ktls_send(serverssl->wbio))
1239 ktls_used = 1;
fe5d9450
BP		 1240 }
1241
a3a54179 1242#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1243 rx_supported = 0;
1244#else
1245 rx_supported = (tls_version != TLS1_3_VERSION);
a3a54179 1246#endif
e1fdd526 1247 if (!cis_ktls || !rx_supported) {
2fab79af
BP		 1248 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1249 goto end;
1250 } else {
e1fdd526
JB		 1251 if (BIO_get_ktls_send(clientssl->rbio))
1252 ktls_used = 1;
2fab79af
BP		 1253 }
1254
e1fdd526 1255 if (!sis_ktls || !rx_supported) {
2fab79af
BP		 1256 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1257 goto end;
1258 } else {
e1fdd526
JB		 1259 if (BIO_get_ktls_send(serverssl->rbio))
1260 ktls_used = 1;
1261 }
1262
1263 if ((cis_ktls || sis_ktls) && !ktls_used) {
1264 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1265 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1266 "TLS 1.2", cipher);
1267 goto end;
2fab79af
BP		 1268 }
1269
e1fdd526 1270 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1271 goto end;
1272
1273 testresult = 1;
1274end:
1275 if (clientssl) {
1276 SSL_shutdown(clientssl);
1277 SSL_free(clientssl);
1278 }
1279 if (serverssl) {
1280 SSL_shutdown(serverssl);
1281 SSL_free(serverssl);
1282 }
1283 SSL_CTX_free(sctx);
1284 SSL_CTX_free(cctx);
1285 serverssl = clientssl = NULL;
e1fdd526
JB		 1286 if (cfd != -1)
1287 close(cfd);
1288 if (sfd != -1)
1289 close(sfd);
fe5d9450
BP		 1290 return testresult;
1291}
1292
7c3a7561
BP		 1293#define SENDFILE_SZ (16 * 4096)
1294#define SENDFILE_CHUNK (4 * 4096)
1295#define min(a,b) ((a) > (b) ? (b) : (a))
1296
e1fdd526 1297static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1298{
1299 SSL_CTX *cctx = NULL, *sctx = NULL;
1300 SSL *clientssl = NULL, *serverssl = NULL;
1301 unsigned char *buf, *buf_dst;
1302 BIO *out = NULL, *in = NULL;
e1fdd526 1303 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1304 ssize_t chunk_size = 0;
1305 off_t chunk_off = 0;
1306 int testresult = 0;
1307 FILE *ffdp;
1308
1309 buf = OPENSSL_zalloc(SENDFILE_SZ);
1310 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1311 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1312 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1313 goto end;
1314
1315 /* Skip this test if the platform does not support ktls */
1316 if (!ktls_chk_platform(sfd)) {
e1fdd526 1317 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1318 goto end;
1319 }
1320
a5d8a2f8
DB		 1321 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1322 testresult = TEST_skip("CHACHA is not supported in FIPS");
1323 goto end;
1324 }
1325
7c3a7561 1326 /* Create a session based on SHA-256 */
5e30f2fd 1327 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1328 TLS_client_method(),
da4db160 1329 tls_version, tls_version,
e1fdd526
JB		 1330 &sctx, &cctx, cert, privkey)))
1331 goto end;
1332
1333 if (tls_version == TLS1_3_VERSION) {
1334 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1335 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1336 goto end;
1337 } else {
1338 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1339 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1340 goto end;
1341 }
1342
1343 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1344 &clientssl, sfd, cfd)))
1345 goto end;
1346
1347 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1348 goto end;
1349
1350 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1351 SSL_ERROR_NONE)))
7c3a7561
BP		 1352 goto end;
1353
e1fdd526
JB		 1354 if (!BIO_get_ktls_send(serverssl->wbio)) {
1355 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1356 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1357 "TLS 1.2", cipher);
1358 goto end;
1359 }
1360
c9007bda 1361 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1362 goto end;
1363
7c3a7561
BP		 1364 out = BIO_new_file(tmpfilename, "wb");
1365 if (!TEST_ptr(out))
1366 goto end;
1367
1368 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1369 goto end;
1370
1371 BIO_free(out);
1372 out = NULL;
1373 in = BIO_new_file(tmpfilename, "rb");
1374 BIO_get_fp(in, &ffdp);
1375 ffd = fileno(ffdp);
1376
1377 while (chunk_off < SENDFILE_SZ) {
1378 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1379 while ((err = SSL_sendfile(serverssl,
1380 ffd,
1381 chunk_off,
1382 chunk_size,
1383 0)) != chunk_size) {
1384 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1385 goto end;
1386 }
1387 while ((err = SSL_read(clientssl,
1388 buf_dst + chunk_off,
1389 chunk_size)) != chunk_size) {
1390 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1391 goto end;
1392 }
1393
1394 /* verify the payload */
1395 if (!TEST_mem_eq(buf_dst + chunk_off,
1396 chunk_size,
1397 buf + chunk_off,
1398 chunk_size))
1399 goto end;
1400
1401 chunk_off += chunk_size;
1402 }
1403
1404 testresult = 1;
1405end:
1406 if (clientssl) {
1407 SSL_shutdown(clientssl);
1408 SSL_free(clientssl);
1409 }
1410 if (serverssl) {
1411 SSL_shutdown(serverssl);
1412 SSL_free(serverssl);
1413 }
1414 SSL_CTX_free(sctx);
1415 SSL_CTX_free(cctx);
1416 serverssl = clientssl = NULL;
1417 BIO_free(out);
1418 BIO_free(in);
e1fdd526
JB		 1419 if (cfd != -1)
1420 close(cfd);
1421 if (sfd != -1)
1422 close(sfd);
7c3a7561
BP		 1423 OPENSSL_free(buf);
1424 OPENSSL_free(buf_dst);
1425 return testresult;
1426}
1427
e1fdd526
JB		 1428static struct ktls_test_cipher {
1429 int tls_version;
1430 const char *cipher;
1431} ktls_test_ciphers[] = {
1432# if !defined(OPENSSL_NO_TLS1_2)
1433# ifdef OPENSSL_KTLS_AES_GCM_128
1434 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1435# endif
1436# ifdef OPENSSL_KTLS_AES_CCM_128
1437 { TLS1_2_VERSION, "AES128-CCM"},
1438# endif
1439# ifdef OPENSSL_KTLS_AES_GCM_256
1440 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1441# endif
11bac1b4
JB		 1442# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1443 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1444# endif
e1fdd526
JB		 1445# endif
1446# if !defined(OSSL_NO_USABLE_TLS1_3)
1447# ifdef OPENSSL_KTLS_AES_GCM_128
1448 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1449# endif
1450# ifdef OPENSSL_KTLS_AES_CCM_128
1451 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1452# endif
1453# ifdef OPENSSL_KTLS_AES_GCM_256
1454 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1455# endif
11bac1b4
JB		 1456# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1457 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1458# endif
e1fdd526
JB		 1459# endif
1460};
1461
1462#define NUM_KTLS_TEST_CIPHERS \
1463 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1464
da4db160
VF		 1465static int test_ktls(int test)
1466{
e1fdd526 1467 struct ktls_test_cipher *cipher;
a3a54179 1468 int cis_ktls, sis_ktls;
da4db160 1469
2cff17fd 1470 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1471 cipher = &ktls_test_ciphers[test / 4];
da4db160 1472
a3a54179
MC		 1473 cis_ktls = (test & 1) != 0;
1474 sis_ktls = (test & 2) != 0;
cd03b5dc 1475
e1fdd526
JB		 1476 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1477 cipher->cipher);
2fab79af
BP		 1478}
1479
e1fdd526 1480static int test_ktls_sendfile(int tst)
fe5d9450 1481{
e1fdd526 1482 struct ktls_test_cipher *cipher;
da4db160 1483
2cff17fd 1484 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1485 cipher = &ktls_test_ciphers[tst];
da4db160 1486
e1fdd526 1487 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
fe5d9450 1488}
fe5d9450
BP		 1489#endif
1490
84d5549e
MC		 1491static int test_large_message_tls(void)
1492{
7856332e 1493 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1494 TLS1_VERSION, 0, 0);
7856332e
MC		 1495}
1496
1497static int test_large_message_tls_read_ahead(void)
1498{
1499 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1500 TLS1_VERSION, 0, 1);
84d5549e
MC		 1501}
1502
55386bef 1503#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1504static int test_large_message_dtls(void)
1505{
8ce390e1
MC		 1506# ifdef OPENSSL_NO_DTLS1_2
1507 /* Not supported in the FIPS provider */
1508 if (is_fips)
1509 return 1;
1510# endif
7856332e
MC		 1511 /*
1512 * read_ahead is not relevant to DTLS because DTLS always acts as if
1513 * read_ahead is set.
1514 */
84d5549e 1515 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1516 DTLS_client_method(),
5c587fb6 1517 DTLS1_VERSION, 0, 0);
84d5549e 1518}
55386bef 1519#endif
84d5549e 1520
163b8016
ME		 1521static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1522 const SSL_METHOD *cmeth,
1523 int min_version, int max_version)
1524{
1525 size_t i;
1526 SSL_CTX *cctx = NULL, *sctx = NULL;
1527 SSL *clientssl = NULL, *serverssl = NULL;
1528 int testresult = 0;
1529 SSL3_RECORD *rr;
1530 void *zbuf;
1531
1532 static unsigned char cbuf[16000];
1533 static unsigned char sbuf[16000];
1534
1535 if (!TEST_true(create_ssl_ctx_pair(libctx,
1536 smeth, cmeth,
1537 min_version, max_version,
1538 &sctx, &cctx, cert,
1539 privkey)))
1540 goto end;
1541
8ce390e1
MC		 1542#ifdef OPENSSL_NO_DTLS1_2
1543 if (smeth == DTLS_server_method()) {
1544# ifdef OPENSSL_NO_DTLS1_2
1545 /* Not supported in the FIPS provider */
1546 if (is_fips) {
1547 testresult = 1;
1548 goto end;
1549 };
1550# endif
1551 /*
1552 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1553 * level 0
1554 */
1555 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1556 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1557 "DEFAULT:@SECLEVEL=0")))
1558 goto end;
1559 }
1560#endif
1561
163b8016
ME		 1562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1563 NULL, NULL)))
1564 goto end;
1565
1566 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1567 goto end;
1568
1569 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1570 SSL_ERROR_NONE)))
1571 goto end;
1572
1573 for (i = 0; i < sizeof(cbuf); i++) {
1574 cbuf[i] = i & 0xff;
1575 }
1576
1577 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1578 goto end;
1579
1580 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1581 goto end;
1582
1583 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1584 goto end;
1585
1586 /*
1587 * Since we called SSL_peek(), we know the data in the record
1588 * layer is a plaintext record. We can gather the pointer to check
1589 * for zeroization after SSL_read().
1590 */
1591 rr = serverssl->rlayer.rrec;
1592 zbuf = &rr->data[rr->off];
1593 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1594 goto end;
1595
1596 /*
1597 * After SSL_peek() the plaintext must still be stored in the
1598 * record.
1599 */
1600 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1601 goto end;
1602
1603 memset(sbuf, 0, sizeof(sbuf));
1604 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1605 goto end;
1606
1607 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1608 goto end;
1609
1610 /* Check if rbuf is cleansed */
1611 memset(cbuf, 0, sizeof(cbuf));
1612 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1613 goto end;
1614
1615 testresult = 1;
1616 end:
1617 SSL_free(serverssl);
1618 SSL_free(clientssl);
1619 SSL_CTX_free(sctx);
1620 SSL_CTX_free(cctx);
1621
1622 return testresult;
1623}
1624
1625static int test_cleanse_plaintext(void)
1626{
1627#if !defined(OPENSSL_NO_TLS1_2)
1628 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1629 TLS_client_method(),
1630 TLS1_2_VERSION,
1631 TLS1_2_VERSION)))
1632 return 0;
1633
1634#endif
1635
a763ca11 1636#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1637 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1638 TLS_client_method(),
1639 TLS1_3_VERSION,
1640 TLS1_3_VERSION)))
1641 return 0;
1642#endif
1643
1644#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1645
163b8016
ME		 1646 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1647 DTLS_client_method(),
1648 DTLS1_VERSION,
1649 0)))
1650 return 0;
1651#endif
1652 return 1;
1653}
1654
8f8c11d8 1655#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1656static int ocsp_server_cb(SSL *s, void *arg)
1657{
1658 int *argi = (int *)arg;
710756a9 1659 unsigned char *copy = NULL;
ba881d3b
MC		 1660 STACK_OF(OCSP_RESPID) *ids = NULL;
1661 OCSP_RESPID *id = NULL;
1662
1663 if (*argi == 2) {
1664 /* In this test we are expecting exactly 1 OCSP_RESPID */
1665 SSL_get_tlsext_status_ids(s, &ids);
1666 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1667 return SSL_TLSEXT_ERR_ALERT_FATAL;
1668
1669 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1670 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1671 return SSL_TLSEXT_ERR_ALERT_FATAL;
1672 } else if (*argi != 1) {
1673 return SSL_TLSEXT_ERR_ALERT_FATAL;
1674 }
1675
710756a9 1676 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1677 return SSL_TLSEXT_ERR_ALERT_FATAL;
1678
711d5a2f
P		 1679 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1680 sizeof(orespder)))) {
1681 OPENSSL_free(copy);
1682 return SSL_TLSEXT_ERR_ALERT_FATAL;
1683 }
ba881d3b 1684 ocsp_server_called = 1;
ba881d3b
MC		 1685 return SSL_TLSEXT_ERR_OK;
1686}
1687
1688static int ocsp_client_cb(SSL *s, void *arg)
1689{
1690 int *argi = (int *)arg;
1691 const unsigned char *respderin;
1692 size_t len;
1693
1694 if (*argi != 1 && *argi != 2)
1695 return 0;
1696
1697 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1698 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1699 return 0;
1700
1701 ocsp_client_called = 1;
ba881d3b
MC		 1702 return 1;
1703}
1704
2cb4b5f6
MC		 1705static int test_tlsext_status_type(void)
1706{
ba881d3b
MC		 1707 SSL_CTX *cctx = NULL, *sctx = NULL;
1708 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1709 int testresult = 0;
ba881d3b
MC		 1710 STACK_OF(OCSP_RESPID) *ids = NULL;
1711 OCSP_RESPID *id = NULL;
1712 BIO *certbio = NULL;
2cb4b5f6 1713
5e30f2fd 1714 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1715 TLS1_VERSION, 0,
7d7f6834 1716 &sctx, &cctx, cert, privkey))
ba881d3b 1717 return 0;
2cb4b5f6 1718
710756a9 1719 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1720 goto end;
2cb4b5f6 1721
ba881d3b 1722 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1723
ba881d3b 1724 clientssl = SSL_new(cctx);
710756a9
RS		 1725 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1726 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1727 TLSEXT_STATUSTYPE_ocsp))
1728 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1729 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1730 goto end;
2cb4b5f6 1731
ba881d3b
MC		 1732 SSL_free(clientssl);
1733 clientssl = NULL;
2cb4b5f6 1734
710756a9
RS		 1735 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1736 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1737 goto end;
2cb4b5f6 1738
ba881d3b 1739 clientssl = SSL_new(cctx);
710756a9 1740 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1741 goto end;
ba881d3b
MC		 1742 SSL_free(clientssl);
1743 clientssl = NULL;
1744
1745 /*
1746 * Now actually do a handshake and check OCSP information is exchanged and
1747 * the callbacks get called
1748 */
ba881d3b
MC		 1749 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1750 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1751 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1752 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1753 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1754 &clientssl, NULL, NULL))
1755 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1756 SSL_ERROR_NONE))
1757 || !TEST_true(ocsp_client_called)
1758 || !TEST_true(ocsp_server_called))
ba881d3b 1759 goto end;
ba881d3b
MC		 1760 SSL_free(serverssl);
1761 SSL_free(clientssl);
1762 serverssl = NULL;
1763 clientssl = NULL;
1764
1765 /* Try again but this time force the server side callback to fail */
1766 ocsp_client_called = 0;
1767 ocsp_server_called = 0;
1768 cdummyarg = 0;
710756a9
RS		 1769 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1770 &clientssl, NULL, NULL))
1771 /* This should fail because the callback will fail */
1772 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1773 SSL_ERROR_NONE))
1774 || !TEST_false(ocsp_client_called)
1775 || !TEST_false(ocsp_server_called))
ba881d3b 1776 goto end;
ba881d3b
MC		 1777 SSL_free(serverssl);
1778 SSL_free(clientssl);
1779 serverssl = NULL;
1780 clientssl = NULL;
1781
1782 /*
1783 * This time we'll get the client to send an OCSP_RESPID that it will
1784 * accept.
1785 */
1786 ocsp_client_called = 0;
1787 ocsp_server_called = 0;
1788 cdummyarg = 2;
710756a9
RS		 1789 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1790 &clientssl, NULL, NULL)))
ba881d3b 1791 goto end;
ba881d3b
MC		 1792
1793 /*
1794 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1795 * specific one. We'll use the server cert.
ba881d3b 1796 */
710756a9
RS		 1797 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1798 || !TEST_ptr(id = OCSP_RESPID_new())
1799 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1800 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1801 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1802 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1803 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1804 goto end;
ba881d3b
MC		 1805 id = NULL;
1806 SSL_set_tlsext_status_ids(clientssl, ids);
1807 /* Control has been transferred */
1808 ids = NULL;
1809
1810 BIO_free(certbio);
1811 certbio = NULL;
1812
710756a9
RS		 1813 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1814 SSL_ERROR_NONE))
1815 || !TEST_true(ocsp_client_called)
1816 || !TEST_true(ocsp_server_called))
ba881d3b 1817 goto end;
ba881d3b 1818
2cb4b5f6
MC		 1819 testresult = 1;
1820
1821 end:
ba881d3b
MC		 1822 SSL_free(serverssl);
1823 SSL_free(clientssl);
1824 SSL_CTX_free(sctx);
1825 SSL_CTX_free(cctx);
1826 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1827 OCSP_RESPID_free(id);
1828 BIO_free(certbio);
1829 X509_free(ocspcert);
1830 ocspcert = NULL;
2cb4b5f6
MC		 1831
1832 return testresult;
1833}
8f8c11d8 1834#endif
2cb4b5f6 1835
a763ca11 1836#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1837static int new_called, remove_called, get_called;
eaa776da 1838
eaa776da
MC		 1839static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1840{
1841 new_called++;
c0537ebd
MC		 1842 /*
1843 * sess has been up-refed for us, but we don't actually need it so free it
1844 * immediately.
1845 */
1846 SSL_SESSION_free(sess);
eaa776da
MC		 1847 return 1;
1848}
1849
1850static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1851{
1852 remove_called++;
1853}
1854
7a301f08
MC		 1855static SSL_SESSION *get_sess_val = NULL;
1856
1857static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1858 int *copy)
1859{
0afca811 1860 get_called++;
7a301f08
MC		 1861 *copy = 1;
1862 return get_sess_val;
1863}
1864
7a301f08 1865static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1866 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1867{
1868 SSL_CTX *sctx = NULL, *cctx = NULL;
1869 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1870 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1871# ifndef OPENSSL_NO_TLS1_1
eaa776da 1872 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1873# endif
2cb4b5f6 1874 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1875 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1876
7e885b7b
P		 1877 new_called = remove_called = 0;
1878
36ff232c
MC		 1879 /* TLSv1.3 sends 2 NewSessionTickets */
1880 if (maxprot == TLS1_3_VERSION)
1881 numnewsesstick = 2;
1882
5e30f2fd
MC		 1883 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1884 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1885 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1886 return 0;
2cb4b5f6 1887
7a301f08
MC		 1888 /*
1889 * Only allow the max protocol version so we can force a connection failure
1890 * later
1891 */
1892 SSL_CTX_set_min_proto_version(cctx, maxprot);
1893 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1894
1895 /* Set up session cache */
7e885b7b 1896 if (use_ext_cache) {
eaa776da
MC		 1897 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1898 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1899 }
7e885b7b 1900 if (use_int_cache) {
eaa776da
MC		 1901 /* Also covers instance where both are set */
1902 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1903 } else {
1904 SSL_CTX_set_session_cache_mode(cctx,
1905 SSL_SESS_CACHE_CLIENT
1906 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1907 }
2cb4b5f6 1908
90fc2c26
NM		 1909 if (s_options) {
1910 SSL_CTX_set_options(sctx, s_options);
1911 }
1912
710756a9
RS		 1913 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1914 NULL, NULL))
1915 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1916 SSL_ERROR_NONE))
1917 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1918 goto end;
2cb4b5f6 1919
710756a9 1920 /* Should fail because it should already be in the cache */
7e885b7b 1921 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1922 goto end;
7a301f08 1923 if (use_ext_cache
36ff232c
MC		 1924 && (!TEST_int_eq(new_called, numnewsesstick)
1925
1926 || !TEST_int_eq(remove_called, 0)))
b4982125 1927 goto end;
b4982125 1928
c0537ebd
MC		 1929 new_called = remove_called = 0;
1930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1931 &clientssl2, NULL, NULL))
1932 || !TEST_true(SSL_set_session(clientssl2, sess1))
1933 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1934 SSL_ERROR_NONE))
1935 || !TEST_true(SSL_session_reused(clientssl2)))
1936 goto end;
1937
7a301f08
MC		 1938 if (maxprot == TLS1_3_VERSION) {
1939 /*
1940 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1941 * resumed. Since we attempted a resume we should also have removed the
1942 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1943 */
1944 if (use_ext_cache
1945 && (!TEST_int_eq(new_called, 1)
4cb00457 1946 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1947 goto end;
1948 } else {
1949 /*
1950 * In TLSv1.2 we expect to have resumed so no sessions added or
1951 * removed.
1952 */
1953 if (use_ext_cache
1954 && (!TEST_int_eq(new_called, 0)
1955 || !TEST_int_eq(remove_called, 0)))
1956 goto end;
1957 }
c0537ebd
MC		 1958
1959 SSL_SESSION_free(sess1);
1960 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1961 goto end;
1962 shutdown_ssl_connection(serverssl2, clientssl2);
1963 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1964
1965 new_called = remove_called = 0;
710756a9
RS		 1966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1967 &clientssl2, NULL, NULL))
1968 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1969 SSL_ERROR_NONE)))
2cb4b5f6 1970 goto end;
2cb4b5f6 1971
710756a9 1972 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1973 goto end;
2cb4b5f6 1974
7a301f08 1975 if (use_ext_cache
36ff232c
MC		 1976 && (!TEST_int_eq(new_called, numnewsesstick)
1977 || !TEST_int_eq(remove_called, 0)))
eaa776da 1978 goto end;
eaa776da 1979
c0537ebd 1980 new_called = remove_called = 0;
2cb4b5f6 1981 /*
710756a9
RS		 1982 * This should clear sess2 from the cache because it is a "bad" session.
1983 * See SSL_set_session() documentation.
2cb4b5f6 1984 */
710756a9 1985 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1986 goto end;
7a301f08
MC		 1987 if (use_ext_cache
1988 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1989 goto end;
710756a9 1990 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1991 goto end;
2cb4b5f6 1992
7e885b7b 1993 if (use_int_cache) {
710756a9
RS		 1994 /* Should succeeded because it should not already be in the cache */
1995 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1996 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1997 goto end;
eaa776da
MC		 1998 }
1999
c0537ebd 2000 new_called = remove_called = 0;
eaa776da 2001 /* This shouldn't be in the cache so should fail */
710756a9 2002 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2003 goto end;
2cb4b5f6 2004
7a301f08
MC		 2005 if (use_ext_cache
2006 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2007 goto end;
2cb4b5f6 2008
bf208d95 2009# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2010 new_called = remove_called = 0;
eaa776da
MC		 2011 /* Force a connection failure */
2012 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2013 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2014 &clientssl3, NULL, NULL))
2015 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2016 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2017 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2018 SSL_ERROR_NONE)))
eaa776da 2019 goto end;
b4982125 2020
eaa776da 2021 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2022 if (use_ext_cache
2023 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2024 goto end;
2cb4b5f6 2025
710756a9 2026 /* Should succeed because it should not already be in the cache */
7e885b7b 2027 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2028 goto end;
bf208d95 2029# endif
eaa776da 2030
7a301f08
MC		 2031 /* Now do some tests for server side caching */
2032 if (use_ext_cache) {
2033 SSL_CTX_sess_set_new_cb(cctx, NULL);
2034 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2035 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2036 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2037 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2038 get_sess_val = NULL;
2039 }
2040
2041 SSL_CTX_set_session_cache_mode(cctx, 0);
2042 /* Internal caching is the default on the server side */
2043 if (!use_int_cache)
2044 SSL_CTX_set_session_cache_mode(sctx,
2045 SSL_SESS_CACHE_SERVER
2046 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2047
2048 SSL_free(serverssl1);
2049 SSL_free(clientssl1);
2050 serverssl1 = clientssl1 = NULL;
2051 SSL_free(serverssl2);
2052 SSL_free(clientssl2);
2053 serverssl2 = clientssl2 = NULL;
2054 SSL_SESSION_free(sess1);
2055 sess1 = NULL;
2056 SSL_SESSION_free(sess2);
2057 sess2 = NULL;
2058
2059 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2060 if (maxprot == TLS1_2_VERSION)
2061 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2062 new_called = remove_called = get_called = 0;
7a301f08
MC		 2063 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2064 NULL, NULL))
2065 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2066 SSL_ERROR_NONE))
2067 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2068 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2069 goto end;
2070
ee94ec2e
MC		 2071 if (use_int_cache) {
2072 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2073 /*
2074 * In TLSv1.3 it should not have been added to the internal cache,
2075 * except in the case where we also have an external cache (in that
2076 * case it gets added to the cache in order to generate remove
2077 * events after timeout).
2078 */
2079 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2080 goto end;
2081 } else {
2082 /* Should fail because it should already be in the cache */
2083 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2084 goto end;
2085 }
2086 }
7a301f08
MC		 2087
2088 if (use_ext_cache) {
2089 SSL_SESSION *tmp = sess2;
2090
36ff232c 2091 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2092 || !TEST_int_eq(remove_called, 0)
2093 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2094 goto end;
2095 /*
2096 * Delete the session from the internal cache to force a lookup from
2097 * the external cache. We take a copy first because
2098 * SSL_CTX_remove_session() also marks the session as non-resumable.
2099 */
ee94ec2e 2100 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2101 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2102 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2103 goto end;
2104 SSL_SESSION_free(sess2);
2105 }
7a301f08
MC		 2106 sess2 = tmp;
2107 }
2108
0afca811 2109 new_called = remove_called = get_called = 0;
7a301f08
MC		 2110 get_sess_val = sess2;
2111 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2112 &clientssl2, NULL, NULL))
2113 || !TEST_true(SSL_set_session(clientssl2, sess1))
2114 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2115 SSL_ERROR_NONE))
2116 || !TEST_true(SSL_session_reused(clientssl2)))
2117 goto end;
2118
0afca811 2119 if (use_ext_cache) {
32305f88 2120 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2121 goto end;
2122
2123 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2124 if (!TEST_int_eq(new_called, 1)
2125 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2126 goto end;
2127 } else {
32305f88
MC		 2128 if (!TEST_int_eq(new_called, 0)
2129 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2130 goto end;
2131 }
2132 }
7a301f08 2133
2cb4b5f6 2134 testresult = 1;
eaa776da 2135
2cb4b5f6
MC		 2136 end:
2137 SSL_free(serverssl1);
2138 SSL_free(clientssl1);
2139 SSL_free(serverssl2);
2140 SSL_free(clientssl2);
bf208d95 2141# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2142 SSL_free(serverssl3);
2143 SSL_free(clientssl3);
bf208d95 2144# endif
2cb4b5f6
MC		 2145 SSL_SESSION_free(sess1);
2146 SSL_SESSION_free(sess2);
2147 SSL_CTX_free(sctx);
2148 SSL_CTX_free(cctx);
2149
2150 return testresult;
2151}
a763ca11 2152#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2153
7fb4c820
MC		 2154static int test_session_with_only_int_cache(void)
2155{
a763ca11 2156#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2157 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2158 return 0;
2159#endif
2160
2161#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2162 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2163#else
2164 return 1;
2165#endif
eaa776da
MC		 2166}
2167
7fb4c820
MC		 2168static int test_session_with_only_ext_cache(void)
2169{
a763ca11 2170#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2171 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2172 return 0;
2173#endif
2174
2175#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2176 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2177#else
2178 return 1;
2179#endif
eaa776da
MC		 2180}
2181
7fb4c820
MC		 2182static int test_session_with_both_cache(void)
2183{
a763ca11 2184#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2185 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2186 return 0;
2187#endif
2188
2189#ifndef OPENSSL_NO_TLS1_2
2190 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2191#else
2192 return 1;
2193#endif
2194}
2195
2196static int test_session_wo_ca_names(void)
2197{
a763ca11 2198#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2199 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2200 return 0;
2201#endif
2202
2203#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2204 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2205#else
2206 return 1;
2207#endif
eaa776da
MC		 2208}
2209
90fc2c26 2210
a763ca11 2211#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2212static SSL_SESSION *sesscache[6];
2213static int do_cache;
36ff232c
MC		 2214
2215static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2216{
c22365b3
MC		 2217 if (do_cache) {
2218 sesscache[new_called] = sess;
2219 } else {
2220 /* We don't need the reference to the session, so free it */
2221 SSL_SESSION_free(sess);
2222 }
2223 new_called++;
2224
2225 return 1;
2226}
2227
2228static int post_handshake_verify(SSL *sssl, SSL *cssl)
2229{
2230 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2231 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2232 return 0;
2233
2234 /* Start handshake on the server and client */
2235 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2236 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2237 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2238 || !TEST_true(create_ssl_connection(sssl, cssl,
2239 SSL_ERROR_NONE)))
2240 return 0;
36ff232c
MC		 2241
2242 return 1;
2243}
2244
fbe9dafd 2245static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2246 SSL_CTX **cctx)
2247{
2248 int sess_id_ctx = 1;
2249
5e30f2fd
MC		 2250 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2251 TLS_client_method(), TLS1_VERSION, 0,
2252 sctx, cctx, cert, privkey))
03cdf559
MC		 2253 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2254 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2255 (void *)&sess_id_ctx,
2256 sizeof(sess_id_ctx))))
2257 return 0;
2258
2259 if (stateful)
2260 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2261
2262 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2263 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2264 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2265
2266 return 1;
2267}
2268
2269static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2270{
2271 SSL *serverssl = NULL, *clientssl = NULL;
2272 int i;
2273
2274 /* Test that we can resume with all the tickets we got given */
2275 for (i = 0; i < idx * 2; i++) {
2276 new_called = 0;
2277 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2278 &clientssl, NULL, NULL))
2279 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2280 goto end;
2281
32097b33 2282 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2283
2284 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2285 SSL_ERROR_NONE)))
2286 goto end;
2287
2288 /*
2289 * Following a successful resumption we only get 1 ticket. After a
2290 * failed one we should get idx tickets.
2291 */
2292 if (succ) {
2293 if (!TEST_true(SSL_session_reused(clientssl))
2294 || !TEST_int_eq(new_called, 1))
2295 goto end;
2296 } else {
2297 if (!TEST_false(SSL_session_reused(clientssl))
2298 || !TEST_int_eq(new_called, idx))
2299 goto end;
2300 }
2301
2302 new_called = 0;
2303 /* After a post-handshake authentication we should get 1 new ticket */
2304 if (succ
2305 && (!post_handshake_verify(serverssl, clientssl)
2306 || !TEST_int_eq(new_called, 1)))
2307 goto end;
2308
2309 SSL_shutdown(clientssl);
2310 SSL_shutdown(serverssl);
2311 SSL_free(serverssl);
2312 SSL_free(clientssl);
2313 serverssl = clientssl = NULL;
2314 SSL_SESSION_free(sesscache[i]);
2315 sesscache[i] = NULL;
2316 }
2317
2318 return 1;
2319
2320 end:
2321 SSL_free(clientssl);
2322 SSL_free(serverssl);
2323 return 0;
2324}
2325
04d7814a 2326static int test_tickets(int stateful, int idx)
36ff232c
MC		 2327{
2328 SSL_CTX *sctx = NULL, *cctx = NULL;
2329 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2330 int testresult = 0;
36ff232c
MC		 2331 size_t j;
2332
2333 /* idx is the test number, but also the number of tickets we want */
2334
2335 new_called = 0;
c22365b3 2336 do_cache = 1;
36ff232c 2337
fbe9dafd 2338 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2339 goto end;
2340
03cdf559
MC		 2341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2342 &clientssl, NULL, NULL)))
2343 goto end;
2344
2345 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2346 SSL_ERROR_NONE))
2347 /* Check we got the number of tickets we were expecting */
2348 || !TEST_int_eq(idx, new_called))
2349 goto end;
04d7814a 2350
03cdf559
MC		 2351 SSL_shutdown(clientssl);
2352 SSL_shutdown(serverssl);
2353 SSL_free(serverssl);
2354 SSL_free(clientssl);
2355 SSL_CTX_free(sctx);
2356 SSL_CTX_free(cctx);
2357 clientssl = serverssl = NULL;
2358 sctx = cctx = NULL;
2359
2360 /*
2361 * Now we try to resume with the tickets we previously created. The
2362 * resumption attempt is expected to fail (because we're now using a new
2363 * SSL_CTX). We should see idx number of tickets issued again.
2364 */
2365
2366 /* Stop caching sessions - just count them */
2367 do_cache = 0;
2368
fbe9dafd 2369 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2370 goto end;
2371
2372 if (!check_resumption(idx, sctx, cctx, 0))
2373 goto end;
2374
2375 /* Start again with caching sessions */
2376 new_called = 0;
2377 do_cache = 1;
fbe9dafd
MC		 2378 SSL_CTX_free(sctx);
2379 SSL_CTX_free(cctx);
2380 sctx = cctx = NULL;
03cdf559 2381
fbe9dafd 2382 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2383 goto end;
36ff232c
MC		 2384
2385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2386 &clientssl, NULL, NULL)))
2387 goto end;
2388
32097b33 2389 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2390
2391 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2392 SSL_ERROR_NONE))
2393 /* Check we got the number of tickets we were expecting */
2394 || !TEST_int_eq(idx, new_called))
2395 goto end;
2396
2397 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2398 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2399 || !TEST_int_eq(idx * 2, new_called))
2400 goto end;
2401
36ff232c
MC		 2402 SSL_shutdown(clientssl);
2403 SSL_shutdown(serverssl);
2404 SSL_free(serverssl);
2405 SSL_free(clientssl);
2406 serverssl = clientssl = NULL;
2407
c22365b3
MC		 2408 /* Stop caching sessions - just count them */
2409 do_cache = 0;
2410
03cdf559
MC		 2411 /*
2412 * Check we can resume with all the tickets we created. This time around the
2413 * resumptions should all be successful.
2414 */
2415 if (!check_resumption(idx, sctx, cctx, 1))
2416 goto end;
36ff232c
MC		 2417
2418 testresult = 1;
2419
2420 end:
2421 SSL_free(serverssl);
2422 SSL_free(clientssl);
c22365b3 2423 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2424 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2425 sesscache[j] = NULL;
2426 }
36ff232c
MC		 2427 SSL_CTX_free(sctx);
2428 SSL_CTX_free(cctx);
2429
2430 return testresult;
2431}
04d7814a
MC		 2432
2433static int test_stateless_tickets(int idx)
2434{
2435 return test_tickets(0, idx);
2436}
2437
2438static int test_stateful_tickets(int idx)
2439{
2440 return test_tickets(1, idx);
2441}
8614a4eb
MC		 2442
2443static int test_psk_tickets(void)
2444{
2445 SSL_CTX *sctx = NULL, *cctx = NULL;
2446 SSL *serverssl = NULL, *clientssl = NULL;
2447 int testresult = 0;
2448 int sess_id_ctx = 1;
2449
5e30f2fd
MC		 2450 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2451 TLS_client_method(), TLS1_VERSION, 0,
2452 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2453 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2454 (void *)&sess_id_ctx,
2455 sizeof(sess_id_ctx))))
2456 goto end;
2457
2458 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2459 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2460 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2461 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2462 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2463 use_session_cb_cnt = 0;
2464 find_session_cb_cnt = 0;
2465 srvid = pskid;
2466 new_called = 0;
2467
2468 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2469 NULL, NULL)))
2470 goto end;
2471 clientpsk = serverpsk = create_a_psk(clientssl);
2472 if (!TEST_ptr(clientpsk))
2473 goto end;
2474 SSL_SESSION_up_ref(clientpsk);
2475
2476 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2477 SSL_ERROR_NONE))
2478 || !TEST_int_eq(1, find_session_cb_cnt)
2479 || !TEST_int_eq(1, use_session_cb_cnt)
2480 /* We should always get 1 ticket when using external PSK */
2481 || !TEST_int_eq(1, new_called))
2482 goto end;
2483
2484 testresult = 1;
2485
2486 end:
2487 SSL_free(serverssl);
2488 SSL_free(clientssl);
2489 SSL_CTX_free(sctx);
2490 SSL_CTX_free(cctx);
2491 SSL_SESSION_free(clientpsk);
2492 SSL_SESSION_free(serverpsk);
2493 clientpsk = serverpsk = NULL;
2494
2495 return testresult;
2496}
f0049b86
BK		 2497
2498static int test_extra_tickets(int idx)
2499{
2500 SSL_CTX *sctx = NULL, *cctx = NULL;
2501 SSL *serverssl = NULL, *clientssl = NULL;
2502 BIO *bretry = BIO_new(bio_s_always_retry());
2503 BIO *tmp = NULL;
2504 int testresult = 0;
2505 int stateful = 0;
2506 size_t nbytes;
2507 unsigned char c, buf[1];
2508
2509 new_called = 0;
2510 do_cache = 1;
2511
2512 if (idx >= 3) {
2513 idx -= 3;
2514 stateful = 1;
2515 }
2516
2517 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2518 goto end;
2519 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2520 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2521 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2522
2523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2524 &clientssl, NULL, NULL)))
2525 goto end;
2526
2527 /*
2528 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2529 * incremented by both client and server.
2530 */
2531 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2532 SSL_ERROR_NONE))
2533 /* Check we got the number of tickets we were expecting */
2534 || !TEST_int_eq(idx * 2, new_called)
2535 || !TEST_true(SSL_new_session_ticket(serverssl))
2536 || !TEST_true(SSL_new_session_ticket(serverssl))
2537 || !TEST_int_eq(idx * 2, new_called))
2538 goto end;
2539
2540 /* Now try a (real) write to actually send the tickets */
2541 c = '1';
2542 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2543 || !TEST_size_t_eq(1, nbytes)
2544 || !TEST_int_eq(idx * 2 + 2, new_called)
2545 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2546 || !TEST_int_eq(idx * 2 + 4, new_called)
2547 || !TEST_int_eq(sizeof(buf), nbytes)
2548 || !TEST_int_eq(c, buf[0])
2549 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2550 goto end;
2551
2552 /* Try with only requesting one new ticket, too */
2553 c = '2';
2554 new_called = 0;
2555 if (!TEST_true(SSL_new_session_ticket(serverssl))
2556 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2557 || !TEST_size_t_eq(sizeof(c), nbytes)
2558 || !TEST_int_eq(1, new_called)
2559 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2560 || !TEST_int_eq(2, new_called)
2561 || !TEST_size_t_eq(sizeof(buf), nbytes)
2562 || !TEST_int_eq(c, buf[0]))
2563 goto end;
2564
2565 /* Do it again but use dummy writes to drive the ticket generation */
2566 c = '3';
2567 new_called = 0;
2568 if (!TEST_true(SSL_new_session_ticket(serverssl))
2569 || !TEST_true(SSL_new_session_ticket(serverssl))
2570 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2571 || !TEST_size_t_eq(0, nbytes)
2572 || !TEST_int_eq(2, new_called)
2573 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2574 || !TEST_int_eq(4, new_called))
2575 goto end;
2576
a0bbcb42
BK		 2577 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2578 c = '4';
2579 new_called = 0;
2580 if (!TEST_true(SSL_new_session_ticket(serverssl))
2581 || !TEST_true(SSL_new_session_ticket(serverssl))
2582 || !TEST_true(SSL_do_handshake(serverssl))
2583 || !TEST_int_eq(2, new_called)
2584 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2585 || !TEST_int_eq(4, new_called))
2586 goto end;
2587
f0049b86
BK		 2588 /*
2589 * Use the always-retry BIO to exercise the logic that forces ticket
2590 * generation to wait until a record boundary.
2591 */
a0bbcb42 2592 c = '5';
f0049b86
BK		 2593 new_called = 0;
2594 tmp = SSL_get_wbio(serverssl);
2595 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2596 tmp = NULL;
2597 goto end;
2598 }
2599 SSL_set0_wbio(serverssl, bretry);
2600 bretry = NULL;
2601 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2602 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2603 || !TEST_size_t_eq(nbytes, 0))
2604 goto end;
2605 /* Restore a BIO that will let the write succeed */
2606 SSL_set0_wbio(serverssl, tmp);
2607 tmp = NULL;
a0bbcb42
BK		 2608 /*
2609 * These calls should just queue the request and not send anything
2610 * even if we explicitly try to hit the state machine.
2611 */
f0049b86
BK		 2612 if (!TEST_true(SSL_new_session_ticket(serverssl))
2613 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2614 || !TEST_int_eq(0, new_called)
2615 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2616 || !TEST_int_eq(0, new_called))
2617 goto end;
2618 /* Re-do the write; still no tickets sent */
2619 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2620 || !TEST_size_t_eq(1, nbytes)
2621 || !TEST_int_eq(0, new_called)
2622 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2623 || !TEST_int_eq(0, new_called)
2624 || !TEST_int_eq(sizeof(buf), nbytes)
2625 || !TEST_int_eq(c, buf[0])
2626 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2627 goto end;
a0bbcb42
BK		 2628 /* Even trying to hit the state machine now will still not send tickets */
2629 if (!TEST_true(SSL_do_handshake(serverssl))
2630 || !TEST_int_eq(0, new_called))
2631 goto end;
f0049b86 2632 /* Now the *next* write should send the tickets */
a0bbcb42 2633 c = '6';
f0049b86
BK		 2634 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2635 || !TEST_size_t_eq(1, nbytes)
2636 || !TEST_int_eq(2, new_called)
2637 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2638 || !TEST_int_eq(4, new_called)
2639 || !TEST_int_eq(sizeof(buf), nbytes)
2640 || !TEST_int_eq(c, buf[0])
2641 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2642 goto end;
2643
2644 SSL_shutdown(clientssl);
2645 SSL_shutdown(serverssl);
2646 testresult = 1;
2647
2648 end:
2649 BIO_free(bretry);
2650 BIO_free(tmp);
2651 SSL_free(serverssl);
2652 SSL_free(clientssl);
2653 SSL_CTX_free(sctx);
2654 SSL_CTX_free(cctx);
2655 clientssl = serverssl = NULL;
2656 sctx = cctx = NULL;
2657 return testresult;
2658}
04225915 2659#endif
36ff232c 2660
7d4488bb
MC		 2661#define USE_NULL 0
2662#define USE_BIO_1 1
2663#define USE_BIO_2 2
2664#define USE_DEFAULT 3
2665
2666#define CONNTYPE_CONNECTION_SUCCESS 0
2667#define CONNTYPE_CONNECTION_FAIL 1
2668#define CONNTYPE_NO_CONNECTION 2
2669
2670#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2671#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2672#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2673# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2674#else
2675# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2676#endif
2677
7d4488bb
MC		 2678#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2679 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2680 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2681
2682static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2683{
2684 switch (type) {
2685 case USE_NULL:
2686 *res = NULL;
2687 break;
2688 case USE_BIO_1:
2689 *res = bio1;
2690 break;
2691 case USE_BIO_2:
2692 *res = bio2;
2693 break;
2694 }
2695}
2696
7d4488bb
MC		 2697
2698/*
2699 * Tests calls to SSL_set_bio() under various conditions.
2700 *
2701 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2702 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2703 * then do more tests where we create a successful connection first using our
2704 * standard connection setup functions, and then call SSL_set_bio() with
2705 * various combinations of valid BIOs or NULL. We then repeat these tests
2706 * following a failed connection. In this last case we are looking to check that
2707 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2708 */
7fb4c820
MC		 2709static int test_ssl_set_bio(int idx)
2710{
7d4488bb 2711 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2712 BIO *bio1 = NULL;
2713 BIO *bio2 = NULL;
0fae8150 2714 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2715 SSL *serverssl = NULL, *clientssl = NULL;
2716 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2717 int testresult = 0;
2718
7d4488bb
MC		 2719 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2720 initrbio = idx % 3;
2721 idx /= 3;
2722 initwbio = idx % 3;
2723 idx /= 3;
2724 newrbio = idx % 3;
2725 idx /= 3;
2726 newwbio = idx % 3;
2727 conntype = CONNTYPE_NO_CONNECTION;
2728 } else {
2729 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2730 initrbio = initwbio = USE_DEFAULT;
2731 newrbio = idx % 2;
2732 idx /= 2;
2733 newwbio = idx % 2;
2734 idx /= 2;
2735 conntype = idx % 2;
2736 }
710756a9 2737
5e30f2fd
MC		 2738 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2739 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2740 &sctx, &cctx, cert, privkey)))
2741 goto end;
2742
2743 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2744 /*
2745 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2746 * because we reduced the number of tests in the definition of
2747 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2748 * mismatched protocol versions we will force a connection failure.
2749 */
2750 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2751 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2752 }
2753
2754 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2755 NULL, NULL)))
710756a9 2756 goto end;
7fb4c820 2757
710756a9
RS		 2758 if (initrbio == USE_BIO_1
2759 || initwbio == USE_BIO_1
2760 || newrbio == USE_BIO_1
7fb4c820 2761 || newwbio == USE_BIO_1) {
710756a9 2762 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2763 goto end;
7fb4c820
MC		 2764 }
2765
710756a9
RS		 2766 if (initrbio == USE_BIO_2
2767 || initwbio == USE_BIO_2
2768 || newrbio == USE_BIO_2
7fb4c820 2769 || newwbio == USE_BIO_2) {
710756a9 2770 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2771 goto end;
7fb4c820
MC		 2772 }
2773
7d4488bb
MC		 2774 if (initrbio != USE_DEFAULT) {
2775 setupbio(&irbio, bio1, bio2, initrbio);
2776 setupbio(&iwbio, bio1, bio2, initwbio);
2777 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2778
7d4488bb
MC		 2779 /*
2780 * We want to maintain our own refs to these BIO, so do an up ref for
2781 * each BIO that will have ownership transferred in the SSL_set_bio()
2782 * call
2783 */
2784 if (irbio != NULL)
2785 BIO_up_ref(irbio);
2786 if (iwbio != NULL && iwbio != irbio)
2787 BIO_up_ref(iwbio);
2788 }
7fb4c820 2789
7d4488bb
MC		 2790 if (conntype != CONNTYPE_NO_CONNECTION
2791 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2792 SSL_ERROR_NONE)
2793 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2794 goto end;
7fb4c820
MC		 2795
2796 setupbio(&nrbio, bio1, bio2, newrbio);
2797 setupbio(&nwbio, bio1, bio2, newwbio);
2798
2799 /*
2800 * We will (maybe) transfer ownership again so do more up refs.
2801 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2802 * already been set!
2803 */
710756a9
RS		 2804 if (nrbio != NULL
2805 && nrbio != irbio
2806 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2807 BIO_up_ref(nrbio);
710756a9
RS		 2808 if (nwbio != NULL
2809 && nwbio != nrbio
2810 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2811 BIO_up_ref(nwbio);
2812
7d4488bb 2813 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2814
2815 testresult = 1;
2816
2817 end:
7fb4c820
MC		 2818 BIO_free(bio1);
2819 BIO_free(bio2);
710756a9 2820
7fb4c820
MC		 2821 /*
2822 * This test is checking that the ref counting for SSL_set_bio is correct.
2823 * If we get here and we did too many frees then we will fail in the above
742ccab3 2824 * functions.
7fb4c820 2825 */
7d4488bb
MC		 2826 SSL_free(serverssl);
2827 SSL_free(clientssl);
2828 SSL_CTX_free(sctx);
2829 SSL_CTX_free(cctx);
7fb4c820
MC		 2830 return testresult;
2831}
2832
7e885b7b 2833typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2834
7e885b7b 2835static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2836{
2837 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2838 SSL_CTX *ctx;
9a716987
MC		 2839 SSL *ssl = NULL;
2840 int testresult = 0;
2841
d8652be0 2842 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2843 || !TEST_ptr(ssl = SSL_new(ctx))
2844 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2845 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2846 goto end;
9a716987
MC		 2847
2848 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2849
2850 /*
742ccab3 2851 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2852 */
2853 BIO_push(sslbio, membio1);
2854
69687aa8 2855 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2856 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2857 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2858 ssl = NULL;
9a716987 2859 goto end;
493e7898 2860 }
7e885b7b 2861 if (change_bio == CHANGE_RBIO)
65e2d672 2862 SSL_set0_rbio(ssl, membio2);
9a716987 2863 else
65e2d672 2864 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2865 }
2866 ssl = NULL;
2867
7e885b7b 2868 if (pop_ssl)
9a716987
MC		 2869 BIO_pop(sslbio);
2870 else
2871 BIO_pop(membio1);
2872
2873 testresult = 1;
2874 end:
2875 BIO_free(membio1);
2876 BIO_free(sslbio);
2877 SSL_free(ssl);
2878 SSL_CTX_free(ctx);
2879
2880 return testresult;
2881}
2882
2883static int test_ssl_bio_pop_next_bio(void)
2884{
7e885b7b 2885 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2886}
2887
2888static int test_ssl_bio_pop_ssl_bio(void)
2889{
7e885b7b 2890 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2891}
2892
2893static int test_ssl_bio_change_rbio(void)
2894{
7e885b7b 2895 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2896}
2897
2898static int test_ssl_bio_change_wbio(void)
2899{
7e885b7b 2900 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2901}
2902
a763ca11 2903#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2904typedef struct {
2905 /* The list of sig algs */
2906 const int *list;
2907 /* The length of the list */
2908 size_t listlen;
2909 /* A sigalgs list in string format */
2910 const char *liststr;
2911 /* Whether setting the list should succeed */
2912 int valid;
2913 /* Whether creating a connection with the list should succeed */
2914 int connsuccess;
2915} sigalgs_list;
2916
2917static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2918# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2919static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2920static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2921# endif
f1b25aae
MC		 2922static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2923static const int invalidlist2[] = {NID_sha256, NID_undef};
2924static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2925static const int invalidlist4[] = {NID_sha256};
2926static const sigalgs_list testsigalgs[] = {
2927 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2928# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2929 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2930 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2931# endif
f1b25aae 2932 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2933# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2934 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2935 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2936# endif
f1b25aae
MC		 2937 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2938 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2939 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2940 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2941 {NULL, 0, "RSA", 0, 0},
2942 {NULL, 0, "SHA256", 0, 0},
2943 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2944 {NULL, 0, "Invalid", 0, 0}
2945};
f1b25aae
MC		 2946
2947static int test_set_sigalgs(int idx)
2948{
2949 SSL_CTX *cctx = NULL, *sctx = NULL;
2950 SSL *clientssl = NULL, *serverssl = NULL;
2951 int testresult = 0;
2952 const sigalgs_list *curr;
2953 int testctx;
2954
2955 /* Should never happen */
710756a9 2956 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2957 return 0;
2958
2959 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2960 curr = testctx ? &testsigalgs[idx]
2961 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2962
5e30f2fd
MC		 2963 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2964 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2965 &sctx, &cctx, cert, privkey)))
f1b25aae 2966 return 0;
f1b25aae 2967
d2e491f2
MC		 2968 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2969
f1b25aae
MC		 2970 if (testctx) {
2971 int ret;
710756a9 2972
f1b25aae
MC		 2973 if (curr->list != NULL)
2974 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2975 else
2976 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2977
2978 if (!ret) {
2979 if (curr->valid)
710756a9 2980 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2981 else
2982 testresult = 1;
2983 goto end;
2984 }
2985 if (!curr->valid) {
710756a9 2986 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2987 goto end;
2988 }
2989 }
2990
710756a9
RS		 2991 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2992 &clientssl, NULL, NULL)))
f1b25aae 2993 goto end;
f1b25aae
MC		 2994
2995 if (!testctx) {
2996 int ret;
2997
2998 if (curr->list != NULL)
2999 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3000 else
3001 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3002 if (!ret) {
3003 if (curr->valid)
710756a9 3004 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3005 else
3006 testresult = 1;
3007 goto end;
3008 }
710756a9 3009 if (!curr->valid)
f1b25aae 3010 goto end;
f1b25aae
MC		 3011 }
3012
710756a9
RS		 3013 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3014 SSL_ERROR_NONE),
3015 curr->connsuccess))
f1b25aae 3016 goto end;
f1b25aae
MC		 3017
3018 testresult = 1;
3019
3020 end:
3021 SSL_free(serverssl);
3022 SSL_free(clientssl);
3023 SSL_CTX_free(sctx);
3024 SSL_CTX_free(cctx);
3025
3026 return testresult;
3027}
c423ecaa 3028#endif
f1b25aae 3029
a763ca11 3030#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3031static int psk_client_cb_cnt = 0;
3032static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3033
3034static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3035 size_t *idlen, SSL_SESSION **sess)
3036{
3037 switch (++use_session_cb_cnt) {
3038 case 1:
3039 /* The first call should always have a NULL md */
3040 if (md != NULL)
3041 return 0;
3042 break;
3043
3044 case 2:
3045 /* The second call should always have an md */
3046 if (md == NULL)
3047 return 0;
3048 break;
3049
3050 default:
3051 /* We should only be called a maximum of twice */
3052 return 0;
3053 }
3054
57dee9bb
MC		 3055 if (clientpsk != NULL)
3056 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3057
57dee9bb 3058 *sess = clientpsk;
02a3ed5a
MC		 3059 *id = (const unsigned char *)pskid;
3060 *idlen = strlen(pskid);
3061
3062 return 1;
3063}
3064
c2b290c3 3065#ifndef OPENSSL_NO_PSK
532f9578
MC		 3066static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3067 unsigned int max_id_len,
3068 unsigned char *psk,
3069 unsigned int max_psk_len)
3070{
3071 unsigned int psklen = 0;
3072
3073 psk_client_cb_cnt++;
3074
3075 if (strlen(pskid) + 1 > max_id_len)
3076 return 0;
3077
3078 /* We should only ever be called a maximum of twice per connection */
3079 if (psk_client_cb_cnt > 2)
3080 return 0;
3081
3082 if (clientpsk == NULL)
3083 return 0;
3084
3085 /* We'll reuse the PSK we set up for TLSv1.3 */
3086 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3087 return 0;
3088 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3089 strncpy(id, pskid, max_id_len);
3090
3091 return psklen;
3092}
c2b290c3 3093#endif /* OPENSSL_NO_PSK */
532f9578 3094
02a3ed5a
MC		 3095static int find_session_cb(SSL *ssl, const unsigned char *identity,
3096 size_t identity_len, SSL_SESSION **sess)
3097{
3098 find_session_cb_cnt++;
3099
3100 /* We should only ever be called a maximum of twice per connection */
3101 if (find_session_cb_cnt > 2)
3102 return 0;
3103
57dee9bb 3104 if (serverpsk == NULL)
02a3ed5a
MC		 3105 return 0;
3106
3107 /* Identity should match that set by the client */
3108 if (strlen(srvid) != identity_len
3109 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3110 /* No PSK found, continue but without a PSK */
3111 *sess = NULL;
3112 return 1;
3113 }
3114
57dee9bb
MC		 3115 SSL_SESSION_up_ref(serverpsk);
3116 *sess = serverpsk;
02a3ed5a
MC		 3117
3118 return 1;
3119}
3120
c2b290c3 3121#ifndef OPENSSL_NO_PSK
532f9578
MC		 3122static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3123 unsigned char *psk, unsigned int max_psk_len)
3124{
3125 unsigned int psklen = 0;
3126
3127 psk_server_cb_cnt++;
3128
3129 /* We should only ever be called a maximum of twice per connection */
3130 if (find_session_cb_cnt > 2)
3131 return 0;
3132
3133 if (serverpsk == NULL)
3134 return 0;
3135
3136 /* Identity should match that set by the client */
3137 if (strcmp(srvid, identity) != 0) {
3138 return 0;
3139 }
3140
3141 /* We'll reuse the PSK we set up for TLSv1.3 */
3142 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3143 return 0;
3144 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3145
3146 return psklen;
3147}
c2b290c3 3148#endif /* OPENSSL_NO_PSK */
532f9578 3149
5f982038
MC		 3150#define MSG1 "Hello"
3151#define MSG2 "World."
3152#define MSG3 "This"
3153#define MSG4 "is"
3154#define MSG5 "a"
90049cea
MC		 3155#define MSG6 "test"
3156#define MSG7 "message."
5f982038 3157
532f9578 3158#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3159#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3160#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3161#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3162#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3163
8614a4eb
MC		 3164
3165static SSL_SESSION *create_a_psk(SSL *ssl)
3166{
3167 const SSL_CIPHER *cipher = NULL;
3168 const unsigned char key[] = {
3169 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3170 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3171 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3172 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3173 0x2c, 0x2d, 0x2e, 0x2f
3174 };
3175 SSL_SESSION *sess = NULL;
3176
3177 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3178 sess = SSL_SESSION_new();
3179 if (!TEST_ptr(sess)
3180 || !TEST_ptr(cipher)
3181 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3182 sizeof(key)))
3183 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3184 || !TEST_true(
3185 SSL_SESSION_set_protocol_version(sess,
3186 TLS1_3_VERSION))) {
3187 SSL_SESSION_free(sess);
3188 return NULL;
3189 }
3190 return sess;
3191}
3192
5f982038
MC		 3193/*
3194 * Helper method to setup objects for early data test. Caller frees objects on
3195 * error.
3196 */
3197static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3198 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3199{
5a421415 3200 if (*sctx == NULL
5e30f2fd 3201 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3202 TLS_client_method(),
5c587fb6 3203 TLS1_VERSION, 0,
5a421415
MC		 3204 sctx, cctx, cert, privkey)))
3205 return 0;
3206
3207 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3208 return 0;
5f982038 3209
02a3ed5a
MC		 3210 if (idx == 1) {
3211 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3212 SSL_CTX_set_read_ahead(*cctx, 1);
3213 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3214 } else if (idx == 2) {
3215 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3216 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3217 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3218 use_session_cb_cnt = 0;
3219 find_session_cb_cnt = 0;
3220 srvid = pskid;
3cb47b4e
MC		 3221 }
3222
710756a9 3223 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3224 NULL, NULL)))
3225 return 0;
3226
141e4709
MC		 3227 /*
3228 * For one of the run throughs (doesn't matter which one), we'll try sending
3229 * some SNI data in the initial ClientHello. This will be ignored (because
3230 * there is no SNI cb set up by the server), so it should not impact
3231 * early_data.
3232 */
3233 if (idx == 1
3234 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3235 return 0;
3236
02a3ed5a 3237 if (idx == 2) {
8614a4eb 3238 clientpsk = create_a_psk(*clientssl);
57dee9bb 3239 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3240 /*
3241 * We just choose an arbitrary value for max_early_data which
3242 * should be big enough for testing purposes.
3243 */
57dee9bb
MC		 3244 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3245 0x100))
3246 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3247 SSL_SESSION_free(clientpsk);
3248 clientpsk = NULL;
02a3ed5a
MC		 3249 return 0;
3250 }
57dee9bb 3251 serverpsk = clientpsk;
02a3ed5a 3252
c20e3b28
MC		 3253 if (sess != NULL) {
3254 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3255 SSL_SESSION_free(clientpsk);
3256 SSL_SESSION_free(serverpsk);
3257 clientpsk = serverpsk = NULL;
3258 return 0;
3259 }
57dee9bb 3260 *sess = clientpsk;
c20e3b28 3261 }
02a3ed5a
MC		 3262 return 1;
3263 }
3264
3265 if (sess == NULL)
3266 return 1;
3267
3268 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3269 SSL_ERROR_NONE)))
5f982038 3270 return 0;
5f982038
MC		 3271
3272 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3273 SSL_shutdown(*clientssl);
3274 SSL_shutdown(*serverssl);
5f982038
MC		 3275 SSL_free(*serverssl);
3276 SSL_free(*clientssl);
3277 *serverssl = *clientssl = NULL;
3278
710756a9
RS		 3279 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3280 clientssl, NULL, NULL))
3281 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3282 return 0;
5f982038
MC		 3283
3284 return 1;
3285}
3286
3cb47b4e 3287static int test_early_data_read_write(int idx)
5f982038
MC		 3288{
3289 SSL_CTX *cctx = NULL, *sctx = NULL;
3290 SSL *clientssl = NULL, *serverssl = NULL;
3291 int testresult = 0;
3292 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3293 unsigned char buf[20], data[1024];
3294 size_t readbytes, written, eoedlen, rawread, rawwritten;
3295 BIO *rbio;
5f982038 3296
710756a9
RS		 3297 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3298 &serverssl, &sess, idx)))
5f982038
MC		 3299 goto end;
3300
3301 /* Write and read some early data */
710756a9
RS		 3302 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3303 &written))
3304 || !TEST_size_t_eq(written, strlen(MSG1))
3305 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3306 sizeof(buf), &readbytes),
3307 SSL_READ_EARLY_DATA_SUCCESS)
3308 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3309 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3310 SSL_EARLY_DATA_ACCEPTED))
5f982038 3311 goto end;
5f982038
MC		 3312
3313 /*
09f28874 3314 * Server should be able to write data, and client should be able to
5f982038
MC		 3315 * read it.
3316 */
710756a9
RS		 3317 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3318 &written))
3319 || !TEST_size_t_eq(written, strlen(MSG2))
3320 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3321 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3322 goto end;
5f982038
MC		 3323
3324 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3325 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3326 &written))
3327 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3328 goto end;
5f982038 3329
09f28874 3330 /* Server should still be able read early data after writing data */
710756a9
RS		 3331 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3332 &readbytes),
3333 SSL_READ_EARLY_DATA_SUCCESS)
3334 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3335 goto end;
5f982038 3336
09f28874 3337 /* Write more data from server and read it from client */
710756a9
RS		 3338 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3339 &written))
3340 || !TEST_size_t_eq(written, strlen(MSG4))
3341 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3342 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3343 goto end;
5f982038
MC		 3344
3345 /*
3346 * If client writes normal data it should mean writing early data is no
3347 * longer possible.
3348 */
710756a9
RS		 3349 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3350 || !TEST_size_t_eq(written, strlen(MSG5))
3351 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3352 SSL_EARLY_DATA_ACCEPTED))
5f982038 3353 goto end;
5f982038 3354
9b5c865d
MC		 3355 /*
3356 * At this point the client has written EndOfEarlyData, ClientFinished and
3357 * normal (fully protected) data. We are going to cause a delay between the
3358 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3359 * in the read BIO, and then just put back the EndOfEarlyData message.
3360 */
3361 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3362 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3363 || !TEST_size_t_lt(rawread, sizeof(data))
3364 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3365 goto end;
710756a9 3366
9b5c865d
MC		 3367 /* Record length is in the 4th and 5th bytes of the record header */
3368 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3369 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3370 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3371 goto end;
9b5c865d 3372
5f982038 3373 /* Server should be told that there is no more early data */
710756a9
RS		 3374 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3375 &readbytes),
3376 SSL_READ_EARLY_DATA_FINISH)
3377 || !TEST_size_t_eq(readbytes, 0))
5f982038 3378 goto end;
5f982038 3379
9b5c865d
MC		 3380 /*
3381 * Server has not finished init yet, so should still be able to write early
3382 * data.
3383 */
710756a9
RS		 3384 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3385 &written))
3386 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3387 goto end;
9b5c865d 3388
f8a303fa 3389 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3390 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3391 &rawwritten))
3392 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3393 goto end;
f8a303fa 3394
5f982038 3395 /* Server should be able to read normal data */
710756a9
RS		 3396 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3397 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3398 goto end;
5f982038 3399
09f28874 3400 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3401 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3402 &written)))
5f982038 3403 goto end;
5f982038 3404 ERR_clear_error();
710756a9
RS		 3405 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3406 &readbytes),
3407 SSL_READ_EARLY_DATA_ERROR))
5f982038 3408 goto end;
5f982038
MC		 3409 ERR_clear_error();
3410
9b5c865d 3411 /* Client should be able to read the data sent by the server */
710756a9
RS		 3412 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3413 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3414 goto end;
710756a9 3415
f8a303fa 3416 /*
36ff232c
MC		 3417 * Make sure we process the two NewSessionTickets. These arrive
3418 * post-handshake. We attempt reads which we do not expect to return any
3419 * data.
f8a303fa 3420 */
36ff232c
MC		 3421 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3422 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3423 &readbytes)))
f8a303fa 3424 goto end;
5f982038 3425
90049cea 3426 /* Server should be able to write normal data */
710756a9
RS		 3427 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3428 || !TEST_size_t_eq(written, strlen(MSG7))
3429 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3430 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3431 goto end;
90049cea 3432
c20e3b28 3433 SSL_SESSION_free(sess);
5f982038 3434 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3435 use_session_cb_cnt = 0;
3436 find_session_cb_cnt = 0;
5f982038
MC		 3437
3438 SSL_shutdown(clientssl);
3439 SSL_shutdown(serverssl);
5f982038
MC		 3440 SSL_free(serverssl);
3441 SSL_free(clientssl);
3442 serverssl = clientssl = NULL;
710756a9
RS		 3443 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3444 &clientssl, NULL, NULL))
3445 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3446 goto end;
5f982038
MC		 3447
3448 /* Write and read some early data */
710756a9
RS		 3449 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3450 &written))
3451 || !TEST_size_t_eq(written, strlen(MSG1))
3452 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3453 &readbytes),
3454 SSL_READ_EARLY_DATA_SUCCESS)
3455 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3456 goto end;
5f982038 3457
710756a9
RS		 3458 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3459 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3460 goto end;
5f982038 3461
09f28874 3462 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3463 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3464 &written)))
5f982038 3465 goto end;
5f982038 3466 ERR_clear_error();
710756a9
RS		 3467 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3468 &readbytes),
3469 SSL_READ_EARLY_DATA_ERROR))
5f982038 3470 goto end;
5f982038
MC		 3471 ERR_clear_error();
3472
3473 /* Client and server should be able to write/read normal data */
710756a9
RS		 3474 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3475 || !TEST_size_t_eq(written, strlen(MSG5))
3476 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3477 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3478 goto end;
5f982038
MC		 3479
3480 testresult = 1;
3481
3482 end:
c20e3b28 3483 SSL_SESSION_free(sess);
57dee9bb
MC		 3484 SSL_SESSION_free(clientpsk);
3485 SSL_SESSION_free(serverpsk);
3486 clientpsk = serverpsk = NULL;
5f982038
MC		 3487 SSL_free(serverssl);
3488 SSL_free(clientssl);
3489 SSL_CTX_free(sctx);
3490 SSL_CTX_free(cctx);
5f982038
MC		 3491 return testresult;
3492}
3493
5a421415
MC		 3494static int allow_ed_cb_called = 0;
3495
3496static int allow_early_data_cb(SSL *s, void *arg)
3497{
3498 int *usecb = (int *)arg;
3499
3500 allow_ed_cb_called++;
3501
3502 if (*usecb == 1)
3503 return 0;
3504
3505 return 1;
3506}
3507
3508/*
3509 * idx == 0: Standard early_data setup
3510 * idx == 1: early_data setup using read_ahead
3511 * usecb == 0: Don't use a custom early data callback
3512 * usecb == 1: Use a custom early data callback and reject the early data
3513 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3514 * confopt == 0: Configure anti-replay directly
3515 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3516 */
3bb5e5b0 3517static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3518{
3519 SSL_CTX *cctx = NULL, *sctx = NULL;
3520 SSL *clientssl = NULL, *serverssl = NULL;
3521 int testresult = 0;
3522 SSL_SESSION *sess = NULL;
5a421415
MC		 3523 size_t readbytes, written;
3524 unsigned char buf[20];
3525
3526 allow_ed_cb_called = 0;
3527
5e30f2fd
MC		 3528 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3529 TLS_client_method(), TLS1_VERSION, 0,
3530 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3531 return 0;
3532
3533 if (usecb > 0) {
3bb5e5b0
MC		 3534 if (confopt == 0) {
3535 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3536 } else {
3537 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3538
3539 if (!TEST_ptr(confctx))
3540 goto end;
3541 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3542 | SSL_CONF_FLAG_SERVER);
3543 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3544 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3545 2)) {
3546 SSL_CONF_CTX_free(confctx);
3547 goto end;
3548 }
3549 SSL_CONF_CTX_free(confctx);
3550 }
5a421415
MC		 3551 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3552 }
78fb5374
MC		 3553
3554 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3555 &serverssl, &sess, idx)))
3556 goto end;
3557
3558 /*
3559 * The server is configured to accept early data. Create a connection to
3560 * "use up" the ticket
3561 */
3562 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3563 || !TEST_true(SSL_session_reused(clientssl)))
3564 goto end;
3565
3566 SSL_shutdown(clientssl);
3567 SSL_shutdown(serverssl);
3568 SSL_free(serverssl);
3569 SSL_free(clientssl);
3570 serverssl = clientssl = NULL;
3571
3572 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3573 &clientssl, NULL, NULL))
5a421415
MC		 3574 || !TEST_true(SSL_set_session(clientssl, sess)))
3575 goto end;
3576
3577 /* Write and read some early data */
3578 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3579 &written))
3580 || !TEST_size_t_eq(written, strlen(MSG1)))
3581 goto end;
3582
3583 if (usecb <= 1) {
3584 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3585 &readbytes),
3586 SSL_READ_EARLY_DATA_FINISH)
3587 /*
3588 * The ticket was reused, so the we should have rejected the
3589 * early data
3590 */
3591 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3592 SSL_EARLY_DATA_REJECTED))
3593 goto end;
3594 } else {
3595 /* In this case the callback decides to accept the early data */
3596 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3597 &readbytes),
3598 SSL_READ_EARLY_DATA_SUCCESS)
3599 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3600 /*
3601 * Server will have sent its flight so client can now send
3602 * end of early data and complete its half of the handshake
3603 */
3604 || !TEST_int_gt(SSL_connect(clientssl), 0)
3605 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3606 &readbytes),
3607 SSL_READ_EARLY_DATA_FINISH)
3608 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3609 SSL_EARLY_DATA_ACCEPTED))
3610 goto end;
3611 }
3612
3613 /* Complete the connection */
3614 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3615 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3616 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3617 goto end;
3618
3619 testresult = 1;
3620
3621 end:
c20e3b28 3622 SSL_SESSION_free(sess);
78fb5374
MC		 3623 SSL_SESSION_free(clientpsk);
3624 SSL_SESSION_free(serverpsk);
3625 clientpsk = serverpsk = NULL;
3626 SSL_free(serverssl);
3627 SSL_free(clientssl);
3628 SSL_CTX_free(sctx);
3629 SSL_CTX_free(cctx);
3630 return testresult;
3631}
3632
5a421415
MC		 3633static int test_early_data_replay(int idx)
3634{
3bb5e5b0 3635 int ret = 1, usecb, confopt;
5a421415 3636
3bb5e5b0
MC		 3637 for (usecb = 0; usecb < 3; usecb++) {
3638 for (confopt = 0; confopt < 2; confopt++)
3639 ret &= test_early_data_replay_int(idx, usecb, confopt);
3640 }
5a421415
MC		 3641
3642 return ret;
3643}
3644
710756a9 3645/*
6b84e6bf
MC		 3646 * Helper function to test that a server attempting to read early data can
3647 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3648 * testtype: 0 == No HRR
3649 * testtype: 1 == HRR
0efa0ba4
MC		 3650 * testtype: 2 == HRR, invalid early_data sent after HRR
3651 * testtype: 3 == recv_max_early_data set to 0
710756a9 3652 */
0d1b7789 3653static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3654{
3655 SSL_CTX *cctx = NULL, *sctx = NULL;
3656 SSL *clientssl = NULL, *serverssl = NULL;
3657 int testresult = 0;
018fcbec 3658 SSL_SESSION *sess = NULL;
5f982038
MC		 3659 unsigned char buf[20];
3660 size_t readbytes, written;
3661
710756a9
RS		 3662 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3663 &serverssl, &sess, idx)))
5f982038
MC		 3664 goto end;
3665
0efa0ba4 3666 if (testtype == 1 || testtype == 2) {
6b84e6bf 3667 /* Force an HRR to occur */
dbc6268f
MC		 3668#if defined(OPENSSL_NO_EC)
3669 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3670 goto end;
3671#else
6b84e6bf
MC		 3672 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3673 goto end;
dbc6268f 3674#endif
02a3ed5a
MC		 3675 } else if (idx == 2) {
3676 /*
3677 * We force early_data rejection by ensuring the PSK identity is
3678 * unrecognised
3679 */
3680 srvid = "Dummy Identity";
6b84e6bf
MC		 3681 } else {
3682 /*
3683 * Deliberately corrupt the creation time. We take 20 seconds off the
3684 * time. It could be any value as long as it is not within tolerance.
3685 * This should mean the ticket is rejected.
3686 */
5d99881e 3687 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3688 goto end;
3689 }
5f982038 3690
0efa0ba4 3691 if (testtype == 3
0d1b7789
MC		 3692 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3693 goto end;
3694
5f982038 3695 /* Write some early data */
710756a9
RS		 3696 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3697 &written))
3698 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3699 goto end;
5f982038 3700
0d1b7789 3701 /* Server should reject the early data */
710756a9
RS		 3702 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3703 &readbytes),
3704 SSL_READ_EARLY_DATA_FINISH)
3705 || !TEST_size_t_eq(readbytes, 0)
3706 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3707 SSL_EARLY_DATA_REJECTED))
5f982038 3708 goto end;
5f982038 3709
0efa0ba4
MC		 3710 switch (testtype) {
3711 case 0:
3712 /* Nothing to do */
3713 break;
3714
3715 case 1:
6b84e6bf
MC		 3716 /*
3717 * Finish off the handshake. We perform the same writes and reads as
3718 * further down but we expect them to fail due to the incomplete
3719 * handshake.
3720 */
3721 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3722 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3723 &readbytes)))
3724 goto end;
0efa0ba4
MC		 3725 break;
3726
3727 case 2:
3728 {
3729 BIO *wbio = SSL_get_wbio(clientssl);
3730 /* A record that will appear as bad early_data */
3731 const unsigned char bad_early_data[] = {
3732 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3733 };
3734
3735 /*
3736 * We force the client to attempt a write. This will fail because
3737 * we're still in the handshake. It will cause the second
3738 * ClientHello to be sent.
3739 */
3740 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3741 &written)))
3742 goto end;
3743
3744 /*
3745 * Inject some early_data after the second ClientHello. This should
3746 * cause the server to fail
3747 */
3748 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3749 sizeof(bad_early_data), &written)))
3750 goto end;
3751 }
3752 /* fallthrough */
3753
3754 case 3:
0d1b7789 3755 /*
0efa0ba4
MC		 3756 * This client has sent more early_data than we are willing to skip
3757 * (case 3) or sent invalid early_data (case 2) so the connection should
3758 * abort.
0d1b7789
MC		 3759 */
3760 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3761 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3762 goto end;
3763
3764 /* Connection has failed - nothing more to do */
3765 testresult = 1;
3766 goto end;
0efa0ba4
MC		 3767
3768 default:
3769 TEST_error("Invalid test type");
3770 goto end;
6b84e6bf
MC		 3771 }
3772
0d1b7789
MC		 3773 /*
3774 * Should be able to send normal data despite rejection of early data. The
3775 * early_data should be skipped.
3776 */
710756a9
RS		 3777 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3778 || !TEST_size_t_eq(written, strlen(MSG2))
3779 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3780 SSL_EARLY_DATA_REJECTED)
3781 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3782 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3783 goto end;
5f982038
MC		 3784
3785 testresult = 1;
3786
3787 end:
c20e3b28 3788 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3789 SSL_SESSION_free(serverpsk);
3790 clientpsk = serverpsk = NULL;
5f982038
MC		 3791 SSL_SESSION_free(sess);
3792 SSL_free(serverssl);
3793 SSL_free(clientssl);
3794 SSL_CTX_free(sctx);
3795 SSL_CTX_free(cctx);
5f982038
MC		 3796 return testresult;
3797}
3798
6b84e6bf
MC		 3799/*
3800 * Test that a server attempting to read early data can handle a connection
3801 * from a client where the early data is not acceptable.
3802 */
3803static int test_early_data_skip(int idx)
3804{
3805 return early_data_skip_helper(0, idx);
3806}
3807
3808/*
3809 * Test that a server attempting to read early data can handle a connection
3810 * from a client where an HRR occurs.
3811 */
3812static int test_early_data_skip_hrr(int idx)
3813{
3814 return early_data_skip_helper(1, idx);
3815}
3816
0efa0ba4
MC		 3817/*
3818 * Test that a server attempting to read early data can handle a connection
3819 * from a client where an HRR occurs and correctly fails if early_data is sent
3820 * after the HRR
3821 */
3822static int test_early_data_skip_hrr_fail(int idx)
3823{
3824 return early_data_skip_helper(2, idx);
3825}
3826
0d1b7789
MC		 3827/*
3828 * Test that a server attempting to read early data will abort if it tries to
3829 * skip over too much.
3830 */
3831static int test_early_data_skip_abort(int idx)
3832{
0efa0ba4 3833 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3834}
3835
710756a9
RS		 3836/*
3837 * Test that a server attempting to read early data can handle a connection
3838 * from a client that doesn't send any.
3839 */
3cb47b4e 3840static int test_early_data_not_sent(int idx)
5f982038
MC		 3841{
3842 SSL_CTX *cctx = NULL, *sctx = NULL;
3843 SSL *clientssl = NULL, *serverssl = NULL;
3844 int testresult = 0;
018fcbec 3845 SSL_SESSION *sess = NULL;
5f982038
MC		 3846 unsigned char buf[20];
3847 size_t readbytes, written;
3848
710756a9
RS		 3849 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3850 &serverssl, &sess, idx)))
5f982038
MC		 3851 goto end;
3852
3853 /* Write some data - should block due to handshake with server */
3854 SSL_set_connect_state(clientssl);
710756a9 3855 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3856 goto end;
5f982038
MC		 3857
3858 /* Server should detect that early data has not been sent */
710756a9
RS		 3859 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3860 &readbytes),
3861 SSL_READ_EARLY_DATA_FINISH)
3862 || !TEST_size_t_eq(readbytes, 0)
3863 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3864 SSL_EARLY_DATA_NOT_SENT)
3865 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3866 SSL_EARLY_DATA_NOT_SENT))
5f982038 3867 goto end;
5f982038
MC		 3868
3869 /* Continue writing the message we started earlier */
710756a9
RS		 3870 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3871 || !TEST_size_t_eq(written, strlen(MSG1))
3872 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3873 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3874 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3875 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3876 goto end;
5f982038 3877
710756a9
RS		 3878 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3879 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3880 goto end;
5f982038
MC		 3881
3882 testresult = 1;
3883
3884 end:
5f982038 3885 SSL_SESSION_free(sess);
c20e3b28 3886 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3887 SSL_SESSION_free(serverpsk);
3888 clientpsk = serverpsk = NULL;
5f982038
MC		 3889 SSL_free(serverssl);
3890 SSL_free(clientssl);
3891 SSL_CTX_free(sctx);
3892 SSL_CTX_free(cctx);
5f982038
MC		 3893 return testresult;
3894}
3895
976e5323
MC		 3896static const char *servalpn;
3897
c7558d5b
PY		 3898static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3899 unsigned char *outlen, const unsigned char *in,
3900 unsigned int inlen, void *arg)
976e5323 3901{
c7558d5b 3902 unsigned int protlen = 0;
976e5323
MC		 3903 const unsigned char *prot;
3904
c7558d5b
PY		 3905 for (prot = in; prot < in + inlen; prot += protlen) {
3906 protlen = *prot++;
5d99881e 3907 if (in + inlen < prot + protlen)
976e5323
MC		 3908 return SSL_TLSEXT_ERR_NOACK;
3909
3910 if (protlen == strlen(servalpn)
0bd42fde 3911 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3912 *out = prot;
3913 *outlen = protlen;
3914 return SSL_TLSEXT_ERR_OK;
3915 }
3916 }
3917
3918 return SSL_TLSEXT_ERR_NOACK;
3919}
3920
57dee9bb 3921/* Test that a PSK can be used to send early_data */
976e5323
MC		 3922static int test_early_data_psk(int idx)
3923{
3924 SSL_CTX *cctx = NULL, *sctx = NULL;
3925 SSL *clientssl = NULL, *serverssl = NULL;
3926 int testresult = 0;
3927 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3928 unsigned char alpnlist[] = {
3929 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3930 'l', 'p', 'n'
3931 };
3932#define GOODALPNLEN 9
3933#define BADALPNLEN 8
3934#define GOODALPN (alpnlist)
3935#define BADALPN (alpnlist + GOODALPNLEN)
3936 int err = 0;
976e5323
MC		 3937 unsigned char buf[20];
3938 size_t readbytes, written;
57dee9bb 3939 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3940 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3941
3942 /* We always set this up with a final parameter of "2" for PSK */
3943 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3944 &serverssl, &sess, 2)))
3945 goto end;
3946
976e5323
MC		 3947 servalpn = "goodalpn";
3948
57dee9bb
MC		 3949 /*
3950 * Note: There is no test for inconsistent SNI with late client detection.
3951 * This is because servers do not acknowledge SNI even if they are using
3952 * it in a resumption handshake - so it is not actually possible for a
3953 * client to detect a problem.
3954 */
976e5323
MC		 3955 switch (idx) {
3956 case 0:
57dee9bb 3957 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3958 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3959 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3960 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3961 goto end;
3962 break;
3963
3964 case 1:
57dee9bb 3965 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3966 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3967 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3968 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3969 GOODALPNLEN))
3970 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3971 BADALPNLEN)))
976e5323
MC		 3972 goto end;
3973 break;
3974
3975 case 2:
3976 /*
3977 * Set invalid protocol version. Technically this affects PSKs without
3978 * early_data too, but we test it here because it is similar to the
3979 * SNI/ALPN consistency tests.
3980 */
3981 err = SSL_R_BAD_PSK;
3982 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3983 goto end;
3984 break;
3985
3986 case 3:
3987 /*
49ef3d07
MC		 3988 * Set inconsistent SNI (server side). In this case the connection
3989 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3990 * is associated with each handshake - not the session. Therefore it
3991 * should not matter that we used a different server name last time.
976e5323 3992 */
281bf233
MC		 3993 SSL_SESSION_free(serverpsk);
3994 serverpsk = SSL_SESSION_dup(clientpsk);
3995 if (!TEST_ptr(serverpsk)
3996 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3997 goto end;
976e5323
MC		 3998 /* Fall through */
3999 case 4:
4000 /* Set consistent SNI */
976e5323
MC		 4001 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4002 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4003 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4004 hostname_cb)))
4005 goto end;
4006 break;
4007
4008 case 5:
4009 /*
4010 * Set inconsistent ALPN (server detected). In this case the connection
4011 * will succeed but reject early_data.
4012 */
4013 servalpn = "badalpn";
4014 edstatus = SSL_EARLY_DATA_REJECTED;
4015 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4016 /* Fall through */
4017 case 6:
976e5323 4018 /*
57dee9bb 4019 * Set consistent ALPN.
976e5323
MC		 4020 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4021 * accepts a list of protos (each one length prefixed).
4022 * SSL_set1_alpn_selected accepts a single protocol (not length
4023 * prefixed)
4024 */
57dee9bb
MC		 4025 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4026 GOODALPNLEN - 1))
4027 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4028 GOODALPNLEN)))
976e5323
MC		 4029 goto end;
4030
4031 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4032 break;
4033
57dee9bb
MC		 4034 case 7:
4035 /* Set inconsistent ALPN (late client detection) */
4036 SSL_SESSION_free(serverpsk);
4037 serverpsk = SSL_SESSION_dup(clientpsk);
4038 if (!TEST_ptr(serverpsk)
4039 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4040 BADALPN + 1,
4041 BADALPNLEN - 1))
4042 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4043 GOODALPN + 1,
4044 GOODALPNLEN - 1))
4045 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4046 sizeof(alpnlist))))
4047 goto end;
4048 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4049 edstatus = SSL_EARLY_DATA_ACCEPTED;
4050 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4051 /* SSL_connect() call should fail */
4052 connectres = -1;
4053 break;
4054
976e5323
MC		 4055 default:
4056 TEST_error("Bad test index");
4057 goto end;
4058 }
4059
4060 SSL_set_connect_state(clientssl);
4061 if (err != 0) {
4062 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4063 &written))
4064 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4065 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4066 goto end;
4067 } else {
4068 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4069 &written)))
4070 goto end;
4071
4072 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4073 &readbytes), readearlyres)
976e5323
MC		 4074 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4075 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4076 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4077 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4078 goto end;
4079 }
4080
4081 testresult = 1;
4082
4083 end:
c20e3b28 4084 SSL_SESSION_free(sess);
57dee9bb
MC		 4085 SSL_SESSION_free(clientpsk);
4086 SSL_SESSION_free(serverpsk);
4087 clientpsk = serverpsk = NULL;
976e5323
MC		 4088 SSL_free(serverssl);
4089 SSL_free(clientssl);
4090 SSL_CTX_free(sctx);
4091 SSL_CTX_free(cctx);
4092 return testresult;
4093}
4094
0b2b0be9 4095/*
4096 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4097 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4098 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4099 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4100 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4101 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4102 */
4103static int test_early_data_psk_with_all_ciphers(int idx)
4104{
4105 SSL_CTX *cctx = NULL, *sctx = NULL;
4106 SSL *clientssl = NULL, *serverssl = NULL;
4107 int testresult = 0;
4108 SSL_SESSION *sess = NULL;
4109 unsigned char buf[20];
4110 size_t readbytes, written;
4111 const SSL_CIPHER *cipher;
4112 const char *cipher_str[] = {
4113 TLS1_3_RFC_AES_128_GCM_SHA256,
4114 TLS1_3_RFC_AES_256_GCM_SHA384,
4115# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4116 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4117# else
4118 NULL,
4119# endif
4120 TLS1_3_RFC_AES_128_CCM_SHA256,
4121 TLS1_3_RFC_AES_128_CCM_8_SHA256
4122 };
4123 const unsigned char *cipher_bytes[] = {
4124 TLS13_AES_128_GCM_SHA256_BYTES,
4125 TLS13_AES_256_GCM_SHA384_BYTES,
4126# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4127 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4128# else
4129 NULL,
4130# endif
4131 TLS13_AES_128_CCM_SHA256_BYTES,
4132 TLS13_AES_128_CCM_8_SHA256_BYTES
4133 };
4134
4135 if (cipher_str[idx] == NULL)
4136 return 1;
4137 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4138 if (idx == 2 && is_fips == 1)
4139 return 1;
4140
4141 /* We always set this up with a final parameter of "2" for PSK */
4142 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4143 &serverssl, &sess, 2)))
4144 goto end;
4145
e0710222
P		 4146 if (idx == 4) {
4147 /* CCM8 ciphers are considered low security due to their short tag */
4148 SSL_set_security_level(clientssl, 0);
4149 SSL_set_security_level(serverssl, 0);
4150 }
4151
0b2b0be9 4152 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4153 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4154 goto end;
4155
4156 /*
4157 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4158 * and assigns to both client and server with incremented reference
4159 * and the same instance is updated in 'sess'.
4160 * So updating ciphersuite in 'sess' which will get reflected in
4161 * PSK handshake using psk use sess and find sess cb.
4162 */
4163 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4164 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4165 goto end;
4166
4167 SSL_set_connect_state(clientssl);
4168 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4169 &written)))
4170 goto end;
4171
4172 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4173 &readbytes),
4174 SSL_READ_EARLY_DATA_SUCCESS)
4175 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4176 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4177 SSL_EARLY_DATA_ACCEPTED)
4178 || !TEST_int_eq(SSL_connect(clientssl), 1)
4179 || !TEST_int_eq(SSL_accept(serverssl), 1))
4180 goto end;
4181
4182 /* Send some normal data from client to server */
4183 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4184 || !TEST_size_t_eq(written, strlen(MSG2)))
4185 goto end;
4186
4187 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4188 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4189 goto end;
4190
4191 testresult = 1;
4192 end:
4193 SSL_SESSION_free(sess);
4194 SSL_SESSION_free(clientpsk);
4195 SSL_SESSION_free(serverpsk);
4196 clientpsk = serverpsk = NULL;
4197 if (clientssl != NULL)
4198 SSL_shutdown(clientssl);
4199 if (serverssl != NULL)
4200 SSL_shutdown(serverssl);
4201 SSL_free(serverssl);
4202 SSL_free(clientssl);
4203 SSL_CTX_free(sctx);
4204 SSL_CTX_free(cctx);
4205 return testresult;
4206}
4207
710756a9
RS		 4208/*
4209 * Test that a server that doesn't try to read early data can handle a
4210 * client sending some.
4211 */
3cb47b4e 4212static int test_early_data_not_expected(int idx)
5f982038
MC		 4213{
4214 SSL_CTX *cctx = NULL, *sctx = NULL;
4215 SSL *clientssl = NULL, *serverssl = NULL;
4216 int testresult = 0;
018fcbec 4217 SSL_SESSION *sess = NULL;
5f982038
MC		 4218 unsigned char buf[20];
4219 size_t readbytes, written;
4220
710756a9
RS		 4221 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4222 &serverssl, &sess, idx)))
5f982038
MC		 4223 goto end;
4224
4225 /* Write some early data */
710756a9
RS		 4226 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4227 &written)))
5f982038 4228 goto end;
5f982038
MC		 4229
4230 /*
4231 * Server should skip over early data and then block waiting for client to
4232 * continue handshake
4233 */
710756a9
RS		 4234 if (!TEST_int_le(SSL_accept(serverssl), 0)
4235 || !TEST_int_gt(SSL_connect(clientssl), 0)
4236 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4237 SSL_EARLY_DATA_REJECTED)
4238 || !TEST_int_gt(SSL_accept(serverssl), 0)
4239 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4240 SSL_EARLY_DATA_REJECTED))
5f982038 4241 goto end;
5f982038
MC		 4242
4243 /* Send some normal data from client to server */
710756a9
RS		 4244 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4245 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4246 goto end;
5f982038 4247
710756a9
RS		 4248 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4249 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4250 goto end;
5f982038
MC		 4251
4252 testresult = 1;
4253
4254 end:
5f982038 4255 SSL_SESSION_free(sess);
c20e3b28 4256 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4257 SSL_SESSION_free(serverpsk);
4258 clientpsk = serverpsk = NULL;
5f982038
MC		 4259 SSL_free(serverssl);
4260 SSL_free(clientssl);
4261 SSL_CTX_free(sctx);
4262 SSL_CTX_free(cctx);
5f982038
MC		 4263 return testresult;
4264}
4265
4266
4267# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4268/*
4269 * Test that a server attempting to read early data can handle a connection
4270 * from a TLSv1.2 client.
4271 */
3cb47b4e 4272static int test_early_data_tls1_2(int idx)
5f982038
MC		 4273{
4274 SSL_CTX *cctx = NULL, *sctx = NULL;
4275 SSL *clientssl = NULL, *serverssl = NULL;
4276 int testresult = 0;
4277 unsigned char buf[20];
4278 size_t readbytes, written;
4279
02a3ed5a
MC		 4280 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4281 &serverssl, NULL, idx)))
5f982038 4282 goto end;
5f982038
MC		 4283
4284 /* Write some data - should block due to handshake with server */
4285 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4286 SSL_set_connect_state(clientssl);
710756a9 4287 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4288 goto end;
5f982038
MC		 4289
4290 /*
4291 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4292 * messages from client after ServerDone. Then SSL_read_early_data should
4293 * finish and detect that early data has not been sent
5f982038 4294 */
710756a9
RS		 4295 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4296 &readbytes),
4297 SSL_READ_EARLY_DATA_ERROR))
5f982038 4298 goto end;
5f982038
MC		 4299
4300 /*
4301 * Continue writing the message we started earlier. Will still block waiting
4302 * for the CCS/Finished from server
4303 */
710756a9
RS		 4304 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4305 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4306 &readbytes),
4307 SSL_READ_EARLY_DATA_FINISH)
4308 || !TEST_size_t_eq(readbytes, 0)
4309 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4310 SSL_EARLY_DATA_NOT_SENT))
5f982038 4311 goto end;
5f982038
MC		 4312
4313 /* Continue writing the message we started earlier */
710756a9
RS		 4314 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4315 || !TEST_size_t_eq(written, strlen(MSG1))
4316 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4317 SSL_EARLY_DATA_NOT_SENT)
4318 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4319 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4320 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4321 || !TEST_size_t_eq(written, strlen(MSG2))
4322 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4323 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4324 goto end;
5f982038
MC		 4325
4326 testresult = 1;
4327
4328 end:
57dee9bb
MC		 4329 SSL_SESSION_free(clientpsk);
4330 SSL_SESSION_free(serverpsk);
4331 clientpsk = serverpsk = NULL;
5f982038
MC		 4332 SSL_free(serverssl);
4333 SSL_free(clientssl);
4334 SSL_CTX_free(sctx);
4335 SSL_CTX_free(cctx);
4336
4337 return testresult;
4338}
ca0413ae
MC		 4339# endif /* OPENSSL_NO_TLS1_2 */
4340
034cb87b
MC		 4341/*
4342 * Test configuring the TLSv1.3 ciphersuites
4343 *
4344 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4345 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4346 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4347 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4348 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4349 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4350 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4351 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4352 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4353 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4354 */
4355static int test_set_ciphersuite(int idx)
4356{
4357 SSL_CTX *cctx = NULL, *sctx = NULL;
4358 SSL *clientssl = NULL, *serverssl = NULL;
4359 int testresult = 0;
4360
5e30f2fd
MC		 4361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4362 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4363 &sctx, &cctx, cert, privkey))
4364 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4365 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4366 goto end;
4367
4368 if (idx >=4 && idx <= 7) {
4369 /* SSL_CTX explicit cipher list */
4370 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4371 goto end;
4372 }
4373
4374 if (idx == 0 || idx == 4) {
4375 /* Default ciphersuite */
4376 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4377 "TLS_AES_128_GCM_SHA256")))
4378 goto end;
4379 } else if (idx == 1 || idx == 5) {
4380 /* Non default ciphersuite */
4381 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4382 "TLS_AES_128_CCM_SHA256")))
4383 goto end;
4384 }
4385
4386 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4387 &clientssl, NULL, NULL)))
4388 goto end;
4389
4390 if (idx == 8 || idx == 9) {
4391 /* SSL explicit cipher list */
4392 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4393 goto end;
4394 }
4395
4396 if (idx == 2 || idx == 6 || idx == 8) {
4397 /* Default ciphersuite */
4398 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4399 "TLS_AES_128_GCM_SHA256")))
4400 goto end;
4401 } else if (idx == 3 || idx == 7 || idx == 9) {
4402 /* Non default ciphersuite */
4403 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4404 "TLS_AES_128_CCM_SHA256")))
4405 goto end;
4406 }
4407
4408 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4409 goto end;
4410
4411 testresult = 1;
4412
4413 end:
4414 SSL_free(serverssl);
4415 SSL_free(clientssl);
4416 SSL_CTX_free(sctx);
4417 SSL_CTX_free(cctx);
4418
4419 return testresult;
4420}
4421
ca0413ae
MC		 4422static int test_ciphersuite_change(void)
4423{
4424 SSL_CTX *cctx = NULL, *sctx = NULL;
4425 SSL *clientssl = NULL, *serverssl = NULL;
4426 SSL_SESSION *clntsess = NULL;
4427 int testresult = 0;
4428 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4429
4430 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4431 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4432 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4433 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4434 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4435 "TLS_AES_128_GCM_SHA256:"
4436 "TLS_AES_256_GCM_SHA384:"
4437 "TLS_AES_128_CCM_SHA256"))
f865b081 4438 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4439 "TLS_AES_128_GCM_SHA256")))
4440 goto end;
4441
4442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4443 NULL, NULL))
ca0413ae
MC		 4444 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4445 SSL_ERROR_NONE)))
4446 goto end;
4447
4448 clntsess = SSL_get1_session(clientssl);
4449 /* Save for later */
4450 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4451 SSL_shutdown(clientssl);
4452 SSL_shutdown(serverssl);
4453 SSL_free(serverssl);
4454 SSL_free(clientssl);
4455 serverssl = clientssl = NULL;
4456
4457 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4458 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4459 "TLS_AES_128_CCM_SHA256"))
4460 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4461 &clientssl, NULL, NULL))
ca0413ae
MC		 4462 || !TEST_true(SSL_set_session(clientssl, clntsess))
4463 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4464 SSL_ERROR_NONE))
4465 || !TEST_true(SSL_session_reused(clientssl)))
4466 goto end;
4467
4468 SSL_SESSION_free(clntsess);
4469 clntsess = SSL_get1_session(clientssl);
4470 SSL_shutdown(clientssl);
4471 SSL_shutdown(serverssl);
4472 SSL_free(serverssl);
4473 SSL_free(clientssl);
4474 serverssl = clientssl = NULL;
4475
4476 /*
4477 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4478 * succeeds but does not resume.
ca0413ae 4479 */
f865b081 4480 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4481 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4482 NULL, NULL))
4483 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4485 SSL_ERROR_SSL))
0de6d66d 4486 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4487 goto end;
4488
4489 SSL_SESSION_free(clntsess);
4490 clntsess = NULL;
4491 SSL_shutdown(clientssl);
4492 SSL_shutdown(serverssl);
4493 SSL_free(serverssl);
4494 SSL_free(clientssl);
4495 serverssl = clientssl = NULL;
4496
4497 /* Create a session based on SHA384 */
f865b081 4498 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4499 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4500 &clientssl, NULL, NULL))
4501 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4502 SSL_ERROR_NONE)))
4503 goto end;
4504
4505 clntsess = SSL_get1_session(clientssl);
4506 SSL_shutdown(clientssl);
4507 SSL_shutdown(serverssl);
4508 SSL_free(serverssl);
4509 SSL_free(clientssl);
4510 serverssl = clientssl = NULL;
4511
f865b081
MC		 4512 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4513 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4514 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4515 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4516 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4517 NULL, NULL))
4518 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4519 /*
4520 * We use SSL_ERROR_WANT_READ below so that we can pause the
4521 * connection after the initial ClientHello has been sent to
4522 * enable us to make some session changes.
4523 */
ca0413ae
MC		 4524 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4525 SSL_ERROR_WANT_READ)))
4526 goto end;
4527
4528 /* Trick the client into thinking this session is for a different digest */
4529 clntsess->cipher = aes_128_gcm_sha256;
4530 clntsess->cipher_id = clntsess->cipher->id;
4531
4532 /*
3b0e88d3
MC		 4533 * Continue the previously started connection. Server has selected a SHA-384
4534 * ciphersuite, but client thinks the session is for SHA-256, so it should
4535 * bail out.
ca0413ae
MC		 4536 */
4537 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4538 SSL_ERROR_SSL))
4539 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4540 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4541 goto end;
4542
4543 testresult = 1;
4544
4545 end:
4546 SSL_SESSION_free(clntsess);
4547 SSL_free(serverssl);
4548 SSL_free(clientssl);
4549 SSL_CTX_free(sctx);
4550 SSL_CTX_free(cctx);
4551
4552 return testresult;
4553}
4554
8e63900a 4555/*
5bf2eade 4556 * Test TLSv1.3 Key exchange
4557 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4558 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4559 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4560 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4561 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4562 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4563 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4564 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4565 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4566 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4567 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4568 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4569 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4570 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4571 */
f89d3d69
BK		 4572# ifndef OPENSSL_NO_EC
4573static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4574 NID_secp521r1, NID_X25519, NID_X448};
4575# endif
4576# ifndef OPENSSL_NO_DH
4577static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4578 NID_ffdhe6144, NID_ffdhe8192};
4579# endif
db26ec80 4580static int test_key_exchange(int idx)
8e63900a 4581{
4582 SSL_CTX *sctx = NULL, *cctx = NULL;
4583 SSL *serverssl = NULL, *clientssl = NULL;
4584 int testresult = 0;
fb8c6db4 4585 int kexch_alg;
4586 int *kexch_groups = &kexch_alg;
4587 int kexch_groups_size = 1;
8e63900a 4588 int max_version = TLS1_3_VERSION;
becbacd7 4589 char *kexch_name0 = NULL;
8e63900a 4590
4591 switch (idx) {
5bf2eade 4592# ifndef OPENSSL_NO_EC
db26ec80 4593# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4594 case 12:
fb8c6db4 4595 max_version = TLS1_2_VERSION;
db26ec80 4596# endif
fb8c6db4 4597 /* Fall through */
4598 case 0:
4599 kexch_groups = ecdhe_kexch_groups;
4600 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4601 kexch_name0 = "secp256r1";
fb8c6db4 4602 break;
5bf2eade 4603 case 1:
fb8c6db4 4604 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4605 kexch_name0 = "secp256r1";
fb8c6db4 4606 break;
5bf2eade 4607 case 2:
fb8c6db4 4608 kexch_alg = NID_secp384r1;
becbacd7 4609 kexch_name0 = "secp384r1";
fb8c6db4 4610 break;
5bf2eade 4611 case 3:
fb8c6db4 4612 kexch_alg = NID_secp521r1;
becbacd7 4613 kexch_name0 = "secp521r1";
fb8c6db4 4614 break;
5bf2eade 4615 case 4:
fb8c6db4 4616 kexch_alg = NID_X25519;
becbacd7 4617 kexch_name0 = "x25519";
fb8c6db4 4618 break;
5bf2eade 4619 case 5:
fb8c6db4 4620 kexch_alg = NID_X448;
becbacd7 4621 kexch_name0 = "x448";
fb8c6db4 4622 break;
5bf2eade 4623# endif
4624# ifndef OPENSSL_NO_DH
db26ec80 4625# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4626 case 13:
dbc6268f 4627 max_version = TLS1_2_VERSION;
becbacd7 4628 kexch_name0 = "ffdhe2048";
db26ec80 4629# endif
dbc6268f 4630 /* Fall through */
5bf2eade 4631 case 6:
8e63900a 4632 kexch_groups = ffdhe_kexch_groups;
4633 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4634 kexch_name0 = "ffdhe2048";
8e63900a 4635 break;
5bf2eade 4636 case 7:
fb8c6db4 4637 kexch_alg = NID_ffdhe2048;
becbacd7 4638 kexch_name0 = "ffdhe2048";
fb8c6db4 4639 break;
5bf2eade 4640 case 8:
fb8c6db4 4641 kexch_alg = NID_ffdhe3072;
becbacd7 4642 kexch_name0 = "ffdhe3072";
fb8c6db4 4643 break;
5bf2eade 4644 case 9:
fb8c6db4 4645 kexch_alg = NID_ffdhe4096;
becbacd7 4646 kexch_name0 = "ffdhe4096";
fb8c6db4 4647 break;
5bf2eade 4648 case 10:
fb8c6db4 4649 kexch_alg = NID_ffdhe6144;
becbacd7 4650 kexch_name0 = "ffdhe6144";
fb8c6db4 4651 break;
5bf2eade 4652 case 11:
fb8c6db4 4653 kexch_alg = NID_ffdhe8192;
becbacd7 4654 kexch_name0 = "ffdhe8192";
8e63900a 4655 break;
5bf2eade 4656# endif
6597d62b
MC		 4657 default:
4658 /* We're skipping this test */
4659 return 1;
8e63900a 4660 }
4661
5e30f2fd
MC		 4662 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4663 TLS_client_method(), TLS1_VERSION,
4664 max_version, &sctx, &cctx, cert,
4665 privkey)))
8e63900a 4666 goto end;
4667
5bf2eade 4668 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4669 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4670 goto end;
4671
5bf2eade 4672 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4673 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4674 goto end;
4675
5bf2eade 4676 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4677 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4678 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4679 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4680 goto end;
4681
dbc6268f
MC		 4682 /*
4683 * Must include an EC ciphersuite so that we send supported groups in
4684 * TLSv1.2
4685 */
5bf2eade 4686# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4687 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4688 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4689 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4690 goto end;
5bf2eade 4691# endif
8e63900a 4692
4693 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4694 NULL, NULL)))
4695 goto end;
4696
4697 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4698 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4699 goto end;
4700
5bf2eade 4701 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4702 goto end;
8e63900a 4703
dbc6268f 4704 /*
5bf2eade 4705 * If Handshake succeeds the negotiated kexch alg should be the first one in
4706 * configured, except in the case of FFDHE groups (idx 13), which are
4707 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4708 */
4709 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4710 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4711 goto end;
becbacd7
MB		 4712
4713 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4714 kexch_name0))
4715 goto end;
4716
75d48520
BK		 4717 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4718 if (idx != 13) {
fb8c6db4 4719 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4720 goto end;
4721 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4722 goto end;
4723 }
8e63900a 4724
4725 testresult = 1;
4726 end:
4727 SSL_free(serverssl);
4728 SSL_free(clientssl);
4729 SSL_CTX_free(sctx);
4730 SSL_CTX_free(cctx);
4731 return testresult;
4732}
4733
c9cddf05
P		 4734# if !defined(OPENSSL_NO_TLS1_2) \
4735 && !defined(OPENSSL_NO_EC) \
4736 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4737static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4738 int isecdhe, int idx)
4739{
4740 int kexch_alg;
4741 int *kexch_groups = &kexch_alg;
4742 int numec, numff;
4743
4744 numec = OSSL_NELEM(ecdhe_kexch_groups);
4745 numff = OSSL_NELEM(ffdhe_kexch_groups);
4746 if (isecdhe)
4747 kexch_alg = ecdhe_kexch_groups[idx];
4748 else
4749 kexch_alg = ffdhe_kexch_groups[idx];
4750
4751 if (clientmulti) {
4752 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4753 return 0;
4754 if (isecdhe) {
4755 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4756 numec)))
4757 return 0;
4758 } else {
4759 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4760 numff)))
4761 return 0;
4762 }
4763 } else {
4764 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4765 return 0;
4766 if (isecdhe) {
4767 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4768 numec)))
4769 return 0;
4770 } else {
4771 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4772 numff)))
4773 return 0;
4774 }
4775 }
4776 return 1;
4777}
4778
4779/*-
4780 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4781 * Run through both the ECDHE and FFDHE group lists used in the previous
4782 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4783 * confirming the expected result; then perform a resumption handshake
4784 * while offering the same group list, and another resumption handshake
4785 * offering a different group list. The returned value should be the
4786 * negotiated group for the initial handshake; for TLS 1.3 resumption
4787 * handshakes the returned value will be negotiated on the resumption
4788 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4789 * be cached in the session from the original handshake, regardless of what
4790 * was offered in the resumption ClientHello.
4791 *
4792 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 4793 * E tests of ECDHE with TLS 1.3, server only has one group
4794 * F tests of FFDHE with TLS 1.3, server only has one group
4795 * E tests of ECDHE with TLS 1.2, server only has one group
4796 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 4797 * E tests of ECDHE with TLS 1.3, client sends only one group
4798 * F tests of FFDHE with TLS 1.3, client sends only one group
4799 * E tests of ECDHE with TLS 1.2, client sends only one group
4800 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 4801 */
4802static int test_negotiated_group(int idx)
4803{
4804 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4805 int expectednid;
4806 SSL_CTX *sctx = NULL, *cctx = NULL;
4807 SSL *serverssl = NULL, *clientssl = NULL;
4808 SSL_SESSION *origsess = NULL;
4809 int testresult = 0;
4810 int kexch_alg;
4811 int max_version = TLS1_3_VERSION;
4812
4813 numec = OSSL_NELEM(ecdhe_kexch_groups);
4814 numff = OSSL_NELEM(ffdhe_kexch_groups);
4815 numgroups = numec + numff;
4816 clientmulti = (idx < 2 * numgroups);
4817 idx = idx % (2 * numgroups);
4818 istls13 = (idx < numgroups);
4819 idx = idx % numgroups;
4820 isecdhe = (idx < numec);
4821 if (!isecdhe)
4822 idx -= numec;
4823 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4824 if (isecdhe)
4825 kexch_alg = ecdhe_kexch_groups[idx];
4826 else
4827 kexch_alg = ffdhe_kexch_groups[idx];
4828 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4829 if (!istls13 && !isecdhe)
4830 expectednid = NID_undef;
4831 else
4832 expectednid = kexch_alg;
4833
4834 if (!istls13)
4835 max_version = TLS1_2_VERSION;
4836
4837 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4838 TLS_client_method(), TLS1_VERSION,
4839 max_version, &sctx, &cctx, cert,
4840 privkey)))
4841 goto end;
4842
4843 /*
4844 * Force (EC)DHE ciphers for TLS 1.2.
4845 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4846 */
4847 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4848 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4849 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4850 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4851 goto end;
4852 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4853 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4854 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4855 goto end;
4856
4857 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4858 NULL, NULL)))
4859 goto end;
4860
4861 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4862 idx)))
4863 goto end;
4864
4865 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4866 goto end;
4867
4868 /* Initial handshake; always the configured one */
4869 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4870 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4871 goto end;
4872
4873 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4874 goto end;
4875
4876 SSL_shutdown(clientssl);
4877 SSL_shutdown(serverssl);
4878 SSL_free(serverssl);
4879 SSL_free(clientssl);
4880 serverssl = clientssl = NULL;
4881
4882 /* First resumption attempt; use the same config as initial handshake */
4883 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4884 NULL, NULL))
4885 || !TEST_true(SSL_set_session(clientssl, origsess))
4886 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4887 isecdhe, idx)))
4888 goto end;
4889
4890 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4891 || !TEST_true(SSL_session_reused(clientssl)))
4892 goto end;
4893
4894 /* Still had better agree, since nothing changed... */
4895 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4896 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4897 goto end;
4898
4899 SSL_shutdown(clientssl);
4900 SSL_shutdown(serverssl);
4901 SSL_free(serverssl);
4902 SSL_free(clientssl);
4903 serverssl = clientssl = NULL;
4904
4905 /*-
4906 * Second resumption attempt
4907 * The party that picks one group changes it, which we effectuate by
4908 * changing 'idx' and updating what we expect.
4909 */
4910 if (idx == 0)
4911 idx = 1;
4912 else
4913 idx--;
4914 if (istls13) {
4915 if (isecdhe)
4916 expectednid = ecdhe_kexch_groups[idx];
4917 else
4918 expectednid = ffdhe_kexch_groups[idx];
4919 /* Verify that we are changing what we expect. */
4920 if (!TEST_int_ne(expectednid, kexch_alg))
4921 goto end;
4922 } else {
4923 /* TLS 1.2 only supports named groups for ECDHE. */
4924 if (isecdhe)
4925 expectednid = kexch_alg;
4926 else
4927 expectednid = 0;
4928 }
4929 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4930 NULL, NULL))
4931 || !TEST_true(SSL_set_session(clientssl, origsess))
4932 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4933 isecdhe, idx)))
4934 goto end;
4935
4936 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4937 || !TEST_true(SSL_session_reused(clientssl)))
4938 goto end;
4939
4940 /* Check that we get what we expected */
4941 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4942 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4943 goto end;
4944
4945 testresult = 1;
4946 end:
4947 SSL_free(serverssl);
4948 SSL_free(clientssl);
4949 SSL_CTX_free(sctx);
4950 SSL_CTX_free(cctx);
4951 SSL_SESSION_free(origsess);
4952 return testresult;
4953}
4954# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4955
5bf2eade 4956/*
4957 * Test TLSv1.3 Cipher Suite
4958 * Test 0 = Set TLS1.3 cipher on context
4959 * Test 1 = Set TLS1.3 cipher on SSL
4960 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4961 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4962 */
4963static int test_tls13_ciphersuite(int idx)
4964{
4965 SSL_CTX *sctx = NULL, *cctx = NULL;
4966 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4967 static const struct {
4968 const char *ciphername;
4969 int fipscapable;
e0710222 4970 int low_security;
4f6c7044 4971 } t13_ciphers[] = {
e0710222
P		 4972 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
4973 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
4974 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 4975# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 4976 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 4977 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 4978 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 4979# endif
e0710222
P		 4980 /* CCM8 ciphers are considered low security due to their short tag */
4981 { TLS1_3_RFC_AES_128_CCM_8_SHA256
4982 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 4983 };
4984 const char *t13_cipher = NULL;
4985 const char *t12_cipher = NULL;
4986 const char *negotiated_scipher;
4987 const char *negotiated_ccipher;
4988 int set_at_ctx = 0;
4989 int set_at_ssl = 0;
4990 int testresult = 0;
4991 int max_ver;
4992 size_t i;
4993
4994 switch (idx) {
4995 case 0:
4996 set_at_ctx = 1;
4997 break;
4998 case 1:
4999 set_at_ssl = 1;
5000 break;
5001 case 2:
5002 set_at_ctx = 1;
2d900758 5003 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5004 break;
5005 case 3:
5006 set_at_ssl = 1;
2d900758 5007 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5008 break;
5009 }
5010
5011 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5012# ifdef OPENSSL_NO_TLS1_2
5013 if (max_ver == TLS1_2_VERSION)
5014 continue;
5015# endif
5016 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5017 if (is_fips && !t13_ciphers[i].fipscapable)
5018 continue;
5019 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5020 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5021 TLS_client_method(),
5022 TLS1_VERSION, max_ver,
5023 &sctx, &cctx, cert, privkey)))
5024 goto end;
5025
e0710222
P		 5026 if (t13_ciphers[i].low_security) {
5027 SSL_CTX_set_security_level(sctx, 0);
5028 SSL_CTX_set_security_level(cctx, 0);
5029 }
5030
5bf2eade 5031 if (set_at_ctx) {
5032 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5033 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5034 goto end;
5035 if (t12_cipher != NULL) {
5036 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5037 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5038 t12_cipher)))
5039 goto end;
5040 }
5041 }
5042
5043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5044 &clientssl, NULL, NULL)))
5045 goto end;
5046
5047 if (set_at_ssl) {
5048 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5049 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5050 goto end;
5051 if (t12_cipher != NULL) {
5052 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5053 || !TEST_true(SSL_set_cipher_list(clientssl,
5054 t12_cipher)))
5055 goto end;
5056 }
5057 }
5058
5059 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5060 SSL_ERROR_NONE)))
5061 goto end;
5062
5063 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5064 serverssl));
5065 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5066 clientssl));
5067 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5068 goto end;
5069
5070 /*
5071 * TEST_strn_eq is used below because t13_cipher can contain
5072 * multiple ciphersuites
5073 */
5074 if (max_ver == TLS1_3_VERSION
5075 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5076 strlen(negotiated_scipher)))
5077 goto end;
5078
5079# ifndef OPENSSL_NO_TLS1_2
5080 /* Below validation is not done when t12_cipher is NULL */
5081 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5082 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5083 goto end;
5084# endif
5085
5086 SSL_free(serverssl);
5087 serverssl = NULL;
5088 SSL_free(clientssl);
5089 clientssl = NULL;
5090 SSL_CTX_free(sctx);
5091 sctx = NULL;
5092 SSL_CTX_free(cctx);
5093 cctx = NULL;
5094 }
5095 }
5096
5097 testresult = 1;
5098 end:
5099 SSL_free(serverssl);
5100 SSL_free(clientssl);
5101 SSL_CTX_free(sctx);
5102 SSL_CTX_free(cctx);
5103 return testresult;
5104}
5105
0d8da779
MC		 5106/*
5107 * Test TLSv1.3 PSKs
5108 * Test 0 = Test new style callbacks
5109 * Test 1 = Test both new and old style callbacks
5110 * Test 2 = Test old style callbacks
5111 * Test 3 = Test old style callbacks with no certificate
5112 */
532f9578 5113static int test_tls13_psk(int idx)
ca8c71ba
MC		 5114{
5115 SSL_CTX *sctx = NULL, *cctx = NULL;
5116 SSL *serverssl = NULL, *clientssl = NULL;
5117 const SSL_CIPHER *cipher = NULL;
5118 const unsigned char key[] = {
5119 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5120 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5121 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5122 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5123 };
5124 int testresult = 0;
5125
5e30f2fd
MC		 5126 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5127 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5128 &sctx, &cctx, idx == 3 ? NULL : cert,
5129 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5130 goto end;
5131
0d8da779
MC		 5132 if (idx != 3) {
5133 /*
5134 * We use a ciphersuite with SHA256 to ease testing old style PSK
5135 * callbacks which will always default to SHA256. This should not be
5136 * necessary if we have no cert/priv key. In that case the server should
5137 * prefer SHA256 automatically.
5138 */
5139 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5140 "TLS_AES_128_GCM_SHA256")))
5141 goto end;
4f6c7044
MC		 5142 } else {
5143 /*
5144 * As noted above the server should prefer SHA256 automatically. However
5145 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5146 * code works even if we are testing with only the FIPS provider loaded.
5147 */
5148 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5149 "TLS_AES_256_GCM_SHA384:"
5150 "TLS_AES_128_GCM_SHA256")))
5151 goto end;
0d8da779 5152 }
532f9578
MC		 5153
5154 /*
5155 * Test 0: New style callbacks only
5156 * Test 1: New and old style callbacks (only the new ones should be used)
5157 * Test 2: Old style callbacks only
5158 */
5159 if (idx == 0 || idx == 1) {
5160 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5161 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5162 }
c2b290c3 5163#ifndef OPENSSL_NO_PSK
0d8da779 5164 if (idx >= 1) {
532f9578
MC		 5165 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5166 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5167 }
c2b290c3 5168#endif
ca8c71ba 5169 srvid = pskid;
02a3ed5a
MC		 5170 use_session_cb_cnt = 0;
5171 find_session_cb_cnt = 0;
532f9578
MC		 5172 psk_client_cb_cnt = 0;
5173 psk_server_cb_cnt = 0;
ca8c71ba 5174
0d8da779
MC		 5175 if (idx != 3) {
5176 /*
5177 * Check we can create a connection if callback decides not to send a
5178 * PSK
5179 */
5180 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5181 NULL, NULL))
5182 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5183 SSL_ERROR_NONE))
5184 || !TEST_false(SSL_session_reused(clientssl))
5185 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5186 goto end;
532f9578 5187
0d8da779
MC		 5188 if (idx == 0 || idx == 1) {
5189 if (!TEST_true(use_session_cb_cnt == 1)
5190 || !TEST_true(find_session_cb_cnt == 0)
5191 /*
5192 * If no old style callback then below should be 0
5193 * otherwise 1
5194 */
5195 || !TEST_true(psk_client_cb_cnt == idx)
5196 || !TEST_true(psk_server_cb_cnt == 0))
5197 goto end;
5198 } else {
5199 if (!TEST_true(use_session_cb_cnt == 0)
5200 || !TEST_true(find_session_cb_cnt == 0)
5201 || !TEST_true(psk_client_cb_cnt == 1)
5202 || !TEST_true(psk_server_cb_cnt == 0))
5203 goto end;
5204 }
5205
5206 shutdown_ssl_connection(serverssl, clientssl);
5207 serverssl = clientssl = NULL;
5208 use_session_cb_cnt = psk_client_cb_cnt = 0;
5209 }
ca8c71ba
MC		 5210
5211 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5212 NULL, NULL)))
5213 goto end;
5214
5215 /* Create the PSK */
532f9578 5216 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5217 clientpsk = SSL_SESSION_new();
5218 if (!TEST_ptr(clientpsk)
ca8c71ba 5219 || !TEST_ptr(cipher)
57dee9bb
MC		 5220 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5221 sizeof(key)))
5222 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5223 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5224 TLS1_3_VERSION))
5225 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5226 goto end;
57dee9bb 5227 serverpsk = clientpsk;
ca8c71ba
MC		 5228
5229 /* Check we can create a connection and the PSK is used */
5230 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5231 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5232 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5233 goto end;
5234
532f9578
MC		 5235 if (idx == 0 || idx == 1) {
5236 if (!TEST_true(use_session_cb_cnt == 1)
5237 || !TEST_true(find_session_cb_cnt == 1)
5238 || !TEST_true(psk_client_cb_cnt == 0)
5239 || !TEST_true(psk_server_cb_cnt == 0))
5240 goto end;
5241 } else {
5242 if (!TEST_true(use_session_cb_cnt == 0)
5243 || !TEST_true(find_session_cb_cnt == 0)
5244 || !TEST_true(psk_client_cb_cnt == 1)
5245 || !TEST_true(psk_server_cb_cnt == 1))
5246 goto end;
5247 }
5248
ca8c71ba
MC		 5249 shutdown_ssl_connection(serverssl, clientssl);
5250 serverssl = clientssl = NULL;
5251 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5252 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5253
5254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5255 NULL, NULL)))
5256 goto end;
5257
5258 /* Force an HRR */
dbc6268f
MC		 5259#if defined(OPENSSL_NO_EC)
5260 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5261 goto end;
5262#else
ca8c71ba
MC		 5263 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5264 goto end;
dbc6268f 5265#endif
ca8c71ba
MC		 5266
5267 /*
5268 * Check we can create a connection, the PSK is used and the callbacks are
5269 * called twice.
5270 */
5271 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5272 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5273 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5274 goto end;
5275
532f9578
MC		 5276 if (idx == 0 || idx == 1) {
5277 if (!TEST_true(use_session_cb_cnt == 2)
5278 || !TEST_true(find_session_cb_cnt == 2)
5279 || !TEST_true(psk_client_cb_cnt == 0)
5280 || !TEST_true(psk_server_cb_cnt == 0))
5281 goto end;
5282 } else {
5283 if (!TEST_true(use_session_cb_cnt == 0)
5284 || !TEST_true(find_session_cb_cnt == 0)
5285 || !TEST_true(psk_client_cb_cnt == 2)
5286 || !TEST_true(psk_server_cb_cnt == 2))
5287 goto end;
5288 }
5289
ca8c71ba
MC		 5290 shutdown_ssl_connection(serverssl, clientssl);
5291 serverssl = clientssl = NULL;
5292 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5293 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5294
0d8da779
MC		 5295 if (idx != 3) {
5296 /*
5297 * Check that if the server rejects the PSK we can still connect, but with
5298 * a full handshake
5299 */
5300 srvid = "Dummy Identity";
5301 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5302 NULL, NULL))
5303 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5304 SSL_ERROR_NONE))
5305 || !TEST_false(SSL_session_reused(clientssl))
5306 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5307 goto end;
532f9578 5308
0d8da779
MC		 5309 if (idx == 0 || idx == 1) {
5310 if (!TEST_true(use_session_cb_cnt == 1)
5311 || !TEST_true(find_session_cb_cnt == 1)
5312 || !TEST_true(psk_client_cb_cnt == 0)
5313 /*
5314 * If no old style callback then below should be 0
5315 * otherwise 1
5316 */
5317 || !TEST_true(psk_server_cb_cnt == idx))
5318 goto end;
5319 } else {
5320 if (!TEST_true(use_session_cb_cnt == 0)
5321 || !TEST_true(find_session_cb_cnt == 0)
5322 || !TEST_true(psk_client_cb_cnt == 1)
5323 || !TEST_true(psk_server_cb_cnt == 1))
5324 goto end;
5325 }
5326
5327 shutdown_ssl_connection(serverssl, clientssl);
5328 serverssl = clientssl = NULL;
5329 }
ca8c71ba
MC		 5330 testresult = 1;
5331
5332 end:
57dee9bb
MC		 5333 SSL_SESSION_free(clientpsk);
5334 SSL_SESSION_free(serverpsk);
5335 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5336 SSL_free(serverssl);
5337 SSL_free(clientssl);
5338 SSL_CTX_free(sctx);
5339 SSL_CTX_free(cctx);
5340 return testresult;
5341}
5342
c7b8ff25
MC		 5343static unsigned char cookie_magic_value[] = "cookie magic";
5344
5345static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5346 unsigned int *cookie_len)
5347{
5348 /*
5349 * Not suitable as a real cookie generation function but good enough for
5350 * testing!
5351 */
97ea1e7f
MC		 5352 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5353 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5354
5355 return 1;
5356}
5357
5358static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5359 unsigned int cookie_len)
5360{
97ea1e7f 5361 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5362 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5363 return 1;
5364
5365 return 0;
5366}
5367
3fa2812f
BS		 5368static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5369 size_t *cookie_len)
5370{
5371 unsigned int temp;
5372 int res = generate_cookie_callback(ssl, cookie, &temp);
5373 *cookie_len = temp;
5374 return res;
5375}
5376
5377static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5378 size_t cookie_len)
5379{
5380 return verify_cookie_callback(ssl, cookie, cookie_len);
5381}
5382
c7b8ff25
MC		 5383static int test_stateless(void)
5384{
5385 SSL_CTX *sctx = NULL, *cctx = NULL;
5386 SSL *serverssl = NULL, *clientssl = NULL;
5387 int testresult = 0;
5388
5e30f2fd
MC		 5389 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5390 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5391 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5392 goto end;
5393
e440f513
MC		 5394 /* The arrival of CCS messages can confuse the test */
5395 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5396
5397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5398 NULL, NULL))
5399 /* Send the first ClientHello */
5400 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5401 SSL_ERROR_WANT_READ))
5402 /*
5403 * This should fail with a -1 return because we have no callbacks
5404 * set up
5405 */
5406 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5407 goto end;
5408
5409 /* Fatal error so abandon the connection from this client */
5410 SSL_free(clientssl);
5411 clientssl = NULL;
5412
c7b8ff25 5413 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5414 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5415 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5416
e440f513
MC		 5417 /*
5418 * Create a new connection from the client (we can reuse the server SSL
5419 * object).
5420 */
c7b8ff25
MC		 5421 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5422 NULL, NULL))
5423 /* Send the first ClientHello */
5424 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5425 SSL_ERROR_WANT_READ))
5426 /* This should fail because there is no cookie */
e440f513 5427 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5428 goto end;
5429
5430 /* Abandon the connection from this client */
5431 SSL_free(clientssl);
5432 clientssl = NULL;
5433
5434 /*
5435 * Now create a connection from a new client but with the same server SSL
5436 * object
5437 */
5438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5439 NULL, NULL))
5440 /* Send the first ClientHello */
5441 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5442 SSL_ERROR_WANT_READ))
5443 /* This should fail because there is no cookie */
e440f513 5444 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5445 /* Send the second ClientHello */
5446 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5447 SSL_ERROR_WANT_READ))
5448 /* This should succeed because a cookie is now present */
e440f513 5449 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5450 /* Complete the connection */
5451 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5452 SSL_ERROR_NONE)))
5453 goto end;
5454
5455 shutdown_ssl_connection(serverssl, clientssl);
5456 serverssl = clientssl = NULL;
5457 testresult = 1;
5458
5459 end:
5460 SSL_free(serverssl);
5461 SSL_free(clientssl);
5462 SSL_CTX_free(sctx);
5463 SSL_CTX_free(cctx);
5464 return testresult;
5465
5466}
a763ca11 5467#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5468
a37008d9
MC		 5469static int clntaddoldcb = 0;
5470static int clntparseoldcb = 0;
5471static int srvaddoldcb = 0;
5472static int srvparseoldcb = 0;
5473static int clntaddnewcb = 0;
5474static int clntparsenewcb = 0;
5475static int srvaddnewcb = 0;
5476static int srvparsenewcb = 0;
bb01ef3f 5477static int snicb = 0;
a37008d9
MC		 5478
5479#define TEST_EXT_TYPE1 0xff00
5480
5481static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5482 size_t *outlen, int *al, void *add_arg)
5483{
5484 int *server = (int *)add_arg;
5485 unsigned char *data;
5486
5487 if (SSL_is_server(s))
5488 srvaddoldcb++;
5489 else
5490 clntaddoldcb++;
5491
710756a9
RS		 5492 if (*server != SSL_is_server(s)
5493 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5494 return -1;
5495
5496 *data = 1;
5497 *out = data;
5498 *outlen = sizeof(char);
a37008d9
MC		 5499 return 1;
5500}
5501
5502static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5503 void *add_arg)
5504{
5505 OPENSSL_free((unsigned char *)out);
5506}
5507
5508static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5509 size_t inlen, int *al, void *parse_arg)
5510{
5511 int *server = (int *)parse_arg;
5512
5513 if (SSL_is_server(s))
5514 srvparseoldcb++;
5515 else
5516 clntparseoldcb++;
5517
710756a9
RS		 5518 if (*server != SSL_is_server(s)
5519 || inlen != sizeof(char)
5520 || *in != 1)
a37008d9
MC		 5521 return -1;
5522
5523 return 1;
5524}
5525
5526static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5527 const unsigned char **out, size_t *outlen, X509 *x,
5528 size_t chainidx, int *al, void *add_arg)
5529{
5530 int *server = (int *)add_arg;
5531 unsigned char *data;
5532
5533 if (SSL_is_server(s))
5534 srvaddnewcb++;
5535 else
5536 clntaddnewcb++;
5537
710756a9
RS		 5538 if (*server != SSL_is_server(s)
5539 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5540 return -1;
5541
5542 *data = 1;
5543 *out = data;
710756a9 5544 *outlen = sizeof(*data);
a37008d9
MC		 5545 return 1;
5546}
5547
5548static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5549 const unsigned char *out, void *add_arg)
5550{
5551 OPENSSL_free((unsigned char *)out);
5552}
5553
5554static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5555 const unsigned char *in, size_t inlen, X509 *x,
5556 size_t chainidx, int *al, void *parse_arg)
5557{
5558 int *server = (int *)parse_arg;
5559
5560 if (SSL_is_server(s))
5561 srvparsenewcb++;
5562 else
5563 clntparsenewcb++;
5564
710756a9
RS		 5565 if (*server != SSL_is_server(s)
5566 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5567 return -1;
5568
5569 return 1;
5570}
bb01ef3f
MC		 5571
5572static int sni_cb(SSL *s, int *al, void *arg)
5573{
5574 SSL_CTX *ctx = (SSL_CTX *)arg;
5575
5576 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5577 *al = SSL_AD_INTERNAL_ERROR;
5578 return SSL_TLSEXT_ERR_ALERT_FATAL;
5579 }
5580 snicb++;
5581 return SSL_TLSEXT_ERR_OK;
5582}
5583
0db3a990
MC		 5584static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5585{
5586 return 1;
5587}
5588
a37008d9
MC		 5589/*
5590 * Custom call back tests.
5591 * Test 0: Old style callbacks in TLSv1.2
5592 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5593 * Test 2: New style callbacks in TLSv1.2 with SNI
5594 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5595 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5596 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5597 */
710756a9
RS		 5598static int test_custom_exts(int tst)
5599{
bb01ef3f 5600 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5601 SSL *clientssl = NULL, *serverssl = NULL;
5602 int testresult = 0;
5603 static int server = 1;
5604 static int client = 0;
5605 SSL_SESSION *sess = NULL;
5606 unsigned int context;
5607
a763ca11 5608#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5609 /* Skip tests for TLSv1.2 and below in this case */
5610 if (tst < 3)
5611 return 1;
5612#endif
5613
a37008d9
MC		 5614 /* Reset callback counters */
5615 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5616 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5617 snicb = 0;
a37008d9 5618
5e30f2fd
MC		 5619 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5620 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5621 &sctx, &cctx, cert, privkey)))
710756a9 5622 goto end;
a37008d9 5623
bb01ef3f 5624 if (tst == 2
5e30f2fd 5625 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5626 TLS1_VERSION, 0,
7d7f6834 5627 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5628 goto end;
5629
5630
5631 if (tst < 3) {
a37008d9
MC		 5632 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5633 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5634 if (sctx2 != NULL)
5635 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5636 }
5637
0db3a990
MC		 5638 if (tst == 5) {
5639 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5640 | SSL_EXT_TLS1_3_CERTIFICATE;
5641 SSL_CTX_set_verify(sctx,
5642 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5643 verify_cb);
5644 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5645 SSL_FILETYPE_PEM), 1)
5646 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5647 SSL_FILETYPE_PEM), 1)
5648 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5649 goto end;
5650 } else if (tst == 4) {
710756a9
RS		 5651 context = SSL_EXT_CLIENT_HELLO
5652 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5653 | SSL_EXT_TLS1_3_SERVER_HELLO
5654 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5655 | SSL_EXT_TLS1_3_CERTIFICATE
5656 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5657 } else {
710756a9
RS		 5658 context = SSL_EXT_CLIENT_HELLO
5659 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5660 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5661 }
5662
5663 /* Create a client side custom extension */
5664 if (tst == 0) {
710756a9
RS		 5665 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5666 old_add_cb, old_free_cb,
5667 &client, old_parse_cb,
5668 &client)))
5669 goto end;
a37008d9 5670 } else {
710756a9
RS		 5671 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5672 new_add_cb, new_free_cb,
5673 &client, new_parse_cb, &client)))
5674 goto end;
a37008d9
MC		 5675 }
5676
5677 /* Should not be able to add duplicates */
710756a9
RS		 5678 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5679 old_add_cb, old_free_cb,
5680 &client, old_parse_cb,
5681 &client))
5682 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5683 context, new_add_cb,
5684 new_free_cb, &client,
5685 new_parse_cb, &client)))
5686 goto end;
a37008d9
MC		 5687
5688 /* Create a server side custom extension */
5689 if (tst == 0) {
710756a9
RS		 5690 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5691 old_add_cb, old_free_cb,
5692 &server, old_parse_cb,
5693 &server)))
5694 goto end;
a37008d9 5695 } else {
710756a9
RS		 5696 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5697 new_add_cb, new_free_cb,
5698 &server, new_parse_cb, &server)))
5699 goto end;
bb01ef3f
MC		 5700 if (sctx2 != NULL
5701 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5702 context, new_add_cb,
5703 new_free_cb, &server,
5704 new_parse_cb, &server)))
5705 goto end;
a37008d9
MC		 5706 }
5707
5708 /* Should not be able to add duplicates */
710756a9
RS		 5709 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5710 old_add_cb, old_free_cb,
5711 &server, old_parse_cb,
5712 &server))
5713 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5714 context, new_add_cb,
5715 new_free_cb, &server,
5716 new_parse_cb, &server)))
a37008d9 5717 goto end;
a37008d9 5718
bb01ef3f
MC		 5719 if (tst == 2) {
5720 /* Set up SNI */
5721 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5722 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5723 goto end;
5724 }
5725
710756a9
RS		 5726 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5727 &clientssl, NULL, NULL))
5728 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5729 SSL_ERROR_NONE)))
a37008d9 5730 goto end;
a37008d9
MC		 5731
5732 if (tst == 0) {
710756a9
RS		 5733 if (clntaddoldcb != 1
5734 || clntparseoldcb != 1
5735 || srvaddoldcb != 1
5736 || srvparseoldcb != 1)
a37008d9 5737 goto end;
bb01ef3f 5738 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5739 if (clntaddnewcb != 1
5740 || clntparsenewcb != 1
5741 || srvaddnewcb != 1
bb01ef3f
MC		 5742 || srvparsenewcb != 1
5743 || (tst != 2 && snicb != 0)
5744 || (tst == 2 && snicb != 1))
a37008d9 5745 goto end;
0db3a990
MC		 5746 } else if (tst == 5) {
5747 if (clntaddnewcb != 1
5748 || clntparsenewcb != 1
5749 || srvaddnewcb != 1
5750 || srvparsenewcb != 1)
5751 goto end;
a37008d9 5752 } else {
36ff232c 5753 /* In this case there 2 NewSessionTicket messages created */
710756a9 5754 if (clntaddnewcb != 1
36ff232c
MC		 5755 || clntparsenewcb != 5
5756 || srvaddnewcb != 5
710756a9 5757 || srvparsenewcb != 1)
a37008d9 5758 goto end;
a37008d9
MC		 5759 }
5760
5761 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5762 SSL_shutdown(clientssl);
5763 SSL_shutdown(serverssl);
a37008d9
MC		 5764 SSL_free(serverssl);
5765 SSL_free(clientssl);
5766 serverssl = clientssl = NULL;
5767
0db3a990
MC		 5768 if (tst == 3 || tst == 5) {
5769 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 5770 testresult = 1;
5771 goto end;
5772 }
5773
710756a9
RS		 5774 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5775 NULL, NULL))
5776 || !TEST_true(SSL_set_session(clientssl, sess))
5777 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5778 SSL_ERROR_NONE)))
a37008d9 5779 goto end;
a37008d9
MC		 5780
5781 /*
5782 * For a resumed session we expect to add the ClientHello extension. For the
5783 * old style callbacks we ignore it on the server side because they set
5784 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5785 * them.
5786 */
5787 if (tst == 0) {
710756a9
RS		 5788 if (clntaddoldcb != 2
5789 || clntparseoldcb != 1
5790 || srvaddoldcb != 1
5791 || srvparseoldcb != 1)
a37008d9 5792 goto end;
bb01ef3f 5793 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5794 if (clntaddnewcb != 2
5795 || clntparsenewcb != 2
5796 || srvaddnewcb != 2
5797 || srvparsenewcb != 2)
a37008d9 5798 goto end;
a37008d9 5799 } else {
36ff232c
MC		 5800 /*
5801 * No Certificate message extensions in the resumption handshake,
5802 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5803 */
710756a9 5804 if (clntaddnewcb != 2
36ff232c
MC		 5805 || clntparsenewcb != 8
5806 || srvaddnewcb != 8
710756a9 5807 || srvparsenewcb != 2)
a37008d9 5808 goto end;
a37008d9
MC		 5809 }
5810
5811 testresult = 1;
5812
5813end:
5814 SSL_SESSION_free(sess);
5815 SSL_free(serverssl);
5816 SSL_free(clientssl);
bb01ef3f 5817 SSL_CTX_free(sctx2);
a37008d9
MC		 5818 SSL_CTX_free(sctx);
5819 SSL_CTX_free(cctx);
a37008d9
MC		 5820 return testresult;
5821}
5822
16afd71c
MC		 5823/*
5824 * Test loading of serverinfo data in various formats. test_sslmessages actually
5825 * tests to make sure the extensions appear in the handshake
5826 */
5827static int test_serverinfo(int tst)
5828{
5829 unsigned int version;
5830 unsigned char *sibuf;
5831 size_t sibuflen;
5832 int ret, expected, testresult = 0;
5833 SSL_CTX *ctx;
5834
d8652be0 5835 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5836 if (!TEST_ptr(ctx))
5837 goto end;
5838
5839 if ((tst & 0x01) == 0x01)
5840 version = SSL_SERVERINFOV2;
5841 else
5842 version = SSL_SERVERINFOV1;
5843
5844 if ((tst & 0x02) == 0x02) {
5845 sibuf = serverinfov2;
5846 sibuflen = sizeof(serverinfov2);
5847 expected = (version == SSL_SERVERINFOV2);
5848 } else {
5849 sibuf = serverinfov1;
5850 sibuflen = sizeof(serverinfov1);
5851 expected = (version == SSL_SERVERINFOV1);
5852 }
5853
5854 if ((tst & 0x04) == 0x04) {
5855 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5856 } else {
5857 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5858
5859 /*
5860 * The version variable is irrelevant in this case - it's what is in the
5861 * buffer that matters
5862 */
5863 if ((tst & 0x02) == 0x02)
5864 expected = 0;
5865 else
5866 expected = 1;
5867 }
5868
5869 if (!TEST_true(ret == expected))
5870 goto end;
5871
5872 testresult = 1;
5873
5874 end:
5875 SSL_CTX_free(ctx);
5876
5877 return testresult;
5878}
5879
2197d1df
MC		 5880/*
5881 * Test that SSL_export_keying_material() produces expected results. There are
5882 * no test vectors so all we do is test that both sides of the communication
5883 * produce the same results for different protocol versions.
5884 */
0fb2815b
MC		 5885#define SMALL_LABEL_LEN 10
5886#define LONG_LABEL_LEN 249
2197d1df
MC		 5887static int test_export_key_mat(int tst)
5888{
a599574b 5889 int testresult = 0;
2197d1df
MC		 5890 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5891 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5892 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5893 const unsigned char context[] = "context";
5894 const unsigned char *emptycontext = NULL;
5895 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5896 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5897 size_t labellen;
a599574b
MC		 5898 const int protocols[] = {
5899 TLS1_VERSION,
5900 TLS1_1_VERSION,
5901 TLS1_2_VERSION,
0fb2815b
MC		 5902 TLS1_3_VERSION,
5903 TLS1_3_VERSION,
a599574b
MC		 5904 TLS1_3_VERSION
5905 };
2197d1df
MC		 5906
5907#ifdef OPENSSL_NO_TLS1
5908 if (tst == 0)
5909 return 1;
5910#endif
5911#ifdef OPENSSL_NO_TLS1_1
5912 if (tst == 1)
5913 return 1;
5914#endif
4f6c7044
MC		 5915 if (is_fips && (tst == 0 || tst == 1))
5916 return 1;
2197d1df
MC		 5917#ifdef OPENSSL_NO_TLS1_2
5918 if (tst == 2)
5919 return 1;
5920#endif
a763ca11 5921#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5922 if (tst >= 3)
2197d1df
MC		 5923 return 1;
5924#endif
5e30f2fd
MC		 5925 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5926 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5927 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5928 goto end;
5929
a599574b
MC		 5930 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5931 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5932 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5933 if ((protocols[tst] < TLS1_2_VERSION) &&
5934 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5935 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5936 goto end;
2197d1df
MC		 5937
5938 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5939 NULL)))
5940 goto end;
5941
5942 /*
5943 * Premature call of SSL_export_keying_material should just fail.
5944 */
5945 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5946 sizeof(ckeymat1), label,
5947 SMALL_LABEL_LEN + 1, context,
5948 sizeof(context) - 1, 1), 0))
5949 goto end;
5950
5951 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5952 SSL_ERROR_NONE)))
2197d1df
MC		 5953 goto end;
5954
0fb2815b
MC		 5955 if (tst == 5) {
5956 /*
5957 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5958 * go over that.
5959 */
5960 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5961 sizeof(ckeymat1), label,
5962 LONG_LABEL_LEN + 1, context,
5963 sizeof(context) - 1, 1), 0))
5964 goto end;
5965
5966 testresult = 1;
5967 goto end;
5968 } else if (tst == 4) {
5969 labellen = LONG_LABEL_LEN;
5970 } else {
5971 labellen = SMALL_LABEL_LEN;
5972 }
5973
2197d1df
MC		 5974 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5975 sizeof(ckeymat1), label,
0fb2815b 5976 labellen, context,
2197d1df
MC		 5977 sizeof(context) - 1, 1), 1)
5978 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5979 sizeof(ckeymat2), label,
0fb2815b 5980 labellen,
2197d1df
MC		 5981 emptycontext,
5982 0, 1), 1)
5983 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5984 sizeof(ckeymat3), label,
0fb2815b 5985 labellen,
2197d1df
MC		 5986 NULL, 0, 0), 1)
5987 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5988 sizeof(skeymat1), label,
0fb2815b 5989 labellen,
2197d1df
MC		 5990 context,
5991 sizeof(context) -1, 1),
5992 1)
5993 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5994 sizeof(skeymat2), label,
0fb2815b 5995 labellen,
2197d1df
MC		 5996 emptycontext,
5997 0, 1), 1)
5998 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5999 sizeof(skeymat3), label,
0fb2815b 6000 labellen,
2197d1df
MC		 6001 NULL, 0, 0), 1)
6002 /*
6003 * Check that both sides created the same key material with the
6004 * same context.
6005 */
6006 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6007 sizeof(skeymat1))
6008 /*
6009 * Check that both sides created the same key material with an
6010 * empty context.
6011 */
6012 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6013 sizeof(skeymat2))
6014 /*
6015 * Check that both sides created the same key material without a
6016 * context.
6017 */
6018 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6019 sizeof(skeymat3))
6020 /* Different contexts should produce different results */
6021 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6022 sizeof(ckeymat2)))
6023 goto end;
6024
6025 /*
6026 * Check that an empty context and no context produce different results in
6027 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6028 */
0fb2815b 6029 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6030 sizeof(ckeymat3)))
0fb2815b
MC		 6031 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6032 sizeof(ckeymat3))))
2197d1df
MC		 6033 goto end;
6034
6035 testresult = 1;
6036
6037 end:
6038 SSL_free(serverssl);
6039 SSL_free(clientssl);
6040 SSL_CTX_free(sctx2);
6041 SSL_CTX_free(sctx);
6042 SSL_CTX_free(cctx);
6043
6044 return testresult;
6045}
6046
a763ca11 6047#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6048/*
6049 * Test that SSL_export_keying_material_early() produces expected
6050 * results. There are no test vectors so all we do is test that both
6051 * sides of the communication produce the same results for different
6052 * protocol versions.
6053 */
6054static int test_export_key_mat_early(int idx)
6055{
6056 static const char label[] = "test label";
6057 static const unsigned char context[] = "context";
6058 int testresult = 0;
6059 SSL_CTX *cctx = NULL, *sctx = NULL;
6060 SSL *clientssl = NULL, *serverssl = NULL;
6061 SSL_SESSION *sess = NULL;
6062 const unsigned char *emptycontext = NULL;
6063 unsigned char ckeymat1[80], ckeymat2[80];
6064 unsigned char skeymat1[80], skeymat2[80];
6065 unsigned char buf[1];
6066 size_t readbytes, written;
6067
6068 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6069 &sess, idx)))
6070 goto end;
6071
6072 /* Here writing 0 length early data is enough. */
6073 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6074 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6075 &readbytes),
6076 SSL_READ_EARLY_DATA_ERROR)
6077 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6078 SSL_EARLY_DATA_ACCEPTED))
6079 goto end;
6080
6081 if (!TEST_int_eq(SSL_export_keying_material_early(
6082 clientssl, ckeymat1, sizeof(ckeymat1), label,
6083 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6084 || !TEST_int_eq(SSL_export_keying_material_early(
6085 clientssl, ckeymat2, sizeof(ckeymat2), label,
6086 sizeof(label) - 1, emptycontext, 0), 1)
6087 || !TEST_int_eq(SSL_export_keying_material_early(
6088 serverssl, skeymat1, sizeof(skeymat1), label,
6089 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6090 || !TEST_int_eq(SSL_export_keying_material_early(
6091 serverssl, skeymat2, sizeof(skeymat2), label,
6092 sizeof(label) - 1, emptycontext, 0), 1)
6093 /*
6094 * Check that both sides created the same key material with the
6095 * same context.
6096 */
6097 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6098 sizeof(skeymat1))
6099 /*
6100 * Check that both sides created the same key material with an
6101 * empty context.
6102 */
6103 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6104 sizeof(skeymat2))
6105 /* Different contexts should produce different results */
6106 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6107 sizeof(ckeymat2)))
6108 goto end;
6109
6110 testresult = 1;
6111
6112 end:
c20e3b28 6113 SSL_SESSION_free(sess);
b38ede80
TT		 6114 SSL_SESSION_free(clientpsk);
6115 SSL_SESSION_free(serverpsk);
34ff74eb 6116 clientpsk = serverpsk = NULL;
b38ede80
TT		 6117 SSL_free(serverssl);
6118 SSL_free(clientssl);
6119 SSL_CTX_free(sctx);
6120 SSL_CTX_free(cctx);
6121
6122 return testresult;
6123}
3409a5ff
MC		 6124
6125#define NUM_KEY_UPDATE_MESSAGES 40
6126/*
6127 * Test KeyUpdate.
6128 */
6129static int test_key_update(void)
6130{
6131 SSL_CTX *cctx = NULL, *sctx = NULL;
6132 SSL *clientssl = NULL, *serverssl = NULL;
6133 int testresult = 0, i, j;
6134 char buf[20];
6135 static char *mess = "A test message";
6136
5e30f2fd 6137 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6138 TLS_client_method(),
6139 TLS1_3_VERSION,
6140 0,
6141 &sctx, &cctx, cert, privkey))
6142 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6143 NULL, NULL))
6144 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6145 SSL_ERROR_NONE)))
6146 goto end;
6147
6148 for (j = 0; j < 2; j++) {
6149 /* Send lots of KeyUpdate messages */
6150 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6151 if (!TEST_true(SSL_key_update(clientssl,
6152 (j == 0)
6153 ? SSL_KEY_UPDATE_NOT_REQUESTED
6154 : SSL_KEY_UPDATE_REQUESTED))
6155 || !TEST_true(SSL_do_handshake(clientssl)))
6156 goto end;
6157 }
6158
6159 /* Check that sending and receiving app data is ok */
6160 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6161 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6162 strlen(mess)))
6163 goto end;
a77b4dba
MC		 6164
6165 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6166 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6167 strlen(mess)))
6168 goto end;
3409a5ff
MC		 6169 }
6170
6171 testresult = 1;
6172
6173 end:
6174 SSL_free(serverssl);
6175 SSL_free(clientssl);
6176 SSL_CTX_free(sctx);
6177 SSL_CTX_free(cctx);
6178
6179 return testresult;
6180}
a77b4dba
MC		 6181
6182/*
0c48fda8 6183 * Test we can handle a KeyUpdate (update requested) message while
6184 * write data is pending in peer.
a77b4dba
MC		 6185 * Test 0: Client sends KeyUpdate while Server is writing
6186 * Test 1: Server sends KeyUpdate while Client is writing
6187 */
0c48fda8 6188static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6189{
6190 SSL_CTX *cctx = NULL, *sctx = NULL;
6191 SSL *clientssl = NULL, *serverssl = NULL;
6192 int testresult = 0;
6193 char buf[20];
6194 static char *mess = "A test message";
6195 BIO *bretry = BIO_new(bio_s_always_retry());
6196 BIO *tmp = NULL;
6197 SSL *peerupdate = NULL, *peerwrite = NULL;
6198
6199 if (!TEST_ptr(bretry)
5e30f2fd 6200 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6201 TLS_client_method(),
6202 TLS1_3_VERSION,
6203 0,
6204 &sctx, &cctx, cert, privkey))
6205 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6206 NULL, NULL))
6207 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6208 SSL_ERROR_NONE)))
6209 goto end;
6210
6211 peerupdate = tst == 0 ? clientssl : serverssl;
6212 peerwrite = tst == 0 ? serverssl : clientssl;
6213
6214 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6215 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6216 goto end;
6217
6218 /* Swap the writing endpoint's write BIO to force a retry */
6219 tmp = SSL_get_wbio(peerwrite);
6220 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6221 tmp = NULL;
6222 goto end;
6223 }
6224 SSL_set0_wbio(peerwrite, bretry);
6225 bretry = NULL;
6226
6227 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6228 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6229 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6230 goto end;
6231
6232 /* Reinstate the original writing endpoint's write BIO */
6233 SSL_set0_wbio(peerwrite, tmp);
6234 tmp = NULL;
6235
6236 /* Now read some data - we will read the key update */
6237 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6238 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6239 goto end;
6240
6241 /*
6242 * Complete the write we started previously and read it from the other
6243 * endpoint
6244 */
6245 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6246 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6247 goto end;
6248
6249 /* Write more data to ensure we send the KeyUpdate message back */
6250 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6251 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6252 goto end;
6253
6254 testresult = 1;
6255
6256 end:
6257 SSL_free(serverssl);
6258 SSL_free(clientssl);
6259 SSL_CTX_free(sctx);
6260 SSL_CTX_free(cctx);
6261 BIO_free(bretry);
6262 BIO_free(tmp);
6263
6264 return testresult;
6265}
0c48fda8 6266
6267/*
6268 * Test we can handle a KeyUpdate (update requested) message while
6269 * peer read data is pending after peer accepted keyupdate(the msg header
6270 * had been read 5 bytes).
6271 * Test 0: Client sends KeyUpdate while Server is reading
6272 * Test 1: Server sends KeyUpdate while Client is reading
6273 */
6274static int test_key_update_peer_in_read(int tst)
6275{
6276 SSL_CTX *cctx = NULL, *sctx = NULL;
6277 SSL *clientssl = NULL, *serverssl = NULL;
6278 int testresult = 0;
6279 char prbuf[515], lwbuf[515] = {0};
6280 static char *mess = "A test message";
6281 BIO *lbio = NULL, *pbio = NULL;
6282 SSL *local = NULL, *peer = NULL;
6283
6284 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6285 TLS_client_method(),
6286 TLS1_3_VERSION,
6287 0,
6288 &sctx, &cctx, cert, privkey))
6289 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6290 NULL, NULL))
6291 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6292 SSL_ERROR_NONE)))
6293 goto end;
6294
6295 local = tst == 0 ? clientssl : serverssl;
6296 peer = tst == 0 ? serverssl : clientssl;
6297
6298 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6299 goto end;
6300
6301 SSL_set_bio(local, lbio, lbio);
6302 SSL_set_bio(peer, pbio, pbio);
6303
6304 /*
6305 * we first write keyupdate msg then appdata in local
6306 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6307 * lwbuf app data msg size + key updata msg size > 512(the size of
6308 * the bio pair buffer)
6309 */
6310 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6311 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6312 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6313 goto end;
6314
6315 /*
6316 * first read keyupdate msg in peer in peer
6317 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6318 */
6319 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6320 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6321 goto end;
6322
6323 /* Now write some data in peer - we will write the key update */
6324 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6325 goto end;
6326
6327 /*
6328 * write data in local previously that we will complete
6329 * read data in peer previously that we will complete
6330 */
6331 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6332 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6333 goto end;
6334
6335 /* check that sending and receiving appdata ok */
6336 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6337 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6338 goto end;
6339
6340 testresult = 1;
6341
6342 end:
6343 SSL_free(serverssl);
6344 SSL_free(clientssl);
6345 SSL_CTX_free(sctx);
6346 SSL_CTX_free(cctx);
6347
6348 return testresult;
6349}
6350
6351/*
6352 * Test we can't send a KeyUpdate (update requested) message while
6353 * local write data is pending.
6354 * Test 0: Client sends KeyUpdate while Client is writing
6355 * Test 1: Server sends KeyUpdate while Server is writing
6356 */
6357static int test_key_update_local_in_write(int tst)
6358{
6359 SSL_CTX *cctx = NULL, *sctx = NULL;
6360 SSL *clientssl = NULL, *serverssl = NULL;
6361 int testresult = 0;
6362 char buf[20];
6363 static char *mess = "A test message";
6364 BIO *bretry = BIO_new(bio_s_always_retry());
6365 BIO *tmp = NULL;
6366 SSL *local = NULL, *peer = NULL;
6367
6368 if (!TEST_ptr(bretry)
6369 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6370 TLS_client_method(),
6371 TLS1_3_VERSION,
6372 0,
6373 &sctx, &cctx, cert, privkey))
6374 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6375 NULL, NULL))
6376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6377 SSL_ERROR_NONE)))
6378 goto end;
6379
6380 local = tst == 0 ? clientssl : serverssl;
6381 peer = tst == 0 ? serverssl : clientssl;
6382
6383 /* Swap the writing endpoint's write BIO to force a retry */
6384 tmp = SSL_get_wbio(local);
6385 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6386 tmp = NULL;
6387 goto end;
6388 }
6389 SSL_set0_wbio(local, bretry);
6390 bretry = NULL;
6391
6392 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6393 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6394 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6395 goto end;
6396
6397 /* Reinstate the original writing endpoint's write BIO */
6398 SSL_set0_wbio(local, tmp);
6399 tmp = NULL;
6400
6401 /* SSL_key_update will fail, because writing in local*/
6402 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6403 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6404 goto end;
6405
6406 ERR_clear_error();
6407 /* write data in local previously that we will complete */
6408 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6409 goto end;
6410
6411 /* SSL_key_update will succeed because there is no pending write data */
6412 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6413 || !TEST_int_eq(SSL_do_handshake(local), 1))
6414 goto end;
6415
6416 /*
6417 * we write some appdata in local
6418 * read data in peer - we will read the keyupdate msg
6419 */
6420 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6421 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6422 goto end;
6423
6424 /* Write more peer more data to ensure we send the keyupdate message back */
6425 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6426 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6427 goto end;
6428
6429 testresult = 1;
6430
6431 end:
6432 SSL_free(serverssl);
6433 SSL_free(clientssl);
6434 SSL_CTX_free(sctx);
6435 SSL_CTX_free(cctx);
6436 BIO_free(bretry);
6437 BIO_free(tmp);
6438
6439 return testresult;
6440}
6441
6442/*
6443 * Test we can handle a KeyUpdate (update requested) message while
6444 * local read data is pending(the msg header had been read 5 bytes).
6445 * Test 0: Client sends KeyUpdate while Client is reading
6446 * Test 1: Server sends KeyUpdate while Server is reading
6447 */
6448static int test_key_update_local_in_read(int tst)
6449{
6450 SSL_CTX *cctx = NULL, *sctx = NULL;
6451 SSL *clientssl = NULL, *serverssl = NULL;
6452 int testresult = 0;
6453 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6454 static char *mess = "A test message";
6455 BIO *lbio = NULL, *pbio = NULL;
6456 SSL *local = NULL, *peer = NULL;
6457
6458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6459 TLS_client_method(),
6460 TLS1_3_VERSION,
6461 0,
6462 &sctx, &cctx, cert, privkey))
6463 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6464 NULL, NULL))
6465 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6466 SSL_ERROR_NONE)))
6467 goto end;
6468
6469 local = tst == 0 ? clientssl : serverssl;
6470 peer = tst == 0 ? serverssl : clientssl;
6471
6472 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6473 goto end;
6474
6475 SSL_set_bio(local, lbio, lbio);
6476 SSL_set_bio(peer, pbio, pbio);
6477
6478 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6479 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6480 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6481 goto end;
6482
6483 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6484 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6485 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6486 goto end;
6487
6488 /* SSL_do_handshake will send keyupdate msg */
6489 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6490 || !TEST_int_eq(SSL_do_handshake(local), 1))
6491 goto end;
6492
6493 /*
6494 * write data in peer previously that we will complete
6495 * read data in local previously that we will complete
6496 */
6497 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6498 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6499 goto end;
6500
6501 /*
6502 * write data in local
6503 * read data in peer - we will read the key update
6504 */
6505 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6506 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6507 goto end;
6508
6509 /* Write more peer data to ensure we send the keyupdate message back */
6510 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6511 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6512 goto end;
6513
6514 testresult = 1;
6515
6516 end:
6517 SSL_free(serverssl);
6518 SSL_free(clientssl);
6519 SSL_CTX_free(sctx);
6520 SSL_CTX_free(cctx);
6521
6522 return testresult;
6523}
a763ca11 6524#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6525
e11b6aa4
MC		 6526static int test_ssl_clear(int idx)
6527{
6528 SSL_CTX *cctx = NULL, *sctx = NULL;
6529 SSL *clientssl = NULL, *serverssl = NULL;
6530 int testresult = 0;
6531
6532#ifdef OPENSSL_NO_TLS1_2
6533 if (idx == 1)
6534 return 1;
6535#endif
6536
6537 /* Create an initial connection */
5e30f2fd
MC		 6538 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6539 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6540 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6541 || (idx == 1
6542 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6543 TLS1_2_VERSION)))
6544 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6545 &clientssl, NULL, NULL))
6546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6547 SSL_ERROR_NONE)))
6548 goto end;
6549
6550 SSL_shutdown(clientssl);
6551 SSL_shutdown(serverssl);
6552 SSL_free(serverssl);
6553 serverssl = NULL;
6554
6555 /* Clear clientssl - we're going to reuse the object */
6556 if (!TEST_true(SSL_clear(clientssl)))
6557 goto end;
6558
6559 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6560 NULL, NULL))
6561 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6562 SSL_ERROR_NONE))
6563 || !TEST_true(SSL_session_reused(clientssl)))
6564 goto end;
6565
6566 SSL_shutdown(clientssl);
6567 SSL_shutdown(serverssl);
6568
6569 testresult = 1;
6570
6571 end:
6572 SSL_free(serverssl);
6573 SSL_free(clientssl);
6574 SSL_CTX_free(sctx);
6575 SSL_CTX_free(cctx);
6576
6577 return testresult;
6578}
6579
cf72c757
F		 6580/* Parse CH and retrieve any MFL extension value if present */
6581static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6582{
6583 long len;
6584 unsigned char *data;
72962d02 6585 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6586 unsigned int MFL_code = 0, type = 0;
6587
1287dabd 6588 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6589 goto end;
6590
72962d02
P		 6591 memset(&pkt, 0, sizeof(pkt));
6592 memset(&pkt2, 0, sizeof(pkt2));
6593 memset(&pkt3, 0, sizeof(pkt3));
6594
9ba18520 6595 if (!TEST_long_gt(len, 0)
1287dabd 6596 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6597 /* Skip the record header */
6598 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6599 /* Skip the handshake message header */
6600 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6601 /* Skip client version and random */
6602 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6603 + SSL3_RANDOM_SIZE))
6604 /* Skip session id */
6605 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6606 /* Skip ciphers */
6607 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6608 /* Skip compression */
6609 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6610 /* Extensions len */
6611 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6612 goto end;
6613
6614 /* Loop through all extensions */
6615 while (PACKET_remaining(&pkt2)) {
6616 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6617 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6618 goto end;
6619
6620 if (type == TLSEXT_TYPE_max_fragment_length) {
6621 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6622 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6623 goto end;
6624
6625 *mfl_codemfl_code = MFL_code;
6626 return 1;
6627 }
6628 }
6629
6630 end:
6631 return 0;
6632}
6633
6634/* Maximum-Fragment-Length TLS extension mode to test */
6635static const unsigned char max_fragment_len_test[] = {
6636 TLSEXT_max_fragment_length_512,
6637 TLSEXT_max_fragment_length_1024,
6638 TLSEXT_max_fragment_length_2048,
6639 TLSEXT_max_fragment_length_4096
6640};
6641
6642static int test_max_fragment_len_ext(int idx_tst)
6643{
a763ca11 6644 SSL_CTX *ctx = NULL;
cf72c757
F		 6645 SSL *con = NULL;
6646 int testresult = 0, MFL_mode = 0;
6647 BIO *rbio, *wbio;
6648
a763ca11
MC		 6649 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6650 TLS1_VERSION, 0, NULL, &ctx, NULL,
6651 NULL)))
6652 return 0;
cf72c757
F		 6653
6654 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6655 ctx, max_fragment_len_test[idx_tst])))
6656 goto end;
6657
6658 con = SSL_new(ctx);
6659 if (!TEST_ptr(con))
6660 goto end;
6661
6662 rbio = BIO_new(BIO_s_mem());
6663 wbio = BIO_new(BIO_s_mem());
6664 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6665 BIO_free(rbio);
6666 BIO_free(wbio);
6667 goto end;
6668 }
6669
6670 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6671
6672 if (!TEST_int_le(SSL_connect(con), 0)) {
6673 /* This shouldn't succeed because we don't have a server! */
6674 goto end;
6675 }
6676
6677 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6678 /* no MFL in client hello */
6679 goto end;
6680 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6681 goto end;
6682
6683 testresult = 1;
6684
6685end:
6686 SSL_free(con);
6687 SSL_CTX_free(ctx);
6688
6689 return testresult;
6690}
6691
a763ca11 6692#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6693static int test_pha_key_update(void)
6694{
6695 SSL_CTX *cctx = NULL, *sctx = NULL;
6696 SSL *clientssl = NULL, *serverssl = NULL;
6697 int testresult = 0;
6698
5e30f2fd
MC		 6699 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6700 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6701 &sctx, &cctx, cert, privkey)))
6702 return 0;
6703
6704 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6705 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6706 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6707 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6708 goto end;
6709
e97be718 6710 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6711
6712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6713 NULL, NULL)))
6714 goto end;
6715
9d75dce3
TS		 6716 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6717 SSL_ERROR_NONE)))
6718 goto end;
6719
6720 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6721 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6722 goto end;
6723
6724 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6725 goto end;
6726
6727 /* Start handshake on the server */
6728 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6729 goto end;
6730
6731 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6732 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6733 SSL_ERROR_NONE)))
6734 goto end;
6735
6736 SSL_shutdown(clientssl);
6737 SSL_shutdown(serverssl);
6738
6739 testresult = 1;
6740
6741 end:
6742 SSL_free(serverssl);
6743 SSL_free(clientssl);
6744 SSL_CTX_free(sctx);
6745 SSL_CTX_free(cctx);
6746 return testresult;
6747}
6748#endif
6749
76fd7a1d
MC		 6750#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6751
6752static SRP_VBASE *vbase = NULL;
6753
6754static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6755{
6756 int ret = SSL3_AL_FATAL;
6757 char *username;
6758 SRP_user_pwd *user = NULL;
6759
6760 username = SSL_get_srp_username(s);
6761 if (username == NULL) {
6762 *ad = SSL_AD_INTERNAL_ERROR;
6763 goto err;
6764 }
6765
6766 user = SRP_VBASE_get1_by_user(vbase, username);
6767 if (user == NULL) {
6768 *ad = SSL_AD_INTERNAL_ERROR;
6769 goto err;
6770 }
6771
6772 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6773 user->info) <= 0) {
6774 *ad = SSL_AD_INTERNAL_ERROR;
6775 goto err;
6776 }
6777
6778 ret = 0;
6779
6780 err:
6781 SRP_user_pwd_free(user);
6782 return ret;
6783}
6784
6785static int create_new_vfile(char *userid, char *password, const char *filename)
6786{
6787 char *gNid = NULL;
6788 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6789 TXT_DB *db = NULL;
6790 int ret = 0;
6791 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6792 size_t i;
6793
6794 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6795 goto end;
6796
20c00d0a 6797 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6798 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6799 if (!TEST_ptr(gNid))
6800 goto end;
6801
6802 /*
6803 * The only way to create an empty TXT_DB is to provide a BIO with no data
6804 * in it!
6805 */
6806 db = TXT_DB_read(dummy, DB_NUMBER);
6807 if (!TEST_ptr(db))
6808 goto end;
6809
6810 out = BIO_new_file(filename, "w");
6811 if (!TEST_ptr(out))
6812 goto end;
6813
6814 row[DB_srpid] = OPENSSL_strdup(userid);
6815 row[DB_srptype] = OPENSSL_strdup("V");
6816 row[DB_srpgN] = OPENSSL_strdup(gNid);
6817
6818 if (!TEST_ptr(row[DB_srpid])
6819 || !TEST_ptr(row[DB_srptype])
6820 || !TEST_ptr(row[DB_srpgN])
6821 || !TEST_true(TXT_DB_insert(db, row)))
6822 goto end;
6823
6824 row = NULL;
6825
aba9943f 6826 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 6827 goto end;
6828
6829 ret = 1;
6830 end:
6831 if (row != NULL) {
6832 for (i = 0; i < DB_NUMBER; i++)
6833 OPENSSL_free(row[i]);
6834 }
6835 OPENSSL_free(row);
6836 BIO_free(dummy);
6837 BIO_free(out);
6838 TXT_DB_free(db);
6839
6840 return ret;
6841}
6842
6843static int create_new_vbase(char *userid, char *password)
6844{
6845 BIGNUM *verifier = NULL, *salt = NULL;
6846 const SRP_gN *lgN = NULL;
6847 SRP_user_pwd *user_pwd = NULL;
6848 int ret = 0;
6849
6850 lgN = SRP_get_default_gN(NULL);
6851 if (!TEST_ptr(lgN))
6852 goto end;
6853
20c00d0a 6854 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6855 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6856 goto end;
6857
6858 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6859 if (!TEST_ptr(user_pwd))
6860 goto end;
6861
6862 user_pwd->N = lgN->N;
6863 user_pwd->g = lgN->g;
6864 user_pwd->id = OPENSSL_strdup(userid);
6865 if (!TEST_ptr(user_pwd->id))
6866 goto end;
6867
6868 user_pwd->v = verifier;
6869 user_pwd->s = salt;
6870 verifier = salt = NULL;
6871
6872 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6873 goto end;
6874 user_pwd = NULL;
6875
6876 ret = 1;
6877end:
6878 SRP_user_pwd_free(user_pwd);
6879 BN_free(salt);
6880 BN_free(verifier);
6881
6882 return ret;
6883}
6884
6885/*
6886 * SRP tests
6887 *
6888 * Test 0: Simple successful SRP connection, new vbase
6889 * Test 1: Connection failure due to bad password, new vbase
6890 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6891 * Test 3: Connection failure due to bad password, vbase loaded from existing
6892 * file
6893 * Test 4: Simple successful SRP connection, vbase loaded from new file
6894 * Test 5: Connection failure due to bad password, vbase loaded from new file
6895 */
6896static int test_srp(int tst)
6897{
6898 char *userid = "test", *password = "password", *tstsrpfile;
6899 SSL_CTX *cctx = NULL, *sctx = NULL;
6900 SSL *clientssl = NULL, *serverssl = NULL;
6901 int ret, testresult = 0;
6902
6903 vbase = SRP_VBASE_new(NULL);
6904 if (!TEST_ptr(vbase))
6905 goto end;
6906
6907 if (tst == 0 || tst == 1) {
6908 if (!TEST_true(create_new_vbase(userid, password)))
6909 goto end;
6910 } else {
6911 if (tst == 4 || tst == 5) {
6912 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6913 goto end;
6914 tstsrpfile = tmpfilename;
6915 } else {
6916 tstsrpfile = srpvfile;
6917 }
6918 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6919 goto end;
6920 }
6921
5e30f2fd
MC		 6922 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6923 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6924 &sctx, &cctx, cert, privkey)))
6925 goto end;
6926
6927 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6928 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6929 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6930 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6931 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6932 goto end;
6933
6934 if (tst % 2 == 1) {
6935 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6936 goto end;
6937 } else {
6938 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6939 goto end;
6940 }
6941
6942 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6943 NULL, NULL)))
6944 goto end;
6945
6946 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6947 if (ret) {
6948 if (!TEST_true(tst % 2 == 0))
6949 goto end;
6950 } else {
6951 if (!TEST_true(tst % 2 == 1))
6952 goto end;
6953 }
6954
6955 testresult = 1;
6956
6957 end:
6958 SRP_VBASE_free(vbase);
6959 vbase = NULL;
6960 SSL_free(serverssl);
6961 SSL_free(clientssl);
6962 SSL_CTX_free(sctx);
6963 SSL_CTX_free(cctx);
6964
6965 return testresult;
6966}
6967#endif
6968
5718fe45
MC		 6969static int info_cb_failed = 0;
6970static int info_cb_offset = 0;
6971static int info_cb_this_state = -1;
6972
6973static struct info_cb_states_st {
6974 int where;
6975 const char *statestr;
6976} info_cb_states[][60] = {
6977 {
6978 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 6979 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
6980 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 6981 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6982 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6983 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6984 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6985 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6986 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 6987 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 6988 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6989 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6990 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6991 {SSL_CB_EXIT, NULL}, {0, NULL},
6992 }, {
6993 /* TLSv1.2 client followed by resumption */
e0f69c35 6994 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 6995 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6996 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6997 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6998 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6999 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7000 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7001 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7002 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7003 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7004 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7005 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7006 }, {
7007 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7008 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7009 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7010 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7011 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7012 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7013 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7014 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7015 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7016 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7017 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7018 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7019 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7020 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7021 }, {
7022 /* TLSv1.3 client followed by resumption */
e0f69c35 7023 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7024 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7025 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7026 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7027 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7028 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7029 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7030 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7031 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7032 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7033 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7034 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7035 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7036 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7037 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7038 }, {
7039 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7040 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7041 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7042 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7043 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7044 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7045 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7046 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7047 {SSL_CB_EXIT, NULL}, {0, NULL},
7048 }, {
7049 /* TLSv1.3 client, early_data */
e0f69c35 7050 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7051 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7052 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7053 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7054 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7055 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7056 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7057 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7058 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7059 }, {
7060 {0, NULL},
7061 }
7062};
7063
7064static void sslapi_info_callback(const SSL *s, int where, int ret)
7065{
7066 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7067
7068 /* We do not ever expect a connection to fail in this test */
7069 if (!TEST_false(ret == 0)) {
7070 info_cb_failed = 1;
7071 return;
7072 }
7073
7074 /*
7075 * Do some sanity checks. We never expect these things to happen in this
7076 * test
7077 */
7078 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7079 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7080 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7081 info_cb_failed = 1;
7082 return;
7083 }
7084
7085 /* Now check we're in the right state */
7086 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7087 info_cb_failed = 1;
7088 return;
7089 }
7090 if ((where & SSL_CB_LOOP) != 0
7091 && !TEST_int_eq(strcmp(SSL_state_string(s),
7092 state[info_cb_this_state].statestr), 0)) {
7093 info_cb_failed = 1;
7094 return;
7095 }
033c181b 7096
4af5836b
MC		 7097 /*
7098 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7099 */
7100 if ((where & SSL_CB_HANDSHAKE_DONE)
7101 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7102 info_cb_failed = 1;
7103 return;
7104 }
5718fe45
MC		 7105}
7106
7107/*
7108 * Test the info callback gets called when we expect it to.
7109 *
7110 * Test 0: TLSv1.2, server
7111 * Test 1: TLSv1.2, client
7112 * Test 2: TLSv1.3, server
7113 * Test 3: TLSv1.3, client
7114 * Test 4: TLSv1.3, server, early_data
7115 * Test 5: TLSv1.3, client, early_data
7116 */
7117static int test_info_callback(int tst)
7118{
7119 SSL_CTX *cctx = NULL, *sctx = NULL;
7120 SSL *clientssl = NULL, *serverssl = NULL;
7121 SSL_SESSION *clntsess = NULL;
7122 int testresult = 0;
7123 int tlsvers;
7124
7125 if (tst < 2) {
1aac20f5
MC		 7126/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7127#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7128 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7129 tlsvers = TLS1_2_VERSION;
7130#else
7131 return 1;
7132#endif
7133 } else {
a763ca11 7134#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7135 tlsvers = TLS1_3_VERSION;
7136#else
7137 return 1;
7138#endif
7139 }
7140
7141 /* Reset globals */
7142 info_cb_failed = 0;
7143 info_cb_this_state = -1;
7144 info_cb_offset = tst;
7145
a763ca11 7146#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7147 if (tst >= 4) {
7148 SSL_SESSION *sess = NULL;
7149 size_t written, readbytes;
7150 unsigned char buf[80];
7151
7152 /* early_data tests */
7153 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7154 &serverssl, &sess, 0)))
7155 goto end;
7156
7157 /* We don't actually need this reference */
7158 SSL_SESSION_free(sess);
7159
7160 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7161 sslapi_info_callback);
7162
7163 /* Write and read some early data and then complete the connection */
7164 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7165 &written))
7166 || !TEST_size_t_eq(written, strlen(MSG1))
7167 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7168 sizeof(buf), &readbytes),
7169 SSL_READ_EARLY_DATA_SUCCESS)
7170 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7171 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7172 SSL_EARLY_DATA_ACCEPTED)
7173 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7174 SSL_ERROR_NONE))
7175 || !TEST_false(info_cb_failed))
7176 goto end;
7177
7178 testresult = 1;
7179 goto end;
7180 }
6e07834c 7181#endif
5718fe45 7182
5e30f2fd 7183 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7184 TLS_client_method(),
7185 tlsvers, tlsvers, &sctx, &cctx, cert,
7186 privkey)))
7187 goto end;
7188
33c39a06
MC		 7189 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7190 goto end;
7191
5718fe45
MC		 7192 /*
7193 * For even numbered tests we check the server callbacks. For odd numbers we
7194 * check the client.
7195 */
7196 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7197 sslapi_info_callback);
7198
7199 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7200 &clientssl, NULL, NULL))
7201 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7202 SSL_ERROR_NONE))
7203 || !TEST_false(info_cb_failed))
7204 goto end;
7205
7206
7207
7208 clntsess = SSL_get1_session(clientssl);
7209 SSL_shutdown(clientssl);
7210 SSL_shutdown(serverssl);
7211 SSL_free(serverssl);
7212 SSL_free(clientssl);
7213 serverssl = clientssl = NULL;
7214
7215 /* Now do a resumption */
7216 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7217 NULL))
7218 || !TEST_true(SSL_set_session(clientssl, clntsess))
7219 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7220 SSL_ERROR_NONE))
7221 || !TEST_true(SSL_session_reused(clientssl))
7222 || !TEST_false(info_cb_failed))
7223 goto end;
7224
7225 testresult = 1;
7226
7227 end:
7228 SSL_free(serverssl);
7229 SSL_free(clientssl);
7230 SSL_SESSION_free(clntsess);
7231 SSL_CTX_free(sctx);
7232 SSL_CTX_free(cctx);
7233 return testresult;
7234}
7235
4a432af8
MC		 7236static int test_ssl_pending(int tst)
7237{
7238 SSL_CTX *cctx = NULL, *sctx = NULL;
7239 SSL *clientssl = NULL, *serverssl = NULL;
7240 int testresult = 0;
7241 char msg[] = "A test message";
7242 char buf[5];
7243 size_t written, readbytes;
7244
7245 if (tst == 0) {
5e30f2fd 7246 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7247 TLS_client_method(),
5c587fb6 7248 TLS1_VERSION, 0,
4a432af8
MC		 7249 &sctx, &cctx, cert, privkey)))
7250 goto end;
7251 } else {
7252#ifndef OPENSSL_NO_DTLS
5e30f2fd 7253 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7254 DTLS_client_method(),
5c587fb6 7255 DTLS1_VERSION, 0,
4a432af8
MC		 7256 &sctx, &cctx, cert, privkey)))
7257 goto end;
8ce390e1
MC		 7258
7259# ifdef OPENSSL_NO_DTLS1_2
7260 /* Not supported in the FIPS provider */
7261 if (is_fips) {
7262 testresult = 1;
7263 goto end;
7264 };
7265 /*
7266 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7267 * level 0
7268 */
7269 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7270 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7271 "DEFAULT:@SECLEVEL=0")))
7272 goto end;
7273# endif
4a432af8
MC		 7274#else
7275 return 1;
7276#endif
7277 }
7278
7279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7280 NULL, NULL))
7281 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7282 SSL_ERROR_NONE)))
7283 goto end;
7284
e8251092
MC		 7285 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7286 || !TEST_false(SSL_has_pending(clientssl))
7287 || !TEST_int_eq(SSL_pending(serverssl), 0)
7288 || !TEST_false(SSL_has_pending(serverssl))
7289 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7290 || !TEST_size_t_eq(written, sizeof(msg))
7291 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7292 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7293 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7294 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7295 goto end;
7296
7297 testresult = 1;
7298
7299 end:
7300 SSL_free(serverssl);
7301 SSL_free(clientssl);
7302 SSL_CTX_free(sctx);
7303 SSL_CTX_free(cctx);
7304
7305 return testresult;
7306}
7307
e401389a
MC		 7308static struct {
7309 unsigned int maxprot;
7310 const char *clntciphers;
7311 const char *clnttls13ciphers;
7312 const char *srvrciphers;
7313 const char *srvrtls13ciphers;
7314 const char *shared;
a96e6c34 7315 const char *fipsshared;
e401389a 7316} shared_ciphers_data[] = {
60155b9a
MC		 7317/*
7318 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7319 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7320 */
a763ca11 7321#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7322 {
7323 TLS1_2_VERSION,
7324 "AES128-SHA:AES256-SHA",
7325 NULL,
7326 "AES256-SHA:DHE-RSA-AES128-SHA",
7327 NULL,
a96e6c34 7328 "AES256-SHA",
e401389a
MC		 7329 "AES256-SHA"
7330 },
a96e6c34
MC		 7331# if !defined(OPENSSL_NO_CHACHA) \
7332 && !defined(OPENSSL_NO_POLY1305) \
7333 && !defined(OPENSSL_NO_EC)
7334 {
7335 TLS1_2_VERSION,
7336 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7337 NULL,
7338 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7339 NULL,
7340 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7341 "AES128-SHA"
7342 },
7343# endif
e401389a
MC		 7344 {
7345 TLS1_2_VERSION,
7346 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7347 NULL,
7348 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7349 NULL,
a96e6c34 7350 "AES128-SHA:AES256-SHA",
e401389a
MC		 7351 "AES128-SHA:AES256-SHA"
7352 },
7353 {
7354 TLS1_2_VERSION,
7355 "AES128-SHA:AES256-SHA",
7356 NULL,
7357 "AES128-SHA:DHE-RSA-AES128-SHA",
7358 NULL,
a96e6c34 7359 "AES128-SHA",
e401389a
MC		 7360 "AES128-SHA"
7361 },
60155b9a
MC		 7362#endif
7363/*
7364 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7365 * enabled.
7366 */
a763ca11 7367#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7368 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7369 {
7370 TLS1_3_VERSION,
7371 "AES128-SHA:AES256-SHA",
7372 NULL,
7373 "AES256-SHA:AES128-SHA256",
7374 NULL,
7375 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7376 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7377 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7378 },
60155b9a 7379#endif
a763ca11 7380#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7381 {
7382 TLS1_3_VERSION,
7383 "AES128-SHA",
7384 "TLS_AES_256_GCM_SHA384",
7385 "AES256-SHA",
7386 "TLS_AES_256_GCM_SHA384",
a96e6c34 7387 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7388 "TLS_AES_256_GCM_SHA384"
7389 },
7390#endif
7391};
7392
a96e6c34 7393static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7394{
7395 SSL_CTX *cctx = NULL, *sctx = NULL;
7396 SSL *clientssl = NULL, *serverssl = NULL;
7397 int testresult = 0;
7398 char buf[1024];
b4250010 7399 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7400
7401 if (!TEST_ptr(tmplibctx))
7402 goto end;
7403
7404 /*
7405 * Regardless of whether we're testing with the FIPS provider loaded into
7406 * libctx, we want one peer to always use the full set of ciphersuites
7407 * available. Therefore we use a separate libctx with the default provider
7408 * loaded into it. We run the same tests twice - once with the client side
7409 * having the full set of ciphersuites and once with the server side.
7410 */
7411 if (clnt) {
d8652be0 7412 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7413 if (!TEST_ptr(cctx))
7414 goto end;
7415 } else {
d8652be0 7416 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7417 if (!TEST_ptr(sctx))
7418 goto end;
7419 }
e401389a 7420
5e30f2fd 7421 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7422 TLS_client_method(),
7423 TLS1_VERSION,
7424 shared_ciphers_data[tst].maxprot,
7425 &sctx, &cctx, cert, privkey)))
7426 goto end;
7427
7428 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7429 shared_ciphers_data[tst].clntciphers))
7430 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7431 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7432 shared_ciphers_data[tst].clnttls13ciphers)))
7433 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7434 shared_ciphers_data[tst].srvrciphers))
7435 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7436 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7437 shared_ciphers_data[tst].srvrtls13ciphers))))
7438 goto end;
7439
7440
7441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7442 NULL, NULL))
7443 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7444 SSL_ERROR_NONE)))
7445 goto end;
7446
7447 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7448 || !TEST_int_eq(strcmp(buf,
7449 is_fips
7450 ? shared_ciphers_data[tst].fipsshared
7451 : shared_ciphers_data[tst].shared),
7452 0)) {
e401389a
MC		 7453 TEST_info("Shared ciphers are: %s\n", buf);
7454 goto end;
7455 }
7456
7457 testresult = 1;
7458
7459 end:
7460 SSL_free(serverssl);
7461 SSL_free(clientssl);
7462 SSL_CTX_free(sctx);
7463 SSL_CTX_free(cctx);
b4250010 7464 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7465
7466 return testresult;
7467}
7468
a96e6c34
MC		 7469static int test_ssl_get_shared_ciphers(int tst)
7470{
7471 return int_test_ssl_get_shared_ciphers(tst, 0)
7472 && int_test_ssl_get_shared_ciphers(tst, 1);
7473}
7474
7475
d0191fe0 7476static const char *appdata = "Hello World";
61fb5923
MC		 7477static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7478static int tick_key_renew = 0;
7479static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7480
7481static int gen_tick_cb(SSL *s, void *arg)
7482{
7483 gen_tick_called = 1;
7484
7485 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7486 strlen(appdata));
7487}
7488
7489static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7490 const unsigned char *keyname,
7491 size_t keyname_length,
61fb5923
MC		 7492 SSL_TICKET_STATUS status,
7493 void *arg)
d0191fe0
MC		 7494{
7495 void *tickdata;
7496 size_t tickdlen;
7497
7498 dec_tick_called = 1;
7499
61fb5923
MC		 7500 if (status == SSL_TICKET_EMPTY)
7501 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7502
61fb5923
MC		 7503 if (!TEST_true(status == SSL_TICKET_SUCCESS
7504 || status == SSL_TICKET_SUCCESS_RENEW))
7505 return SSL_TICKET_RETURN_ABORT;
7506
7507 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7508 &tickdlen))
d0191fe0
MC		 7509 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7510 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7511 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7512
61fb5923
MC		 7513 if (tick_key_cb_called) {
7514 /* Don't change what the ticket key callback wanted to do */
7515 switch (status) {
7516 case SSL_TICKET_NO_DECRYPT:
7517 return SSL_TICKET_RETURN_IGNORE_RENEW;
7518
7519 case SSL_TICKET_SUCCESS:
7520 return SSL_TICKET_RETURN_USE;
d0191fe0 7521
61fb5923
MC		 7522 case SSL_TICKET_SUCCESS_RENEW:
7523 return SSL_TICKET_RETURN_USE_RENEW;
7524
7525 default:
7526 return SSL_TICKET_RETURN_ABORT;
7527 }
7528 }
7529 return tick_dec_ret;
7530
7531}
d0191fe0 7532
a76ce286 7533#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7534static int tick_key_cb(SSL *s, unsigned char key_name[16],
7535 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7536 HMAC_CTX *hctx, int enc)
7537{
7538 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7539 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 7540 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7541 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7542 int ret;
d0191fe0 7543
61fb5923 7544 tick_key_cb_called = 1;
d0191fe0
MC		 7545 memset(iv, 0, AES_BLOCK_SIZE);
7546 memset(key_name, 0, 16);
5e30f2fd
MC		 7547 if (aes128cbc == NULL
7548 || sha256 == NULL
7549 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7550 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7551 NULL))
7552 ret = -1;
7553 else
7554 ret = tick_key_renew ? 2 : 1;
d0191fe0 7555
5e30f2fd
MC		 7556 EVP_CIPHER_free(aes128cbc);
7557 EVP_MD_free(sha256);
7558
7559 return ret;
d0191fe0 7560}
a76ce286
P		 7561#endif
7562
7563static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7564 unsigned char iv[EVP_MAX_IV_LENGTH],
7565 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7566{
7567 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7568 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7569 OSSL_PARAM params[2];
5e30f2fd
MC		 7570 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7571 int ret;
a76ce286
P		 7572
7573 tick_key_cb_called = 1;
7574 memset(iv, 0, AES_BLOCK_SIZE);
7575 memset(key_name, 0, 16);
7576 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7577 "SHA256", 0);
77e4ae58 7578 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7579 if (aes128cbc == NULL
7580 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7581 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7582 params))
5e30f2fd
MC		 7583 ret = -1;
7584 else
7585 ret = tick_key_renew ? 2 : 1;
7586
7587 EVP_CIPHER_free(aes128cbc);
a76ce286 7588
5e30f2fd 7589 return ret;
a76ce286 7590}
d0191fe0
MC		 7591
7592/*
7593 * Test the various ticket callbacks
61fb5923
MC		 7594 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7595 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7596 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7597 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7598 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7599 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7600 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7601 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7602 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7603 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7604 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7605 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7606 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7607 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7608 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7609 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 7610 */
7611static int test_ticket_callbacks(int tst)
7612{
7613 SSL_CTX *cctx = NULL, *sctx = NULL;
7614 SSL *clientssl = NULL, *serverssl = NULL;
7615 SSL_SESSION *clntsess = NULL;
7616 int testresult = 0;
7617
7618#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7619 if (tst % 2 == 0)
d0191fe0
MC		 7620 return 1;
7621#endif
a763ca11 7622#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7623 if (tst % 2 == 1)
d0191fe0
MC		 7624 return 1;
7625#endif
a76ce286
P		 7626#ifdef OPENSSL_NO_DEPRECATED_3_0
7627 if (tst >= 8 && tst <= 11)
7628 return 1;
7629#endif
d0191fe0 7630
61fb5923 7631 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7632
7633 /* Which tests the ticket key callback should request renewal for */
a76ce286 7634 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 7635 tick_key_renew = 1;
d0191fe0 7636 else
61fb5923
MC		 7637 tick_key_renew = 0;
7638
7639 /* Which tests the decrypt ticket callback should request renewal for */
7640 switch (tst) {
7641 case 0:
7642 case 1:
7643 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7644 break;
7645
7646 case 2:
7647 case 3:
7648 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7649 break;
7650
7651 case 4:
7652 case 5:
7653 tick_dec_ret = SSL_TICKET_RETURN_USE;
7654 break;
7655
7656 case 6:
7657 case 7:
7658 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7659 break;
7660
7661 default:
7662 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7663 }
d0191fe0 7664
5e30f2fd 7665 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7666 TLS_client_method(),
7667 TLS1_VERSION,
61fb5923
MC		 7668 ((tst % 2) == 0) ? TLS1_2_VERSION
7669 : TLS1_3_VERSION,
d0191fe0
MC		 7670 &sctx, &cctx, cert, privkey)))
7671 goto end;
7672
61fb5923
MC		 7673 /*
7674 * We only want sessions to resume from tickets - not the session cache. So
7675 * switch the cache off.
7676 */
7677 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7678 goto end;
7679
d0191fe0
MC		 7680 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7681 NULL)))
7682 goto end;
7683
a76ce286
P		 7684 if (tst >= 12) {
7685 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7686 goto end;
7687#ifndef OPENSSL_NO_DEPRECATED_3_0
7688 } else if (tst >= 8) {
7689 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7690 goto end;
7691#endif
7692 }
d0191fe0
MC		 7693
7694 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7695 NULL, NULL))
7696 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7697 SSL_ERROR_NONE)))
7698 goto end;
7699
61fb5923
MC		 7700 /*
7701 * The decrypt ticket key callback in TLSv1.2 should be called even though
7702 * we have no ticket yet, because it gets called with a status of
7703 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7704 * actually send any ticket data). This does not happen in TLSv1.3 because
7705 * it is not valid to send empty ticket data in TLSv1.3.
7706 */
d0191fe0 7707 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7708 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7709 goto end;
7710
7711 gen_tick_called = dec_tick_called = 0;
7712
7713 clntsess = SSL_get1_session(clientssl);
7714 SSL_shutdown(clientssl);
7715 SSL_shutdown(serverssl);
7716 SSL_free(serverssl);
7717 SSL_free(clientssl);
7718 serverssl = clientssl = NULL;
7719
7720 /* Now do a resumption */
7721 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7722 NULL))
7723 || !TEST_true(SSL_set_session(clientssl, clntsess))
7724 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7725 SSL_ERROR_NONE)))
d0191fe0
MC		 7726 goto end;
7727
61fb5923
MC		 7728 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7729 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7730 if (!TEST_false(SSL_session_reused(clientssl)))
7731 goto end;
7732 } else {
7733 if (!TEST_true(SSL_session_reused(clientssl)))
7734 goto end;
7735 }
7736
d0191fe0 7737 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7738 (tick_key_renew
7739 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7740 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7741 ? 1 : 0)
d0191fe0
MC		 7742 || !TEST_int_eq(dec_tick_called, 1))
7743 goto end;
7744
7745 testresult = 1;
7746
7747 end:
7748 SSL_SESSION_free(clntsess);
7749 SSL_free(serverssl);
7750 SSL_free(clientssl);
7751 SSL_CTX_free(sctx);
7752 SSL_CTX_free(cctx);
7753
7754 return testresult;
7755}
7756
e638112e
DB		 7757/*
7758 * Test incorrect shutdown.
7759 * Test 0: client does not shutdown properly,
7760 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7761 * server should get SSL_ERROR_SSL
7762 * Test 1: client does not shutdown properly,
7763 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7764 * server should get SSL_ERROR_ZERO_RETURN
7765 */
7766static int test_incorrect_shutdown(int tst)
7767{
7768 SSL_CTX *cctx = NULL, *sctx = NULL;
7769 SSL *clientssl = NULL, *serverssl = NULL;
7770 int testresult = 0;
7771 char buf[80];
7772 BIO *c2s;
7773
7774 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7775 TLS_client_method(), 0, 0,
7776 &sctx, &cctx, cert, privkey)))
7777 goto end;
7778
7779 if (tst == 1)
7780 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7781
7782 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7783 NULL, NULL)))
7784 goto end;
7785
7786 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7787 SSL_ERROR_NONE)))
7788 goto end;
7789
7790 c2s = SSL_get_rbio(serverssl);
7791 BIO_set_mem_eof_return(c2s, 0);
7792
7793 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7794 goto end;
7795
7796 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7797 goto end;
7798 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7799 goto end;
7800
7801 testresult = 1;
7802
7803 end:
7804 SSL_free(serverssl);
7805 SSL_free(clientssl);
7806 SSL_CTX_free(sctx);
7807 SSL_CTX_free(cctx);
7808
7809 return testresult;
7810}
7811
c748834f
MC		 7812/*
7813 * Test bi-directional shutdown.
7814 * Test 0: TLSv1.2
7815 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7816 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7817 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7818 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7819 * sends key update, client reads it
57d7b988
MC		 7820 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7821 * sends CertificateRequest, client reads and ignores it
7822 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7823 * doesn't read it
7824 */
7825static int test_shutdown(int tst)
7826{
7827 SSL_CTX *cctx = NULL, *sctx = NULL;
7828 SSL *clientssl = NULL, *serverssl = NULL;
7829 int testresult = 0;
7830 char msg[] = "A test message";
7831 char buf[80];
7832 size_t written, readbytes;
80eff008 7833 SSL_SESSION *sess;
c748834f
MC		 7834
7835#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7836 if (tst <= 1)
c748834f
MC		 7837 return 1;
7838#endif
a763ca11 7839#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7840 if (tst >= 2)
c748834f
MC		 7841 return 1;
7842#endif
7843
5e30f2fd 7844 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7845 TLS_client_method(),
7846 TLS1_VERSION,
7847 (tst <= 1) ? TLS1_2_VERSION
7848 : TLS1_3_VERSION,
57d7b988
MC		 7849 &sctx, &cctx, cert, privkey)))
7850 goto end;
7851
7852 if (tst == 5)
7853 SSL_CTX_set_post_handshake_auth(cctx, 1);
7854
7855 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7856 NULL, NULL)))
7857 goto end;
7858
7859 if (tst == 3) {
7860 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7861 SSL_ERROR_NONE, 1))
80eff008
KR		 7862 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7863 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7864 goto end;
7865 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7866 SSL_ERROR_NONE))
7867 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7868 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7869 goto end;
7870 }
7871
7872 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7873 goto end;
7874
7875 if (tst >= 4) {
7876 /*
7877 * Reading on the server after the client has sent close_notify should
7878 * fail and provide SSL_ERROR_ZERO_RETURN
7879 */
7880 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7881 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7882 SSL_ERROR_ZERO_RETURN)
7883 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7884 SSL_RECEIVED_SHUTDOWN)
7885 /*
7886 * Even though we're shutdown on receive we should still be
7887 * able to write.
7888 */
80eff008
KR		 7889 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7890 goto end;
57d7b988
MC		 7891 if (tst == 4
7892 && !TEST_true(SSL_key_update(serverssl,
7893 SSL_KEY_UPDATE_REQUESTED)))
7894 goto end;
7895 if (tst == 5) {
7896 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7897 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7898 goto end;
7899 }
7900 if ((tst == 4 || tst == 5)
7901 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7902 goto end;
7903 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7904 goto end;
57d7b988 7905 if (tst == 4 || tst == 5) {
80eff008 7906 /* Should still be able to read data from server */
c748834f 7907 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7908 &readbytes))
7909 || !TEST_size_t_eq(readbytes, sizeof(msg))
7910 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7911 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7912 &readbytes))
c748834f
MC		 7913 || !TEST_size_t_eq(readbytes, sizeof(msg))
7914 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7915 goto end;
7916 }
7917 }
7918
7919 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7920 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7921 goto end;
7922
7923 if (tst < 4) {
7924 /*
7925 * For these tests the client has sent close_notify but it has not yet
7926 * been received by the server. The server has not sent close_notify
7927 * yet.
7928 */
7929 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7930 /*
7931 * Writing on the server after sending close_notify shouldn't
7932 * be possible.
7933 */
7934 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7935 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7936 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7937 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7938 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7939 goto end;
57d7b988 7940 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7941 /*
7942 * In this test the client has sent close_notify and it has been
7943 * received by the server which has responded with a close_notify. The
358ffa05 7944 * client needs to read the close_notify sent by the server.
c748834f 7945 */
80eff008
KR		 7946 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7947 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7948 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7949 goto end;
358ffa05
MC		 7950 } else {
7951 /*
57d7b988 7952 * tst == 6
358ffa05
MC		 7953 *
7954 * The client has sent close_notify and is expecting a close_notify
7955 * back, but instead there is application data first. The shutdown
7956 * should fail with a fatal error.
7957 */
7958 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7959 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7960 goto end;
c748834f
MC		 7961 }
7962
7963 testresult = 1;
7964
7965 end:
7966 SSL_free(serverssl);
7967 SSL_free(clientssl);
7968 SSL_CTX_free(sctx);
7969 SSL_CTX_free(cctx);
7970
7971 return testresult;
7972}
7973
a763ca11 7974#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 7975static int cert_cb_cnt;
7976
7977static int cert_cb(SSL *s, void *arg)
7978{
7979 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7980 BIO *in = NULL;
7981 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7982 X509 *x509 = NULL, *rootx = NULL;
7983 STACK_OF(X509) *chain = NULL;
7984 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7985 int ret = 0;
cd6fe29f
MC		 7986
7987 if (cert_cb_cnt == 0) {
7988 /* Suspend the handshake */
7989 cert_cb_cnt++;
7990 return -1;
7991 } else if (cert_cb_cnt == 1) {
7992 /*
7993 * Update the SSL_CTX, set the certificate and private key and then
7994 * continue the handshake normally.
7995 */
7996 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7997 return 0;
7998
7999 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8000 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8001 SSL_FILETYPE_PEM))
8002 || !TEST_true(SSL_check_private_key(s)))
8003 return 0;
8004 cert_cb_cnt++;
8005 return 1;
7cb8fb07
BK		 8006 } else if (cert_cb_cnt == 3) {
8007 int rv;
1a2a3a42
MC		 8008
8009 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8010 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8011 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8012 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8013 goto out;
8014 chain = sk_X509_new_null();
8015 if (!TEST_ptr(chain))
8016 goto out;
7cb8fb07 8017 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8018 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8019 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8020 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8021 || !TEST_true(sk_X509_push(chain, rootx)))
8022 goto out;
8023 rootx = NULL;
8024 BIO_free(in);
8025 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8026 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8027 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8028 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8029 goto out;
8030 BIO_free(in);
8031 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8032 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8033 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8034 NULL, NULL,
8035 libctx, NULL)))
7cb8fb07 8036 goto out;
1a2a3a42 8037 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8038 /*
8039 * If the cert doesn't show as valid here (e.g., because we don't
8040 * have any shared sigalgs), then we will not set it, and there will
8041 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8042 * will cause tls_choose_sigalgs() to fail the connection.
8043 */
1a2a3a42
MC		 8044 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8045 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8046 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8047 goto out;
8048 }
1a2a3a42
MC		 8049
8050 ret = 1;
cd6fe29f
MC		 8051 }
8052
8053 /* Abort the handshake */
7cb8fb07 8054 out:
1a2a3a42
MC		 8055 OPENSSL_free(ecdsacert);
8056 OPENSSL_free(ecdsakey);
8057 OPENSSL_free(rootfile);
7cb8fb07
BK		 8058 BIO_free(in);
8059 EVP_PKEY_free(pkey);
8060 X509_free(x509);
1a2a3a42 8061 X509_free(rootx);
79b2a2f2 8062 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8063 return ret;
cd6fe29f
MC		 8064}
8065
8066/*
8067 * Test the certificate callback.
8068 * Test 0: Callback fails
8069 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8070 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8071 * Test 3: Success - Call SSL_check_chain from the callback
8072 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8073 * chain
8074 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8075 */
8076static int test_cert_cb_int(int prot, int tst)
8077{
8078 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8079 SSL *clientssl = NULL, *serverssl = NULL;
8080 int testresult = 0, ret;
8081
1a2a3a42
MC		 8082#ifdef OPENSSL_NO_EC
8083 /* We use an EC cert in these tests, so we skip in a no-ec build */
8084 if (tst >= 3)
8085 return 1;
8086#endif
8087
5e30f2fd 8088 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8089 TLS_client_method(),
8090 TLS1_VERSION,
8091 prot,
8092 &sctx, &cctx, NULL, NULL)))
8093 goto end;
8094
8095 if (tst == 0)
8096 cert_cb_cnt = -1;
1a2a3a42 8097 else if (tst >= 3)
7cb8fb07 8098 cert_cb_cnt = 3;
cd6fe29f
MC		 8099 else
8100 cert_cb_cnt = 0;
1a2a3a42 8101
b0317df2 8102 if (tst == 2) {
7e1eda48 8103 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8104 if (!TEST_ptr(snictx))
8105 goto end;
8106 }
8107
cd6fe29f
MC		 8108 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8109
8110 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8111 NULL, NULL)))
8112 goto end;
8113
1a2a3a42
MC		 8114 if (tst == 4) {
8115 /*
8116 * We cause SSL_check_chain() to fail by specifying sig_algs that
8117 * the chain doesn't meet (the root uses an RSA cert)
8118 */
8119 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8120 "ecdsa_secp256r1_sha256")))
8121 goto end;
8122 } else if (tst == 5) {
8123 /*
8124 * We cause SSL_check_chain() to fail by specifying sig_algs that
8125 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8126 */
8127 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8128 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8129 goto end;
8130 }
8131
cd6fe29f 8132 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8133 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8134 || (tst > 0
8135 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8136 goto end;
8137 }
8138
8139 testresult = 1;
8140
8141 end:
8142 SSL_free(serverssl);
8143 SSL_free(clientssl);
8144 SSL_CTX_free(sctx);
8145 SSL_CTX_free(cctx);
8146 SSL_CTX_free(snictx);
8147
8148 return testresult;
8149}
7f1d923a 8150#endif
cd6fe29f
MC		 8151
8152static int test_cert_cb(int tst)
8153{
8154 int testresult = 1;
8155
8156#ifndef OPENSSL_NO_TLS1_2
8157 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8158#endif
a763ca11 8159#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8160 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8161#endif
8162
8163 return testresult;
8164}
8165
6e46c065
MC		 8166static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8167{
8c2bfd25 8168 X509 *xcert;
6e46c065
MC		 8169 EVP_PKEY *privpkey;
8170 BIO *in = NULL;
6725682d 8171 BIO *priv_in = NULL;
6e46c065 8172
8c2bfd25
TS		 8173 /* Check that SSL_get0_peer_certificate() returns something sensible */
8174 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8175 return 0;
6e46c065
MC		 8176
8177 in = BIO_new_file(cert, "r");
8178 if (!TEST_ptr(in))
8179 return 0;
8180
d8652be0 8181 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8182 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8183 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8184 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8185 NULL, NULL,
8186 libctx, NULL)))
6725682d 8187 goto err;
6e46c065
MC		 8188
8189 *x509 = xcert;
8190 *pkey = privpkey;
8191
6725682d
SL		 8192 BIO_free(in);
8193 BIO_free(priv_in);
6e46c065 8194 return 1;
6725682d
SL		 8195err:
8196 X509_free(xcert);
8197 BIO_free(in);
8198 BIO_free(priv_in);
8199 return 0;
6e46c065
MC		 8200}
8201
6e46c065
MC		 8202static int test_client_cert_cb(int tst)
8203{
8204 SSL_CTX *cctx = NULL, *sctx = NULL;
8205 SSL *clientssl = NULL, *serverssl = NULL;
8206 int testresult = 0;
8207
8208#ifdef OPENSSL_NO_TLS1_2
8209 if (tst == 0)
8210 return 1;
8211#endif
a763ca11 8212#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8213 if (tst == 1)
8214 return 1;
8215#endif
8216
5e30f2fd 8217 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8218 TLS_client_method(),
8219 TLS1_VERSION,
8220 tst == 0 ? TLS1_2_VERSION
8221 : TLS1_3_VERSION,
8222 &sctx, &cctx, cert, privkey)))
8223 goto end;
8224
8225 /*
8226 * Test that setting a client_cert_cb results in a client certificate being
8227 * sent.
8228 */
8229 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8230 SSL_CTX_set_verify(sctx,
8231 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8232 verify_cb);
fb8c8359
MC		 8233
8234 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8235 NULL, NULL))
8236 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8237 SSL_ERROR_NONE)))
8238 goto end;
8239
8240 testresult = 1;
8241
8242 end:
8243 SSL_free(serverssl);
8244 SSL_free(clientssl);
8245 SSL_CTX_free(sctx);
8246 SSL_CTX_free(cctx);
8247
8248 return testresult;
8249}
8250
a763ca11 8251#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8252/*
8253 * Test setting certificate authorities on both client and server.
8254 *
8255 * Test 0: SSL_CTX_set0_CA_list() only
8256 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8257 * Test 2: Only SSL_CTX_set_client_CA_list()
8258 */
8259static int test_ca_names_int(int prot, int tst)
8260{
8261 SSL_CTX *cctx = NULL, *sctx = NULL;
8262 SSL *clientssl = NULL, *serverssl = NULL;
8263 int testresult = 0;
8264 size_t i;
8265 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8266 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8267 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8268 const STACK_OF(X509_NAME) *sktmp = NULL;
8269
8270 for (i = 0; i < OSSL_NELEM(name); i++) {
8271 name[i] = X509_NAME_new();
8272 if (!TEST_ptr(name[i])
8273 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8274 MBSTRING_ASC,
8275 (unsigned char *)
8276 strnames[i],
8277 -1, -1, 0)))
8278 goto end;
8279 }
8280
5e30f2fd 8281 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8282 TLS_client_method(),
8283 TLS1_VERSION,
8284 prot,
8285 &sctx, &cctx, cert, privkey)))
8286 goto end;
8287
8288 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8289
8290 if (tst == 0 || tst == 1) {
8291 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8292 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8293 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8294 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8295 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8296 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8297 goto end;
8298
8299 SSL_CTX_set0_CA_list(sctx, sk1);
8300 SSL_CTX_set0_CA_list(cctx, sk2);
8301 sk1 = sk2 = NULL;
8302 }
8303 if (tst == 1 || tst == 2) {
8304 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8305 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8306 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8307 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8308 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8309 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8310 goto end;
8311
8312 SSL_CTX_set_client_CA_list(sctx, sk1);
8313 SSL_CTX_set_client_CA_list(cctx, sk2);
8314 sk1 = sk2 = NULL;
8315 }
8316
6e46c065
MC		 8317 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8318 NULL, NULL))
8319 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8320 SSL_ERROR_NONE)))
8321 goto end;
8322
fb8c8359
MC		 8323 /*
8324 * We only expect certificate authorities to have been sent to the server
8325 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8326 */
8327 sktmp = SSL_get0_peer_CA_list(serverssl);
8328 if (prot == TLS1_3_VERSION
8329 && (tst == 0 || tst == 1)) {
8330 if (!TEST_ptr(sktmp)
8331 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8332 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8333 name[0]), 0)
8334 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8335 name[1]), 0))
8336 goto end;
8337 } else if (!TEST_ptr_null(sktmp)) {
8338 goto end;
8339 }
8340
8341 /*
8342 * In all tests we expect certificate authorities to have been sent to the
8343 * client. However, SSL_set_client_CA_list() should override
8344 * SSL_set0_CA_list()
8345 */
8346 sktmp = SSL_get0_peer_CA_list(clientssl);
8347 if (!TEST_ptr(sktmp)
8348 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8349 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8350 name[tst == 0 ? 0 : 2]), 0)
8351 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8352 name[tst == 0 ? 1 : 3]), 0))
8353 goto end;
8354
6e46c065
MC		 8355 testresult = 1;
8356
8357 end:
8358 SSL_free(serverssl);
8359 SSL_free(clientssl);
8360 SSL_CTX_free(sctx);
8361 SSL_CTX_free(cctx);
fb8c8359
MC		 8362 for (i = 0; i < OSSL_NELEM(name); i++)
8363 X509_NAME_free(name[i]);
8364 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8365 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8366
8367 return testresult;
8368}
8369#endif
8370
8371static int test_ca_names(int tst)
8372{
8373 int testresult = 1;
8374
8375#ifndef OPENSSL_NO_TLS1_2
8376 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8377#endif
a763ca11 8378#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8379 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8380#endif
6e46c065
MC		 8381
8382 return testresult;
8383}
8384
0d2bfe52
SL		 8385#ifndef OPENSSL_NO_TLS1_2
8386static const char *multiblock_cipherlist_data[]=
8387{
8388 "AES128-SHA",
8389 "AES128-SHA256",
8390 "AES256-SHA",
8391 "AES256-SHA256",
8392};
8393
8394/* Reduce the fragment size - so the multiblock test buffer can be small */
8395# define MULTIBLOCK_FRAGSIZE 512
8396
8397static int test_multiblock_write(int test_index)
8398{
8399 static const char *fetchable_ciphers[]=
8400 {
8401 "AES-128-CBC-HMAC-SHA1",
8402 "AES-128-CBC-HMAC-SHA256",
8403 "AES-256-CBC-HMAC-SHA1",
8404 "AES-256-CBC-HMAC-SHA256"
8405 };
8406 const char *cipherlist = multiblock_cipherlist_data[test_index];
8407 const SSL_METHOD *smeth = TLS_server_method();
8408 const SSL_METHOD *cmeth = TLS_client_method();
8409 int min_version = TLS1_VERSION;
8410 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8411 SSL_CTX *cctx = NULL, *sctx = NULL;
8412 SSL *clientssl = NULL, *serverssl = NULL;
8413 int testresult = 0;
8414
8415 /*
8416 * Choose a buffer large enough to perform a multi-block operation
8417 * i.e: write_len >= 4 * frag_size
8418 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8419 */
8420 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8421 unsigned char buf[sizeof(msg)], *p = buf;
8422 size_t readbytes, written, len;
8423 EVP_CIPHER *ciph = NULL;
8424
8425 /*
8426 * Check if the cipher exists before attempting to use it since it only has
8427 * a hardware specific implementation.
8428 */
8429 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8430 if (ciph == NULL) {
8431 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8432 return 1;
8433 }
8434 EVP_CIPHER_free(ciph);
8435
8436 /* Set up a buffer with some data that will be sent to the client */
8437 RAND_bytes(msg, sizeof(msg));
8438
5e30f2fd
MC		 8439 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8440 max_version, &sctx, &cctx, cert,
8441 privkey)))
0d2bfe52
SL		 8442 goto end;
8443
8444 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8445 goto end;
8446
8447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8448 NULL, NULL)))
8449 goto end;
8450
8451 /* settings to force it to use AES-CBC-HMAC_SHA */
8452 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8453 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8454 goto end;
8455
8456 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8457 goto end;
8458
8459 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8460 || !TEST_size_t_eq(written, sizeof(msg)))
8461 goto end;
8462
8463 len = written;
8464 while (len > 0) {
8465 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8466 goto end;
8467 p += readbytes;
8468 len -= readbytes;
8469 }
8470 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8471 goto end;
8472
8473 testresult = 1;
8474end:
8475 SSL_free(serverssl);
8476 SSL_free(clientssl);
8477 SSL_CTX_free(sctx);
8478 SSL_CTX_free(cctx);
8479
8480 return testresult;
8481}
8482#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8483
25959e04
TS		 8484static int test_session_timeout(int test)
8485{
8486 /*
8487 * Test session ordering and timeout
8488 * Can't explicitly test performance of the new code,
8489 * but can test to see if the ordering of the sessions
8490 * are correct, and they they are removed as expected
8491 */
8492 SSL_SESSION *early = NULL;
8493 SSL_SESSION *middle = NULL;
8494 SSL_SESSION *late = NULL;
8495 SSL_CTX *ctx;
8496 int testresult = 0;
8497 long now = (long)time(NULL);
8498#define TIMEOUT 10
8499
8500 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8501 || !TEST_ptr(early = SSL_SESSION_new())
8502 || !TEST_ptr(middle = SSL_SESSION_new())
8503 || !TEST_ptr(late = SSL_SESSION_new()))
8504 goto end;
8505
8506 /* assign unique session ids */
8507 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8508 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8509 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8510 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8511 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8512 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8513
8514 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8515 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8516 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8517 goto end;
8518
8519 /* Make sure they are all added */
8520 if (!TEST_ptr(early->prev)
8521 || !TEST_ptr(middle->prev)
8522 || !TEST_ptr(late->prev))
8523 goto end;
8524
8525 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8526 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8527 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8528 goto end;
8529
8530 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8531 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8532 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8533 goto end;
8534
8535 /* Make sure they are all still there */
8536 if (!TEST_ptr(early->prev)
8537 || !TEST_ptr(middle->prev)
8538 || !TEST_ptr(late->prev))
8539 goto end;
8540
8541 /* Make sure they are in the expected order */
8542 if (!TEST_ptr_eq(late->next, middle)
8543 || !TEST_ptr_eq(middle->next, early)
8544 || !TEST_ptr_eq(early->prev, middle)
8545 || !TEST_ptr_eq(middle->prev, late))
8546 goto end;
8547
8548 /* This should remove "early" */
8549 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8550 if (!TEST_ptr_null(early->prev)
8551 || !TEST_ptr(middle->prev)
8552 || !TEST_ptr(late->prev))
8553 goto end;
8554
8555 /* This should remove "middle" */
8556 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8557 if (!TEST_ptr_null(early->prev)
8558 || !TEST_ptr_null(middle->prev)
8559 || !TEST_ptr(late->prev))
8560 goto end;
8561
8562 /* This should remove "late" */
8563 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8564 if (!TEST_ptr_null(early->prev)
8565 || !TEST_ptr_null(middle->prev)
8566 || !TEST_ptr_null(late->prev))
8567 goto end;
8568
8569 /* Add them back in again */
8570 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8571 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8572 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8573 goto end;
8574
8575 /* Make sure they are all added */
8576 if (!TEST_ptr(early->prev)
8577 || !TEST_ptr(middle->prev)
8578 || !TEST_ptr(late->prev))
8579 goto end;
8580
8581 /* This should remove all of them */
8582 SSL_CTX_flush_sessions(ctx, 0);
8583 if (!TEST_ptr_null(early->prev)
8584 || !TEST_ptr_null(middle->prev)
8585 || !TEST_ptr_null(late->prev))
8586 goto end;
8587
8588 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8589 | SSL_CTX_get_session_cache_mode(ctx));
8590
8591 /* make sure |now| is NOT equal to the current time */
8592 now -= 10;
8593 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8594 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8595 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8596 goto end;
8597
8598 testresult = 1;
8599 end:
8600 SSL_CTX_free(ctx);
8601 SSL_SESSION_free(early);
8602 SSL_SESSION_free(middle);
8603 SSL_SESSION_free(late);
8604 return testresult;
8605}
8606
49ef3d07
MC		 8607/*
8608 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8609 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8610 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8611 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8612 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8613 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8614 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8615 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8616 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8617 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8618 */
8619static int test_servername(int tst)
8620{
8621 SSL_CTX *cctx = NULL, *sctx = NULL;
8622 SSL *clientssl = NULL, *serverssl = NULL;
8623 int testresult = 0;
8624 SSL_SESSION *sess = NULL;
8625 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8626
8627#ifdef OPENSSL_NO_TLS1_2
8628 if (tst <= 4)
8629 return 1;
8630#endif
a763ca11 8631#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 8632 if (tst >= 5)
8633 return 1;
8634#endif
8635
5e30f2fd 8636 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 8637 TLS_client_method(),
8638 TLS1_VERSION,
8639 (tst <= 4) ? TLS1_2_VERSION
8640 : TLS1_3_VERSION,
8641 &sctx, &cctx, cert, privkey))
8642 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8643 NULL, NULL)))
8644 goto end;
8645
8646 if (tst != 1 && tst != 6) {
8647 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8648 hostname_cb)))
8649 goto end;
8650 }
8651
8652 if (tst != 3 && tst != 8) {
8653 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8654 goto end;
8655 sexpectedhost = cexpectedhost = "goodhost";
8656 }
8657
8658 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8659 goto end;
8660
8661 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8662 cexpectedhost)
8663 || !TEST_str_eq(SSL_get_servername(serverssl,
8664 TLSEXT_NAMETYPE_host_name),
8665 sexpectedhost))
8666 goto end;
8667
8668 /* Now repeat with a resumption handshake */
8669
8670 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8671 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8672 || !TEST_true(SSL_SESSION_is_resumable(sess))
8673 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8674 goto end;
8675
8676 SSL_free(clientssl);
8677 SSL_free(serverssl);
8678 clientssl = serverssl = NULL;
8679
8680 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8681 NULL)))
8682 goto end;
8683
8684 if (!TEST_true(SSL_set_session(clientssl, sess)))
8685 goto end;
8686
8687 sexpectedhost = cexpectedhost = "goodhost";
8688 if (tst == 2 || tst == 7) {
8689 /* Set an inconsistent hostname */
8690 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8691 goto end;
8692 /*
8693 * In TLSv1.2 we expect the hostname from the original handshake, in
8694 * TLSv1.3 we expect the hostname from this handshake
8695 */
8696 if (tst == 7)
8697 sexpectedhost = cexpectedhost = "altgoodhost";
8698
8699 if (!TEST_str_eq(SSL_get_servername(clientssl,
8700 TLSEXT_NAMETYPE_host_name),
8701 "altgoodhost"))
8702 goto end;
8703 } else if (tst == 4 || tst == 9) {
8704 /*
8705 * A TLSv1.3 session does not associate a session with a servername,
8706 * but a TLSv1.2 session does.
8707 */
8708 if (tst == 9)
8709 sexpectedhost = cexpectedhost = NULL;
8710
8711 if (!TEST_str_eq(SSL_get_servername(clientssl,
8712 TLSEXT_NAMETYPE_host_name),
8713 cexpectedhost))
8714 goto end;
8715 } else {
8716 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8717 goto end;
8718 /*
8719 * In a TLSv1.2 resumption where the hostname was not acknowledged
8720 * we expect the hostname on the server to be empty. On the client we
8721 * return what was requested in this case.
8722 *
8723 * Similarly if the client didn't set a hostname on an original TLSv1.2
8724 * session but is now, the server hostname will be empty, but the client
8725 * is as we set it.
8726 */
8727 if (tst == 1 || tst == 3)
8728 sexpectedhost = NULL;
8729
8730 if (!TEST_str_eq(SSL_get_servername(clientssl,
8731 TLSEXT_NAMETYPE_host_name),
8732 "goodhost"))
8733 goto end;
8734 }
8735
8736 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8737 goto end;
8738
8739 if (!TEST_true(SSL_session_reused(clientssl))
8740 || !TEST_true(SSL_session_reused(serverssl))
8741 || !TEST_str_eq(SSL_get_servername(clientssl,
8742 TLSEXT_NAMETYPE_host_name),
8743 cexpectedhost)
8744 || !TEST_str_eq(SSL_get_servername(serverssl,
8745 TLSEXT_NAMETYPE_host_name),
8746 sexpectedhost))
8747 goto end;
8748
8749 testresult = 1;
8750
8751 end:
8752 SSL_SESSION_free(sess);
8753 SSL_free(serverssl);
8754 SSL_free(clientssl);
8755 SSL_CTX_free(sctx);
8756 SSL_CTX_free(cctx);
8757
8758 return testresult;
8759}
8760
b1fdbc68 8761#if !defined(OPENSSL_NO_EC) \
a763ca11 8762 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 8763/*
8764 * Test that if signature algorithms are not available, then we do not offer or
8765 * accept them.
8766 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8767 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8768 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8769 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8770 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8771 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8772 */
8773static int test_sigalgs_available(int idx)
8774{
8775 SSL_CTX *cctx = NULL, *sctx = NULL;
8776 SSL *clientssl = NULL, *serverssl = NULL;
8777 int testresult = 0;
b4250010
DMSP		 8778 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8779 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8780 OSSL_PROVIDER *filterprov = NULL;
8781 int sig, hash;
8782
8783 if (!TEST_ptr(tmpctx))
8784 goto end;
8785
8786 if (idx != 0 && idx != 3) {
8787 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8788 filter_provider_init)))
8789 goto end;
8790
8791 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8792 if (!TEST_ptr(filterprov))
8793 goto end;
8794
8795 if (idx < 3) {
8796 /*
8797 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8798 * or accepted for the peer that uses this libctx. Note that libssl
8799 * *requires* SHA2-256 to be available so we cannot disable that. We
8800 * also need SHA1 for our certificate.
8801 */
8802 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8803 "SHA2-256:SHA1")))
8804 goto end;
8805 } else {
8806 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8807 "ECDSA"))
8808 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8809 "EC:X25519:X448")))
8810 goto end;
8811 }
8812
8813 if (idx == 1 || idx == 4)
8814 clientctx = tmpctx;
8815 else
8816 serverctx = tmpctx;
8817 }
8818
d8652be0
MC		 8819 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8820 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8821 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8822 goto end;
b3842539 8823
b4c4a2c6
TM		 8824 if (idx != 5) {
8825 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8826 TLS_client_method(),
8827 TLS1_VERSION,
8828 0,
8829 &sctx, &cctx, cert, privkey)))
8830 goto end;
8831 } else {
8832 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8833 TLS_client_method(),
8834 TLS1_VERSION,
8835 0,
8836 &sctx, &cctx, cert2, privkey2)))
8837 goto end;
8838 }
b3842539 8839
b1fdbc68
MC		 8840 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8841 if (idx < 4) {
8842 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8843 "ECDHE-RSA-AES128-GCM-SHA256")))
8844 goto end;
8845 } else {
8846 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8847 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8848 goto end;
8849 }
8850
b3842539
MC		 8851 if (idx < 3) {
8852 if (!SSL_CTX_set1_sigalgs_list(cctx,
8853 "rsa_pss_rsae_sha384"
8854 ":rsa_pss_rsae_sha256")
8855 || !SSL_CTX_set1_sigalgs_list(sctx,
8856 "rsa_pss_rsae_sha384"
8857 ":rsa_pss_rsae_sha256"))
8858 goto end;
8859 } else {
8860 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8861 || !SSL_CTX_set1_sigalgs_list(sctx,
8862 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8863 goto end;
8864 }
8865
b4c4a2c6
TM		 8866 if (idx != 5
8867 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8868 SSL_FILETYPE_PEM), 1)
b3842539
MC		 8869 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8870 privkey2,
8871 SSL_FILETYPE_PEM), 1)
b4c4a2c6 8872 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 8873 goto end;
8874
8875 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 8876 NULL, NULL)))
b3842539
MC		 8877 goto end;
8878
8879 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8880 goto end;
8881
8882 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8883 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8884 NULL, NULL),
8885 (idx == 0 || idx == 3) ? 2 : 1))
8886 goto end;
8887
8888 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8889 goto end;
8890
8891 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8892 : NID_rsassaPss))
8893 goto end;
8894
b0001d0c 8895 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8896
8897 end:
8898 SSL_free(serverssl);
8899 SSL_free(clientssl);
8900 SSL_CTX_free(sctx);
8901 SSL_CTX_free(cctx);
8902 OSSL_PROVIDER_unload(filterprov);
b4250010 8903 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8904
8905 return testresult;
8906}
b1fdbc68
MC		 8907#endif /*
8908 * !defined(OPENSSL_NO_EC) \
a763ca11 8909 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8910 */
b3842539 8911
0c13cdf8 8912#ifndef OPENSSL_NO_TLS1_3
a763ca11 8913/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8914static int test_pluggable_group(int idx)
0c13cdf8
MC		 8915{
8916 SSL_CTX *cctx = NULL, *sctx = NULL;
8917 SSL *clientssl = NULL, *serverssl = NULL;
8918 int testresult = 0;
8919 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8920 /* Check that we are not impacted by a provider without any groups */
8921 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8922 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8923
5ae54dba 8924 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8925 goto end;
8926
5ae54dba
MC		 8927 if (legacyprov == NULL) {
8928 /*
8929 * In this case we assume we've been built with "no-legacy" and skip
8930 * this test (there is no OPENSSL_NO_LEGACY)
8931 */
8932 testresult = 1;
8933 goto end;
8934 }
8935
0c13cdf8
MC		 8936 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8937 TLS_client_method(),
8938 TLS1_3_VERSION,
8939 TLS1_3_VERSION,
8940 &sctx, &cctx, cert, privkey))
8941 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8942 NULL, NULL)))
8943 goto end;
8944
c8e3a4c6
NT		 8945 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8946 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8947 goto end;
8948
8949 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8950 goto end;
8951
becbacd7
MB		 8952 if (!TEST_str_eq(group_name,
8953 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8954 goto end;
8955
0c13cdf8
MC		 8956 testresult = 1;
8957
8958 end:
8959 SSL_free(serverssl);
8960 SSL_free(clientssl);
8961 SSL_CTX_free(sctx);
8962 SSL_CTX_free(cctx);
8963 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8964 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8965
8966 return testresult;
8967}
8968#endif
b3842539 8969
49a36a52
MC		 8970#ifndef OPENSSL_NO_TLS1_2
8971static int test_ssl_dup(void)
8972{
8973 SSL_CTX *cctx = NULL, *sctx = NULL;
8974 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8975 int testresult = 0;
8976 BIO *rbio = NULL, *wbio = NULL;
8977
8978 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8979 TLS_client_method(),
8980 0,
8981 0,
8982 &sctx, &cctx, cert, privkey)))
8983 goto end;
8984
8985 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8986 NULL, NULL)))
8987 goto end;
8988
8989 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8990 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8991 goto end;
8992
8993 client2ssl = SSL_dup(clientssl);
8994 rbio = SSL_get_rbio(clientssl);
8995 if (!TEST_ptr(rbio)
8996 || !TEST_true(BIO_up_ref(rbio)))
8997 goto end;
8998 SSL_set0_rbio(client2ssl, rbio);
8999 rbio = NULL;
9000
9001 wbio = SSL_get_wbio(clientssl);
9002 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9003 goto end;
9004 SSL_set0_wbio(client2ssl, wbio);
9005 rbio = NULL;
9006
9007 if (!TEST_ptr(client2ssl)
9008 /* Handshake not started so pointers should be different */
9009 || !TEST_ptr_ne(clientssl, client2ssl))
9010 goto end;
9011
9012 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9013 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9014 goto end;
9015
9016 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9017 goto end;
9018
9019 SSL_free(clientssl);
9020 clientssl = SSL_dup(client2ssl);
9021 if (!TEST_ptr(clientssl)
9022 /* Handshake has finished so pointers should be the same */
9023 || !TEST_ptr_eq(clientssl, client2ssl))
9024 goto end;
9025
9026 testresult = 1;
9027
9028 end:
9029 SSL_free(serverssl);
9030 SSL_free(clientssl);
9031 SSL_free(client2ssl);
9032 SSL_CTX_free(sctx);
9033 SSL_CTX_free(cctx);
9034
9035 return testresult;
9036}
33c39a06
MC		 9037
9038# ifndef OPENSSL_NO_DH
9039
9040static EVP_PKEY *tmp_dh_params = NULL;
9041
9042/* Helper function for the test_set_tmp_dh() tests */
9043static EVP_PKEY *get_tmp_dh_params(void)
9044{
9045 if (tmp_dh_params == NULL) {
9046 BIGNUM *p = NULL;
9047 OSSL_PARAM_BLD *tmpl = NULL;
9048 EVP_PKEY_CTX *pctx = NULL;
9049 OSSL_PARAM *params = NULL;
9050 EVP_PKEY *dhpkey = NULL;
9051
9052 p = BN_get_rfc3526_prime_2048(NULL);
9053 if (!TEST_ptr(p))
9054 goto end;
9055
9056 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9057 if (!TEST_ptr(pctx)
884400d7 9058 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9059 goto end;
9060
9061 tmpl = OSSL_PARAM_BLD_new();
9062 if (!TEST_ptr(tmpl)
9063 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9064 OSSL_PKEY_PARAM_FFC_P,
9065 p))
9066 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9067 OSSL_PKEY_PARAM_FFC_G,
9068 2)))
9069 goto end;
9070
9071 params = OSSL_PARAM_BLD_to_param(tmpl);
9072 if (!TEST_ptr(params)
884400d7 9073 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9074 EVP_PKEY_KEY_PARAMETERS,
9075 params), 1))
33c39a06
MC		 9076 goto end;
9077
9078 tmp_dh_params = dhpkey;
9079 end:
9080 BN_free(p);
9081 EVP_PKEY_CTX_free(pctx);
9082 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9083 OSSL_PARAM_free(params);
33c39a06
MC		 9084 }
9085
f1619160 9086 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9087 return NULL;
9088
9089 return tmp_dh_params;
9090}
9091
39f3427d 9092# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9093/* Callback used by test_set_tmp_dh() */
9094static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9095{
9096 EVP_PKEY *dhpkey = get_tmp_dh_params();
9097 DH *ret = NULL;
9098
9099 if (!TEST_ptr(dhpkey))
9100 return NULL;
9101
7bc0fdd3
MC		 9102 /*
9103 * libssl does not free the returned DH, so we free it now knowing that even
9104 * after we free dhpkey, there will still be a reference to the owning
9105 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9106 * of time we need it for.
9107 */
9108 ret = EVP_PKEY_get1_DH(dhpkey);
9109 DH_free(ret);
33c39a06
MC		 9110
9111 EVP_PKEY_free(dhpkey);
9112
9113 return ret;
9114}
9115# endif
9116
9117/*
9118 * Test the various methods for setting temporary DH parameters
9119 *
9120 * Test 0: Default (no auto) setting
9121 * Test 1: Explicit SSL_CTX auto off
9122 * Test 2: Explicit SSL auto off
9123 * Test 3: Explicit SSL_CTX auto on
9124 * Test 4: Explicit SSL auto on
9125 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9126 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9127 *
9128 * The following are testing deprecated APIs, so we only run them if available
9129 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9130 * Test 8: Explicit SSL auto off, custom DH params via DH
9131 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9132 * Test 10: Explicit SSL auto off, custom DH params via callback
9133 */
9134static int test_set_tmp_dh(int idx)
9135{
9136 SSL_CTX *cctx = NULL, *sctx = NULL;
9137 SSL *clientssl = NULL, *serverssl = NULL;
9138 int testresult = 0;
9139 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9140 int expected = (idx <= 2) ? 0 : 1;
9141 EVP_PKEY *dhpkey = NULL;
9142# ifndef OPENSSL_NO_DEPRECATED_3_0
9143 DH *dh = NULL;
9144# else
9145
9146 if (idx >= 7)
9147 return 1;
9148# endif
9149
9150 if (idx >= 5 && idx <= 8) {
9151 dhpkey = get_tmp_dh_params();
9152 if (!TEST_ptr(dhpkey))
9153 goto end;
9154 }
9155# ifndef OPENSSL_NO_DEPRECATED_3_0
9156 if (idx == 7 || idx == 8) {
7bc0fdd3 9157 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9158 if (!TEST_ptr(dh))
9159 goto end;
9160 }
9161# endif
9162
9163 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9164 TLS_client_method(),
9165 0,
9166 0,
9167 &sctx, &cctx, cert, privkey)))
9168 goto end;
9169
9170 if ((idx & 1) == 1) {
9171 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9172 goto end;
9173 }
9174
9175 if (idx == 5) {
9176 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9177 goto end;
9178 dhpkey = NULL;
9179 }
9180# ifndef OPENSSL_NO_DEPRECATED_3_0
9181 else if (idx == 7) {
9182 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9183 goto end;
9184 } else if (idx == 9) {
9185 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9186 }
9187# endif
9188
9189 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9190 NULL, NULL)))
9191 goto end;
9192
9193 if ((idx & 1) == 0 && idx != 0) {
9194 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9195 goto end;
9196 }
9197 if (idx == 6) {
9198 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9199 goto end;
9200 dhpkey = NULL;
9201 }
9202# ifndef OPENSSL_NO_DEPRECATED_3_0
9203 else if (idx == 8) {
9204 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9205 goto end;
9206 } else if (idx == 10) {
9207 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9208 }
9209# endif
9210
9211 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9212 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9213 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9214 goto end;
9215
9216 /*
9217 * If autoon then we should succeed. Otherwise we expect failure because
9218 * there are no parameters
9219 */
9220 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9221 SSL_ERROR_NONE), expected))
9222 goto end;
9223
9224 testresult = 1;
9225
9226 end:
7bc0fdd3
MC		 9227# ifndef OPENSSL_NO_DEPRECATED_3_0
9228 DH_free(dh);
9229# endif
33c39a06
MC		 9230 SSL_free(serverssl);
9231 SSL_free(clientssl);
9232 SSL_CTX_free(sctx);
9233 SSL_CTX_free(cctx);
9234 EVP_PKEY_free(dhpkey);
9235
9236 return testresult;
9237}
3105d846
MC		 9238
9239/*
9240 * Test the auto DH keys are appropriately sized
9241 */
9242static int test_dh_auto(int idx)
9243{
61cab650
MC		 9244 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9245 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9246 SSL *clientssl = NULL, *serverssl = NULL;
9247 int testresult = 0;
9248 EVP_PKEY *tmpkey = NULL;
9249 char *thiscert = NULL, *thiskey = NULL;
9250 size_t expdhsize = 0;
9251 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9252
61cab650
MC		 9253 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9254 goto end;
9255
3105d846
MC		 9256 switch (idx) {
9257 case 0:
9258 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9259 if (is_fips) {
9260 testresult = 1;
9261 goto end;
9262 }
3105d846
MC		 9263 thiscert = cert1024;
9264 thiskey = privkey1024;
9265 expdhsize = 1024;
61cab650
MC		 9266 SSL_CTX_set_security_level(sctx, 1);
9267 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9268 break;
9269 case 1:
9270 /* 2048 bit prime */
9271 thiscert = cert;
9272 thiskey = privkey;
9273 expdhsize = 2048;
9274 break;
9275 case 2:
9276 thiscert = cert3072;
9277 thiskey = privkey3072;
9278 expdhsize = 3072;
9279 break;
9280 case 3:
9281 thiscert = cert4096;
9282 thiskey = privkey4096;
9283 expdhsize = 4096;
9284 break;
9285 case 4:
9286 thiscert = cert8192;
9287 thiskey = privkey8192;
9288 expdhsize = 8192;
9289 break;
9290 /* No certificate cases */
9291 case 5:
9292 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9293 if (is_fips) {
9294 testresult = 1;
9295 goto end;
9296 }
3105d846
MC		 9297 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9298 expdhsize = 1024;
9299 break;
9300 case 6:
9301 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9302 expdhsize = 3072;
9303 break;
9304 default:
9305 TEST_error("Invalid text index");
9306 goto end;
9307 }
9308
61cab650
MC		 9309 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9310 NULL,
3105d846
MC		 9311 0,
9312 0,
9313 &sctx, &cctx, thiscert, thiskey)))
9314 goto end;
9315
9316 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9317 NULL, NULL)))
9318 goto end;
9319
9320 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9321 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9322 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9323 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9324 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9325 goto end;
9326
9327 /*
9328 * Send the server's first flight. At this point the server has created the
9329 * temporary DH key but hasn't finished using it yet. Once used it is
9330 * removed, so we cannot test it.
9331 */
9332 if (!TEST_int_le(SSL_connect(clientssl), 0)
9333 || !TEST_int_le(SSL_accept(serverssl), 0))
9334 goto end;
9335
9336 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9337 goto end;
ed576acd 9338 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 9339 goto end;
9340
9341 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9342 goto end;
9343
9344 testresult = 1;
9345
9346 end:
9347 SSL_free(serverssl);
9348 SSL_free(clientssl);
9349 SSL_CTX_free(sctx);
9350 SSL_CTX_free(cctx);
9351 EVP_PKEY_free(tmpkey);
9352
9353 return testresult;
9354
9355}
33c39a06
MC		 9356# endif /* OPENSSL_NO_DH */
9357#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9358
a763ca11 9359#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9360/*
9361 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9362 * that it works even without a certificate configured for the original
9363 * SSL_CTX
9364 */
9365static int test_sni_tls13(void)
9366{
9367 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9368 SSL *clientssl = NULL, *serverssl = NULL;
9369 int testresult = 0;
9370
9371 /* Reset callback counter */
9372 snicb = 0;
9373
9374 /* Create an initial SSL_CTX with no certificate configured */
9375 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9376 if (!TEST_ptr(sctx))
9377 goto end;
9378 /* Require TLSv1.3 as a minimum */
9379 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9380 TLS_client_method(), TLS1_3_VERSION, 0,
9381 &sctx2, &cctx, cert, privkey)))
9382 goto end;
9383
9384 /* Set up SNI */
9385 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9386 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9387 goto end;
9388
9389 /*
9390 * Connection should still succeed because the final SSL_CTX has the right
9391 * certificates configured.
9392 */
9393 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9394 &clientssl, NULL, NULL))
9395 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9396 SSL_ERROR_NONE)))
9397 goto end;
9398
9399 /* We should have had the SNI callback called exactly once */
9400 if (!TEST_int_eq(snicb, 1))
9401 goto end;
9402
9403 testresult = 1;
9404
9405end:
9406 SSL_free(serverssl);
9407 SSL_free(clientssl);
9408 SSL_CTX_free(sctx2);
9409 SSL_CTX_free(sctx);
9410 SSL_CTX_free(cctx);
9411 return testresult;
9412}
0089cc7f
TS		 9413
9414/*
9415 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9416 * 0 = TLSv1.2
9417 * 1 = TLSv1.3
9418 */
9419static int test_ticket_lifetime(int idx)
9420{
9421 SSL_CTX *cctx = NULL, *sctx = NULL;
9422 SSL *clientssl = NULL, *serverssl = NULL;
9423 int testresult = 0;
9424 int version = TLS1_3_VERSION;
9425
9426#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9427#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9428
9429 if (idx == 0) {
9430 version = TLS1_2_VERSION;
9431 }
9432
9433 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9434 TLS_client_method(), version, version,
9435 &sctx, &cctx, cert, privkey)))
9436 goto end;
9437
9438 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9439 &clientssl, NULL, NULL)))
9440 goto end;
9441
9442 /*
9443 * Set the timeout to be more than 1 week
9444 * make sure the returned value is the default
9445 */
9446 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9447 SSL_get_default_timeout(serverssl)))
9448 goto end;
9449
9450 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9451 goto end;
9452
9453 if (idx == 0) {
9454 /* TLSv1.2 uses the set value */
9455 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9456 goto end;
9457 } else {
9458 /* TLSv1.3 uses the limited value */
9459 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9460 goto end;
9461 }
9462 testresult = 1;
9463
9464end:
9465 SSL_free(serverssl);
9466 SSL_free(clientssl);
9467 SSL_CTX_free(sctx);
9468 SSL_CTX_free(cctx);
9469 return testresult;
9470}
6582661f 9471#endif
feba11cf
TS		 9472/*
9473 * Test that setting an ALPN does not violate RFC
9474 */
9475static int test_set_alpn(void)
9476{
9477 SSL_CTX *ctx = NULL;
9478 SSL *ssl = NULL;
9479 int testresult = 0;
9480
9481 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9482 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9483 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9484 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9485 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9486 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9487
9488 /* Create an initial SSL_CTX with no certificate configured */
9489 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9490 if (!TEST_ptr(ctx))
9491 goto end;
9492
9493 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9494 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9495 goto end;
9496 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9497 goto end;
9498 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9499 goto end;
9500 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9501 goto end;
9502 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9503 goto end;
9504 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9505 goto end;
9506 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9507 goto end;
9508 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9509 goto end;
9510 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9511 goto end;
9512
9513 ssl = SSL_new(ctx);
9514 if (!TEST_ptr(ssl))
9515 goto end;
9516
9517 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9518 goto end;
9519 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9520 goto end;
9521 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9522 goto end;
9523 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9524 goto end;
9525 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9526 goto end;
9527 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9528 goto end;
9529 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9530 goto end;
9531 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9532 goto end;
9533 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9534 goto end;
9535
9536 testresult = 1;
9537
9538end:
9539 SSL_free(ssl);
9540 SSL_CTX_free(ctx);
9541 return testresult;
9542}
6582661f 9543
dfccfde0
CH		 9544static int test_inherit_verify_param(void)
9545{
9546 int testresult = 0;
9547
9548 SSL_CTX *ctx = NULL;
9549 X509_VERIFY_PARAM *cp = NULL;
9550 SSL *ssl = NULL;
9551 X509_VERIFY_PARAM *sp = NULL;
9552 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9553
9554 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9555 if (!TEST_ptr(ctx))
9556 goto end;
9557
9558 cp = SSL_CTX_get0_param(ctx);
9559 if (!TEST_ptr(cp))
9560 goto end;
9561 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9562 goto end;
9563
9564 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9565
9566 ssl = SSL_new(ctx);
9567 if (!TEST_ptr(ssl))
9568 goto end;
9569
9570 sp = SSL_get0_param(ssl);
9571 if (!TEST_ptr(sp))
9572 goto end;
9573 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9574 goto end;
9575
9576 testresult = 1;
9577
9578 end:
9579 SSL_free(ssl);
9580 SSL_CTX_free(ctx);
9581
9582 return testresult;
9583}
9584
5e30f2fd 9585OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 9586
ad887416 9587int setup_tests(void)
2cb4b5f6 9588{
5e30f2fd
MC		 9589 char *modulename;
9590 char *configfile;
9591
b4250010 9592 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 9593 if (!TEST_ptr(libctx))
9594 return 0;
9595
9596 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9597
9598 /*
9599 * Verify that the default and fips providers in the default libctx are not
9600 * available
9601 */
9602 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9603 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9604 return 0;
9605
8d242823
MC		 9606 if (!test_skip_common_options()) {
9607 TEST_error("Error parsing test options\n");
9608 return 0;
9609 }
9610
1a2a3a42
MC		 9611 if (!TEST_ptr(certsdir = test_get_argument(0))
9612 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 9613 || !TEST_ptr(tmpfilename = test_get_argument(2))
9614 || !TEST_ptr(modulename = test_get_argument(3))
9615 || !TEST_ptr(configfile = test_get_argument(4)))
9616 return 0;
9617
b4250010 9618 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 9619 return 0;
9620
9621 /* Check we have the expected provider available */
9622 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9623 return 0;
9624
9625 /* Check the default provider is not available */
9626 if (strcmp(modulename, "default") != 0
9627 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 9628 return 0;
2cb4b5f6 9629
4f6c7044
MC		 9630 if (strcmp(modulename, "fips") == 0)
9631 is_fips = 1;
9632
0c13cdf8
MC		 9633 /*
9634 * We add, but don't load the test "tls-provider". We'll load it when we
9635 * need it.
9636 */
9637 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9638 tls_provider_init)))
9639 return 0;
9640
9641
f297e4ec
RS		 9642 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9643#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9644 TEST_error("not supported in this build");
9645 return 0;
9646#else
9647 int i, mcount, rcount, fcount;
9648
9649 for (i = 0; i < 4; i++)
9650 test_export_key_mat(i);
9651 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9652 test_printf_stdout("malloc %d realloc %d free %d\n",
9653 mcount, rcount, fcount);
9654 return 1;
9655#endif
9656 }
9657
1a2a3a42
MC		 9658 cert = test_mk_file_path(certsdir, "servercert.pem");
9659 if (cert == NULL)
b3842539 9660 goto err;
1a2a3a42
MC		 9661
9662 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 9663 if (privkey == NULL)
9664 goto err;
9665
9666 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9667 if (cert2 == NULL)
9668 goto err;
9669
9670 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9671 if (privkey2 == NULL)
9672 goto err;
1a2a3a42 9673
3105d846
MC		 9674 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9675 if (cert1024 == NULL)
9676 goto err;
9677
9678 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9679 if (privkey1024 == NULL)
9680 goto err;
9681
9682 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9683 if (cert3072 == NULL)
9684 goto err;
9685
9686 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9687 if (privkey3072 == NULL)
9688 goto err;
9689
9690 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9691 if (cert4096 == NULL)
9692 goto err;
9693
9694 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9695 if (privkey4096 == NULL)
9696 goto err;
9697
9698 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9699 if (cert8192 == NULL)
9700 goto err;
9701
9702 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9703 if (privkey8192 == NULL)
9704 goto err;
9705
da4db160 9706#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 9707# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526
JB		 9708 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9709 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
c8e3a4c6 9710# endif
fe5d9450 9711#endif
84d5549e 9712 ADD_TEST(test_large_message_tls);
7856332e 9713 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 9714#ifndef OPENSSL_NO_DTLS
84d5549e 9715 ADD_TEST(test_large_message_dtls);
55386bef 9716#endif
163b8016 9717 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 9718#ifndef OPENSSL_NO_OCSP
c887104f 9719 ADD_TEST(test_tlsext_status_type);
8f8c11d8 9720#endif
eaa776da
MC		 9721 ADD_TEST(test_session_with_only_int_cache);
9722 ADD_TEST(test_session_with_only_ext_cache);
9723 ADD_TEST(test_session_with_both_cache);
90fc2c26 9724 ADD_TEST(test_session_wo_ca_names);
a763ca11 9725#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 9726 ADD_ALL_TESTS(test_stateful_tickets, 3);
9727 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 9728 ADD_TEST(test_psk_tickets);
f0049b86 9729 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 9730#endif
7fb4c820 9731 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 9732 ADD_TEST(test_ssl_bio_pop_next_bio);
9733 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9734 ADD_TEST(test_ssl_bio_change_rbio);
9735 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 9736#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 9737 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 9738 ADD_TEST(test_keylog);
c423ecaa 9739#endif
a763ca11 9740#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 9741 ADD_TEST(test_keylog_no_master_key);
9742#endif
0c3eb279 9743 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 9744 ADD_TEST(test_ssl_build_cert_chain);
9745 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 9746#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 9747 ADD_TEST(test_client_hello_cb);
088dfa13 9748 ADD_TEST(test_no_ems);
3cd14e5e 9749 ADD_TEST(test_ccs_change_cipher);
5f982038 9750#endif
a763ca11 9751#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 9752 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 9753 /*
9754 * We don't do replay tests for external PSK. Replay protection isn't used
9755 * in that scenario.
9756 */
9757 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 9758 ADD_ALL_TESTS(test_early_data_skip, 3);
9759 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 9760 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 9761 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 9762 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 9763 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 9764 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 9765 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 9766# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 9767 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 9768# endif
e9ee6536 9769#endif
a763ca11 9770#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 9771 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 9772 ADD_TEST(test_ciphersuite_change);
5bf2eade 9773 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9774# ifdef OPENSSL_NO_PSK
c2b290c3 9775 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 9776# else
0d8da779 9777 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 9778# endif /* OPENSSL_NO_PSK */
9779# ifndef OPENSSL_NO_TLS1_2
9780 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 9781 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 9782# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9783 ADD_ALL_TESTS(test_negotiated_group,
9784 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9785 + OSSL_NELEM(ffdhe_kexch_groups)));
9786# endif
5bf2eade 9787# else
9788 /* Test with only TLSv1.3 versions */
9789 ADD_ALL_TESTS(test_key_exchange, 12);
9790# endif
0db3a990 9791 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 9792 ADD_TEST(test_stateless);
9d75dce3 9793 ADD_TEST(test_pha_key_update);
a273157a 9794#else
bb01ef3f 9795 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 9796#endif
16afd71c 9797 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 9798 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 9799#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 9800 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 9801 ADD_TEST(test_key_update);
0c48fda8 9802 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
9803 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
9804 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
9805 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 9806#endif
e11b6aa4 9807 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 9808 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 9809#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9810 ADD_ALL_TESTS(test_srp, 6);
9811#endif
5718fe45 9812 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 9813 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 9814 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 9815 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 9816 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 9817 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 9818 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 9819 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 9820 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 9821#ifndef OPENSSL_NO_TLS1_2
9822 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9823#endif
49ef3d07 9824 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 9825#if !defined(OPENSSL_NO_EC) \
a763ca11 9826 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 9827 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 9828#endif
9829#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 9830 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 9831#endif
9832#ifndef OPENSSL_NO_TLS1_2
9833 ADD_TEST(test_ssl_dup);
33c39a06
MC		 9834# ifndef OPENSSL_NO_DH
9835 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 9836 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 9837# endif
6582661f 9838#endif
a763ca11 9839#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 9840 ADD_TEST(test_sni_tls13);
0089cc7f 9841 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 9842#endif
dfccfde0 9843 ADD_TEST(test_inherit_verify_param);
feba11cf 9844 ADD_TEST(test_set_alpn);
25959e04 9845 ADD_ALL_TESTS(test_session_timeout, 1);
ad887416 9846 return 1;
b3842539
MC		 9847
9848 err:
9849 OPENSSL_free(cert);
9850 OPENSSL_free(privkey);
9851 OPENSSL_free(cert2);
9852 OPENSSL_free(privkey2);
9853 return 0;
ad887416 9854}
2cb4b5f6 9855
ad887416
P		 9856void cleanup_tests(void)
9857{
8778f0eb 9858# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 9859 EVP_PKEY_free(tmp_dh_params);
9860#endif
1a2a3a42
MC		 9861 OPENSSL_free(cert);
9862 OPENSSL_free(privkey);
b3842539
MC		 9863 OPENSSL_free(cert2);
9864 OPENSSL_free(privkey2);
3105d846
MC		 9865 OPENSSL_free(cert1024);
9866 OPENSSL_free(privkey1024);
9867 OPENSSL_free(cert3072);
9868 OPENSSL_free(privkey3072);
9869 OPENSSL_free(cert4096);
9870 OPENSSL_free(privkey4096);
9871 OPENSSL_free(cert8192);
9872 OPENSSL_free(privkey8192);
fa454945 9873 bio_s_mempacket_test_free();
a77b4dba 9874 bio_s_always_retry_free();
5e30f2fd 9875 OSSL_PROVIDER_unload(defctxnull);
b4250010 9876 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 9877}
A mirror of the official openssl repository