]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Release the drbg in the global default context before engines
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
2cb4b5f6 36
20f8bc72 37#include "helpers/ssltestlib.h"
c887104f 38#include "testutil.h"
f297e4ec 39#include "testutil/output.h"
176db6dc 40#include "internal/nelem.h"
fe5d9450 41#include "internal/ktls.h"
706457b7 42#include "../ssl/ssl_local.h"
0755722c 43#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 44#include "filterprov.h"
2cb4b5f6 45
a763ca11
MC		 46#undef OSSL_NO_USABLE_TLS1_3
47#if defined(OPENSSL_NO_TLS1_3) \
48 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
49/*
50 * If we don't have ec or dh then there are no built-in groups that are usable
51 * with TLSv1.3
52 */
53# define OSSL_NO_USABLE_TLS1_3
54#endif
55
0c13cdf8
MC		 56/* Defined in tls-provider.c */
57int tls_provider_init(const OSSL_CORE_HANDLE *handle,
58 const OSSL_DISPATCH *in,
59 const OSSL_DISPATCH **out,
60 void **provctx);
852c2ed2 61
b4250010 62static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 63static OSSL_PROVIDER *defctxnull = NULL;
64
a763ca11 65#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 66
67static SSL_SESSION *clientpsk = NULL;
68static SSL_SESSION *serverpsk = NULL;
69static const char *pskid = "Identity";
70static const char *srvid;
71
72static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
73 size_t *idlen, SSL_SESSION **sess);
74static int find_session_cb(SSL *ssl, const unsigned char *identity,
75 size_t identity_len, SSL_SESSION **sess);
76
77static int use_session_cb_cnt = 0;
78static int find_session_cb_cnt = 0;
79
80static SSL_SESSION *create_a_psk(SSL *ssl);
81#endif
82
1a2a3a42 83static char *certsdir = NULL;
2cb4b5f6
MC		 84static char *cert = NULL;
85static char *privkey = NULL;
b3842539
MC		 86static char *cert2 = NULL;
87static char *privkey2 = NULL;
3105d846
MC		 88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
76fd7a1d
MC		 96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
b2b8d188 98static char *dhfile = NULL;
2cb4b5f6 99
4f6c7044
MC		 100static int is_fips = 0;
101
cffe973c 102#define LOG_BUFFER_SIZE 2048
6acdd3e5 103static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 104static size_t server_log_buffer_index = 0;
6acdd3e5 105static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 106static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 107static int error_writing_log = 0;
108
8f8c11d8 109#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 110static const unsigned char orespder[] = "Dummy OCSP Response";
111static int ocsp_server_called = 0;
112static int ocsp_client_called = 0;
113
114static int cdummyarg = 1;
115static X509 *ocspcert = NULL;
8f8c11d8 116#endif
ba881d3b 117
84d5549e 118#define NUM_EXTRA_CERTS 40
cf72c757 119#define CLIENT_VERSION_LEN 2
84d5549e 120
f1a5939f
CB		 121/*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
cffe973c 128 unsigned int client_early_secret_count;
f1a5939f
CB		 129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
01a2a654 133 unsigned int early_exporter_secret_count;
6329ce8f 134 unsigned int exporter_secret_count;
f1a5939f
CB		 135};
136
16afd71c 137
104a733d
MC		 138static int hostname_cb(SSL *s, int *al, void *arg)
139{
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147}
148
710756a9
RS		 149static void client_keylog_callback(const SSL *ssl, const char *line)
150{
6acdd3e5
CB		 151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
710756a9
RS		 154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
6acdd3e5
CB		 156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
710756a9 162 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 163}
164
710756a9
RS		 165static void server_keylog_callback(const SSL *ssl, const char *line)
166{
6acdd3e5
CB		 167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
710756a9 170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 171 TEST_info("Server log too full");
6acdd3e5
CB		 172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
710756a9 178 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 179}
180
181static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
710756a9
RS		 184 size_t raw_length)
185{
186 size_t i, j;
187 char hexed[3];
6acdd3e5 188
710756a9 189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 190 return 1;
6acdd3e5 191
710756a9 192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 193 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 196 return 1;
6acdd3e5
CB		 197 }
198
199 return 0;
200}
201
202static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 203 const SSL_SESSION *session,
710756a9
RS		 204 struct sslapitest_log_counts *expected)
205{
6acdd3e5
CB		 206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
cffe973c 213 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
01a2a654 218 unsigned int early_exporter_secret_count = 0;
6329ce8f 219 unsigned int exporter_secret_count = 0;
6acdd3e5 220
710756a9
RS		 221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
6acdd3e5 223 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
710756a9 229 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 230 return 0;
710756a9 231 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 232 return 0;
710756a9 233 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 234 return 0;
f1a5939f
CB		 235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
6acdd3e5 241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
710756a9 249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 250 return 0;
6acdd3e5 251
710756a9 252 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 253 return 0;
710756a9 254 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 255 return 0;
710756a9
RS		 256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
f1a5939f 259 return 0;
6acdd3e5 260
710756a9 261 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 262 return 0;
6acdd3e5
CB		 263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
710756a9 266 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 267 return 0;
710756a9
RS		 268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
f1a5939f 271 return 0;
f1a5939f 272 master_secret_count++;
cffe973c
PW		 273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 279 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
cffe973c
PW		 286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
01a2a654
PW		 296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
6329ce8f
PW		 298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
f1a5939f
CB		 300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
710756a9 304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 305 return 0;
f1a5939f 306
710756a9 307 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 308 return 0;
710756a9 309 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 310 return 0;
710756a9
RS		 311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
f1a5939f 314 return 0;
6acdd3e5 315
710756a9 316 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 317 return 0;
6acdd3e5 318 } else {
710756a9 319 TEST_info("Unexpected token %s\n", token);
f1a5939f 320 return 0;
6acdd3e5 321 }
6acdd3e5
CB		 322 }
323
710756a9
RS		 324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
cffe973c
PW		 329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
710756a9
RS		 331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 338 expected->server_application_secret_count)
01a2a654
PW		 339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
6329ce8f
PW		 341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
710756a9
RS		 343 return 0;
344 return 1;
6acdd3e5
CB		 345}
346
a763ca11 347#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 348static int test_keylog(void)
349{
6acdd3e5
CB		 350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
6fc1e624 353 struct sslapitest_log_counts expected;
6acdd3e5
CB		 354
355 /* Clean up logging space */
6fc1e624 356 memset(&expected, 0, sizeof(expected));
710756a9
RS		 357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
5e30f2fd 363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 364 TLS_client_method(),
5c587fb6 365 TLS1_VERSION, 0,
710756a9 366 &sctx, &cctx, cert, privkey)))
6acdd3e5 367 return 0;
6acdd3e5
CB		 368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
f0deb4d3 373 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 375 goto end;
f0deb4d3 376
cf10df81
RS		 377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 379 goto end;
6acdd3e5 380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
6acdd3e5 383 goto end;
710756a9 384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
6acdd3e5 387 goto end;
6acdd3e5 388
710756a9
RS		 389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 397 goto end;
6acdd3e5 398
f1a5939f
CB		 399 /*
400 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 401 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 402 * data we expect. For both client and server, we expect to see one master
403 * secret. The client should also see a RSA key exchange.
6acdd3e5 404 */
f1a5939f
CB		 405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
710756a9
RS		 407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
6acdd3e5 409 goto end;
f1a5939f
CB		 410
411 expected.rsa_key_exchange_count = 0;
710756a9
RS		 412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
6acdd3e5 414 goto end;
6acdd3e5
CB		 415
416 testresult = 1;
417
418end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425}
c423ecaa 426#endif
6acdd3e5 427
a763ca11 428#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 429static int test_keylog_no_master_key(void)
430{
6acdd3e5
CB		 431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 433 SSL_SESSION *sess = NULL;
6acdd3e5 434 int testresult = 0;
6fc1e624 435 struct sslapitest_log_counts expected;
cffe973c
PW		 436 unsigned char buf[1];
437 size_t readbytes, written;
6acdd3e5
CB		 438
439 /* Clean up logging space */
6fc1e624 440 memset(&expected, 0, sizeof(expected));
710756a9
RS		 441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
5e30f2fd
MC		 447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 451 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 452 return 0;
6acdd3e5 453
cf10df81
RS		 454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 456 goto end;
6acdd3e5
CB		 457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
6acdd3e5 461 goto end;
6acdd3e5 462
710756a9 463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
6acdd3e5 466 goto end;
6acdd3e5 467
710756a9
RS		 468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
6acdd3e5 474 goto end;
6acdd3e5 475
f1a5939f
CB		 476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 479 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 480 */
f1a5939f
CB		 481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
6329ce8f 485 expected.exporter_secret_count = 1;
710756a9
RS		 486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
6acdd3e5 491 goto end;
6acdd3e5 492
cffe973c
PW		 493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
01a2a654 524 expected.early_exporter_secret_count = 1;
cffe973c
PW		 525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
6acdd3e5
CB		 532 testresult = 1;
533
534end:
cffe973c 535 SSL_SESSION_free(sess);
6acdd3e5
CB		 536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542}
543#endif
544
0c3eb279
DDO		 545static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546{
547 int res = X509_verify_cert(ctx);
dfb39f73
TM		 548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
0c3eb279
DDO		 555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
0c3eb279
DDO		 561 return res;
562}
563
564static int test_client_cert_verify_cb(void)
565{
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620end:
621 X509_free(crt1);
622 X509_free(crt2);
c38048e7
P		 623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
0c3eb279
DDO		 631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641}
642
4e4ae840
SL		 643static int test_ssl_build_cert_chain(void)
644{
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670}
671
c7debe81
TM		 672static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673{
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681}
682
4e4ae840
SL		 683static int test_ssl_ctx_build_cert_chain(void)
684{
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
c7debe81 687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
c7debe81 692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708}
709
e9ee6536 710#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 711static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 712{
713 int *ctr = arg;
714 const unsigned char *p;
8ea404fb 715 int *exts;
2afaee51
BK		 716 /* We only configure two ciphers, but the SCSV is added automatically. */
717#ifdef OPENSSL_NO_EC
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719#else
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721 0x2c, 0x00, 0xff};
722#endif
8ea404fb
BK		 723 const int expected_extensions[] = {
724#ifndef OPENSSL_NO_EC
725 11, 10,
726#endif
10ed1b72 727 35, 22, 23, 13};
2afaee51
BK		 728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
f1b97da1 732 return SSL_CLIENT_HELLO_RETRY;
2afaee51 733
a9c0d8be 734 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 738 || !TEST_int_eq(*p, 0))
f1b97da1 739 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 741 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 744 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 745 OPENSSL_free(exts);
f1b97da1 746 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 747 }
748 OPENSSL_free(exts);
f1b97da1 749 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 750}
751
a9c0d8be 752static int test_client_hello_cb(void)
710756a9 753{
2afaee51
BK		 754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
5e30f2fd
MC		 758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 760 &sctx, &cctx, cert, privkey)))
2afaee51 761 goto end;
a9c0d8be 762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 763
2afaee51
BK		 764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 766
710756a9
RS		 767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
a9c0d8be
DB		 777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
2afaee51 781 goto end;
2afaee51
BK		 782
783 testresult = 1;
784
088dfa13
TS		 785end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792}
793
794static int test_no_ems(void)
795{
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
798 int testresult = 0;
799
5e30f2fd 800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
814 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
815 printf("Creating SSL connection failed\n");
816 goto end;
817 }
818
819 if (SSL_get_extms_support(serverssl)) {
820 printf("Server reports Extended Master Secret support\n");
821 goto end;
822 }
823
824 if (SSL_get_extms_support(clientssl)) {
825 printf("Client reports Extended Master Secret support\n");
826 goto end;
827 }
828 testresult = 1;
829
2afaee51
BK		 830end:
831 SSL_free(serverssl);
832 SSL_free(clientssl);
833 SSL_CTX_free(sctx);
834 SSL_CTX_free(cctx);
835
836 return testresult;
837}
838
3cd14e5e
BK		 839/*
840 * Very focused test to exercise a single case in the server-side state
841 * machine, when the ChangeCipherState message needs to actually change
842 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 843 * encryption to real encryption).
3cd14e5e
BK		 844 */
845static int test_ccs_change_cipher(void)
846{
847 SSL_CTX *cctx = NULL, *sctx = NULL;
848 SSL *clientssl = NULL, *serverssl = NULL;
849 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
850 int testresult = 0;
851 int i;
852 unsigned char buf;
853 size_t readbytes;
854
855 /*
e304aa87 856 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 857 * a different cipher in the second connection.
858 */
5e30f2fd 859 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 860 TLS_client_method(),
861 TLS1_VERSION, TLS1_2_VERSION,
862 &sctx, &cctx, cert, privkey))
863 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
864 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
865 NULL, NULL))
866 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
867 || !TEST_true(create_ssl_connection(serverssl, clientssl,
868 SSL_ERROR_NONE))
869 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
870 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
871 goto end;
872
873 shutdown_ssl_connection(serverssl, clientssl);
874 serverssl = clientssl = NULL;
875
876 /* Resume, preferring a different cipher. Our server will force the
877 * same cipher to be used as the initial handshake. */
878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
879 NULL, NULL))
880 || !TEST_true(SSL_set_session(clientssl, sess))
881 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
882 || !TEST_true(create_ssl_connection(serverssl, clientssl,
883 SSL_ERROR_NONE))
884 || !TEST_true(SSL_session_reused(clientssl))
885 || !TEST_true(SSL_session_reused(serverssl))
886 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
887 || !TEST_ptr_eq(sesspre, sesspost)
888 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
889 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
890 goto end;
891 shutdown_ssl_connection(serverssl, clientssl);
892 serverssl = clientssl = NULL;
893
894 /*
895 * Now create a fresh connection and try to renegotiate a different
896 * cipher on it.
897 */
b3e6d666
BK		 898 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
899 NULL, NULL))
3cd14e5e
BK		 900 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
901 || !TEST_true(create_ssl_connection(serverssl, clientssl,
902 SSL_ERROR_NONE))
903 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
904 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
905 || !TEST_true(SSL_renegotiate(clientssl))
906 || !TEST_true(SSL_renegotiate_pending(clientssl)))
907 goto end;
908 /* Actually drive the renegotiation. */
909 for (i = 0; i < 3; i++) {
910 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
911 if (!TEST_ulong_eq(readbytes, 0))
912 goto end;
913 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
914 SSL_ERROR_WANT_READ)) {
915 goto end;
916 }
917 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
918 if (!TEST_ulong_eq(readbytes, 0))
919 goto end;
920 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
921 SSL_ERROR_WANT_READ)) {
922 goto end;
923 }
924 }
925 /* sesspre and sesspost should be different since the cipher changed. */
926 if (!TEST_false(SSL_renegotiate_pending(clientssl))
927 || !TEST_false(SSL_session_reused(clientssl))
928 || !TEST_false(SSL_session_reused(serverssl))
929 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
930 || !TEST_ptr_ne(sesspre, sesspost)
931 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
932 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
933 goto end;
934
935 shutdown_ssl_connection(serverssl, clientssl);
936 serverssl = clientssl = NULL;
937
938 testresult = 1;
939
940end:
941 SSL_free(serverssl);
942 SSL_free(clientssl);
943 SSL_CTX_free(sctx);
944 SSL_CTX_free(cctx);
945 SSL_SESSION_free(sess);
946
947 return testresult;
948}
fb121631 949#endif
3cd14e5e 950
84d5549e 951static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 952 const SSL_METHOD *cmeth,
953 int min_version, int max_version,
954 int read_ahead)
84d5549e
MC		 955{
956 SSL_CTX *cctx = NULL, *sctx = NULL;
957 SSL *clientssl = NULL, *serverssl = NULL;
958 int testresult = 0;
959 int i;
710756a9 960 BIO *certbio = NULL;
84d5549e
MC		 961 X509 *chaincert = NULL;
962 int certlen;
963
710756a9 964 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 965 goto end;
6725682d 966
d8652be0 967 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 968 goto end;
969
970 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
971 goto end;
fa454945
MC		 972 BIO_free(certbio);
973 certbio = NULL;
84d5549e 974
5e30f2fd
MC		 975 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
976 max_version, &sctx, &cctx, cert,
977 privkey)))
84d5549e 978 goto end;
84d5549e 979
8ce390e1
MC		 980#ifdef OPENSSL_NO_DTLS1_2
981 if (smeth == DTLS_server_method()) {
982 /*
983 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
984 * level 0
985 */
986 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
987 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
988 "DEFAULT:@SECLEVEL=0")))
989 goto end;
990 }
991#endif
992
710756a9 993 if (read_ahead) {
7856332e
MC		 994 /*
995 * Test that read_ahead works correctly when dealing with large
996 * records
997 */
998 SSL_CTX_set_read_ahead(cctx, 1);
999 }
1000
84d5549e
MC		 1001 /*
1002 * We assume the supplied certificate is big enough so that if we add
1003 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1004 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 1005 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1006 * test we need to have a message larger than that.
84d5549e
MC		 1007 */
1008 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1009 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1010 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1011 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1012 if (!X509_up_ref(chaincert))
84d5549e 1013 goto end;
84d5549e 1014 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1015 X509_free(chaincert);
1016 goto end;
1017 }
1018 }
1019
710756a9
RS		 1020 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1021 NULL, NULL))
1022 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1023 SSL_ERROR_NONE)))
84d5549e 1024 goto end;
84d5549e 1025
4bf08600
MC		 1026 /*
1027 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1028 * doesn't leak.
4bf08600 1029 */
710756a9 1030 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1031 goto end;
84d5549e 1032
4bf08600 1033 testresult = 1;
84d5549e 1034 end:
6725682d 1035 BIO_free(certbio);
84d5549e
MC		 1036 X509_free(chaincert);
1037 SSL_free(serverssl);
1038 SSL_free(clientssl);
1039 SSL_CTX_free(sctx);
1040 SSL_CTX_free(cctx);
1041
1042 return testresult;
1043}
1044
da4db160 1045#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1046 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1047/* sock must be connected */
1048static int ktls_chk_platform(int sock)
1049{
1050 if (!ktls_enable(sock))
1051 return 0;
1052 return 1;
1053}
1054
e1fdd526 1055static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1056{
1057 static char count = 1;
1058 unsigned char cbuf[16000] = {0};
1059 unsigned char sbuf[16000];
1060 size_t err = 0;
e1fdd526
JB		 1061 char crec_wseq_before[SEQ_NUM_SIZE];
1062 char crec_wseq_after[SEQ_NUM_SIZE];
1063 char crec_rseq_before[SEQ_NUM_SIZE];
1064 char crec_rseq_after[SEQ_NUM_SIZE];
1065 char srec_wseq_before[SEQ_NUM_SIZE];
1066 char srec_wseq_after[SEQ_NUM_SIZE];
1067 char srec_rseq_before[SEQ_NUM_SIZE];
1068 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1069 SSL_CONNECTION *clientsc, *serversc;
1070
1071 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1072 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1073 goto end;
fe5d9450
BP		 1074
1075 cbuf[0] = count++;
2c50d7fb
MC		 1076 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1077 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1078 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1079 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1080
1081 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1082 goto end;
1083
1084 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1085 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1086 goto end;
1087 }
1088 }
1089
1090 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1091 goto end;
1092
1093 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1094 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1095 goto end;
1096 }
1097 }
1098
2c50d7fb
MC		 1099 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1100 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1101 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1102 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1103
1104 /* verify the payload */
1105 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1106 goto end;
1107
e1fdd526
JB		 1108 /*
1109 * If ktls is used then kernel sequences are used instead of
1110 * OpenSSL sequences
1111 */
38b051a1 1112 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1113 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1114 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1115 goto end;
1116 } else {
e1fdd526
JB		 1117 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1118 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1119 goto end;
1120 }
1121
38b051a1 1122 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1123 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1124 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1125 goto end;
1126 } else {
e1fdd526
JB		 1127 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1128 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1129 goto end;
1130 }
1131
38b051a1 1132 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1133 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1134 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1135 goto end;
1136 } else {
e1fdd526
JB		 1137 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1138 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1139 goto end;
1140 }
1141
38b051a1 1142 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1143 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1144 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1145 goto end;
1146 } else {
e1fdd526
JB		 1147 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1148 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1149 goto end;
1150 }
fe5d9450
BP		 1151
1152 return 1;
1153end:
1154 return 0;
1155}
1156
a3a54179 1157static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1158 int tls_version, const char *cipher)
fe5d9450
BP		 1159{
1160 SSL_CTX *cctx = NULL, *sctx = NULL;
1161 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1162 int ktls_used = 0, testresult = 0;
1163 int cfd = -1, sfd = -1;
1164 int rx_supported;
38b051a1 1165 SSL_CONNECTION *clientsc, *serversc;
fe5d9450
BP		 1166
1167 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1168 goto end;
1169
1170 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1171 if (!ktls_chk_platform(cfd)) {
1172 testresult = TEST_skip("Kernel does not support KTLS");
1173 goto end;
1174 }
fe5d9450 1175
a5d8a2f8
DB		 1176 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1177 testresult = TEST_skip("CHACHA is not supported in FIPS");
1178 goto end;
1179 }
1180
fe5d9450 1181 /* Create a session based on SHA-256 */
5e30f2fd 1182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1183 TLS_client_method(),
da4db160 1184 tls_version, tls_version,
e1fdd526
JB		 1185 &sctx, &cctx, cert, privkey)))
1186 goto end;
1187
1188 if (tls_version == TLS1_3_VERSION) {
1189 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1190 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1191 goto end;
1192 } else {
1193 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1194 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1195 goto end;
1196 }
1197
1198 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1199 &clientssl, sfd, cfd)))
fe5d9450
BP		 1200 goto end;
1201
38b051a1
TM		 1202 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1203 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1204 goto end;
1205
a3a54179
MC		 1206 if (cis_ktls) {
1207 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1208 goto end;
1209 }
1210
a3a54179 1211 if (sis_ktls) {
e1fdd526 1212 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1213 goto end;
1214 }
1215
e1fdd526 1216 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1217 goto end;
1218
e1fdd526
JB		 1219 /*
1220 * The running kernel may not support a given cipher suite
1221 * or direction, so just check that KTLS isn't used when it
1222 * isn't enabled.
1223 */
a3a54179 1224 if (!cis_ktls) {
38b051a1 1225 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1226 goto end;
1227 } else {
38b051a1 1228 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1229 ktls_used = 1;
fe5d9450
BP		 1230 }
1231
a3a54179 1232 if (!sis_ktls) {
38b051a1 1233 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1234 goto end;
1235 } else {
38b051a1 1236 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1237 ktls_used = 1;
fe5d9450
BP		 1238 }
1239
a3a54179 1240#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1241 rx_supported = 0;
1242#else
7c78932b 1243 rx_supported = 1;
a3a54179 1244#endif
e1fdd526 1245 if (!cis_ktls || !rx_supported) {
38b051a1 1246 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1247 goto end;
1248 } else {
38b051a1 1249 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1250 ktls_used = 1;
2fab79af
BP		 1251 }
1252
e1fdd526 1253 if (!sis_ktls || !rx_supported) {
38b051a1 1254 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1255 goto end;
1256 } else {
38b051a1 1257 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1258 ktls_used = 1;
1259 }
1260
1261 if ((cis_ktls || sis_ktls) && !ktls_used) {
1262 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1263 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1264 "TLS 1.2", cipher);
1265 goto end;
2fab79af
BP		 1266 }
1267
e1fdd526 1268 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1269 goto end;
1270
1271 testresult = 1;
1272end:
1273 if (clientssl) {
1274 SSL_shutdown(clientssl);
1275 SSL_free(clientssl);
1276 }
1277 if (serverssl) {
1278 SSL_shutdown(serverssl);
1279 SSL_free(serverssl);
1280 }
1281 SSL_CTX_free(sctx);
1282 SSL_CTX_free(cctx);
1283 serverssl = clientssl = NULL;
e1fdd526
JB		 1284 if (cfd != -1)
1285 close(cfd);
1286 if (sfd != -1)
1287 close(sfd);
fe5d9450
BP		 1288 return testresult;
1289}
1290
7c3a7561
BP		 1291#define SENDFILE_SZ (16 * 4096)
1292#define SENDFILE_CHUNK (4 * 4096)
1293#define min(a,b) ((a) > (b) ? (b) : (a))
1294
e1fdd526 1295static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1296{
1297 SSL_CTX *cctx = NULL, *sctx = NULL;
1298 SSL *clientssl = NULL, *serverssl = NULL;
1299 unsigned char *buf, *buf_dst;
1300 BIO *out = NULL, *in = NULL;
e1fdd526 1301 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1302 ssize_t chunk_size = 0;
1303 off_t chunk_off = 0;
1304 int testresult = 0;
1305 FILE *ffdp;
38b051a1 1306 SSL_CONNECTION *serversc;
7c3a7561
BP		 1307
1308 buf = OPENSSL_zalloc(SENDFILE_SZ);
1309 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1310 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1311 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1312 goto end;
1313
1314 /* Skip this test if the platform does not support ktls */
1315 if (!ktls_chk_platform(sfd)) {
e1fdd526 1316 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1317 goto end;
1318 }
1319
a5d8a2f8
DB		 1320 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1321 testresult = TEST_skip("CHACHA is not supported in FIPS");
1322 goto end;
1323 }
1324
7c3a7561 1325 /* Create a session based on SHA-256 */
5e30f2fd 1326 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1327 TLS_client_method(),
da4db160 1328 tls_version, tls_version,
e1fdd526
JB		 1329 &sctx, &cctx, cert, privkey)))
1330 goto end;
1331
1332 if (tls_version == TLS1_3_VERSION) {
1333 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1334 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1335 goto end;
1336 } else {
1337 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1338 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1339 goto end;
1340 }
1341
1342 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1343 &clientssl, sfd, cfd)))
1344 goto end;
1345
38b051a1
TM		 1346 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1347 goto end;
1348
e1fdd526 1349 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1350 goto end;
1351
1352 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1353 SSL_ERROR_NONE)))
7c3a7561
BP		 1354 goto end;
1355
38b051a1 1356 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1357 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1358 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1359 "TLS 1.2", cipher);
1360 goto end;
1361 }
1362
c9007bda 1363 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1364 goto end;
1365
7c3a7561
BP		 1366 out = BIO_new_file(tmpfilename, "wb");
1367 if (!TEST_ptr(out))
1368 goto end;
1369
1370 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1371 goto end;
1372
1373 BIO_free(out);
1374 out = NULL;
1375 in = BIO_new_file(tmpfilename, "rb");
1376 BIO_get_fp(in, &ffdp);
1377 ffd = fileno(ffdp);
1378
1379 while (chunk_off < SENDFILE_SZ) {
1380 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1381 while ((err = SSL_sendfile(serverssl,
1382 ffd,
1383 chunk_off,
1384 chunk_size,
1385 0)) != chunk_size) {
1386 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1387 goto end;
1388 }
1389 while ((err = SSL_read(clientssl,
1390 buf_dst + chunk_off,
1391 chunk_size)) != chunk_size) {
1392 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1393 goto end;
1394 }
1395
1396 /* verify the payload */
1397 if (!TEST_mem_eq(buf_dst + chunk_off,
1398 chunk_size,
1399 buf + chunk_off,
1400 chunk_size))
1401 goto end;
1402
1403 chunk_off += chunk_size;
1404 }
1405
1406 testresult = 1;
1407end:
1408 if (clientssl) {
1409 SSL_shutdown(clientssl);
1410 SSL_free(clientssl);
1411 }
1412 if (serverssl) {
1413 SSL_shutdown(serverssl);
1414 SSL_free(serverssl);
1415 }
1416 SSL_CTX_free(sctx);
1417 SSL_CTX_free(cctx);
1418 serverssl = clientssl = NULL;
1419 BIO_free(out);
1420 BIO_free(in);
e1fdd526
JB		 1421 if (cfd != -1)
1422 close(cfd);
1423 if (sfd != -1)
1424 close(sfd);
7c3a7561
BP		 1425 OPENSSL_free(buf);
1426 OPENSSL_free(buf_dst);
1427 return testresult;
1428}
1429
e1fdd526
JB		 1430static struct ktls_test_cipher {
1431 int tls_version;
1432 const char *cipher;
1433} ktls_test_ciphers[] = {
1434# if !defined(OPENSSL_NO_TLS1_2)
1435# ifdef OPENSSL_KTLS_AES_GCM_128
1436 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1437# endif
1438# ifdef OPENSSL_KTLS_AES_CCM_128
1439 { TLS1_2_VERSION, "AES128-CCM"},
1440# endif
1441# ifdef OPENSSL_KTLS_AES_GCM_256
1442 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1443# endif
11bac1b4
JB		 1444# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1445 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1446# endif
e1fdd526
JB		 1447# endif
1448# if !defined(OSSL_NO_USABLE_TLS1_3)
1449# ifdef OPENSSL_KTLS_AES_GCM_128
1450 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1451# endif
1452# ifdef OPENSSL_KTLS_AES_CCM_128
1453 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1454# endif
1455# ifdef OPENSSL_KTLS_AES_GCM_256
1456 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1457# endif
11bac1b4
JB		 1458# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1459 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1460# endif
e1fdd526
JB		 1461# endif
1462};
1463
1464#define NUM_KTLS_TEST_CIPHERS \
1465 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1466
da4db160
VF		 1467static int test_ktls(int test)
1468{
e1fdd526 1469 struct ktls_test_cipher *cipher;
a3a54179 1470 int cis_ktls, sis_ktls;
da4db160 1471
2cff17fd 1472 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1473 cipher = &ktls_test_ciphers[test / 4];
da4db160 1474
a3a54179
MC		 1475 cis_ktls = (test & 1) != 0;
1476 sis_ktls = (test & 2) != 0;
cd03b5dc 1477
e1fdd526
JB		 1478 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1479 cipher->cipher);
2fab79af
BP		 1480}
1481
e1fdd526 1482static int test_ktls_sendfile(int tst)
fe5d9450 1483{
e1fdd526 1484 struct ktls_test_cipher *cipher;
da4db160 1485
2cff17fd 1486 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1487 cipher = &ktls_test_ciphers[tst];
da4db160 1488
e1fdd526 1489 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
fe5d9450 1490}
fe5d9450
BP		 1491#endif
1492
84d5549e
MC		 1493static int test_large_message_tls(void)
1494{
7856332e 1495 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1496 TLS1_VERSION, 0, 0);
7856332e
MC		 1497}
1498
1499static int test_large_message_tls_read_ahead(void)
1500{
1501 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1502 TLS1_VERSION, 0, 1);
84d5549e
MC		 1503}
1504
55386bef 1505#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1506static int test_large_message_dtls(void)
1507{
8ce390e1
MC		 1508# ifdef OPENSSL_NO_DTLS1_2
1509 /* Not supported in the FIPS provider */
1510 if (is_fips)
1511 return 1;
1512# endif
7856332e
MC		 1513 /*
1514 * read_ahead is not relevant to DTLS because DTLS always acts as if
1515 * read_ahead is set.
1516 */
84d5549e 1517 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1518 DTLS_client_method(),
5c587fb6 1519 DTLS1_VERSION, 0, 0);
84d5549e 1520}
55386bef 1521#endif
84d5549e 1522
163b8016
ME		 1523static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1524 const SSL_METHOD *cmeth,
1525 int min_version, int max_version)
1526{
1527 size_t i;
1528 SSL_CTX *cctx = NULL, *sctx = NULL;
1529 SSL *clientssl = NULL, *serverssl = NULL;
1530 int testresult = 0;
163b8016 1531 void *zbuf;
38b051a1 1532 SSL_CONNECTION *serversc;
eddb067e 1533 TLS_RECORD *rr;
163b8016
ME		 1534
1535 static unsigned char cbuf[16000];
1536 static unsigned char sbuf[16000];
1537
1538 if (!TEST_true(create_ssl_ctx_pair(libctx,
1539 smeth, cmeth,
1540 min_version, max_version,
1541 &sctx, &cctx, cert,
1542 privkey)))
1543 goto end;
1544
8ce390e1
MC		 1545#ifdef OPENSSL_NO_DTLS1_2
1546 if (smeth == DTLS_server_method()) {
1547# ifdef OPENSSL_NO_DTLS1_2
1548 /* Not supported in the FIPS provider */
1549 if (is_fips) {
1550 testresult = 1;
1551 goto end;
1552 };
1553# endif
1554 /*
1555 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1556 * level 0
1557 */
1558 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1559 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1560 "DEFAULT:@SECLEVEL=0")))
1561 goto end;
1562 }
1563#endif
1564
163b8016
ME		 1565 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1566 NULL, NULL)))
1567 goto end;
1568
1569 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1570 goto end;
1571
1572 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1573 SSL_ERROR_NONE)))
1574 goto end;
1575
1576 for (i = 0; i < sizeof(cbuf); i++) {
1577 cbuf[i] = i & 0xff;
1578 }
1579
1580 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1581 goto end;
1582
1583 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1584 goto end;
1585
1586 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1587 goto end;
1588
1589 /*
1590 * Since we called SSL_peek(), we know the data in the record
1591 * layer is a plaintext record. We can gather the pointer to check
1592 * for zeroization after SSL_read().
1593 */
38b051a1
TM		 1594 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1595 goto end;
eddb067e 1596 rr = serversc->rlayer.tlsrecs;
4030869d 1597
eddb067e
MC		 1598 zbuf = &rr->data[rr->off];
1599 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1600 goto end;
163b8016
ME		 1601
1602 /*
1603 * After SSL_peek() the plaintext must still be stored in the
1604 * record.
1605 */
1606 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1607 goto end;
1608
1609 memset(sbuf, 0, sizeof(sbuf));
1610 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1611 goto end;
1612
1613 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1614 goto end;
1615
1616 /* Check if rbuf is cleansed */
1617 memset(cbuf, 0, sizeof(cbuf));
1618 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1619 goto end;
1620
1621 testresult = 1;
1622 end:
1623 SSL_free(serverssl);
1624 SSL_free(clientssl);
1625 SSL_CTX_free(sctx);
1626 SSL_CTX_free(cctx);
1627
1628 return testresult;
1629}
1630
1631static int test_cleanse_plaintext(void)
1632{
1633#if !defined(OPENSSL_NO_TLS1_2)
1634 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1635 TLS_client_method(),
1636 TLS1_2_VERSION,
1637 TLS1_2_VERSION)))
1638 return 0;
1639
1640#endif
1641
a763ca11 1642#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1643 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1644 TLS_client_method(),
1645 TLS1_3_VERSION,
1646 TLS1_3_VERSION)))
1647 return 0;
1648#endif
1649
1650#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1651
163b8016
ME		 1652 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1653 DTLS_client_method(),
1654 DTLS1_VERSION,
1655 0)))
1656 return 0;
1657#endif
1658 return 1;
1659}
1660
8f8c11d8 1661#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1662static int ocsp_server_cb(SSL *s, void *arg)
1663{
1664 int *argi = (int *)arg;
710756a9 1665 unsigned char *copy = NULL;
ba881d3b
MC		 1666 STACK_OF(OCSP_RESPID) *ids = NULL;
1667 OCSP_RESPID *id = NULL;
1668
1669 if (*argi == 2) {
1670 /* In this test we are expecting exactly 1 OCSP_RESPID */
1671 SSL_get_tlsext_status_ids(s, &ids);
1672 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1673 return SSL_TLSEXT_ERR_ALERT_FATAL;
1674
1675 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1676 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1677 return SSL_TLSEXT_ERR_ALERT_FATAL;
1678 } else if (*argi != 1) {
1679 return SSL_TLSEXT_ERR_ALERT_FATAL;
1680 }
1681
710756a9 1682 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1683 return SSL_TLSEXT_ERR_ALERT_FATAL;
1684
711d5a2f
P		 1685 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1686 sizeof(orespder)))) {
1687 OPENSSL_free(copy);
1688 return SSL_TLSEXT_ERR_ALERT_FATAL;
1689 }
ba881d3b 1690 ocsp_server_called = 1;
ba881d3b
MC		 1691 return SSL_TLSEXT_ERR_OK;
1692}
1693
1694static int ocsp_client_cb(SSL *s, void *arg)
1695{
1696 int *argi = (int *)arg;
1697 const unsigned char *respderin;
1698 size_t len;
1699
1700 if (*argi != 1 && *argi != 2)
1701 return 0;
1702
1703 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1704 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1705 return 0;
1706
1707 ocsp_client_called = 1;
ba881d3b
MC		 1708 return 1;
1709}
1710
2cb4b5f6
MC		 1711static int test_tlsext_status_type(void)
1712{
ba881d3b
MC		 1713 SSL_CTX *cctx = NULL, *sctx = NULL;
1714 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1715 int testresult = 0;
ba881d3b
MC		 1716 STACK_OF(OCSP_RESPID) *ids = NULL;
1717 OCSP_RESPID *id = NULL;
1718 BIO *certbio = NULL;
2cb4b5f6 1719
5e30f2fd 1720 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1721 TLS1_VERSION, 0,
7d7f6834 1722 &sctx, &cctx, cert, privkey))
ba881d3b 1723 return 0;
2cb4b5f6 1724
710756a9 1725 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1726 goto end;
2cb4b5f6 1727
ba881d3b 1728 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1729
ba881d3b 1730 clientssl = SSL_new(cctx);
710756a9
RS		 1731 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1732 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1733 TLSEXT_STATUSTYPE_ocsp))
1734 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1735 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1736 goto end;
2cb4b5f6 1737
ba881d3b
MC		 1738 SSL_free(clientssl);
1739 clientssl = NULL;
2cb4b5f6 1740
710756a9
RS		 1741 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1742 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1743 goto end;
2cb4b5f6 1744
ba881d3b 1745 clientssl = SSL_new(cctx);
710756a9 1746 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1747 goto end;
ba881d3b
MC		 1748 SSL_free(clientssl);
1749 clientssl = NULL;
1750
1751 /*
1752 * Now actually do a handshake and check OCSP information is exchanged and
1753 * the callbacks get called
1754 */
ba881d3b
MC		 1755 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1756 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1757 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1758 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1759 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1760 &clientssl, NULL, NULL))
1761 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1762 SSL_ERROR_NONE))
1763 || !TEST_true(ocsp_client_called)
1764 || !TEST_true(ocsp_server_called))
ba881d3b 1765 goto end;
ba881d3b
MC		 1766 SSL_free(serverssl);
1767 SSL_free(clientssl);
1768 serverssl = NULL;
1769 clientssl = NULL;
1770
1771 /* Try again but this time force the server side callback to fail */
1772 ocsp_client_called = 0;
1773 ocsp_server_called = 0;
1774 cdummyarg = 0;
710756a9
RS		 1775 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1776 &clientssl, NULL, NULL))
1777 /* This should fail because the callback will fail */
1778 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1779 SSL_ERROR_NONE))
1780 || !TEST_false(ocsp_client_called)
1781 || !TEST_false(ocsp_server_called))
ba881d3b 1782 goto end;
ba881d3b
MC		 1783 SSL_free(serverssl);
1784 SSL_free(clientssl);
1785 serverssl = NULL;
1786 clientssl = NULL;
1787
1788 /*
1789 * This time we'll get the client to send an OCSP_RESPID that it will
1790 * accept.
1791 */
1792 ocsp_client_called = 0;
1793 ocsp_server_called = 0;
1794 cdummyarg = 2;
710756a9
RS		 1795 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1796 &clientssl, NULL, NULL)))
ba881d3b 1797 goto end;
ba881d3b
MC		 1798
1799 /*
1800 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1801 * specific one. We'll use the server cert.
ba881d3b 1802 */
710756a9
RS		 1803 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1804 || !TEST_ptr(id = OCSP_RESPID_new())
1805 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1806 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1807 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1808 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1809 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1810 goto end;
ba881d3b
MC		 1811 id = NULL;
1812 SSL_set_tlsext_status_ids(clientssl, ids);
1813 /* Control has been transferred */
1814 ids = NULL;
1815
1816 BIO_free(certbio);
1817 certbio = NULL;
1818
710756a9
RS		 1819 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1820 SSL_ERROR_NONE))
1821 || !TEST_true(ocsp_client_called)
1822 || !TEST_true(ocsp_server_called))
ba881d3b 1823 goto end;
ba881d3b 1824
2cb4b5f6
MC		 1825 testresult = 1;
1826
1827 end:
ba881d3b
MC		 1828 SSL_free(serverssl);
1829 SSL_free(clientssl);
1830 SSL_CTX_free(sctx);
1831 SSL_CTX_free(cctx);
1832 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1833 OCSP_RESPID_free(id);
1834 BIO_free(certbio);
1835 X509_free(ocspcert);
1836 ocspcert = NULL;
2cb4b5f6
MC		 1837
1838 return testresult;
1839}
8f8c11d8 1840#endif
2cb4b5f6 1841
a763ca11 1842#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1843static int new_called, remove_called, get_called;
eaa776da 1844
eaa776da
MC		 1845static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1846{
1847 new_called++;
c0537ebd
MC		 1848 /*
1849 * sess has been up-refed for us, but we don't actually need it so free it
1850 * immediately.
1851 */
1852 SSL_SESSION_free(sess);
eaa776da
MC		 1853 return 1;
1854}
1855
1856static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1857{
1858 remove_called++;
1859}
1860
7a301f08
MC		 1861static SSL_SESSION *get_sess_val = NULL;
1862
1863static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1864 int *copy)
1865{
0afca811 1866 get_called++;
7a301f08
MC		 1867 *copy = 1;
1868 return get_sess_val;
1869}
1870
7a301f08 1871static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1872 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1873{
1874 SSL_CTX *sctx = NULL, *cctx = NULL;
1875 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1876 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1877# ifndef OPENSSL_NO_TLS1_1
eaa776da 1878 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1879# endif
2cb4b5f6 1880 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1881 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1882
7e885b7b
P		 1883 new_called = remove_called = 0;
1884
36ff232c
MC		 1885 /* TLSv1.3 sends 2 NewSessionTickets */
1886 if (maxprot == TLS1_3_VERSION)
1887 numnewsesstick = 2;
1888
5e30f2fd
MC		 1889 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1890 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1891 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1892 return 0;
2cb4b5f6 1893
7a301f08
MC		 1894 /*
1895 * Only allow the max protocol version so we can force a connection failure
1896 * later
1897 */
1898 SSL_CTX_set_min_proto_version(cctx, maxprot);
1899 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1900
1901 /* Set up session cache */
7e885b7b 1902 if (use_ext_cache) {
eaa776da
MC		 1903 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1904 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1905 }
7e885b7b 1906 if (use_int_cache) {
eaa776da
MC		 1907 /* Also covers instance where both are set */
1908 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1909 } else {
1910 SSL_CTX_set_session_cache_mode(cctx,
1911 SSL_SESS_CACHE_CLIENT
1912 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1913 }
2cb4b5f6 1914
90fc2c26
NM		 1915 if (s_options) {
1916 SSL_CTX_set_options(sctx, s_options);
1917 }
1918
710756a9
RS		 1919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1920 NULL, NULL))
1921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1922 SSL_ERROR_NONE))
1923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1924 goto end;
2cb4b5f6 1925
710756a9 1926 /* Should fail because it should already be in the cache */
7e885b7b 1927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1928 goto end;
7a301f08 1929 if (use_ext_cache
36ff232c
MC		 1930 && (!TEST_int_eq(new_called, numnewsesstick)
1931
1932 || !TEST_int_eq(remove_called, 0)))
b4982125 1933 goto end;
b4982125 1934
c0537ebd
MC		 1935 new_called = remove_called = 0;
1936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1937 &clientssl2, NULL, NULL))
1938 || !TEST_true(SSL_set_session(clientssl2, sess1))
1939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1940 SSL_ERROR_NONE))
1941 || !TEST_true(SSL_session_reused(clientssl2)))
1942 goto end;
1943
7a301f08
MC		 1944 if (maxprot == TLS1_3_VERSION) {
1945 /*
1946 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1947 * resumed. Since we attempted a resume we should also have removed the
1948 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1949 */
1950 if (use_ext_cache
1951 && (!TEST_int_eq(new_called, 1)
4cb00457 1952 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1953 goto end;
1954 } else {
1955 /*
1956 * In TLSv1.2 we expect to have resumed so no sessions added or
1957 * removed.
1958 */
1959 if (use_ext_cache
1960 && (!TEST_int_eq(new_called, 0)
1961 || !TEST_int_eq(remove_called, 0)))
1962 goto end;
1963 }
c0537ebd
MC		 1964
1965 SSL_SESSION_free(sess1);
1966 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1967 goto end;
1968 shutdown_ssl_connection(serverssl2, clientssl2);
1969 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1970
1971 new_called = remove_called = 0;
710756a9
RS		 1972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1973 &clientssl2, NULL, NULL))
1974 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1975 SSL_ERROR_NONE)))
2cb4b5f6 1976 goto end;
2cb4b5f6 1977
710756a9 1978 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1979 goto end;
2cb4b5f6 1980
7a301f08 1981 if (use_ext_cache
36ff232c
MC		 1982 && (!TEST_int_eq(new_called, numnewsesstick)
1983 || !TEST_int_eq(remove_called, 0)))
eaa776da 1984 goto end;
eaa776da 1985
c0537ebd 1986 new_called = remove_called = 0;
2cb4b5f6 1987 /*
710756a9
RS		 1988 * This should clear sess2 from the cache because it is a "bad" session.
1989 * See SSL_set_session() documentation.
2cb4b5f6 1990 */
710756a9 1991 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1992 goto end;
7a301f08
MC		 1993 if (use_ext_cache
1994 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1995 goto end;
710756a9 1996 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1997 goto end;
2cb4b5f6 1998
7e885b7b 1999 if (use_int_cache) {
710756a9
RS		 2000 /* Should succeeded because it should not already be in the cache */
2001 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2002 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2003 goto end;
eaa776da
MC		 2004 }
2005
c0537ebd 2006 new_called = remove_called = 0;
eaa776da 2007 /* This shouldn't be in the cache so should fail */
710756a9 2008 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2009 goto end;
2cb4b5f6 2010
7a301f08
MC		 2011 if (use_ext_cache
2012 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2013 goto end;
2cb4b5f6 2014
bf208d95 2015# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2016 new_called = remove_called = 0;
eaa776da
MC		 2017 /* Force a connection failure */
2018 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2020 &clientssl3, NULL, NULL))
2021 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2022 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2023 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2024 SSL_ERROR_NONE)))
eaa776da 2025 goto end;
b4982125 2026
eaa776da 2027 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2028 if (use_ext_cache
2029 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2030 goto end;
2cb4b5f6 2031
710756a9 2032 /* Should succeed because it should not already be in the cache */
7e885b7b 2033 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2034 goto end;
bf208d95 2035# endif
eaa776da 2036
7a301f08
MC		 2037 /* Now do some tests for server side caching */
2038 if (use_ext_cache) {
2039 SSL_CTX_sess_set_new_cb(cctx, NULL);
2040 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2041 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2042 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2043 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2044 get_sess_val = NULL;
2045 }
2046
2047 SSL_CTX_set_session_cache_mode(cctx, 0);
2048 /* Internal caching is the default on the server side */
2049 if (!use_int_cache)
2050 SSL_CTX_set_session_cache_mode(sctx,
2051 SSL_SESS_CACHE_SERVER
2052 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2053
2054 SSL_free(serverssl1);
2055 SSL_free(clientssl1);
2056 serverssl1 = clientssl1 = NULL;
2057 SSL_free(serverssl2);
2058 SSL_free(clientssl2);
2059 serverssl2 = clientssl2 = NULL;
2060 SSL_SESSION_free(sess1);
2061 sess1 = NULL;
2062 SSL_SESSION_free(sess2);
2063 sess2 = NULL;
2064
2065 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2066 if (maxprot == TLS1_2_VERSION)
2067 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2068 new_called = remove_called = get_called = 0;
7a301f08
MC		 2069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2070 NULL, NULL))
2071 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2072 SSL_ERROR_NONE))
2073 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2074 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2075 goto end;
2076
ee94ec2e
MC		 2077 if (use_int_cache) {
2078 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2079 /*
2080 * In TLSv1.3 it should not have been added to the internal cache,
2081 * except in the case where we also have an external cache (in that
2082 * case it gets added to the cache in order to generate remove
2083 * events after timeout).
2084 */
2085 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2086 goto end;
2087 } else {
2088 /* Should fail because it should already be in the cache */
2089 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2090 goto end;
2091 }
2092 }
7a301f08
MC		 2093
2094 if (use_ext_cache) {
2095 SSL_SESSION *tmp = sess2;
2096
36ff232c 2097 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2098 || !TEST_int_eq(remove_called, 0)
2099 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2100 goto end;
2101 /*
2102 * Delete the session from the internal cache to force a lookup from
2103 * the external cache. We take a copy first because
2104 * SSL_CTX_remove_session() also marks the session as non-resumable.
2105 */
ee94ec2e 2106 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2107 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2108 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2109 goto end;
2110 SSL_SESSION_free(sess2);
2111 }
7a301f08
MC		 2112 sess2 = tmp;
2113 }
2114
0afca811 2115 new_called = remove_called = get_called = 0;
7a301f08
MC		 2116 get_sess_val = sess2;
2117 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2118 &clientssl2, NULL, NULL))
2119 || !TEST_true(SSL_set_session(clientssl2, sess1))
2120 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2121 SSL_ERROR_NONE))
2122 || !TEST_true(SSL_session_reused(clientssl2)))
2123 goto end;
2124
0afca811 2125 if (use_ext_cache) {
32305f88 2126 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2127 goto end;
2128
2129 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2130 if (!TEST_int_eq(new_called, 1)
2131 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2132 goto end;
2133 } else {
32305f88
MC		 2134 if (!TEST_int_eq(new_called, 0)
2135 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2136 goto end;
2137 }
2138 }
4842a27b
TS		 2139 /*
2140 * Make a small cache, force out all other sessions but
2141 * sess2, try to add sess1, which should succeed. Then
2142 * make sure it's there by checking the owners. Despite
2143 * the timeouts, sess1 should have kicked out sess2
2144 */
2145
2146 /* Make sess1 expire before sess2 */
2147 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2148 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2149 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2150 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2151 goto end;
2152
2153 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2154 goto end;
2155
2156 /* Don't care about results - cache should only be sess2 at end */
2157 SSL_CTX_add_session(sctx, sess1);
2158 SSL_CTX_add_session(sctx, sess2);
2159
2160 /* Now add sess1, and make sure it remains, despite timeout */
2161 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2162 || !TEST_ptr(sess1->owner)
2163 || !TEST_ptr_null(sess2->owner))
2164 goto end;
7a301f08 2165
2cb4b5f6 2166 testresult = 1;
eaa776da 2167
2cb4b5f6
MC		 2168 end:
2169 SSL_free(serverssl1);
2170 SSL_free(clientssl1);
2171 SSL_free(serverssl2);
2172 SSL_free(clientssl2);
bf208d95 2173# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2174 SSL_free(serverssl3);
2175 SSL_free(clientssl3);
bf208d95 2176# endif
2cb4b5f6
MC		 2177 SSL_SESSION_free(sess1);
2178 SSL_SESSION_free(sess2);
2179 SSL_CTX_free(sctx);
2180 SSL_CTX_free(cctx);
2181
2182 return testresult;
2183}
a763ca11 2184#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2185
7fb4c820
MC		 2186static int test_session_with_only_int_cache(void)
2187{
a763ca11 2188#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2189 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2190 return 0;
2191#endif
2192
2193#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2194 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2195#else
2196 return 1;
2197#endif
eaa776da
MC		 2198}
2199
7fb4c820
MC		 2200static int test_session_with_only_ext_cache(void)
2201{
a763ca11 2202#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2203 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2204 return 0;
2205#endif
2206
2207#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2208 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2209#else
2210 return 1;
2211#endif
eaa776da
MC		 2212}
2213
7fb4c820
MC		 2214static int test_session_with_both_cache(void)
2215{
a763ca11 2216#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2217 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2218 return 0;
2219#endif
2220
2221#ifndef OPENSSL_NO_TLS1_2
2222 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2223#else
2224 return 1;
2225#endif
2226}
2227
2228static int test_session_wo_ca_names(void)
2229{
a763ca11 2230#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2231 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2232 return 0;
2233#endif
2234
2235#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2236 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2237#else
2238 return 1;
2239#endif
eaa776da
MC		 2240}
2241
90fc2c26 2242
a763ca11 2243#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2244static SSL_SESSION *sesscache[6];
2245static int do_cache;
36ff232c
MC		 2246
2247static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2248{
c22365b3
MC		 2249 if (do_cache) {
2250 sesscache[new_called] = sess;
2251 } else {
2252 /* We don't need the reference to the session, so free it */
2253 SSL_SESSION_free(sess);
2254 }
2255 new_called++;
2256
2257 return 1;
2258}
2259
2260static int post_handshake_verify(SSL *sssl, SSL *cssl)
2261{
2262 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2263 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2264 return 0;
2265
2266 /* Start handshake on the server and client */
2267 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2268 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2269 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2270 || !TEST_true(create_ssl_connection(sssl, cssl,
2271 SSL_ERROR_NONE)))
2272 return 0;
36ff232c
MC		 2273
2274 return 1;
2275}
2276
fbe9dafd 2277static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2278 SSL_CTX **cctx)
2279{
2280 int sess_id_ctx = 1;
2281
5e30f2fd
MC		 2282 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2283 TLS_client_method(), TLS1_VERSION, 0,
2284 sctx, cctx, cert, privkey))
03cdf559
MC		 2285 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2286 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2287 (void *)&sess_id_ctx,
2288 sizeof(sess_id_ctx))))
2289 return 0;
2290
2291 if (stateful)
2292 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2293
2294 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2295 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2296 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2297
2298 return 1;
2299}
2300
2301static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2302{
2303 SSL *serverssl = NULL, *clientssl = NULL;
2304 int i;
2305
2306 /* Test that we can resume with all the tickets we got given */
2307 for (i = 0; i < idx * 2; i++) {
2308 new_called = 0;
2309 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2310 &clientssl, NULL, NULL))
2311 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2312 goto end;
2313
32097b33 2314 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2315
2316 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2317 SSL_ERROR_NONE)))
2318 goto end;
2319
2320 /*
2321 * Following a successful resumption we only get 1 ticket. After a
2322 * failed one we should get idx tickets.
2323 */
2324 if (succ) {
2325 if (!TEST_true(SSL_session_reused(clientssl))
2326 || !TEST_int_eq(new_called, 1))
2327 goto end;
2328 } else {
2329 if (!TEST_false(SSL_session_reused(clientssl))
2330 || !TEST_int_eq(new_called, idx))
2331 goto end;
2332 }
2333
2334 new_called = 0;
2335 /* After a post-handshake authentication we should get 1 new ticket */
2336 if (succ
2337 && (!post_handshake_verify(serverssl, clientssl)
2338 || !TEST_int_eq(new_called, 1)))
2339 goto end;
2340
2341 SSL_shutdown(clientssl);
2342 SSL_shutdown(serverssl);
2343 SSL_free(serverssl);
2344 SSL_free(clientssl);
2345 serverssl = clientssl = NULL;
2346 SSL_SESSION_free(sesscache[i]);
2347 sesscache[i] = NULL;
2348 }
2349
2350 return 1;
2351
2352 end:
2353 SSL_free(clientssl);
2354 SSL_free(serverssl);
2355 return 0;
2356}
2357
04d7814a 2358static int test_tickets(int stateful, int idx)
36ff232c
MC		 2359{
2360 SSL_CTX *sctx = NULL, *cctx = NULL;
2361 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2362 int testresult = 0;
36ff232c
MC		 2363 size_t j;
2364
2365 /* idx is the test number, but also the number of tickets we want */
2366
2367 new_called = 0;
c22365b3 2368 do_cache = 1;
36ff232c 2369
fbe9dafd 2370 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2371 goto end;
2372
03cdf559
MC		 2373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2374 &clientssl, NULL, NULL)))
2375 goto end;
2376
2377 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2378 SSL_ERROR_NONE))
2379 /* Check we got the number of tickets we were expecting */
2380 || !TEST_int_eq(idx, new_called))
2381 goto end;
04d7814a 2382
03cdf559
MC		 2383 SSL_shutdown(clientssl);
2384 SSL_shutdown(serverssl);
2385 SSL_free(serverssl);
2386 SSL_free(clientssl);
2387 SSL_CTX_free(sctx);
2388 SSL_CTX_free(cctx);
2389 clientssl = serverssl = NULL;
2390 sctx = cctx = NULL;
2391
2392 /*
2393 * Now we try to resume with the tickets we previously created. The
2394 * resumption attempt is expected to fail (because we're now using a new
2395 * SSL_CTX). We should see idx number of tickets issued again.
2396 */
2397
2398 /* Stop caching sessions - just count them */
2399 do_cache = 0;
2400
fbe9dafd 2401 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2402 goto end;
2403
2404 if (!check_resumption(idx, sctx, cctx, 0))
2405 goto end;
2406
2407 /* Start again with caching sessions */
2408 new_called = 0;
2409 do_cache = 1;
fbe9dafd
MC		 2410 SSL_CTX_free(sctx);
2411 SSL_CTX_free(cctx);
2412 sctx = cctx = NULL;
03cdf559 2413
fbe9dafd 2414 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2415 goto end;
36ff232c
MC		 2416
2417 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2418 &clientssl, NULL, NULL)))
2419 goto end;
2420
32097b33 2421 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2422
2423 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2424 SSL_ERROR_NONE))
2425 /* Check we got the number of tickets we were expecting */
2426 || !TEST_int_eq(idx, new_called))
2427 goto end;
2428
2429 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2430 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2431 || !TEST_int_eq(idx * 2, new_called))
2432 goto end;
2433
36ff232c
MC		 2434 SSL_shutdown(clientssl);
2435 SSL_shutdown(serverssl);
2436 SSL_free(serverssl);
2437 SSL_free(clientssl);
2438 serverssl = clientssl = NULL;
2439
c22365b3
MC		 2440 /* Stop caching sessions - just count them */
2441 do_cache = 0;
2442
03cdf559
MC		 2443 /*
2444 * Check we can resume with all the tickets we created. This time around the
2445 * resumptions should all be successful.
2446 */
2447 if (!check_resumption(idx, sctx, cctx, 1))
2448 goto end;
36ff232c
MC		 2449
2450 testresult = 1;
2451
2452 end:
2453 SSL_free(serverssl);
2454 SSL_free(clientssl);
c22365b3 2455 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2456 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2457 sesscache[j] = NULL;
2458 }
36ff232c
MC		 2459 SSL_CTX_free(sctx);
2460 SSL_CTX_free(cctx);
2461
2462 return testresult;
2463}
04d7814a
MC		 2464
2465static int test_stateless_tickets(int idx)
2466{
2467 return test_tickets(0, idx);
2468}
2469
2470static int test_stateful_tickets(int idx)
2471{
2472 return test_tickets(1, idx);
2473}
8614a4eb
MC		 2474
2475static int test_psk_tickets(void)
2476{
2477 SSL_CTX *sctx = NULL, *cctx = NULL;
2478 SSL *serverssl = NULL, *clientssl = NULL;
2479 int testresult = 0;
2480 int sess_id_ctx = 1;
2481
5e30f2fd
MC		 2482 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2483 TLS_client_method(), TLS1_VERSION, 0,
2484 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2485 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2486 (void *)&sess_id_ctx,
2487 sizeof(sess_id_ctx))))
2488 goto end;
2489
2490 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2491 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2492 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2493 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2494 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2495 use_session_cb_cnt = 0;
2496 find_session_cb_cnt = 0;
2497 srvid = pskid;
2498 new_called = 0;
2499
2500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2501 NULL, NULL)))
2502 goto end;
2503 clientpsk = serverpsk = create_a_psk(clientssl);
2504 if (!TEST_ptr(clientpsk))
2505 goto end;
2506 SSL_SESSION_up_ref(clientpsk);
2507
2508 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2509 SSL_ERROR_NONE))
2510 || !TEST_int_eq(1, find_session_cb_cnt)
2511 || !TEST_int_eq(1, use_session_cb_cnt)
2512 /* We should always get 1 ticket when using external PSK */
2513 || !TEST_int_eq(1, new_called))
2514 goto end;
2515
2516 testresult = 1;
2517
2518 end:
2519 SSL_free(serverssl);
2520 SSL_free(clientssl);
2521 SSL_CTX_free(sctx);
2522 SSL_CTX_free(cctx);
2523 SSL_SESSION_free(clientpsk);
2524 SSL_SESSION_free(serverpsk);
2525 clientpsk = serverpsk = NULL;
2526
2527 return testresult;
2528}
f0049b86
BK		 2529
2530static int test_extra_tickets(int idx)
2531{
2532 SSL_CTX *sctx = NULL, *cctx = NULL;
2533 SSL *serverssl = NULL, *clientssl = NULL;
2534 BIO *bretry = BIO_new(bio_s_always_retry());
2535 BIO *tmp = NULL;
2536 int testresult = 0;
2537 int stateful = 0;
2538 size_t nbytes;
2539 unsigned char c, buf[1];
2540
2541 new_called = 0;
2542 do_cache = 1;
2543
2544 if (idx >= 3) {
2545 idx -= 3;
2546 stateful = 1;
2547 }
2548
2549 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2550 goto end;
2551 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2552 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2553 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2554
2555 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2556 &clientssl, NULL, NULL)))
2557 goto end;
2558
2559 /*
2560 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2561 * incremented by both client and server.
2562 */
2563 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2564 SSL_ERROR_NONE))
2565 /* Check we got the number of tickets we were expecting */
2566 || !TEST_int_eq(idx * 2, new_called)
2567 || !TEST_true(SSL_new_session_ticket(serverssl))
2568 || !TEST_true(SSL_new_session_ticket(serverssl))
2569 || !TEST_int_eq(idx * 2, new_called))
2570 goto end;
2571
2572 /* Now try a (real) write to actually send the tickets */
2573 c = '1';
2574 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2575 || !TEST_size_t_eq(1, nbytes)
2576 || !TEST_int_eq(idx * 2 + 2, new_called)
2577 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2578 || !TEST_int_eq(idx * 2 + 4, new_called)
2579 || !TEST_int_eq(sizeof(buf), nbytes)
2580 || !TEST_int_eq(c, buf[0])
2581 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2582 goto end;
2583
2584 /* Try with only requesting one new ticket, too */
2585 c = '2';
2586 new_called = 0;
2587 if (!TEST_true(SSL_new_session_ticket(serverssl))
2588 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2589 || !TEST_size_t_eq(sizeof(c), nbytes)
2590 || !TEST_int_eq(1, new_called)
2591 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2592 || !TEST_int_eq(2, new_called)
2593 || !TEST_size_t_eq(sizeof(buf), nbytes)
2594 || !TEST_int_eq(c, buf[0]))
2595 goto end;
2596
2597 /* Do it again but use dummy writes to drive the ticket generation */
2598 c = '3';
2599 new_called = 0;
2600 if (!TEST_true(SSL_new_session_ticket(serverssl))
2601 || !TEST_true(SSL_new_session_ticket(serverssl))
2602 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2603 || !TEST_size_t_eq(0, nbytes)
2604 || !TEST_int_eq(2, new_called)
2605 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2606 || !TEST_int_eq(4, new_called))
2607 goto end;
2608
a0bbcb42
BK		 2609 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2610 c = '4';
2611 new_called = 0;
2612 if (!TEST_true(SSL_new_session_ticket(serverssl))
2613 || !TEST_true(SSL_new_session_ticket(serverssl))
2614 || !TEST_true(SSL_do_handshake(serverssl))
2615 || !TEST_int_eq(2, new_called)
2616 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2617 || !TEST_int_eq(4, new_called))
2618 goto end;
2619
f0049b86
BK		 2620 /*
2621 * Use the always-retry BIO to exercise the logic that forces ticket
2622 * generation to wait until a record boundary.
2623 */
a0bbcb42 2624 c = '5';
f0049b86
BK		 2625 new_called = 0;
2626 tmp = SSL_get_wbio(serverssl);
2627 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2628 tmp = NULL;
2629 goto end;
2630 }
2631 SSL_set0_wbio(serverssl, bretry);
2632 bretry = NULL;
2633 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2634 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2635 || !TEST_size_t_eq(nbytes, 0))
2636 goto end;
2637 /* Restore a BIO that will let the write succeed */
2638 SSL_set0_wbio(serverssl, tmp);
2639 tmp = NULL;
a0bbcb42
BK		 2640 /*
2641 * These calls should just queue the request and not send anything
2642 * even if we explicitly try to hit the state machine.
2643 */
f0049b86
BK		 2644 if (!TEST_true(SSL_new_session_ticket(serverssl))
2645 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2646 || !TEST_int_eq(0, new_called)
2647 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2648 || !TEST_int_eq(0, new_called))
2649 goto end;
2650 /* Re-do the write; still no tickets sent */
2651 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2652 || !TEST_size_t_eq(1, nbytes)
2653 || !TEST_int_eq(0, new_called)
2654 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2655 || !TEST_int_eq(0, new_called)
2656 || !TEST_int_eq(sizeof(buf), nbytes)
2657 || !TEST_int_eq(c, buf[0])
2658 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2659 goto end;
a0bbcb42
BK		 2660 /* Even trying to hit the state machine now will still not send tickets */
2661 if (!TEST_true(SSL_do_handshake(serverssl))
2662 || !TEST_int_eq(0, new_called))
2663 goto end;
f0049b86 2664 /* Now the *next* write should send the tickets */
a0bbcb42 2665 c = '6';
f0049b86
BK		 2666 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2667 || !TEST_size_t_eq(1, nbytes)
2668 || !TEST_int_eq(2, new_called)
2669 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2670 || !TEST_int_eq(4, new_called)
2671 || !TEST_int_eq(sizeof(buf), nbytes)
2672 || !TEST_int_eq(c, buf[0])
2673 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2674 goto end;
2675
2676 SSL_shutdown(clientssl);
2677 SSL_shutdown(serverssl);
2678 testresult = 1;
2679
2680 end:
2681 BIO_free(bretry);
2682 BIO_free(tmp);
2683 SSL_free(serverssl);
2684 SSL_free(clientssl);
2685 SSL_CTX_free(sctx);
2686 SSL_CTX_free(cctx);
2687 clientssl = serverssl = NULL;
2688 sctx = cctx = NULL;
2689 return testresult;
2690}
04225915 2691#endif
36ff232c 2692
7d4488bb
MC		 2693#define USE_NULL 0
2694#define USE_BIO_1 1
2695#define USE_BIO_2 2
2696#define USE_DEFAULT 3
2697
2698#define CONNTYPE_CONNECTION_SUCCESS 0
2699#define CONNTYPE_CONNECTION_FAIL 1
2700#define CONNTYPE_NO_CONNECTION 2
2701
2702#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2703#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2704#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2705# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2706#else
2707# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2708#endif
2709
7d4488bb
MC		 2710#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2711 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2712 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2713
2714static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2715{
2716 switch (type) {
2717 case USE_NULL:
2718 *res = NULL;
2719 break;
2720 case USE_BIO_1:
2721 *res = bio1;
2722 break;
2723 case USE_BIO_2:
2724 *res = bio2;
2725 break;
2726 }
2727}
2728
7d4488bb
MC		 2729
2730/*
2731 * Tests calls to SSL_set_bio() under various conditions.
2732 *
2733 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2734 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2735 * then do more tests where we create a successful connection first using our
2736 * standard connection setup functions, and then call SSL_set_bio() with
2737 * various combinations of valid BIOs or NULL. We then repeat these tests
2738 * following a failed connection. In this last case we are looking to check that
2739 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2740 */
7fb4c820
MC		 2741static int test_ssl_set_bio(int idx)
2742{
7d4488bb 2743 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2744 BIO *bio1 = NULL;
2745 BIO *bio2 = NULL;
0fae8150 2746 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2747 SSL *serverssl = NULL, *clientssl = NULL;
2748 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2749 int testresult = 0;
2750
7d4488bb
MC		 2751 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2752 initrbio = idx % 3;
2753 idx /= 3;
2754 initwbio = idx % 3;
2755 idx /= 3;
2756 newrbio = idx % 3;
2757 idx /= 3;
2758 newwbio = idx % 3;
2759 conntype = CONNTYPE_NO_CONNECTION;
2760 } else {
2761 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2762 initrbio = initwbio = USE_DEFAULT;
2763 newrbio = idx % 2;
2764 idx /= 2;
2765 newwbio = idx % 2;
2766 idx /= 2;
2767 conntype = idx % 2;
2768 }
710756a9 2769
5e30f2fd
MC		 2770 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2771 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2772 &sctx, &cctx, cert, privkey)))
2773 goto end;
2774
2775 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2776 /*
2777 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2778 * because we reduced the number of tests in the definition of
2779 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2780 * mismatched protocol versions we will force a connection failure.
2781 */
2782 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2783 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2784 }
2785
2786 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2787 NULL, NULL)))
710756a9 2788 goto end;
7fb4c820 2789
710756a9
RS		 2790 if (initrbio == USE_BIO_1
2791 || initwbio == USE_BIO_1
2792 || newrbio == USE_BIO_1
7fb4c820 2793 || newwbio == USE_BIO_1) {
710756a9 2794 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2795 goto end;
7fb4c820
MC		 2796 }
2797
710756a9
RS		 2798 if (initrbio == USE_BIO_2
2799 || initwbio == USE_BIO_2
2800 || newrbio == USE_BIO_2
7fb4c820 2801 || newwbio == USE_BIO_2) {
710756a9 2802 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2803 goto end;
7fb4c820
MC		 2804 }
2805
7d4488bb
MC		 2806 if (initrbio != USE_DEFAULT) {
2807 setupbio(&irbio, bio1, bio2, initrbio);
2808 setupbio(&iwbio, bio1, bio2, initwbio);
2809 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2810
7d4488bb
MC		 2811 /*
2812 * We want to maintain our own refs to these BIO, so do an up ref for
2813 * each BIO that will have ownership transferred in the SSL_set_bio()
2814 * call
2815 */
2816 if (irbio != NULL)
2817 BIO_up_ref(irbio);
2818 if (iwbio != NULL && iwbio != irbio)
2819 BIO_up_ref(iwbio);
2820 }
7fb4c820 2821
7d4488bb
MC		 2822 if (conntype != CONNTYPE_NO_CONNECTION
2823 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2824 SSL_ERROR_NONE)
2825 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2826 goto end;
7fb4c820
MC		 2827
2828 setupbio(&nrbio, bio1, bio2, newrbio);
2829 setupbio(&nwbio, bio1, bio2, newwbio);
2830
2831 /*
2832 * We will (maybe) transfer ownership again so do more up refs.
2833 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2834 * already been set!
2835 */
710756a9
RS		 2836 if (nrbio != NULL
2837 && nrbio != irbio
2838 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2839 BIO_up_ref(nrbio);
710756a9
RS		 2840 if (nwbio != NULL
2841 && nwbio != nrbio
2842 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2843 BIO_up_ref(nwbio);
2844
7d4488bb 2845 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2846
2847 testresult = 1;
2848
2849 end:
7fb4c820
MC		 2850 BIO_free(bio1);
2851 BIO_free(bio2);
710756a9 2852
7fb4c820
MC		 2853 /*
2854 * This test is checking that the ref counting for SSL_set_bio is correct.
2855 * If we get here and we did too many frees then we will fail in the above
742ccab3 2856 * functions.
7fb4c820 2857 */
7d4488bb
MC		 2858 SSL_free(serverssl);
2859 SSL_free(clientssl);
2860 SSL_CTX_free(sctx);
2861 SSL_CTX_free(cctx);
7fb4c820
MC		 2862 return testresult;
2863}
2864
7e885b7b 2865typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2866
7e885b7b 2867static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2868{
2869 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2870 SSL_CTX *ctx;
9a716987
MC		 2871 SSL *ssl = NULL;
2872 int testresult = 0;
2873
d8652be0 2874 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2875 || !TEST_ptr(ssl = SSL_new(ctx))
2876 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2877 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2878 goto end;
9a716987
MC		 2879
2880 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2881
2882 /*
742ccab3 2883 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2884 */
2885 BIO_push(sslbio, membio1);
2886
69687aa8 2887 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2888 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2889 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2890 ssl = NULL;
9a716987 2891 goto end;
493e7898 2892 }
7e885b7b 2893 if (change_bio == CHANGE_RBIO)
65e2d672 2894 SSL_set0_rbio(ssl, membio2);
9a716987 2895 else
65e2d672 2896 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2897 }
2898 ssl = NULL;
2899
7e885b7b 2900 if (pop_ssl)
9a716987
MC		 2901 BIO_pop(sslbio);
2902 else
2903 BIO_pop(membio1);
2904
2905 testresult = 1;
2906 end:
2907 BIO_free(membio1);
2908 BIO_free(sslbio);
2909 SSL_free(ssl);
2910 SSL_CTX_free(ctx);
2911
2912 return testresult;
2913}
2914
2915static int test_ssl_bio_pop_next_bio(void)
2916{
7e885b7b 2917 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2918}
2919
2920static int test_ssl_bio_pop_ssl_bio(void)
2921{
7e885b7b 2922 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2923}
2924
2925static int test_ssl_bio_change_rbio(void)
2926{
7e885b7b 2927 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2928}
2929
2930static int test_ssl_bio_change_wbio(void)
2931{
7e885b7b 2932 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2933}
2934
a763ca11 2935#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2936typedef struct {
2937 /* The list of sig algs */
2938 const int *list;
2939 /* The length of the list */
2940 size_t listlen;
2941 /* A sigalgs list in string format */
2942 const char *liststr;
2943 /* Whether setting the list should succeed */
2944 int valid;
2945 /* Whether creating a connection with the list should succeed */
2946 int connsuccess;
2947} sigalgs_list;
2948
2949static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2950# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2951static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2952static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2953# endif
f1b25aae
MC		 2954static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2955static const int invalidlist2[] = {NID_sha256, NID_undef};
2956static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2957static const int invalidlist4[] = {NID_sha256};
2958static const sigalgs_list testsigalgs[] = {
2959 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2960# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2961 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2962 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2963# endif
f1b25aae 2964 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2965# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2966 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2967 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2968# endif
f1b25aae
MC		 2969 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2970 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2971 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2972 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2973 {NULL, 0, "RSA", 0, 0},
2974 {NULL, 0, "SHA256", 0, 0},
2975 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2976 {NULL, 0, "Invalid", 0, 0}
2977};
f1b25aae
MC		 2978
2979static int test_set_sigalgs(int idx)
2980{
2981 SSL_CTX *cctx = NULL, *sctx = NULL;
2982 SSL *clientssl = NULL, *serverssl = NULL;
2983 int testresult = 0;
2984 const sigalgs_list *curr;
2985 int testctx;
2986
2987 /* Should never happen */
710756a9 2988 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2989 return 0;
2990
2991 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2992 curr = testctx ? &testsigalgs[idx]
2993 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2994
5e30f2fd
MC		 2995 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2996 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2997 &sctx, &cctx, cert, privkey)))
f1b25aae 2998 return 0;
f1b25aae 2999
d2e491f2
MC		 3000 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3001
f1b25aae
MC		 3002 if (testctx) {
3003 int ret;
710756a9 3004
f1b25aae
MC		 3005 if (curr->list != NULL)
3006 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3007 else
3008 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3009
3010 if (!ret) {
3011 if (curr->valid)
710756a9 3012 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3013 else
3014 testresult = 1;
3015 goto end;
3016 }
3017 if (!curr->valid) {
710756a9 3018 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3019 goto end;
3020 }
3021 }
3022
710756a9
RS		 3023 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3024 &clientssl, NULL, NULL)))
f1b25aae 3025 goto end;
f1b25aae
MC		 3026
3027 if (!testctx) {
3028 int ret;
3029
3030 if (curr->list != NULL)
3031 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3032 else
3033 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3034 if (!ret) {
3035 if (curr->valid)
710756a9 3036 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3037 else
3038 testresult = 1;
3039 goto end;
3040 }
710756a9 3041 if (!curr->valid)
f1b25aae 3042 goto end;
f1b25aae
MC		 3043 }
3044
710756a9
RS		 3045 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3046 SSL_ERROR_NONE),
3047 curr->connsuccess))
f1b25aae 3048 goto end;
f1b25aae
MC		 3049
3050 testresult = 1;
3051
3052 end:
3053 SSL_free(serverssl);
3054 SSL_free(clientssl);
3055 SSL_CTX_free(sctx);
3056 SSL_CTX_free(cctx);
3057
3058 return testresult;
3059}
c423ecaa 3060#endif
f1b25aae 3061
a763ca11 3062#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3063static int psk_client_cb_cnt = 0;
3064static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3065
3066static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3067 size_t *idlen, SSL_SESSION **sess)
3068{
3069 switch (++use_session_cb_cnt) {
3070 case 1:
3071 /* The first call should always have a NULL md */
3072 if (md != NULL)
3073 return 0;
3074 break;
3075
3076 case 2:
3077 /* The second call should always have an md */
3078 if (md == NULL)
3079 return 0;
3080 break;
3081
3082 default:
3083 /* We should only be called a maximum of twice */
3084 return 0;
3085 }
3086
57dee9bb
MC		 3087 if (clientpsk != NULL)
3088 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3089
57dee9bb 3090 *sess = clientpsk;
02a3ed5a
MC		 3091 *id = (const unsigned char *)pskid;
3092 *idlen = strlen(pskid);
3093
3094 return 1;
3095}
3096
c2b290c3 3097#ifndef OPENSSL_NO_PSK
532f9578
MC		 3098static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3099 unsigned int max_id_len,
3100 unsigned char *psk,
3101 unsigned int max_psk_len)
3102{
3103 unsigned int psklen = 0;
3104
3105 psk_client_cb_cnt++;
3106
3107 if (strlen(pskid) + 1 > max_id_len)
3108 return 0;
3109
3110 /* We should only ever be called a maximum of twice per connection */
3111 if (psk_client_cb_cnt > 2)
3112 return 0;
3113
3114 if (clientpsk == NULL)
3115 return 0;
3116
3117 /* We'll reuse the PSK we set up for TLSv1.3 */
3118 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3119 return 0;
3120 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3121 strncpy(id, pskid, max_id_len);
3122
3123 return psklen;
3124}
c2b290c3 3125#endif /* OPENSSL_NO_PSK */
532f9578 3126
02a3ed5a
MC		 3127static int find_session_cb(SSL *ssl, const unsigned char *identity,
3128 size_t identity_len, SSL_SESSION **sess)
3129{
3130 find_session_cb_cnt++;
3131
3132 /* We should only ever be called a maximum of twice per connection */
3133 if (find_session_cb_cnt > 2)
3134 return 0;
3135
57dee9bb 3136 if (serverpsk == NULL)
02a3ed5a
MC		 3137 return 0;
3138
3139 /* Identity should match that set by the client */
3140 if (strlen(srvid) != identity_len
3141 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3142 /* No PSK found, continue but without a PSK */
3143 *sess = NULL;
3144 return 1;
3145 }
3146
57dee9bb
MC		 3147 SSL_SESSION_up_ref(serverpsk);
3148 *sess = serverpsk;
02a3ed5a
MC		 3149
3150 return 1;
3151}
3152
c2b290c3 3153#ifndef OPENSSL_NO_PSK
532f9578
MC		 3154static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3155 unsigned char *psk, unsigned int max_psk_len)
3156{
3157 unsigned int psklen = 0;
3158
3159 psk_server_cb_cnt++;
3160
3161 /* We should only ever be called a maximum of twice per connection */
3162 if (find_session_cb_cnt > 2)
3163 return 0;
3164
3165 if (serverpsk == NULL)
3166 return 0;
3167
3168 /* Identity should match that set by the client */
3169 if (strcmp(srvid, identity) != 0) {
3170 return 0;
3171 }
3172
3173 /* We'll reuse the PSK we set up for TLSv1.3 */
3174 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3175 return 0;
3176 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3177
3178 return psklen;
3179}
c2b290c3 3180#endif /* OPENSSL_NO_PSK */
532f9578 3181
5f982038
MC		 3182#define MSG1 "Hello"
3183#define MSG2 "World."
3184#define MSG3 "This"
3185#define MSG4 "is"
3186#define MSG5 "a"
90049cea
MC		 3187#define MSG6 "test"
3188#define MSG7 "message."
5f982038 3189
532f9578 3190#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3191#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3192#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3193#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3194#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3195
8614a4eb
MC		 3196
3197static SSL_SESSION *create_a_psk(SSL *ssl)
3198{
3199 const SSL_CIPHER *cipher = NULL;
3200 const unsigned char key[] = {
3201 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3202 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3203 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3204 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3205 0x2c, 0x2d, 0x2e, 0x2f
3206 };
3207 SSL_SESSION *sess = NULL;
3208
3209 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3210 sess = SSL_SESSION_new();
3211 if (!TEST_ptr(sess)
3212 || !TEST_ptr(cipher)
3213 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3214 sizeof(key)))
3215 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3216 || !TEST_true(
3217 SSL_SESSION_set_protocol_version(sess,
3218 TLS1_3_VERSION))) {
3219 SSL_SESSION_free(sess);
3220 return NULL;
3221 }
3222 return sess;
3223}
3224
5f982038
MC		 3225/*
3226 * Helper method to setup objects for early data test. Caller frees objects on
3227 * error.
3228 */
3229static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3230 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3231{
5a421415 3232 if (*sctx == NULL
5e30f2fd 3233 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3234 TLS_client_method(),
5c587fb6 3235 TLS1_VERSION, 0,
5a421415
MC		 3236 sctx, cctx, cert, privkey)))
3237 return 0;
3238
3239 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3240 return 0;
5f982038 3241
02a3ed5a
MC		 3242 if (idx == 1) {
3243 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3244 SSL_CTX_set_read_ahead(*cctx, 1);
3245 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3246 } else if (idx == 2) {
3247 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3248 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3249 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3250 use_session_cb_cnt = 0;
3251 find_session_cb_cnt = 0;
3252 srvid = pskid;
3cb47b4e
MC		 3253 }
3254
710756a9 3255 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3256 NULL, NULL)))
3257 return 0;
3258
141e4709
MC		 3259 /*
3260 * For one of the run throughs (doesn't matter which one), we'll try sending
3261 * some SNI data in the initial ClientHello. This will be ignored (because
3262 * there is no SNI cb set up by the server), so it should not impact
3263 * early_data.
3264 */
3265 if (idx == 1
3266 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3267 return 0;
3268
02a3ed5a 3269 if (idx == 2) {
8614a4eb 3270 clientpsk = create_a_psk(*clientssl);
57dee9bb 3271 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3272 /*
3273 * We just choose an arbitrary value for max_early_data which
3274 * should be big enough for testing purposes.
3275 */
57dee9bb
MC		 3276 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3277 0x100))
3278 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3279 SSL_SESSION_free(clientpsk);
3280 clientpsk = NULL;
02a3ed5a
MC		 3281 return 0;
3282 }
57dee9bb 3283 serverpsk = clientpsk;
02a3ed5a 3284
c20e3b28
MC		 3285 if (sess != NULL) {
3286 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3287 SSL_SESSION_free(clientpsk);
3288 SSL_SESSION_free(serverpsk);
3289 clientpsk = serverpsk = NULL;
3290 return 0;
3291 }
57dee9bb 3292 *sess = clientpsk;
c20e3b28 3293 }
02a3ed5a
MC		 3294 return 1;
3295 }
3296
3297 if (sess == NULL)
3298 return 1;
3299
3300 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3301 SSL_ERROR_NONE)))
5f982038 3302 return 0;
5f982038
MC		 3303
3304 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3305 SSL_shutdown(*clientssl);
3306 SSL_shutdown(*serverssl);
5f982038
MC		 3307 SSL_free(*serverssl);
3308 SSL_free(*clientssl);
3309 *serverssl = *clientssl = NULL;
3310
710756a9
RS		 3311 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3312 clientssl, NULL, NULL))
3313 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3314 return 0;
5f982038
MC		 3315
3316 return 1;
3317}
3318
3cb47b4e 3319static int test_early_data_read_write(int idx)
5f982038
MC		 3320{
3321 SSL_CTX *cctx = NULL, *sctx = NULL;
3322 SSL *clientssl = NULL, *serverssl = NULL;
3323 int testresult = 0;
3324 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3325 unsigned char buf[20], data[1024];
3326 size_t readbytes, written, eoedlen, rawread, rawwritten;
3327 BIO *rbio;
5f982038 3328
710756a9
RS		 3329 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3330 &serverssl, &sess, idx)))
5f982038
MC		 3331 goto end;
3332
3333 /* Write and read some early data */
710756a9
RS		 3334 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3335 &written))
3336 || !TEST_size_t_eq(written, strlen(MSG1))
3337 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3338 sizeof(buf), &readbytes),
3339 SSL_READ_EARLY_DATA_SUCCESS)
3340 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3341 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3342 SSL_EARLY_DATA_ACCEPTED))
5f982038 3343 goto end;
5f982038
MC		 3344
3345 /*
09f28874 3346 * Server should be able to write data, and client should be able to
5f982038
MC		 3347 * read it.
3348 */
710756a9
RS		 3349 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3350 &written))
3351 || !TEST_size_t_eq(written, strlen(MSG2))
3352 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3353 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3354 goto end;
5f982038
MC		 3355
3356 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3357 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3358 &written))
3359 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3360 goto end;
5f982038 3361
09f28874 3362 /* Server should still be able read early data after writing data */
710756a9
RS		 3363 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3364 &readbytes),
3365 SSL_READ_EARLY_DATA_SUCCESS)
3366 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3367 goto end;
5f982038 3368
09f28874 3369 /* Write more data from server and read it from client */
710756a9
RS		 3370 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3371 &written))
3372 || !TEST_size_t_eq(written, strlen(MSG4))
3373 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3374 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3375 goto end;
5f982038
MC		 3376
3377 /*
3378 * If client writes normal data it should mean writing early data is no
3379 * longer possible.
3380 */
710756a9
RS		 3381 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3382 || !TEST_size_t_eq(written, strlen(MSG5))
3383 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3384 SSL_EARLY_DATA_ACCEPTED))
5f982038 3385 goto end;
5f982038 3386
9b5c865d
MC		 3387 /*
3388 * At this point the client has written EndOfEarlyData, ClientFinished and
3389 * normal (fully protected) data. We are going to cause a delay between the
3390 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3391 * in the read BIO, and then just put back the EndOfEarlyData message.
3392 */
3393 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3394 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3395 || !TEST_size_t_lt(rawread, sizeof(data))
3396 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3397 goto end;
710756a9 3398
9b5c865d
MC		 3399 /* Record length is in the 4th and 5th bytes of the record header */
3400 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3401 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3402 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3403 goto end;
9b5c865d 3404
5f982038 3405 /* Server should be told that there is no more early data */
710756a9
RS		 3406 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3407 &readbytes),
3408 SSL_READ_EARLY_DATA_FINISH)
3409 || !TEST_size_t_eq(readbytes, 0))
5f982038 3410 goto end;
5f982038 3411
9b5c865d
MC		 3412 /*
3413 * Server has not finished init yet, so should still be able to write early
3414 * data.
3415 */
710756a9
RS		 3416 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3417 &written))
3418 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3419 goto end;
9b5c865d 3420
f8a303fa 3421 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3422 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3423 &rawwritten))
3424 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3425 goto end;
f8a303fa 3426
5f982038 3427 /* Server should be able to read normal data */
710756a9
RS		 3428 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3429 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3430 goto end;
5f982038 3431
09f28874 3432 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3433 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3434 &written)))
5f982038 3435 goto end;
5f982038 3436 ERR_clear_error();
710756a9
RS		 3437 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3438 &readbytes),
3439 SSL_READ_EARLY_DATA_ERROR))
5f982038 3440 goto end;
5f982038
MC		 3441 ERR_clear_error();
3442
9b5c865d 3443 /* Client should be able to read the data sent by the server */
710756a9
RS		 3444 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3445 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3446 goto end;
710756a9 3447
f8a303fa 3448 /*
36ff232c
MC		 3449 * Make sure we process the two NewSessionTickets. These arrive
3450 * post-handshake. We attempt reads which we do not expect to return any
3451 * data.
f8a303fa 3452 */
36ff232c
MC		 3453 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3454 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3455 &readbytes)))
f8a303fa 3456 goto end;
5f982038 3457
90049cea 3458 /* Server should be able to write normal data */
710756a9
RS		 3459 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3460 || !TEST_size_t_eq(written, strlen(MSG7))
3461 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3462 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3463 goto end;
90049cea 3464
c20e3b28 3465 SSL_SESSION_free(sess);
5f982038 3466 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3467 use_session_cb_cnt = 0;
3468 find_session_cb_cnt = 0;
5f982038
MC		 3469
3470 SSL_shutdown(clientssl);
3471 SSL_shutdown(serverssl);
5f982038
MC		 3472 SSL_free(serverssl);
3473 SSL_free(clientssl);
3474 serverssl = clientssl = NULL;
710756a9
RS		 3475 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3476 &clientssl, NULL, NULL))
3477 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3478 goto end;
5f982038
MC		 3479
3480 /* Write and read some early data */
710756a9
RS		 3481 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3482 &written))
3483 || !TEST_size_t_eq(written, strlen(MSG1))
3484 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3485 &readbytes),
3486 SSL_READ_EARLY_DATA_SUCCESS)
3487 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3488 goto end;
5f982038 3489
710756a9
RS		 3490 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3491 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3492 goto end;
5f982038 3493
09f28874 3494 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3495 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3496 &written)))
5f982038 3497 goto end;
5f982038 3498 ERR_clear_error();
710756a9
RS		 3499 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3500 &readbytes),
3501 SSL_READ_EARLY_DATA_ERROR))
5f982038 3502 goto end;
5f982038
MC		 3503 ERR_clear_error();
3504
3505 /* Client and server should be able to write/read normal data */
710756a9
RS		 3506 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3507 || !TEST_size_t_eq(written, strlen(MSG5))
3508 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3509 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3510 goto end;
5f982038
MC		 3511
3512 testresult = 1;
3513
3514 end:
c20e3b28 3515 SSL_SESSION_free(sess);
57dee9bb
MC		 3516 SSL_SESSION_free(clientpsk);
3517 SSL_SESSION_free(serverpsk);
3518 clientpsk = serverpsk = NULL;
5f982038
MC		 3519 SSL_free(serverssl);
3520 SSL_free(clientssl);
3521 SSL_CTX_free(sctx);
3522 SSL_CTX_free(cctx);
5f982038
MC		 3523 return testresult;
3524}
3525
5a421415
MC		 3526static int allow_ed_cb_called = 0;
3527
3528static int allow_early_data_cb(SSL *s, void *arg)
3529{
3530 int *usecb = (int *)arg;
3531
3532 allow_ed_cb_called++;
3533
3534 if (*usecb == 1)
3535 return 0;
3536
3537 return 1;
3538}
3539
3540/*
3541 * idx == 0: Standard early_data setup
3542 * idx == 1: early_data setup using read_ahead
3543 * usecb == 0: Don't use a custom early data callback
3544 * usecb == 1: Use a custom early data callback and reject the early data
3545 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3546 * confopt == 0: Configure anti-replay directly
3547 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3548 */
3bb5e5b0 3549static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3550{
3551 SSL_CTX *cctx = NULL, *sctx = NULL;
3552 SSL *clientssl = NULL, *serverssl = NULL;
3553 int testresult = 0;
3554 SSL_SESSION *sess = NULL;
5a421415
MC		 3555 size_t readbytes, written;
3556 unsigned char buf[20];
3557
3558 allow_ed_cb_called = 0;
3559
5e30f2fd
MC		 3560 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3561 TLS_client_method(), TLS1_VERSION, 0,
3562 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3563 return 0;
3564
3565 if (usecb > 0) {
3bb5e5b0
MC		 3566 if (confopt == 0) {
3567 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3568 } else {
3569 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3570
3571 if (!TEST_ptr(confctx))
3572 goto end;
3573 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3574 | SSL_CONF_FLAG_SERVER);
3575 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3576 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3577 2)) {
3578 SSL_CONF_CTX_free(confctx);
3579 goto end;
3580 }
3581 SSL_CONF_CTX_free(confctx);
3582 }
5a421415
MC		 3583 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3584 }
78fb5374
MC		 3585
3586 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3587 &serverssl, &sess, idx)))
3588 goto end;
3589
3590 /*
3591 * The server is configured to accept early data. Create a connection to
3592 * "use up" the ticket
3593 */
3594 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3595 || !TEST_true(SSL_session_reused(clientssl)))
3596 goto end;
3597
3598 SSL_shutdown(clientssl);
3599 SSL_shutdown(serverssl);
3600 SSL_free(serverssl);
3601 SSL_free(clientssl);
3602 serverssl = clientssl = NULL;
3603
3604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3605 &clientssl, NULL, NULL))
5a421415
MC		 3606 || !TEST_true(SSL_set_session(clientssl, sess)))
3607 goto end;
3608
3609 /* Write and read some early data */
3610 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3611 &written))
3612 || !TEST_size_t_eq(written, strlen(MSG1)))
3613 goto end;
3614
3615 if (usecb <= 1) {
3616 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3617 &readbytes),
3618 SSL_READ_EARLY_DATA_FINISH)
3619 /*
3620 * The ticket was reused, so the we should have rejected the
3621 * early data
3622 */
3623 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3624 SSL_EARLY_DATA_REJECTED))
3625 goto end;
3626 } else {
3627 /* In this case the callback decides to accept the early data */
3628 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3629 &readbytes),
3630 SSL_READ_EARLY_DATA_SUCCESS)
3631 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3632 /*
3633 * Server will have sent its flight so client can now send
3634 * end of early data and complete its half of the handshake
3635 */
3636 || !TEST_int_gt(SSL_connect(clientssl), 0)
3637 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3638 &readbytes),
3639 SSL_READ_EARLY_DATA_FINISH)
3640 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3641 SSL_EARLY_DATA_ACCEPTED))
3642 goto end;
3643 }
3644
3645 /* Complete the connection */
3646 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3647 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3648 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3649 goto end;
3650
3651 testresult = 1;
3652
3653 end:
c20e3b28 3654 SSL_SESSION_free(sess);
78fb5374
MC		 3655 SSL_SESSION_free(clientpsk);
3656 SSL_SESSION_free(serverpsk);
3657 clientpsk = serverpsk = NULL;
3658 SSL_free(serverssl);
3659 SSL_free(clientssl);
3660 SSL_CTX_free(sctx);
3661 SSL_CTX_free(cctx);
3662 return testresult;
3663}
3664
5a421415
MC		 3665static int test_early_data_replay(int idx)
3666{
3bb5e5b0 3667 int ret = 1, usecb, confopt;
5a421415 3668
3bb5e5b0
MC		 3669 for (usecb = 0; usecb < 3; usecb++) {
3670 for (confopt = 0; confopt < 2; confopt++)
3671 ret &= test_early_data_replay_int(idx, usecb, confopt);
3672 }
5a421415
MC		 3673
3674 return ret;
3675}
3676
710756a9 3677/*
6b84e6bf
MC		 3678 * Helper function to test that a server attempting to read early data can
3679 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3680 * testtype: 0 == No HRR
3681 * testtype: 1 == HRR
0efa0ba4
MC		 3682 * testtype: 2 == HRR, invalid early_data sent after HRR
3683 * testtype: 3 == recv_max_early_data set to 0
710756a9 3684 */
0d1b7789 3685static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3686{
3687 SSL_CTX *cctx = NULL, *sctx = NULL;
3688 SSL *clientssl = NULL, *serverssl = NULL;
3689 int testresult = 0;
018fcbec 3690 SSL_SESSION *sess = NULL;
5f982038
MC		 3691 unsigned char buf[20];
3692 size_t readbytes, written;
3693
710756a9
RS		 3694 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3695 &serverssl, &sess, idx)))
5f982038
MC		 3696 goto end;
3697
0efa0ba4 3698 if (testtype == 1 || testtype == 2) {
6b84e6bf 3699 /* Force an HRR to occur */
dbc6268f
MC		 3700#if defined(OPENSSL_NO_EC)
3701 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3702 goto end;
3703#else
6b84e6bf
MC		 3704 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3705 goto end;
dbc6268f 3706#endif
02a3ed5a
MC		 3707 } else if (idx == 2) {
3708 /*
3709 * We force early_data rejection by ensuring the PSK identity is
3710 * unrecognised
3711 */
3712 srvid = "Dummy Identity";
6b84e6bf
MC		 3713 } else {
3714 /*
3715 * Deliberately corrupt the creation time. We take 20 seconds off the
3716 * time. It could be any value as long as it is not within tolerance.
3717 * This should mean the ticket is rejected.
3718 */
5d99881e 3719 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3720 goto end;
3721 }
5f982038 3722
0efa0ba4 3723 if (testtype == 3
0d1b7789
MC		 3724 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3725 goto end;
3726
5f982038 3727 /* Write some early data */
710756a9
RS		 3728 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3729 &written))
3730 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3731 goto end;
5f982038 3732
0d1b7789 3733 /* Server should reject the early data */
710756a9
RS		 3734 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3735 &readbytes),
3736 SSL_READ_EARLY_DATA_FINISH)
3737 || !TEST_size_t_eq(readbytes, 0)
3738 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3739 SSL_EARLY_DATA_REJECTED))
5f982038 3740 goto end;
5f982038 3741
0efa0ba4
MC		 3742 switch (testtype) {
3743 case 0:
3744 /* Nothing to do */
3745 break;
3746
3747 case 1:
6b84e6bf
MC		 3748 /*
3749 * Finish off the handshake. We perform the same writes and reads as
3750 * further down but we expect them to fail due to the incomplete
3751 * handshake.
3752 */
3753 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3754 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3755 &readbytes)))
3756 goto end;
0efa0ba4
MC		 3757 break;
3758
3759 case 2:
3760 {
3761 BIO *wbio = SSL_get_wbio(clientssl);
3762 /* A record that will appear as bad early_data */
3763 const unsigned char bad_early_data[] = {
3764 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3765 };
3766
3767 /*
3768 * We force the client to attempt a write. This will fail because
3769 * we're still in the handshake. It will cause the second
3770 * ClientHello to be sent.
3771 */
3772 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3773 &written)))
3774 goto end;
3775
3776 /*
3777 * Inject some early_data after the second ClientHello. This should
3778 * cause the server to fail
3779 */
3780 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3781 sizeof(bad_early_data), &written)))
3782 goto end;
3783 }
3784 /* fallthrough */
3785
3786 case 3:
0d1b7789 3787 /*
0efa0ba4
MC		 3788 * This client has sent more early_data than we are willing to skip
3789 * (case 3) or sent invalid early_data (case 2) so the connection should
3790 * abort.
0d1b7789
MC		 3791 */
3792 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3793 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3794 goto end;
3795
3796 /* Connection has failed - nothing more to do */
3797 testresult = 1;
3798 goto end;
0efa0ba4
MC		 3799
3800 default:
3801 TEST_error("Invalid test type");
3802 goto end;
6b84e6bf
MC		 3803 }
3804
0d1b7789
MC		 3805 /*
3806 * Should be able to send normal data despite rejection of early data. The
3807 * early_data should be skipped.
3808 */
710756a9
RS		 3809 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3810 || !TEST_size_t_eq(written, strlen(MSG2))
3811 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3812 SSL_EARLY_DATA_REJECTED)
3813 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3814 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3815 goto end;
5f982038
MC		 3816
3817 testresult = 1;
3818
3819 end:
c20e3b28 3820 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3821 SSL_SESSION_free(serverpsk);
3822 clientpsk = serverpsk = NULL;
5f982038
MC		 3823 SSL_SESSION_free(sess);
3824 SSL_free(serverssl);
3825 SSL_free(clientssl);
3826 SSL_CTX_free(sctx);
3827 SSL_CTX_free(cctx);
5f982038
MC		 3828 return testresult;
3829}
3830
6b84e6bf
MC		 3831/*
3832 * Test that a server attempting to read early data can handle a connection
3833 * from a client where the early data is not acceptable.
3834 */
3835static int test_early_data_skip(int idx)
3836{
3837 return early_data_skip_helper(0, idx);
3838}
3839
3840/*
3841 * Test that a server attempting to read early data can handle a connection
3842 * from a client where an HRR occurs.
3843 */
3844static int test_early_data_skip_hrr(int idx)
3845{
3846 return early_data_skip_helper(1, idx);
3847}
3848
0efa0ba4
MC		 3849/*
3850 * Test that a server attempting to read early data can handle a connection
3851 * from a client where an HRR occurs and correctly fails if early_data is sent
3852 * after the HRR
3853 */
3854static int test_early_data_skip_hrr_fail(int idx)
3855{
3856 return early_data_skip_helper(2, idx);
3857}
3858
0d1b7789
MC		 3859/*
3860 * Test that a server attempting to read early data will abort if it tries to
3861 * skip over too much.
3862 */
3863static int test_early_data_skip_abort(int idx)
3864{
0efa0ba4 3865 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3866}
3867
710756a9
RS		 3868/*
3869 * Test that a server attempting to read early data can handle a connection
3870 * from a client that doesn't send any.
3871 */
3cb47b4e 3872static int test_early_data_not_sent(int idx)
5f982038
MC		 3873{
3874 SSL_CTX *cctx = NULL, *sctx = NULL;
3875 SSL *clientssl = NULL, *serverssl = NULL;
3876 int testresult = 0;
018fcbec 3877 SSL_SESSION *sess = NULL;
5f982038
MC		 3878 unsigned char buf[20];
3879 size_t readbytes, written;
3880
710756a9
RS		 3881 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3882 &serverssl, &sess, idx)))
5f982038
MC		 3883 goto end;
3884
3885 /* Write some data - should block due to handshake with server */
3886 SSL_set_connect_state(clientssl);
710756a9 3887 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3888 goto end;
5f982038
MC		 3889
3890 /* Server should detect that early data has not been sent */
710756a9
RS		 3891 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3892 &readbytes),
3893 SSL_READ_EARLY_DATA_FINISH)
3894 || !TEST_size_t_eq(readbytes, 0)
3895 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3896 SSL_EARLY_DATA_NOT_SENT)
3897 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3898 SSL_EARLY_DATA_NOT_SENT))
5f982038 3899 goto end;
5f982038
MC		 3900
3901 /* Continue writing the message we started earlier */
710756a9
RS		 3902 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3903 || !TEST_size_t_eq(written, strlen(MSG1))
3904 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3905 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3906 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3907 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3908 goto end;
5f982038 3909
710756a9
RS		 3910 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3911 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3912 goto end;
5f982038
MC		 3913
3914 testresult = 1;
3915
3916 end:
5f982038 3917 SSL_SESSION_free(sess);
c20e3b28 3918 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3919 SSL_SESSION_free(serverpsk);
3920 clientpsk = serverpsk = NULL;
5f982038
MC		 3921 SSL_free(serverssl);
3922 SSL_free(clientssl);
3923 SSL_CTX_free(sctx);
3924 SSL_CTX_free(cctx);
5f982038
MC		 3925 return testresult;
3926}
3927
976e5323
MC		 3928static const char *servalpn;
3929
c7558d5b
PY		 3930static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3931 unsigned char *outlen, const unsigned char *in,
3932 unsigned int inlen, void *arg)
976e5323 3933{
c7558d5b 3934 unsigned int protlen = 0;
976e5323
MC		 3935 const unsigned char *prot;
3936
c7558d5b
PY		 3937 for (prot = in; prot < in + inlen; prot += protlen) {
3938 protlen = *prot++;
5d99881e 3939 if (in + inlen < prot + protlen)
976e5323
MC		 3940 return SSL_TLSEXT_ERR_NOACK;
3941
3942 if (protlen == strlen(servalpn)
0bd42fde 3943 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3944 *out = prot;
3945 *outlen = protlen;
3946 return SSL_TLSEXT_ERR_OK;
3947 }
3948 }
3949
3950 return SSL_TLSEXT_ERR_NOACK;
3951}
3952
57dee9bb 3953/* Test that a PSK can be used to send early_data */
976e5323
MC		 3954static int test_early_data_psk(int idx)
3955{
3956 SSL_CTX *cctx = NULL, *sctx = NULL;
3957 SSL *clientssl = NULL, *serverssl = NULL;
3958 int testresult = 0;
3959 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3960 unsigned char alpnlist[] = {
3961 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3962 'l', 'p', 'n'
3963 };
3964#define GOODALPNLEN 9
3965#define BADALPNLEN 8
3966#define GOODALPN (alpnlist)
3967#define BADALPN (alpnlist + GOODALPNLEN)
3968 int err = 0;
976e5323
MC		 3969 unsigned char buf[20];
3970 size_t readbytes, written;
57dee9bb 3971 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3972 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3973
3974 /* We always set this up with a final parameter of "2" for PSK */
3975 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3976 &serverssl, &sess, 2)))
3977 goto end;
3978
976e5323
MC		 3979 servalpn = "goodalpn";
3980
57dee9bb
MC		 3981 /*
3982 * Note: There is no test for inconsistent SNI with late client detection.
3983 * This is because servers do not acknowledge SNI even if they are using
3984 * it in a resumption handshake - so it is not actually possible for a
3985 * client to detect a problem.
3986 */
976e5323
MC		 3987 switch (idx) {
3988 case 0:
57dee9bb 3989 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3990 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3991 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3992 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3993 goto end;
3994 break;
3995
3996 case 1:
57dee9bb 3997 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3998 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3999 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4000 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4001 GOODALPNLEN))
4002 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4003 BADALPNLEN)))
976e5323
MC		 4004 goto end;
4005 break;
4006
4007 case 2:
4008 /*
4009 * Set invalid protocol version. Technically this affects PSKs without
4010 * early_data too, but we test it here because it is similar to the
4011 * SNI/ALPN consistency tests.
4012 */
4013 err = SSL_R_BAD_PSK;
4014 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4015 goto end;
4016 break;
4017
4018 case 3:
4019 /*
49ef3d07
MC		 4020 * Set inconsistent SNI (server side). In this case the connection
4021 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4022 * is associated with each handshake - not the session. Therefore it
4023 * should not matter that we used a different server name last time.
976e5323 4024 */
281bf233
MC		 4025 SSL_SESSION_free(serverpsk);
4026 serverpsk = SSL_SESSION_dup(clientpsk);
4027 if (!TEST_ptr(serverpsk)
4028 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4029 goto end;
976e5323
MC		 4030 /* Fall through */
4031 case 4:
4032 /* Set consistent SNI */
976e5323
MC		 4033 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4034 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4035 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4036 hostname_cb)))
4037 goto end;
4038 break;
4039
4040 case 5:
4041 /*
4042 * Set inconsistent ALPN (server detected). In this case the connection
4043 * will succeed but reject early_data.
4044 */
4045 servalpn = "badalpn";
4046 edstatus = SSL_EARLY_DATA_REJECTED;
4047 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4048 /* Fall through */
4049 case 6:
976e5323 4050 /*
57dee9bb 4051 * Set consistent ALPN.
976e5323
MC		 4052 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4053 * accepts a list of protos (each one length prefixed).
4054 * SSL_set1_alpn_selected accepts a single protocol (not length
4055 * prefixed)
4056 */
57dee9bb
MC		 4057 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4058 GOODALPNLEN - 1))
4059 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4060 GOODALPNLEN)))
976e5323
MC		 4061 goto end;
4062
4063 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4064 break;
4065
57dee9bb
MC		 4066 case 7:
4067 /* Set inconsistent ALPN (late client detection) */
4068 SSL_SESSION_free(serverpsk);
4069 serverpsk = SSL_SESSION_dup(clientpsk);
4070 if (!TEST_ptr(serverpsk)
4071 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4072 BADALPN + 1,
4073 BADALPNLEN - 1))
4074 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4075 GOODALPN + 1,
4076 GOODALPNLEN - 1))
4077 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4078 sizeof(alpnlist))))
4079 goto end;
4080 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4081 edstatus = SSL_EARLY_DATA_ACCEPTED;
4082 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4083 /* SSL_connect() call should fail */
4084 connectres = -1;
4085 break;
4086
976e5323
MC		 4087 default:
4088 TEST_error("Bad test index");
4089 goto end;
4090 }
4091
4092 SSL_set_connect_state(clientssl);
4093 if (err != 0) {
4094 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4095 &written))
4096 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4097 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4098 goto end;
4099 } else {
4100 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4101 &written)))
4102 goto end;
4103
4104 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4105 &readbytes), readearlyres)
976e5323
MC		 4106 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4107 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4108 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4109 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4110 goto end;
4111 }
4112
4113 testresult = 1;
4114
4115 end:
c20e3b28 4116 SSL_SESSION_free(sess);
57dee9bb
MC		 4117 SSL_SESSION_free(clientpsk);
4118 SSL_SESSION_free(serverpsk);
4119 clientpsk = serverpsk = NULL;
976e5323
MC		 4120 SSL_free(serverssl);
4121 SSL_free(clientssl);
4122 SSL_CTX_free(sctx);
4123 SSL_CTX_free(cctx);
4124 return testresult;
4125}
4126
0b2b0be9 4127/*
4128 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4129 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4130 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4131 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4132 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4133 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4134 */
4135static int test_early_data_psk_with_all_ciphers(int idx)
4136{
4137 SSL_CTX *cctx = NULL, *sctx = NULL;
4138 SSL *clientssl = NULL, *serverssl = NULL;
4139 int testresult = 0;
4140 SSL_SESSION *sess = NULL;
4141 unsigned char buf[20];
4142 size_t readbytes, written;
4143 const SSL_CIPHER *cipher;
4144 const char *cipher_str[] = {
4145 TLS1_3_RFC_AES_128_GCM_SHA256,
4146 TLS1_3_RFC_AES_256_GCM_SHA384,
4147# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4148 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4149# else
4150 NULL,
4151# endif
4152 TLS1_3_RFC_AES_128_CCM_SHA256,
4153 TLS1_3_RFC_AES_128_CCM_8_SHA256
4154 };
4155 const unsigned char *cipher_bytes[] = {
4156 TLS13_AES_128_GCM_SHA256_BYTES,
4157 TLS13_AES_256_GCM_SHA384_BYTES,
4158# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4159 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4160# else
4161 NULL,
4162# endif
4163 TLS13_AES_128_CCM_SHA256_BYTES,
4164 TLS13_AES_128_CCM_8_SHA256_BYTES
4165 };
4166
4167 if (cipher_str[idx] == NULL)
4168 return 1;
4169 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4170 if (idx == 2 && is_fips == 1)
4171 return 1;
4172
4173 /* We always set this up with a final parameter of "2" for PSK */
4174 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4175 &serverssl, &sess, 2)))
4176 goto end;
4177
e0710222
P		 4178 if (idx == 4) {
4179 /* CCM8 ciphers are considered low security due to their short tag */
4180 SSL_set_security_level(clientssl, 0);
4181 SSL_set_security_level(serverssl, 0);
4182 }
4183
0b2b0be9 4184 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4185 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4186 goto end;
4187
4188 /*
4189 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4190 * and assigns to both client and server with incremented reference
4191 * and the same instance is updated in 'sess'.
4192 * So updating ciphersuite in 'sess' which will get reflected in
4193 * PSK handshake using psk use sess and find sess cb.
4194 */
4195 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4196 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4197 goto end;
4198
4199 SSL_set_connect_state(clientssl);
4200 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4201 &written)))
4202 goto end;
4203
4204 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4205 &readbytes),
4206 SSL_READ_EARLY_DATA_SUCCESS)
4207 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4208 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4209 SSL_EARLY_DATA_ACCEPTED)
4210 || !TEST_int_eq(SSL_connect(clientssl), 1)
4211 || !TEST_int_eq(SSL_accept(serverssl), 1))
4212 goto end;
4213
4214 /* Send some normal data from client to server */
4215 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4216 || !TEST_size_t_eq(written, strlen(MSG2)))
4217 goto end;
4218
4219 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4220 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4221 goto end;
4222
4223 testresult = 1;
4224 end:
4225 SSL_SESSION_free(sess);
4226 SSL_SESSION_free(clientpsk);
4227 SSL_SESSION_free(serverpsk);
4228 clientpsk = serverpsk = NULL;
4229 if (clientssl != NULL)
4230 SSL_shutdown(clientssl);
4231 if (serverssl != NULL)
4232 SSL_shutdown(serverssl);
4233 SSL_free(serverssl);
4234 SSL_free(clientssl);
4235 SSL_CTX_free(sctx);
4236 SSL_CTX_free(cctx);
4237 return testresult;
4238}
4239
710756a9
RS		 4240/*
4241 * Test that a server that doesn't try to read early data can handle a
4242 * client sending some.
4243 */
3cb47b4e 4244static int test_early_data_not_expected(int idx)
5f982038
MC		 4245{
4246 SSL_CTX *cctx = NULL, *sctx = NULL;
4247 SSL *clientssl = NULL, *serverssl = NULL;
4248 int testresult = 0;
018fcbec 4249 SSL_SESSION *sess = NULL;
5f982038
MC		 4250 unsigned char buf[20];
4251 size_t readbytes, written;
4252
710756a9
RS		 4253 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4254 &serverssl, &sess, idx)))
5f982038
MC		 4255 goto end;
4256
4257 /* Write some early data */
710756a9
RS		 4258 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4259 &written)))
5f982038 4260 goto end;
5f982038
MC		 4261
4262 /*
4263 * Server should skip over early data and then block waiting for client to
4264 * continue handshake
4265 */
710756a9
RS		 4266 if (!TEST_int_le(SSL_accept(serverssl), 0)
4267 || !TEST_int_gt(SSL_connect(clientssl), 0)
4268 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4269 SSL_EARLY_DATA_REJECTED)
4270 || !TEST_int_gt(SSL_accept(serverssl), 0)
4271 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4272 SSL_EARLY_DATA_REJECTED))
5f982038 4273 goto end;
5f982038
MC		 4274
4275 /* Send some normal data from client to server */
710756a9
RS		 4276 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4277 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4278 goto end;
5f982038 4279
710756a9
RS		 4280 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4281 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4282 goto end;
5f982038
MC		 4283
4284 testresult = 1;
4285
4286 end:
5f982038 4287 SSL_SESSION_free(sess);
c20e3b28 4288 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4289 SSL_SESSION_free(serverpsk);
4290 clientpsk = serverpsk = NULL;
5f982038
MC		 4291 SSL_free(serverssl);
4292 SSL_free(clientssl);
4293 SSL_CTX_free(sctx);
4294 SSL_CTX_free(cctx);
5f982038
MC		 4295 return testresult;
4296}
4297
4298
4299# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4300/*
4301 * Test that a server attempting to read early data can handle a connection
4302 * from a TLSv1.2 client.
4303 */
3cb47b4e 4304static int test_early_data_tls1_2(int idx)
5f982038
MC		 4305{
4306 SSL_CTX *cctx = NULL, *sctx = NULL;
4307 SSL *clientssl = NULL, *serverssl = NULL;
4308 int testresult = 0;
4309 unsigned char buf[20];
4310 size_t readbytes, written;
4311
02a3ed5a
MC		 4312 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4313 &serverssl, NULL, idx)))
5f982038 4314 goto end;
5f982038
MC		 4315
4316 /* Write some data - should block due to handshake with server */
4317 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4318 SSL_set_connect_state(clientssl);
710756a9 4319 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4320 goto end;
5f982038
MC		 4321
4322 /*
4323 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4324 * messages from client after ServerDone. Then SSL_read_early_data should
4325 * finish and detect that early data has not been sent
5f982038 4326 */
710756a9
RS		 4327 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4328 &readbytes),
4329 SSL_READ_EARLY_DATA_ERROR))
5f982038 4330 goto end;
5f982038
MC		 4331
4332 /*
4333 * Continue writing the message we started earlier. Will still block waiting
4334 * for the CCS/Finished from server
4335 */
710756a9
RS		 4336 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4337 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4338 &readbytes),
4339 SSL_READ_EARLY_DATA_FINISH)
4340 || !TEST_size_t_eq(readbytes, 0)
4341 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4342 SSL_EARLY_DATA_NOT_SENT))
5f982038 4343 goto end;
5f982038
MC		 4344
4345 /* Continue writing the message we started earlier */
710756a9
RS		 4346 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4347 || !TEST_size_t_eq(written, strlen(MSG1))
4348 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4349 SSL_EARLY_DATA_NOT_SENT)
4350 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4351 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4352 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4353 || !TEST_size_t_eq(written, strlen(MSG2))
4354 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4355 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4356 goto end;
5f982038
MC		 4357
4358 testresult = 1;
4359
4360 end:
57dee9bb
MC		 4361 SSL_SESSION_free(clientpsk);
4362 SSL_SESSION_free(serverpsk);
4363 clientpsk = serverpsk = NULL;
5f982038
MC		 4364 SSL_free(serverssl);
4365 SSL_free(clientssl);
4366 SSL_CTX_free(sctx);
4367 SSL_CTX_free(cctx);
4368
4369 return testresult;
4370}
ca0413ae
MC		 4371# endif /* OPENSSL_NO_TLS1_2 */
4372
034cb87b
MC		 4373/*
4374 * Test configuring the TLSv1.3 ciphersuites
4375 *
4376 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4377 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4378 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4379 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4380 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4381 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4382 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4383 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4384 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4385 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4386 */
4387static int test_set_ciphersuite(int idx)
4388{
4389 SSL_CTX *cctx = NULL, *sctx = NULL;
4390 SSL *clientssl = NULL, *serverssl = NULL;
4391 int testresult = 0;
4392
5e30f2fd
MC		 4393 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4394 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4395 &sctx, &cctx, cert, privkey))
4396 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4397 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4398 goto end;
4399
4400 if (idx >=4 && idx <= 7) {
4401 /* SSL_CTX explicit cipher list */
4402 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4403 goto end;
4404 }
4405
4406 if (idx == 0 || idx == 4) {
4407 /* Default ciphersuite */
4408 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4409 "TLS_AES_128_GCM_SHA256")))
4410 goto end;
4411 } else if (idx == 1 || idx == 5) {
4412 /* Non default ciphersuite */
4413 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4414 "TLS_AES_128_CCM_SHA256")))
4415 goto end;
4416 }
4417
4418 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4419 &clientssl, NULL, NULL)))
4420 goto end;
4421
4422 if (idx == 8 || idx == 9) {
4423 /* SSL explicit cipher list */
4424 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4425 goto end;
4426 }
4427
4428 if (idx == 2 || idx == 6 || idx == 8) {
4429 /* Default ciphersuite */
4430 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4431 "TLS_AES_128_GCM_SHA256")))
4432 goto end;
4433 } else if (idx == 3 || idx == 7 || idx == 9) {
4434 /* Non default ciphersuite */
4435 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4436 "TLS_AES_128_CCM_SHA256")))
4437 goto end;
4438 }
4439
4440 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4441 goto end;
4442
4443 testresult = 1;
4444
4445 end:
4446 SSL_free(serverssl);
4447 SSL_free(clientssl);
4448 SSL_CTX_free(sctx);
4449 SSL_CTX_free(cctx);
4450
4451 return testresult;
4452}
4453
ca0413ae
MC		 4454static int test_ciphersuite_change(void)
4455{
4456 SSL_CTX *cctx = NULL, *sctx = NULL;
4457 SSL *clientssl = NULL, *serverssl = NULL;
4458 SSL_SESSION *clntsess = NULL;
4459 int testresult = 0;
4460 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4461
4462 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4463 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4464 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4465 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4466 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4467 "TLS_AES_128_GCM_SHA256:"
4468 "TLS_AES_256_GCM_SHA384:"
4469 "TLS_AES_128_CCM_SHA256"))
f865b081 4470 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4471 "TLS_AES_128_GCM_SHA256")))
4472 goto end;
4473
4474 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4475 NULL, NULL))
ca0413ae
MC		 4476 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4477 SSL_ERROR_NONE)))
4478 goto end;
4479
4480 clntsess = SSL_get1_session(clientssl);
4481 /* Save for later */
4482 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4483 SSL_shutdown(clientssl);
4484 SSL_shutdown(serverssl);
4485 SSL_free(serverssl);
4486 SSL_free(clientssl);
4487 serverssl = clientssl = NULL;
4488
4489 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4490 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4491 "TLS_AES_128_CCM_SHA256"))
4492 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4493 &clientssl, NULL, NULL))
ca0413ae
MC		 4494 || !TEST_true(SSL_set_session(clientssl, clntsess))
4495 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4496 SSL_ERROR_NONE))
4497 || !TEST_true(SSL_session_reused(clientssl)))
4498 goto end;
4499
4500 SSL_SESSION_free(clntsess);
4501 clntsess = SSL_get1_session(clientssl);
4502 SSL_shutdown(clientssl);
4503 SSL_shutdown(serverssl);
4504 SSL_free(serverssl);
4505 SSL_free(clientssl);
4506 serverssl = clientssl = NULL;
4507
4508 /*
4509 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4510 * succeeds but does not resume.
ca0413ae 4511 */
f865b081 4512 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4513 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4514 NULL, NULL))
4515 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4516 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4517 SSL_ERROR_SSL))
0de6d66d 4518 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4519 goto end;
4520
4521 SSL_SESSION_free(clntsess);
4522 clntsess = NULL;
4523 SSL_shutdown(clientssl);
4524 SSL_shutdown(serverssl);
4525 SSL_free(serverssl);
4526 SSL_free(clientssl);
4527 serverssl = clientssl = NULL;
4528
4529 /* Create a session based on SHA384 */
f865b081 4530 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4531 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4532 &clientssl, NULL, NULL))
4533 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4534 SSL_ERROR_NONE)))
4535 goto end;
4536
4537 clntsess = SSL_get1_session(clientssl);
4538 SSL_shutdown(clientssl);
4539 SSL_shutdown(serverssl);
4540 SSL_free(serverssl);
4541 SSL_free(clientssl);
4542 serverssl = clientssl = NULL;
4543
f865b081
MC		 4544 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4545 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4546 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4547 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4548 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4549 NULL, NULL))
4550 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4551 /*
4552 * We use SSL_ERROR_WANT_READ below so that we can pause the
4553 * connection after the initial ClientHello has been sent to
4554 * enable us to make some session changes.
4555 */
ca0413ae
MC		 4556 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4557 SSL_ERROR_WANT_READ)))
4558 goto end;
4559
4560 /* Trick the client into thinking this session is for a different digest */
4561 clntsess->cipher = aes_128_gcm_sha256;
4562 clntsess->cipher_id = clntsess->cipher->id;
4563
4564 /*
3b0e88d3
MC		 4565 * Continue the previously started connection. Server has selected a SHA-384
4566 * ciphersuite, but client thinks the session is for SHA-256, so it should
4567 * bail out.
ca0413ae
MC		 4568 */
4569 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4570 SSL_ERROR_SSL))
4571 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4572 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4573 goto end;
4574
4575 testresult = 1;
4576
4577 end:
4578 SSL_SESSION_free(clntsess);
4579 SSL_free(serverssl);
4580 SSL_free(clientssl);
4581 SSL_CTX_free(sctx);
4582 SSL_CTX_free(cctx);
4583
4584 return testresult;
4585}
4586
8e63900a 4587/*
5bf2eade 4588 * Test TLSv1.3 Key exchange
4589 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4590 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4591 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4592 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4593 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4594 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4595 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4596 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4597 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4598 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4599 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4600 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4601 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4602 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4603 */
f89d3d69
BK		 4604# ifndef OPENSSL_NO_EC
4605static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4606 NID_secp521r1, NID_X25519, NID_X448};
4607# endif
4608# ifndef OPENSSL_NO_DH
4609static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4610 NID_ffdhe6144, NID_ffdhe8192};
4611# endif
db26ec80 4612static int test_key_exchange(int idx)
8e63900a 4613{
4614 SSL_CTX *sctx = NULL, *cctx = NULL;
4615 SSL *serverssl = NULL, *clientssl = NULL;
4616 int testresult = 0;
fb8c6db4 4617 int kexch_alg;
4618 int *kexch_groups = &kexch_alg;
4619 int kexch_groups_size = 1;
8e63900a 4620 int max_version = TLS1_3_VERSION;
becbacd7 4621 char *kexch_name0 = NULL;
8e63900a 4622
4623 switch (idx) {
5bf2eade 4624# ifndef OPENSSL_NO_EC
db26ec80 4625# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4626 case 12:
fb8c6db4 4627 max_version = TLS1_2_VERSION;
db26ec80 4628# endif
fb8c6db4 4629 /* Fall through */
4630 case 0:
4631 kexch_groups = ecdhe_kexch_groups;
4632 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4633 kexch_name0 = "secp256r1";
fb8c6db4 4634 break;
5bf2eade 4635 case 1:
fb8c6db4 4636 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4637 kexch_name0 = "secp256r1";
fb8c6db4 4638 break;
5bf2eade 4639 case 2:
fb8c6db4 4640 kexch_alg = NID_secp384r1;
becbacd7 4641 kexch_name0 = "secp384r1";
fb8c6db4 4642 break;
5bf2eade 4643 case 3:
fb8c6db4 4644 kexch_alg = NID_secp521r1;
becbacd7 4645 kexch_name0 = "secp521r1";
fb8c6db4 4646 break;
5bf2eade 4647 case 4:
fb8c6db4 4648 kexch_alg = NID_X25519;
becbacd7 4649 kexch_name0 = "x25519";
fb8c6db4 4650 break;
5bf2eade 4651 case 5:
fb8c6db4 4652 kexch_alg = NID_X448;
becbacd7 4653 kexch_name0 = "x448";
fb8c6db4 4654 break;
5bf2eade 4655# endif
4656# ifndef OPENSSL_NO_DH
db26ec80 4657# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4658 case 13:
dbc6268f 4659 max_version = TLS1_2_VERSION;
becbacd7 4660 kexch_name0 = "ffdhe2048";
db26ec80 4661# endif
dbc6268f 4662 /* Fall through */
5bf2eade 4663 case 6:
8e63900a 4664 kexch_groups = ffdhe_kexch_groups;
4665 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4666 kexch_name0 = "ffdhe2048";
8e63900a 4667 break;
5bf2eade 4668 case 7:
fb8c6db4 4669 kexch_alg = NID_ffdhe2048;
becbacd7 4670 kexch_name0 = "ffdhe2048";
fb8c6db4 4671 break;
5bf2eade 4672 case 8:
fb8c6db4 4673 kexch_alg = NID_ffdhe3072;
becbacd7 4674 kexch_name0 = "ffdhe3072";
fb8c6db4 4675 break;
5bf2eade 4676 case 9:
fb8c6db4 4677 kexch_alg = NID_ffdhe4096;
becbacd7 4678 kexch_name0 = "ffdhe4096";
fb8c6db4 4679 break;
5bf2eade 4680 case 10:
fb8c6db4 4681 kexch_alg = NID_ffdhe6144;
becbacd7 4682 kexch_name0 = "ffdhe6144";
fb8c6db4 4683 break;
5bf2eade 4684 case 11:
fb8c6db4 4685 kexch_alg = NID_ffdhe8192;
becbacd7 4686 kexch_name0 = "ffdhe8192";
8e63900a 4687 break;
5bf2eade 4688# endif
6597d62b
MC		 4689 default:
4690 /* We're skipping this test */
4691 return 1;
8e63900a 4692 }
4693
5e30f2fd
MC		 4694 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4695 TLS_client_method(), TLS1_VERSION,
4696 max_version, &sctx, &cctx, cert,
4697 privkey)))
8e63900a 4698 goto end;
4699
5bf2eade 4700 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4701 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4702 goto end;
4703
5bf2eade 4704 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4705 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4706 goto end;
4707
5bf2eade 4708 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4709 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4710 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4711 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4712 goto end;
4713
dbc6268f
MC		 4714 /*
4715 * Must include an EC ciphersuite so that we send supported groups in
4716 * TLSv1.2
4717 */
5bf2eade 4718# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4719 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4720 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4721 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4722 goto end;
5bf2eade 4723# endif
8e63900a 4724
4725 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4726 NULL, NULL)))
4727 goto end;
4728
4729 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4730 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4731 goto end;
4732
5bf2eade 4733 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4734 goto end;
8e63900a 4735
dbc6268f 4736 /*
5bf2eade 4737 * If Handshake succeeds the negotiated kexch alg should be the first one in
4738 * configured, except in the case of FFDHE groups (idx 13), which are
4739 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4740 */
4741 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4742 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4743 goto end;
becbacd7
MB		 4744
4745 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4746 kexch_name0))
4747 goto end;
4748
75d48520
BK		 4749 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4750 if (idx != 13) {
fb8c6db4 4751 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4752 goto end;
4753 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4754 goto end;
4755 }
8e63900a 4756
4757 testresult = 1;
4758 end:
4759 SSL_free(serverssl);
4760 SSL_free(clientssl);
4761 SSL_CTX_free(sctx);
4762 SSL_CTX_free(cctx);
4763 return testresult;
4764}
4765
c9cddf05
P		 4766# if !defined(OPENSSL_NO_TLS1_2) \
4767 && !defined(OPENSSL_NO_EC) \
4768 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4769static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4770 int isecdhe, int idx)
4771{
4772 int kexch_alg;
4773 int *kexch_groups = &kexch_alg;
4774 int numec, numff;
4775
4776 numec = OSSL_NELEM(ecdhe_kexch_groups);
4777 numff = OSSL_NELEM(ffdhe_kexch_groups);
4778 if (isecdhe)
4779 kexch_alg = ecdhe_kexch_groups[idx];
4780 else
4781 kexch_alg = ffdhe_kexch_groups[idx];
4782
4783 if (clientmulti) {
4784 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4785 return 0;
4786 if (isecdhe) {
4787 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4788 numec)))
4789 return 0;
4790 } else {
4791 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4792 numff)))
4793 return 0;
4794 }
4795 } else {
4796 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4797 return 0;
4798 if (isecdhe) {
4799 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4800 numec)))
4801 return 0;
4802 } else {
4803 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4804 numff)))
4805 return 0;
4806 }
4807 }
4808 return 1;
4809}
4810
4811/*-
4812 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4813 * Run through both the ECDHE and FFDHE group lists used in the previous
4814 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4815 * confirming the expected result; then perform a resumption handshake
4816 * while offering the same group list, and another resumption handshake
4817 * offering a different group list. The returned value should be the
4818 * negotiated group for the initial handshake; for TLS 1.3 resumption
4819 * handshakes the returned value will be negotiated on the resumption
4820 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4821 * be cached in the session from the original handshake, regardless of what
4822 * was offered in the resumption ClientHello.
4823 *
4824 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 4825 * E tests of ECDHE with TLS 1.3, server only has one group
4826 * F tests of FFDHE with TLS 1.3, server only has one group
4827 * E tests of ECDHE with TLS 1.2, server only has one group
4828 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 4829 * E tests of ECDHE with TLS 1.3, client sends only one group
4830 * F tests of FFDHE with TLS 1.3, client sends only one group
4831 * E tests of ECDHE with TLS 1.2, client sends only one group
4832 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 4833 */
4834static int test_negotiated_group(int idx)
4835{
4836 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4837 int expectednid;
4838 SSL_CTX *sctx = NULL, *cctx = NULL;
4839 SSL *serverssl = NULL, *clientssl = NULL;
4840 SSL_SESSION *origsess = NULL;
4841 int testresult = 0;
4842 int kexch_alg;
4843 int max_version = TLS1_3_VERSION;
4844
4845 numec = OSSL_NELEM(ecdhe_kexch_groups);
4846 numff = OSSL_NELEM(ffdhe_kexch_groups);
4847 numgroups = numec + numff;
4848 clientmulti = (idx < 2 * numgroups);
4849 idx = idx % (2 * numgroups);
4850 istls13 = (idx < numgroups);
4851 idx = idx % numgroups;
4852 isecdhe = (idx < numec);
4853 if (!isecdhe)
4854 idx -= numec;
4855 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4856 if (isecdhe)
4857 kexch_alg = ecdhe_kexch_groups[idx];
4858 else
4859 kexch_alg = ffdhe_kexch_groups[idx];
4860 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4861 if (!istls13 && !isecdhe)
4862 expectednid = NID_undef;
4863 else
4864 expectednid = kexch_alg;
4865
4866 if (!istls13)
4867 max_version = TLS1_2_VERSION;
4868
4869 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4870 TLS_client_method(), TLS1_VERSION,
4871 max_version, &sctx, &cctx, cert,
4872 privkey)))
4873 goto end;
4874
4875 /*
4876 * Force (EC)DHE ciphers for TLS 1.2.
4877 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4878 */
4879 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4880 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4881 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4882 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4883 goto end;
4884 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4885 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4886 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4887 goto end;
4888
4889 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4890 NULL, NULL)))
4891 goto end;
4892
4893 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4894 idx)))
4895 goto end;
4896
4897 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4898 goto end;
4899
4900 /* Initial handshake; always the configured one */
4901 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4902 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4903 goto end;
4904
4905 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4906 goto end;
4907
4908 SSL_shutdown(clientssl);
4909 SSL_shutdown(serverssl);
4910 SSL_free(serverssl);
4911 SSL_free(clientssl);
4912 serverssl = clientssl = NULL;
4913
4914 /* First resumption attempt; use the same config as initial handshake */
4915 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4916 NULL, NULL))
4917 || !TEST_true(SSL_set_session(clientssl, origsess))
4918 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4919 isecdhe, idx)))
4920 goto end;
4921
4922 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4923 || !TEST_true(SSL_session_reused(clientssl)))
4924 goto end;
4925
4926 /* Still had better agree, since nothing changed... */
4927 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4928 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4929 goto end;
4930
4931 SSL_shutdown(clientssl);
4932 SSL_shutdown(serverssl);
4933 SSL_free(serverssl);
4934 SSL_free(clientssl);
4935 serverssl = clientssl = NULL;
4936
4937 /*-
4938 * Second resumption attempt
4939 * The party that picks one group changes it, which we effectuate by
4940 * changing 'idx' and updating what we expect.
4941 */
4942 if (idx == 0)
4943 idx = 1;
4944 else
4945 idx--;
4946 if (istls13) {
4947 if (isecdhe)
4948 expectednid = ecdhe_kexch_groups[idx];
4949 else
4950 expectednid = ffdhe_kexch_groups[idx];
4951 /* Verify that we are changing what we expect. */
4952 if (!TEST_int_ne(expectednid, kexch_alg))
4953 goto end;
4954 } else {
4955 /* TLS 1.2 only supports named groups for ECDHE. */
4956 if (isecdhe)
4957 expectednid = kexch_alg;
4958 else
4959 expectednid = 0;
4960 }
4961 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4962 NULL, NULL))
4963 || !TEST_true(SSL_set_session(clientssl, origsess))
4964 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4965 isecdhe, idx)))
4966 goto end;
4967
4968 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4969 || !TEST_true(SSL_session_reused(clientssl)))
4970 goto end;
4971
4972 /* Check that we get what we expected */
4973 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4974 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4975 goto end;
4976
4977 testresult = 1;
4978 end:
4979 SSL_free(serverssl);
4980 SSL_free(clientssl);
4981 SSL_CTX_free(sctx);
4982 SSL_CTX_free(cctx);
4983 SSL_SESSION_free(origsess);
4984 return testresult;
4985}
4986# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4987
5bf2eade 4988/*
4989 * Test TLSv1.3 Cipher Suite
4990 * Test 0 = Set TLS1.3 cipher on context
4991 * Test 1 = Set TLS1.3 cipher on SSL
4992 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4993 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4994 */
4995static int test_tls13_ciphersuite(int idx)
4996{
4997 SSL_CTX *sctx = NULL, *cctx = NULL;
4998 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4999 static const struct {
5000 const char *ciphername;
5001 int fipscapable;
e0710222 5002 int low_security;
4f6c7044 5003 } t13_ciphers[] = {
e0710222
P		 5004 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5005 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5006 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5007# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5008 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5009 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5010 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5011# endif
e0710222
P		 5012 /* CCM8 ciphers are considered low security due to their short tag */
5013 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5014 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5015 };
5016 const char *t13_cipher = NULL;
5017 const char *t12_cipher = NULL;
5018 const char *negotiated_scipher;
5019 const char *negotiated_ccipher;
5020 int set_at_ctx = 0;
5021 int set_at_ssl = 0;
5022 int testresult = 0;
5023 int max_ver;
5024 size_t i;
5025
5026 switch (idx) {
5027 case 0:
5028 set_at_ctx = 1;
5029 break;
5030 case 1:
5031 set_at_ssl = 1;
5032 break;
5033 case 2:
5034 set_at_ctx = 1;
2d900758 5035 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5036 break;
5037 case 3:
5038 set_at_ssl = 1;
2d900758 5039 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5040 break;
5041 }
5042
5043 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5044# ifdef OPENSSL_NO_TLS1_2
5045 if (max_ver == TLS1_2_VERSION)
5046 continue;
5047# endif
5048 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5049 if (is_fips && !t13_ciphers[i].fipscapable)
5050 continue;
5051 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5052 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5053 TLS_client_method(),
5054 TLS1_VERSION, max_ver,
5055 &sctx, &cctx, cert, privkey)))
5056 goto end;
5057
e0710222
P		 5058 if (t13_ciphers[i].low_security) {
5059 SSL_CTX_set_security_level(sctx, 0);
5060 SSL_CTX_set_security_level(cctx, 0);
5061 }
5062
5bf2eade 5063 if (set_at_ctx) {
5064 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5065 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5066 goto end;
5067 if (t12_cipher != NULL) {
5068 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5069 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5070 t12_cipher)))
5071 goto end;
5072 }
5073 }
5074
5075 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5076 &clientssl, NULL, NULL)))
5077 goto end;
5078
5079 if (set_at_ssl) {
5080 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5081 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5082 goto end;
5083 if (t12_cipher != NULL) {
5084 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5085 || !TEST_true(SSL_set_cipher_list(clientssl,
5086 t12_cipher)))
5087 goto end;
5088 }
5089 }
5090
5091 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5092 SSL_ERROR_NONE)))
5093 goto end;
5094
5095 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5096 serverssl));
5097 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5098 clientssl));
5099 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5100 goto end;
5101
5102 /*
5103 * TEST_strn_eq is used below because t13_cipher can contain
5104 * multiple ciphersuites
5105 */
5106 if (max_ver == TLS1_3_VERSION
5107 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5108 strlen(negotiated_scipher)))
5109 goto end;
5110
5111# ifndef OPENSSL_NO_TLS1_2
5112 /* Below validation is not done when t12_cipher is NULL */
5113 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5114 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5115 goto end;
5116# endif
5117
5118 SSL_free(serverssl);
5119 serverssl = NULL;
5120 SSL_free(clientssl);
5121 clientssl = NULL;
5122 SSL_CTX_free(sctx);
5123 sctx = NULL;
5124 SSL_CTX_free(cctx);
5125 cctx = NULL;
5126 }
5127 }
5128
5129 testresult = 1;
5130 end:
5131 SSL_free(serverssl);
5132 SSL_free(clientssl);
5133 SSL_CTX_free(sctx);
5134 SSL_CTX_free(cctx);
5135 return testresult;
5136}
5137
0d8da779
MC		 5138/*
5139 * Test TLSv1.3 PSKs
5140 * Test 0 = Test new style callbacks
5141 * Test 1 = Test both new and old style callbacks
5142 * Test 2 = Test old style callbacks
5143 * Test 3 = Test old style callbacks with no certificate
5144 */
532f9578 5145static int test_tls13_psk(int idx)
ca8c71ba
MC		 5146{
5147 SSL_CTX *sctx = NULL, *cctx = NULL;
5148 SSL *serverssl = NULL, *clientssl = NULL;
5149 const SSL_CIPHER *cipher = NULL;
5150 const unsigned char key[] = {
5151 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5152 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5153 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5154 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5155 };
5156 int testresult = 0;
5157
5e30f2fd
MC		 5158 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5159 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5160 &sctx, &cctx, idx == 3 ? NULL : cert,
5161 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5162 goto end;
5163
0d8da779
MC		 5164 if (idx != 3) {
5165 /*
5166 * We use a ciphersuite with SHA256 to ease testing old style PSK
5167 * callbacks which will always default to SHA256. This should not be
5168 * necessary if we have no cert/priv key. In that case the server should
5169 * prefer SHA256 automatically.
5170 */
5171 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5172 "TLS_AES_128_GCM_SHA256")))
5173 goto end;
4f6c7044
MC		 5174 } else {
5175 /*
5176 * As noted above the server should prefer SHA256 automatically. However
5177 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5178 * code works even if we are testing with only the FIPS provider loaded.
5179 */
5180 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5181 "TLS_AES_256_GCM_SHA384:"
5182 "TLS_AES_128_GCM_SHA256")))
5183 goto end;
0d8da779 5184 }
532f9578
MC		 5185
5186 /*
5187 * Test 0: New style callbacks only
5188 * Test 1: New and old style callbacks (only the new ones should be used)
5189 * Test 2: Old style callbacks only
5190 */
5191 if (idx == 0 || idx == 1) {
5192 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5193 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5194 }
c2b290c3 5195#ifndef OPENSSL_NO_PSK
0d8da779 5196 if (idx >= 1) {
532f9578
MC		 5197 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5198 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5199 }
c2b290c3 5200#endif
ca8c71ba 5201 srvid = pskid;
02a3ed5a
MC		 5202 use_session_cb_cnt = 0;
5203 find_session_cb_cnt = 0;
532f9578
MC		 5204 psk_client_cb_cnt = 0;
5205 psk_server_cb_cnt = 0;
ca8c71ba 5206
0d8da779
MC		 5207 if (idx != 3) {
5208 /*
5209 * Check we can create a connection if callback decides not to send a
5210 * PSK
5211 */
5212 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5213 NULL, NULL))
5214 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5215 SSL_ERROR_NONE))
5216 || !TEST_false(SSL_session_reused(clientssl))
5217 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5218 goto end;
532f9578 5219
0d8da779
MC		 5220 if (idx == 0 || idx == 1) {
5221 if (!TEST_true(use_session_cb_cnt == 1)
5222 || !TEST_true(find_session_cb_cnt == 0)
5223 /*
5224 * If no old style callback then below should be 0
5225 * otherwise 1
5226 */
5227 || !TEST_true(psk_client_cb_cnt == idx)
5228 || !TEST_true(psk_server_cb_cnt == 0))
5229 goto end;
5230 } else {
5231 if (!TEST_true(use_session_cb_cnt == 0)
5232 || !TEST_true(find_session_cb_cnt == 0)
5233 || !TEST_true(psk_client_cb_cnt == 1)
5234 || !TEST_true(psk_server_cb_cnt == 0))
5235 goto end;
5236 }
5237
5238 shutdown_ssl_connection(serverssl, clientssl);
5239 serverssl = clientssl = NULL;
5240 use_session_cb_cnt = psk_client_cb_cnt = 0;
5241 }
ca8c71ba
MC		 5242
5243 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5244 NULL, NULL)))
5245 goto end;
5246
5247 /* Create the PSK */
532f9578 5248 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5249 clientpsk = SSL_SESSION_new();
5250 if (!TEST_ptr(clientpsk)
ca8c71ba 5251 || !TEST_ptr(cipher)
57dee9bb
MC		 5252 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5253 sizeof(key)))
5254 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5255 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5256 TLS1_3_VERSION))
5257 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5258 goto end;
57dee9bb 5259 serverpsk = clientpsk;
ca8c71ba
MC		 5260
5261 /* Check we can create a connection and the PSK is used */
5262 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5263 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5264 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5265 goto end;
5266
532f9578
MC		 5267 if (idx == 0 || idx == 1) {
5268 if (!TEST_true(use_session_cb_cnt == 1)
5269 || !TEST_true(find_session_cb_cnt == 1)
5270 || !TEST_true(psk_client_cb_cnt == 0)
5271 || !TEST_true(psk_server_cb_cnt == 0))
5272 goto end;
5273 } else {
5274 if (!TEST_true(use_session_cb_cnt == 0)
5275 || !TEST_true(find_session_cb_cnt == 0)
5276 || !TEST_true(psk_client_cb_cnt == 1)
5277 || !TEST_true(psk_server_cb_cnt == 1))
5278 goto end;
5279 }
5280
ca8c71ba
MC		 5281 shutdown_ssl_connection(serverssl, clientssl);
5282 serverssl = clientssl = NULL;
5283 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5284 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5285
5286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5287 NULL, NULL)))
5288 goto end;
5289
5290 /* Force an HRR */
dbc6268f
MC		 5291#if defined(OPENSSL_NO_EC)
5292 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5293 goto end;
5294#else
ca8c71ba
MC		 5295 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5296 goto end;
dbc6268f 5297#endif
ca8c71ba
MC		 5298
5299 /*
5300 * Check we can create a connection, the PSK is used and the callbacks are
5301 * called twice.
5302 */
5303 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5304 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5305 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5306 goto end;
5307
532f9578
MC		 5308 if (idx == 0 || idx == 1) {
5309 if (!TEST_true(use_session_cb_cnt == 2)
5310 || !TEST_true(find_session_cb_cnt == 2)
5311 || !TEST_true(psk_client_cb_cnt == 0)
5312 || !TEST_true(psk_server_cb_cnt == 0))
5313 goto end;
5314 } else {
5315 if (!TEST_true(use_session_cb_cnt == 0)
5316 || !TEST_true(find_session_cb_cnt == 0)
5317 || !TEST_true(psk_client_cb_cnt == 2)
5318 || !TEST_true(psk_server_cb_cnt == 2))
5319 goto end;
5320 }
5321
ca8c71ba
MC		 5322 shutdown_ssl_connection(serverssl, clientssl);
5323 serverssl = clientssl = NULL;
5324 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5325 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5326
0d8da779
MC		 5327 if (idx != 3) {
5328 /*
5329 * Check that if the server rejects the PSK we can still connect, but with
5330 * a full handshake
5331 */
5332 srvid = "Dummy Identity";
5333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5334 NULL, NULL))
5335 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5336 SSL_ERROR_NONE))
5337 || !TEST_false(SSL_session_reused(clientssl))
5338 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5339 goto end;
532f9578 5340
0d8da779
MC		 5341 if (idx == 0 || idx == 1) {
5342 if (!TEST_true(use_session_cb_cnt == 1)
5343 || !TEST_true(find_session_cb_cnt == 1)
5344 || !TEST_true(psk_client_cb_cnt == 0)
5345 /*
5346 * If no old style callback then below should be 0
5347 * otherwise 1
5348 */
5349 || !TEST_true(psk_server_cb_cnt == idx))
5350 goto end;
5351 } else {
5352 if (!TEST_true(use_session_cb_cnt == 0)
5353 || !TEST_true(find_session_cb_cnt == 0)
5354 || !TEST_true(psk_client_cb_cnt == 1)
5355 || !TEST_true(psk_server_cb_cnt == 1))
5356 goto end;
5357 }
5358
5359 shutdown_ssl_connection(serverssl, clientssl);
5360 serverssl = clientssl = NULL;
5361 }
ca8c71ba
MC		 5362 testresult = 1;
5363
5364 end:
57dee9bb
MC		 5365 SSL_SESSION_free(clientpsk);
5366 SSL_SESSION_free(serverpsk);
5367 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5368 SSL_free(serverssl);
5369 SSL_free(clientssl);
5370 SSL_CTX_free(sctx);
5371 SSL_CTX_free(cctx);
5372 return testresult;
5373}
5374
c7b8ff25
MC		 5375static unsigned char cookie_magic_value[] = "cookie magic";
5376
5377static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5378 unsigned int *cookie_len)
5379{
5380 /*
5381 * Not suitable as a real cookie generation function but good enough for
5382 * testing!
5383 */
97ea1e7f
MC		 5384 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5385 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5386
5387 return 1;
5388}
5389
5390static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5391 unsigned int cookie_len)
5392{
97ea1e7f 5393 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5394 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5395 return 1;
5396
5397 return 0;
5398}
5399
3fa2812f
BS		 5400static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5401 size_t *cookie_len)
5402{
5403 unsigned int temp;
5404 int res = generate_cookie_callback(ssl, cookie, &temp);
5405 *cookie_len = temp;
5406 return res;
5407}
5408
5409static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5410 size_t cookie_len)
5411{
5412 return verify_cookie_callback(ssl, cookie, cookie_len);
5413}
5414
c7b8ff25
MC		 5415static int test_stateless(void)
5416{
5417 SSL_CTX *sctx = NULL, *cctx = NULL;
5418 SSL *serverssl = NULL, *clientssl = NULL;
5419 int testresult = 0;
5420
5e30f2fd
MC		 5421 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5422 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5423 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5424 goto end;
5425
e440f513
MC		 5426 /* The arrival of CCS messages can confuse the test */
5427 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5428
5429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5430 NULL, NULL))
5431 /* Send the first ClientHello */
5432 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5433 SSL_ERROR_WANT_READ))
5434 /*
5435 * This should fail with a -1 return because we have no callbacks
5436 * set up
5437 */
5438 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5439 goto end;
5440
5441 /* Fatal error so abandon the connection from this client */
5442 SSL_free(clientssl);
5443 clientssl = NULL;
5444
c7b8ff25 5445 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5446 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5447 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5448
e440f513
MC		 5449 /*
5450 * Create a new connection from the client (we can reuse the server SSL
5451 * object).
5452 */
c7b8ff25
MC		 5453 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5454 NULL, NULL))
5455 /* Send the first ClientHello */
5456 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5457 SSL_ERROR_WANT_READ))
5458 /* This should fail because there is no cookie */
e440f513 5459 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5460 goto end;
5461
5462 /* Abandon the connection from this client */
5463 SSL_free(clientssl);
5464 clientssl = NULL;
5465
5466 /*
5467 * Now create a connection from a new client but with the same server SSL
5468 * object
5469 */
5470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5471 NULL, NULL))
5472 /* Send the first ClientHello */
5473 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5474 SSL_ERROR_WANT_READ))
5475 /* This should fail because there is no cookie */
e440f513 5476 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5477 /* Send the second ClientHello */
5478 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5479 SSL_ERROR_WANT_READ))
5480 /* This should succeed because a cookie is now present */
e440f513 5481 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5482 /* Complete the connection */
5483 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5484 SSL_ERROR_NONE)))
5485 goto end;
5486
5487 shutdown_ssl_connection(serverssl, clientssl);
5488 serverssl = clientssl = NULL;
5489 testresult = 1;
5490
5491 end:
5492 SSL_free(serverssl);
5493 SSL_free(clientssl);
5494 SSL_CTX_free(sctx);
5495 SSL_CTX_free(cctx);
5496 return testresult;
5497
5498}
a763ca11 5499#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5500
a37008d9
MC		 5501static int clntaddoldcb = 0;
5502static int clntparseoldcb = 0;
5503static int srvaddoldcb = 0;
5504static int srvparseoldcb = 0;
5505static int clntaddnewcb = 0;
5506static int clntparsenewcb = 0;
5507static int srvaddnewcb = 0;
5508static int srvparsenewcb = 0;
bb01ef3f 5509static int snicb = 0;
a37008d9
MC		 5510
5511#define TEST_EXT_TYPE1 0xff00
5512
5513static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5514 size_t *outlen, int *al, void *add_arg)
5515{
5516 int *server = (int *)add_arg;
5517 unsigned char *data;
5518
5519 if (SSL_is_server(s))
5520 srvaddoldcb++;
5521 else
5522 clntaddoldcb++;
5523
710756a9
RS		 5524 if (*server != SSL_is_server(s)
5525 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5526 return -1;
5527
5528 *data = 1;
5529 *out = data;
5530 *outlen = sizeof(char);
a37008d9
MC		 5531 return 1;
5532}
5533
5534static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5535 void *add_arg)
5536{
5537 OPENSSL_free((unsigned char *)out);
5538}
5539
5540static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5541 size_t inlen, int *al, void *parse_arg)
5542{
5543 int *server = (int *)parse_arg;
5544
5545 if (SSL_is_server(s))
5546 srvparseoldcb++;
5547 else
5548 clntparseoldcb++;
5549
710756a9
RS		 5550 if (*server != SSL_is_server(s)
5551 || inlen != sizeof(char)
5552 || *in != 1)
a37008d9
MC		 5553 return -1;
5554
5555 return 1;
5556}
5557
5558static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5559 const unsigned char **out, size_t *outlen, X509 *x,
5560 size_t chainidx, int *al, void *add_arg)
5561{
5562 int *server = (int *)add_arg;
5563 unsigned char *data;
5564
5565 if (SSL_is_server(s))
5566 srvaddnewcb++;
5567 else
5568 clntaddnewcb++;
5569
710756a9
RS		 5570 if (*server != SSL_is_server(s)
5571 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5572 return -1;
5573
5574 *data = 1;
5575 *out = data;
710756a9 5576 *outlen = sizeof(*data);
a37008d9
MC		 5577 return 1;
5578}
5579
5580static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5581 const unsigned char *out, void *add_arg)
5582{
5583 OPENSSL_free((unsigned char *)out);
5584}
5585
5586static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5587 const unsigned char *in, size_t inlen, X509 *x,
5588 size_t chainidx, int *al, void *parse_arg)
5589{
5590 int *server = (int *)parse_arg;
5591
5592 if (SSL_is_server(s))
5593 srvparsenewcb++;
5594 else
5595 clntparsenewcb++;
5596
710756a9
RS		 5597 if (*server != SSL_is_server(s)
5598 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5599 return -1;
5600
5601 return 1;
5602}
bb01ef3f
MC		 5603
5604static int sni_cb(SSL *s, int *al, void *arg)
5605{
5606 SSL_CTX *ctx = (SSL_CTX *)arg;
5607
5608 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5609 *al = SSL_AD_INTERNAL_ERROR;
5610 return SSL_TLSEXT_ERR_ALERT_FATAL;
5611 }
5612 snicb++;
5613 return SSL_TLSEXT_ERR_OK;
5614}
5615
0db3a990
MC		 5616static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5617{
5618 return 1;
5619}
5620
a37008d9
MC		 5621/*
5622 * Custom call back tests.
5623 * Test 0: Old style callbacks in TLSv1.2
5624 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5625 * Test 2: New style callbacks in TLSv1.2 with SNI
5626 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5627 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5628 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5629 */
710756a9
RS		 5630static int test_custom_exts(int tst)
5631{
bb01ef3f 5632 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5633 SSL *clientssl = NULL, *serverssl = NULL;
5634 int testresult = 0;
5635 static int server = 1;
5636 static int client = 0;
5637 SSL_SESSION *sess = NULL;
5638 unsigned int context;
5639
a763ca11 5640#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5641 /* Skip tests for TLSv1.2 and below in this case */
5642 if (tst < 3)
5643 return 1;
5644#endif
5645
a37008d9
MC		 5646 /* Reset callback counters */
5647 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5648 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5649 snicb = 0;
a37008d9 5650
5e30f2fd
MC		 5651 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5652 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5653 &sctx, &cctx, cert, privkey)))
710756a9 5654 goto end;
a37008d9 5655
bb01ef3f 5656 if (tst == 2
5e30f2fd 5657 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5658 TLS1_VERSION, 0,
7d7f6834 5659 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5660 goto end;
5661
5662
5663 if (tst < 3) {
a37008d9
MC		 5664 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5665 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5666 if (sctx2 != NULL)
5667 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5668 }
5669
0db3a990
MC		 5670 if (tst == 5) {
5671 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5672 | SSL_EXT_TLS1_3_CERTIFICATE;
5673 SSL_CTX_set_verify(sctx,
5674 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5675 verify_cb);
5676 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5677 SSL_FILETYPE_PEM), 1)
5678 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5679 SSL_FILETYPE_PEM), 1)
5680 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5681 goto end;
5682 } else if (tst == 4) {
710756a9
RS		 5683 context = SSL_EXT_CLIENT_HELLO
5684 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5685 | SSL_EXT_TLS1_3_SERVER_HELLO
5686 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5687 | SSL_EXT_TLS1_3_CERTIFICATE
5688 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5689 } else {
710756a9
RS		 5690 context = SSL_EXT_CLIENT_HELLO
5691 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5692 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5693 }
5694
5695 /* Create a client side custom extension */
5696 if (tst == 0) {
710756a9
RS		 5697 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5698 old_add_cb, old_free_cb,
5699 &client, old_parse_cb,
5700 &client)))
5701 goto end;
a37008d9 5702 } else {
710756a9
RS		 5703 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5704 new_add_cb, new_free_cb,
5705 &client, new_parse_cb, &client)))
5706 goto end;
a37008d9
MC		 5707 }
5708
5709 /* Should not be able to add duplicates */
710756a9
RS		 5710 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5711 old_add_cb, old_free_cb,
5712 &client, old_parse_cb,
5713 &client))
5714 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5715 context, new_add_cb,
5716 new_free_cb, &client,
5717 new_parse_cb, &client)))
5718 goto end;
a37008d9
MC		 5719
5720 /* Create a server side custom extension */
5721 if (tst == 0) {
710756a9
RS		 5722 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5723 old_add_cb, old_free_cb,
5724 &server, old_parse_cb,
5725 &server)))
5726 goto end;
a37008d9 5727 } else {
710756a9
RS		 5728 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5729 new_add_cb, new_free_cb,
5730 &server, new_parse_cb, &server)))
5731 goto end;
bb01ef3f
MC		 5732 if (sctx2 != NULL
5733 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5734 context, new_add_cb,
5735 new_free_cb, &server,
5736 new_parse_cb, &server)))
5737 goto end;
a37008d9
MC		 5738 }
5739
5740 /* Should not be able to add duplicates */
710756a9
RS		 5741 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5742 old_add_cb, old_free_cb,
5743 &server, old_parse_cb,
5744 &server))
5745 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5746 context, new_add_cb,
5747 new_free_cb, &server,
5748 new_parse_cb, &server)))
a37008d9 5749 goto end;
a37008d9 5750
bb01ef3f
MC		 5751 if (tst == 2) {
5752 /* Set up SNI */
5753 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5754 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5755 goto end;
5756 }
5757
710756a9
RS		 5758 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5759 &clientssl, NULL, NULL))
5760 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5761 SSL_ERROR_NONE)))
a37008d9 5762 goto end;
a37008d9
MC		 5763
5764 if (tst == 0) {
710756a9
RS		 5765 if (clntaddoldcb != 1
5766 || clntparseoldcb != 1
5767 || srvaddoldcb != 1
5768 || srvparseoldcb != 1)
a37008d9 5769 goto end;
bb01ef3f 5770 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5771 if (clntaddnewcb != 1
5772 || clntparsenewcb != 1
5773 || srvaddnewcb != 1
bb01ef3f
MC		 5774 || srvparsenewcb != 1
5775 || (tst != 2 && snicb != 0)
5776 || (tst == 2 && snicb != 1))
a37008d9 5777 goto end;
0db3a990
MC		 5778 } else if (tst == 5) {
5779 if (clntaddnewcb != 1
5780 || clntparsenewcb != 1
5781 || srvaddnewcb != 1
5782 || srvparsenewcb != 1)
5783 goto end;
a37008d9 5784 } else {
36ff232c 5785 /* In this case there 2 NewSessionTicket messages created */
710756a9 5786 if (clntaddnewcb != 1
36ff232c
MC		 5787 || clntparsenewcb != 5
5788 || srvaddnewcb != 5
710756a9 5789 || srvparsenewcb != 1)
a37008d9 5790 goto end;
a37008d9
MC		 5791 }
5792
5793 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5794 SSL_shutdown(clientssl);
5795 SSL_shutdown(serverssl);
a37008d9
MC		 5796 SSL_free(serverssl);
5797 SSL_free(clientssl);
5798 serverssl = clientssl = NULL;
5799
0db3a990
MC		 5800 if (tst == 3 || tst == 5) {
5801 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 5802 testresult = 1;
5803 goto end;
5804 }
5805
710756a9
RS		 5806 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5807 NULL, NULL))
5808 || !TEST_true(SSL_set_session(clientssl, sess))
5809 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5810 SSL_ERROR_NONE)))
a37008d9 5811 goto end;
a37008d9
MC		 5812
5813 /*
5814 * For a resumed session we expect to add the ClientHello extension. For the
5815 * old style callbacks we ignore it on the server side because they set
5816 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5817 * them.
5818 */
5819 if (tst == 0) {
710756a9
RS		 5820 if (clntaddoldcb != 2
5821 || clntparseoldcb != 1
5822 || srvaddoldcb != 1
5823 || srvparseoldcb != 1)
a37008d9 5824 goto end;
bb01ef3f 5825 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5826 if (clntaddnewcb != 2
5827 || clntparsenewcb != 2
5828 || srvaddnewcb != 2
5829 || srvparsenewcb != 2)
a37008d9 5830 goto end;
a37008d9 5831 } else {
36ff232c
MC		 5832 /*
5833 * No Certificate message extensions in the resumption handshake,
5834 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5835 */
710756a9 5836 if (clntaddnewcb != 2
36ff232c
MC		 5837 || clntparsenewcb != 8
5838 || srvaddnewcb != 8
710756a9 5839 || srvparsenewcb != 2)
a37008d9 5840 goto end;
a37008d9
MC		 5841 }
5842
5843 testresult = 1;
5844
5845end:
5846 SSL_SESSION_free(sess);
5847 SSL_free(serverssl);
5848 SSL_free(clientssl);
bb01ef3f 5849 SSL_CTX_free(sctx2);
a37008d9
MC		 5850 SSL_CTX_free(sctx);
5851 SSL_CTX_free(cctx);
a37008d9
MC		 5852 return testresult;
5853}
5854
555dd939 5855#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 5856
555dd939
DF		 5857#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
5858 | SSL_EXT_CLIENT_HELLO \
5859 | SSL_EXT_TLS1_2_SERVER_HELLO \
5860 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 5861
555dd939
DF		 5862#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
5863 | SSL_EXT_TLS1_2_SERVER_HELLO \
5864 | SSL_EXT_CLIENT_HELLO)
16afd71c 5865
555dd939
DF		 5866#define SERVERINFO_CUSTOM \
5867 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
5868 0x00, 0x03, \
5869 0x04, 0x05, 0x06 \
5870
5871static const unsigned char serverinfo_custom_tls13[] = {
5872 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
5873 SERVERINFO_CUSTOM
5874};
5875static const unsigned char serverinfo_custom_v2[] = {
5876 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
5877 SERVERINFO_CUSTOM
5878};
5879static const unsigned char serverinfo_custom_v1[] = {
5880 SERVERINFO_CUSTOM
5881};
5882static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
5883static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
5884static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
5885
5886static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
5887 unsigned int context,
5888 const unsigned char *in,
5889 size_t inlen, X509 *x,
5890 size_t chainidx, int *al,
5891 void *parse_arg)
5892{
5893 const size_t len = serverinfo_custom_v1_len;
5894 const unsigned char *si = &serverinfo_custom_v1[len - 3];
5895 int *p_cb_result = (int*)parse_arg;
5896 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
5897 return 1;
5898}
5899
5900static int test_serverinfo_custom(const int idx)
5901{
5902 SSL_CTX *sctx = NULL, *cctx = NULL;
5903 SSL *clientssl = NULL, *serverssl = NULL;
5904 int testresult = 0;
5905 int cb_result = 0;
5906
5907 /*
5908 * Following variables are set in the switch statement
5909 * according to the test iteration.
5910 * Default values do not make much sense: test would fail with them.
5911 */
5912 int serverinfo_version = 0;
5913 int protocol_version = 0;
5914 unsigned int extension_context = 0;
5915 const unsigned char *si = NULL;
5916 size_t si_len = 0;
5917
5918 const int call_use_serverinfo_ex = idx > 0;
5919 switch (idx) {
5920 case 0: /* FALLTHROUGH */
5921 case 1:
5922 serverinfo_version = SSL_SERVERINFOV1;
5923 protocol_version = TLS1_2_VERSION;
5924 extension_context = SYNTHV1CONTEXT;
5925 si = serverinfo_custom_v1;
5926 si_len = serverinfo_custom_v1_len;
5927 break;
5928 case 2:
5929 serverinfo_version = SSL_SERVERINFOV2;
5930 protocol_version = TLS1_2_VERSION;
5931 extension_context = SYNTHV1CONTEXT;
5932 si = serverinfo_custom_v2;
5933 si_len = serverinfo_custom_v2_len;
5934 break;
5935 case 3:
5936 serverinfo_version = SSL_SERVERINFOV2;
5937 protocol_version = TLS1_3_VERSION;
5938 extension_context = TLS13CONTEXT;
5939 si = serverinfo_custom_tls13;
5940 si_len = serverinfo_custom_tls13_len;
5941 break;
16afd71c
MC		 5942 }
5943
555dd939
DF		 5944 if (!TEST_true(create_ssl_ctx_pair(libctx,
5945 TLS_method(),
5946 TLS_method(),
5947 protocol_version,
5948 protocol_version,
5949 &sctx, &cctx, cert, privkey)))
5950 goto end;
16afd71c 5951
555dd939
DF		 5952 if (call_use_serverinfo_ex) {
5953 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
5954 si, si_len)))
5955 goto end;
5956 } else {
5957 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
5958 goto end;
16afd71c
MC		 5959 }
5960
555dd939
DF		 5961 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
5962 extension_context,
5963 NULL, NULL, NULL,
5964 serverinfo_custom_parse_cb,
5965 &cb_result))
5966 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5967 NULL, NULL))
5968 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5969 SSL_ERROR_NONE))
5970 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
5971 goto end;
5972
5973 if (!TEST_true(cb_result))
16afd71c
MC		 5974 goto end;
5975
5976 testresult = 1;
5977
5978 end:
555dd939
DF		 5979 SSL_free(serverssl);
5980 SSL_free(clientssl);
5981 SSL_CTX_free(sctx);
5982 SSL_CTX_free(cctx);
16afd71c
MC		 5983
5984 return testresult;
5985}
555dd939 5986#endif
16afd71c 5987
2197d1df
MC		 5988/*
5989 * Test that SSL_export_keying_material() produces expected results. There are
5990 * no test vectors so all we do is test that both sides of the communication
5991 * produce the same results for different protocol versions.
5992 */
0fb2815b
MC		 5993#define SMALL_LABEL_LEN 10
5994#define LONG_LABEL_LEN 249
2197d1df
MC		 5995static int test_export_key_mat(int tst)
5996{
a599574b 5997 int testresult = 0;
2197d1df
MC		 5998 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5999 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6000 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6001 const unsigned char context[] = "context";
6002 const unsigned char *emptycontext = NULL;
6003 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
6004 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 6005 size_t labellen;
a599574b
MC		 6006 const int protocols[] = {
6007 TLS1_VERSION,
6008 TLS1_1_VERSION,
6009 TLS1_2_VERSION,
0fb2815b
MC		 6010 TLS1_3_VERSION,
6011 TLS1_3_VERSION,
a599574b
MC		 6012 TLS1_3_VERSION
6013 };
2197d1df
MC		 6014
6015#ifdef OPENSSL_NO_TLS1
6016 if (tst == 0)
6017 return 1;
6018#endif
6019#ifdef OPENSSL_NO_TLS1_1
6020 if (tst == 1)
6021 return 1;
6022#endif
4f6c7044
MC		 6023 if (is_fips && (tst == 0 || tst == 1))
6024 return 1;
2197d1df
MC		 6025#ifdef OPENSSL_NO_TLS1_2
6026 if (tst == 2)
6027 return 1;
6028#endif
a763ca11 6029#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6030 if (tst >= 3)
2197d1df
MC		 6031 return 1;
6032#endif
5e30f2fd
MC		 6033 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6034 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6035 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6036 goto end;
6037
a599574b
MC		 6038 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6039 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6040 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6041 if ((protocols[tst] < TLS1_2_VERSION) &&
6042 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6043 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6044 goto end;
2197d1df
MC		 6045
6046 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6047 NULL)))
6048 goto end;
6049
6050 /*
6051 * Premature call of SSL_export_keying_material should just fail.
6052 */
6053 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6054 sizeof(ckeymat1), label,
6055 SMALL_LABEL_LEN + 1, context,
6056 sizeof(context) - 1, 1), 0))
6057 goto end;
6058
6059 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6060 SSL_ERROR_NONE)))
2197d1df
MC		 6061 goto end;
6062
0fb2815b
MC		 6063 if (tst == 5) {
6064 /*
6065 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6066 * go over that.
6067 */
6068 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6069 sizeof(ckeymat1), label,
6070 LONG_LABEL_LEN + 1, context,
6071 sizeof(context) - 1, 1), 0))
6072 goto end;
6073
6074 testresult = 1;
6075 goto end;
6076 } else if (tst == 4) {
6077 labellen = LONG_LABEL_LEN;
6078 } else {
6079 labellen = SMALL_LABEL_LEN;
6080 }
6081
2197d1df
MC		 6082 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6083 sizeof(ckeymat1), label,
0fb2815b 6084 labellen, context,
2197d1df
MC		 6085 sizeof(context) - 1, 1), 1)
6086 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6087 sizeof(ckeymat2), label,
0fb2815b 6088 labellen,
2197d1df
MC		 6089 emptycontext,
6090 0, 1), 1)
6091 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6092 sizeof(ckeymat3), label,
0fb2815b 6093 labellen,
2197d1df
MC		 6094 NULL, 0, 0), 1)
6095 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6096 sizeof(skeymat1), label,
0fb2815b 6097 labellen,
2197d1df
MC		 6098 context,
6099 sizeof(context) -1, 1),
6100 1)
6101 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6102 sizeof(skeymat2), label,
0fb2815b 6103 labellen,
2197d1df
MC		 6104 emptycontext,
6105 0, 1), 1)
6106 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6107 sizeof(skeymat3), label,
0fb2815b 6108 labellen,
2197d1df
MC		 6109 NULL, 0, 0), 1)
6110 /*
6111 * Check that both sides created the same key material with the
6112 * same context.
6113 */
6114 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6115 sizeof(skeymat1))
6116 /*
6117 * Check that both sides created the same key material with an
6118 * empty context.
6119 */
6120 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6121 sizeof(skeymat2))
6122 /*
6123 * Check that both sides created the same key material without a
6124 * context.
6125 */
6126 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6127 sizeof(skeymat3))
6128 /* Different contexts should produce different results */
6129 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6130 sizeof(ckeymat2)))
6131 goto end;
6132
6133 /*
6134 * Check that an empty context and no context produce different results in
6135 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6136 */
0fb2815b 6137 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6138 sizeof(ckeymat3)))
0fb2815b
MC		 6139 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6140 sizeof(ckeymat3))))
2197d1df
MC		 6141 goto end;
6142
6143 testresult = 1;
6144
6145 end:
6146 SSL_free(serverssl);
6147 SSL_free(clientssl);
6148 SSL_CTX_free(sctx2);
6149 SSL_CTX_free(sctx);
6150 SSL_CTX_free(cctx);
6151
6152 return testresult;
6153}
6154
a763ca11 6155#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6156/*
6157 * Test that SSL_export_keying_material_early() produces expected
6158 * results. There are no test vectors so all we do is test that both
6159 * sides of the communication produce the same results for different
6160 * protocol versions.
6161 */
6162static int test_export_key_mat_early(int idx)
6163{
6164 static const char label[] = "test label";
6165 static const unsigned char context[] = "context";
6166 int testresult = 0;
6167 SSL_CTX *cctx = NULL, *sctx = NULL;
6168 SSL *clientssl = NULL, *serverssl = NULL;
6169 SSL_SESSION *sess = NULL;
6170 const unsigned char *emptycontext = NULL;
6171 unsigned char ckeymat1[80], ckeymat2[80];
6172 unsigned char skeymat1[80], skeymat2[80];
6173 unsigned char buf[1];
6174 size_t readbytes, written;
6175
6176 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6177 &sess, idx)))
6178 goto end;
6179
6180 /* Here writing 0 length early data is enough. */
6181 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6182 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6183 &readbytes),
6184 SSL_READ_EARLY_DATA_ERROR)
6185 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6186 SSL_EARLY_DATA_ACCEPTED))
6187 goto end;
6188
6189 if (!TEST_int_eq(SSL_export_keying_material_early(
6190 clientssl, ckeymat1, sizeof(ckeymat1), label,
6191 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6192 || !TEST_int_eq(SSL_export_keying_material_early(
6193 clientssl, ckeymat2, sizeof(ckeymat2), label,
6194 sizeof(label) - 1, emptycontext, 0), 1)
6195 || !TEST_int_eq(SSL_export_keying_material_early(
6196 serverssl, skeymat1, sizeof(skeymat1), label,
6197 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6198 || !TEST_int_eq(SSL_export_keying_material_early(
6199 serverssl, skeymat2, sizeof(skeymat2), label,
6200 sizeof(label) - 1, emptycontext, 0), 1)
6201 /*
6202 * Check that both sides created the same key material with the
6203 * same context.
6204 */
6205 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6206 sizeof(skeymat1))
6207 /*
6208 * Check that both sides created the same key material with an
6209 * empty context.
6210 */
6211 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6212 sizeof(skeymat2))
6213 /* Different contexts should produce different results */
6214 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6215 sizeof(ckeymat2)))
6216 goto end;
6217
6218 testresult = 1;
6219
6220 end:
c20e3b28 6221 SSL_SESSION_free(sess);
b38ede80
TT		 6222 SSL_SESSION_free(clientpsk);
6223 SSL_SESSION_free(serverpsk);
34ff74eb 6224 clientpsk = serverpsk = NULL;
b38ede80
TT		 6225 SSL_free(serverssl);
6226 SSL_free(clientssl);
6227 SSL_CTX_free(sctx);
6228 SSL_CTX_free(cctx);
6229
6230 return testresult;
6231}
3409a5ff
MC		 6232
6233#define NUM_KEY_UPDATE_MESSAGES 40
6234/*
6235 * Test KeyUpdate.
6236 */
6237static int test_key_update(void)
6238{
6239 SSL_CTX *cctx = NULL, *sctx = NULL;
6240 SSL *clientssl = NULL, *serverssl = NULL;
6241 int testresult = 0, i, j;
6242 char buf[20];
6243 static char *mess = "A test message";
6244
5e30f2fd 6245 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6246 TLS_client_method(),
6247 TLS1_3_VERSION,
6248 0,
6249 &sctx, &cctx, cert, privkey))
6250 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6251 NULL, NULL))
6252 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6253 SSL_ERROR_NONE)))
6254 goto end;
6255
6256 for (j = 0; j < 2; j++) {
6257 /* Send lots of KeyUpdate messages */
6258 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6259 if (!TEST_true(SSL_key_update(clientssl,
6260 (j == 0)
6261 ? SSL_KEY_UPDATE_NOT_REQUESTED
6262 : SSL_KEY_UPDATE_REQUESTED))
6263 || !TEST_true(SSL_do_handshake(clientssl)))
6264 goto end;
6265 }
6266
6267 /* Check that sending and receiving app data is ok */
6268 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6269 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6270 strlen(mess)))
6271 goto end;
a77b4dba
MC		 6272
6273 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6274 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6275 strlen(mess)))
6276 goto end;
3409a5ff
MC		 6277 }
6278
6279 testresult = 1;
6280
6281 end:
6282 SSL_free(serverssl);
6283 SSL_free(clientssl);
6284 SSL_CTX_free(sctx);
6285 SSL_CTX_free(cctx);
6286
6287 return testresult;
6288}
a77b4dba
MC		 6289
6290/*
0c48fda8 6291 * Test we can handle a KeyUpdate (update requested) message while
6292 * write data is pending in peer.
a77b4dba
MC		 6293 * Test 0: Client sends KeyUpdate while Server is writing
6294 * Test 1: Server sends KeyUpdate while Client is writing
6295 */
0c48fda8 6296static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6297{
6298 SSL_CTX *cctx = NULL, *sctx = NULL;
6299 SSL *clientssl = NULL, *serverssl = NULL;
6300 int testresult = 0;
6301 char buf[20];
6302 static char *mess = "A test message";
6303 BIO *bretry = BIO_new(bio_s_always_retry());
6304 BIO *tmp = NULL;
6305 SSL *peerupdate = NULL, *peerwrite = NULL;
6306
6307 if (!TEST_ptr(bretry)
5e30f2fd 6308 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6309 TLS_client_method(),
6310 TLS1_3_VERSION,
6311 0,
6312 &sctx, &cctx, cert, privkey))
6313 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6314 NULL, NULL))
6315 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6316 SSL_ERROR_NONE)))
6317 goto end;
6318
6319 peerupdate = tst == 0 ? clientssl : serverssl;
6320 peerwrite = tst == 0 ? serverssl : clientssl;
6321
6322 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6323 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6324 goto end;
6325
6326 /* Swap the writing endpoint's write BIO to force a retry */
6327 tmp = SSL_get_wbio(peerwrite);
6328 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6329 tmp = NULL;
6330 goto end;
6331 }
6332 SSL_set0_wbio(peerwrite, bretry);
6333 bretry = NULL;
6334
6335 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6336 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6337 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6338 goto end;
6339
6340 /* Reinstate the original writing endpoint's write BIO */
6341 SSL_set0_wbio(peerwrite, tmp);
6342 tmp = NULL;
6343
6344 /* Now read some data - we will read the key update */
6345 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6346 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6347 goto end;
6348
6349 /*
6350 * Complete the write we started previously and read it from the other
6351 * endpoint
6352 */
6353 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6354 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6355 goto end;
6356
6357 /* Write more data to ensure we send the KeyUpdate message back */
6358 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6359 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6360 goto end;
6361
6362 testresult = 1;
6363
6364 end:
6365 SSL_free(serverssl);
6366 SSL_free(clientssl);
6367 SSL_CTX_free(sctx);
6368 SSL_CTX_free(cctx);
6369 BIO_free(bretry);
6370 BIO_free(tmp);
6371
6372 return testresult;
6373}
0c48fda8 6374
6375/*
6376 * Test we can handle a KeyUpdate (update requested) message while
6377 * peer read data is pending after peer accepted keyupdate(the msg header
6378 * had been read 5 bytes).
6379 * Test 0: Client sends KeyUpdate while Server is reading
6380 * Test 1: Server sends KeyUpdate while Client is reading
6381 */
6382static int test_key_update_peer_in_read(int tst)
6383{
6384 SSL_CTX *cctx = NULL, *sctx = NULL;
6385 SSL *clientssl = NULL, *serverssl = NULL;
6386 int testresult = 0;
6387 char prbuf[515], lwbuf[515] = {0};
6388 static char *mess = "A test message";
6389 BIO *lbio = NULL, *pbio = NULL;
6390 SSL *local = NULL, *peer = NULL;
6391
6392 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6393 TLS_client_method(),
6394 TLS1_3_VERSION,
6395 0,
6396 &sctx, &cctx, cert, privkey))
6397 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6398 NULL, NULL))
6399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6400 SSL_ERROR_NONE)))
6401 goto end;
6402
6403 local = tst == 0 ? clientssl : serverssl;
6404 peer = tst == 0 ? serverssl : clientssl;
6405
6406 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6407 goto end;
6408
6409 SSL_set_bio(local, lbio, lbio);
6410 SSL_set_bio(peer, pbio, pbio);
6411
6412 /*
6413 * we first write keyupdate msg then appdata in local
6414 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6415 * lwbuf app data msg size + key updata msg size > 512(the size of
6416 * the bio pair buffer)
6417 */
6418 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6419 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6420 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6421 goto end;
6422
6423 /*
6424 * first read keyupdate msg in peer in peer
6425 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6426 */
6427 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6428 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6429 goto end;
6430
6431 /* Now write some data in peer - we will write the key update */
6432 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6433 goto end;
6434
6435 /*
6436 * write data in local previously that we will complete
6437 * read data in peer previously that we will complete
6438 */
6439 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6440 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6441 goto end;
6442
6443 /* check that sending and receiving appdata ok */
6444 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6445 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6446 goto end;
6447
6448 testresult = 1;
6449
6450 end:
6451 SSL_free(serverssl);
6452 SSL_free(clientssl);
6453 SSL_CTX_free(sctx);
6454 SSL_CTX_free(cctx);
6455
6456 return testresult;
6457}
6458
6459/*
6460 * Test we can't send a KeyUpdate (update requested) message while
6461 * local write data is pending.
6462 * Test 0: Client sends KeyUpdate while Client is writing
6463 * Test 1: Server sends KeyUpdate while Server is writing
6464 */
6465static int test_key_update_local_in_write(int tst)
6466{
6467 SSL_CTX *cctx = NULL, *sctx = NULL;
6468 SSL *clientssl = NULL, *serverssl = NULL;
6469 int testresult = 0;
6470 char buf[20];
6471 static char *mess = "A test message";
6472 BIO *bretry = BIO_new(bio_s_always_retry());
6473 BIO *tmp = NULL;
6474 SSL *local = NULL, *peer = NULL;
6475
6476 if (!TEST_ptr(bretry)
6477 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6478 TLS_client_method(),
6479 TLS1_3_VERSION,
6480 0,
6481 &sctx, &cctx, cert, privkey))
6482 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6483 NULL, NULL))
6484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6485 SSL_ERROR_NONE)))
6486 goto end;
6487
6488 local = tst == 0 ? clientssl : serverssl;
6489 peer = tst == 0 ? serverssl : clientssl;
6490
6491 /* Swap the writing endpoint's write BIO to force a retry */
6492 tmp = SSL_get_wbio(local);
6493 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6494 tmp = NULL;
6495 goto end;
6496 }
6497 SSL_set0_wbio(local, bretry);
6498 bretry = NULL;
6499
6500 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6501 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6502 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6503 goto end;
6504
6505 /* Reinstate the original writing endpoint's write BIO */
6506 SSL_set0_wbio(local, tmp);
6507 tmp = NULL;
6508
6509 /* SSL_key_update will fail, because writing in local*/
6510 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6511 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6512 goto end;
6513
6514 ERR_clear_error();
6515 /* write data in local previously that we will complete */
6516 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6517 goto end;
6518
6519 /* SSL_key_update will succeed because there is no pending write data */
6520 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6521 || !TEST_int_eq(SSL_do_handshake(local), 1))
6522 goto end;
6523
6524 /*
6525 * we write some appdata in local
6526 * read data in peer - we will read the keyupdate msg
6527 */
6528 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6529 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6530 goto end;
6531
6532 /* Write more peer more data to ensure we send the keyupdate message back */
6533 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6534 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6535 goto end;
6536
6537 testresult = 1;
6538
6539 end:
6540 SSL_free(serverssl);
6541 SSL_free(clientssl);
6542 SSL_CTX_free(sctx);
6543 SSL_CTX_free(cctx);
6544 BIO_free(bretry);
6545 BIO_free(tmp);
6546
6547 return testresult;
6548}
6549
6550/*
6551 * Test we can handle a KeyUpdate (update requested) message while
6552 * local read data is pending(the msg header had been read 5 bytes).
6553 * Test 0: Client sends KeyUpdate while Client is reading
6554 * Test 1: Server sends KeyUpdate while Server is reading
6555 */
6556static int test_key_update_local_in_read(int tst)
6557{
6558 SSL_CTX *cctx = NULL, *sctx = NULL;
6559 SSL *clientssl = NULL, *serverssl = NULL;
6560 int testresult = 0;
6561 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6562 static char *mess = "A test message";
6563 BIO *lbio = NULL, *pbio = NULL;
6564 SSL *local = NULL, *peer = NULL;
6565
6566 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6567 TLS_client_method(),
6568 TLS1_3_VERSION,
6569 0,
6570 &sctx, &cctx, cert, privkey))
6571 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6572 NULL, NULL))
6573 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6574 SSL_ERROR_NONE)))
6575 goto end;
6576
6577 local = tst == 0 ? clientssl : serverssl;
6578 peer = tst == 0 ? serverssl : clientssl;
6579
6580 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6581 goto end;
6582
6583 SSL_set_bio(local, lbio, lbio);
6584 SSL_set_bio(peer, pbio, pbio);
6585
6586 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6587 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6588 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6589 goto end;
6590
6591 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6592 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6593 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6594 goto end;
6595
6596 /* SSL_do_handshake will send keyupdate msg */
6597 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6598 || !TEST_int_eq(SSL_do_handshake(local), 1))
6599 goto end;
6600
6601 /*
6602 * write data in peer previously that we will complete
6603 * read data in local previously that we will complete
6604 */
6605 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6606 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6607 goto end;
6608
6609 /*
6610 * write data in local
6611 * read data in peer - we will read the key update
6612 */
6613 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6614 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6615 goto end;
6616
6617 /* Write more peer data to ensure we send the keyupdate message back */
6618 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6619 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6620 goto end;
6621
6622 testresult = 1;
6623
6624 end:
6625 SSL_free(serverssl);
6626 SSL_free(clientssl);
6627 SSL_CTX_free(sctx);
6628 SSL_CTX_free(cctx);
6629
6630 return testresult;
6631}
a763ca11 6632#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6633
e11b6aa4
MC		 6634static int test_ssl_clear(int idx)
6635{
6636 SSL_CTX *cctx = NULL, *sctx = NULL;
6637 SSL *clientssl = NULL, *serverssl = NULL;
6638 int testresult = 0;
6639
6640#ifdef OPENSSL_NO_TLS1_2
6641 if (idx == 1)
6642 return 1;
6643#endif
6644
6645 /* Create an initial connection */
5e30f2fd
MC		 6646 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6647 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6648 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6649 || (idx == 1
6650 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6651 TLS1_2_VERSION)))
6652 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6653 &clientssl, NULL, NULL))
6654 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6655 SSL_ERROR_NONE)))
6656 goto end;
6657
6658 SSL_shutdown(clientssl);
6659 SSL_shutdown(serverssl);
6660 SSL_free(serverssl);
6661 serverssl = NULL;
6662
6663 /* Clear clientssl - we're going to reuse the object */
6664 if (!TEST_true(SSL_clear(clientssl)))
6665 goto end;
6666
6667 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6668 NULL, NULL))
6669 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6670 SSL_ERROR_NONE))
6671 || !TEST_true(SSL_session_reused(clientssl)))
6672 goto end;
6673
6674 SSL_shutdown(clientssl);
6675 SSL_shutdown(serverssl);
6676
6677 testresult = 1;
6678
6679 end:
6680 SSL_free(serverssl);
6681 SSL_free(clientssl);
6682 SSL_CTX_free(sctx);
6683 SSL_CTX_free(cctx);
6684
6685 return testresult;
6686}
6687
cf72c757
F		 6688/* Parse CH and retrieve any MFL extension value if present */
6689static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6690{
6691 long len;
6692 unsigned char *data;
72962d02 6693 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6694 unsigned int MFL_code = 0, type = 0;
6695
1287dabd 6696 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6697 goto end;
6698
72962d02
P		 6699 memset(&pkt, 0, sizeof(pkt));
6700 memset(&pkt2, 0, sizeof(pkt2));
6701 memset(&pkt3, 0, sizeof(pkt3));
6702
9ba18520 6703 if (!TEST_long_gt(len, 0)
1287dabd 6704 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6705 /* Skip the record header */
6706 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6707 /* Skip the handshake message header */
6708 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6709 /* Skip client version and random */
6710 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6711 + SSL3_RANDOM_SIZE))
6712 /* Skip session id */
6713 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6714 /* Skip ciphers */
6715 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6716 /* Skip compression */
6717 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6718 /* Extensions len */
6719 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6720 goto end;
6721
6722 /* Loop through all extensions */
6723 while (PACKET_remaining(&pkt2)) {
6724 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6725 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6726 goto end;
6727
6728 if (type == TLSEXT_TYPE_max_fragment_length) {
6729 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6730 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6731 goto end;
6732
6733 *mfl_codemfl_code = MFL_code;
6734 return 1;
6735 }
6736 }
6737
6738 end:
6739 return 0;
6740}
6741
6742/* Maximum-Fragment-Length TLS extension mode to test */
6743static const unsigned char max_fragment_len_test[] = {
6744 TLSEXT_max_fragment_length_512,
6745 TLSEXT_max_fragment_length_1024,
6746 TLSEXT_max_fragment_length_2048,
6747 TLSEXT_max_fragment_length_4096
6748};
6749
6750static int test_max_fragment_len_ext(int idx_tst)
6751{
a763ca11 6752 SSL_CTX *ctx = NULL;
cf72c757
F		 6753 SSL *con = NULL;
6754 int testresult = 0, MFL_mode = 0;
6755 BIO *rbio, *wbio;
6756
a763ca11
MC		 6757 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6758 TLS1_VERSION, 0, NULL, &ctx, NULL,
6759 NULL)))
6760 return 0;
cf72c757
F		 6761
6762 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6763 ctx, max_fragment_len_test[idx_tst])))
6764 goto end;
6765
6766 con = SSL_new(ctx);
6767 if (!TEST_ptr(con))
6768 goto end;
6769
6770 rbio = BIO_new(BIO_s_mem());
6771 wbio = BIO_new(BIO_s_mem());
6772 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6773 BIO_free(rbio);
6774 BIO_free(wbio);
6775 goto end;
6776 }
6777
6778 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6779
6780 if (!TEST_int_le(SSL_connect(con), 0)) {
6781 /* This shouldn't succeed because we don't have a server! */
6782 goto end;
6783 }
6784
6785 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6786 /* no MFL in client hello */
6787 goto end;
6788 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6789 goto end;
6790
6791 testresult = 1;
6792
6793end:
6794 SSL_free(con);
6795 SSL_CTX_free(ctx);
6796
6797 return testresult;
6798}
6799
a763ca11 6800#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6801static int test_pha_key_update(void)
6802{
6803 SSL_CTX *cctx = NULL, *sctx = NULL;
6804 SSL *clientssl = NULL, *serverssl = NULL;
6805 int testresult = 0;
6806
5e30f2fd
MC		 6807 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6808 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6809 &sctx, &cctx, cert, privkey)))
6810 return 0;
6811
6812 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6813 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6814 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6815 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6816 goto end;
6817
e97be718 6818 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6819
6820 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6821 NULL, NULL)))
6822 goto end;
6823
9d75dce3
TS		 6824 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6825 SSL_ERROR_NONE)))
6826 goto end;
6827
6828 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6829 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6830 goto end;
6831
6832 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6833 goto end;
6834
6835 /* Start handshake on the server */
6836 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6837 goto end;
6838
6839 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6840 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6841 SSL_ERROR_NONE)))
6842 goto end;
6843
6844 SSL_shutdown(clientssl);
6845 SSL_shutdown(serverssl);
6846
6847 testresult = 1;
6848
6849 end:
6850 SSL_free(serverssl);
6851 SSL_free(clientssl);
6852 SSL_CTX_free(sctx);
6853 SSL_CTX_free(cctx);
6854 return testresult;
6855}
6856#endif
6857
76fd7a1d
MC		 6858#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6859
6860static SRP_VBASE *vbase = NULL;
6861
6862static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6863{
6864 int ret = SSL3_AL_FATAL;
6865 char *username;
6866 SRP_user_pwd *user = NULL;
6867
6868 username = SSL_get_srp_username(s);
6869 if (username == NULL) {
6870 *ad = SSL_AD_INTERNAL_ERROR;
6871 goto err;
6872 }
6873
6874 user = SRP_VBASE_get1_by_user(vbase, username);
6875 if (user == NULL) {
6876 *ad = SSL_AD_INTERNAL_ERROR;
6877 goto err;
6878 }
6879
6880 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6881 user->info) <= 0) {
6882 *ad = SSL_AD_INTERNAL_ERROR;
6883 goto err;
6884 }
6885
6886 ret = 0;
6887
6888 err:
6889 SRP_user_pwd_free(user);
6890 return ret;
6891}
6892
6893static int create_new_vfile(char *userid, char *password, const char *filename)
6894{
6895 char *gNid = NULL;
6896 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6897 TXT_DB *db = NULL;
6898 int ret = 0;
6899 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6900 size_t i;
6901
6902 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6903 goto end;
6904
20c00d0a 6905 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6906 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6907 if (!TEST_ptr(gNid))
6908 goto end;
6909
6910 /*
6911 * The only way to create an empty TXT_DB is to provide a BIO with no data
6912 * in it!
6913 */
6914 db = TXT_DB_read(dummy, DB_NUMBER);
6915 if (!TEST_ptr(db))
6916 goto end;
6917
6918 out = BIO_new_file(filename, "w");
6919 if (!TEST_ptr(out))
6920 goto end;
6921
6922 row[DB_srpid] = OPENSSL_strdup(userid);
6923 row[DB_srptype] = OPENSSL_strdup("V");
6924 row[DB_srpgN] = OPENSSL_strdup(gNid);
6925
6926 if (!TEST_ptr(row[DB_srpid])
6927 || !TEST_ptr(row[DB_srptype])
6928 || !TEST_ptr(row[DB_srpgN])
6929 || !TEST_true(TXT_DB_insert(db, row)))
6930 goto end;
6931
6932 row = NULL;
6933
aba9943f 6934 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 6935 goto end;
6936
6937 ret = 1;
6938 end:
6939 if (row != NULL) {
6940 for (i = 0; i < DB_NUMBER; i++)
6941 OPENSSL_free(row[i]);
6942 }
6943 OPENSSL_free(row);
6944 BIO_free(dummy);
6945 BIO_free(out);
6946 TXT_DB_free(db);
6947
6948 return ret;
6949}
6950
6951static int create_new_vbase(char *userid, char *password)
6952{
6953 BIGNUM *verifier = NULL, *salt = NULL;
6954 const SRP_gN *lgN = NULL;
6955 SRP_user_pwd *user_pwd = NULL;
6956 int ret = 0;
6957
6958 lgN = SRP_get_default_gN(NULL);
6959 if (!TEST_ptr(lgN))
6960 goto end;
6961
20c00d0a 6962 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6963 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6964 goto end;
6965
6966 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6967 if (!TEST_ptr(user_pwd))
6968 goto end;
6969
6970 user_pwd->N = lgN->N;
6971 user_pwd->g = lgN->g;
6972 user_pwd->id = OPENSSL_strdup(userid);
6973 if (!TEST_ptr(user_pwd->id))
6974 goto end;
6975
6976 user_pwd->v = verifier;
6977 user_pwd->s = salt;
6978 verifier = salt = NULL;
6979
6980 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6981 goto end;
6982 user_pwd = NULL;
6983
6984 ret = 1;
6985end:
6986 SRP_user_pwd_free(user_pwd);
6987 BN_free(salt);
6988 BN_free(verifier);
6989
6990 return ret;
6991}
6992
6993/*
6994 * SRP tests
6995 *
6996 * Test 0: Simple successful SRP connection, new vbase
6997 * Test 1: Connection failure due to bad password, new vbase
6998 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6999 * Test 3: Connection failure due to bad password, vbase loaded from existing
7000 * file
7001 * Test 4: Simple successful SRP connection, vbase loaded from new file
7002 * Test 5: Connection failure due to bad password, vbase loaded from new file
7003 */
7004static int test_srp(int tst)
7005{
7006 char *userid = "test", *password = "password", *tstsrpfile;
7007 SSL_CTX *cctx = NULL, *sctx = NULL;
7008 SSL *clientssl = NULL, *serverssl = NULL;
7009 int ret, testresult = 0;
7010
7011 vbase = SRP_VBASE_new(NULL);
7012 if (!TEST_ptr(vbase))
7013 goto end;
7014
7015 if (tst == 0 || tst == 1) {
7016 if (!TEST_true(create_new_vbase(userid, password)))
7017 goto end;
7018 } else {
7019 if (tst == 4 || tst == 5) {
7020 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7021 goto end;
7022 tstsrpfile = tmpfilename;
7023 } else {
7024 tstsrpfile = srpvfile;
7025 }
7026 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7027 goto end;
7028 }
7029
5e30f2fd
MC		 7030 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7031 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7032 &sctx, &cctx, cert, privkey)))
7033 goto end;
7034
7035 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7036 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7037 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7038 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7039 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7040 goto end;
7041
7042 if (tst % 2 == 1) {
7043 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7044 goto end;
7045 } else {
7046 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7047 goto end;
7048 }
7049
7050 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7051 NULL, NULL)))
7052 goto end;
7053
7054 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7055 if (ret) {
7056 if (!TEST_true(tst % 2 == 0))
7057 goto end;
7058 } else {
7059 if (!TEST_true(tst % 2 == 1))
7060 goto end;
7061 }
7062
7063 testresult = 1;
7064
7065 end:
7066 SRP_VBASE_free(vbase);
7067 vbase = NULL;
7068 SSL_free(serverssl);
7069 SSL_free(clientssl);
7070 SSL_CTX_free(sctx);
7071 SSL_CTX_free(cctx);
7072
7073 return testresult;
7074}
7075#endif
7076
5718fe45
MC		 7077static int info_cb_failed = 0;
7078static int info_cb_offset = 0;
7079static int info_cb_this_state = -1;
7080
7081static struct info_cb_states_st {
7082 int where;
7083 const char *statestr;
7084} info_cb_states[][60] = {
7085 {
7086 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7087 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7088 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7089 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7090 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7091 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7092 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7093 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7094 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7095 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7096 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7097 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7098 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7099 {SSL_CB_EXIT, NULL}, {0, NULL},
7100 }, {
7101 /* TLSv1.2 client followed by resumption */
e0f69c35 7102 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7103 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7104 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7105 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7106 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7107 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7108 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7109 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7110 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7111 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7112 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7113 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7114 }, {
7115 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7116 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7117 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7118 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7119 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7120 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7121 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7122 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7123 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7124 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7125 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7126 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7127 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7128 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7129 }, {
7130 /* TLSv1.3 client followed by resumption */
e0f69c35 7131 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7132 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7133 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7134 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7135 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7136 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7137 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7138 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7139 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7140 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7141 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7142 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7143 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7144 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7145 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7146 }, {
7147 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7148 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7149 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7150 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7151 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7152 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7153 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7154 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7155 {SSL_CB_EXIT, NULL}, {0, NULL},
7156 }, {
7157 /* TLSv1.3 client, early_data */
e0f69c35 7158 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7159 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7160 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7161 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7162 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7163 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7164 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7165 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7166 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7167 }, {
7168 /* TLSv1.3 server, certificate compression, followed by resumption */
7169 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7170 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7171 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7172 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7173 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7174 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7175 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7176 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7177 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7178 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7179 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7180 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7181 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7182 }, {
7183 /* TLSv1.3 client, certificate compression, followed by resumption */
7184 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7185 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7186 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7187 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7188 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7189 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7190 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7191 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7192 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7193 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7194 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7195 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7196 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7197 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7198 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7199 }, {
7200 {0, NULL},
7201 }
7202};
7203
7204static void sslapi_info_callback(const SSL *s, int where, int ret)
7205{
7206 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7207
7208 /* We do not ever expect a connection to fail in this test */
7209 if (!TEST_false(ret == 0)) {
7210 info_cb_failed = 1;
7211 return;
7212 }
7213
7214 /*
7215 * Do some sanity checks. We never expect these things to happen in this
7216 * test
7217 */
7218 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7219 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7220 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7221 info_cb_failed = 1;
7222 return;
7223 }
7224
7225 /* Now check we're in the right state */
7226 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7227 info_cb_failed = 1;
7228 return;
7229 }
7230 if ((where & SSL_CB_LOOP) != 0
7231 && !TEST_int_eq(strcmp(SSL_state_string(s),
7232 state[info_cb_this_state].statestr), 0)) {
7233 info_cb_failed = 1;
7234 return;
7235 }
033c181b 7236
4af5836b
MC		 7237 /*
7238 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7239 */
7240 if ((where & SSL_CB_HANDSHAKE_DONE)
7241 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7242 info_cb_failed = 1;
7243 return;
7244 }
5718fe45
MC		 7245}
7246
7247/*
7248 * Test the info callback gets called when we expect it to.
7249 *
7250 * Test 0: TLSv1.2, server
7251 * Test 1: TLSv1.2, client
7252 * Test 2: TLSv1.3, server
7253 * Test 3: TLSv1.3, client
7254 * Test 4: TLSv1.3, server, early_data
7255 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7256 * Test 6: TLSv1.3, server, compressed certificate
7257 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7258 */
7259static int test_info_callback(int tst)
7260{
7261 SSL_CTX *cctx = NULL, *sctx = NULL;
7262 SSL *clientssl = NULL, *serverssl = NULL;
7263 SSL_SESSION *clntsess = NULL;
7264 int testresult = 0;
7265 int tlsvers;
7266
7267 if (tst < 2) {
1aac20f5
MC		 7268/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7269#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7270 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7271 tlsvers = TLS1_2_VERSION;
7272#else
7273 return 1;
7274#endif
7275 } else {
a763ca11 7276#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7277 tlsvers = TLS1_3_VERSION;
7278#else
7279 return 1;
7280#endif
7281 }
7282
7283 /* Reset globals */
7284 info_cb_failed = 0;
7285 info_cb_this_state = -1;
7286 info_cb_offset = tst;
7287
a763ca11 7288#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7289 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7290 SSL_SESSION *sess = NULL;
7291 size_t written, readbytes;
7292 unsigned char buf[80];
7293
7294 /* early_data tests */
7295 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7296 &serverssl, &sess, 0)))
7297 goto end;
7298
7299 /* We don't actually need this reference */
7300 SSL_SESSION_free(sess);
7301
7302 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7303 sslapi_info_callback);
7304
7305 /* Write and read some early data and then complete the connection */
7306 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7307 &written))
7308 || !TEST_size_t_eq(written, strlen(MSG1))
7309 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7310 sizeof(buf), &readbytes),
7311 SSL_READ_EARLY_DATA_SUCCESS)
7312 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7313 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7314 SSL_EARLY_DATA_ACCEPTED)
7315 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7316 SSL_ERROR_NONE))
7317 || !TEST_false(info_cb_failed))
7318 goto end;
7319
7320 testresult = 1;
7321 goto end;
7322 }
6e07834c 7323#endif
5718fe45 7324
5e30f2fd 7325 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7326 TLS_client_method(),
7327 tlsvers, tlsvers, &sctx, &cctx, cert,
7328 privkey)))
7329 goto end;
7330
33c39a06
MC		 7331 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7332 goto end;
7333
5718fe45
MC		 7334 /*
7335 * For even numbered tests we check the server callbacks. For odd numbers we
7336 * check the client.
7337 */
7338 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7339 sslapi_info_callback);
b67cb09f
TS		 7340 if (tst >= 6) {
7341 if (!SSL_CTX_compress_certs(sctx, 0))
7342 goto end;
7343 }
5718fe45
MC		 7344
7345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7346 &clientssl, NULL, NULL))
7347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7348 SSL_ERROR_NONE))
7349 || !TEST_false(info_cb_failed))
7350 goto end;
7351
7352
7353
7354 clntsess = SSL_get1_session(clientssl);
7355 SSL_shutdown(clientssl);
7356 SSL_shutdown(serverssl);
7357 SSL_free(serverssl);
7358 SSL_free(clientssl);
7359 serverssl = clientssl = NULL;
7360
7361 /* Now do a resumption */
7362 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7363 NULL))
7364 || !TEST_true(SSL_set_session(clientssl, clntsess))
7365 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7366 SSL_ERROR_NONE))
7367 || !TEST_true(SSL_session_reused(clientssl))
7368 || !TEST_false(info_cb_failed))
7369 goto end;
7370
7371 testresult = 1;
7372
7373 end:
7374 SSL_free(serverssl);
7375 SSL_free(clientssl);
7376 SSL_SESSION_free(clntsess);
7377 SSL_CTX_free(sctx);
7378 SSL_CTX_free(cctx);
7379 return testresult;
7380}
7381
4a432af8
MC		 7382static int test_ssl_pending(int tst)
7383{
7384 SSL_CTX *cctx = NULL, *sctx = NULL;
7385 SSL *clientssl = NULL, *serverssl = NULL;
7386 int testresult = 0;
7387 char msg[] = "A test message";
7388 char buf[5];
7389 size_t written, readbytes;
7390
7391 if (tst == 0) {
5e30f2fd 7392 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7393 TLS_client_method(),
5c587fb6 7394 TLS1_VERSION, 0,
4a432af8
MC		 7395 &sctx, &cctx, cert, privkey)))
7396 goto end;
7397 } else {
7398#ifndef OPENSSL_NO_DTLS
5e30f2fd 7399 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7400 DTLS_client_method(),
5c587fb6 7401 DTLS1_VERSION, 0,
4a432af8
MC		 7402 &sctx, &cctx, cert, privkey)))
7403 goto end;
8ce390e1
MC		 7404
7405# ifdef OPENSSL_NO_DTLS1_2
7406 /* Not supported in the FIPS provider */
7407 if (is_fips) {
7408 testresult = 1;
7409 goto end;
7410 };
7411 /*
7412 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7413 * level 0
7414 */
7415 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7416 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7417 "DEFAULT:@SECLEVEL=0")))
7418 goto end;
7419# endif
4a432af8
MC		 7420#else
7421 return 1;
7422#endif
7423 }
7424
7425 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7426 NULL, NULL))
7427 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7428 SSL_ERROR_NONE)))
7429 goto end;
7430
e8251092
MC		 7431 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7432 || !TEST_false(SSL_has_pending(clientssl))
7433 || !TEST_int_eq(SSL_pending(serverssl), 0)
7434 || !TEST_false(SSL_has_pending(serverssl))
7435 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7436 || !TEST_size_t_eq(written, sizeof(msg))
7437 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7438 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7439 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7440 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7441 goto end;
7442
7443 testresult = 1;
7444
7445 end:
7446 SSL_free(serverssl);
7447 SSL_free(clientssl);
7448 SSL_CTX_free(sctx);
7449 SSL_CTX_free(cctx);
7450
7451 return testresult;
7452}
7453
e401389a
MC		 7454static struct {
7455 unsigned int maxprot;
7456 const char *clntciphers;
7457 const char *clnttls13ciphers;
7458 const char *srvrciphers;
7459 const char *srvrtls13ciphers;
7460 const char *shared;
a96e6c34 7461 const char *fipsshared;
e401389a 7462} shared_ciphers_data[] = {
60155b9a
MC		 7463/*
7464 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7465 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7466 */
a763ca11 7467#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7468 {
7469 TLS1_2_VERSION,
7470 "AES128-SHA:AES256-SHA",
7471 NULL,
7472 "AES256-SHA:DHE-RSA-AES128-SHA",
7473 NULL,
a96e6c34 7474 "AES256-SHA",
e401389a
MC		 7475 "AES256-SHA"
7476 },
a96e6c34
MC		 7477# if !defined(OPENSSL_NO_CHACHA) \
7478 && !defined(OPENSSL_NO_POLY1305) \
7479 && !defined(OPENSSL_NO_EC)
7480 {
7481 TLS1_2_VERSION,
7482 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7483 NULL,
7484 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7485 NULL,
7486 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7487 "AES128-SHA"
7488 },
7489# endif
e401389a
MC		 7490 {
7491 TLS1_2_VERSION,
7492 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7493 NULL,
7494 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7495 NULL,
a96e6c34 7496 "AES128-SHA:AES256-SHA",
e401389a
MC		 7497 "AES128-SHA:AES256-SHA"
7498 },
7499 {
7500 TLS1_2_VERSION,
7501 "AES128-SHA:AES256-SHA",
7502 NULL,
7503 "AES128-SHA:DHE-RSA-AES128-SHA",
7504 NULL,
a96e6c34 7505 "AES128-SHA",
e401389a
MC		 7506 "AES128-SHA"
7507 },
60155b9a
MC		 7508#endif
7509/*
7510 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7511 * enabled.
7512 */
a763ca11 7513#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7514 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7515 {
7516 TLS1_3_VERSION,
7517 "AES128-SHA:AES256-SHA",
7518 NULL,
7519 "AES256-SHA:AES128-SHA256",
7520 NULL,
7521 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7522 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7523 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7524 },
60155b9a 7525#endif
a763ca11 7526#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7527 {
7528 TLS1_3_VERSION,
7529 "AES128-SHA",
7530 "TLS_AES_256_GCM_SHA384",
7531 "AES256-SHA",
7532 "TLS_AES_256_GCM_SHA384",
a96e6c34 7533 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7534 "TLS_AES_256_GCM_SHA384"
7535 },
7536#endif
7537};
7538
a96e6c34 7539static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7540{
7541 SSL_CTX *cctx = NULL, *sctx = NULL;
7542 SSL *clientssl = NULL, *serverssl = NULL;
7543 int testresult = 0;
7544 char buf[1024];
b4250010 7545 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7546
7547 if (!TEST_ptr(tmplibctx))
7548 goto end;
7549
7550 /*
7551 * Regardless of whether we're testing with the FIPS provider loaded into
7552 * libctx, we want one peer to always use the full set of ciphersuites
7553 * available. Therefore we use a separate libctx with the default provider
7554 * loaded into it. We run the same tests twice - once with the client side
7555 * having the full set of ciphersuites and once with the server side.
7556 */
7557 if (clnt) {
d8652be0 7558 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7559 if (!TEST_ptr(cctx))
7560 goto end;
7561 } else {
d8652be0 7562 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7563 if (!TEST_ptr(sctx))
7564 goto end;
7565 }
e401389a 7566
5e30f2fd 7567 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7568 TLS_client_method(),
7569 TLS1_VERSION,
7570 shared_ciphers_data[tst].maxprot,
7571 &sctx, &cctx, cert, privkey)))
7572 goto end;
7573
7574 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7575 shared_ciphers_data[tst].clntciphers))
7576 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7577 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7578 shared_ciphers_data[tst].clnttls13ciphers)))
7579 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7580 shared_ciphers_data[tst].srvrciphers))
7581 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7582 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7583 shared_ciphers_data[tst].srvrtls13ciphers))))
7584 goto end;
7585
7586
7587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7588 NULL, NULL))
7589 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7590 SSL_ERROR_NONE)))
7591 goto end;
7592
7593 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7594 || !TEST_int_eq(strcmp(buf,
7595 is_fips
7596 ? shared_ciphers_data[tst].fipsshared
7597 : shared_ciphers_data[tst].shared),
7598 0)) {
e401389a
MC		 7599 TEST_info("Shared ciphers are: %s\n", buf);
7600 goto end;
7601 }
7602
7603 testresult = 1;
7604
7605 end:
7606 SSL_free(serverssl);
7607 SSL_free(clientssl);
7608 SSL_CTX_free(sctx);
7609 SSL_CTX_free(cctx);
b4250010 7610 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7611
7612 return testresult;
7613}
7614
a96e6c34
MC		 7615static int test_ssl_get_shared_ciphers(int tst)
7616{
7617 return int_test_ssl_get_shared_ciphers(tst, 0)
7618 && int_test_ssl_get_shared_ciphers(tst, 1);
7619}
7620
7621
d0191fe0 7622static const char *appdata = "Hello World";
61fb5923
MC		 7623static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7624static int tick_key_renew = 0;
7625static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7626
7627static int gen_tick_cb(SSL *s, void *arg)
7628{
7629 gen_tick_called = 1;
7630
7631 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7632 strlen(appdata));
7633}
7634
7635static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7636 const unsigned char *keyname,
7637 size_t keyname_length,
61fb5923
MC		 7638 SSL_TICKET_STATUS status,
7639 void *arg)
d0191fe0
MC		 7640{
7641 void *tickdata;
7642 size_t tickdlen;
7643
7644 dec_tick_called = 1;
7645
61fb5923
MC		 7646 if (status == SSL_TICKET_EMPTY)
7647 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7648
61fb5923
MC		 7649 if (!TEST_true(status == SSL_TICKET_SUCCESS
7650 || status == SSL_TICKET_SUCCESS_RENEW))
7651 return SSL_TICKET_RETURN_ABORT;
7652
7653 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7654 &tickdlen))
d0191fe0
MC		 7655 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7656 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7657 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7658
61fb5923
MC		 7659 if (tick_key_cb_called) {
7660 /* Don't change what the ticket key callback wanted to do */
7661 switch (status) {
7662 case SSL_TICKET_NO_DECRYPT:
7663 return SSL_TICKET_RETURN_IGNORE_RENEW;
7664
7665 case SSL_TICKET_SUCCESS:
7666 return SSL_TICKET_RETURN_USE;
d0191fe0 7667
61fb5923
MC		 7668 case SSL_TICKET_SUCCESS_RENEW:
7669 return SSL_TICKET_RETURN_USE_RENEW;
7670
7671 default:
7672 return SSL_TICKET_RETURN_ABORT;
7673 }
7674 }
7675 return tick_dec_ret;
7676
7677}
d0191fe0 7678
a76ce286 7679#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7680static int tick_key_cb(SSL *s, unsigned char key_name[16],
7681 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7682 HMAC_CTX *hctx, int enc)
7683{
7684 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7685 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 7686 EVP_CIPHER *aes128cbc;
7687 EVP_MD *sha256;
5e30f2fd 7688 int ret;
d0191fe0 7689
61fb5923 7690 tick_key_cb_called = 1;
3b7a3241
MC		 7691
7692 if (tick_key_renew == -1)
7693 return 0;
7694
7695 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7696 if (!TEST_ptr(aes128cbc))
7697 return 0;
7698 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7699 if (!TEST_ptr(sha256)) {
7700 EVP_CIPHER_free(aes128cbc);
7701 return 0;
7702 }
7703
d0191fe0
MC		 7704 memset(iv, 0, AES_BLOCK_SIZE);
7705 memset(key_name, 0, 16);
5e30f2fd
MC		 7706 if (aes128cbc == NULL
7707 || sha256 == NULL
7708 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7709 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7710 NULL))
7711 ret = -1;
7712 else
7713 ret = tick_key_renew ? 2 : 1;
d0191fe0 7714
5e30f2fd
MC		 7715 EVP_CIPHER_free(aes128cbc);
7716 EVP_MD_free(sha256);
7717
7718 return ret;
d0191fe0 7719}
a76ce286
P		 7720#endif
7721
7722static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7723 unsigned char iv[EVP_MAX_IV_LENGTH],
7724 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7725{
7726 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7727 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7728 OSSL_PARAM params[2];
3b7a3241 7729 EVP_CIPHER *aes128cbc;
5e30f2fd 7730 int ret;
a76ce286
P		 7731
7732 tick_key_cb_called = 1;
3b7a3241
MC		 7733
7734 if (tick_key_renew == -1)
7735 return 0;
7736
7737 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7738 if (!TEST_ptr(aes128cbc))
7739 return 0;
7740
a76ce286
P		 7741 memset(iv, 0, AES_BLOCK_SIZE);
7742 memset(key_name, 0, 16);
7743 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7744 "SHA256", 0);
77e4ae58 7745 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7746 if (aes128cbc == NULL
7747 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7748 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7749 params))
5e30f2fd
MC		 7750 ret = -1;
7751 else
7752 ret = tick_key_renew ? 2 : 1;
7753
7754 EVP_CIPHER_free(aes128cbc);
a76ce286 7755
5e30f2fd 7756 return ret;
a76ce286 7757}
d0191fe0
MC		 7758
7759/*
7760 * Test the various ticket callbacks
61fb5923
MC		 7761 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7762 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7763 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7764 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7765 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7766 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7767 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7768 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7769 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7770 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7771 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7772 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 7773 * Test 12: TLSv1.2, old ticket key callback, no ticket
7774 * Test 13: TLSv1.3, old ticket key callback, no ticket
7775 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
7776 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
7777 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
7778 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
7779 * Test 18: TLSv1.2, ticket key callback, no ticket
7780 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 7781 */
7782static int test_ticket_callbacks(int tst)
7783{
7784 SSL_CTX *cctx = NULL, *sctx = NULL;
7785 SSL *clientssl = NULL, *serverssl = NULL;
7786 SSL_SESSION *clntsess = NULL;
7787 int testresult = 0;
7788
7789#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7790 if (tst % 2 == 0)
d0191fe0
MC		 7791 return 1;
7792#endif
a763ca11 7793#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7794 if (tst % 2 == 1)
d0191fe0
MC		 7795 return 1;
7796#endif
a76ce286 7797#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 7798 if (tst >= 8 && tst <= 13)
a76ce286
P		 7799 return 1;
7800#endif
d0191fe0 7801
61fb5923 7802 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7803
7804 /* Which tests the ticket key callback should request renewal for */
3b7a3241
MC		 7805
7806 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 7807 tick_key_renew = 1;
3b7a3241
MC		 7808 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
7809 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 7810 else
61fb5923
MC		 7811 tick_key_renew = 0;
7812
7813 /* Which tests the decrypt ticket callback should request renewal for */
7814 switch (tst) {
7815 case 0:
7816 case 1:
7817 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7818 break;
7819
7820 case 2:
7821 case 3:
7822 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7823 break;
7824
7825 case 4:
7826 case 5:
7827 tick_dec_ret = SSL_TICKET_RETURN_USE;
7828 break;
7829
7830 case 6:
7831 case 7:
7832 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7833 break;
7834
7835 default:
7836 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7837 }
d0191fe0 7838
5e30f2fd 7839 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7840 TLS_client_method(),
7841 TLS1_VERSION,
61fb5923
MC		 7842 ((tst % 2) == 0) ? TLS1_2_VERSION
7843 : TLS1_3_VERSION,
d0191fe0
MC		 7844 &sctx, &cctx, cert, privkey)))
7845 goto end;
7846
61fb5923
MC		 7847 /*
7848 * We only want sessions to resume from tickets - not the session cache. So
7849 * switch the cache off.
7850 */
7851 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7852 goto end;
7853
d0191fe0
MC		 7854 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7855 NULL)))
7856 goto end;
7857
3b7a3241 7858 if (tst >= 14) {
a76ce286
P		 7859 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7860 goto end;
7861#ifndef OPENSSL_NO_DEPRECATED_3_0
7862 } else if (tst >= 8) {
7863 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7864 goto end;
7865#endif
7866 }
d0191fe0
MC		 7867
7868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7869 NULL, NULL))
7870 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7871 SSL_ERROR_NONE)))
7872 goto end;
7873
61fb5923
MC		 7874 /*
7875 * The decrypt ticket key callback in TLSv1.2 should be called even though
7876 * we have no ticket yet, because it gets called with a status of
7877 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7878 * actually send any ticket data). This does not happen in TLSv1.3 because
7879 * it is not valid to send empty ticket data in TLSv1.3.
7880 */
d0191fe0 7881 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7882 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7883 goto end;
7884
7885 gen_tick_called = dec_tick_called = 0;
7886
7887 clntsess = SSL_get1_session(clientssl);
7888 SSL_shutdown(clientssl);
7889 SSL_shutdown(serverssl);
7890 SSL_free(serverssl);
7891 SSL_free(clientssl);
7892 serverssl = clientssl = NULL;
7893
7894 /* Now do a resumption */
7895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7896 NULL))
7897 || !TEST_true(SSL_set_session(clientssl, clntsess))
7898 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7899 SSL_ERROR_NONE)))
d0191fe0
MC		 7900 goto end;
7901
61fb5923 7902 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 7903 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7904 || tick_key_renew == -1) {
61fb5923
MC		 7905 if (!TEST_false(SSL_session_reused(clientssl)))
7906 goto end;
7907 } else {
7908 if (!TEST_true(SSL_session_reused(clientssl)))
7909 goto end;
7910 }
7911
d0191fe0 7912 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7913 (tick_key_renew
7914 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7915 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7916 ? 1 : 0)
3b7a3241
MC		 7917 /* There is no ticket to decrypt in tests 13 and 19 */
7918 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 7919 goto end;
7920
7921 testresult = 1;
7922
7923 end:
7924 SSL_SESSION_free(clntsess);
7925 SSL_free(serverssl);
7926 SSL_free(clientssl);
7927 SSL_CTX_free(sctx);
7928 SSL_CTX_free(cctx);
7929
7930 return testresult;
7931}
7932
e638112e
DB		 7933/*
7934 * Test incorrect shutdown.
7935 * Test 0: client does not shutdown properly,
7936 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7937 * server should get SSL_ERROR_SSL
7938 * Test 1: client does not shutdown properly,
7939 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7940 * server should get SSL_ERROR_ZERO_RETURN
7941 */
7942static int test_incorrect_shutdown(int tst)
7943{
7944 SSL_CTX *cctx = NULL, *sctx = NULL;
7945 SSL *clientssl = NULL, *serverssl = NULL;
7946 int testresult = 0;
7947 char buf[80];
7948 BIO *c2s;
7949
7950 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7951 TLS_client_method(), 0, 0,
7952 &sctx, &cctx, cert, privkey)))
7953 goto end;
7954
7955 if (tst == 1)
7956 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7957
7958 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7959 NULL, NULL)))
7960 goto end;
7961
7962 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7963 SSL_ERROR_NONE)))
7964 goto end;
7965
7966 c2s = SSL_get_rbio(serverssl);
7967 BIO_set_mem_eof_return(c2s, 0);
7968
7969 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7970 goto end;
7971
7972 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7973 goto end;
7974 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7975 goto end;
7976
7977 testresult = 1;
7978
7979 end:
7980 SSL_free(serverssl);
7981 SSL_free(clientssl);
7982 SSL_CTX_free(sctx);
7983 SSL_CTX_free(cctx);
7984
7985 return testresult;
7986}
7987
c748834f
MC		 7988/*
7989 * Test bi-directional shutdown.
7990 * Test 0: TLSv1.2
7991 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7992 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7993 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7994 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7995 * sends key update, client reads it
57d7b988
MC		 7996 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7997 * sends CertificateRequest, client reads and ignores it
7998 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7999 * doesn't read it
8000 */
8001static int test_shutdown(int tst)
8002{
8003 SSL_CTX *cctx = NULL, *sctx = NULL;
8004 SSL *clientssl = NULL, *serverssl = NULL;
8005 int testresult = 0;
8006 char msg[] = "A test message";
8007 char buf[80];
8008 size_t written, readbytes;
80eff008 8009 SSL_SESSION *sess;
c748834f
MC		 8010
8011#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8012 if (tst <= 1)
c748834f
MC		 8013 return 1;
8014#endif
a763ca11 8015#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8016 if (tst >= 2)
c748834f
MC		 8017 return 1;
8018#endif
8019
5e30f2fd 8020 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8021 TLS_client_method(),
8022 TLS1_VERSION,
8023 (tst <= 1) ? TLS1_2_VERSION
8024 : TLS1_3_VERSION,
57d7b988
MC		 8025 &sctx, &cctx, cert, privkey)))
8026 goto end;
8027
8028 if (tst == 5)
8029 SSL_CTX_set_post_handshake_auth(cctx, 1);
8030
8031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8032 NULL, NULL)))
8033 goto end;
8034
8035 if (tst == 3) {
8036 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8037 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8038 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8039 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8040 goto end;
8041 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8042 SSL_ERROR_NONE))
8043 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8044 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8045 goto end;
8046 }
8047
8048 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8049 goto end;
8050
8051 if (tst >= 4) {
8052 /*
8053 * Reading on the server after the client has sent close_notify should
8054 * fail and provide SSL_ERROR_ZERO_RETURN
8055 */
8056 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8057 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8058 SSL_ERROR_ZERO_RETURN)
8059 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8060 SSL_RECEIVED_SHUTDOWN)
8061 /*
8062 * Even though we're shutdown on receive we should still be
8063 * able to write.
8064 */
80eff008
KR		 8065 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8066 goto end;
57d7b988
MC		 8067 if (tst == 4
8068 && !TEST_true(SSL_key_update(serverssl,
8069 SSL_KEY_UPDATE_REQUESTED)))
8070 goto end;
8071 if (tst == 5) {
8072 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8073 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8074 goto end;
8075 }
8076 if ((tst == 4 || tst == 5)
8077 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8078 goto end;
8079 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8080 goto end;
57d7b988 8081 if (tst == 4 || tst == 5) {
80eff008 8082 /* Should still be able to read data from server */
c748834f 8083 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8084 &readbytes))
8085 || !TEST_size_t_eq(readbytes, sizeof(msg))
8086 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8087 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8088 &readbytes))
c748834f
MC		 8089 || !TEST_size_t_eq(readbytes, sizeof(msg))
8090 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8091 goto end;
8092 }
8093 }
8094
8095 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8096 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8097 goto end;
8098
8099 if (tst < 4) {
8100 /*
8101 * For these tests the client has sent close_notify but it has not yet
8102 * been received by the server. The server has not sent close_notify
8103 * yet.
8104 */
8105 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8106 /*
8107 * Writing on the server after sending close_notify shouldn't
8108 * be possible.
8109 */
8110 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8111 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8112 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8113 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8114 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8115 goto end;
57d7b988 8116 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8117 /*
8118 * In this test the client has sent close_notify and it has been
8119 * received by the server which has responded with a close_notify. The
358ffa05 8120 * client needs to read the close_notify sent by the server.
c748834f 8121 */
80eff008
KR		 8122 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8123 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8124 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8125 goto end;
358ffa05
MC		 8126 } else {
8127 /*
57d7b988 8128 * tst == 6
358ffa05
MC		 8129 *
8130 * The client has sent close_notify and is expecting a close_notify
8131 * back, but instead there is application data first. The shutdown
8132 * should fail with a fatal error.
8133 */
8134 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8135 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8136 goto end;
c748834f
MC		 8137 }
8138
8139 testresult = 1;
8140
8141 end:
8142 SSL_free(serverssl);
8143 SSL_free(clientssl);
8144 SSL_CTX_free(sctx);
8145 SSL_CTX_free(cctx);
8146
8147 return testresult;
8148}
8149
a763ca11 8150#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8151static int cert_cb_cnt;
8152
8153static int cert_cb(SSL *s, void *arg)
8154{
8155 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8156 BIO *in = NULL;
8157 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8158 X509 *x509 = NULL, *rootx = NULL;
8159 STACK_OF(X509) *chain = NULL;
8160 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8161 int ret = 0;
cd6fe29f
MC		 8162
8163 if (cert_cb_cnt == 0) {
8164 /* Suspend the handshake */
8165 cert_cb_cnt++;
8166 return -1;
8167 } else if (cert_cb_cnt == 1) {
8168 /*
8169 * Update the SSL_CTX, set the certificate and private key and then
8170 * continue the handshake normally.
8171 */
8172 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8173 return 0;
8174
8175 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8176 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8177 SSL_FILETYPE_PEM))
8178 || !TEST_true(SSL_check_private_key(s)))
8179 return 0;
8180 cert_cb_cnt++;
8181 return 1;
7cb8fb07
BK		 8182 } else if (cert_cb_cnt == 3) {
8183 int rv;
1a2a3a42
MC		 8184
8185 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8186 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8187 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8188 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8189 goto out;
8190 chain = sk_X509_new_null();
8191 if (!TEST_ptr(chain))
8192 goto out;
7cb8fb07 8193 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8194 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8195 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8196 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8197 || !TEST_true(sk_X509_push(chain, rootx)))
8198 goto out;
8199 rootx = NULL;
8200 BIO_free(in);
8201 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8202 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8203 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8204 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8205 goto out;
8206 BIO_free(in);
8207 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8208 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8209 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8210 NULL, NULL,
8211 libctx, NULL)))
7cb8fb07 8212 goto out;
1a2a3a42 8213 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8214 /*
8215 * If the cert doesn't show as valid here (e.g., because we don't
8216 * have any shared sigalgs), then we will not set it, and there will
8217 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8218 * will cause tls_choose_sigalgs() to fail the connection.
8219 */
1a2a3a42
MC		 8220 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8221 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8222 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8223 goto out;
8224 }
1a2a3a42
MC		 8225
8226 ret = 1;
cd6fe29f
MC		 8227 }
8228
8229 /* Abort the handshake */
7cb8fb07 8230 out:
1a2a3a42
MC		 8231 OPENSSL_free(ecdsacert);
8232 OPENSSL_free(ecdsakey);
8233 OPENSSL_free(rootfile);
7cb8fb07
BK		 8234 BIO_free(in);
8235 EVP_PKEY_free(pkey);
8236 X509_free(x509);
1a2a3a42 8237 X509_free(rootx);
79b2a2f2 8238 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8239 return ret;
cd6fe29f
MC		 8240}
8241
8242/*
8243 * Test the certificate callback.
8244 * Test 0: Callback fails
8245 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8246 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8247 * Test 3: Success - Call SSL_check_chain from the callback
8248 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8249 * chain
8250 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8251 */
8252static int test_cert_cb_int(int prot, int tst)
8253{
8254 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8255 SSL *clientssl = NULL, *serverssl = NULL;
8256 int testresult = 0, ret;
8257
1a2a3a42
MC		 8258#ifdef OPENSSL_NO_EC
8259 /* We use an EC cert in these tests, so we skip in a no-ec build */
8260 if (tst >= 3)
8261 return 1;
8262#endif
8263
5e30f2fd 8264 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8265 TLS_client_method(),
8266 TLS1_VERSION,
8267 prot,
8268 &sctx, &cctx, NULL, NULL)))
8269 goto end;
8270
8271 if (tst == 0)
8272 cert_cb_cnt = -1;
1a2a3a42 8273 else if (tst >= 3)
7cb8fb07 8274 cert_cb_cnt = 3;
cd6fe29f
MC		 8275 else
8276 cert_cb_cnt = 0;
1a2a3a42 8277
b0317df2 8278 if (tst == 2) {
7e1eda48 8279 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8280 if (!TEST_ptr(snictx))
8281 goto end;
8282 }
8283
cd6fe29f
MC		 8284 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8285
8286 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8287 NULL, NULL)))
8288 goto end;
8289
1a2a3a42
MC		 8290 if (tst == 4) {
8291 /*
8292 * We cause SSL_check_chain() to fail by specifying sig_algs that
8293 * the chain doesn't meet (the root uses an RSA cert)
8294 */
8295 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8296 "ecdsa_secp256r1_sha256")))
8297 goto end;
8298 } else if (tst == 5) {
8299 /*
8300 * We cause SSL_check_chain() to fail by specifying sig_algs that
8301 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8302 */
8303 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8304 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8305 goto end;
8306 }
8307
cd6fe29f 8308 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8309 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8310 || (tst > 0
8311 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8312 goto end;
8313 }
8314
8315 testresult = 1;
8316
8317 end:
8318 SSL_free(serverssl);
8319 SSL_free(clientssl);
8320 SSL_CTX_free(sctx);
8321 SSL_CTX_free(cctx);
8322 SSL_CTX_free(snictx);
8323
8324 return testresult;
8325}
7f1d923a 8326#endif
cd6fe29f
MC		 8327
8328static int test_cert_cb(int tst)
8329{
8330 int testresult = 1;
8331
8332#ifndef OPENSSL_NO_TLS1_2
8333 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8334#endif
a763ca11 8335#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8336 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8337#endif
8338
8339 return testresult;
8340}
8341
6e46c065
MC		 8342static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8343{
8c2bfd25 8344 X509 *xcert;
6e46c065
MC		 8345 EVP_PKEY *privpkey;
8346 BIO *in = NULL;
6725682d 8347 BIO *priv_in = NULL;
6e46c065 8348
8c2bfd25
TS		 8349 /* Check that SSL_get0_peer_certificate() returns something sensible */
8350 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8351 return 0;
6e46c065
MC		 8352
8353 in = BIO_new_file(cert, "r");
8354 if (!TEST_ptr(in))
8355 return 0;
8356
d8652be0 8357 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8358 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8359 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8360 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8361 NULL, NULL,
8362 libctx, NULL)))
6725682d 8363 goto err;
6e46c065
MC		 8364
8365 *x509 = xcert;
8366 *pkey = privpkey;
8367
6725682d
SL		 8368 BIO_free(in);
8369 BIO_free(priv_in);
6e46c065 8370 return 1;
6725682d
SL		 8371err:
8372 X509_free(xcert);
8373 BIO_free(in);
8374 BIO_free(priv_in);
8375 return 0;
6e46c065
MC		 8376}
8377
6e46c065
MC		 8378static int test_client_cert_cb(int tst)
8379{
8380 SSL_CTX *cctx = NULL, *sctx = NULL;
8381 SSL *clientssl = NULL, *serverssl = NULL;
8382 int testresult = 0;
8383
8384#ifdef OPENSSL_NO_TLS1_2
8385 if (tst == 0)
8386 return 1;
8387#endif
a763ca11 8388#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8389 if (tst == 1)
8390 return 1;
8391#endif
8392
5e30f2fd 8393 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8394 TLS_client_method(),
8395 TLS1_VERSION,
8396 tst == 0 ? TLS1_2_VERSION
8397 : TLS1_3_VERSION,
8398 &sctx, &cctx, cert, privkey)))
8399 goto end;
8400
8401 /*
8402 * Test that setting a client_cert_cb results in a client certificate being
8403 * sent.
8404 */
8405 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8406 SSL_CTX_set_verify(sctx,
8407 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8408 verify_cb);
fb8c8359
MC		 8409
8410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8411 NULL, NULL))
8412 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8413 SSL_ERROR_NONE)))
8414 goto end;
8415
8416 testresult = 1;
8417
8418 end:
8419 SSL_free(serverssl);
8420 SSL_free(clientssl);
8421 SSL_CTX_free(sctx);
8422 SSL_CTX_free(cctx);
8423
8424 return testresult;
8425}
8426
a763ca11 8427#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8428/*
8429 * Test setting certificate authorities on both client and server.
8430 *
8431 * Test 0: SSL_CTX_set0_CA_list() only
8432 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8433 * Test 2: Only SSL_CTX_set_client_CA_list()
8434 */
8435static int test_ca_names_int(int prot, int tst)
8436{
8437 SSL_CTX *cctx = NULL, *sctx = NULL;
8438 SSL *clientssl = NULL, *serverssl = NULL;
8439 int testresult = 0;
8440 size_t i;
8441 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8442 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8443 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8444 const STACK_OF(X509_NAME) *sktmp = NULL;
8445
8446 for (i = 0; i < OSSL_NELEM(name); i++) {
8447 name[i] = X509_NAME_new();
8448 if (!TEST_ptr(name[i])
8449 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8450 MBSTRING_ASC,
8451 (unsigned char *)
8452 strnames[i],
8453 -1, -1, 0)))
8454 goto end;
8455 }
8456
5e30f2fd 8457 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8458 TLS_client_method(),
8459 TLS1_VERSION,
8460 prot,
8461 &sctx, &cctx, cert, privkey)))
8462 goto end;
8463
8464 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8465
8466 if (tst == 0 || tst == 1) {
8467 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8468 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8469 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8470 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8471 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8472 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8473 goto end;
8474
8475 SSL_CTX_set0_CA_list(sctx, sk1);
8476 SSL_CTX_set0_CA_list(cctx, sk2);
8477 sk1 = sk2 = NULL;
8478 }
8479 if (tst == 1 || tst == 2) {
8480 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8481 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8482 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8483 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8484 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8485 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8486 goto end;
8487
8488 SSL_CTX_set_client_CA_list(sctx, sk1);
8489 SSL_CTX_set_client_CA_list(cctx, sk2);
8490 sk1 = sk2 = NULL;
8491 }
8492
6e46c065
MC		 8493 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8494 NULL, NULL))
8495 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8496 SSL_ERROR_NONE)))
8497 goto end;
8498
fb8c8359
MC		 8499 /*
8500 * We only expect certificate authorities to have been sent to the server
8501 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8502 */
8503 sktmp = SSL_get0_peer_CA_list(serverssl);
8504 if (prot == TLS1_3_VERSION
8505 && (tst == 0 || tst == 1)) {
8506 if (!TEST_ptr(sktmp)
8507 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8508 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8509 name[0]), 0)
8510 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8511 name[1]), 0))
8512 goto end;
8513 } else if (!TEST_ptr_null(sktmp)) {
8514 goto end;
8515 }
8516
8517 /*
8518 * In all tests we expect certificate authorities to have been sent to the
8519 * client. However, SSL_set_client_CA_list() should override
8520 * SSL_set0_CA_list()
8521 */
8522 sktmp = SSL_get0_peer_CA_list(clientssl);
8523 if (!TEST_ptr(sktmp)
8524 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8525 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8526 name[tst == 0 ? 0 : 2]), 0)
8527 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8528 name[tst == 0 ? 1 : 3]), 0))
8529 goto end;
8530
6e46c065
MC		 8531 testresult = 1;
8532
8533 end:
8534 SSL_free(serverssl);
8535 SSL_free(clientssl);
8536 SSL_CTX_free(sctx);
8537 SSL_CTX_free(cctx);
fb8c8359
MC		 8538 for (i = 0; i < OSSL_NELEM(name); i++)
8539 X509_NAME_free(name[i]);
8540 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8541 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8542
8543 return testresult;
8544}
8545#endif
8546
8547static int test_ca_names(int tst)
8548{
8549 int testresult = 1;
8550
8551#ifndef OPENSSL_NO_TLS1_2
8552 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8553#endif
a763ca11 8554#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8555 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8556#endif
6e46c065
MC		 8557
8558 return testresult;
8559}
8560
0d2bfe52
SL		 8561#ifndef OPENSSL_NO_TLS1_2
8562static const char *multiblock_cipherlist_data[]=
8563{
8564 "AES128-SHA",
8565 "AES128-SHA256",
8566 "AES256-SHA",
8567 "AES256-SHA256",
8568};
8569
8570/* Reduce the fragment size - so the multiblock test buffer can be small */
8571# define MULTIBLOCK_FRAGSIZE 512
8572
8573static int test_multiblock_write(int test_index)
8574{
8575 static const char *fetchable_ciphers[]=
8576 {
8577 "AES-128-CBC-HMAC-SHA1",
8578 "AES-128-CBC-HMAC-SHA256",
8579 "AES-256-CBC-HMAC-SHA1",
8580 "AES-256-CBC-HMAC-SHA256"
8581 };
8582 const char *cipherlist = multiblock_cipherlist_data[test_index];
8583 const SSL_METHOD *smeth = TLS_server_method();
8584 const SSL_METHOD *cmeth = TLS_client_method();
8585 int min_version = TLS1_VERSION;
8586 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8587 SSL_CTX *cctx = NULL, *sctx = NULL;
8588 SSL *clientssl = NULL, *serverssl = NULL;
8589 int testresult = 0;
8590
8591 /*
8592 * Choose a buffer large enough to perform a multi-block operation
8593 * i.e: write_len >= 4 * frag_size
8594 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8595 */
8596 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8597 unsigned char buf[sizeof(msg)], *p = buf;
8598 size_t readbytes, written, len;
8599 EVP_CIPHER *ciph = NULL;
8600
8601 /*
8602 * Check if the cipher exists before attempting to use it since it only has
8603 * a hardware specific implementation.
8604 */
7c82a7a8 8605 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 8606 if (ciph == NULL) {
8607 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8608 return 1;
8609 }
8610 EVP_CIPHER_free(ciph);
8611
8612 /* Set up a buffer with some data that will be sent to the client */
8613 RAND_bytes(msg, sizeof(msg));
8614
5e30f2fd
MC		 8615 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8616 max_version, &sctx, &cctx, cert,
8617 privkey)))
0d2bfe52
SL		 8618 goto end;
8619
8620 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8621 goto end;
8622
8623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8624 NULL, NULL)))
8625 goto end;
8626
8627 /* settings to force it to use AES-CBC-HMAC_SHA */
8628 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8629 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8630 goto end;
8631
8632 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8633 goto end;
8634
8635 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8636 || !TEST_size_t_eq(written, sizeof(msg)))
8637 goto end;
8638
8639 len = written;
8640 while (len > 0) {
8641 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8642 goto end;
8643 p += readbytes;
8644 len -= readbytes;
8645 }
8646 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8647 goto end;
8648
8649 testresult = 1;
8650end:
8651 SSL_free(serverssl);
8652 SSL_free(clientssl);
8653 SSL_CTX_free(sctx);
8654 SSL_CTX_free(cctx);
8655
8656 return testresult;
8657}
8658#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8659
25959e04
TS		 8660static int test_session_timeout(int test)
8661{
8662 /*
8663 * Test session ordering and timeout
8664 * Can't explicitly test performance of the new code,
8665 * but can test to see if the ordering of the sessions
8666 * are correct, and they they are removed as expected
8667 */
8668 SSL_SESSION *early = NULL;
8669 SSL_SESSION *middle = NULL;
8670 SSL_SESSION *late = NULL;
8671 SSL_CTX *ctx;
8672 int testresult = 0;
8673 long now = (long)time(NULL);
8674#define TIMEOUT 10
8675
8676 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8677 || !TEST_ptr(early = SSL_SESSION_new())
8678 || !TEST_ptr(middle = SSL_SESSION_new())
8679 || !TEST_ptr(late = SSL_SESSION_new()))
8680 goto end;
8681
8682 /* assign unique session ids */
8683 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8684 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8685 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8686 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8687 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8688 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8689
8690 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8691 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8692 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8693 goto end;
8694
8695 /* Make sure they are all added */
8696 if (!TEST_ptr(early->prev)
8697 || !TEST_ptr(middle->prev)
8698 || !TEST_ptr(late->prev))
8699 goto end;
8700
8701 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8702 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8703 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8704 goto end;
8705
8706 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8707 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8708 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8709 goto end;
8710
8711 /* Make sure they are all still there */
8712 if (!TEST_ptr(early->prev)
8713 || !TEST_ptr(middle->prev)
8714 || !TEST_ptr(late->prev))
8715 goto end;
8716
8717 /* Make sure they are in the expected order */
8718 if (!TEST_ptr_eq(late->next, middle)
8719 || !TEST_ptr_eq(middle->next, early)
8720 || !TEST_ptr_eq(early->prev, middle)
8721 || !TEST_ptr_eq(middle->prev, late))
8722 goto end;
8723
8724 /* This should remove "early" */
8725 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8726 if (!TEST_ptr_null(early->prev)
8727 || !TEST_ptr(middle->prev)
8728 || !TEST_ptr(late->prev))
8729 goto end;
8730
8731 /* This should remove "middle" */
8732 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8733 if (!TEST_ptr_null(early->prev)
8734 || !TEST_ptr_null(middle->prev)
8735 || !TEST_ptr(late->prev))
8736 goto end;
8737
8738 /* This should remove "late" */
8739 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8740 if (!TEST_ptr_null(early->prev)
8741 || !TEST_ptr_null(middle->prev)
8742 || !TEST_ptr_null(late->prev))
8743 goto end;
8744
8745 /* Add them back in again */
8746 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8747 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8748 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8749 goto end;
8750
8751 /* Make sure they are all added */
8752 if (!TEST_ptr(early->prev)
8753 || !TEST_ptr(middle->prev)
8754 || !TEST_ptr(late->prev))
8755 goto end;
8756
8757 /* This should remove all of them */
8758 SSL_CTX_flush_sessions(ctx, 0);
8759 if (!TEST_ptr_null(early->prev)
8760 || !TEST_ptr_null(middle->prev)
8761 || !TEST_ptr_null(late->prev))
8762 goto end;
8763
8764 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8765 | SSL_CTX_get_session_cache_mode(ctx));
8766
8767 /* make sure |now| is NOT equal to the current time */
8768 now -= 10;
8769 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8770 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8771 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8772 goto end;
8773
8774 testresult = 1;
8775 end:
8776 SSL_CTX_free(ctx);
8777 SSL_SESSION_free(early);
8778 SSL_SESSION_free(middle);
8779 SSL_SESSION_free(late);
8780 return testresult;
8781}
8782
49ef3d07
MC		 8783/*
8784 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8785 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8786 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8787 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8788 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8789 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8790 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8791 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8792 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8793 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8794 */
8795static int test_servername(int tst)
8796{
8797 SSL_CTX *cctx = NULL, *sctx = NULL;
8798 SSL *clientssl = NULL, *serverssl = NULL;
8799 int testresult = 0;
8800 SSL_SESSION *sess = NULL;
8801 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8802
8803#ifdef OPENSSL_NO_TLS1_2
8804 if (tst <= 4)
8805 return 1;
8806#endif
a763ca11 8807#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 8808 if (tst >= 5)
8809 return 1;
8810#endif
8811
5e30f2fd 8812 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 8813 TLS_client_method(),
8814 TLS1_VERSION,
8815 (tst <= 4) ? TLS1_2_VERSION
8816 : TLS1_3_VERSION,
8817 &sctx, &cctx, cert, privkey))
8818 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8819 NULL, NULL)))
8820 goto end;
8821
8822 if (tst != 1 && tst != 6) {
8823 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8824 hostname_cb)))
8825 goto end;
8826 }
8827
8828 if (tst != 3 && tst != 8) {
8829 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8830 goto end;
8831 sexpectedhost = cexpectedhost = "goodhost";
8832 }
8833
8834 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8835 goto end;
8836
8837 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8838 cexpectedhost)
8839 || !TEST_str_eq(SSL_get_servername(serverssl,
8840 TLSEXT_NAMETYPE_host_name),
8841 sexpectedhost))
8842 goto end;
8843
8844 /* Now repeat with a resumption handshake */
8845
8846 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8847 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8848 || !TEST_true(SSL_SESSION_is_resumable(sess))
8849 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8850 goto end;
8851
8852 SSL_free(clientssl);
8853 SSL_free(serverssl);
8854 clientssl = serverssl = NULL;
8855
8856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8857 NULL)))
8858 goto end;
8859
8860 if (!TEST_true(SSL_set_session(clientssl, sess)))
8861 goto end;
8862
8863 sexpectedhost = cexpectedhost = "goodhost";
8864 if (tst == 2 || tst == 7) {
8865 /* Set an inconsistent hostname */
8866 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8867 goto end;
8868 /*
8869 * In TLSv1.2 we expect the hostname from the original handshake, in
8870 * TLSv1.3 we expect the hostname from this handshake
8871 */
8872 if (tst == 7)
8873 sexpectedhost = cexpectedhost = "altgoodhost";
8874
8875 if (!TEST_str_eq(SSL_get_servername(clientssl,
8876 TLSEXT_NAMETYPE_host_name),
8877 "altgoodhost"))
8878 goto end;
8879 } else if (tst == 4 || tst == 9) {
8880 /*
8881 * A TLSv1.3 session does not associate a session with a servername,
8882 * but a TLSv1.2 session does.
8883 */
8884 if (tst == 9)
8885 sexpectedhost = cexpectedhost = NULL;
8886
8887 if (!TEST_str_eq(SSL_get_servername(clientssl,
8888 TLSEXT_NAMETYPE_host_name),
8889 cexpectedhost))
8890 goto end;
8891 } else {
8892 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8893 goto end;
8894 /*
8895 * In a TLSv1.2 resumption where the hostname was not acknowledged
8896 * we expect the hostname on the server to be empty. On the client we
8897 * return what was requested in this case.
8898 *
8899 * Similarly if the client didn't set a hostname on an original TLSv1.2
8900 * session but is now, the server hostname will be empty, but the client
8901 * is as we set it.
8902 */
8903 if (tst == 1 || tst == 3)
8904 sexpectedhost = NULL;
8905
8906 if (!TEST_str_eq(SSL_get_servername(clientssl,
8907 TLSEXT_NAMETYPE_host_name),
8908 "goodhost"))
8909 goto end;
8910 }
8911
8912 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8913 goto end;
8914
8915 if (!TEST_true(SSL_session_reused(clientssl))
8916 || !TEST_true(SSL_session_reused(serverssl))
8917 || !TEST_str_eq(SSL_get_servername(clientssl,
8918 TLSEXT_NAMETYPE_host_name),
8919 cexpectedhost)
8920 || !TEST_str_eq(SSL_get_servername(serverssl,
8921 TLSEXT_NAMETYPE_host_name),
8922 sexpectedhost))
8923 goto end;
8924
8925 testresult = 1;
8926
8927 end:
8928 SSL_SESSION_free(sess);
8929 SSL_free(serverssl);
8930 SSL_free(clientssl);
8931 SSL_CTX_free(sctx);
8932 SSL_CTX_free(cctx);
8933
8934 return testresult;
8935}
8936
b1fdbc68 8937#if !defined(OPENSSL_NO_EC) \
a763ca11 8938 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 8939/*
8940 * Test that if signature algorithms are not available, then we do not offer or
8941 * accept them.
8942 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8943 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8944 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8945 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8946 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8947 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8948 */
8949static int test_sigalgs_available(int idx)
8950{
8951 SSL_CTX *cctx = NULL, *sctx = NULL;
8952 SSL *clientssl = NULL, *serverssl = NULL;
8953 int testresult = 0;
b4250010
DMSP		 8954 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8955 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8956 OSSL_PROVIDER *filterprov = NULL;
8957 int sig, hash;
8958
8959 if (!TEST_ptr(tmpctx))
8960 goto end;
8961
8962 if (idx != 0 && idx != 3) {
8963 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8964 filter_provider_init)))
8965 goto end;
8966
8967 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8968 if (!TEST_ptr(filterprov))
8969 goto end;
8970
8971 if (idx < 3) {
8972 /*
8973 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8974 * or accepted for the peer that uses this libctx. Note that libssl
8975 * *requires* SHA2-256 to be available so we cannot disable that. We
8976 * also need SHA1 for our certificate.
8977 */
8978 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8979 "SHA2-256:SHA1")))
8980 goto end;
8981 } else {
8982 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8983 "ECDSA"))
8984 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8985 "EC:X25519:X448")))
8986 goto end;
8987 }
8988
8989 if (idx == 1 || idx == 4)
8990 clientctx = tmpctx;
8991 else
8992 serverctx = tmpctx;
8993 }
8994
d8652be0
MC		 8995 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8996 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8997 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8998 goto end;
b3842539 8999
b4c4a2c6
TM		 9000 if (idx != 5) {
9001 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9002 TLS_client_method(),
9003 TLS1_VERSION,
9004 0,
9005 &sctx, &cctx, cert, privkey)))
9006 goto end;
9007 } else {
9008 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9009 TLS_client_method(),
9010 TLS1_VERSION,
9011 0,
9012 &sctx, &cctx, cert2, privkey2)))
9013 goto end;
9014 }
b3842539 9015
b1fdbc68
MC		 9016 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9017 if (idx < 4) {
9018 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9019 "ECDHE-RSA-AES128-GCM-SHA256")))
9020 goto end;
9021 } else {
9022 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9023 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9024 goto end;
9025 }
9026
b3842539
MC		 9027 if (idx < 3) {
9028 if (!SSL_CTX_set1_sigalgs_list(cctx,
9029 "rsa_pss_rsae_sha384"
9030 ":rsa_pss_rsae_sha256")
9031 || !SSL_CTX_set1_sigalgs_list(sctx,
9032 "rsa_pss_rsae_sha384"
9033 ":rsa_pss_rsae_sha256"))
9034 goto end;
9035 } else {
9036 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9037 || !SSL_CTX_set1_sigalgs_list(sctx,
9038 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9039 goto end;
9040 }
9041
b4c4a2c6
TM		 9042 if (idx != 5
9043 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9044 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9045 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9046 privkey2,
9047 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9048 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9049 goto end;
9050
9051 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9052 NULL, NULL)))
b3842539
MC		 9053 goto end;
9054
9055 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9056 goto end;
9057
9058 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9059 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9060 NULL, NULL),
9061 (idx == 0 || idx == 3) ? 2 : 1))
9062 goto end;
9063
9064 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9065 goto end;
9066
9067 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9068 : NID_rsassaPss))
9069 goto end;
9070
b0001d0c 9071 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9072
9073 end:
9074 SSL_free(serverssl);
9075 SSL_free(clientssl);
9076 SSL_CTX_free(sctx);
9077 SSL_CTX_free(cctx);
9078 OSSL_PROVIDER_unload(filterprov);
b4250010 9079 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9080
9081 return testresult;
9082}
b1fdbc68
MC		 9083#endif /*
9084 * !defined(OPENSSL_NO_EC) \
a763ca11 9085 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9086 */
b3842539 9087
0c13cdf8 9088#ifndef OPENSSL_NO_TLS1_3
a763ca11 9089/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9090static int test_pluggable_group(int idx)
0c13cdf8
MC		 9091{
9092 SSL_CTX *cctx = NULL, *sctx = NULL;
9093 SSL *clientssl = NULL, *serverssl = NULL;
9094 int testresult = 0;
9095 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9096 /* Check that we are not impacted by a provider without any groups */
9097 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 9098 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 9099
5ae54dba 9100 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9101 goto end;
9102
5ae54dba
MC		 9103 if (legacyprov == NULL) {
9104 /*
9105 * In this case we assume we've been built with "no-legacy" and skip
9106 * this test (there is no OPENSSL_NO_LEGACY)
9107 */
9108 testresult = 1;
9109 goto end;
9110 }
9111
0c13cdf8
MC		 9112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9113 TLS_client_method(),
9114 TLS1_3_VERSION,
9115 TLS1_3_VERSION,
9116 &sctx, &cctx, cert, privkey))
9117 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9118 NULL, NULL)))
9119 goto end;
9120
c8e3a4c6
NT		 9121 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
9122 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9123 goto end;
9124
9125 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9126 goto end;
9127
becbacd7
MB		 9128 if (!TEST_str_eq(group_name,
9129 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9130 goto end;
9131
0c13cdf8
MC		 9132 testresult = 1;
9133
9134 end:
9135 SSL_free(serverssl);
9136 SSL_free(clientssl);
9137 SSL_CTX_free(sctx);
9138 SSL_CTX_free(cctx);
9139 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9140 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9141
9142 return testresult;
9143}
9144#endif
b3842539 9145
49a36a52
MC		 9146#ifndef OPENSSL_NO_TLS1_2
9147static int test_ssl_dup(void)
9148{
9149 SSL_CTX *cctx = NULL, *sctx = NULL;
9150 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9151 int testresult = 0;
9152 BIO *rbio = NULL, *wbio = NULL;
9153
9154 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9155 TLS_client_method(),
9156 0,
9157 0,
9158 &sctx, &cctx, cert, privkey)))
9159 goto end;
9160
9161 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9162 NULL, NULL)))
9163 goto end;
9164
9165 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9166 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9167 goto end;
9168
9169 client2ssl = SSL_dup(clientssl);
9170 rbio = SSL_get_rbio(clientssl);
9171 if (!TEST_ptr(rbio)
9172 || !TEST_true(BIO_up_ref(rbio)))
9173 goto end;
9174 SSL_set0_rbio(client2ssl, rbio);
9175 rbio = NULL;
9176
9177 wbio = SSL_get_wbio(clientssl);
9178 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9179 goto end;
9180 SSL_set0_wbio(client2ssl, wbio);
9181 rbio = NULL;
9182
9183 if (!TEST_ptr(client2ssl)
9184 /* Handshake not started so pointers should be different */
9185 || !TEST_ptr_ne(clientssl, client2ssl))
9186 goto end;
9187
9188 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9189 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9190 goto end;
9191
9192 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9193 goto end;
9194
9195 SSL_free(clientssl);
9196 clientssl = SSL_dup(client2ssl);
9197 if (!TEST_ptr(clientssl)
9198 /* Handshake has finished so pointers should be the same */
9199 || !TEST_ptr_eq(clientssl, client2ssl))
9200 goto end;
9201
9202 testresult = 1;
9203
9204 end:
9205 SSL_free(serverssl);
9206 SSL_free(clientssl);
9207 SSL_free(client2ssl);
9208 SSL_CTX_free(sctx);
9209 SSL_CTX_free(cctx);
9210
9211 return testresult;
9212}
33c39a06
MC		 9213
9214# ifndef OPENSSL_NO_DH
9215
9216static EVP_PKEY *tmp_dh_params = NULL;
9217
9218/* Helper function for the test_set_tmp_dh() tests */
9219static EVP_PKEY *get_tmp_dh_params(void)
9220{
9221 if (tmp_dh_params == NULL) {
9222 BIGNUM *p = NULL;
9223 OSSL_PARAM_BLD *tmpl = NULL;
9224 EVP_PKEY_CTX *pctx = NULL;
9225 OSSL_PARAM *params = NULL;
9226 EVP_PKEY *dhpkey = NULL;
9227
9228 p = BN_get_rfc3526_prime_2048(NULL);
9229 if (!TEST_ptr(p))
9230 goto end;
9231
9232 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9233 if (!TEST_ptr(pctx)
884400d7 9234 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9235 goto end;
9236
9237 tmpl = OSSL_PARAM_BLD_new();
9238 if (!TEST_ptr(tmpl)
9239 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9240 OSSL_PKEY_PARAM_FFC_P,
9241 p))
9242 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9243 OSSL_PKEY_PARAM_FFC_G,
9244 2)))
9245 goto end;
9246
9247 params = OSSL_PARAM_BLD_to_param(tmpl);
9248 if (!TEST_ptr(params)
884400d7 9249 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9250 EVP_PKEY_KEY_PARAMETERS,
9251 params), 1))
33c39a06
MC		 9252 goto end;
9253
9254 tmp_dh_params = dhpkey;
9255 end:
9256 BN_free(p);
9257 EVP_PKEY_CTX_free(pctx);
9258 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9259 OSSL_PARAM_free(params);
33c39a06
MC		 9260 }
9261
f1619160 9262 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9263 return NULL;
9264
9265 return tmp_dh_params;
9266}
9267
39f3427d 9268# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9269/* Callback used by test_set_tmp_dh() */
9270static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9271{
9272 EVP_PKEY *dhpkey = get_tmp_dh_params();
9273 DH *ret = NULL;
9274
9275 if (!TEST_ptr(dhpkey))
9276 return NULL;
9277
7bc0fdd3
MC		 9278 /*
9279 * libssl does not free the returned DH, so we free it now knowing that even
9280 * after we free dhpkey, there will still be a reference to the owning
9281 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9282 * of time we need it for.
9283 */
9284 ret = EVP_PKEY_get1_DH(dhpkey);
9285 DH_free(ret);
33c39a06
MC		 9286
9287 EVP_PKEY_free(dhpkey);
9288
9289 return ret;
9290}
9291# endif
9292
9293/*
9294 * Test the various methods for setting temporary DH parameters
9295 *
9296 * Test 0: Default (no auto) setting
9297 * Test 1: Explicit SSL_CTX auto off
9298 * Test 2: Explicit SSL auto off
9299 * Test 3: Explicit SSL_CTX auto on
9300 * Test 4: Explicit SSL auto on
9301 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9302 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9303 *
9304 * The following are testing deprecated APIs, so we only run them if available
9305 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9306 * Test 8: Explicit SSL auto off, custom DH params via DH
9307 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9308 * Test 10: Explicit SSL auto off, custom DH params via callback
9309 */
9310static int test_set_tmp_dh(int idx)
9311{
9312 SSL_CTX *cctx = NULL, *sctx = NULL;
9313 SSL *clientssl = NULL, *serverssl = NULL;
9314 int testresult = 0;
9315 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9316 int expected = (idx <= 2) ? 0 : 1;
9317 EVP_PKEY *dhpkey = NULL;
9318# ifndef OPENSSL_NO_DEPRECATED_3_0
9319 DH *dh = NULL;
9320# else
9321
9322 if (idx >= 7)
9323 return 1;
9324# endif
9325
9326 if (idx >= 5 && idx <= 8) {
9327 dhpkey = get_tmp_dh_params();
9328 if (!TEST_ptr(dhpkey))
9329 goto end;
9330 }
9331# ifndef OPENSSL_NO_DEPRECATED_3_0
9332 if (idx == 7 || idx == 8) {
7bc0fdd3 9333 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9334 if (!TEST_ptr(dh))
9335 goto end;
9336 }
9337# endif
9338
9339 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9340 TLS_client_method(),
9341 0,
9342 0,
9343 &sctx, &cctx, cert, privkey)))
9344 goto end;
9345
9346 if ((idx & 1) == 1) {
9347 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9348 goto end;
9349 }
9350
9351 if (idx == 5) {
9352 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9353 goto end;
9354 dhpkey = NULL;
9355 }
9356# ifndef OPENSSL_NO_DEPRECATED_3_0
9357 else if (idx == 7) {
9358 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9359 goto end;
9360 } else if (idx == 9) {
9361 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9362 }
9363# endif
9364
9365 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9366 NULL, NULL)))
9367 goto end;
9368
9369 if ((idx & 1) == 0 && idx != 0) {
9370 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9371 goto end;
9372 }
9373 if (idx == 6) {
9374 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9375 goto end;
9376 dhpkey = NULL;
9377 }
9378# ifndef OPENSSL_NO_DEPRECATED_3_0
9379 else if (idx == 8) {
9380 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9381 goto end;
9382 } else if (idx == 10) {
9383 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9384 }
9385# endif
9386
9387 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9388 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9389 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9390 goto end;
9391
9392 /*
9393 * If autoon then we should succeed. Otherwise we expect failure because
9394 * there are no parameters
9395 */
9396 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9397 SSL_ERROR_NONE), expected))
9398 goto end;
9399
9400 testresult = 1;
9401
9402 end:
7bc0fdd3
MC		 9403# ifndef OPENSSL_NO_DEPRECATED_3_0
9404 DH_free(dh);
9405# endif
33c39a06
MC		 9406 SSL_free(serverssl);
9407 SSL_free(clientssl);
9408 SSL_CTX_free(sctx);
9409 SSL_CTX_free(cctx);
9410 EVP_PKEY_free(dhpkey);
9411
9412 return testresult;
9413}
3105d846
MC		 9414
9415/*
9416 * Test the auto DH keys are appropriately sized
9417 */
9418static int test_dh_auto(int idx)
9419{
61cab650
MC		 9420 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9421 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9422 SSL *clientssl = NULL, *serverssl = NULL;
9423 int testresult = 0;
9424 EVP_PKEY *tmpkey = NULL;
9425 char *thiscert = NULL, *thiskey = NULL;
9426 size_t expdhsize = 0;
9427 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9428
61cab650
MC		 9429 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9430 goto end;
9431
3105d846
MC		 9432 switch (idx) {
9433 case 0:
9434 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9435 if (is_fips) {
9436 testresult = 1;
9437 goto end;
9438 }
3105d846
MC		 9439 thiscert = cert1024;
9440 thiskey = privkey1024;
9441 expdhsize = 1024;
61cab650
MC		 9442 SSL_CTX_set_security_level(sctx, 1);
9443 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9444 break;
9445 case 1:
9446 /* 2048 bit prime */
9447 thiscert = cert;
9448 thiskey = privkey;
9449 expdhsize = 2048;
9450 break;
9451 case 2:
9452 thiscert = cert3072;
9453 thiskey = privkey3072;
9454 expdhsize = 3072;
9455 break;
9456 case 3:
9457 thiscert = cert4096;
9458 thiskey = privkey4096;
9459 expdhsize = 4096;
9460 break;
9461 case 4:
9462 thiscert = cert8192;
9463 thiskey = privkey8192;
9464 expdhsize = 8192;
9465 break;
9466 /* No certificate cases */
9467 case 5:
9468 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9469 if (is_fips) {
9470 testresult = 1;
9471 goto end;
9472 }
3105d846
MC		 9473 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9474 expdhsize = 1024;
9475 break;
9476 case 6:
9477 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9478 expdhsize = 3072;
9479 break;
9480 default:
9481 TEST_error("Invalid text index");
9482 goto end;
9483 }
9484
61cab650
MC		 9485 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9486 NULL,
3105d846
MC		 9487 0,
9488 0,
9489 &sctx, &cctx, thiscert, thiskey)))
9490 goto end;
9491
9492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9493 NULL, NULL)))
9494 goto end;
9495
9496 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9497 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9498 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9499 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9500 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9501 goto end;
9502
9503 /*
9504 * Send the server's first flight. At this point the server has created the
9505 * temporary DH key but hasn't finished using it yet. Once used it is
9506 * removed, so we cannot test it.
9507 */
9508 if (!TEST_int_le(SSL_connect(clientssl), 0)
9509 || !TEST_int_le(SSL_accept(serverssl), 0))
9510 goto end;
9511
9512 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9513 goto end;
ed576acd 9514 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 9515 goto end;
9516
9517 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9518 goto end;
9519
9520 testresult = 1;
9521
9522 end:
9523 SSL_free(serverssl);
9524 SSL_free(clientssl);
9525 SSL_CTX_free(sctx);
9526 SSL_CTX_free(cctx);
9527 EVP_PKEY_free(tmpkey);
9528
9529 return testresult;
9530
9531}
33c39a06
MC		 9532# endif /* OPENSSL_NO_DH */
9533#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9534
a763ca11 9535#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9536/*
9537 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9538 * that it works even without a certificate configured for the original
9539 * SSL_CTX
9540 */
9541static int test_sni_tls13(void)
9542{
9543 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9544 SSL *clientssl = NULL, *serverssl = NULL;
9545 int testresult = 0;
9546
9547 /* Reset callback counter */
9548 snicb = 0;
9549
9550 /* Create an initial SSL_CTX with no certificate configured */
9551 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9552 if (!TEST_ptr(sctx))
9553 goto end;
9554 /* Require TLSv1.3 as a minimum */
9555 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9556 TLS_client_method(), TLS1_3_VERSION, 0,
9557 &sctx2, &cctx, cert, privkey)))
9558 goto end;
9559
9560 /* Set up SNI */
9561 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9562 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9563 goto end;
9564
9565 /*
9566 * Connection should still succeed because the final SSL_CTX has the right
9567 * certificates configured.
9568 */
9569 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9570 &clientssl, NULL, NULL))
9571 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9572 SSL_ERROR_NONE)))
9573 goto end;
9574
9575 /* We should have had the SNI callback called exactly once */
9576 if (!TEST_int_eq(snicb, 1))
9577 goto end;
9578
9579 testresult = 1;
9580
9581end:
9582 SSL_free(serverssl);
9583 SSL_free(clientssl);
9584 SSL_CTX_free(sctx2);
9585 SSL_CTX_free(sctx);
9586 SSL_CTX_free(cctx);
9587 return testresult;
9588}
0089cc7f
TS		 9589
9590/*
9591 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9592 * 0 = TLSv1.2
9593 * 1 = TLSv1.3
9594 */
9595static int test_ticket_lifetime(int idx)
9596{
9597 SSL_CTX *cctx = NULL, *sctx = NULL;
9598 SSL *clientssl = NULL, *serverssl = NULL;
9599 int testresult = 0;
9600 int version = TLS1_3_VERSION;
9601
9602#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9603#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9604
9605 if (idx == 0) {
40fb5a4c
TS		 9606#ifdef OPENSSL_NO_TLS1_2
9607 return TEST_skip("TLS 1.2 is disabled.");
9608#else
0089cc7f 9609 version = TLS1_2_VERSION;
40fb5a4c 9610#endif
0089cc7f
TS		 9611 }
9612
9613 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9614 TLS_client_method(), version, version,
9615 &sctx, &cctx, cert, privkey)))
9616 goto end;
9617
9618 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9619 &clientssl, NULL, NULL)))
9620 goto end;
9621
9622 /*
9623 * Set the timeout to be more than 1 week
9624 * make sure the returned value is the default
9625 */
9626 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9627 SSL_get_default_timeout(serverssl)))
9628 goto end;
9629
9630 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9631 goto end;
9632
9633 if (idx == 0) {
9634 /* TLSv1.2 uses the set value */
9635 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9636 goto end;
9637 } else {
9638 /* TLSv1.3 uses the limited value */
9639 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9640 goto end;
9641 }
9642 testresult = 1;
9643
9644end:
9645 SSL_free(serverssl);
9646 SSL_free(clientssl);
9647 SSL_CTX_free(sctx);
9648 SSL_CTX_free(cctx);
9649 return testresult;
9650}
6582661f 9651#endif
feba11cf
TS		 9652/*
9653 * Test that setting an ALPN does not violate RFC
9654 */
9655static int test_set_alpn(void)
9656{
9657 SSL_CTX *ctx = NULL;
9658 SSL *ssl = NULL;
9659 int testresult = 0;
9660
9661 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9662 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9663 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9664 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9665 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9666 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9667
9668 /* Create an initial SSL_CTX with no certificate configured */
9669 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9670 if (!TEST_ptr(ctx))
9671 goto end;
9672
9673 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9674 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9675 goto end;
9676 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9677 goto end;
9678 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9679 goto end;
9680 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9681 goto end;
9682 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9683 goto end;
9684 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9685 goto end;
9686 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9687 goto end;
9688 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9689 goto end;
9690 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9691 goto end;
9692
9693 ssl = SSL_new(ctx);
9694 if (!TEST_ptr(ssl))
9695 goto end;
9696
9697 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9698 goto end;
9699 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9700 goto end;
9701 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9702 goto end;
9703 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9704 goto end;
9705 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9706 goto end;
9707 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9708 goto end;
9709 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9710 goto end;
9711 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9712 goto end;
9713 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9714 goto end;
9715
9716 testresult = 1;
9717
9718end:
9719 SSL_free(ssl);
9720 SSL_CTX_free(ctx);
9721 return testresult;
9722}
6582661f 9723
948cf521
HL		 9724/*
9725 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9726 */
9727static int test_set_verify_cert_store_ssl_ctx(void)
9728{
9729 SSL_CTX *ctx = NULL;
9730 int testresult = 0;
9731 X509_STORE *store = NULL, *new_store = NULL,
9732 *cstore = NULL, *new_cstore = NULL;
9733
9734 /* Create an initial SSL_CTX. */
9735 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9736 if (!TEST_ptr(ctx))
9737 goto end;
9738
9739 /* Retrieve verify store pointer. */
9740 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9741 goto end;
9742
9743 /* Retrieve chain store pointer. */
9744 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9745 goto end;
9746
9747 /* We haven't set any yet, so this should be NULL. */
9748 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9749 goto end;
9750
9751 /* Create stores. We use separate stores so pointers are different. */
9752 new_store = X509_STORE_new();
9753 if (!TEST_ptr(new_store))
9754 goto end;
9755
9756 new_cstore = X509_STORE_new();
9757 if (!TEST_ptr(new_cstore))
9758 goto end;
9759
9760 /* Set stores. */
9761 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9762 goto end;
9763
9764 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9765 goto end;
9766
9767 /* Should be able to retrieve the same pointer. */
9768 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9769 goto end;
9770
9771 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9772 goto end;
9773
9774 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9775 goto end;
9776
9777 /* Should be able to unset again. */
9778 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9779 goto end;
9780
9781 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9782 goto end;
9783
9784 /* Should now be NULL. */
9785 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9786 goto end;
9787
9788 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9789 goto end;
9790
9791 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9792 goto end;
9793
9794 testresult = 1;
9795
9796end:
9797 X509_STORE_free(new_store);
9798 X509_STORE_free(new_cstore);
9799 SSL_CTX_free(ctx);
9800 return testresult;
9801}
9802
9803/*
9804 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9805 */
9806static int test_set_verify_cert_store_ssl(void)
9807{
9808 SSL_CTX *ctx = NULL;
9809 SSL *ssl = NULL;
9810 int testresult = 0;
9811 X509_STORE *store = NULL, *new_store = NULL,
9812 *cstore = NULL, *new_cstore = NULL;
9813
9814 /* Create an initial SSL_CTX. */
9815 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9816 if (!TEST_ptr(ctx))
9817 goto end;
9818
9819 /* Create an SSL object. */
9820 ssl = SSL_new(ctx);
9821 if (!TEST_ptr(ssl))
9822 goto end;
9823
9824 /* Retrieve verify store pointer. */
9825 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9826 goto end;
9827
9828 /* Retrieve chain store pointer. */
9829 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9830 goto end;
9831
9832 /* We haven't set any yet, so this should be NULL. */
9833 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9834 goto end;
9835
9836 /* Create stores. We use separate stores so pointers are different. */
9837 new_store = X509_STORE_new();
9838 if (!TEST_ptr(new_store))
9839 goto end;
9840
9841 new_cstore = X509_STORE_new();
9842 if (!TEST_ptr(new_cstore))
9843 goto end;
9844
9845 /* Set stores. */
9846 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9847 goto end;
9848
9849 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9850 goto end;
9851
9852 /* Should be able to retrieve the same pointer. */
9853 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9854 goto end;
9855
9856 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9857 goto end;
9858
9859 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9860 goto end;
9861
9862 /* Should be able to unset again. */
9863 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9864 goto end;
9865
9866 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9867 goto end;
9868
9869 /* Should now be NULL. */
9870 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9871 goto end;
9872
9873 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9874 goto end;
9875
9876 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9877 goto end;
9878
9879 testresult = 1;
9880
9881end:
9882 X509_STORE_free(new_store);
9883 X509_STORE_free(new_cstore);
9884 SSL_free(ssl);
9885 SSL_CTX_free(ctx);
9886 return testresult;
9887}
9888
9889
dfccfde0
CH		 9890static int test_inherit_verify_param(void)
9891{
9892 int testresult = 0;
9893
9894 SSL_CTX *ctx = NULL;
9895 X509_VERIFY_PARAM *cp = NULL;
9896 SSL *ssl = NULL;
9897 X509_VERIFY_PARAM *sp = NULL;
9898 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9899
9900 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9901 if (!TEST_ptr(ctx))
9902 goto end;
9903
9904 cp = SSL_CTX_get0_param(ctx);
9905 if (!TEST_ptr(cp))
9906 goto end;
9907 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9908 goto end;
9909
9910 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9911
9912 ssl = SSL_new(ctx);
9913 if (!TEST_ptr(ssl))
9914 goto end;
9915
9916 sp = SSL_get0_param(ssl);
9917 if (!TEST_ptr(sp))
9918 goto end;
9919 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9920 goto end;
9921
9922 testresult = 1;
9923
9924 end:
9925 SSL_free(ssl);
9926 SSL_CTX_free(ctx);
9927
9928 return testresult;
9929}
9930
b2b8d188
DF		 9931static int test_load_dhfile(void)
9932{
9933#ifndef OPENSSL_NO_DH
9934 int testresult = 0;
9935
9936 SSL_CTX *ctx = NULL;
9937 SSL_CONF_CTX *cctx = NULL;
9938
9939 if (dhfile == NULL)
9940 return 1;
9941
9942 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
9943 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
9944 goto end;
9945
9946 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
9947 SSL_CONF_CTX_set_flags(cctx,
9948 SSL_CONF_FLAG_CERTIFICATE
9949 | SSL_CONF_FLAG_SERVER
9950 | SSL_CONF_FLAG_FILE);
9951
9952 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
9953 goto end;
9954
9955 testresult = 1;
9956end:
9957 SSL_CONF_CTX_free(cctx);
9958 SSL_CTX_free(ctx);
9959
9960 return testresult;
9961#else
9962 return TEST_skip("DH not supported by this build");
9963#endif
9964}
9965
f7565348
MC		 9966#ifndef OSSL_NO_USABLE_TLS1_3
9967/* Test that read_ahead works across a key change */
9968static int test_read_ahead_key_change(void)
9969{
9970 SSL_CTX *cctx = NULL, *sctx = NULL;
9971 SSL *clientssl = NULL, *serverssl = NULL;
9972 int testresult = 0;
9973 char *msg = "Hello World";
9974 size_t written, readbytes;
9975 char buf[80];
9976 int i;
9977
9978 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9979 TLS_client_method(), TLS1_3_VERSION, 0,
9980 &sctx, &cctx, cert, privkey)))
9981 goto end;
9982
9983 SSL_CTX_set_read_ahead(sctx, 1);
9984
9985 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9986 &clientssl, NULL, NULL)))
9987 goto end;
9988
9989 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9990 goto end;
9991
9992 /* Write some data, send a key update, write more data */
9993 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
9994 || !TEST_size_t_eq(written, strlen(msg)))
9995 goto end;
9996
9997 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
9998 goto end;
9999
10000 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10001 || !TEST_size_t_eq(written, strlen(msg)))
10002 goto end;
10003
10004 /*
10005 * Since read_ahead is on the first read below should read the record with
10006 * the first app data, the second record with the key update message, and
10007 * the third record with the app data all in one go. We should be able to
10008 * still process the read_ahead data correctly even though it crosses
10009 * epochs
10010 */
10011 for (i = 0; i < 2; i++) {
10012 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10013 &readbytes)))
10014 goto end;
10015
10016 buf[readbytes] = '\0';
10017 if (!TEST_str_eq(buf, msg))
10018 goto end;
10019 }
10020
10021 testresult = 1;
10022
10023end:
10024 SSL_free(serverssl);
10025 SSL_free(clientssl);
10026 SSL_CTX_free(sctx);
10027 SSL_CTX_free(cctx);
10028 return testresult;
10029}
f3f8e53c
MC		 10030
10031static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10032{
10033 int *called = arg;
10034
10035 switch ((*called)++) {
10036 case 0:
10037 /* Add some padding to first record */
10038 return 512;
10039 case 1:
10040 /* Maximally pad the second record */
10041 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10042 case 2:
10043 /*
10044 * Exceeding the maximum padding should be fine. It should just pad to
10045 * the maximum anyway
10046 */
10047 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10048 case 3:
10049 /*
10050 * Very large padding should also be ok. Should just pad to the maximum
10051 * allowed
10052 */
10053 return SIZE_MAX;
10054 default:
10055 return 0;
10056 }
10057}
10058
10059/*
10060 * Test that setting record padding in TLSv1.3 works as expected
10061 * Test 0: Record padding callback on the SSL_CTX
10062 * Test 1: Record padding callback on the SSL
10063 * Test 2: Record block padding on the SSL_CTX
10064 * Test 3: Record block padding on the SSL
10065 */
10066static int test_tls13_record_padding(int idx)
10067{
10068 SSL_CTX *cctx = NULL, *sctx = NULL;
10069 SSL *clientssl = NULL, *serverssl = NULL;
10070 int testresult = 0;
10071 char *msg = "Hello World";
10072 size_t written, readbytes;
10073 char buf[80];
10074 int i;
10075 int called = 0;
10076
10077 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10078 TLS_client_method(), TLS1_3_VERSION, 0,
10079 &sctx, &cctx, cert, privkey)))
10080 goto end;
10081
10082 if (idx == 0) {
10083 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10084 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10085 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10086 goto end;
10087 } else if (idx == 2) {
10088 /* Exceeding the max plain length should fail */
10089 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10090 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10091 goto end;
10092 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10093 goto end;
10094 }
10095
10096 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10097 &clientssl, NULL, NULL)))
10098 goto end;
10099
10100 if (idx == 1) {
10101 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10102 SSL_set_record_padding_callback_arg(clientssl, &called);
10103 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10104 goto end;
10105 } else if (idx == 3) {
10106 /* Exceeding the max plain length should fail */
10107 if (!TEST_false(SSL_set_block_padding(clientssl,
10108 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10109 goto end;
10110 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10111 goto end;
10112 }
10113
10114 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10115 goto end;
10116
10117 called = 0;
10118 /*
10119 * Write some data, then check we can read it. Do this four times to check
10120 * we can continue to write and read padded data after the initial record
10121 * padding has been added. We don't actually check that the padding has
10122 * been applied to the record - just that we can continue to communicate
10123 * normally and that the callback has been called (if appropriate).
10124 */
10125 for (i = 0; i < 4; i++) {
10126 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10127 || !TEST_size_t_eq(written, strlen(msg)))
10128 goto end;
10129
10130 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10131 &readbytes))
10132 || !TEST_size_t_eq(written, readbytes))
10133 goto end;
10134
10135 buf[readbytes] = '\0';
10136 if (!TEST_str_eq(buf, msg))
10137 goto end;
10138 }
10139
10140 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10141 goto end;
10142
10143 testresult = 1;
10144end:
10145 SSL_free(serverssl);
10146 SSL_free(clientssl);
10147 SSL_CTX_free(sctx);
10148 SSL_CTX_free(cctx);
10149 return testresult;
10150}
f7565348
MC		 10151#endif /* OSSL_NO_USABLE_TLS1_3 */
10152
b2b8d188 10153OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 10154
ad887416 10155int setup_tests(void)
2cb4b5f6 10156{
5e30f2fd
MC		 10157 char *modulename;
10158 char *configfile;
10159
b4250010 10160 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 10161 if (!TEST_ptr(libctx))
10162 return 0;
10163
10164 defctxnull = OSSL_PROVIDER_load(NULL, "null");
10165
10166 /*
10167 * Verify that the default and fips providers in the default libctx are not
10168 * available
10169 */
10170 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
10171 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
10172 return 0;
10173
8d242823
MC		 10174 if (!test_skip_common_options()) {
10175 TEST_error("Error parsing test options\n");
10176 return 0;
10177 }
10178
1a2a3a42
MC		 10179 if (!TEST_ptr(certsdir = test_get_argument(0))
10180 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 10181 || !TEST_ptr(tmpfilename = test_get_argument(2))
10182 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 10183 || !TEST_ptr(configfile = test_get_argument(4))
10184 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 10185 return 0;
10186
b4250010 10187 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 10188 return 0;
10189
10190 /* Check we have the expected provider available */
10191 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
10192 return 0;
10193
10194 /* Check the default provider is not available */
10195 if (strcmp(modulename, "default") != 0
10196 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 10197 return 0;
2cb4b5f6 10198
4f6c7044
MC		 10199 if (strcmp(modulename, "fips") == 0)
10200 is_fips = 1;
10201
0c13cdf8
MC		 10202 /*
10203 * We add, but don't load the test "tls-provider". We'll load it when we
10204 * need it.
10205 */
10206 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
10207 tls_provider_init)))
10208 return 0;
10209
10210
f297e4ec
RS		 10211 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
10212#ifdef OPENSSL_NO_CRYPTO_MDEBUG
10213 TEST_error("not supported in this build");
10214 return 0;
10215#else
10216 int i, mcount, rcount, fcount;
10217
10218 for (i = 0; i < 4; i++)
10219 test_export_key_mat(i);
10220 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
10221 test_printf_stdout("malloc %d realloc %d free %d\n",
10222 mcount, rcount, fcount);
10223 return 1;
10224#endif
10225 }
10226
1a2a3a42
MC		 10227 cert = test_mk_file_path(certsdir, "servercert.pem");
10228 if (cert == NULL)
b3842539 10229 goto err;
1a2a3a42
MC		 10230
10231 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 10232 if (privkey == NULL)
10233 goto err;
10234
10235 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
10236 if (cert2 == NULL)
10237 goto err;
10238
10239 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
10240 if (privkey2 == NULL)
10241 goto err;
1a2a3a42 10242
3105d846
MC		 10243 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
10244 if (cert1024 == NULL)
10245 goto err;
10246
10247 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
10248 if (privkey1024 == NULL)
10249 goto err;
10250
10251 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
10252 if (cert3072 == NULL)
10253 goto err;
10254
10255 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
10256 if (privkey3072 == NULL)
10257 goto err;
10258
10259 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
10260 if (cert4096 == NULL)
10261 goto err;
10262
10263 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
10264 if (privkey4096 == NULL)
10265 goto err;
10266
10267 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
10268 if (cert8192 == NULL)
10269 goto err;
10270
10271 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
10272 if (privkey8192 == NULL)
10273 goto err;
10274
da4db160 10275#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 10276# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526
JB		 10277 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
10278 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
c8e3a4c6 10279# endif
fe5d9450 10280#endif
84d5549e 10281 ADD_TEST(test_large_message_tls);
7856332e 10282 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 10283#ifndef OPENSSL_NO_DTLS
84d5549e 10284 ADD_TEST(test_large_message_dtls);
55386bef 10285#endif
163b8016 10286 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 10287#ifndef OPENSSL_NO_OCSP
c887104f 10288 ADD_TEST(test_tlsext_status_type);
8f8c11d8 10289#endif
eaa776da
MC		 10290 ADD_TEST(test_session_with_only_int_cache);
10291 ADD_TEST(test_session_with_only_ext_cache);
10292 ADD_TEST(test_session_with_both_cache);
90fc2c26 10293 ADD_TEST(test_session_wo_ca_names);
a763ca11 10294#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 10295 ADD_ALL_TESTS(test_stateful_tickets, 3);
10296 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 10297 ADD_TEST(test_psk_tickets);
f0049b86 10298 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 10299#endif
7fb4c820 10300 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 10301 ADD_TEST(test_ssl_bio_pop_next_bio);
10302 ADD_TEST(test_ssl_bio_pop_ssl_bio);
10303 ADD_TEST(test_ssl_bio_change_rbio);
10304 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 10305#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 10306 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 10307 ADD_TEST(test_keylog);
c423ecaa 10308#endif
a763ca11 10309#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 10310 ADD_TEST(test_keylog_no_master_key);
10311#endif
0c3eb279 10312 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 10313 ADD_TEST(test_ssl_build_cert_chain);
10314 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 10315#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 10316 ADD_TEST(test_client_hello_cb);
088dfa13 10317 ADD_TEST(test_no_ems);
3cd14e5e 10318 ADD_TEST(test_ccs_change_cipher);
5f982038 10319#endif
a763ca11 10320#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 10321 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 10322 /*
10323 * We don't do replay tests for external PSK. Replay protection isn't used
10324 * in that scenario.
10325 */
10326 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 10327 ADD_ALL_TESTS(test_early_data_skip, 3);
10328 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 10329 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 10330 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 10331 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 10332 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 10333 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 10334 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 10335# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 10336 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 10337# endif
e9ee6536 10338#endif
a763ca11 10339#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 10340 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 10341 ADD_TEST(test_ciphersuite_change);
5bf2eade 10342 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10343# ifdef OPENSSL_NO_PSK
c2b290c3 10344 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 10345# else
0d8da779 10346 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 10347# endif /* OPENSSL_NO_PSK */
10348# ifndef OPENSSL_NO_TLS1_2
10349 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 10350 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 10351# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10352 ADD_ALL_TESTS(test_negotiated_group,
10353 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10354 + OSSL_NELEM(ffdhe_kexch_groups)));
10355# endif
5bf2eade 10356# else
10357 /* Test with only TLSv1.3 versions */
10358 ADD_ALL_TESTS(test_key_exchange, 12);
10359# endif
0db3a990 10360 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 10361 ADD_TEST(test_stateless);
9d75dce3 10362 ADD_TEST(test_pha_key_update);
a273157a 10363#else
bb01ef3f 10364 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 10365#endif
0fb2815b 10366 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 10367#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 10368 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 10369 ADD_TEST(test_key_update);
0c48fda8 10370 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10371 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10372 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10373 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 10374#endif
e11b6aa4 10375 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 10376 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 10377#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10378 ADD_ALL_TESTS(test_srp, 6);
10379#endif
b67cb09f
TS		 10380#if !defined(OPENSSL_NO_COMP_ALG)
10381 /* Add compression case */
10382 ADD_ALL_TESTS(test_info_callback, 8);
10383#else
5718fe45 10384 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 10385#endif
4a432af8 10386 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 10387 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 10388 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 10389 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 10390 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 10391 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 10392 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 10393 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 10394#ifndef OPENSSL_NO_TLS1_2
10395 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10396#endif
49ef3d07 10397 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 10398#if !defined(OPENSSL_NO_EC) \
a763ca11 10399 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 10400 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 10401#endif
10402#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 10403 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 10404#endif
10405#ifndef OPENSSL_NO_TLS1_2
10406 ADD_TEST(test_ssl_dup);
33c39a06
MC		 10407# ifndef OPENSSL_NO_DH
10408 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 10409 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 10410# endif
6582661f 10411#endif
a763ca11 10412#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 10413 ADD_TEST(test_sni_tls13);
0089cc7f 10414 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 10415#endif
dfccfde0 10416 ADD_TEST(test_inherit_verify_param);
feba11cf 10417 ADD_TEST(test_set_alpn);
948cf521
HL		 10418 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10419 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 10420 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 10421 ADD_TEST(test_load_dhfile);
f7565348
MC		 10422#ifndef OSSL_NO_USABLE_TLS1_3
10423 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 10424 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 10425#endif
10426#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
10427 ADD_ALL_TESTS(test_serverinfo_custom, 4);
f7565348 10428#endif
ad887416 10429 return 1;
b3842539
MC		 10430
10431 err:
10432 OPENSSL_free(cert);
10433 OPENSSL_free(privkey);
10434 OPENSSL_free(cert2);
10435 OPENSSL_free(privkey2);
10436 return 0;
ad887416 10437}
2cb4b5f6 10438
ad887416
P		 10439void cleanup_tests(void)
10440{
8778f0eb 10441# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 10442 EVP_PKEY_free(tmp_dh_params);
10443#endif
1a2a3a42
MC		 10444 OPENSSL_free(cert);
10445 OPENSSL_free(privkey);
b3842539
MC		 10446 OPENSSL_free(cert2);
10447 OPENSSL_free(privkey2);
3105d846
MC		 10448 OPENSSL_free(cert1024);
10449 OPENSSL_free(privkey1024);
10450 OPENSSL_free(cert3072);
10451 OPENSSL_free(privkey3072);
10452 OPENSSL_free(cert4096);
10453 OPENSSL_free(privkey4096);
10454 OPENSSL_free(cert8192);
10455 OPENSSL_free(privkey8192);
fa454945 10456 bio_s_mempacket_test_free();
a77b4dba 10457 bio_s_always_retry_free();
5e30f2fd 10458 OSSL_PROVIDER_unload(defctxnull);
b4250010 10459 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 10460}
A mirror of the official openssl repository