]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use OSSL_TIME instead of using arithmetic directly on time_t
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
b6461792 2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
b718f6fc 36#include <openssl/engine.h>
2cb4b5f6 37
20f8bc72 38#include "helpers/ssltestlib.h"
c887104f 39#include "testutil.h"
f297e4ec 40#include "testutil/output.h"
176db6dc 41#include "internal/nelem.h"
2b4cea1e 42#include "internal/tlsgroups.h"
fe5d9450 43#include "internal/ktls.h"
706457b7 44#include "../ssl/ssl_local.h"
0755722c 45#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 46#include "filterprov.h"
2cb4b5f6 47
a763ca11
MC		 48#undef OSSL_NO_USABLE_TLS1_3
49#if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51/*
52 * If we don't have ec or dh then there are no built-in groups that are usable
53 * with TLSv1.3
54 */
55# define OSSL_NO_USABLE_TLS1_3
56#endif
57
0c13cdf8
MC		 58/* Defined in tls-provider.c */
59int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
62 void **provctx);
852c2ed2 63
b4250010 64static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 65static OSSL_PROVIDER *defctxnull = NULL;
66
a763ca11 67#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 68
69static SSL_SESSION *clientpsk = NULL;
70static SSL_SESSION *serverpsk = NULL;
71static const char *pskid = "Identity";
72static const char *srvid;
73
74static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
78
79static int use_session_cb_cnt = 0;
80static int find_session_cb_cnt = 0;
8614a4eb
MC		 81#endif
82
1a2a3a42 83static char *certsdir = NULL;
2cb4b5f6
MC		 84static char *cert = NULL;
85static char *privkey = NULL;
b3842539
MC		 86static char *cert2 = NULL;
87static char *privkey2 = NULL;
3105d846
MC		 88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
76fd7a1d
MC		 96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
b2b8d188 98static char *dhfile = NULL;
2cb4b5f6 99
4f6c7044 100static int is_fips = 0;
50ea5cdc 101static int fips_ems_check = 0;
4f6c7044 102
cffe973c 103#define LOG_BUFFER_SIZE 2048
6acdd3e5 104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 105static size_t server_log_buffer_index = 0;
6acdd3e5 106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 107static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 108static int error_writing_log = 0;
109
8f8c11d8 110#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
8f8c11d8 117#endif
ba881d3b 118
cf72c757 119#define CLIENT_VERSION_LEN 2
84d5549e 120
f1a5939f
CB		 121/*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
cffe973c 128 unsigned int client_early_secret_count;
f1a5939f
CB		 129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
01a2a654 133 unsigned int early_exporter_secret_count;
6329ce8f 134 unsigned int exporter_secret_count;
f1a5939f
CB		 135};
136
16afd71c 137
104a733d
MC		 138static int hostname_cb(SSL *s, int *al, void *arg)
139{
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147}
148
710756a9
RS		 149static void client_keylog_callback(const SSL *ssl, const char *line)
150{
6acdd3e5
CB		 151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
710756a9
RS		 154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
6acdd3e5
CB		 156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
710756a9 162 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 163}
164
710756a9
RS		 165static void server_keylog_callback(const SSL *ssl, const char *line)
166{
6acdd3e5
CB		 167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
710756a9 170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 171 TEST_info("Server log too full");
6acdd3e5
CB		 172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
710756a9 178 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 179}
180
181static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
710756a9
RS		 184 size_t raw_length)
185{
186 size_t i, j;
187 char hexed[3];
6acdd3e5 188
710756a9 189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 190 return 1;
6acdd3e5 191
710756a9 192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 193 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 196 return 1;
6acdd3e5
CB		 197 }
198
199 return 0;
200}
201
202static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 203 const SSL_SESSION *session,
710756a9
RS		 204 struct sslapitest_log_counts *expected)
205{
6acdd3e5
CB		 206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
cffe973c 213 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
01a2a654 218 unsigned int early_exporter_secret_count = 0;
6329ce8f 219 unsigned int exporter_secret_count = 0;
6acdd3e5 220
710756a9
RS		 221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
6acdd3e5 223 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
710756a9 229 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 230 return 0;
710756a9 231 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 232 return 0;
710756a9 233 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 234 return 0;
f1a5939f
CB		 235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
6acdd3e5 241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
710756a9 249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 250 return 0;
6acdd3e5 251
710756a9 252 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 253 return 0;
710756a9 254 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 255 return 0;
710756a9
RS		 256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
f1a5939f 259 return 0;
6acdd3e5 260
710756a9 261 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 262 return 0;
6acdd3e5
CB		 263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
710756a9 266 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 267 return 0;
710756a9
RS		 268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
f1a5939f 271 return 0;
f1a5939f 272 master_secret_count++;
cffe973c
PW		 273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 279 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
cffe973c
PW		 286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
01a2a654
PW		 296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
6329ce8f
PW		 298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
f1a5939f
CB		 300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
710756a9 304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 305 return 0;
f1a5939f 306
710756a9 307 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 308 return 0;
710756a9 309 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 310 return 0;
710756a9
RS		 311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
f1a5939f 314 return 0;
6acdd3e5 315
710756a9 316 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 317 return 0;
6acdd3e5 318 } else {
710756a9 319 TEST_info("Unexpected token %s\n", token);
f1a5939f 320 return 0;
6acdd3e5 321 }
6acdd3e5
CB		 322 }
323
710756a9
RS		 324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
cffe973c
PW		 329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
710756a9
RS		 331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 338 expected->server_application_secret_count)
01a2a654
PW		 339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
6329ce8f
PW		 341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
710756a9
RS		 343 return 0;
344 return 1;
6acdd3e5
CB		 345}
346
a763ca11 347#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 348static int test_keylog(void)
349{
6acdd3e5
CB		 350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
6fc1e624 353 struct sslapitest_log_counts expected;
6acdd3e5
CB		 354
355 /* Clean up logging space */
6fc1e624 356 memset(&expected, 0, sizeof(expected));
710756a9
RS		 357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
5e30f2fd 363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 364 TLS_client_method(),
5c587fb6 365 TLS1_VERSION, 0,
710756a9 366 &sctx, &cctx, cert, privkey)))
6acdd3e5 367 return 0;
6acdd3e5
CB		 368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
f0deb4d3 373 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 375 goto end;
f0deb4d3 376
cf10df81
RS		 377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 379 goto end;
6acdd3e5 380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
6acdd3e5 383 goto end;
710756a9 384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
6acdd3e5 387 goto end;
6acdd3e5 388
710756a9
RS		 389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 397 goto end;
6acdd3e5 398
f1a5939f
CB		 399 /*
400 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 401 * do that by using strtok and confirming that we have more or less the
f1a5939f 402 * data we expect. For both client and server, we expect to see one master
a63fa5f7 403 * secret. The client should also see an RSA key exchange.
6acdd3e5 404 */
f1a5939f
CB		 405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
710756a9
RS		 407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
6acdd3e5 409 goto end;
f1a5939f
CB		 410
411 expected.rsa_key_exchange_count = 0;
710756a9
RS		 412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
6acdd3e5 414 goto end;
6acdd3e5
CB		 415
416 testresult = 1;
417
418end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425}
c423ecaa 426#endif
6acdd3e5 427
a763ca11 428#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 429static int test_keylog_no_master_key(void)
430{
6acdd3e5
CB		 431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 433 SSL_SESSION *sess = NULL;
6acdd3e5 434 int testresult = 0;
6fc1e624 435 struct sslapitest_log_counts expected;
cffe973c
PW		 436 unsigned char buf[1];
437 size_t readbytes, written;
6acdd3e5
CB		 438
439 /* Clean up logging space */
6fc1e624 440 memset(&expected, 0, sizeof(expected));
710756a9
RS		 441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
5e30f2fd
MC		 447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 451 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 452 return 0;
6acdd3e5 453
cf10df81
RS		 454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 456 goto end;
6acdd3e5
CB		 457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
6acdd3e5 461 goto end;
6acdd3e5 462
710756a9 463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
6acdd3e5 466 goto end;
6acdd3e5 467
710756a9
RS		 468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
6acdd3e5 474 goto end;
6acdd3e5 475
f1a5939f
CB		 476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 479 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 480 */
f1a5939f
CB		 481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
6329ce8f 485 expected.exporter_secret_count = 1;
710756a9
RS		 486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
6acdd3e5 491 goto end;
6acdd3e5 492
cffe973c
PW		 493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
01a2a654 524 expected.early_exporter_secret_count = 1;
cffe973c
PW		 525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
6acdd3e5
CB		 532 testresult = 1;
533
534end:
cffe973c 535 SSL_SESSION_free(sess);
6acdd3e5
CB		 536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542}
543#endif
544
0c3eb279
DDO		 545static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546{
547 int res = X509_verify_cert(ctx);
dfb39f73
TM		 548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
0c3eb279
DDO		 555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
0c3eb279
DDO		 561 return res;
562}
563
564static int test_client_cert_verify_cb(void)
565{
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620end:
621 X509_free(crt1);
622 X509_free(crt2);
c38048e7
P		 623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
0c3eb279
DDO		 631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641}
642
4e4ae840
SL		 643static int test_ssl_build_cert_chain(void)
644{
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670}
671
c7debe81
TM		 672static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673{
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681}
682
4e4ae840
SL		 683static int test_ssl_ctx_build_cert_chain(void)
684{
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
c7debe81 687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
c7debe81 692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708}
709
e9ee6536 710#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 711static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 712{
713 int *ctr = arg;
714 const unsigned char *p;
8ea404fb 715 int *exts;
2afaee51 716#ifdef OPENSSL_NO_EC
972ee925 717 const unsigned char expected_ciphers[] = {0x00, 0x9d};
2afaee51
BK		 718#else
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
972ee925 720 0x2c};
2afaee51 721#endif
8ea404fb 722 const int expected_extensions[] = {
972ee925 723 65281,
8ea404fb
BK		 724#ifndef OPENSSL_NO_EC
725 11, 10,
726#endif
10ed1b72 727 35, 22, 23, 13};
2afaee51
BK		 728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
f1b97da1 732 return SSL_CLIENT_HELLO_RETRY;
2afaee51 733
a9c0d8be 734 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 738 || !TEST_int_eq(*p, 0))
f1b97da1 739 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 741 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 744 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 745 OPENSSL_free(exts);
f1b97da1 746 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 747 }
748 OPENSSL_free(exts);
f1b97da1 749 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 750}
751
a9c0d8be 752static int test_client_hello_cb(void)
710756a9 753{
2afaee51
BK		 754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
5e30f2fd
MC		 758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 760 &sctx, &cctx, cert, privkey)))
2afaee51 761 goto end;
a9c0d8be 762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 763
2afaee51
BK		 764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 766
710756a9
RS		 767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
a9c0d8be
DB		 777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
2afaee51 781 goto end;
2afaee51
BK		 782
783 testresult = 1;
784
088dfa13
TS		 785end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792}
793
794static int test_no_ems(void)
795{
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
50ea5cdc 798 int testresult = 0, status;
088dfa13 799
5e30f2fd 800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
50ea5cdc 814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
816 if (status == 1) {
eb4129e1 817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
50ea5cdc 818 goto end;
819 }
820 } else {
821 if (!status) {
822 printf("Creating SSL connection failed\n");
823 goto end;
824 }
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
827 goto end;
828 }
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
831 goto end;
832 }
088dfa13
TS		 833 }
834 testresult = 1;
835
2afaee51
BK		 836end:
837 SSL_free(serverssl);
838 SSL_free(clientssl);
839 SSL_CTX_free(sctx);
840 SSL_CTX_free(cctx);
841
842 return testresult;
843}
844
3cd14e5e
BK		 845/*
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 849 * encryption to real encryption).
3cd14e5e
BK		 850 */
851static int test_ccs_change_cipher(void)
852{
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
856 int testresult = 0;
857 int i;
858 unsigned char buf;
859 size_t readbytes;
860
861 /*
e304aa87 862 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 863 * a different cipher in the second connection.
864 */
5e30f2fd 865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 866 TLS_client_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 NULL, NULL))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 SSL_ERROR_NONE))
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
877 goto end;
878
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
881
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
885 NULL, NULL))
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
889 SSL_ERROR_NONE))
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
896 goto end;
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
899
900 /*
901 * Now create a fresh connection and try to renegotiate a different
902 * cipher on it.
903 */
b3e6d666
BK		 904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
905 NULL, NULL))
3cd14e5e
BK		 906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
908 SSL_ERROR_NONE))
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
913 goto end;
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
918 goto end;
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
921 goto end;
922 }
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 }
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
939 goto end;
940
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
943
944 testresult = 1;
945
946end:
947 SSL_free(serverssl);
948 SSL_free(clientssl);
949 SSL_CTX_free(sctx);
950 SSL_CTX_free(cctx);
951 SSL_SESSION_free(sess);
952
953 return testresult;
954}
fb121631 955#endif
3cd14e5e 956
149c4f98
MC		 957static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
960 int read_ahead)
961{
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
964 int testresult = 0;
965
5e30f2fd
MC		 966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
968 privkey)))
84d5549e 969 goto end;
84d5549e 970
8ce390e1
MC		 971#ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
973 /*
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
975 * level 0
976 */
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
980 goto end;
981 }
982#endif
983
710756a9 984 if (read_ahead) {
7856332e
MC		 985 /*
986 * Test that read_ahead works correctly when dealing with large
987 * records
988 */
989 SSL_CTX_set_read_ahead(cctx, 1);
990 }
991
3860ef2a 992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98 993 goto end;
84d5549e 994
710756a9
RS		 995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
996 NULL, NULL))
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
998 SSL_ERROR_NONE)))
84d5549e 999 goto end;
84d5549e 1000
4bf08600
MC		 1001 /*
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1003 * doesn't leak.
4bf08600 1004 */
710756a9 1005 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1006 goto end;
84d5549e 1007
4bf08600 1008 testresult = 1;
84d5549e 1009 end:
84d5549e
MC		 1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1012 SSL_CTX_free(sctx);
1013 SSL_CTX_free(cctx);
1014
1015 return testresult;
1016}
1017
da4db160 1018#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1020/* sock must be connected */
1021static int ktls_chk_platform(int sock)
1022{
1023 if (!ktls_enable(sock))
1024 return 0;
1025 return 1;
1026}
1027
e1fdd526 1028static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1029{
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1033 size_t err = 0;
e1fdd526
JB		 1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1042 SSL_CONNECTION *clientsc, *serversc;
1043
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1046 goto end;
fe5d9450
BP		 1047
1048 cbuf[0] = count++;
2c50d7fb
MC		 1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1053
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1055 goto end;
1056
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1059 goto end;
1060 }
1061 }
1062
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1064 goto end;
1065
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1068 goto end;
1069 }
1070 }
1071
2c50d7fb
MC		 1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1076
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1079 goto end;
1080
e1fdd526
JB		 1081 /*
1082 * If ktls is used then kernel sequences are used instead of
1083 * OpenSSL sequences
1084 */
38b051a1 1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1088 goto end;
1089 } else {
e1fdd526
JB		 1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1092 goto end;
1093 }
1094
38b051a1 1095 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1098 goto end;
1099 } else {
e1fdd526
JB		 1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1102 goto end;
1103 }
1104
38b051a1 1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1108 goto end;
1109 } else {
e1fdd526
JB		 1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1112 goto end;
1113 }
1114
38b051a1 1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1118 goto end;
1119 } else {
e1fdd526
JB		 1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1122 goto end;
1123 }
fe5d9450
BP		 1124
1125 return 1;
1126end:
1127 return 0;
1128}
1129
a3a54179 1130static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1131 int tls_version, const char *cipher)
fe5d9450
BP		 1132{
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1137 int rx_supported;
38b051a1 1138 SSL_CONNECTION *clientsc, *serversc;
563f4be8
MC		 1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1141 int ret;
1142 size_t offset = 0, i;
fe5d9450 1143
0c593328 1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
fe5d9450
BP		 1145 goto end;
1146
1147 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1150 goto end;
1151 }
fe5d9450 1152
a5d8a2f8
DB		 1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1155 goto end;
1156 }
1157
fe5d9450 1158 /* Create a session based on SHA-256 */
5e30f2fd 1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1160 TLS_client_method(),
da4db160 1161 tls_version, tls_version,
e1fdd526
JB		 1162 &sctx, &cctx, cert, privkey)))
1163 goto end;
1164
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1168 goto end;
1169 } else {
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1172 goto end;
1173 }
1174
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
fe5d9450
BP		 1177 goto end;
1178
38b051a1
TM		 1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1181 goto end;
1182
a3a54179
MC		 1183 if (cis_ktls) {
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1185 goto end;
1186 }
1187
a3a54179 1188 if (sis_ktls) {
e1fdd526 1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1190 goto end;
1191 }
1192
e1fdd526 1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1194 goto end;
1195
e1fdd526
JB		 1196 /*
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1199 * isn't enabled.
1200 */
a3a54179 1201 if (!cis_ktls) {
38b051a1 1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1203 goto end;
1204 } else {
38b051a1 1205 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1206 ktls_used = 1;
fe5d9450
BP		 1207 }
1208
a3a54179 1209 if (!sis_ktls) {
38b051a1 1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1211 goto end;
1212 } else {
38b051a1 1213 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1214 ktls_used = 1;
fe5d9450
BP		 1215 }
1216
a3a54179 1217#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1218 rx_supported = 0;
1219#else
7c78932b 1220 rx_supported = 1;
a3a54179 1221#endif
e1fdd526 1222 if (!cis_ktls || !rx_supported) {
38b051a1 1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1224 goto end;
1225 } else {
38b051a1 1226 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1227 ktls_used = 1;
2fab79af
BP		 1228 }
1229
e1fdd526 1230 if (!sis_ktls || !rx_supported) {
38b051a1 1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1232 goto end;
1233 } else {
38b051a1 1234 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1235 ktls_used = 1;
1236 }
1237
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1241 "TLS 1.2", cipher);
1242 goto end;
2fab79af
BP		 1243 }
1244
e1fdd526 1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1246 goto end;
1247
563f4be8
MC		 1248 buf = OPENSSL_zalloc(bufsz);
1249 if (!TEST_ptr(buf))
1250 goto end;
1251
1252 /*
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1255 */
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1258 goto end;
1259 }
1260
1261 /* Now check that we can read all the data we wrote */
1262 do {
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1264 if (ret <= 0) {
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1266 goto end;
1267 } else {
1268 offset += ret;
1269 }
1270 } while (offset < bufsz);
1271
1272 if (!TEST_true(offset == bufsz))
1273 goto end;
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1276 goto end;
1277
fe5d9450
BP		 1278 testresult = 1;
1279end:
563f4be8 1280 OPENSSL_free(buf);
fe5d9450
BP		 1281 if (clientssl) {
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1284 }
1285 if (serverssl) {
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1288 }
1289 SSL_CTX_free(sctx);
1290 SSL_CTX_free(cctx);
1291 serverssl = clientssl = NULL;
e1fdd526
JB		 1292 if (cfd != -1)
1293 close(cfd);
1294 if (sfd != -1)
1295 close(sfd);
fe5d9450
BP		 1296 return testresult;
1297}
1298
7c3a7561
BP		 1299#define SENDFILE_SZ (16 * 4096)
1300#define SENDFILE_CHUNK (4 * 4096)
1301#define min(a,b) ((a) > (b) ? (b) : (a))
1302
cd715b7e
MM		 1303static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1304 int zerocopy)
7c3a7561
BP		 1305{
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
e1fdd526 1310 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
38b051a1 1315 SSL_CONNECTION *serversc;
7c3a7561
BP		 1316
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
0c593328 1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
7c3a7561
BP		 1321 goto end;
1322
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
e1fdd526 1325 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1326 goto end;
1327 }
1328
a5d8a2f8
DB		 1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1331 goto end;
1332 }
1333
7c3a7561 1334 /* Create a session based on SHA-256 */
5e30f2fd 1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1336 TLS_client_method(),
da4db160 1337 tls_version, tls_version,
e1fdd526
JB		 1338 &sctx, &cctx, cert, privkey)))
1339 goto end;
1340
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1344 goto end;
1345 } else {
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1348 goto end;
1349 }
1350
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1353 goto end;
1354
38b051a1
TM		 1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1356 goto end;
1357
e1fdd526 1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1359 goto end;
1360
cd715b7e
MM		 1361 if (zerocopy) {
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1364 goto end;
1365 }
1366
7c3a7561 1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1368 SSL_ERROR_NONE)))
7c3a7561
BP		 1369 goto end;
1370
38b051a1 1371 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1374 "TLS 1.2", cipher);
1375 goto end;
1376 }
1377
c9007bda 1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1379 goto end;
1380
7c3a7561
BP		 1381 out = BIO_new_file(tmpfilename, "wb");
1382 if (!TEST_ptr(out))
1383 goto end;
1384
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1386 goto end;
1387
1388 BIO_free(out);
1389 out = NULL;
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1392 ffd = fileno(ffdp);
1393
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1397 ffd,
1398 chunk_off,
1399 chunk_size,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1402 goto end;
1403 }
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1408 goto end;
1409 }
1410
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1413 chunk_size,
1414 buf + chunk_off,
1415 chunk_size))
1416 goto end;
1417
1418 chunk_off += chunk_size;
1419 }
1420
1421 testresult = 1;
1422end:
1423 if (clientssl) {
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1426 }
1427 if (serverssl) {
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1430 }
1431 SSL_CTX_free(sctx);
1432 SSL_CTX_free(cctx);
1433 serverssl = clientssl = NULL;
1434 BIO_free(out);
1435 BIO_free(in);
e1fdd526
JB		 1436 if (cfd != -1)
1437 close(cfd);
1438 if (sfd != -1)
1439 close(sfd);
7c3a7561
BP		 1440 OPENSSL_free(buf);
1441 OPENSSL_free(buf_dst);
1442 return testresult;
1443}
1444
e1fdd526
JB		 1445static struct ktls_test_cipher {
1446 int tls_version;
1447 const char *cipher;
1448} ktls_test_ciphers[] = {
1449# if !defined(OPENSSL_NO_TLS1_2)
1450# ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1452# endif
1453# ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1455# endif
1456# ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1458# endif
11bac1b4 1459# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
2dded44a 1460# ifndef OPENSSL_NO_EC
11bac1b4 1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
2dded44a 1462# endif
11bac1b4 1463# endif
e1fdd526
JB		 1464# endif
1465# if !defined(OSSL_NO_USABLE_TLS1_3)
1466# ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1468# endif
1469# ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1471# endif
1472# ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1474# endif
11bac1b4
JB		 1475# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1477# endif
e1fdd526
JB		 1478# endif
1479};
1480
1481#define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1483
da4db160
VF		 1484static int test_ktls(int test)
1485{
e1fdd526 1486 struct ktls_test_cipher *cipher;
a3a54179 1487 int cis_ktls, sis_ktls;
da4db160 1488
2cff17fd 1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1490 cipher = &ktls_test_ciphers[test / 4];
da4db160 1491
a3a54179
MC		 1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
cd03b5dc 1494
e1fdd526
JB		 1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1496 cipher->cipher);
2fab79af
BP		 1497}
1498
cd715b7e 1499static int test_ktls_sendfile(int test)
fe5d9450 1500{
e1fdd526 1501 struct ktls_test_cipher *cipher;
cd715b7e 1502 int tst = test >> 1;
da4db160 1503
2cff17fd 1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1505 cipher = &ktls_test_ciphers[tst];
da4db160 1506
cd715b7e
MM		 1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1508 test & 1);
fe5d9450 1509}
fe5d9450
BP		 1510#endif
1511
84d5549e
MC		 1512static int test_large_message_tls(void)
1513{
7856332e 1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1515 TLS1_VERSION, 0, 0);
7856332e
MC		 1516}
1517
1518static int test_large_message_tls_read_ahead(void)
1519{
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1521 TLS1_VERSION, 0, 1);
84d5549e
MC		 1522}
1523
55386bef 1524#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1525static int test_large_message_dtls(void)
1526{
8ce390e1
MC		 1527# ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1529 if (is_fips)
1530 return 1;
1531# endif
7856332e
MC		 1532 /*
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1535 */
84d5549e 1536 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1537 DTLS_client_method(),
5c587fb6 1538 DTLS1_VERSION, 0, 0);
84d5549e 1539}
55386bef 1540#endif
84d5549e 1541
3ff0a48a
MC		 1542/*
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1549 */
1550static int test_large_app_data(int tst)
1551{
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
2fda45d5
MC		 1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
3ff0a48a
MC		 1559
1560 switch (tst >> 2) {
1561 case 0:
1562#ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1564 break;
1565#else
1566 return 1;
1567#endif
1568
1569 case 1:
1570#ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1572 break;
1573#else
1574 return 1;
1575#endif
1576
1577 case 2:
1578#ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1580 break;
1581#else
1582 return 1;
1583#endif
1584
1585 case 3:
1586#ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1588 break;
1589#else
1590 return 1;
1591#endif
1592
1593 case 4:
1594#ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1596 break;
1597#else
1598 return 1;
1599#endif
1600
2fda45d5
MC		 1601 case 5:
1602#ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1606 break;
1607#else
1608 return 1;
1609#endif
1610
1611 case 6:
1612#ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1616 break;
1617#else
1618 return 1;
1619#endif
1620
3ff0a48a
MC		 1621 default:
1622 /* Shouldn't happen */
1623 return 0;
1624 }
1625
2fda45d5 1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
3ff0a48a
MC		 1627 return 1;
1628
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1631 if (!TEST_ptr(msg))
1632 goto end;
1633
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1635 if (!TEST_ptr(buf))
1636 goto end;
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639
2fda45d5 1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
3ff0a48a
MC		 1641 &sctx, &cctx, cert, privkey)))
1642 goto end;
1643
2fda45d5 1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
3ff0a48a
MC		 1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1649 goto end;
1650 }
1651
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1654 goto end;
1655
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1662 goto end;
1663 }
1664
1665 if ((tst & 2) != 0) {
1666 /*
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1669 */
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1673 goto end;
1674 }
1675
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1677 goto end;
1678
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1680 &written))
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1682 goto end;
1683
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1686 &readbytes)))
1687 goto end;
1688
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1690 goto end;
1691
1692 testresult = 1;
1693end:
1694 OPENSSL_free(msg);
1695 OPENSSL_free(buf);
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1698 SSL_CTX_free(sctx);
1699 SSL_CTX_free(cctx);
1700 return testresult;
1701}
1702
fb32f6ea
MC		 1703#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
163b8016
ME		 1705static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1708{
1709 size_t i;
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1712 int testresult = 0;
2eb91b0e 1713 const unsigned char *zbuf;
38b051a1 1714 SSL_CONNECTION *serversc;
eddb067e 1715 TLS_RECORD *rr;
163b8016
ME		 1716
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1719
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1721 smeth, cmeth,
1722 min_version, max_version,
1723 &sctx, &cctx, cert,
1724 privkey)))
1725 goto end;
1726
8ce390e1 1727# ifdef OPENSSL_NO_DTLS1_2
fb32f6ea 1728 if (smeth == DTLS_server_method()) {
8ce390e1
MC		 1729 /* Not supported in the FIPS provider */
1730 if (is_fips) {
1731 testresult = 1;
1732 goto end;
1733 };
8ce390e1
MC		 1734 /*
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1736 * level 0
1737 */
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1741 goto end;
1742 }
fb32f6ea 1743# endif
8ce390e1 1744
163b8016
ME		 1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1746 NULL, NULL)))
1747 goto end;
1748
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1750 goto end;
1751
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1753 SSL_ERROR_NONE)))
1754 goto end;
1755
1756 for (i = 0; i < sizeof(cbuf); i++) {
1757 cbuf[i] = i & 0xff;
1758 }
1759
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1761 goto end;
1762
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1764 goto end;
1765
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1767 goto end;
1768
1769 /*
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1773 */
38b051a1
TM		 1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1775 goto end;
eddb067e 1776 rr = serversc->rlayer.tlsrecs;
4030869d 1777
eddb067e
MC		 1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1780 goto end;
163b8016
ME		 1781
1782 /*
1783 * After SSL_peek() the plaintext must still be stored in the
1784 * record.
1785 */
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1791 goto end;
1792
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1794 goto end;
1795
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1799 goto end;
1800
1801 testresult = 1;
1802 end:
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1805 SSL_CTX_free(sctx);
1806 SSL_CTX_free(cctx);
1807
1808 return testresult;
1809}
fb32f6ea
MC		 1810#endif /*
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1813 */
163b8016
ME		 1814
1815static int test_cleanse_plaintext(void)
1816{
1817#if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1820 TLS1_2_VERSION,
1821 TLS1_2_VERSION)))
1822 return 0;
1823
1824#endif
1825
a763ca11 1826#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1829 TLS1_3_VERSION,
1830 TLS1_3_VERSION)))
1831 return 0;
1832#endif
1833
1834#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1835
163b8016
ME		 1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1838 DTLS1_VERSION,
1839 0)))
1840 return 0;
1841#endif
1842 return 1;
1843}
1844
8f8c11d8 1845#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1846static int ocsp_server_cb(SSL *s, void *arg)
1847{
1848 int *argi = (int *)arg;
710756a9 1849 unsigned char *copy = NULL;
ba881d3b
MC		 1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1852
1853 if (*argi == 2) {
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858
1859 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1864 }
1865
710756a9 1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1868
711d5a2f
P		 1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1871 OPENSSL_free(copy);
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1873 }
ba881d3b 1874 ocsp_server_called = 1;
ba881d3b
MC		 1875 return SSL_TLSEXT_ERR_OK;
1876}
1877
1878static int ocsp_client_cb(SSL *s, void *arg)
1879{
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1882 size_t len;
1883
1884 if (*argi != 1 && *argi != 2)
1885 return 0;
1886
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1888 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1889 return 0;
1890
1891 ocsp_client_called = 1;
ba881d3b
MC		 1892 return 1;
1893}
1894
2cb4b5f6
MC		 1895static int test_tlsext_status_type(void)
1896{
ba881d3b
MC		 1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1899 int testresult = 0;
ba881d3b
MC		 1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
2cb4b5f6 1903
5e30f2fd 1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1905 TLS1_VERSION, 0,
7d7f6834 1906 &sctx, &cctx, cert, privkey))
ba881d3b 1907 return 0;
2cb4b5f6 1908
710756a9 1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1910 goto end;
2cb4b5f6 1911
ba881d3b 1912 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1913
ba881d3b 1914 clientssl = SSL_new(cctx);
710756a9
RS		 1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1920 goto end;
2cb4b5f6 1921
ba881d3b
MC		 1922 SSL_free(clientssl);
1923 clientssl = NULL;
2cb4b5f6 1924
710756a9
RS		 1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1927 goto end;
2cb4b5f6 1928
ba881d3b 1929 clientssl = SSL_new(cctx);
710756a9 1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1931 goto end;
ba881d3b
MC		 1932 SSL_free(clientssl);
1933 clientssl = NULL;
1934
1935 /*
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1938 */
ba881d3b
MC		 1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1946 SSL_ERROR_NONE))
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
ba881d3b 1949 goto end;
ba881d3b
MC		 1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1952 serverssl = NULL;
1953 clientssl = NULL;
1954
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1958 cdummyarg = 0;
710756a9
RS		 1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1963 SSL_ERROR_NONE))
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
ba881d3b 1966 goto end;
ba881d3b
MC		 1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1969 serverssl = NULL;
1970 clientssl = NULL;
1971
1972 /*
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1974 * accept.
1975 */
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1978 cdummyarg = 2;
710756a9
RS		 1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
ba881d3b 1981 goto end;
ba881d3b
MC		 1982
1983 /*
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1985 * specific one. We'll use the server cert.
ba881d3b 1986 */
710756a9
RS		 1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1994 goto end;
ba881d3b
MC		 1995 id = NULL;
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
1998 ids = NULL;
1999
2000 BIO_free(certbio);
2001 certbio = NULL;
2002
710756a9
RS		 2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2004 SSL_ERROR_NONE))
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
ba881d3b 2007 goto end;
ba881d3b 2008
2cb4b5f6
MC		 2009 testresult = 1;
2010
2011 end:
ba881d3b
MC		 2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2014 SSL_CTX_free(sctx);
2015 SSL_CTX_free(cctx);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2018 BIO_free(certbio);
2019 X509_free(ocspcert);
2020 ocspcert = NULL;
2cb4b5f6
MC		 2021
2022 return testresult;
2023}
8f8c11d8 2024#endif
2cb4b5f6 2025
a763ca11 2026#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 2027static int new_called, remove_called, get_called;
eaa776da 2028
eaa776da
MC		 2029static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2030{
2031 new_called++;
c0537ebd
MC		 2032 /*
2033 * sess has been up-refed for us, but we don't actually need it so free it
2034 * immediately.
2035 */
2036 SSL_SESSION_free(sess);
eaa776da
MC		 2037 return 1;
2038}
2039
2040static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041{
2042 remove_called++;
2043}
2044
7a301f08
MC		 2045static SSL_SESSION *get_sess_val = NULL;
2046
2047static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 int *copy)
2049{
0afca811 2050 get_called++;
7a301f08
MC		 2051 *copy = 1;
2052 return get_sess_val;
2053}
2054
7a301f08 2055static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 2056 int use_ext_cache, long s_options)
2cb4b5f6
MC		 2057{
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 2061# ifndef OPENSSL_NO_TLS1_1
eaa776da 2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 2063# endif
2cb4b5f6 2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 2065 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 2066
7e885b7b
P		 2067 new_called = remove_called = 0;
2068
36ff232c
MC		 2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2071 numnewsesstick = 2;
2072
5e30f2fd
MC		 2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2075 &sctx, &cctx, cert, privkey)))
2cb4b5f6 2076 return 0;
2cb4b5f6 2077
7a301f08
MC		 2078 /*
2079 * Only allow the max protocol version so we can force a connection failure
2080 * later
2081 */
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 2084
2085 /* Set up session cache */
7e885b7b 2086 if (use_ext_cache) {
eaa776da
MC		 2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2089 }
7e885b7b 2090 if (use_int_cache) {
eaa776da
MC		 2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2093 } else {
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2097 }
2cb4b5f6 2098
90fc2c26
NM		 2099 if (s_options) {
2100 SSL_CTX_set_options(sctx, s_options);
2101 }
2102
710756a9
RS		 2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2104 NULL, NULL))
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2106 SSL_ERROR_NONE))
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 2108 goto end;
2cb4b5f6 2109
710756a9 2110 /* Should fail because it should already be in the cache */
7e885b7b 2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 2112 goto end;
7a301f08 2113 if (use_ext_cache
36ff232c
MC		 2114 && (!TEST_int_eq(new_called, numnewsesstick)
2115
2116 || !TEST_int_eq(remove_called, 0)))
b4982125 2117 goto end;
b4982125 2118
c0537ebd
MC		 2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2124 SSL_ERROR_NONE))
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2126 goto end;
2127
7a301f08
MC		 2128 if (maxprot == TLS1_3_VERSION) {
2129 /*
2130 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 2133 */
2134 if (use_ext_cache
2135 && (!TEST_int_eq(new_called, 1)
4cb00457 2136 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2137 goto end;
2138 } else {
2139 /*
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2141 * removed.
2142 */
2143 if (use_ext_cache
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2146 goto end;
2147 }
c0537ebd
MC		 2148
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2151 goto end;
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2154
2155 new_called = remove_called = 0;
710756a9
RS		 2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2159 SSL_ERROR_NONE)))
2cb4b5f6 2160 goto end;
2cb4b5f6 2161
710756a9 2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2163 goto end;
2cb4b5f6 2164
7a301f08 2165 if (use_ext_cache
36ff232c
MC		 2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
eaa776da 2168 goto end;
eaa776da 2169
c0537ebd 2170 new_called = remove_called = 0;
2cb4b5f6 2171 /*
710756a9
RS		 2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2cb4b5f6 2174 */
710756a9 2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2176 goto end;
7a301f08
MC		 2177 if (use_ext_cache
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2179 goto end;
710756a9 2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2181 goto end;
2cb4b5f6 2182
7e885b7b 2183 if (use_int_cache) {
710756a9
RS		 2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2187 goto end;
eaa776da
MC		 2188 }
2189
c0537ebd 2190 new_called = remove_called = 0;
eaa776da 2191 /* This shouldn't be in the cache so should fail */
710756a9 2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2193 goto end;
2cb4b5f6 2194
7a301f08
MC		 2195 if (use_ext_cache
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2197 goto end;
2cb4b5f6 2198
bf208d95 2199# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2200 new_called = remove_called = 0;
eaa776da
MC		 2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2206 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2208 SSL_ERROR_NONE)))
eaa776da 2209 goto end;
b4982125 2210
eaa776da 2211 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2212 if (use_ext_cache
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2214 goto end;
2cb4b5f6 2215
710756a9 2216 /* Should succeed because it should not already be in the cache */
7e885b7b 2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2218 goto end;
bf208d95 2219# endif
eaa776da 2220
7a301f08
MC		 2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2229 }
2230
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2233 if (!use_int_cache)
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2237
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2245 sess1 = NULL;
2246 SSL_SESSION_free(sess2);
2247 sess2 = NULL;
2248
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2252 new_called = remove_called = get_called = 0;
7a301f08
MC		 2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2254 NULL, NULL))
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2256 SSL_ERROR_NONE))
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2259 goto end;
2260
ee94ec2e
MC		 2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2263 /*
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2268 */
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2270 goto end;
2271 } else {
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 goto end;
2275 }
2276 }
7a301f08
MC		 2277
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2280
36ff232c 2281 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2284 goto end;
2285 /*
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2289 */
ee94ec2e 2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6 2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
9fdf9a44
WL		 2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
3cb6a4d6
BK		 2295 goto end;
2296 SSL_SESSION_free(sess2);
2297 }
7a301f08
MC		 2298 sess2 = tmp;
2299 }
2300
0afca811 2301 new_called = remove_called = get_called = 0;
7a301f08
MC		 2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2307 SSL_ERROR_NONE))
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2309 goto end;
2310
0afca811 2311 if (use_ext_cache) {
32305f88 2312 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2313 goto end;
2314
2315 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2318 goto end;
2319 } else {
32305f88
MC		 2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2322 goto end;
2323 }
2324 }
4842a27b
TS		 2325 /*
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2330 */
2331
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2337 goto end;
2338
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2340 goto end;
2341
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2345
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2350 goto end;
7a301f08 2351
2cb4b5f6 2352 testresult = 1;
eaa776da 2353
2cb4b5f6
MC		 2354 end:
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
bf208d95 2359# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
bf208d95 2362# endif
2cb4b5f6
MC		 2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369}
a763ca11 2370#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2371
7fb4c820
MC		 2372static int test_session_with_only_int_cache(void)
2373{
a763ca11 2374#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2376 return 0;
2377#endif
2378
2379#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2381#else
2382 return 1;
2383#endif
eaa776da
MC		 2384}
2385
7fb4c820
MC		 2386static int test_session_with_only_ext_cache(void)
2387{
a763ca11 2388#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2390 return 0;
2391#endif
2392
2393#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2395#else
2396 return 1;
2397#endif
eaa776da
MC		 2398}
2399
7fb4c820
MC		 2400static int test_session_with_both_cache(void)
2401{
a763ca11 2402#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2404 return 0;
2405#endif
2406
2407#ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2409#else
2410 return 1;
2411#endif
2412}
2413
2414static int test_session_wo_ca_names(void)
2415{
a763ca11 2416#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2418 return 0;
2419#endif
2420
2421#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2423#else
2424 return 1;
2425#endif
eaa776da
MC		 2426}
2427
a763ca11 2428#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2429static SSL_SESSION *sesscache[6];
2430static int do_cache;
36ff232c
MC		 2431
2432static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2433{
c22365b3
MC		 2434 if (do_cache) {
2435 sesscache[new_called] = sess;
2436 } else {
2437 /* We don't need the reference to the session, so free it */
2438 SSL_SESSION_free(sess);
2439 }
2440 new_called++;
2441
2442 return 1;
2443}
2444
2445static int post_handshake_verify(SSL *sssl, SSL *cssl)
2446{
2447 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2448 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2449 return 0;
2450
2451 /* Start handshake on the server and client */
2452 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2453 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2454 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2455 || !TEST_true(create_ssl_connection(sssl, cssl,
2456 SSL_ERROR_NONE)))
2457 return 0;
36ff232c
MC		 2458
2459 return 1;
2460}
2461
fbe9dafd 2462static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2463 SSL_CTX **cctx)
2464{
2465 int sess_id_ctx = 1;
2466
5e30f2fd
MC		 2467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2468 TLS_client_method(), TLS1_VERSION, 0,
2469 sctx, cctx, cert, privkey))
03cdf559
MC		 2470 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2471 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2472 (void *)&sess_id_ctx,
2473 sizeof(sess_id_ctx))))
2474 return 0;
2475
2476 if (stateful)
2477 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2478
2479 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2480 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2481 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2482
2483 return 1;
2484}
2485
2486static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2487{
2488 SSL *serverssl = NULL, *clientssl = NULL;
2489 int i;
2490
2491 /* Test that we can resume with all the tickets we got given */
2492 for (i = 0; i < idx * 2; i++) {
2493 new_called = 0;
2494 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2495 &clientssl, NULL, NULL))
2496 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2497 goto end;
2498
32097b33 2499 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2500
2501 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2502 SSL_ERROR_NONE)))
2503 goto end;
2504
2505 /*
2506 * Following a successful resumption we only get 1 ticket. After a
2507 * failed one we should get idx tickets.
2508 */
2509 if (succ) {
2510 if (!TEST_true(SSL_session_reused(clientssl))
2511 || !TEST_int_eq(new_called, 1))
2512 goto end;
2513 } else {
2514 if (!TEST_false(SSL_session_reused(clientssl))
2515 || !TEST_int_eq(new_called, idx))
2516 goto end;
2517 }
2518
2519 new_called = 0;
2520 /* After a post-handshake authentication we should get 1 new ticket */
2521 if (succ
2522 && (!post_handshake_verify(serverssl, clientssl)
2523 || !TEST_int_eq(new_called, 1)))
2524 goto end;
2525
2526 SSL_shutdown(clientssl);
2527 SSL_shutdown(serverssl);
2528 SSL_free(serverssl);
2529 SSL_free(clientssl);
2530 serverssl = clientssl = NULL;
2531 SSL_SESSION_free(sesscache[i]);
2532 sesscache[i] = NULL;
2533 }
2534
2535 return 1;
2536
2537 end:
2538 SSL_free(clientssl);
2539 SSL_free(serverssl);
2540 return 0;
2541}
2542
04d7814a 2543static int test_tickets(int stateful, int idx)
36ff232c
MC		 2544{
2545 SSL_CTX *sctx = NULL, *cctx = NULL;
2546 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2547 int testresult = 0;
36ff232c
MC		 2548 size_t j;
2549
2550 /* idx is the test number, but also the number of tickets we want */
2551
2552 new_called = 0;
c22365b3 2553 do_cache = 1;
36ff232c 2554
fbe9dafd 2555 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2556 goto end;
2557
03cdf559
MC		 2558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2559 &clientssl, NULL, NULL)))
2560 goto end;
2561
2562 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2563 SSL_ERROR_NONE))
2564 /* Check we got the number of tickets we were expecting */
2565 || !TEST_int_eq(idx, new_called))
2566 goto end;
04d7814a 2567
03cdf559
MC		 2568 SSL_shutdown(clientssl);
2569 SSL_shutdown(serverssl);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2572 SSL_CTX_free(sctx);
2573 SSL_CTX_free(cctx);
2574 clientssl = serverssl = NULL;
2575 sctx = cctx = NULL;
2576
2577 /*
2578 * Now we try to resume with the tickets we previously created. The
2579 * resumption attempt is expected to fail (because we're now using a new
2580 * SSL_CTX). We should see idx number of tickets issued again.
2581 */
2582
2583 /* Stop caching sessions - just count them */
2584 do_cache = 0;
2585
fbe9dafd 2586 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2587 goto end;
2588
2589 if (!check_resumption(idx, sctx, cctx, 0))
2590 goto end;
2591
2592 /* Start again with caching sessions */
2593 new_called = 0;
2594 do_cache = 1;
fbe9dafd
MC		 2595 SSL_CTX_free(sctx);
2596 SSL_CTX_free(cctx);
2597 sctx = cctx = NULL;
03cdf559 2598
fbe9dafd 2599 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2600 goto end;
36ff232c
MC		 2601
2602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2603 &clientssl, NULL, NULL)))
2604 goto end;
2605
32097b33 2606 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2607
2608 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2609 SSL_ERROR_NONE))
2610 /* Check we got the number of tickets we were expecting */
2611 || !TEST_int_eq(idx, new_called))
2612 goto end;
2613
2614 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2615 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2616 || !TEST_int_eq(idx * 2, new_called))
2617 goto end;
2618
36ff232c
MC		 2619 SSL_shutdown(clientssl);
2620 SSL_shutdown(serverssl);
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2623 serverssl = clientssl = NULL;
2624
c22365b3
MC		 2625 /* Stop caching sessions - just count them */
2626 do_cache = 0;
2627
03cdf559
MC		 2628 /*
2629 * Check we can resume with all the tickets we created. This time around the
2630 * resumptions should all be successful.
2631 */
2632 if (!check_resumption(idx, sctx, cctx, 1))
2633 goto end;
36ff232c
MC		 2634
2635 testresult = 1;
2636
2637 end:
2638 SSL_free(serverssl);
2639 SSL_free(clientssl);
c22365b3 2640 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2641 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2642 sesscache[j] = NULL;
2643 }
36ff232c
MC		 2644 SSL_CTX_free(sctx);
2645 SSL_CTX_free(cctx);
2646
2647 return testresult;
2648}
04d7814a
MC		 2649
2650static int test_stateless_tickets(int idx)
2651{
2652 return test_tickets(0, idx);
2653}
2654
2655static int test_stateful_tickets(int idx)
2656{
2657 return test_tickets(1, idx);
2658}
8614a4eb
MC		 2659
2660static int test_psk_tickets(void)
2661{
2662 SSL_CTX *sctx = NULL, *cctx = NULL;
2663 SSL *serverssl = NULL, *clientssl = NULL;
2664 int testresult = 0;
2665 int sess_id_ctx = 1;
2666
5e30f2fd
MC		 2667 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2668 TLS_client_method(), TLS1_VERSION, 0,
2669 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2670 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2671 (void *)&sess_id_ctx,
2672 sizeof(sess_id_ctx))))
2673 goto end;
2674
2675 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2676 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2677 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2678 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2679 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2680 use_session_cb_cnt = 0;
2681 find_session_cb_cnt = 0;
2682 srvid = pskid;
2683 new_called = 0;
2684
2685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2686 NULL, NULL)))
2687 goto end;
10836921 2688 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
8614a4eb
MC		 2689 if (!TEST_ptr(clientpsk))
2690 goto end;
2691 SSL_SESSION_up_ref(clientpsk);
2692
2693 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2694 SSL_ERROR_NONE))
2695 || !TEST_int_eq(1, find_session_cb_cnt)
2696 || !TEST_int_eq(1, use_session_cb_cnt)
2697 /* We should always get 1 ticket when using external PSK */
2698 || !TEST_int_eq(1, new_called))
2699 goto end;
2700
2701 testresult = 1;
2702
2703 end:
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2706 SSL_CTX_free(sctx);
2707 SSL_CTX_free(cctx);
2708 SSL_SESSION_free(clientpsk);
2709 SSL_SESSION_free(serverpsk);
2710 clientpsk = serverpsk = NULL;
2711
2712 return testresult;
2713}
f0049b86
BK		 2714
2715static int test_extra_tickets(int idx)
2716{
2717 SSL_CTX *sctx = NULL, *cctx = NULL;
2718 SSL *serverssl = NULL, *clientssl = NULL;
2719 BIO *bretry = BIO_new(bio_s_always_retry());
2720 BIO *tmp = NULL;
2721 int testresult = 0;
2722 int stateful = 0;
2723 size_t nbytes;
2724 unsigned char c, buf[1];
2725
2726 new_called = 0;
2727 do_cache = 1;
2728
2729 if (idx >= 3) {
2730 idx -= 3;
2731 stateful = 1;
2732 }
2733
2734 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2735 goto end;
2736 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2737 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2738 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2739
2740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2741 &clientssl, NULL, NULL)))
2742 goto end;
2743
2744 /*
2745 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2746 * incremented by both client and server.
2747 */
2748 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2749 SSL_ERROR_NONE))
2750 /* Check we got the number of tickets we were expecting */
2751 || !TEST_int_eq(idx * 2, new_called)
2752 || !TEST_true(SSL_new_session_ticket(serverssl))
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_int_eq(idx * 2, new_called))
2755 goto end;
2756
2757 /* Now try a (real) write to actually send the tickets */
2758 c = '1';
2759 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2760 || !TEST_size_t_eq(1, nbytes)
2761 || !TEST_int_eq(idx * 2 + 2, new_called)
2762 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2763 || !TEST_int_eq(idx * 2 + 4, new_called)
2764 || !TEST_int_eq(sizeof(buf), nbytes)
2765 || !TEST_int_eq(c, buf[0])
2766 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2767 goto end;
2768
2769 /* Try with only requesting one new ticket, too */
2770 c = '2';
2771 new_called = 0;
2772 if (!TEST_true(SSL_new_session_ticket(serverssl))
2773 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2774 || !TEST_size_t_eq(sizeof(c), nbytes)
2775 || !TEST_int_eq(1, new_called)
2776 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_size_t_eq(sizeof(buf), nbytes)
2779 || !TEST_int_eq(c, buf[0]))
2780 goto end;
2781
2782 /* Do it again but use dummy writes to drive the ticket generation */
2783 c = '3';
2784 new_called = 0;
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2788 || !TEST_size_t_eq(0, nbytes)
2789 || !TEST_int_eq(2, new_called)
2790 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2791 || !TEST_int_eq(4, new_called))
2792 goto end;
2793
a0bbcb42
BK		 2794 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2795 c = '4';
2796 new_called = 0;
2797 if (!TEST_true(SSL_new_session_ticket(serverssl))
2798 || !TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_do_handshake(serverssl))
2800 || !TEST_int_eq(2, new_called)
2801 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2802 || !TEST_int_eq(4, new_called))
2803 goto end;
2804
f0049b86
BK		 2805 /*
2806 * Use the always-retry BIO to exercise the logic that forces ticket
2807 * generation to wait until a record boundary.
2808 */
a0bbcb42 2809 c = '5';
f0049b86
BK		 2810 new_called = 0;
2811 tmp = SSL_get_wbio(serverssl);
2812 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2813 tmp = NULL;
2814 goto end;
2815 }
2816 SSL_set0_wbio(serverssl, bretry);
2817 bretry = NULL;
2818 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2819 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2820 || !TEST_size_t_eq(nbytes, 0))
2821 goto end;
2822 /* Restore a BIO that will let the write succeed */
2823 SSL_set0_wbio(serverssl, tmp);
2824 tmp = NULL;
a0bbcb42
BK		 2825 /*
2826 * These calls should just queue the request and not send anything
2827 * even if we explicitly try to hit the state machine.
2828 */
f0049b86
BK		 2829 if (!TEST_true(SSL_new_session_ticket(serverssl))
2830 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2831 || !TEST_int_eq(0, new_called)
2832 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2833 || !TEST_int_eq(0, new_called))
2834 goto end;
2835 /* Re-do the write; still no tickets sent */
2836 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2837 || !TEST_size_t_eq(1, nbytes)
2838 || !TEST_int_eq(0, new_called)
2839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2840 || !TEST_int_eq(0, new_called)
2841 || !TEST_int_eq(sizeof(buf), nbytes)
2842 || !TEST_int_eq(c, buf[0])
2843 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2844 goto end;
a0bbcb42
BK		 2845 /* Even trying to hit the state machine now will still not send tickets */
2846 if (!TEST_true(SSL_do_handshake(serverssl))
2847 || !TEST_int_eq(0, new_called))
2848 goto end;
f0049b86 2849 /* Now the *next* write should send the tickets */
a0bbcb42 2850 c = '6';
f0049b86
BK		 2851 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2852 || !TEST_size_t_eq(1, nbytes)
2853 || !TEST_int_eq(2, new_called)
2854 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2855 || !TEST_int_eq(4, new_called)
2856 || !TEST_int_eq(sizeof(buf), nbytes)
2857 || !TEST_int_eq(c, buf[0])
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2859 goto end;
2860
2861 SSL_shutdown(clientssl);
2862 SSL_shutdown(serverssl);
2863 testresult = 1;
2864
2865 end:
2866 BIO_free(bretry);
2867 BIO_free(tmp);
2868 SSL_free(serverssl);
2869 SSL_free(clientssl);
2870 SSL_CTX_free(sctx);
2871 SSL_CTX_free(cctx);
2872 clientssl = serverssl = NULL;
2873 sctx = cctx = NULL;
2874 return testresult;
2875}
04225915 2876#endif
36ff232c 2877
7d4488bb
MC		 2878#define USE_NULL 0
2879#define USE_BIO_1 1
2880#define USE_BIO_2 2
2881#define USE_DEFAULT 3
2882
2883#define CONNTYPE_CONNECTION_SUCCESS 0
2884#define CONNTYPE_CONNECTION_FAIL 1
2885#define CONNTYPE_NO_CONNECTION 2
2886
2887#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2888#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2889#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2890# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2891#else
2892# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2893#endif
2894
7d4488bb
MC		 2895#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2896 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2898
2899static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2900{
2901 switch (type) {
2902 case USE_NULL:
2903 *res = NULL;
2904 break;
2905 case USE_BIO_1:
2906 *res = bio1;
2907 break;
2908 case USE_BIO_2:
2909 *res = bio2;
2910 break;
2911 }
2912}
2913
7d4488bb
MC		 2914
2915/*
2916 * Tests calls to SSL_set_bio() under various conditions.
2917 *
2918 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2920 * then do more tests where we create a successful connection first using our
2921 * standard connection setup functions, and then call SSL_set_bio() with
2922 * various combinations of valid BIOs or NULL. We then repeat these tests
2923 * following a failed connection. In this last case we are looking to check that
2924 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2925 */
7fb4c820
MC		 2926static int test_ssl_set_bio(int idx)
2927{
7d4488bb 2928 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2929 BIO *bio1 = NULL;
2930 BIO *bio2 = NULL;
0fae8150 2931 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2932 SSL *serverssl = NULL, *clientssl = NULL;
2933 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2934 int testresult = 0;
2935
7d4488bb
MC		 2936 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2937 initrbio = idx % 3;
2938 idx /= 3;
2939 initwbio = idx % 3;
2940 idx /= 3;
2941 newrbio = idx % 3;
2942 idx /= 3;
2943 newwbio = idx % 3;
2944 conntype = CONNTYPE_NO_CONNECTION;
2945 } else {
2946 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2947 initrbio = initwbio = USE_DEFAULT;
2948 newrbio = idx % 2;
2949 idx /= 2;
2950 newwbio = idx % 2;
2951 idx /= 2;
2952 conntype = idx % 2;
2953 }
710756a9 2954
5e30f2fd
MC		 2955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2956 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2957 &sctx, &cctx, cert, privkey)))
2958 goto end;
2959
2960 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2961 /*
2962 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2963 * because we reduced the number of tests in the definition of
2964 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2965 * mismatched protocol versions we will force a connection failure.
2966 */
2967 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2968 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2969 }
2970
2971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2972 NULL, NULL)))
710756a9 2973 goto end;
7fb4c820 2974
710756a9
RS		 2975 if (initrbio == USE_BIO_1
2976 || initwbio == USE_BIO_1
2977 || newrbio == USE_BIO_1
7fb4c820 2978 || newwbio == USE_BIO_1) {
710756a9 2979 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2980 goto end;
7fb4c820
MC		 2981 }
2982
710756a9
RS		 2983 if (initrbio == USE_BIO_2
2984 || initwbio == USE_BIO_2
2985 || newrbio == USE_BIO_2
7fb4c820 2986 || newwbio == USE_BIO_2) {
710756a9 2987 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2988 goto end;
7fb4c820
MC		 2989 }
2990
7d4488bb
MC		 2991 if (initrbio != USE_DEFAULT) {
2992 setupbio(&irbio, bio1, bio2, initrbio);
2993 setupbio(&iwbio, bio1, bio2, initwbio);
2994 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2995
7d4488bb
MC		 2996 /*
2997 * We want to maintain our own refs to these BIO, so do an up ref for
2998 * each BIO that will have ownership transferred in the SSL_set_bio()
2999 * call
3000 */
3001 if (irbio != NULL)
3002 BIO_up_ref(irbio);
3003 if (iwbio != NULL && iwbio != irbio)
3004 BIO_up_ref(iwbio);
3005 }
7fb4c820 3006
7d4488bb
MC		 3007 if (conntype != CONNTYPE_NO_CONNECTION
3008 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3009 SSL_ERROR_NONE)
3010 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3011 goto end;
7fb4c820
MC		 3012
3013 setupbio(&nrbio, bio1, bio2, newrbio);
3014 setupbio(&nwbio, bio1, bio2, newwbio);
3015
3016 /*
3017 * We will (maybe) transfer ownership again so do more up refs.
3018 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3019 * already been set!
3020 */
710756a9
RS		 3021 if (nrbio != NULL
3022 && nrbio != irbio
3023 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 3024 BIO_up_ref(nrbio);
710756a9
RS		 3025 if (nwbio != NULL
3026 && nwbio != nrbio
3027 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 3028 BIO_up_ref(nwbio);
3029
7d4488bb 3030 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 3031
3032 testresult = 1;
3033
3034 end:
7fb4c820
MC		 3035 BIO_free(bio1);
3036 BIO_free(bio2);
710756a9 3037
7fb4c820
MC		 3038 /*
3039 * This test is checking that the ref counting for SSL_set_bio is correct.
3040 * If we get here and we did too many frees then we will fail in the above
742ccab3 3041 * functions.
7fb4c820 3042 */
7d4488bb
MC		 3043 SSL_free(serverssl);
3044 SSL_free(clientssl);
3045 SSL_CTX_free(sctx);
3046 SSL_CTX_free(cctx);
7fb4c820
MC		 3047 return testresult;
3048}
3049
7e885b7b 3050typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 3051
7e885b7b 3052static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 3053{
3054 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 3055 SSL_CTX *ctx;
9a716987
MC		 3056 SSL *ssl = NULL;
3057 int testresult = 0;
3058
d8652be0 3059 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 3060 || !TEST_ptr(ssl = SSL_new(ctx))
3061 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3062 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 3063 goto end;
9a716987
MC		 3064
3065 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3066
3067 /*
742ccab3 3068 * If anything goes wrong here then we could leak memory.
9a716987
MC		 3069 */
3070 BIO_push(sslbio, membio1);
3071
69687aa8 3072 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 3073 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 3074 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3075 ssl = NULL;
9a716987 3076 goto end;
493e7898 3077 }
7e885b7b 3078 if (change_bio == CHANGE_RBIO)
65e2d672 3079 SSL_set0_rbio(ssl, membio2);
9a716987 3080 else
65e2d672 3081 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 3082 }
3083 ssl = NULL;
3084
7e885b7b 3085 if (pop_ssl)
9a716987
MC		 3086 BIO_pop(sslbio);
3087 else
3088 BIO_pop(membio1);
3089
3090 testresult = 1;
3091 end:
3092 BIO_free(membio1);
3093 BIO_free(sslbio);
3094 SSL_free(ssl);
3095 SSL_CTX_free(ctx);
3096
3097 return testresult;
3098}
3099
3100static int test_ssl_bio_pop_next_bio(void)
3101{
7e885b7b 3102 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 3103}
3104
3105static int test_ssl_bio_pop_ssl_bio(void)
3106{
7e885b7b 3107 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 3108}
3109
3110static int test_ssl_bio_change_rbio(void)
3111{
7e885b7b 3112 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 3113}
3114
3115static int test_ssl_bio_change_wbio(void)
3116{
7e885b7b 3117 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 3118}
3119
a763ca11 3120#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 3121typedef struct {
3122 /* The list of sig algs */
3123 const int *list;
3124 /* The length of the list */
3125 size_t listlen;
3126 /* A sigalgs list in string format */
3127 const char *liststr;
3128 /* Whether setting the list should succeed */
3129 int valid;
3130 /* Whether creating a connection with the list should succeed */
3131 int connsuccess;
3132} sigalgs_list;
3133
3134static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 3135# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3136static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3137static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 3138# endif
f1b25aae
MC		 3139static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3140static const int invalidlist2[] = {NID_sha256, NID_undef};
3141static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3142static const int invalidlist4[] = {NID_sha256};
3143static const sigalgs_list testsigalgs[] = {
3144 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 3145# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3146 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3147 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 3148# endif
f1b25aae 3149 {NULL, 0, "RSA+SHA256", 1, 1},
2b4cea1e 3150 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
c423ecaa 3151# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3152 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3153 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 3154# endif
f1b25aae
MC		 3155 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3156 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3157 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3158 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3159 {NULL, 0, "RSA", 0, 0},
3160 {NULL, 0, "SHA256", 0, 0},
3161 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3162 {NULL, 0, "Invalid", 0, 0}
3163};
f1b25aae
MC		 3164
3165static int test_set_sigalgs(int idx)
3166{
3167 SSL_CTX *cctx = NULL, *sctx = NULL;
3168 SSL *clientssl = NULL, *serverssl = NULL;
3169 int testresult = 0;
3170 const sigalgs_list *curr;
3171 int testctx;
3172
3173 /* Should never happen */
710756a9 3174 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3175 return 0;
3176
3177 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3178 curr = testctx ? &testsigalgs[idx]
3179 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3180
5e30f2fd
MC		 3181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3182 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3183 &sctx, &cctx, cert, privkey)))
f1b25aae 3184 return 0;
f1b25aae 3185
d2e491f2
MC		 3186 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3187
f1b25aae
MC		 3188 if (testctx) {
3189 int ret;
710756a9 3190
f1b25aae
MC		 3191 if (curr->list != NULL)
3192 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3193 else
3194 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3195
3196 if (!ret) {
3197 if (curr->valid)
710756a9 3198 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3199 else
3200 testresult = 1;
3201 goto end;
3202 }
3203 if (!curr->valid) {
710756a9 3204 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3205 goto end;
3206 }
3207 }
3208
710756a9
RS		 3209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3210 &clientssl, NULL, NULL)))
f1b25aae 3211 goto end;
f1b25aae
MC		 3212
3213 if (!testctx) {
3214 int ret;
3215
3216 if (curr->list != NULL)
3217 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3218 else
3219 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3220 if (!ret) {
3221 if (curr->valid)
710756a9 3222 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3223 else
3224 testresult = 1;
3225 goto end;
3226 }
710756a9 3227 if (!curr->valid)
f1b25aae 3228 goto end;
f1b25aae
MC		 3229 }
3230
710756a9
RS		 3231 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3232 SSL_ERROR_NONE),
3233 curr->connsuccess))
f1b25aae 3234 goto end;
f1b25aae
MC		 3235
3236 testresult = 1;
3237
3238 end:
3239 SSL_free(serverssl);
3240 SSL_free(clientssl);
3241 SSL_CTX_free(sctx);
3242 SSL_CTX_free(cctx);
3243
3244 return testresult;
3245}
c423ecaa 3246#endif
f1b25aae 3247
a763ca11 3248#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3249static int psk_client_cb_cnt = 0;
3250static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3251
3252static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3253 size_t *idlen, SSL_SESSION **sess)
3254{
3255 switch (++use_session_cb_cnt) {
3256 case 1:
3257 /* The first call should always have a NULL md */
3258 if (md != NULL)
3259 return 0;
3260 break;
3261
3262 case 2:
3263 /* The second call should always have an md */
3264 if (md == NULL)
3265 return 0;
3266 break;
3267
3268 default:
3269 /* We should only be called a maximum of twice */
3270 return 0;
3271 }
3272
57dee9bb
MC		 3273 if (clientpsk != NULL)
3274 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3275
57dee9bb 3276 *sess = clientpsk;
02a3ed5a
MC		 3277 *id = (const unsigned char *)pskid;
3278 *idlen = strlen(pskid);
3279
3280 return 1;
3281}
3282
c2b290c3 3283#ifndef OPENSSL_NO_PSK
532f9578
MC		 3284static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3285 unsigned int max_id_len,
3286 unsigned char *psk,
3287 unsigned int max_psk_len)
3288{
3289 unsigned int psklen = 0;
3290
3291 psk_client_cb_cnt++;
3292
3293 if (strlen(pskid) + 1 > max_id_len)
3294 return 0;
3295
3296 /* We should only ever be called a maximum of twice per connection */
3297 if (psk_client_cb_cnt > 2)
3298 return 0;
3299
3300 if (clientpsk == NULL)
3301 return 0;
3302
3303 /* We'll reuse the PSK we set up for TLSv1.3 */
3304 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3305 return 0;
3306 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3307 strncpy(id, pskid, max_id_len);
3308
3309 return psklen;
3310}
c2b290c3 3311#endif /* OPENSSL_NO_PSK */
532f9578 3312
02a3ed5a
MC		 3313static int find_session_cb(SSL *ssl, const unsigned char *identity,
3314 size_t identity_len, SSL_SESSION **sess)
3315{
3316 find_session_cb_cnt++;
3317
3318 /* We should only ever be called a maximum of twice per connection */
3319 if (find_session_cb_cnt > 2)
3320 return 0;
3321
57dee9bb 3322 if (serverpsk == NULL)
02a3ed5a
MC		 3323 return 0;
3324
3325 /* Identity should match that set by the client */
3326 if (strlen(srvid) != identity_len
3327 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3328 /* No PSK found, continue but without a PSK */
3329 *sess = NULL;
3330 return 1;
3331 }
3332
57dee9bb
MC		 3333 SSL_SESSION_up_ref(serverpsk);
3334 *sess = serverpsk;
02a3ed5a
MC		 3335
3336 return 1;
3337}
3338
c2b290c3 3339#ifndef OPENSSL_NO_PSK
532f9578
MC		 3340static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3341 unsigned char *psk, unsigned int max_psk_len)
3342{
3343 unsigned int psklen = 0;
3344
3345 psk_server_cb_cnt++;
3346
3347 /* We should only ever be called a maximum of twice per connection */
3348 if (find_session_cb_cnt > 2)
3349 return 0;
3350
3351 if (serverpsk == NULL)
3352 return 0;
3353
3354 /* Identity should match that set by the client */
3355 if (strcmp(srvid, identity) != 0) {
3356 return 0;
3357 }
3358
3359 /* We'll reuse the PSK we set up for TLSv1.3 */
3360 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3361 return 0;
3362 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3363
3364 return psklen;
3365}
c2b290c3 3366#endif /* OPENSSL_NO_PSK */
532f9578 3367
5f982038
MC		 3368#define MSG1 "Hello"
3369#define MSG2 "World."
3370#define MSG3 "This"
3371#define MSG4 "is"
3372#define MSG5 "a"
90049cea
MC		 3373#define MSG6 "test"
3374#define MSG7 "message."
5f982038 3375
2be5065b
MC		 3376static int artificial_ticket_time = 0;
3377
afb6ce0d
MC		 3378static int sub_session_time(SSL_SESSION *sess)
3379{
3380 OSSL_TIME tick_time;
3381
3382 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3383 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3384
3385 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3386}
3387
2be5065b
MC		 3388static int ed_gen_cb(SSL *s, void *arg)
3389{
3390 SSL_SESSION *sess = SSL_get0_session(s);
3391
3392 if (sess == NULL)
3393 return 0;
3394
3395 /*
3396 * Artificially give the ticket some age. Just do it for the number of
3397 * tickets we've been told to do.
3398 */
3399 if (artificial_ticket_time == 0)
3400 return 1;
3401 artificial_ticket_time--;
3402
afb6ce0d 3403 return sub_session_time(sess);
2be5065b
MC		 3404}
3405
5f982038
MC		 3406/*
3407 * Helper method to setup objects for early data test. Caller frees objects on
3408 * error.
3409 */
3410static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
10836921
MC		 3411 SSL **serverssl, SSL_SESSION **sess, int idx,
3412 size_t mdsize)
5f982038 3413{
2be5065b
MC		 3414 int artificial = (artificial_ticket_time > 0);
3415
5a421415 3416 if (*sctx == NULL
5e30f2fd 3417 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3418 TLS_client_method(),
5c587fb6 3419 TLS1_VERSION, 0,
5a421415
MC		 3420 sctx, cctx, cert, privkey)))
3421 return 0;
3422
2be5065b
MC		 3423 if (artificial)
3424 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3425
5a421415 3426 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3427 return 0;
5f982038 3428
02a3ed5a
MC		 3429 if (idx == 1) {
3430 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3431 SSL_CTX_set_read_ahead(*cctx, 1);
3432 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3433 } else if (idx == 2) {
3434 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3435 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3436 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3437 use_session_cb_cnt = 0;
3438 find_session_cb_cnt = 0;
3439 srvid = pskid;
3cb47b4e
MC		 3440 }
3441
710756a9 3442 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3443 NULL, NULL)))
3444 return 0;
3445
141e4709
MC		 3446 /*
3447 * For one of the run throughs (doesn't matter which one), we'll try sending
3448 * some SNI data in the initial ClientHello. This will be ignored (because
3449 * there is no SNI cb set up by the server), so it should not impact
3450 * early_data.
3451 */
3452 if (idx == 1
3453 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3454 return 0;
3455
02a3ed5a 3456 if (idx == 2) {
10836921 3457 clientpsk = create_a_psk(*clientssl, mdsize);
57dee9bb 3458 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3459 /*
3460 * We just choose an arbitrary value for max_early_data which
3461 * should be big enough for testing purposes.
3462 */
57dee9bb
MC		 3463 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3464 0x100))
3465 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3466 SSL_SESSION_free(clientpsk);
3467 clientpsk = NULL;
02a3ed5a
MC		 3468 return 0;
3469 }
57dee9bb 3470 serverpsk = clientpsk;
02a3ed5a 3471
c20e3b28
MC		 3472 if (sess != NULL) {
3473 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3474 SSL_SESSION_free(clientpsk);
3475 SSL_SESSION_free(serverpsk);
3476 clientpsk = serverpsk = NULL;
3477 return 0;
3478 }
57dee9bb 3479 *sess = clientpsk;
c20e3b28 3480 }
02a3ed5a
MC		 3481 return 1;
3482 }
3483
3484 if (sess == NULL)
3485 return 1;
3486
3487 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3488 SSL_ERROR_NONE)))
5f982038 3489 return 0;
5f982038
MC		 3490
3491 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3492 SSL_shutdown(*clientssl);
3493 SSL_shutdown(*serverssl);
5f982038
MC		 3494 SSL_free(*serverssl);
3495 SSL_free(*clientssl);
3496 *serverssl = *clientssl = NULL;
3497
2be5065b
MC		 3498 /*
3499 * Artificially give the ticket some age to match the artificial age we
3500 * gave it on the server side
3501 */
3502 if (artificial
afb6ce0d 3503 && !TEST_true(sub_session_time(*sess)))
2be5065b
MC		 3504 return 0;
3505
710756a9
RS		 3506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3507 clientssl, NULL, NULL))
3508 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3509 return 0;
5f982038
MC		 3510
3511 return 1;
3512}
3513
3cb47b4e 3514static int test_early_data_read_write(int idx)
5f982038
MC		 3515{
3516 SSL_CTX *cctx = NULL, *sctx = NULL;
3517 SSL *clientssl = NULL, *serverssl = NULL;
3518 int testresult = 0;
3519 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3520 unsigned char buf[20], data[1024];
3521 size_t readbytes, written, eoedlen, rawread, rawwritten;
3522 BIO *rbio;
5f982038 3523
2be5065b
MC		 3524 /* Artificially give the next 2 tickets some age for non PSK sessions */
3525 if (idx != 2)
3526 artificial_ticket_time = 2;
710756a9 3527 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3528 &serverssl, &sess, idx,
3529 SHA384_DIGEST_LENGTH))) {
2be5065b 3530 artificial_ticket_time = 0;
5f982038 3531 goto end;
2be5065b
MC		 3532 }
3533 artificial_ticket_time = 0;
5f982038
MC		 3534
3535 /* Write and read some early data */
710756a9
RS		 3536 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3537 &written))
3538 || !TEST_size_t_eq(written, strlen(MSG1))
3539 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3540 sizeof(buf), &readbytes),
3541 SSL_READ_EARLY_DATA_SUCCESS)
3542 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3543 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3544 SSL_EARLY_DATA_ACCEPTED))
5f982038 3545 goto end;
5f982038
MC		 3546
3547 /*
09f28874 3548 * Server should be able to write data, and client should be able to
5f982038
MC		 3549 * read it.
3550 */
710756a9
RS		 3551 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3552 &written))
3553 || !TEST_size_t_eq(written, strlen(MSG2))
3554 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3555 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3556 goto end;
5f982038
MC		 3557
3558 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3559 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3560 &written))
3561 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3562 goto end;
5f982038 3563
09f28874 3564 /* Server should still be able read early data after writing data */
710756a9
RS		 3565 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3566 &readbytes),
3567 SSL_READ_EARLY_DATA_SUCCESS)
3568 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3569 goto end;
5f982038 3570
09f28874 3571 /* Write more data from server and read it from client */
710756a9
RS		 3572 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3573 &written))
3574 || !TEST_size_t_eq(written, strlen(MSG4))
3575 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3576 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3577 goto end;
5f982038
MC		 3578
3579 /*
3580 * If client writes normal data it should mean writing early data is no
3581 * longer possible.
3582 */
710756a9
RS		 3583 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3584 || !TEST_size_t_eq(written, strlen(MSG5))
3585 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3586 SSL_EARLY_DATA_ACCEPTED))
5f982038 3587 goto end;
5f982038 3588
9b5c865d
MC		 3589 /*
3590 * At this point the client has written EndOfEarlyData, ClientFinished and
3591 * normal (fully protected) data. We are going to cause a delay between the
3592 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3593 * in the read BIO, and then just put back the EndOfEarlyData message.
3594 */
3595 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3596 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3597 || !TEST_size_t_lt(rawread, sizeof(data))
3598 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3599 goto end;
710756a9 3600
9b5c865d
MC		 3601 /* Record length is in the 4th and 5th bytes of the record header */
3602 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3603 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3604 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3605 goto end;
9b5c865d 3606
5f982038 3607 /* Server should be told that there is no more early data */
710756a9
RS		 3608 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3609 &readbytes),
3610 SSL_READ_EARLY_DATA_FINISH)
3611 || !TEST_size_t_eq(readbytes, 0))
5f982038 3612 goto end;
5f982038 3613
9b5c865d
MC		 3614 /*
3615 * Server has not finished init yet, so should still be able to write early
3616 * data.
3617 */
710756a9
RS		 3618 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3619 &written))
3620 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3621 goto end;
9b5c865d 3622
f8a303fa 3623 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3624 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3625 &rawwritten))
3626 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3627 goto end;
f8a303fa 3628
5f982038 3629 /* Server should be able to read normal data */
710756a9
RS		 3630 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3631 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3632 goto end;
5f982038 3633
09f28874 3634 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3635 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3636 &written)))
5f982038 3637 goto end;
5f982038 3638 ERR_clear_error();
710756a9
RS		 3639 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3640 &readbytes),
3641 SSL_READ_EARLY_DATA_ERROR))
5f982038 3642 goto end;
5f982038
MC		 3643 ERR_clear_error();
3644
9b5c865d 3645 /* Client should be able to read the data sent by the server */
710756a9
RS		 3646 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3647 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3648 goto end;
710756a9 3649
f8a303fa 3650 /*
36ff232c
MC		 3651 * Make sure we process the two NewSessionTickets. These arrive
3652 * post-handshake. We attempt reads which we do not expect to return any
3653 * data.
f8a303fa 3654 */
36ff232c
MC		 3655 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3656 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3657 &readbytes)))
f8a303fa 3658 goto end;
5f982038 3659
90049cea 3660 /* Server should be able to write normal data */
710756a9
RS		 3661 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3662 || !TEST_size_t_eq(written, strlen(MSG7))
3663 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3664 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3665 goto end;
90049cea 3666
c20e3b28 3667 SSL_SESSION_free(sess);
5f982038 3668 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3669 use_session_cb_cnt = 0;
3670 find_session_cb_cnt = 0;
5f982038
MC		 3671
3672 SSL_shutdown(clientssl);
3673 SSL_shutdown(serverssl);
5f982038
MC		 3674 SSL_free(serverssl);
3675 SSL_free(clientssl);
3676 serverssl = clientssl = NULL;
710756a9
RS		 3677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3678 &clientssl, NULL, NULL))
3679 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3680 goto end;
5f982038
MC		 3681
3682 /* Write and read some early data */
710756a9
RS		 3683 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3684 &written))
3685 || !TEST_size_t_eq(written, strlen(MSG1))
3686 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3687 &readbytes),
3688 SSL_READ_EARLY_DATA_SUCCESS)
3689 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3690 goto end;
5f982038 3691
710756a9
RS		 3692 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3693 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3694 goto end;
5f982038 3695
09f28874 3696 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3697 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3698 &written)))
5f982038 3699 goto end;
5f982038 3700 ERR_clear_error();
710756a9
RS		 3701 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3702 &readbytes),
3703 SSL_READ_EARLY_DATA_ERROR))
5f982038 3704 goto end;
5f982038
MC		 3705 ERR_clear_error();
3706
3707 /* Client and server should be able to write/read normal data */
710756a9
RS		 3708 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3709 || !TEST_size_t_eq(written, strlen(MSG5))
3710 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3711 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3712 goto end;
5f982038
MC		 3713
3714 testresult = 1;
3715
3716 end:
c20e3b28 3717 SSL_SESSION_free(sess);
57dee9bb
MC		 3718 SSL_SESSION_free(clientpsk);
3719 SSL_SESSION_free(serverpsk);
3720 clientpsk = serverpsk = NULL;
5f982038
MC		 3721 SSL_free(serverssl);
3722 SSL_free(clientssl);
3723 SSL_CTX_free(sctx);
3724 SSL_CTX_free(cctx);
5f982038
MC		 3725 return testresult;
3726}
3727
5a421415
MC		 3728static int allow_ed_cb_called = 0;
3729
3730static int allow_early_data_cb(SSL *s, void *arg)
3731{
3732 int *usecb = (int *)arg;
3733
3734 allow_ed_cb_called++;
3735
3736 if (*usecb == 1)
3737 return 0;
3738
3739 return 1;
3740}
3741
3742/*
3743 * idx == 0: Standard early_data setup
3744 * idx == 1: early_data setup using read_ahead
3745 * usecb == 0: Don't use a custom early data callback
3746 * usecb == 1: Use a custom early data callback and reject the early data
3747 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3748 * confopt == 0: Configure anti-replay directly
3749 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3750 */
3bb5e5b0 3751static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3752{
3753 SSL_CTX *cctx = NULL, *sctx = NULL;
3754 SSL *clientssl = NULL, *serverssl = NULL;
3755 int testresult = 0;
3756 SSL_SESSION *sess = NULL;
5a421415
MC		 3757 size_t readbytes, written;
3758 unsigned char buf[20];
3759
3760 allow_ed_cb_called = 0;
3761
5e30f2fd
MC		 3762 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3763 TLS_client_method(), TLS1_VERSION, 0,
3764 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3765 return 0;
3766
3767 if (usecb > 0) {
3bb5e5b0
MC		 3768 if (confopt == 0) {
3769 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3770 } else {
3771 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3772
3773 if (!TEST_ptr(confctx))
3774 goto end;
3775 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3776 | SSL_CONF_FLAG_SERVER);
3777 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3778 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3779 2)) {
3780 SSL_CONF_CTX_free(confctx);
3781 goto end;
3782 }
3783 SSL_CONF_CTX_free(confctx);
3784 }
5a421415
MC		 3785 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3786 }
78fb5374
MC		 3787
3788 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3789 &serverssl, &sess, idx,
3790 SHA384_DIGEST_LENGTH)))
78fb5374
MC		 3791 goto end;
3792
3793 /*
3794 * The server is configured to accept early data. Create a connection to
3795 * "use up" the ticket
3796 */
3797 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3798 || !TEST_true(SSL_session_reused(clientssl)))
3799 goto end;
3800
3801 SSL_shutdown(clientssl);
3802 SSL_shutdown(serverssl);
3803 SSL_free(serverssl);
3804 SSL_free(clientssl);
3805 serverssl = clientssl = NULL;
3806
3807 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3808 &clientssl, NULL, NULL))
5a421415
MC		 3809 || !TEST_true(SSL_set_session(clientssl, sess)))
3810 goto end;
3811
3812 /* Write and read some early data */
3813 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3814 &written))
3815 || !TEST_size_t_eq(written, strlen(MSG1)))
3816 goto end;
3817
3818 if (usecb <= 1) {
3819 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3820 &readbytes),
3821 SSL_READ_EARLY_DATA_FINISH)
3822 /*
3823 * The ticket was reused, so the we should have rejected the
3824 * early data
3825 */
3826 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3827 SSL_EARLY_DATA_REJECTED))
3828 goto end;
3829 } else {
3830 /* In this case the callback decides to accept the early data */
3831 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3832 &readbytes),
3833 SSL_READ_EARLY_DATA_SUCCESS)
3834 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3835 /*
3836 * Server will have sent its flight so client can now send
3837 * end of early data and complete its half of the handshake
3838 */
3839 || !TEST_int_gt(SSL_connect(clientssl), 0)
3840 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3841 &readbytes),
3842 SSL_READ_EARLY_DATA_FINISH)
3843 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3844 SSL_EARLY_DATA_ACCEPTED))
3845 goto end;
3846 }
3847
3848 /* Complete the connection */
3849 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3850 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3851 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3852 goto end;
3853
3854 testresult = 1;
3855
3856 end:
c20e3b28 3857 SSL_SESSION_free(sess);
78fb5374
MC		 3858 SSL_SESSION_free(clientpsk);
3859 SSL_SESSION_free(serverpsk);
3860 clientpsk = serverpsk = NULL;
3861 SSL_free(serverssl);
3862 SSL_free(clientssl);
3863 SSL_CTX_free(sctx);
3864 SSL_CTX_free(cctx);
3865 return testresult;
3866}
3867
5a421415
MC		 3868static int test_early_data_replay(int idx)
3869{
3bb5e5b0 3870 int ret = 1, usecb, confopt;
5a421415 3871
3bb5e5b0
MC		 3872 for (usecb = 0; usecb < 3; usecb++) {
3873 for (confopt = 0; confopt < 2; confopt++)
3874 ret &= test_early_data_replay_int(idx, usecb, confopt);
3875 }
5a421415
MC		 3876
3877 return ret;
3878}
3879
10836921
MC		 3880static const char *ciphersuites[] = {
3881 "TLS_AES_128_CCM_8_SHA256",
3882 "TLS_AES_128_GCM_SHA256",
3883 "TLS_AES_256_GCM_SHA384",
3884 "TLS_AES_128_CCM_SHA256",
3885#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3886 "TLS_CHACHA20_POLY1305_SHA256"
3887#endif
3888};
3889
710756a9 3890/*
6b84e6bf
MC		 3891 * Helper function to test that a server attempting to read early data can
3892 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3893 * testtype: 0 == No HRR
3894 * testtype: 1 == HRR
0efa0ba4
MC		 3895 * testtype: 2 == HRR, invalid early_data sent after HRR
3896 * testtype: 3 == recv_max_early_data set to 0
710756a9 3897 */
10836921 3898static int early_data_skip_helper(int testtype, int cipher, int idx)
5f982038
MC		 3899{
3900 SSL_CTX *cctx = NULL, *sctx = NULL;
3901 SSL *clientssl = NULL, *serverssl = NULL;
3902 int testresult = 0;
018fcbec 3903 SSL_SESSION *sess = NULL;
5f982038
MC		 3904 unsigned char buf[20];
3905 size_t readbytes, written;
3906
10836921
MC		 3907 if (is_fips && cipher == 4)
3908 return 1;
3909
3910 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3911 TLS_client_method(),
3912 TLS1_VERSION, 0,
3913 &sctx, &cctx, cert, privkey)))
3914 goto end;
3915
3916 if (cipher == 0) {
3917 SSL_CTX_set_security_level(sctx, 0);
3918 SSL_CTX_set_security_level(cctx, 0);
3919 }
3920
3921 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3922 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3923 goto end;
3924
710756a9 3925 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3926 &serverssl, &sess, idx,
3927 cipher == 2 ? SHA384_DIGEST_LENGTH
3928 : SHA256_DIGEST_LENGTH)))
5f982038
MC		 3929 goto end;
3930
0efa0ba4 3931 if (testtype == 1 || testtype == 2) {
6b84e6bf 3932 /* Force an HRR to occur */
dbc6268f
MC		 3933#if defined(OPENSSL_NO_EC)
3934 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3935 goto end;
3936#else
4032cd9a 3937 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
6b84e6bf 3938 goto end;
dbc6268f 3939#endif
02a3ed5a
MC		 3940 } else if (idx == 2) {
3941 /*
3942 * We force early_data rejection by ensuring the PSK identity is
3943 * unrecognised
3944 */
3945 srvid = "Dummy Identity";
6b84e6bf
MC		 3946 } else {
3947 /*
3948 * Deliberately corrupt the creation time. We take 20 seconds off the
3949 * time. It could be any value as long as it is not within tolerance.
3950 * This should mean the ticket is rejected.
3951 */
5d99881e 3952 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3953 goto end;
3954 }
5f982038 3955
0efa0ba4 3956 if (testtype == 3
0d1b7789
MC		 3957 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3958 goto end;
3959
5f982038 3960 /* Write some early data */
710756a9
RS		 3961 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3962 &written))
3963 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3964 goto end;
5f982038 3965
0d1b7789 3966 /* Server should reject the early data */
710756a9
RS		 3967 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3968 &readbytes),
3969 SSL_READ_EARLY_DATA_FINISH)
3970 || !TEST_size_t_eq(readbytes, 0)
3971 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3972 SSL_EARLY_DATA_REJECTED))
5f982038 3973 goto end;
5f982038 3974
0efa0ba4
MC		 3975 switch (testtype) {
3976 case 0:
3977 /* Nothing to do */
3978 break;
3979
3980 case 1:
6b84e6bf
MC		 3981 /*
3982 * Finish off the handshake. We perform the same writes and reads as
3983 * further down but we expect them to fail due to the incomplete
3984 * handshake.
3985 */
3986 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3987 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3988 &readbytes)))
3989 goto end;
0efa0ba4
MC		 3990 break;
3991
3992 case 2:
3993 {
3994 BIO *wbio = SSL_get_wbio(clientssl);
3995 /* A record that will appear as bad early_data */
3996 const unsigned char bad_early_data[] = {
3997 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3998 };
3999
4000 /*
4001 * We force the client to attempt a write. This will fail because
4002 * we're still in the handshake. It will cause the second
4003 * ClientHello to be sent.
4004 */
4005 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4006 &written)))
4007 goto end;
4008
4009 /*
4010 * Inject some early_data after the second ClientHello. This should
4011 * cause the server to fail
4012 */
4013 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4014 sizeof(bad_early_data), &written)))
4015 goto end;
4016 }
4017 /* fallthrough */
4018
4019 case 3:
0d1b7789 4020 /*
0efa0ba4
MC		 4021 * This client has sent more early_data than we are willing to skip
4022 * (case 3) or sent invalid early_data (case 2) so the connection should
4023 * abort.
0d1b7789
MC		 4024 */
4025 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4026 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4027 goto end;
4028
4029 /* Connection has failed - nothing more to do */
4030 testresult = 1;
4031 goto end;
0efa0ba4
MC		 4032
4033 default:
4034 TEST_error("Invalid test type");
4035 goto end;
6b84e6bf
MC		 4036 }
4037
10836921 4038 ERR_clear_error();
0d1b7789
MC		 4039 /*
4040 * Should be able to send normal data despite rejection of early data. The
4041 * early_data should be skipped.
4042 */
710756a9
RS		 4043 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4044 || !TEST_size_t_eq(written, strlen(MSG2))
4045 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4046 SSL_EARLY_DATA_REJECTED)
4047 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4048 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4049 goto end;
5f982038 4050
10836921
MC		 4051 /*
4052 * Failure to decrypt early data records should not leave spurious errors
4053 * on the error stack
4054 */
4055 if (!TEST_long_eq(ERR_peek_error(), 0))
4056 goto end;
4057
5f982038
MC		 4058 testresult = 1;
4059
4060 end:
c20e3b28 4061 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4062 SSL_SESSION_free(serverpsk);
4063 clientpsk = serverpsk = NULL;
5f982038
MC		 4064 SSL_SESSION_free(sess);
4065 SSL_free(serverssl);
4066 SSL_free(clientssl);
4067 SSL_CTX_free(sctx);
4068 SSL_CTX_free(cctx);
5f982038
MC		 4069 return testresult;
4070}
4071
6b84e6bf
MC		 4072/*
4073 * Test that a server attempting to read early data can handle a connection
4074 * from a client where the early data is not acceptable.
4075 */
4076static int test_early_data_skip(int idx)
4077{
10836921
MC		 4078 return early_data_skip_helper(0,
4079 idx % OSSL_NELEM(ciphersuites),
4080 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4081}
4082
4083/*
4084 * Test that a server attempting to read early data can handle a connection
4085 * from a client where an HRR occurs.
4086 */
4087static int test_early_data_skip_hrr(int idx)
4088{
10836921
MC		 4089 return early_data_skip_helper(1,
4090 idx % OSSL_NELEM(ciphersuites),
4091 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4092}
4093
0efa0ba4
MC		 4094/*
4095 * Test that a server attempting to read early data can handle a connection
4096 * from a client where an HRR occurs and correctly fails if early_data is sent
4097 * after the HRR
4098 */
4099static int test_early_data_skip_hrr_fail(int idx)
4100{
10836921
MC		 4101 return early_data_skip_helper(2,
4102 idx % OSSL_NELEM(ciphersuites),
4103 idx / OSSL_NELEM(ciphersuites));
0efa0ba4
MC		 4104}
4105
0d1b7789
MC		 4106/*
4107 * Test that a server attempting to read early data will abort if it tries to
4108 * skip over too much.
4109 */
4110static int test_early_data_skip_abort(int idx)
4111{
10836921
MC		 4112 return early_data_skip_helper(3,
4113 idx % OSSL_NELEM(ciphersuites),
4114 idx / OSSL_NELEM(ciphersuites));
0d1b7789
MC		 4115}
4116
710756a9
RS		 4117/*
4118 * Test that a server attempting to read early data can handle a connection
4119 * from a client that doesn't send any.
4120 */
3cb47b4e 4121static int test_early_data_not_sent(int idx)
5f982038
MC		 4122{
4123 SSL_CTX *cctx = NULL, *sctx = NULL;
4124 SSL *clientssl = NULL, *serverssl = NULL;
4125 int testresult = 0;
018fcbec 4126 SSL_SESSION *sess = NULL;
5f982038
MC		 4127 unsigned char buf[20];
4128 size_t readbytes, written;
4129
710756a9 4130 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4131 &serverssl, &sess, idx,
4132 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4133 goto end;
4134
4135 /* Write some data - should block due to handshake with server */
4136 SSL_set_connect_state(clientssl);
710756a9 4137 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4138 goto end;
5f982038
MC		 4139
4140 /* Server should detect that early data has not been sent */
710756a9
RS		 4141 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4142 &readbytes),
4143 SSL_READ_EARLY_DATA_FINISH)
4144 || !TEST_size_t_eq(readbytes, 0)
4145 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4146 SSL_EARLY_DATA_NOT_SENT)
4147 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4148 SSL_EARLY_DATA_NOT_SENT))
5f982038 4149 goto end;
5f982038
MC		 4150
4151 /* Continue writing the message we started earlier */
710756a9
RS		 4152 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4153 || !TEST_size_t_eq(written, strlen(MSG1))
4154 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4155 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4156 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4157 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4158 goto end;
5f982038 4159
710756a9
RS		 4160 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4161 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4162 goto end;
5f982038
MC		 4163
4164 testresult = 1;
4165
4166 end:
5f982038 4167 SSL_SESSION_free(sess);
c20e3b28 4168 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4169 SSL_SESSION_free(serverpsk);
4170 clientpsk = serverpsk = NULL;
5f982038
MC		 4171 SSL_free(serverssl);
4172 SSL_free(clientssl);
4173 SSL_CTX_free(sctx);
4174 SSL_CTX_free(cctx);
5f982038
MC		 4175 return testresult;
4176}
4177
976e5323
MC		 4178static const char *servalpn;
4179
c7558d5b
PY		 4180static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4181 unsigned char *outlen, const unsigned char *in,
4182 unsigned int inlen, void *arg)
976e5323 4183{
c7558d5b 4184 unsigned int protlen = 0;
976e5323
MC		 4185 const unsigned char *prot;
4186
c7558d5b
PY		 4187 for (prot = in; prot < in + inlen; prot += protlen) {
4188 protlen = *prot++;
5d99881e 4189 if (in + inlen < prot + protlen)
976e5323
MC		 4190 return SSL_TLSEXT_ERR_NOACK;
4191
4192 if (protlen == strlen(servalpn)
0bd42fde 4193 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 4194 *out = prot;
4195 *outlen = protlen;
4196 return SSL_TLSEXT_ERR_OK;
4197 }
4198 }
4199
4200 return SSL_TLSEXT_ERR_NOACK;
4201}
4202
57dee9bb 4203/* Test that a PSK can be used to send early_data */
976e5323
MC		 4204static int test_early_data_psk(int idx)
4205{
4206 SSL_CTX *cctx = NULL, *sctx = NULL;
4207 SSL *clientssl = NULL, *serverssl = NULL;
4208 int testresult = 0;
4209 SSL_SESSION *sess = NULL;
57dee9bb
MC		 4210 unsigned char alpnlist[] = {
4211 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4212 'l', 'p', 'n'
4213 };
4214#define GOODALPNLEN 9
4215#define BADALPNLEN 8
4216#define GOODALPN (alpnlist)
4217#define BADALPN (alpnlist + GOODALPNLEN)
4218 int err = 0;
976e5323
MC		 4219 unsigned char buf[20];
4220 size_t readbytes, written;
57dee9bb 4221 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 4222 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4223
4224 /* We always set this up with a final parameter of "2" for PSK */
4225 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4226 &serverssl, &sess, 2,
4227 SHA384_DIGEST_LENGTH)))
976e5323
MC		 4228 goto end;
4229
976e5323
MC		 4230 servalpn = "goodalpn";
4231
57dee9bb
MC		 4232 /*
4233 * Note: There is no test for inconsistent SNI with late client detection.
4234 * This is because servers do not acknowledge SNI even if they are using
4235 * it in a resumption handshake - so it is not actually possible for a
4236 * client to detect a problem.
4237 */
976e5323
MC		 4238 switch (idx) {
4239 case 0:
57dee9bb 4240 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4241 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4242 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4243 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4244 goto end;
4245 break;
4246
4247 case 1:
57dee9bb 4248 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4249 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4250 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4251 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4252 GOODALPNLEN))
4253 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4254 BADALPNLEN)))
976e5323
MC		 4255 goto end;
4256 break;
4257
4258 case 2:
4259 /*
4260 * Set invalid protocol version. Technically this affects PSKs without
4261 * early_data too, but we test it here because it is similar to the
4262 * SNI/ALPN consistency tests.
4263 */
4264 err = SSL_R_BAD_PSK;
4265 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4266 goto end;
4267 break;
4268
4269 case 3:
4270 /*
49ef3d07
MC		 4271 * Set inconsistent SNI (server side). In this case the connection
4272 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4273 * is associated with each handshake - not the session. Therefore it
4274 * should not matter that we used a different server name last time.
976e5323 4275 */
281bf233
MC		 4276 SSL_SESSION_free(serverpsk);
4277 serverpsk = SSL_SESSION_dup(clientpsk);
4278 if (!TEST_ptr(serverpsk)
4279 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4280 goto end;
976e5323
MC		 4281 /* Fall through */
4282 case 4:
4283 /* Set consistent SNI */
976e5323
MC		 4284 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4285 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4286 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4287 hostname_cb)))
4288 goto end;
4289 break;
4290
4291 case 5:
4292 /*
4293 * Set inconsistent ALPN (server detected). In this case the connection
4294 * will succeed but reject early_data.
4295 */
4296 servalpn = "badalpn";
4297 edstatus = SSL_EARLY_DATA_REJECTED;
4298 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4299 /* Fall through */
4300 case 6:
976e5323 4301 /*
57dee9bb 4302 * Set consistent ALPN.
976e5323
MC		 4303 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4304 * accepts a list of protos (each one length prefixed).
4305 * SSL_set1_alpn_selected accepts a single protocol (not length
4306 * prefixed)
4307 */
57dee9bb
MC		 4308 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4309 GOODALPNLEN - 1))
4310 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4311 GOODALPNLEN)))
976e5323
MC		 4312 goto end;
4313
4314 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4315 break;
4316
57dee9bb
MC		 4317 case 7:
4318 /* Set inconsistent ALPN (late client detection) */
4319 SSL_SESSION_free(serverpsk);
4320 serverpsk = SSL_SESSION_dup(clientpsk);
4321 if (!TEST_ptr(serverpsk)
4322 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4323 BADALPN + 1,
4324 BADALPNLEN - 1))
4325 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4326 GOODALPN + 1,
4327 GOODALPNLEN - 1))
4328 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4329 sizeof(alpnlist))))
4330 goto end;
4331 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4332 edstatus = SSL_EARLY_DATA_ACCEPTED;
4333 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4334 /* SSL_connect() call should fail */
4335 connectres = -1;
4336 break;
4337
976e5323
MC		 4338 default:
4339 TEST_error("Bad test index");
4340 goto end;
4341 }
4342
4343 SSL_set_connect_state(clientssl);
4344 if (err != 0) {
4345 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4346 &written))
4347 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4348 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4349 goto end;
4350 } else {
4351 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4352 &written)))
4353 goto end;
4354
4355 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4356 &readbytes), readearlyres)
976e5323
MC		 4357 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4358 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4359 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4360 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4361 goto end;
4362 }
4363
4364 testresult = 1;
4365
4366 end:
c20e3b28 4367 SSL_SESSION_free(sess);
57dee9bb
MC		 4368 SSL_SESSION_free(clientpsk);
4369 SSL_SESSION_free(serverpsk);
4370 clientpsk = serverpsk = NULL;
976e5323
MC		 4371 SSL_free(serverssl);
4372 SSL_free(clientssl);
4373 SSL_CTX_free(sctx);
4374 SSL_CTX_free(cctx);
4375 return testresult;
4376}
4377
0b2b0be9 4378/*
4379 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4380 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4381 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4382 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4383 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4384 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4385 */
4386static int test_early_data_psk_with_all_ciphers(int idx)
4387{
4388 SSL_CTX *cctx = NULL, *sctx = NULL;
4389 SSL *clientssl = NULL, *serverssl = NULL;
4390 int testresult = 0;
4391 SSL_SESSION *sess = NULL;
4392 unsigned char buf[20];
4393 size_t readbytes, written;
4394 const SSL_CIPHER *cipher;
4395 const char *cipher_str[] = {
4396 TLS1_3_RFC_AES_128_GCM_SHA256,
4397 TLS1_3_RFC_AES_256_GCM_SHA384,
4398# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4399 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4400# else
4401 NULL,
4402# endif
4403 TLS1_3_RFC_AES_128_CCM_SHA256,
4404 TLS1_3_RFC_AES_128_CCM_8_SHA256
4405 };
4406 const unsigned char *cipher_bytes[] = {
4407 TLS13_AES_128_GCM_SHA256_BYTES,
4408 TLS13_AES_256_GCM_SHA384_BYTES,
4409# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4410 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4411# else
4412 NULL,
4413# endif
4414 TLS13_AES_128_CCM_SHA256_BYTES,
4415 TLS13_AES_128_CCM_8_SHA256_BYTES
4416 };
4417
4418 if (cipher_str[idx] == NULL)
4419 return 1;
4420 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4421 if (idx == 2 && is_fips == 1)
4422 return 1;
4423
4424 /* We always set this up with a final parameter of "2" for PSK */
4425 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4426 &serverssl, &sess, 2,
4427 SHA384_DIGEST_LENGTH)))
0b2b0be9 4428 goto end;
4429
e0710222
P		 4430 if (idx == 4) {
4431 /* CCM8 ciphers are considered low security due to their short tag */
4432 SSL_set_security_level(clientssl, 0);
4433 SSL_set_security_level(serverssl, 0);
4434 }
4435
0b2b0be9 4436 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4437 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4438 goto end;
4439
4440 /*
4441 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4442 * and assigns to both client and server with incremented reference
4443 * and the same instance is updated in 'sess'.
4444 * So updating ciphersuite in 'sess' which will get reflected in
4445 * PSK handshake using psk use sess and find sess cb.
4446 */
4447 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4448 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4449 goto end;
4450
4451 SSL_set_connect_state(clientssl);
4452 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4453 &written)))
4454 goto end;
4455
4456 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4457 &readbytes),
4458 SSL_READ_EARLY_DATA_SUCCESS)
4459 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4460 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4461 SSL_EARLY_DATA_ACCEPTED)
4462 || !TEST_int_eq(SSL_connect(clientssl), 1)
4463 || !TEST_int_eq(SSL_accept(serverssl), 1))
4464 goto end;
4465
4466 /* Send some normal data from client to server */
4467 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4468 || !TEST_size_t_eq(written, strlen(MSG2)))
4469 goto end;
4470
4471 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4472 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4473 goto end;
4474
4475 testresult = 1;
4476 end:
4477 SSL_SESSION_free(sess);
4478 SSL_SESSION_free(clientpsk);
4479 SSL_SESSION_free(serverpsk);
4480 clientpsk = serverpsk = NULL;
4481 if (clientssl != NULL)
4482 SSL_shutdown(clientssl);
4483 if (serverssl != NULL)
4484 SSL_shutdown(serverssl);
4485 SSL_free(serverssl);
4486 SSL_free(clientssl);
4487 SSL_CTX_free(sctx);
4488 SSL_CTX_free(cctx);
4489 return testresult;
4490}
4491
710756a9
RS		 4492/*
4493 * Test that a server that doesn't try to read early data can handle a
4494 * client sending some.
4495 */
3cb47b4e 4496static int test_early_data_not_expected(int idx)
5f982038
MC		 4497{
4498 SSL_CTX *cctx = NULL, *sctx = NULL;
4499 SSL *clientssl = NULL, *serverssl = NULL;
4500 int testresult = 0;
018fcbec 4501 SSL_SESSION *sess = NULL;
5f982038
MC		 4502 unsigned char buf[20];
4503 size_t readbytes, written;
4504
710756a9 4505 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4506 &serverssl, &sess, idx,
4507 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4508 goto end;
4509
4510 /* Write some early data */
710756a9
RS		 4511 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4512 &written)))
5f982038 4513 goto end;
5f982038
MC		 4514
4515 /*
4516 * Server should skip over early data and then block waiting for client to
4517 * continue handshake
4518 */
710756a9
RS		 4519 if (!TEST_int_le(SSL_accept(serverssl), 0)
4520 || !TEST_int_gt(SSL_connect(clientssl), 0)
4521 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4522 SSL_EARLY_DATA_REJECTED)
4523 || !TEST_int_gt(SSL_accept(serverssl), 0)
4524 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4525 SSL_EARLY_DATA_REJECTED))
5f982038 4526 goto end;
5f982038
MC		 4527
4528 /* Send some normal data from client to server */
710756a9
RS		 4529 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4530 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4531 goto end;
5f982038 4532
710756a9
RS		 4533 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4534 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4535 goto end;
5f982038
MC		 4536
4537 testresult = 1;
4538
4539 end:
5f982038 4540 SSL_SESSION_free(sess);
c20e3b28 4541 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4542 SSL_SESSION_free(serverpsk);
4543 clientpsk = serverpsk = NULL;
5f982038
MC		 4544 SSL_free(serverssl);
4545 SSL_free(clientssl);
4546 SSL_CTX_free(sctx);
4547 SSL_CTX_free(cctx);
5f982038
MC		 4548 return testresult;
4549}
4550
4551
4552# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4553/*
4554 * Test that a server attempting to read early data can handle a connection
4555 * from a TLSv1.2 client.
4556 */
3cb47b4e 4557static int test_early_data_tls1_2(int idx)
5f982038
MC		 4558{
4559 SSL_CTX *cctx = NULL, *sctx = NULL;
4560 SSL *clientssl = NULL, *serverssl = NULL;
4561 int testresult = 0;
4562 unsigned char buf[20];
4563 size_t readbytes, written;
4564
02a3ed5a 4565 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4566 &serverssl, NULL, idx,
4567 SHA384_DIGEST_LENGTH)))
5f982038 4568 goto end;
5f982038
MC		 4569
4570 /* Write some data - should block due to handshake with server */
4571 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4572 SSL_set_connect_state(clientssl);
710756a9 4573 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4574 goto end;
5f982038
MC		 4575
4576 /*
4577 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4578 * messages from client after ServerDone. Then SSL_read_early_data should
4579 * finish and detect that early data has not been sent
5f982038 4580 */
710756a9
RS		 4581 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4582 &readbytes),
4583 SSL_READ_EARLY_DATA_ERROR))
5f982038 4584 goto end;
5f982038
MC		 4585
4586 /*
4587 * Continue writing the message we started earlier. Will still block waiting
4588 * for the CCS/Finished from server
4589 */
710756a9
RS		 4590 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4591 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4592 &readbytes),
4593 SSL_READ_EARLY_DATA_FINISH)
4594 || !TEST_size_t_eq(readbytes, 0)
4595 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4596 SSL_EARLY_DATA_NOT_SENT))
5f982038 4597 goto end;
5f982038
MC		 4598
4599 /* Continue writing the message we started earlier */
710756a9
RS		 4600 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4601 || !TEST_size_t_eq(written, strlen(MSG1))
4602 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4603 SSL_EARLY_DATA_NOT_SENT)
4604 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4605 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4606 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4607 || !TEST_size_t_eq(written, strlen(MSG2))
4608 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4609 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4610 goto end;
5f982038
MC		 4611
4612 testresult = 1;
4613
4614 end:
57dee9bb
MC		 4615 SSL_SESSION_free(clientpsk);
4616 SSL_SESSION_free(serverpsk);
4617 clientpsk = serverpsk = NULL;
5f982038
MC		 4618 SSL_free(serverssl);
4619 SSL_free(clientssl);
4620 SSL_CTX_free(sctx);
4621 SSL_CTX_free(cctx);
4622
4623 return testresult;
4624}
ca0413ae
MC		 4625# endif /* OPENSSL_NO_TLS1_2 */
4626
034cb87b
MC		 4627/*
4628 * Test configuring the TLSv1.3 ciphersuites
4629 *
4630 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4631 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4632 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4633 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4634 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4635 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4636 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4637 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4638 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4639 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4640 */
4641static int test_set_ciphersuite(int idx)
4642{
4643 SSL_CTX *cctx = NULL, *sctx = NULL;
4644 SSL *clientssl = NULL, *serverssl = NULL;
4645 int testresult = 0;
4646
5e30f2fd
MC		 4647 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4648 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4649 &sctx, &cctx, cert, privkey))
4650 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4651 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4652 goto end;
4653
4654 if (idx >=4 && idx <= 7) {
4655 /* SSL_CTX explicit cipher list */
4656 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4657 goto end;
4658 }
4659
4660 if (idx == 0 || idx == 4) {
4661 /* Default ciphersuite */
4662 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4663 "TLS_AES_128_GCM_SHA256")))
4664 goto end;
4665 } else if (idx == 1 || idx == 5) {
4666 /* Non default ciphersuite */
4667 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4668 "TLS_AES_128_CCM_SHA256")))
4669 goto end;
4670 }
4671
4672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4673 &clientssl, NULL, NULL)))
4674 goto end;
4675
4676 if (idx == 8 || idx == 9) {
4677 /* SSL explicit cipher list */
4678 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4679 goto end;
4680 }
4681
4682 if (idx == 2 || idx == 6 || idx == 8) {
4683 /* Default ciphersuite */
4684 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4685 "TLS_AES_128_GCM_SHA256")))
4686 goto end;
4687 } else if (idx == 3 || idx == 7 || idx == 9) {
4688 /* Non default ciphersuite */
4689 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4690 "TLS_AES_128_CCM_SHA256")))
4691 goto end;
4692 }
4693
4694 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4695 goto end;
4696
4697 testresult = 1;
4698
4699 end:
4700 SSL_free(serverssl);
4701 SSL_free(clientssl);
4702 SSL_CTX_free(sctx);
4703 SSL_CTX_free(cctx);
4704
4705 return testresult;
4706}
4707
ca0413ae
MC		 4708static int test_ciphersuite_change(void)
4709{
4710 SSL_CTX *cctx = NULL, *sctx = NULL;
4711 SSL *clientssl = NULL, *serverssl = NULL;
4712 SSL_SESSION *clntsess = NULL;
4713 int testresult = 0;
4714 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4715
4716 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4717 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4718 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4719 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4720 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4721 "TLS_AES_128_GCM_SHA256:"
4722 "TLS_AES_256_GCM_SHA384:"
4723 "TLS_AES_128_CCM_SHA256"))
f865b081 4724 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4725 "TLS_AES_128_GCM_SHA256")))
4726 goto end;
4727
4728 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4729 NULL, NULL))
ca0413ae
MC		 4730 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4731 SSL_ERROR_NONE)))
4732 goto end;
4733
4734 clntsess = SSL_get1_session(clientssl);
4735 /* Save for later */
4736 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4737 SSL_shutdown(clientssl);
4738 SSL_shutdown(serverssl);
4739 SSL_free(serverssl);
4740 SSL_free(clientssl);
4741 serverssl = clientssl = NULL;
4742
4743 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4744 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4745 "TLS_AES_128_CCM_SHA256"))
4746 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4747 &clientssl, NULL, NULL))
ca0413ae
MC		 4748 || !TEST_true(SSL_set_session(clientssl, clntsess))
4749 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4750 SSL_ERROR_NONE))
4751 || !TEST_true(SSL_session_reused(clientssl)))
4752 goto end;
4753
4754 SSL_SESSION_free(clntsess);
4755 clntsess = SSL_get1_session(clientssl);
4756 SSL_shutdown(clientssl);
4757 SSL_shutdown(serverssl);
4758 SSL_free(serverssl);
4759 SSL_free(clientssl);
4760 serverssl = clientssl = NULL;
4761
4762 /*
4763 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4764 * succeeds but does not resume.
ca0413ae 4765 */
f865b081 4766 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4767 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4768 NULL, NULL))
4769 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4770 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4771 SSL_ERROR_SSL))
0de6d66d 4772 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4773 goto end;
4774
4775 SSL_SESSION_free(clntsess);
4776 clntsess = NULL;
4777 SSL_shutdown(clientssl);
4778 SSL_shutdown(serverssl);
4779 SSL_free(serverssl);
4780 SSL_free(clientssl);
4781 serverssl = clientssl = NULL;
4782
4783 /* Create a session based on SHA384 */
f865b081 4784 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4785 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4786 &clientssl, NULL, NULL))
4787 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4788 SSL_ERROR_NONE)))
4789 goto end;
4790
4791 clntsess = SSL_get1_session(clientssl);
4792 SSL_shutdown(clientssl);
4793 SSL_shutdown(serverssl);
4794 SSL_free(serverssl);
4795 SSL_free(clientssl);
4796 serverssl = clientssl = NULL;
4797
f865b081
MC		 4798 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4799 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4800 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4801 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4802 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4803 NULL, NULL))
4804 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4805 /*
4806 * We use SSL_ERROR_WANT_READ below so that we can pause the
4807 * connection after the initial ClientHello has been sent to
4808 * enable us to make some session changes.
4809 */
ca0413ae
MC		 4810 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4811 SSL_ERROR_WANT_READ)))
4812 goto end;
4813
4814 /* Trick the client into thinking this session is for a different digest */
4815 clntsess->cipher = aes_128_gcm_sha256;
4816 clntsess->cipher_id = clntsess->cipher->id;
4817
4818 /*
3b0e88d3
MC		 4819 * Continue the previously started connection. Server has selected a SHA-384
4820 * ciphersuite, but client thinks the session is for SHA-256, so it should
4821 * bail out.
ca0413ae
MC		 4822 */
4823 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4824 SSL_ERROR_SSL))
4825 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4826 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4827 goto end;
4828
4829 testresult = 1;
4830
4831 end:
4832 SSL_SESSION_free(clntsess);
4833 SSL_free(serverssl);
4834 SSL_free(clientssl);
4835 SSL_CTX_free(sctx);
4836 SSL_CTX_free(cctx);
4837
4838 return testresult;
4839}
4840
8e63900a 4841/*
5bf2eade 4842 * Test TLSv1.3 Key exchange
4843 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4844 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4845 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4846 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4847 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4848 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4849 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4850 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4851 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4852 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4853 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4854 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4855 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4856 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4857 */
f89d3d69
BK		 4858# ifndef OPENSSL_NO_EC
4859static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4032cd9a
YL		 4860 NID_secp521r1,
4861# ifndef OPENSSL_NO_ECX
4862 NID_X25519, NID_X448
4863# endif
4864 };
f89d3d69
BK		 4865# endif
4866# ifndef OPENSSL_NO_DH
4867static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4868 NID_ffdhe6144, NID_ffdhe8192};
4869# endif
db26ec80 4870static int test_key_exchange(int idx)
8e63900a 4871{
4872 SSL_CTX *sctx = NULL, *cctx = NULL;
4873 SSL *serverssl = NULL, *clientssl = NULL;
4874 int testresult = 0;
fb8c6db4 4875 int kexch_alg;
4876 int *kexch_groups = &kexch_alg;
4877 int kexch_groups_size = 1;
8e63900a 4878 int max_version = TLS1_3_VERSION;
becbacd7 4879 char *kexch_name0 = NULL;
8e63900a 4880
4881 switch (idx) {
5bf2eade 4882# ifndef OPENSSL_NO_EC
db26ec80 4883# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4884 case 12:
fb8c6db4 4885 max_version = TLS1_2_VERSION;
db26ec80 4886# endif
fb8c6db4 4887 /* Fall through */
4888 case 0:
4889 kexch_groups = ecdhe_kexch_groups;
4890 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4891 kexch_name0 = "secp256r1";
fb8c6db4 4892 break;
5bf2eade 4893 case 1:
fb8c6db4 4894 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4895 kexch_name0 = "secp256r1";
fb8c6db4 4896 break;
5bf2eade 4897 case 2:
fb8c6db4 4898 kexch_alg = NID_secp384r1;
becbacd7 4899 kexch_name0 = "secp384r1";
fb8c6db4 4900 break;
5bf2eade 4901 case 3:
fb8c6db4 4902 kexch_alg = NID_secp521r1;
becbacd7 4903 kexch_name0 = "secp521r1";
fb8c6db4 4904 break;
4032cd9a 4905# ifndef OPENSSL_NO_ECX
5bf2eade 4906 case 4:
fb8c6db4 4907 kexch_alg = NID_X25519;
becbacd7 4908 kexch_name0 = "x25519";
fb8c6db4 4909 break;
5bf2eade 4910 case 5:
fb8c6db4 4911 kexch_alg = NID_X448;
becbacd7 4912 kexch_name0 = "x448";
fb8c6db4 4913 break;
4032cd9a 4914# endif
5bf2eade 4915# endif
4916# ifndef OPENSSL_NO_DH
db26ec80 4917# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4918 case 13:
dbc6268f 4919 max_version = TLS1_2_VERSION;
becbacd7 4920 kexch_name0 = "ffdhe2048";
db26ec80 4921# endif
dbc6268f 4922 /* Fall through */
5bf2eade 4923 case 6:
8e63900a 4924 kexch_groups = ffdhe_kexch_groups;
4925 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4926 kexch_name0 = "ffdhe2048";
8e63900a 4927 break;
5bf2eade 4928 case 7:
fb8c6db4 4929 kexch_alg = NID_ffdhe2048;
becbacd7 4930 kexch_name0 = "ffdhe2048";
fb8c6db4 4931 break;
5bf2eade 4932 case 8:
fb8c6db4 4933 kexch_alg = NID_ffdhe3072;
becbacd7 4934 kexch_name0 = "ffdhe3072";
fb8c6db4 4935 break;
5bf2eade 4936 case 9:
fb8c6db4 4937 kexch_alg = NID_ffdhe4096;
becbacd7 4938 kexch_name0 = "ffdhe4096";
fb8c6db4 4939 break;
5bf2eade 4940 case 10:
fb8c6db4 4941 kexch_alg = NID_ffdhe6144;
becbacd7 4942 kexch_name0 = "ffdhe6144";
fb8c6db4 4943 break;
5bf2eade 4944 case 11:
fb8c6db4 4945 kexch_alg = NID_ffdhe8192;
becbacd7 4946 kexch_name0 = "ffdhe8192";
8e63900a 4947 break;
5bf2eade 4948# endif
6597d62b
MC		 4949 default:
4950 /* We're skipping this test */
4951 return 1;
8e63900a 4952 }
4953
5e30f2fd
MC		 4954 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4955 TLS_client_method(), TLS1_VERSION,
4956 max_version, &sctx, &cctx, cert,
4957 privkey)))
8e63900a 4958 goto end;
4959
5bf2eade 4960 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4961 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4962 goto end;
4963
5bf2eade 4964 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4965 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4966 goto end;
4967
5bf2eade 4968 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4969 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4970 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4971 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4972 goto end;
4973
dbc6268f
MC		 4974 /*
4975 * Must include an EC ciphersuite so that we send supported groups in
4976 * TLSv1.2
4977 */
5bf2eade 4978# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4979 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4980 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4981 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4982 goto end;
5bf2eade 4983# endif
8e63900a 4984
4985 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4986 NULL, NULL)))
4987 goto end;
4988
4989 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4990 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4991 goto end;
4992
5bf2eade 4993 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4994 goto end;
8e63900a 4995
dbc6268f 4996 /*
5bf2eade 4997 * If Handshake succeeds the negotiated kexch alg should be the first one in
4998 * configured, except in the case of FFDHE groups (idx 13), which are
4999 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 5000 */
5001 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 5002 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 5003 goto end;
becbacd7
MB		 5004
5005 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5006 kexch_name0))
5007 goto end;
5008
75d48520
BK		 5009 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5010 if (idx != 13) {
68668243
AB		 5011 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5012 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5013 goto end;
fb8c6db4 5014 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5015 goto end;
5016 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5017 goto end;
5018 }
8e63900a 5019
5020 testresult = 1;
5021 end:
5022 SSL_free(serverssl);
5023 SSL_free(clientssl);
5024 SSL_CTX_free(sctx);
5025 SSL_CTX_free(cctx);
5026 return testresult;
5027}
5028
c9cddf05
P		 5029# if !defined(OPENSSL_NO_TLS1_2) \
5030 && !defined(OPENSSL_NO_EC) \
5031 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 5032static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5033 int isecdhe, int idx)
5034{
5035 int kexch_alg;
5036 int *kexch_groups = &kexch_alg;
5037 int numec, numff;
5038
5039 numec = OSSL_NELEM(ecdhe_kexch_groups);
5040 numff = OSSL_NELEM(ffdhe_kexch_groups);
5041 if (isecdhe)
5042 kexch_alg = ecdhe_kexch_groups[idx];
5043 else
5044 kexch_alg = ffdhe_kexch_groups[idx];
5045
5046 if (clientmulti) {
5047 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5048 return 0;
5049 if (isecdhe) {
5050 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5051 numec)))
5052 return 0;
5053 } else {
5054 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5055 numff)))
5056 return 0;
5057 }
5058 } else {
5059 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5060 return 0;
5061 if (isecdhe) {
5062 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5063 numec)))
5064 return 0;
5065 } else {
5066 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5067 numff)))
5068 return 0;
5069 }
5070 }
5071 return 1;
5072}
5073
5074/*-
5075 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5076 * Run through both the ECDHE and FFDHE group lists used in the previous
5077 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5078 * confirming the expected result; then perform a resumption handshake
5079 * while offering the same group list, and another resumption handshake
5080 * offering a different group list. The returned value should be the
5081 * negotiated group for the initial handshake; for TLS 1.3 resumption
5082 * handshakes the returned value will be negotiated on the resumption
5083 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5084 * be cached in the session from the original handshake, regardless of what
5085 * was offered in the resumption ClientHello.
5086 *
5087 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 5088 * E tests of ECDHE with TLS 1.3, server only has one group
5089 * F tests of FFDHE with TLS 1.3, server only has one group
5090 * E tests of ECDHE with TLS 1.2, server only has one group
5091 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 5092 * E tests of ECDHE with TLS 1.3, client sends only one group
5093 * F tests of FFDHE with TLS 1.3, client sends only one group
5094 * E tests of ECDHE with TLS 1.2, client sends only one group
5095 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 5096 */
5097static int test_negotiated_group(int idx)
5098{
5099 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5100 int expectednid;
5101 SSL_CTX *sctx = NULL, *cctx = NULL;
5102 SSL *serverssl = NULL, *clientssl = NULL;
5103 SSL_SESSION *origsess = NULL;
5104 int testresult = 0;
5105 int kexch_alg;
5106 int max_version = TLS1_3_VERSION;
5107
5108 numec = OSSL_NELEM(ecdhe_kexch_groups);
5109 numff = OSSL_NELEM(ffdhe_kexch_groups);
5110 numgroups = numec + numff;
5111 clientmulti = (idx < 2 * numgroups);
5112 idx = idx % (2 * numgroups);
5113 istls13 = (idx < numgroups);
5114 idx = idx % numgroups;
5115 isecdhe = (idx < numec);
5116 if (!isecdhe)
5117 idx -= numec;
5118 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5119 if (isecdhe)
5120 kexch_alg = ecdhe_kexch_groups[idx];
5121 else
5122 kexch_alg = ffdhe_kexch_groups[idx];
5123 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5124 if (!istls13 && !isecdhe)
5125 expectednid = NID_undef;
5126 else
5127 expectednid = kexch_alg;
5128
5129 if (!istls13)
5130 max_version = TLS1_2_VERSION;
5131
5132 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5133 TLS_client_method(), TLS1_VERSION,
5134 max_version, &sctx, &cctx, cert,
5135 privkey)))
5136 goto end;
5137
5138 /*
5139 * Force (EC)DHE ciphers for TLS 1.2.
5140 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5141 */
5142 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5143 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5144 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5145 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5146 goto end;
5147 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5148 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5149 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5150 goto end;
5151
5152 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5153 NULL, NULL)))
5154 goto end;
5155
5156 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5157 idx)))
5158 goto end;
5159
5160 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5161 goto end;
5162
5163 /* Initial handshake; always the configured one */
5164 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5165 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5166 goto end;
5167
5168 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5169 goto end;
5170
5171 SSL_shutdown(clientssl);
5172 SSL_shutdown(serverssl);
5173 SSL_free(serverssl);
5174 SSL_free(clientssl);
5175 serverssl = clientssl = NULL;
5176
5177 /* First resumption attempt; use the same config as initial handshake */
5178 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5179 NULL, NULL))
5180 || !TEST_true(SSL_set_session(clientssl, origsess))
5181 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5182 isecdhe, idx)))
5183 goto end;
5184
5185 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5186 || !TEST_true(SSL_session_reused(clientssl)))
5187 goto end;
5188
5189 /* Still had better agree, since nothing changed... */
5190 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5191 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5192 goto end;
5193
5194 SSL_shutdown(clientssl);
5195 SSL_shutdown(serverssl);
5196 SSL_free(serverssl);
5197 SSL_free(clientssl);
5198 serverssl = clientssl = NULL;
5199
5200 /*-
5201 * Second resumption attempt
5202 * The party that picks one group changes it, which we effectuate by
5203 * changing 'idx' and updating what we expect.
5204 */
5205 if (idx == 0)
5206 idx = 1;
5207 else
5208 idx--;
5209 if (istls13) {
5210 if (isecdhe)
5211 expectednid = ecdhe_kexch_groups[idx];
5212 else
5213 expectednid = ffdhe_kexch_groups[idx];
5214 /* Verify that we are changing what we expect. */
5215 if (!TEST_int_ne(expectednid, kexch_alg))
5216 goto end;
5217 } else {
5218 /* TLS 1.2 only supports named groups for ECDHE. */
5219 if (isecdhe)
5220 expectednid = kexch_alg;
5221 else
5222 expectednid = 0;
5223 }
5224 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5225 NULL, NULL))
5226 || !TEST_true(SSL_set_session(clientssl, origsess))
5227 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5228 isecdhe, idx)))
5229 goto end;
5230
5231 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5232 || !TEST_true(SSL_session_reused(clientssl)))
5233 goto end;
5234
5235 /* Check that we get what we expected */
5236 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5237 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5238 goto end;
5239
5240 testresult = 1;
5241 end:
5242 SSL_free(serverssl);
5243 SSL_free(clientssl);
5244 SSL_CTX_free(sctx);
5245 SSL_CTX_free(cctx);
5246 SSL_SESSION_free(origsess);
5247 return testresult;
5248}
5249# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5250
5bf2eade 5251/*
5252 * Test TLSv1.3 Cipher Suite
5253 * Test 0 = Set TLS1.3 cipher on context
5254 * Test 1 = Set TLS1.3 cipher on SSL
5255 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5256 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5257 */
5258static int test_tls13_ciphersuite(int idx)
5259{
5260 SSL_CTX *sctx = NULL, *cctx = NULL;
5261 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5262 static const struct {
5263 const char *ciphername;
5264 int fipscapable;
e0710222 5265 int low_security;
4f6c7044 5266 } t13_ciphers[] = {
e0710222
P		 5267 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5268 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5269 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5270# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5271 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5272 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5273 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5274# endif
e0710222
P		 5275 /* CCM8 ciphers are considered low security due to their short tag */
5276 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5277 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5278 };
5279 const char *t13_cipher = NULL;
5280 const char *t12_cipher = NULL;
5281 const char *negotiated_scipher;
5282 const char *negotiated_ccipher;
5283 int set_at_ctx = 0;
5284 int set_at_ssl = 0;
5285 int testresult = 0;
5286 int max_ver;
5287 size_t i;
5288
5289 switch (idx) {
5290 case 0:
5291 set_at_ctx = 1;
5292 break;
5293 case 1:
5294 set_at_ssl = 1;
5295 break;
5296 case 2:
5297 set_at_ctx = 1;
2d900758 5298 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5299 break;
5300 case 3:
5301 set_at_ssl = 1;
2d900758 5302 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5303 break;
5304 }
5305
5306 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5307# ifdef OPENSSL_NO_TLS1_2
5308 if (max_ver == TLS1_2_VERSION)
5309 continue;
5310# endif
5311 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5312 if (is_fips && !t13_ciphers[i].fipscapable)
5313 continue;
5314 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5315 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5316 TLS_client_method(),
5317 TLS1_VERSION, max_ver,
5318 &sctx, &cctx, cert, privkey)))
5319 goto end;
5320
e0710222
P		 5321 if (t13_ciphers[i].low_security) {
5322 SSL_CTX_set_security_level(sctx, 0);
5323 SSL_CTX_set_security_level(cctx, 0);
5324 }
5325
5bf2eade 5326 if (set_at_ctx) {
5327 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5328 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5329 goto end;
5330 if (t12_cipher != NULL) {
5331 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5332 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5333 t12_cipher)))
5334 goto end;
5335 }
5336 }
5337
5338 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5339 &clientssl, NULL, NULL)))
5340 goto end;
5341
5342 if (set_at_ssl) {
5343 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5344 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5345 goto end;
5346 if (t12_cipher != NULL) {
5347 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5348 || !TEST_true(SSL_set_cipher_list(clientssl,
5349 t12_cipher)))
5350 goto end;
5351 }
5352 }
5353
5354 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5355 SSL_ERROR_NONE)))
5356 goto end;
5357
5358 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5359 serverssl));
5360 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5361 clientssl));
5362 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5363 goto end;
5364
5365 /*
5366 * TEST_strn_eq is used below because t13_cipher can contain
5367 * multiple ciphersuites
5368 */
5369 if (max_ver == TLS1_3_VERSION
5370 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5371 strlen(negotiated_scipher)))
5372 goto end;
5373
5374# ifndef OPENSSL_NO_TLS1_2
5375 /* Below validation is not done when t12_cipher is NULL */
5376 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5377 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5378 goto end;
5379# endif
5380
5381 SSL_free(serverssl);
5382 serverssl = NULL;
5383 SSL_free(clientssl);
5384 clientssl = NULL;
5385 SSL_CTX_free(sctx);
5386 sctx = NULL;
5387 SSL_CTX_free(cctx);
5388 cctx = NULL;
5389 }
5390 }
5391
5392 testresult = 1;
5393 end:
5394 SSL_free(serverssl);
5395 SSL_free(clientssl);
5396 SSL_CTX_free(sctx);
5397 SSL_CTX_free(cctx);
5398 return testresult;
5399}
5400
0d8da779
MC		 5401/*
5402 * Test TLSv1.3 PSKs
5403 * Test 0 = Test new style callbacks
5404 * Test 1 = Test both new and old style callbacks
5405 * Test 2 = Test old style callbacks
5406 * Test 3 = Test old style callbacks with no certificate
5407 */
532f9578 5408static int test_tls13_psk(int idx)
ca8c71ba
MC		 5409{
5410 SSL_CTX *sctx = NULL, *cctx = NULL;
5411 SSL *serverssl = NULL, *clientssl = NULL;
5412 const SSL_CIPHER *cipher = NULL;
5413 const unsigned char key[] = {
5414 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5415 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5416 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5417 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5418 };
5419 int testresult = 0;
5420
5e30f2fd
MC		 5421 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5422 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5423 &sctx, &cctx, idx == 3 ? NULL : cert,
5424 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5425 goto end;
5426
0d8da779
MC		 5427 if (idx != 3) {
5428 /*
5429 * We use a ciphersuite with SHA256 to ease testing old style PSK
5430 * callbacks which will always default to SHA256. This should not be
5431 * necessary if we have no cert/priv key. In that case the server should
5432 * prefer SHA256 automatically.
5433 */
5434 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5435 "TLS_AES_128_GCM_SHA256")))
5436 goto end;
4f6c7044
MC		 5437 } else {
5438 /*
5439 * As noted above the server should prefer SHA256 automatically. However
5440 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5441 * code works even if we are testing with only the FIPS provider loaded.
5442 */
5443 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5444 "TLS_AES_256_GCM_SHA384:"
5445 "TLS_AES_128_GCM_SHA256")))
5446 goto end;
0d8da779 5447 }
532f9578
MC		 5448
5449 /*
5450 * Test 0: New style callbacks only
5451 * Test 1: New and old style callbacks (only the new ones should be used)
5452 * Test 2: Old style callbacks only
5453 */
5454 if (idx == 0 || idx == 1) {
5455 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5456 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5457 }
c2b290c3 5458#ifndef OPENSSL_NO_PSK
0d8da779 5459 if (idx >= 1) {
532f9578
MC		 5460 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5461 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5462 }
c2b290c3 5463#endif
ca8c71ba 5464 srvid = pskid;
02a3ed5a
MC		 5465 use_session_cb_cnt = 0;
5466 find_session_cb_cnt = 0;
532f9578
MC		 5467 psk_client_cb_cnt = 0;
5468 psk_server_cb_cnt = 0;
ca8c71ba 5469
0d8da779
MC		 5470 if (idx != 3) {
5471 /*
5472 * Check we can create a connection if callback decides not to send a
5473 * PSK
5474 */
5475 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5476 NULL, NULL))
5477 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5478 SSL_ERROR_NONE))
5479 || !TEST_false(SSL_session_reused(clientssl))
5480 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5481 goto end;
532f9578 5482
0d8da779
MC		 5483 if (idx == 0 || idx == 1) {
5484 if (!TEST_true(use_session_cb_cnt == 1)
5485 || !TEST_true(find_session_cb_cnt == 0)
5486 /*
5487 * If no old style callback then below should be 0
5488 * otherwise 1
5489 */
5490 || !TEST_true(psk_client_cb_cnt == idx)
5491 || !TEST_true(psk_server_cb_cnt == 0))
5492 goto end;
5493 } else {
5494 if (!TEST_true(use_session_cb_cnt == 0)
5495 || !TEST_true(find_session_cb_cnt == 0)
5496 || !TEST_true(psk_client_cb_cnt == 1)
5497 || !TEST_true(psk_server_cb_cnt == 0))
5498 goto end;
5499 }
5500
5501 shutdown_ssl_connection(serverssl, clientssl);
5502 serverssl = clientssl = NULL;
5503 use_session_cb_cnt = psk_client_cb_cnt = 0;
5504 }
ca8c71ba
MC		 5505
5506 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5507 NULL, NULL)))
5508 goto end;
5509
5510 /* Create the PSK */
532f9578 5511 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5512 clientpsk = SSL_SESSION_new();
5513 if (!TEST_ptr(clientpsk)
ca8c71ba 5514 || !TEST_ptr(cipher)
57dee9bb
MC		 5515 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5516 sizeof(key)))
5517 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5518 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5519 TLS1_3_VERSION))
5520 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5521 goto end;
57dee9bb 5522 serverpsk = clientpsk;
ca8c71ba
MC		 5523
5524 /* Check we can create a connection and the PSK is used */
5525 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5526 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5527 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5528 goto end;
5529
532f9578
MC		 5530 if (idx == 0 || idx == 1) {
5531 if (!TEST_true(use_session_cb_cnt == 1)
5532 || !TEST_true(find_session_cb_cnt == 1)
5533 || !TEST_true(psk_client_cb_cnt == 0)
5534 || !TEST_true(psk_server_cb_cnt == 0))
5535 goto end;
5536 } else {
5537 if (!TEST_true(use_session_cb_cnt == 0)
5538 || !TEST_true(find_session_cb_cnt == 0)
5539 || !TEST_true(psk_client_cb_cnt == 1)
5540 || !TEST_true(psk_server_cb_cnt == 1))
5541 goto end;
5542 }
5543
ca8c71ba
MC		 5544 shutdown_ssl_connection(serverssl, clientssl);
5545 serverssl = clientssl = NULL;
5546 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5547 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5548
5549 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5550 NULL, NULL)))
5551 goto end;
5552
5553 /* Force an HRR */
dbc6268f
MC		 5554#if defined(OPENSSL_NO_EC)
5555 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5556 goto end;
5557#else
4032cd9a 5558 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
ca8c71ba 5559 goto end;
dbc6268f 5560#endif
ca8c71ba
MC		 5561
5562 /*
5563 * Check we can create a connection, the PSK is used and the callbacks are
5564 * called twice.
5565 */
5566 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5567 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5568 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5569 goto end;
5570
532f9578
MC		 5571 if (idx == 0 || idx == 1) {
5572 if (!TEST_true(use_session_cb_cnt == 2)
5573 || !TEST_true(find_session_cb_cnt == 2)
5574 || !TEST_true(psk_client_cb_cnt == 0)
5575 || !TEST_true(psk_server_cb_cnt == 0))
5576 goto end;
5577 } else {
5578 if (!TEST_true(use_session_cb_cnt == 0)
5579 || !TEST_true(find_session_cb_cnt == 0)
5580 || !TEST_true(psk_client_cb_cnt == 2)
5581 || !TEST_true(psk_server_cb_cnt == 2))
5582 goto end;
5583 }
5584
ca8c71ba
MC		 5585 shutdown_ssl_connection(serverssl, clientssl);
5586 serverssl = clientssl = NULL;
5587 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5588 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5589
0d8da779
MC		 5590 if (idx != 3) {
5591 /*
5592 * Check that if the server rejects the PSK we can still connect, but with
5593 * a full handshake
5594 */
5595 srvid = "Dummy Identity";
5596 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5597 NULL, NULL))
5598 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5599 SSL_ERROR_NONE))
5600 || !TEST_false(SSL_session_reused(clientssl))
5601 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5602 goto end;
532f9578 5603
0d8da779
MC		 5604 if (idx == 0 || idx == 1) {
5605 if (!TEST_true(use_session_cb_cnt == 1)
5606 || !TEST_true(find_session_cb_cnt == 1)
5607 || !TEST_true(psk_client_cb_cnt == 0)
5608 /*
5609 * If no old style callback then below should be 0
5610 * otherwise 1
5611 */
5612 || !TEST_true(psk_server_cb_cnt == idx))
5613 goto end;
5614 } else {
5615 if (!TEST_true(use_session_cb_cnt == 0)
5616 || !TEST_true(find_session_cb_cnt == 0)
5617 || !TEST_true(psk_client_cb_cnt == 1)
5618 || !TEST_true(psk_server_cb_cnt == 1))
5619 goto end;
5620 }
5621
5622 shutdown_ssl_connection(serverssl, clientssl);
5623 serverssl = clientssl = NULL;
5624 }
ca8c71ba
MC		 5625 testresult = 1;
5626
5627 end:
57dee9bb
MC		 5628 SSL_SESSION_free(clientpsk);
5629 SSL_SESSION_free(serverpsk);
5630 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5631 SSL_free(serverssl);
5632 SSL_free(clientssl);
5633 SSL_CTX_free(sctx);
5634 SSL_CTX_free(cctx);
5635 return testresult;
5636}
5637
71583393
MM		 5638#ifndef OSSL_NO_USABLE_TLS1_3
5639/*
5640 * Test TLS1.3 connection establishment succeeds with various configurations of
5641 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
164a541b 5642 * The verification of whether the right KEX mode is chosen is not covered by
71583393
MM		 5643 * this test but by `test_tls13kexmodes`.
5644 *
5645 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5646 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5647 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5648 */
5649static int test_tls13_no_dhe_kex(const int idx)
5650{
5651 SSL_CTX *sctx = NULL, *cctx = NULL;
5652 SSL *serverssl = NULL, *clientssl = NULL;
5653 int testresult = 0;
5654 size_t j;
5655 SSL_SESSION *saved_session;
5656
5657 int server_allow_no_dhe = (idx & 1) != 0;
5658 int server_prefer_no_dhe = (idx & 2) != 0;
5659 int client_allow_no_dhe = (idx & 4) != 0;
5660
5661 uint64_t server_options = 0
5662 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5663 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5664
5665 uint64_t client_options = 0
5666 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5667
5668 new_called = 0;
5669 do_cache = 1;
5670
5671 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5672 TLS_client_method(), TLS1_3_VERSION, 0,
5673 &sctx, &cctx, cert, privkey)))
5674 goto end;
5675
5676 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5677 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5678
5679 SSL_CTX_set_options(sctx, server_options);
5680 SSL_CTX_set_options(cctx, client_options);
5681
5682 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5683
5684 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5685 &clientssl, NULL, NULL)))
5686 goto end;
5687
5688 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5689 SSL_ERROR_NONE))
5690 /* Check we got the number of tickets we were expecting */
5691 || !TEST_int_eq(2, new_called))
5692 goto end;
5693
5694 /* We'll reuse the last ticket. */
5695 saved_session = sesscache[new_called - 1];
5696
5697 SSL_shutdown(clientssl);
5698 SSL_shutdown(serverssl);
5699 SSL_free(serverssl);
5700 SSL_free(clientssl);
5701 SSL_CTX_free(cctx);
5702 clientssl = serverssl = NULL;
5703 cctx = NULL;
5704
5705 /*
5706 * Now we resume with the last ticket we created.
5707 */
5708
5709 /* The server context already exists, so we only create the client. */
5710 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5711 TLS_client_method(), TLS1_3_VERSION, 0,
5712 NULL, &cctx, cert, privkey)))
5713 goto end;
5714
5715 SSL_CTX_set_options(cctx, client_options);
5716
5717 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5718 &clientssl, NULL, NULL))
5719 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5720 goto end;
5721
5722 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5723 SSL_ERROR_NONE)))
5724 goto end;
5725
5726 /*
5727 * Make sure, the session was resumed.
5728 */
5729 if (!TEST_true(SSL_session_reused(clientssl)))
5730 goto end;
5731
5732 SSL_shutdown(clientssl);
5733 SSL_shutdown(serverssl);
5734
5735 testresult = 1;
5736
5737 end:
5738 SSL_free(serverssl);
5739 SSL_free(clientssl);
5740 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5741 SSL_SESSION_free(sesscache[j]);
5742 sesscache[j] = NULL;
5743 }
5744 SSL_CTX_free(sctx);
5745 SSL_CTX_free(cctx);
5746
5747 return testresult;
5748}
5749#endif /* OSSL_NO_USABLE_TLS1_3 */
5750
c7b8ff25
MC		 5751static unsigned char cookie_magic_value[] = "cookie magic";
5752
5753static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5754 unsigned int *cookie_len)
5755{
5756 /*
5757 * Not suitable as a real cookie generation function but good enough for
5758 * testing!
5759 */
97ea1e7f
MC		 5760 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5761 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5762
5763 return 1;
5764}
5765
5766static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5767 unsigned int cookie_len)
5768{
97ea1e7f 5769 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5770 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5771 return 1;
5772
5773 return 0;
5774}
5775
3fa2812f
BS		 5776static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5777 size_t *cookie_len)
5778{
5779 unsigned int temp;
5780 int res = generate_cookie_callback(ssl, cookie, &temp);
5781 *cookie_len = temp;
5782 return res;
5783}
5784
5785static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5786 size_t cookie_len)
5787{
5788 return verify_cookie_callback(ssl, cookie, cookie_len);
5789}
5790
c7b8ff25
MC		 5791static int test_stateless(void)
5792{
5793 SSL_CTX *sctx = NULL, *cctx = NULL;
5794 SSL *serverssl = NULL, *clientssl = NULL;
5795 int testresult = 0;
5796
5e30f2fd
MC		 5797 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5798 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5799 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5800 goto end;
5801
e440f513
MC		 5802 /* The arrival of CCS messages can confuse the test */
5803 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5804
5805 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5806 NULL, NULL))
5807 /* Send the first ClientHello */
5808 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5809 SSL_ERROR_WANT_READ))
5810 /*
5811 * This should fail with a -1 return because we have no callbacks
5812 * set up
5813 */
5814 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5815 goto end;
5816
5817 /* Fatal error so abandon the connection from this client */
5818 SSL_free(clientssl);
5819 clientssl = NULL;
5820
c7b8ff25 5821 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5822 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5823 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5824
e440f513
MC		 5825 /*
5826 * Create a new connection from the client (we can reuse the server SSL
5827 * object).
5828 */
c7b8ff25
MC		 5829 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5830 NULL, NULL))
5831 /* Send the first ClientHello */
5832 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5833 SSL_ERROR_WANT_READ))
5834 /* This should fail because there is no cookie */
e440f513 5835 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5836 goto end;
5837
5838 /* Abandon the connection from this client */
5839 SSL_free(clientssl);
5840 clientssl = NULL;
5841
5842 /*
5843 * Now create a connection from a new client but with the same server SSL
5844 * object
5845 */
5846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5847 NULL, NULL))
5848 /* Send the first ClientHello */
5849 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5850 SSL_ERROR_WANT_READ))
5851 /* This should fail because there is no cookie */
e440f513 5852 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5853 /* Send the second ClientHello */
5854 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5855 SSL_ERROR_WANT_READ))
5856 /* This should succeed because a cookie is now present */
e440f513 5857 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5858 /* Complete the connection */
5859 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5860 SSL_ERROR_NONE)))
5861 goto end;
5862
5863 shutdown_ssl_connection(serverssl, clientssl);
5864 serverssl = clientssl = NULL;
5865 testresult = 1;
5866
5867 end:
5868 SSL_free(serverssl);
5869 SSL_free(clientssl);
5870 SSL_CTX_free(sctx);
5871 SSL_CTX_free(cctx);
5872 return testresult;
5873
5874}
a763ca11 5875#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5876
a37008d9
MC		 5877static int clntaddoldcb = 0;
5878static int clntparseoldcb = 0;
5879static int srvaddoldcb = 0;
5880static int srvparseoldcb = 0;
5881static int clntaddnewcb = 0;
5882static int clntparsenewcb = 0;
5883static int srvaddnewcb = 0;
5884static int srvparsenewcb = 0;
bb01ef3f 5885static int snicb = 0;
a37008d9
MC		 5886
5887#define TEST_EXT_TYPE1 0xff00
5888
5889static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5890 size_t *outlen, int *al, void *add_arg)
5891{
5892 int *server = (int *)add_arg;
5893 unsigned char *data;
5894
5895 if (SSL_is_server(s))
5896 srvaddoldcb++;
5897 else
5898 clntaddoldcb++;
5899
710756a9
RS		 5900 if (*server != SSL_is_server(s)
5901 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5902 return -1;
5903
5904 *data = 1;
5905 *out = data;
5906 *outlen = sizeof(char);
a37008d9
MC		 5907 return 1;
5908}
5909
5910static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5911 void *add_arg)
5912{
5913 OPENSSL_free((unsigned char *)out);
5914}
5915
5916static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5917 size_t inlen, int *al, void *parse_arg)
5918{
5919 int *server = (int *)parse_arg;
5920
5921 if (SSL_is_server(s))
5922 srvparseoldcb++;
5923 else
5924 clntparseoldcb++;
5925
710756a9
RS		 5926 if (*server != SSL_is_server(s)
5927 || inlen != sizeof(char)
5928 || *in != 1)
a37008d9
MC		 5929 return -1;
5930
5931 return 1;
5932}
5933
5934static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5935 const unsigned char **out, size_t *outlen, X509 *x,
5936 size_t chainidx, int *al, void *add_arg)
5937{
5938 int *server = (int *)add_arg;
5939 unsigned char *data;
5940
5941 if (SSL_is_server(s))
5942 srvaddnewcb++;
5943 else
5944 clntaddnewcb++;
5945
710756a9
RS		 5946 if (*server != SSL_is_server(s)
5947 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5948 return -1;
5949
5950 *data = 1;
5951 *out = data;
710756a9 5952 *outlen = sizeof(*data);
a37008d9
MC		 5953 return 1;
5954}
5955
5956static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5957 const unsigned char *out, void *add_arg)
5958{
5959 OPENSSL_free((unsigned char *)out);
5960}
5961
5962static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5963 const unsigned char *in, size_t inlen, X509 *x,
5964 size_t chainidx, int *al, void *parse_arg)
5965{
5966 int *server = (int *)parse_arg;
5967
5968 if (SSL_is_server(s))
5969 srvparsenewcb++;
5970 else
5971 clntparsenewcb++;
5972
710756a9
RS		 5973 if (*server != SSL_is_server(s)
5974 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5975 return -1;
5976
5977 return 1;
5978}
bb01ef3f
MC		 5979
5980static int sni_cb(SSL *s, int *al, void *arg)
5981{
5982 SSL_CTX *ctx = (SSL_CTX *)arg;
5983
5984 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5985 *al = SSL_AD_INTERNAL_ERROR;
5986 return SSL_TLSEXT_ERR_ALERT_FATAL;
5987 }
5988 snicb++;
5989 return SSL_TLSEXT_ERR_OK;
5990}
5991
0db3a990
MC		 5992static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5993{
5994 return 1;
5995}
5996
a37008d9
MC		 5997/*
5998 * Custom call back tests.
5999 * Test 0: Old style callbacks in TLSv1.2
6000 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 6001 * Test 2: New style callbacks in TLSv1.2 with SNI
6002 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6003 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 6004 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 6005 */
710756a9
RS		 6006static int test_custom_exts(int tst)
6007{
bb01ef3f 6008 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 6009 SSL *clientssl = NULL, *serverssl = NULL;
6010 int testresult = 0;
6011 static int server = 1;
6012 static int client = 0;
6013 SSL_SESSION *sess = NULL;
6014 unsigned int context;
6015
a763ca11 6016#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 6017 /* Skip tests for TLSv1.2 and below in this case */
6018 if (tst < 3)
6019 return 1;
6020#endif
6021
a37008d9
MC		 6022 /* Reset callback counters */
6023 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6024 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 6025 snicb = 0;
a37008d9 6026
5e30f2fd
MC		 6027 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6028 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6029 &sctx, &cctx, cert, privkey)))
710756a9 6030 goto end;
a37008d9 6031
bb01ef3f 6032 if (tst == 2
5e30f2fd 6033 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 6034 TLS1_VERSION, 0,
7d7f6834 6035 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 6036 goto end;
6037
6038
6039 if (tst < 3) {
a37008d9
MC		 6040 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6041 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 6042 if (sctx2 != NULL)
6043 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 6044 }
6045
0db3a990
MC		 6046 if (tst == 5) {
6047 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6048 | SSL_EXT_TLS1_3_CERTIFICATE;
6049 SSL_CTX_set_verify(sctx,
6050 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6051 verify_cb);
6052 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6053 SSL_FILETYPE_PEM), 1)
6054 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6055 SSL_FILETYPE_PEM), 1)
6056 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6057 goto end;
6058 } else if (tst == 4) {
710756a9
RS		 6059 context = SSL_EXT_CLIENT_HELLO
6060 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6061 | SSL_EXT_TLS1_3_SERVER_HELLO
6062 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6063 | SSL_EXT_TLS1_3_CERTIFICATE
6064 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6065 } else {
710756a9
RS		 6066 context = SSL_EXT_CLIENT_HELLO
6067 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6068 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6069 }
6070
6071 /* Create a client side custom extension */
6072 if (tst == 0) {
710756a9
RS		 6073 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6074 old_add_cb, old_free_cb,
6075 &client, old_parse_cb,
6076 &client)))
6077 goto end;
a37008d9 6078 } else {
710756a9
RS		 6079 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6080 new_add_cb, new_free_cb,
6081 &client, new_parse_cb, &client)))
6082 goto end;
a37008d9
MC		 6083 }
6084
6085 /* Should not be able to add duplicates */
710756a9
RS		 6086 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6087 old_add_cb, old_free_cb,
6088 &client, old_parse_cb,
6089 &client))
6090 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6091 context, new_add_cb,
6092 new_free_cb, &client,
6093 new_parse_cb, &client)))
6094 goto end;
a37008d9
MC		 6095
6096 /* Create a server side custom extension */
6097 if (tst == 0) {
710756a9
RS		 6098 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6099 old_add_cb, old_free_cb,
6100 &server, old_parse_cb,
6101 &server)))
6102 goto end;
a37008d9 6103 } else {
710756a9
RS		 6104 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6105 new_add_cb, new_free_cb,
6106 &server, new_parse_cb, &server)))
6107 goto end;
bb01ef3f
MC		 6108 if (sctx2 != NULL
6109 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6110 context, new_add_cb,
6111 new_free_cb, &server,
6112 new_parse_cb, &server)))
6113 goto end;
a37008d9
MC		 6114 }
6115
6116 /* Should not be able to add duplicates */
710756a9
RS		 6117 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6118 old_add_cb, old_free_cb,
6119 &server, old_parse_cb,
6120 &server))
6121 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6122 context, new_add_cb,
6123 new_free_cb, &server,
6124 new_parse_cb, &server)))
a37008d9 6125 goto end;
a37008d9 6126
bb01ef3f
MC		 6127 if (tst == 2) {
6128 /* Set up SNI */
6129 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6130 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6131 goto end;
6132 }
6133
710756a9
RS		 6134 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6135 &clientssl, NULL, NULL))
6136 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6137 SSL_ERROR_NONE)))
a37008d9 6138 goto end;
a37008d9
MC		 6139
6140 if (tst == 0) {
710756a9
RS		 6141 if (clntaddoldcb != 1
6142 || clntparseoldcb != 1
6143 || srvaddoldcb != 1
6144 || srvparseoldcb != 1)
a37008d9 6145 goto end;
bb01ef3f 6146 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6147 if (clntaddnewcb != 1
6148 || clntparsenewcb != 1
6149 || srvaddnewcb != 1
bb01ef3f
MC		 6150 || srvparsenewcb != 1
6151 || (tst != 2 && snicb != 0)
6152 || (tst == 2 && snicb != 1))
a37008d9 6153 goto end;
0db3a990
MC		 6154 } else if (tst == 5) {
6155 if (clntaddnewcb != 1
6156 || clntparsenewcb != 1
6157 || srvaddnewcb != 1
6158 || srvparsenewcb != 1)
6159 goto end;
a37008d9 6160 } else {
36ff232c 6161 /* In this case there 2 NewSessionTicket messages created */
710756a9 6162 if (clntaddnewcb != 1
36ff232c
MC		 6163 || clntparsenewcb != 5
6164 || srvaddnewcb != 5
710756a9 6165 || srvparsenewcb != 1)
a37008d9 6166 goto end;
a37008d9
MC		 6167 }
6168
6169 sess = SSL_get1_session(clientssl);
a37008d9
MC		 6170 SSL_shutdown(clientssl);
6171 SSL_shutdown(serverssl);
a37008d9
MC		 6172 SSL_free(serverssl);
6173 SSL_free(clientssl);
6174 serverssl = clientssl = NULL;
6175
0db3a990
MC		 6176 if (tst == 3 || tst == 5) {
6177 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 6178 testresult = 1;
6179 goto end;
6180 }
6181
710756a9
RS		 6182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6183 NULL, NULL))
6184 || !TEST_true(SSL_set_session(clientssl, sess))
6185 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6186 SSL_ERROR_NONE)))
a37008d9 6187 goto end;
a37008d9
MC		 6188
6189 /*
6190 * For a resumed session we expect to add the ClientHello extension. For the
6191 * old style callbacks we ignore it on the server side because they set
6192 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6193 * them.
6194 */
6195 if (tst == 0) {
710756a9
RS		 6196 if (clntaddoldcb != 2
6197 || clntparseoldcb != 1
6198 || srvaddoldcb != 1
6199 || srvparseoldcb != 1)
a37008d9 6200 goto end;
bb01ef3f 6201 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6202 if (clntaddnewcb != 2
6203 || clntparsenewcb != 2
6204 || srvaddnewcb != 2
6205 || srvparsenewcb != 2)
a37008d9 6206 goto end;
a37008d9 6207 } else {
36ff232c
MC		 6208 /*
6209 * No Certificate message extensions in the resumption handshake,
6210 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6211 */
710756a9 6212 if (clntaddnewcb != 2
36ff232c
MC		 6213 || clntparsenewcb != 8
6214 || srvaddnewcb != 8
710756a9 6215 || srvparsenewcb != 2)
a37008d9 6216 goto end;
a37008d9
MC		 6217 }
6218
6219 testresult = 1;
6220
6221end:
6222 SSL_SESSION_free(sess);
6223 SSL_free(serverssl);
6224 SSL_free(clientssl);
bb01ef3f 6225 SSL_CTX_free(sctx2);
a37008d9
MC		 6226 SSL_CTX_free(sctx);
6227 SSL_CTX_free(cctx);
a37008d9
MC		 6228 return testresult;
6229}
6230
555dd939 6231#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 6232
555dd939
DF		 6233#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6234 | SSL_EXT_CLIENT_HELLO \
6235 | SSL_EXT_TLS1_2_SERVER_HELLO \
6236 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 6237
555dd939
DF		 6238#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6239 | SSL_EXT_TLS1_2_SERVER_HELLO \
6240 | SSL_EXT_CLIENT_HELLO)
16afd71c 6241
555dd939
DF		 6242#define SERVERINFO_CUSTOM \
6243 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6244 0x00, 0x03, \
6245 0x04, 0x05, 0x06 \
6246
6247static const unsigned char serverinfo_custom_tls13[] = {
6248 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6249 SERVERINFO_CUSTOM
6250};
6251static const unsigned char serverinfo_custom_v2[] = {
6252 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6253 SERVERINFO_CUSTOM
6254};
6255static const unsigned char serverinfo_custom_v1[] = {
6256 SERVERINFO_CUSTOM
6257};
6258static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6259static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6260static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6261
6262static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6263 unsigned int context,
6264 const unsigned char *in,
6265 size_t inlen, X509 *x,
6266 size_t chainidx, int *al,
6267 void *parse_arg)
6268{
6269 const size_t len = serverinfo_custom_v1_len;
6270 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6271 int *p_cb_result = (int*)parse_arg;
6272 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6273 return 1;
6274}
6275
6276static int test_serverinfo_custom(const int idx)
6277{
6278 SSL_CTX *sctx = NULL, *cctx = NULL;
6279 SSL *clientssl = NULL, *serverssl = NULL;
6280 int testresult = 0;
6281 int cb_result = 0;
6282
6283 /*
6284 * Following variables are set in the switch statement
6285 * according to the test iteration.
6286 * Default values do not make much sense: test would fail with them.
6287 */
6288 int serverinfo_version = 0;
6289 int protocol_version = 0;
6290 unsigned int extension_context = 0;
6291 const unsigned char *si = NULL;
6292 size_t si_len = 0;
6293
6294 const int call_use_serverinfo_ex = idx > 0;
6295 switch (idx) {
6296 case 0: /* FALLTHROUGH */
6297 case 1:
6298 serverinfo_version = SSL_SERVERINFOV1;
6299 protocol_version = TLS1_2_VERSION;
6300 extension_context = SYNTHV1CONTEXT;
6301 si = serverinfo_custom_v1;
6302 si_len = serverinfo_custom_v1_len;
6303 break;
6304 case 2:
6305 serverinfo_version = SSL_SERVERINFOV2;
6306 protocol_version = TLS1_2_VERSION;
6307 extension_context = SYNTHV1CONTEXT;
6308 si = serverinfo_custom_v2;
6309 si_len = serverinfo_custom_v2_len;
6310 break;
6311 case 3:
6312 serverinfo_version = SSL_SERVERINFOV2;
6313 protocol_version = TLS1_3_VERSION;
6314 extension_context = TLS13CONTEXT;
6315 si = serverinfo_custom_tls13;
6316 si_len = serverinfo_custom_tls13_len;
6317 break;
16afd71c
MC		 6318 }
6319
555dd939
DF		 6320 if (!TEST_true(create_ssl_ctx_pair(libctx,
6321 TLS_method(),
6322 TLS_method(),
6323 protocol_version,
6324 protocol_version,
6325 &sctx, &cctx, cert, privkey)))
6326 goto end;
16afd71c 6327
555dd939
DF		 6328 if (call_use_serverinfo_ex) {
6329 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6330 si, si_len)))
6331 goto end;
6332 } else {
6333 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6334 goto end;
16afd71c
MC		 6335 }
6336
555dd939
DF		 6337 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6338 extension_context,
6339 NULL, NULL, NULL,
6340 serverinfo_custom_parse_cb,
6341 &cb_result))
6342 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6343 NULL, NULL))
6344 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6345 SSL_ERROR_NONE))
6346 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6347 goto end;
6348
6349 if (!TEST_true(cb_result))
16afd71c
MC		 6350 goto end;
6351
6352 testresult = 1;
6353
6354 end:
555dd939
DF		 6355 SSL_free(serverssl);
6356 SSL_free(clientssl);
6357 SSL_CTX_free(sctx);
6358 SSL_CTX_free(cctx);
16afd71c
MC		 6359
6360 return testresult;
6361}
555dd939 6362#endif
16afd71c 6363
2197d1df
MC		 6364/*
6365 * Test that SSL_export_keying_material() produces expected results. There are
6366 * no test vectors so all we do is test that both sides of the communication
6367 * produce the same results for different protocol versions.
6368 */
0fb2815b
MC		 6369#define SMALL_LABEL_LEN 10
6370#define LONG_LABEL_LEN 249
2197d1df
MC		 6371static int test_export_key_mat(int tst)
6372{
a599574b 6373 int testresult = 0;
2197d1df
MC		 6374 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6375 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6376 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6377 const unsigned char context[] = "context";
6378 const unsigned char *emptycontext = NULL;
ef9d8f2f 6379 unsigned char longcontext[1280];
5df160f1 6380 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
ef9d8f2f
DU		 6381 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6382 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
0fb2815b 6383 size_t labellen;
a599574b
MC		 6384 const int protocols[] = {
6385 TLS1_VERSION,
6386 TLS1_1_VERSION,
6387 TLS1_2_VERSION,
0fb2815b
MC		 6388 TLS1_3_VERSION,
6389 TLS1_3_VERSION,
a599574b
MC		 6390 TLS1_3_VERSION
6391 };
2197d1df
MC		 6392
6393#ifdef OPENSSL_NO_TLS1
6394 if (tst == 0)
6395 return 1;
6396#endif
6397#ifdef OPENSSL_NO_TLS1_1
6398 if (tst == 1)
6399 return 1;
6400#endif
4f6c7044
MC		 6401 if (is_fips && (tst == 0 || tst == 1))
6402 return 1;
2197d1df
MC		 6403#ifdef OPENSSL_NO_TLS1_2
6404 if (tst == 2)
6405 return 1;
6406#endif
a763ca11 6407#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6408 if (tst >= 3)
2197d1df
MC		 6409 return 1;
6410#endif
5e30f2fd
MC		 6411 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6412 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6413 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6414 goto end;
6415
a599574b
MC		 6416 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6417 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6418 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6419 if ((protocols[tst] < TLS1_2_VERSION) &&
6420 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6421 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6422 goto end;
2197d1df
MC		 6423
6424 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6425 NULL)))
6426 goto end;
6427
6428 /*
6429 * Premature call of SSL_export_keying_material should just fail.
6430 */
6431 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6432 sizeof(ckeymat1), label,
6433 SMALL_LABEL_LEN + 1, context,
6434 sizeof(context) - 1, 1), 0))
6435 goto end;
6436
6437 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6438 SSL_ERROR_NONE)))
2197d1df
MC		 6439 goto end;
6440
0fb2815b
MC		 6441 if (tst == 5) {
6442 /*
6443 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6444 * go over that.
6445 */
6446 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6447 sizeof(ckeymat1), label,
6448 LONG_LABEL_LEN + 1, context,
6449 sizeof(context) - 1, 1), 0))
6450 goto end;
6451
6452 testresult = 1;
6453 goto end;
6454 } else if (tst == 4) {
6455 labellen = LONG_LABEL_LEN;
6456 } else {
6457 labellen = SMALL_LABEL_LEN;
6458 }
6459
ef9d8f2f
DU		 6460 memset(longcontext, 1, sizeof(longcontext));
6461
2197d1df
MC		 6462 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6463 sizeof(ckeymat1), label,
0fb2815b 6464 labellen, context,
2197d1df
MC		 6465 sizeof(context) - 1, 1), 1)
6466 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6467 sizeof(ckeymat2), label,
0fb2815b 6468 labellen,
2197d1df
MC		 6469 emptycontext,
6470 0, 1), 1)
6471 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6472 sizeof(ckeymat3), label,
0fb2815b 6473 labellen,
2197d1df 6474 NULL, 0, 0), 1)
5df160f1
TM		 6475 || (test_longcontext
6476 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6477 ckeymat4,
6478 sizeof(ckeymat4), label,
6479 labellen,
6480 longcontext,
6481 sizeof(longcontext), 1),
6482 1))
2197d1df
MC		 6483 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6484 sizeof(skeymat1), label,
0fb2815b 6485 labellen,
2197d1df
MC		 6486 context,
6487 sizeof(context) -1, 1),
6488 1)
6489 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6490 sizeof(skeymat2), label,
0fb2815b 6491 labellen,
2197d1df
MC		 6492 emptycontext,
6493 0, 1), 1)
6494 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6495 sizeof(skeymat3), label,
0fb2815b 6496 labellen,
2197d1df 6497 NULL, 0, 0), 1)
5df160f1
TM		 6498 || (test_longcontext
6499 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6500 sizeof(skeymat4), label,
6501 labellen,
6502 longcontext,
6503 sizeof(longcontext), 1),
6504 1))
2197d1df
MC		 6505 /*
6506 * Check that both sides created the same key material with the
6507 * same context.
6508 */
6509 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6510 sizeof(skeymat1))
6511 /*
6512 * Check that both sides created the same key material with an
6513 * empty context.
6514 */
6515 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6516 sizeof(skeymat2))
6517 /*
6518 * Check that both sides created the same key material without a
6519 * context.
6520 */
6521 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6522 sizeof(skeymat3))
ef9d8f2f
DU		 6523 /*
6524 * Check that both sides created the same key material with a
6525 * long context.
6526 */
5df160f1
TM		 6527 || (test_longcontext
6528 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6529 sizeof(skeymat4)))
2197d1df
MC		 6530 /* Different contexts should produce different results */
6531 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6532 sizeof(ckeymat2)))
6533 goto end;
6534
6535 /*
6536 * Check that an empty context and no context produce different results in
6537 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6538 */
0fb2815b 6539 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6540 sizeof(ckeymat3)))
0fb2815b
MC		 6541 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6542 sizeof(ckeymat3))))
2197d1df
MC		 6543 goto end;
6544
6545 testresult = 1;
6546
6547 end:
6548 SSL_free(serverssl);
6549 SSL_free(clientssl);
6550 SSL_CTX_free(sctx2);
6551 SSL_CTX_free(sctx);
6552 SSL_CTX_free(cctx);
6553
6554 return testresult;
6555}
6556
a763ca11 6557#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6558/*
6559 * Test that SSL_export_keying_material_early() produces expected
6560 * results. There are no test vectors so all we do is test that both
6561 * sides of the communication produce the same results for different
6562 * protocol versions.
6563 */
6564static int test_export_key_mat_early(int idx)
6565{
6566 static const char label[] = "test label";
6567 static const unsigned char context[] = "context";
6568 int testresult = 0;
6569 SSL_CTX *cctx = NULL, *sctx = NULL;
6570 SSL *clientssl = NULL, *serverssl = NULL;
6571 SSL_SESSION *sess = NULL;
6572 const unsigned char *emptycontext = NULL;
6573 unsigned char ckeymat1[80], ckeymat2[80];
6574 unsigned char skeymat1[80], skeymat2[80];
6575 unsigned char buf[1];
6576 size_t readbytes, written;
6577
6578 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
10836921 6579 &sess, idx, SHA384_DIGEST_LENGTH)))
b38ede80
TT		 6580 goto end;
6581
6582 /* Here writing 0 length early data is enough. */
6583 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6584 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6585 &readbytes),
6586 SSL_READ_EARLY_DATA_ERROR)
6587 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6588 SSL_EARLY_DATA_ACCEPTED))
6589 goto end;
6590
6591 if (!TEST_int_eq(SSL_export_keying_material_early(
6592 clientssl, ckeymat1, sizeof(ckeymat1), label,
6593 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6594 || !TEST_int_eq(SSL_export_keying_material_early(
6595 clientssl, ckeymat2, sizeof(ckeymat2), label,
6596 sizeof(label) - 1, emptycontext, 0), 1)
6597 || !TEST_int_eq(SSL_export_keying_material_early(
6598 serverssl, skeymat1, sizeof(skeymat1), label,
6599 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6600 || !TEST_int_eq(SSL_export_keying_material_early(
6601 serverssl, skeymat2, sizeof(skeymat2), label,
6602 sizeof(label) - 1, emptycontext, 0), 1)
6603 /*
6604 * Check that both sides created the same key material with the
6605 * same context.
6606 */
6607 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6608 sizeof(skeymat1))
6609 /*
6610 * Check that both sides created the same key material with an
6611 * empty context.
6612 */
6613 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6614 sizeof(skeymat2))
6615 /* Different contexts should produce different results */
6616 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6617 sizeof(ckeymat2)))
6618 goto end;
6619
6620 testresult = 1;
6621
6622 end:
c20e3b28 6623 SSL_SESSION_free(sess);
b38ede80
TT		 6624 SSL_SESSION_free(clientpsk);
6625 SSL_SESSION_free(serverpsk);
34ff74eb 6626 clientpsk = serverpsk = NULL;
b38ede80
TT		 6627 SSL_free(serverssl);
6628 SSL_free(clientssl);
6629 SSL_CTX_free(sctx);
6630 SSL_CTX_free(cctx);
6631
6632 return testresult;
6633}
3409a5ff
MC		 6634
6635#define NUM_KEY_UPDATE_MESSAGES 40
6636/*
6637 * Test KeyUpdate.
6638 */
6639static int test_key_update(void)
6640{
6641 SSL_CTX *cctx = NULL, *sctx = NULL;
6642 SSL *clientssl = NULL, *serverssl = NULL;
6643 int testresult = 0, i, j;
6644 char buf[20];
6645 static char *mess = "A test message";
6646
5e30f2fd 6647 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6648 TLS_client_method(),
6649 TLS1_3_VERSION,
6650 0,
6651 &sctx, &cctx, cert, privkey))
6652 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6653 NULL, NULL))
6654 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6655 SSL_ERROR_NONE)))
6656 goto end;
6657
6658 for (j = 0; j < 2; j++) {
6659 /* Send lots of KeyUpdate messages */
6660 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6661 if (!TEST_true(SSL_key_update(clientssl,
6662 (j == 0)
6663 ? SSL_KEY_UPDATE_NOT_REQUESTED
6664 : SSL_KEY_UPDATE_REQUESTED))
6665 || !TEST_true(SSL_do_handshake(clientssl)))
6666 goto end;
6667 }
6668
6669 /* Check that sending and receiving app data is ok */
6670 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6671 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6672 strlen(mess)))
6673 goto end;
a77b4dba
MC		 6674
6675 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6676 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6677 strlen(mess)))
6678 goto end;
3409a5ff
MC		 6679 }
6680
6681 testresult = 1;
6682
6683 end:
6684 SSL_free(serverssl);
6685 SSL_free(clientssl);
6686 SSL_CTX_free(sctx);
6687 SSL_CTX_free(cctx);
6688
6689 return testresult;
6690}
a77b4dba
MC		 6691
6692/*
0c48fda8 6693 * Test we can handle a KeyUpdate (update requested) message while
6694 * write data is pending in peer.
a77b4dba
MC		 6695 * Test 0: Client sends KeyUpdate while Server is writing
6696 * Test 1: Server sends KeyUpdate while Client is writing
6697 */
0c48fda8 6698static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6699{
6700 SSL_CTX *cctx = NULL, *sctx = NULL;
6701 SSL *clientssl = NULL, *serverssl = NULL;
6702 int testresult = 0;
6703 char buf[20];
6704 static char *mess = "A test message";
6705 BIO *bretry = BIO_new(bio_s_always_retry());
6706 BIO *tmp = NULL;
6707 SSL *peerupdate = NULL, *peerwrite = NULL;
6708
6709 if (!TEST_ptr(bretry)
5e30f2fd 6710 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6711 TLS_client_method(),
6712 TLS1_3_VERSION,
6713 0,
6714 &sctx, &cctx, cert, privkey))
6715 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6716 NULL, NULL))
6717 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6718 SSL_ERROR_NONE)))
6719 goto end;
6720
6721 peerupdate = tst == 0 ? clientssl : serverssl;
6722 peerwrite = tst == 0 ? serverssl : clientssl;
6723
6724 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6725 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6726 goto end;
6727
6728 /* Swap the writing endpoint's write BIO to force a retry */
6729 tmp = SSL_get_wbio(peerwrite);
6730 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6731 tmp = NULL;
6732 goto end;
6733 }
6734 SSL_set0_wbio(peerwrite, bretry);
6735 bretry = NULL;
6736
6737 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6738 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
7e1b0dc1
HL		 6739 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6740 || !TEST_true(SSL_want_write(peerwrite))
6741 || !TEST_true(SSL_net_write_desired(peerwrite)))
a77b4dba
MC		 6742 goto end;
6743
6744 /* Reinstate the original writing endpoint's write BIO */
6745 SSL_set0_wbio(peerwrite, tmp);
6746 tmp = NULL;
6747
6748 /* Now read some data - we will read the key update */
6749 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
7e1b0dc1
HL		 6750 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6751 || !TEST_true(SSL_want_read(peerwrite))
6752 || !TEST_true(SSL_net_read_desired(peerwrite)))
a77b4dba
MC		 6753 goto end;
6754
6755 /*
6756 * Complete the write we started previously and read it from the other
6757 * endpoint
6758 */
6759 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6760 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6761 goto end;
6762
6763 /* Write more data to ensure we send the KeyUpdate message back */
6764 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6765 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6766 goto end;
6767
7e1b0dc1
HL		 6768 if (!TEST_false(SSL_net_read_desired(peerwrite))
6769 || !TEST_false(SSL_net_write_desired(peerwrite))
6770 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6771 goto end;
6772
a77b4dba
MC		 6773 testresult = 1;
6774
6775 end:
6776 SSL_free(serverssl);
6777 SSL_free(clientssl);
6778 SSL_CTX_free(sctx);
6779 SSL_CTX_free(cctx);
6780 BIO_free(bretry);
6781 BIO_free(tmp);
6782
6783 return testresult;
6784}
0c48fda8 6785
6786/*
6787 * Test we can handle a KeyUpdate (update requested) message while
6788 * peer read data is pending after peer accepted keyupdate(the msg header
6789 * had been read 5 bytes).
6790 * Test 0: Client sends KeyUpdate while Server is reading
6791 * Test 1: Server sends KeyUpdate while Client is reading
6792 */
6793static int test_key_update_peer_in_read(int tst)
6794{
6795 SSL_CTX *cctx = NULL, *sctx = NULL;
6796 SSL *clientssl = NULL, *serverssl = NULL;
6797 int testresult = 0;
6798 char prbuf[515], lwbuf[515] = {0};
6799 static char *mess = "A test message";
6800 BIO *lbio = NULL, *pbio = NULL;
6801 SSL *local = NULL, *peer = NULL;
6802
6803 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6804 TLS_client_method(),
6805 TLS1_3_VERSION,
6806 0,
6807 &sctx, &cctx, cert, privkey))
6808 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6809 NULL, NULL))
6810 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6811 SSL_ERROR_NONE)))
6812 goto end;
6813
6814 local = tst == 0 ? clientssl : serverssl;
6815 peer = tst == 0 ? serverssl : clientssl;
6816
6817 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6818 goto end;
6819
6820 SSL_set_bio(local, lbio, lbio);
6821 SSL_set_bio(peer, pbio, pbio);
6822
6823 /*
6824 * we first write keyupdate msg then appdata in local
6825 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6826 * lwbuf app data msg size + key updata msg size > 512(the size of
6827 * the bio pair buffer)
6828 */
6829 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6830 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6831 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6832 goto end;
6833
6834 /*
6835 * first read keyupdate msg in peer in peer
6836 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6837 */
6838 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6839 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6840 goto end;
6841
6842 /* Now write some data in peer - we will write the key update */
6843 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6844 goto end;
6845
6846 /*
6847 * write data in local previously that we will complete
6848 * read data in peer previously that we will complete
6849 */
6850 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6851 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6852 goto end;
6853
6854 /* check that sending and receiving appdata ok */
6855 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6856 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6857 goto end;
6858
6859 testresult = 1;
6860
6861 end:
6862 SSL_free(serverssl);
6863 SSL_free(clientssl);
6864 SSL_CTX_free(sctx);
6865 SSL_CTX_free(cctx);
6866
6867 return testresult;
6868}
6869
6870/*
6871 * Test we can't send a KeyUpdate (update requested) message while
6872 * local write data is pending.
6873 * Test 0: Client sends KeyUpdate while Client is writing
6874 * Test 1: Server sends KeyUpdate while Server is writing
6875 */
6876static int test_key_update_local_in_write(int tst)
6877{
6878 SSL_CTX *cctx = NULL, *sctx = NULL;
6879 SSL *clientssl = NULL, *serverssl = NULL;
6880 int testresult = 0;
6881 char buf[20];
6882 static char *mess = "A test message";
6883 BIO *bretry = BIO_new(bio_s_always_retry());
6884 BIO *tmp = NULL;
6885 SSL *local = NULL, *peer = NULL;
6886
6887 if (!TEST_ptr(bretry)
6888 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6889 TLS_client_method(),
6890 TLS1_3_VERSION,
6891 0,
6892 &sctx, &cctx, cert, privkey))
6893 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6894 NULL, NULL))
6895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6896 SSL_ERROR_NONE)))
6897 goto end;
6898
6899 local = tst == 0 ? clientssl : serverssl;
6900 peer = tst == 0 ? serverssl : clientssl;
6901
6902 /* Swap the writing endpoint's write BIO to force a retry */
6903 tmp = SSL_get_wbio(local);
6904 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6905 tmp = NULL;
6906 goto end;
6907 }
6908 SSL_set0_wbio(local, bretry);
6909 bretry = NULL;
6910
6911 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6912 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6913 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6914 goto end;
6915
6916 /* Reinstate the original writing endpoint's write BIO */
6917 SSL_set0_wbio(local, tmp);
6918 tmp = NULL;
6919
6920 /* SSL_key_update will fail, because writing in local*/
6921 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6922 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6923 goto end;
6924
6925 ERR_clear_error();
6926 /* write data in local previously that we will complete */
6927 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6928 goto end;
6929
6930 /* SSL_key_update will succeed because there is no pending write data */
6931 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6932 || !TEST_int_eq(SSL_do_handshake(local), 1))
6933 goto end;
6934
6935 /*
6936 * we write some appdata in local
6937 * read data in peer - we will read the keyupdate msg
6938 */
6939 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6940 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6941 goto end;
6942
6943 /* Write more peer more data to ensure we send the keyupdate message back */
6944 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6945 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6946 goto end;
6947
6948 testresult = 1;
6949
6950 end:
6951 SSL_free(serverssl);
6952 SSL_free(clientssl);
6953 SSL_CTX_free(sctx);
6954 SSL_CTX_free(cctx);
6955 BIO_free(bretry);
6956 BIO_free(tmp);
6957
6958 return testresult;
6959}
6960
6961/*
6962 * Test we can handle a KeyUpdate (update requested) message while
6963 * local read data is pending(the msg header had been read 5 bytes).
6964 * Test 0: Client sends KeyUpdate while Client is reading
6965 * Test 1: Server sends KeyUpdate while Server is reading
6966 */
6967static int test_key_update_local_in_read(int tst)
6968{
6969 SSL_CTX *cctx = NULL, *sctx = NULL;
6970 SSL *clientssl = NULL, *serverssl = NULL;
6971 int testresult = 0;
6972 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6973 static char *mess = "A test message";
6974 BIO *lbio = NULL, *pbio = NULL;
6975 SSL *local = NULL, *peer = NULL;
6976
6977 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6978 TLS_client_method(),
6979 TLS1_3_VERSION,
6980 0,
6981 &sctx, &cctx, cert, privkey))
6982 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6983 NULL, NULL))
6984 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6985 SSL_ERROR_NONE)))
6986 goto end;
6987
6988 local = tst == 0 ? clientssl : serverssl;
6989 peer = tst == 0 ? serverssl : clientssl;
6990
6991 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6992 goto end;
6993
6994 SSL_set_bio(local, lbio, lbio);
6995 SSL_set_bio(peer, pbio, pbio);
6996
6997 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6998 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6999 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7000 goto end;
7001
7002 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7003 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7004 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7005 goto end;
7006
7007 /* SSL_do_handshake will send keyupdate msg */
7008 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7009 || !TEST_int_eq(SSL_do_handshake(local), 1))
7010 goto end;
7011
7012 /*
7013 * write data in peer previously that we will complete
7014 * read data in local previously that we will complete
7015 */
7016 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7017 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7018 goto end;
7019
7020 /*
7021 * write data in local
7022 * read data in peer - we will read the key update
7023 */
7024 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7025 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7026 goto end;
7027
7028 /* Write more peer data to ensure we send the keyupdate message back */
7029 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7030 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7031 goto end;
7032
7033 testresult = 1;
7034
7035 end:
7036 SSL_free(serverssl);
7037 SSL_free(clientssl);
7038 SSL_CTX_free(sctx);
7039 SSL_CTX_free(cctx);
7040
7041 return testresult;
7042}
a763ca11 7043#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 7044
5de8c49d
MC		 7045/*
7046 * Test clearing a connection via SSL_clear(), or resetting it via
7047 * SSL_set_connect_state()/SSL_set_accept_state()
7048 * Test 0: SSL_set_connect_state, TLSv1.3
7049 * Test 1: SSL_set_connect_state, TLSv1.2
7050 * Test 2: SSL_set_accept_state, TLSv1.3
7051 * Test 3: SSL_set_accept_state, TLSv1.2
7052 * Test 4: SSL_clear (client), TLSv1.3
7053 * Test 5: SSL_clear (client), TLSv1.2
7054 * Test 6: SSL_clear (server), TLSv1.3
7055 * Test 7: SSL_clear (server), TLSv1.2
7056 */
e11b6aa4
MC		 7057static int test_ssl_clear(int idx)
7058{
7059 SSL_CTX *cctx = NULL, *sctx = NULL;
7060 SSL *clientssl = NULL, *serverssl = NULL;
5de8c49d 7061 SSL *writer, *reader;
e11b6aa4 7062 int testresult = 0;
5de8c49d
MC		 7063 int tls12test, servertest, cleartest;
7064 size_t written, readbytes;
7065 const char *msg = "Hello World";
7066 unsigned char buf[5];
7067
7068 tls12test = idx & 1;
7069 idx >>= 1;
7070 servertest = idx & 1;
7071 idx >>= 1;
7072 cleartest = idx & 1;
e11b6aa4
MC		 7073
7074#ifdef OPENSSL_NO_TLS1_2
5de8c49d
MC		 7075 if (tls12test == 1)
7076 return TEST_skip("No TLSv1.2 in this build");
e11b6aa4
MC		 7077#endif
7078
7079 /* Create an initial connection */
5e30f2fd
MC		 7080 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7081 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 7082 &sctx, &cctx, cert, privkey))
5de8c49d 7083 || (tls12test
e11b6aa4
MC		 7084 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7085 TLS1_2_VERSION)))
7086 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7087 &clientssl, NULL, NULL))
7088 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7089 SSL_ERROR_NONE)))
7090 goto end;
7091
5de8c49d
MC		 7092 if (servertest) {
7093 writer = clientssl;
7094 reader = serverssl;
7095 } else {
7096 writer = serverssl;
7097 reader = clientssl;
7098 }
7099
7100 /* Write some data */
7101 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7102 || written != strlen(msg))
7103 goto end;
7104
7105 /*
7106 * Read a partial record. The remaining buffered data should be cleared by
7107 * the subsequent clear/reset
7108 */
7109 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7110 || readbytes != sizeof(buf))
7111 goto end;
7112
e11b6aa4
MC		 7113 SSL_shutdown(clientssl);
7114 SSL_shutdown(serverssl);
e11b6aa4 7115
5de8c49d
MC		 7116 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7117 if (servertest) {
7118 if (cleartest) {
7119 if (!TEST_true(SSL_clear(serverssl)))
7120 goto end;
7121 } else {
7122 SSL_set_accept_state(serverssl);
7123 }
7124 /*
7125 * A peculiarity of SSL_clear() is that it does not clear the session.
7126 * This is intended behaviour so that a client can create a new
7127 * connection and reuse the session. But this doesn't make much sense
7128 * on the server side - and causes incorrect behaviour due to the
7129 * handshake failing (even though the documentation does say SSL_clear()
7130 * is supposed to work on the server side). We clear the session
7131 * explicitly - although note that the documentation for
7132 * SSL_set_session() says that its only useful for clients!
7133 */
7134 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7135 goto end;
7136 SSL_free(clientssl);
7137 clientssl = NULL;
7138 } else {
7139 if (cleartest) {
7140 if (!TEST_true(SSL_clear(clientssl)))
7141 goto end;
7142 } else {
7143 SSL_set_connect_state(clientssl);
7144 }
7145 SSL_free(serverssl);
7146 serverssl = NULL;
7147 }
e11b6aa4
MC		 7148
7149 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7150 NULL, NULL))
7151 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7152 SSL_ERROR_NONE))
5de8c49d 7153 || !TEST_true(servertest || SSL_session_reused(clientssl)))
e11b6aa4
MC		 7154 goto end;
7155
7156 SSL_shutdown(clientssl);
7157 SSL_shutdown(serverssl);
7158
7159 testresult = 1;
7160
7161 end:
7162 SSL_free(serverssl);
7163 SSL_free(clientssl);
7164 SSL_CTX_free(sctx);
7165 SSL_CTX_free(cctx);
7166
7167 return testresult;
7168}
7169
cf72c757
F		 7170/* Parse CH and retrieve any MFL extension value if present */
7171static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7172{
7173 long len;
7174 unsigned char *data;
72962d02 7175 PACKET pkt, pkt2, pkt3;
cf72c757
F		 7176 unsigned int MFL_code = 0, type = 0;
7177
1287dabd 7178 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 7179 goto end;
7180
72962d02
P		 7181 memset(&pkt, 0, sizeof(pkt));
7182 memset(&pkt2, 0, sizeof(pkt2));
7183 memset(&pkt3, 0, sizeof(pkt3));
7184
9ba18520 7185 if (!TEST_long_gt(len, 0)
1287dabd 7186 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 7187 /* Skip the record header */
7188 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7189 /* Skip the handshake message header */
7190 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7191 /* Skip client version and random */
7192 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7193 + SSL3_RANDOM_SIZE))
7194 /* Skip session id */
7195 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7196 /* Skip ciphers */
7197 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7198 /* Skip compression */
7199 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7200 /* Extensions len */
7201 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7202 goto end;
7203
7204 /* Loop through all extensions */
7205 while (PACKET_remaining(&pkt2)) {
7206 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7207 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7208 goto end;
7209
7210 if (type == TLSEXT_TYPE_max_fragment_length) {
7211 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7212 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7213 goto end;
7214
7215 *mfl_codemfl_code = MFL_code;
7216 return 1;
7217 }
7218 }
7219
7220 end:
7221 return 0;
7222}
7223
7224/* Maximum-Fragment-Length TLS extension mode to test */
7225static const unsigned char max_fragment_len_test[] = {
7226 TLSEXT_max_fragment_length_512,
7227 TLSEXT_max_fragment_length_1024,
7228 TLSEXT_max_fragment_length_2048,
7229 TLSEXT_max_fragment_length_4096
7230};
7231
7232static int test_max_fragment_len_ext(int idx_tst)
7233{
a763ca11 7234 SSL_CTX *ctx = NULL;
cf72c757
F		 7235 SSL *con = NULL;
7236 int testresult = 0, MFL_mode = 0;
7237 BIO *rbio, *wbio;
7238
a763ca11
MC		 7239 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7240 TLS1_VERSION, 0, NULL, &ctx, NULL,
7241 NULL)))
7242 return 0;
cf72c757
F		 7243
7244 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7245 ctx, max_fragment_len_test[idx_tst])))
7246 goto end;
7247
7248 con = SSL_new(ctx);
7249 if (!TEST_ptr(con))
7250 goto end;
7251
7252 rbio = BIO_new(BIO_s_mem());
7253 wbio = BIO_new(BIO_s_mem());
7254 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7255 BIO_free(rbio);
7256 BIO_free(wbio);
7257 goto end;
7258 }
7259
7260 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 7261
7262 if (!TEST_int_le(SSL_connect(con), 0)) {
7263 /* This shouldn't succeed because we don't have a server! */
7264 goto end;
7265 }
7266
7267 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7268 /* no MFL in client hello */
7269 goto end;
7270 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7271 goto end;
7272
7273 testresult = 1;
7274
7275end:
7276 SSL_free(con);
7277 SSL_CTX_free(ctx);
7278
7279 return testresult;
7280}
7281
a763ca11 7282#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 7283static int test_pha_key_update(void)
7284{
7285 SSL_CTX *cctx = NULL, *sctx = NULL;
7286 SSL *clientssl = NULL, *serverssl = NULL;
7287 int testresult = 0;
7288
5e30f2fd
MC		 7289 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7290 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 7291 &sctx, &cctx, cert, privkey)))
7292 return 0;
7293
7294 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7295 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7296 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7297 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7298 goto end;
7299
e97be718 7300 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 7301
7302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7303 NULL, NULL)))
7304 goto end;
7305
9d75dce3
TS		 7306 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7307 SSL_ERROR_NONE)))
7308 goto end;
7309
7310 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7311 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7312 goto end;
7313
7314 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7315 goto end;
7316
7317 /* Start handshake on the server */
7318 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7319 goto end;
7320
7321 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7322 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7323 SSL_ERROR_NONE)))
7324 goto end;
7325
7326 SSL_shutdown(clientssl);
7327 SSL_shutdown(serverssl);
7328
7329 testresult = 1;
7330
7331 end:
7332 SSL_free(serverssl);
7333 SSL_free(clientssl);
7334 SSL_CTX_free(sctx);
7335 SSL_CTX_free(cctx);
7336 return testresult;
7337}
7338#endif
7339
76fd7a1d
MC		 7340#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7341
7342static SRP_VBASE *vbase = NULL;
7343
7344static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7345{
7346 int ret = SSL3_AL_FATAL;
7347 char *username;
7348 SRP_user_pwd *user = NULL;
7349
7350 username = SSL_get_srp_username(s);
7351 if (username == NULL) {
7352 *ad = SSL_AD_INTERNAL_ERROR;
7353 goto err;
7354 }
7355
7356 user = SRP_VBASE_get1_by_user(vbase, username);
7357 if (user == NULL) {
7358 *ad = SSL_AD_INTERNAL_ERROR;
7359 goto err;
7360 }
7361
7362 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7363 user->info) <= 0) {
7364 *ad = SSL_AD_INTERNAL_ERROR;
7365 goto err;
7366 }
7367
7368 ret = 0;
7369
7370 err:
7371 SRP_user_pwd_free(user);
7372 return ret;
7373}
7374
7375static int create_new_vfile(char *userid, char *password, const char *filename)
7376{
7377 char *gNid = NULL;
7378 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7379 TXT_DB *db = NULL;
7380 int ret = 0;
7381 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7382 size_t i;
7383
7384 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7385 goto end;
7386
20c00d0a 7387 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 7388 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 7389 if (!TEST_ptr(gNid))
7390 goto end;
7391
7392 /*
7393 * The only way to create an empty TXT_DB is to provide a BIO with no data
7394 * in it!
7395 */
7396 db = TXT_DB_read(dummy, DB_NUMBER);
7397 if (!TEST_ptr(db))
7398 goto end;
7399
7400 out = BIO_new_file(filename, "w");
7401 if (!TEST_ptr(out))
7402 goto end;
7403
7404 row[DB_srpid] = OPENSSL_strdup(userid);
7405 row[DB_srptype] = OPENSSL_strdup("V");
7406 row[DB_srpgN] = OPENSSL_strdup(gNid);
7407
7408 if (!TEST_ptr(row[DB_srpid])
7409 || !TEST_ptr(row[DB_srptype])
7410 || !TEST_ptr(row[DB_srpgN])
7411 || !TEST_true(TXT_DB_insert(db, row)))
7412 goto end;
7413
7414 row = NULL;
7415
aba9943f 7416 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 7417 goto end;
7418
7419 ret = 1;
7420 end:
7421 if (row != NULL) {
7422 for (i = 0; i < DB_NUMBER; i++)
7423 OPENSSL_free(row[i]);
7424 }
7425 OPENSSL_free(row);
7426 BIO_free(dummy);
7427 BIO_free(out);
7428 TXT_DB_free(db);
7429
7430 return ret;
7431}
7432
7433static int create_new_vbase(char *userid, char *password)
7434{
7435 BIGNUM *verifier = NULL, *salt = NULL;
7436 const SRP_gN *lgN = NULL;
7437 SRP_user_pwd *user_pwd = NULL;
7438 int ret = 0;
7439
7440 lgN = SRP_get_default_gN(NULL);
7441 if (!TEST_ptr(lgN))
7442 goto end;
7443
20c00d0a 7444 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 7445 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 7446 goto end;
7447
7448 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7449 if (!TEST_ptr(user_pwd))
7450 goto end;
7451
7452 user_pwd->N = lgN->N;
7453 user_pwd->g = lgN->g;
7454 user_pwd->id = OPENSSL_strdup(userid);
7455 if (!TEST_ptr(user_pwd->id))
7456 goto end;
7457
7458 user_pwd->v = verifier;
7459 user_pwd->s = salt;
7460 verifier = salt = NULL;
7461
7462 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7463 goto end;
7464 user_pwd = NULL;
7465
7466 ret = 1;
7467end:
7468 SRP_user_pwd_free(user_pwd);
7469 BN_free(salt);
7470 BN_free(verifier);
7471
7472 return ret;
7473}
7474
7475/*
7476 * SRP tests
7477 *
7478 * Test 0: Simple successful SRP connection, new vbase
7479 * Test 1: Connection failure due to bad password, new vbase
7480 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7481 * Test 3: Connection failure due to bad password, vbase loaded from existing
7482 * file
7483 * Test 4: Simple successful SRP connection, vbase loaded from new file
7484 * Test 5: Connection failure due to bad password, vbase loaded from new file
7485 */
7486static int test_srp(int tst)
7487{
7488 char *userid = "test", *password = "password", *tstsrpfile;
7489 SSL_CTX *cctx = NULL, *sctx = NULL;
7490 SSL *clientssl = NULL, *serverssl = NULL;
7491 int ret, testresult = 0;
7492
7493 vbase = SRP_VBASE_new(NULL);
7494 if (!TEST_ptr(vbase))
7495 goto end;
7496
7497 if (tst == 0 || tst == 1) {
7498 if (!TEST_true(create_new_vbase(userid, password)))
7499 goto end;
7500 } else {
7501 if (tst == 4 || tst == 5) {
7502 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7503 goto end;
7504 tstsrpfile = tmpfilename;
7505 } else {
7506 tstsrpfile = srpvfile;
7507 }
7508 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7509 goto end;
7510 }
7511
5e30f2fd
MC		 7512 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7513 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7514 &sctx, &cctx, cert, privkey)))
7515 goto end;
7516
7517 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7518 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7519 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7520 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7521 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7522 goto end;
7523
7524 if (tst % 2 == 1) {
7525 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7526 goto end;
7527 } else {
7528 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7529 goto end;
7530 }
7531
7532 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7533 NULL, NULL)))
7534 goto end;
7535
7536 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7537 if (ret) {
7538 if (!TEST_true(tst % 2 == 0))
7539 goto end;
7540 } else {
7541 if (!TEST_true(tst % 2 == 1))
7542 goto end;
7543 }
7544
7545 testresult = 1;
7546
7547 end:
7548 SRP_VBASE_free(vbase);
7549 vbase = NULL;
7550 SSL_free(serverssl);
7551 SSL_free(clientssl);
7552 SSL_CTX_free(sctx);
7553 SSL_CTX_free(cctx);
7554
7555 return testresult;
7556}
7557#endif
7558
5718fe45
MC		 7559static int info_cb_failed = 0;
7560static int info_cb_offset = 0;
7561static int info_cb_this_state = -1;
7562
7563static struct info_cb_states_st {
7564 int where;
7565 const char *statestr;
7566} info_cb_states[][60] = {
7567 {
7568 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7569 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7570 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7571 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7572 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7573 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7574 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7575 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7576 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7577 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7578 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7579 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7580 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7581 {SSL_CB_EXIT, NULL}, {0, NULL},
7582 }, {
7583 /* TLSv1.2 client followed by resumption */
e0f69c35 7584 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7585 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7586 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7587 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7588 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7589 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7590 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7591 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7592 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7593 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7594 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7595 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7596 }, {
7597 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7598 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7599 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7600 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7601 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7602 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7603 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7604 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7605 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7606 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7607 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7608 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7609 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7610 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7611 }, {
7612 /* TLSv1.3 client followed by resumption */
e0f69c35 7613 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7614 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7615 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7616 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7617 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7618 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7619 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7620 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7621 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7622 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7623 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7624 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7625 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7626 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7627 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7628 }, {
7629 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7630 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7631 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7632 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7633 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7634 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7635 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7636 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7637 {SSL_CB_EXIT, NULL}, {0, NULL},
7638 }, {
7639 /* TLSv1.3 client, early_data */
e0f69c35 7640 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7641 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7642 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7643 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7644 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7645 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7646 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7647 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7648 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7649 }, {
7650 /* TLSv1.3 server, certificate compression, followed by resumption */
7651 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7652 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7653 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7654 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7655 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7656 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7657 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7658 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7659 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7660 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7661 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7662 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7663 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7664 }, {
7665 /* TLSv1.3 client, certificate compression, followed by resumption */
7666 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7667 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7668 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7669 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7670 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7671 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7672 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7673 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7674 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7675 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7676 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7677 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7678 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7679 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7680 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7681 }, {
7682 {0, NULL},
7683 }
7684};
7685
7686static void sslapi_info_callback(const SSL *s, int where, int ret)
7687{
7688 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7689
7690 /* We do not ever expect a connection to fail in this test */
7691 if (!TEST_false(ret == 0)) {
7692 info_cb_failed = 1;
7693 return;
7694 }
7695
7696 /*
7697 * Do some sanity checks. We never expect these things to happen in this
7698 * test
7699 */
7700 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7701 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7702 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7703 info_cb_failed = 1;
7704 return;
7705 }
7706
7707 /* Now check we're in the right state */
7708 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7709 info_cb_failed = 1;
7710 return;
7711 }
7712 if ((where & SSL_CB_LOOP) != 0
7713 && !TEST_int_eq(strcmp(SSL_state_string(s),
7714 state[info_cb_this_state].statestr), 0)) {
7715 info_cb_failed = 1;
7716 return;
7717 }
033c181b 7718
4af5836b
MC		 7719 /*
7720 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7721 */
7722 if ((where & SSL_CB_HANDSHAKE_DONE)
7723 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7724 info_cb_failed = 1;
7725 return;
7726 }
5718fe45
MC		 7727}
7728
7729/*
7730 * Test the info callback gets called when we expect it to.
7731 *
7732 * Test 0: TLSv1.2, server
7733 * Test 1: TLSv1.2, client
7734 * Test 2: TLSv1.3, server
7735 * Test 3: TLSv1.3, client
7736 * Test 4: TLSv1.3, server, early_data
7737 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7738 * Test 6: TLSv1.3, server, compressed certificate
7739 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7740 */
7741static int test_info_callback(int tst)
7742{
7743 SSL_CTX *cctx = NULL, *sctx = NULL;
7744 SSL *clientssl = NULL, *serverssl = NULL;
7745 SSL_SESSION *clntsess = NULL;
7746 int testresult = 0;
7747 int tlsvers;
7748
7749 if (tst < 2) {
1aac20f5
MC		 7750/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7751#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7752 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7753 tlsvers = TLS1_2_VERSION;
7754#else
7755 return 1;
7756#endif
7757 } else {
a763ca11 7758#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7759 tlsvers = TLS1_3_VERSION;
7760#else
7761 return 1;
7762#endif
7763 }
7764
7765 /* Reset globals */
7766 info_cb_failed = 0;
7767 info_cb_this_state = -1;
7768 info_cb_offset = tst;
7769
a763ca11 7770#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7771 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7772 SSL_SESSION *sess = NULL;
7773 size_t written, readbytes;
7774 unsigned char buf[80];
7775
7776 /* early_data tests */
7777 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 7778 &serverssl, &sess, 0,
7779 SHA384_DIGEST_LENGTH)))
5718fe45
MC		 7780 goto end;
7781
7782 /* We don't actually need this reference */
7783 SSL_SESSION_free(sess);
7784
7785 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7786 sslapi_info_callback);
7787
7788 /* Write and read some early data and then complete the connection */
7789 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7790 &written))
7791 || !TEST_size_t_eq(written, strlen(MSG1))
7792 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7793 sizeof(buf), &readbytes),
7794 SSL_READ_EARLY_DATA_SUCCESS)
7795 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7796 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7797 SSL_EARLY_DATA_ACCEPTED)
7798 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7799 SSL_ERROR_NONE))
7800 || !TEST_false(info_cb_failed))
7801 goto end;
7802
7803 testresult = 1;
7804 goto end;
7805 }
6e07834c 7806#endif
5718fe45 7807
5e30f2fd 7808 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7809 TLS_client_method(),
7810 tlsvers, tlsvers, &sctx, &cctx, cert,
7811 privkey)))
7812 goto end;
7813
33c39a06
MC		 7814 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7815 goto end;
7816
5718fe45
MC		 7817 /*
7818 * For even numbered tests we check the server callbacks. For odd numbers we
7819 * check the client.
7820 */
7821 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7822 sslapi_info_callback);
b67cb09f
TS		 7823 if (tst >= 6) {
7824 if (!SSL_CTX_compress_certs(sctx, 0))
7825 goto end;
7826 }
5718fe45
MC		 7827
7828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7829 &clientssl, NULL, NULL))
7830 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7831 SSL_ERROR_NONE))
7832 || !TEST_false(info_cb_failed))
7833 goto end;
7834
7835
7836
7837 clntsess = SSL_get1_session(clientssl);
7838 SSL_shutdown(clientssl);
7839 SSL_shutdown(serverssl);
7840 SSL_free(serverssl);
7841 SSL_free(clientssl);
7842 serverssl = clientssl = NULL;
7843
7844 /* Now do a resumption */
7845 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7846 NULL))
7847 || !TEST_true(SSL_set_session(clientssl, clntsess))
7848 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7849 SSL_ERROR_NONE))
7850 || !TEST_true(SSL_session_reused(clientssl))
7851 || !TEST_false(info_cb_failed))
7852 goto end;
7853
7854 testresult = 1;
7855
7856 end:
7857 SSL_free(serverssl);
7858 SSL_free(clientssl);
7859 SSL_SESSION_free(clntsess);
7860 SSL_CTX_free(sctx);
7861 SSL_CTX_free(cctx);
7862 return testresult;
7863}
7864
4a432af8
MC		 7865static int test_ssl_pending(int tst)
7866{
7867 SSL_CTX *cctx = NULL, *sctx = NULL;
7868 SSL *clientssl = NULL, *serverssl = NULL;
7869 int testresult = 0;
7870 char msg[] = "A test message";
7871 char buf[5];
7872 size_t written, readbytes;
7873
7874 if (tst == 0) {
5e30f2fd 7875 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7876 TLS_client_method(),
5c587fb6 7877 TLS1_VERSION, 0,
4a432af8
MC		 7878 &sctx, &cctx, cert, privkey)))
7879 goto end;
7880 } else {
7881#ifndef OPENSSL_NO_DTLS
5e30f2fd 7882 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7883 DTLS_client_method(),
5c587fb6 7884 DTLS1_VERSION, 0,
4a432af8
MC		 7885 &sctx, &cctx, cert, privkey)))
7886 goto end;
8ce390e1
MC		 7887
7888# ifdef OPENSSL_NO_DTLS1_2
7889 /* Not supported in the FIPS provider */
7890 if (is_fips) {
7891 testresult = 1;
7892 goto end;
7893 };
7894 /*
7895 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7896 * level 0
7897 */
7898 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7899 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7900 "DEFAULT:@SECLEVEL=0")))
7901 goto end;
7902# endif
4a432af8
MC		 7903#else
7904 return 1;
7905#endif
7906 }
7907
7908 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7909 NULL, NULL))
7910 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7911 SSL_ERROR_NONE)))
7912 goto end;
7913
e8251092
MC		 7914 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7915 || !TEST_false(SSL_has_pending(clientssl))
7916 || !TEST_int_eq(SSL_pending(serverssl), 0)
7917 || !TEST_false(SSL_has_pending(serverssl))
7918 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7919 || !TEST_size_t_eq(written, sizeof(msg))
7920 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7921 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7922 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7923 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7924 goto end;
7925
7926 testresult = 1;
7927
7928 end:
7929 SSL_free(serverssl);
7930 SSL_free(clientssl);
7931 SSL_CTX_free(sctx);
7932 SSL_CTX_free(cctx);
7933
7934 return testresult;
7935}
7936
e401389a
MC		 7937static struct {
7938 unsigned int maxprot;
7939 const char *clntciphers;
7940 const char *clnttls13ciphers;
7941 const char *srvrciphers;
7942 const char *srvrtls13ciphers;
7943 const char *shared;
a96e6c34 7944 const char *fipsshared;
e401389a 7945} shared_ciphers_data[] = {
60155b9a
MC		 7946/*
7947 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7948 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7949 */
a763ca11 7950#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7951 {
7952 TLS1_2_VERSION,
7953 "AES128-SHA:AES256-SHA",
7954 NULL,
7955 "AES256-SHA:DHE-RSA-AES128-SHA",
7956 NULL,
a96e6c34 7957 "AES256-SHA",
e401389a
MC		 7958 "AES256-SHA"
7959 },
a96e6c34
MC		 7960# if !defined(OPENSSL_NO_CHACHA) \
7961 && !defined(OPENSSL_NO_POLY1305) \
7962 && !defined(OPENSSL_NO_EC)
7963 {
7964 TLS1_2_VERSION,
7965 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7966 NULL,
7967 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7968 NULL,
7969 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7970 "AES128-SHA"
7971 },
7972# endif
e401389a
MC		 7973 {
7974 TLS1_2_VERSION,
7975 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7976 NULL,
7977 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7978 NULL,
a96e6c34 7979 "AES128-SHA:AES256-SHA",
e401389a
MC		 7980 "AES128-SHA:AES256-SHA"
7981 },
7982 {
7983 TLS1_2_VERSION,
7984 "AES128-SHA:AES256-SHA",
7985 NULL,
7986 "AES128-SHA:DHE-RSA-AES128-SHA",
7987 NULL,
a96e6c34 7988 "AES128-SHA",
e401389a
MC		 7989 "AES128-SHA"
7990 },
60155b9a
MC		 7991#endif
7992/*
7993 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7994 * enabled.
7995 */
a763ca11 7996#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7997 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7998 {
7999 TLS1_3_VERSION,
8000 "AES128-SHA:AES256-SHA",
8001 NULL,
8002 "AES256-SHA:AES128-SHA256",
8003 NULL,
8004 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 8005 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8006 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 8007 },
60155b9a 8008#endif
a763ca11 8009#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 8010 {
8011 TLS1_3_VERSION,
8012 "AES128-SHA",
8013 "TLS_AES_256_GCM_SHA384",
8014 "AES256-SHA",
8015 "TLS_AES_256_GCM_SHA384",
a96e6c34 8016 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 8017 "TLS_AES_256_GCM_SHA384"
8018 },
8019#endif
8020};
8021
a96e6c34 8022static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 8023{
8024 SSL_CTX *cctx = NULL, *sctx = NULL;
8025 SSL *clientssl = NULL, *serverssl = NULL;
8026 int testresult = 0;
8027 char buf[1024];
b4250010 8028 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 8029
8030 if (!TEST_ptr(tmplibctx))
8031 goto end;
8032
8033 /*
8034 * Regardless of whether we're testing with the FIPS provider loaded into
8035 * libctx, we want one peer to always use the full set of ciphersuites
8036 * available. Therefore we use a separate libctx with the default provider
8037 * loaded into it. We run the same tests twice - once with the client side
8038 * having the full set of ciphersuites and once with the server side.
8039 */
8040 if (clnt) {
d8652be0 8041 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 8042 if (!TEST_ptr(cctx))
8043 goto end;
8044 } else {
d8652be0 8045 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 8046 if (!TEST_ptr(sctx))
8047 goto end;
8048 }
e401389a 8049
5e30f2fd 8050 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 8051 TLS_client_method(),
8052 TLS1_VERSION,
8053 shared_ciphers_data[tst].maxprot,
8054 &sctx, &cctx, cert, privkey)))
8055 goto end;
8056
8057 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8058 shared_ciphers_data[tst].clntciphers))
8059 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8060 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8061 shared_ciphers_data[tst].clnttls13ciphers)))
8062 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8063 shared_ciphers_data[tst].srvrciphers))
8064 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8065 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8066 shared_ciphers_data[tst].srvrtls13ciphers))))
8067 goto end;
8068
8069
8070 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8071 NULL, NULL))
8072 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8073 SSL_ERROR_NONE)))
8074 goto end;
8075
8076 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 8077 || !TEST_int_eq(strcmp(buf,
8078 is_fips
8079 ? shared_ciphers_data[tst].fipsshared
8080 : shared_ciphers_data[tst].shared),
8081 0)) {
e401389a
MC		 8082 TEST_info("Shared ciphers are: %s\n", buf);
8083 goto end;
8084 }
8085
8086 testresult = 1;
8087
8088 end:
8089 SSL_free(serverssl);
8090 SSL_free(clientssl);
8091 SSL_CTX_free(sctx);
8092 SSL_CTX_free(cctx);
b4250010 8093 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 8094
8095 return testresult;
8096}
8097
a96e6c34
MC		 8098static int test_ssl_get_shared_ciphers(int tst)
8099{
8100 return int_test_ssl_get_shared_ciphers(tst, 0)
8101 && int_test_ssl_get_shared_ciphers(tst, 1);
8102}
8103
8104
d0191fe0 8105static const char *appdata = "Hello World";
61fb5923
MC		 8106static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8107static int tick_key_renew = 0;
8108static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 8109
8110static int gen_tick_cb(SSL *s, void *arg)
8111{
8112 gen_tick_called = 1;
8113
8114 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8115 strlen(appdata));
8116}
8117
8118static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8119 const unsigned char *keyname,
8120 size_t keyname_length,
61fb5923
MC		 8121 SSL_TICKET_STATUS status,
8122 void *arg)
d0191fe0
MC		 8123{
8124 void *tickdata;
8125 size_t tickdlen;
8126
8127 dec_tick_called = 1;
8128
61fb5923
MC		 8129 if (status == SSL_TICKET_EMPTY)
8130 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 8131
61fb5923
MC		 8132 if (!TEST_true(status == SSL_TICKET_SUCCESS
8133 || status == SSL_TICKET_SUCCESS_RENEW))
8134 return SSL_TICKET_RETURN_ABORT;
8135
8136 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8137 &tickdlen))
d0191fe0
MC		 8138 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8139 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 8140 return SSL_TICKET_RETURN_ABORT;
d0191fe0 8141
61fb5923
MC		 8142 if (tick_key_cb_called) {
8143 /* Don't change what the ticket key callback wanted to do */
8144 switch (status) {
8145 case SSL_TICKET_NO_DECRYPT:
8146 return SSL_TICKET_RETURN_IGNORE_RENEW;
8147
8148 case SSL_TICKET_SUCCESS:
8149 return SSL_TICKET_RETURN_USE;
d0191fe0 8150
61fb5923
MC		 8151 case SSL_TICKET_SUCCESS_RENEW:
8152 return SSL_TICKET_RETURN_USE_RENEW;
8153
8154 default:
8155 return SSL_TICKET_RETURN_ABORT;
8156 }
8157 }
8158 return tick_dec_ret;
8159
8160}
d0191fe0 8161
a76ce286 8162#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 8163static int tick_key_cb(SSL *s, unsigned char key_name[16],
8164 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8165 HMAC_CTX *hctx, int enc)
8166{
8167 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8168 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 8169 EVP_CIPHER *aes128cbc;
8170 EVP_MD *sha256;
5e30f2fd 8171 int ret;
d0191fe0 8172
61fb5923 8173 tick_key_cb_called = 1;
3b7a3241
MC		 8174
8175 if (tick_key_renew == -1)
8176 return 0;
8177
8178 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8179 if (!TEST_ptr(aes128cbc))
8180 return 0;
8181 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8182 if (!TEST_ptr(sha256)) {
8183 EVP_CIPHER_free(aes128cbc);
8184 return 0;
8185 }
8186
d0191fe0
MC		 8187 memset(iv, 0, AES_BLOCK_SIZE);
8188 memset(key_name, 0, 16);
5e30f2fd
MC		 8189 if (aes128cbc == NULL
8190 || sha256 == NULL
8191 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8192 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8193 NULL))
8194 ret = -1;
8195 else
8196 ret = tick_key_renew ? 2 : 1;
d0191fe0 8197
5e30f2fd
MC		 8198 EVP_CIPHER_free(aes128cbc);
8199 EVP_MD_free(sha256);
8200
8201 return ret;
d0191fe0 8202}
a76ce286
P		 8203#endif
8204
8205static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8206 unsigned char iv[EVP_MAX_IV_LENGTH],
8207 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8208{
8209 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8210 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 8211 OSSL_PARAM params[2];
3b7a3241 8212 EVP_CIPHER *aes128cbc;
5e30f2fd 8213 int ret;
a76ce286
P		 8214
8215 tick_key_cb_called = 1;
3b7a3241
MC		 8216
8217 if (tick_key_renew == -1)
8218 return 0;
8219
8220 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8221 if (!TEST_ptr(aes128cbc))
8222 return 0;
8223
a76ce286
P		 8224 memset(iv, 0, AES_BLOCK_SIZE);
8225 memset(key_name, 0, 16);
8226 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8227 "SHA256", 0);
77e4ae58 8228 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 8229 if (aes128cbc == NULL
8230 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 8231 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8232 params))
5e30f2fd
MC		 8233 ret = -1;
8234 else
8235 ret = tick_key_renew ? 2 : 1;
8236
8237 EVP_CIPHER_free(aes128cbc);
a76ce286 8238
5e30f2fd 8239 return ret;
a76ce286 8240}
d0191fe0
MC		 8241
8242/*
8243 * Test the various ticket callbacks
61fb5923
MC		 8244 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8245 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8246 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8247 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8248 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8249 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8250 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8251 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 8252 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8253 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8254 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8255 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 8256 * Test 12: TLSv1.2, old ticket key callback, no ticket
8257 * Test 13: TLSv1.3, old ticket key callback, no ticket
8258 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8259 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8260 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8261 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8262 * Test 18: TLSv1.2, ticket key callback, no ticket
8263 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 8264 */
8265static int test_ticket_callbacks(int tst)
8266{
8267 SSL_CTX *cctx = NULL, *sctx = NULL;
8268 SSL *clientssl = NULL, *serverssl = NULL;
8269 SSL_SESSION *clntsess = NULL;
8270 int testresult = 0;
8271
8272#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 8273 if (tst % 2 == 0)
d0191fe0
MC		 8274 return 1;
8275#endif
a763ca11 8276#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 8277 if (tst % 2 == 1)
d0191fe0
MC		 8278 return 1;
8279#endif
a76ce286 8280#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 8281 if (tst >= 8 && tst <= 13)
a76ce286
P		 8282 return 1;
8283#endif
d0191fe0 8284
61fb5923 8285 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 8286
8287 /* Which tests the ticket key callback should request renewal for */
3c95ef22 8288
3b7a3241 8289 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 8290 tick_key_renew = 1;
3b7a3241
MC		 8291 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8292 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 8293 else
61fb5923
MC		 8294 tick_key_renew = 0;
8295
8296 /* Which tests the decrypt ticket callback should request renewal for */
8297 switch (tst) {
8298 case 0:
8299 case 1:
8300 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8301 break;
8302
8303 case 2:
8304 case 3:
8305 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8306 break;
8307
8308 case 4:
8309 case 5:
8310 tick_dec_ret = SSL_TICKET_RETURN_USE;
8311 break;
8312
8313 case 6:
8314 case 7:
8315 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8316 break;
8317
8318 default:
8319 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8320 }
d0191fe0 8321
5e30f2fd 8322 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 8323 TLS_client_method(),
8324 TLS1_VERSION,
61fb5923
MC		 8325 ((tst % 2) == 0) ? TLS1_2_VERSION
8326 : TLS1_3_VERSION,
d0191fe0
MC		 8327 &sctx, &cctx, cert, privkey)))
8328 goto end;
8329
61fb5923
MC		 8330 /*
8331 * We only want sessions to resume from tickets - not the session cache. So
8332 * switch the cache off.
8333 */
8334 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8335 goto end;
8336
d0191fe0
MC		 8337 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8338 NULL)))
8339 goto end;
8340
3b7a3241 8341 if (tst >= 14) {
a76ce286
P		 8342 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8343 goto end;
8344#ifndef OPENSSL_NO_DEPRECATED_3_0
8345 } else if (tst >= 8) {
8346 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8347 goto end;
8348#endif
8349 }
d0191fe0
MC		 8350
8351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8352 NULL, NULL))
8353 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8354 SSL_ERROR_NONE)))
8355 goto end;
8356
61fb5923
MC		 8357 /*
8358 * The decrypt ticket key callback in TLSv1.2 should be called even though
8359 * we have no ticket yet, because it gets called with a status of
8360 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8361 * actually send any ticket data). This does not happen in TLSv1.3 because
8362 * it is not valid to send empty ticket data in TLSv1.3.
8363 */
d0191fe0 8364 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 8365 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 8366 goto end;
8367
8368 gen_tick_called = dec_tick_called = 0;
8369
8370 clntsess = SSL_get1_session(clientssl);
8371 SSL_shutdown(clientssl);
8372 SSL_shutdown(serverssl);
8373 SSL_free(serverssl);
8374 SSL_free(clientssl);
8375 serverssl = clientssl = NULL;
8376
8377 /* Now do a resumption */
8378 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8379 NULL))
8380 || !TEST_true(SSL_set_session(clientssl, clntsess))
8381 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 8382 SSL_ERROR_NONE)))
d0191fe0
MC		 8383 goto end;
8384
61fb5923 8385 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 8386 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8387 || tick_key_renew == -1) {
61fb5923
MC		 8388 if (!TEST_false(SSL_session_reused(clientssl)))
8389 goto end;
8390 } else {
8391 if (!TEST_true(SSL_session_reused(clientssl)))
8392 goto end;
8393 }
8394
d0191fe0 8395 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 8396 (tick_key_renew
8397 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8398 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8399 ? 1 : 0)
3b7a3241
MC		 8400 /* There is no ticket to decrypt in tests 13 and 19 */
8401 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 8402 goto end;
8403
8404 testresult = 1;
8405
8406 end:
8407 SSL_SESSION_free(clntsess);
8408 SSL_free(serverssl);
8409 SSL_free(clientssl);
8410 SSL_CTX_free(sctx);
8411 SSL_CTX_free(cctx);
8412
8413 return testresult;
8414}
8415
e638112e
DB		 8416/*
8417 * Test incorrect shutdown.
8418 * Test 0: client does not shutdown properly,
8419 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8420 * server should get SSL_ERROR_SSL
8421 * Test 1: client does not shutdown properly,
8422 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8423 * server should get SSL_ERROR_ZERO_RETURN
8424 */
8425static int test_incorrect_shutdown(int tst)
8426{
8427 SSL_CTX *cctx = NULL, *sctx = NULL;
8428 SSL *clientssl = NULL, *serverssl = NULL;
8429 int testresult = 0;
8430 char buf[80];
8431 BIO *c2s;
8432
8433 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8434 TLS_client_method(), 0, 0,
8435 &sctx, &cctx, cert, privkey)))
8436 goto end;
8437
8438 if (tst == 1)
8439 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8440
8441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8442 NULL, NULL)))
8443 goto end;
8444
8445 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8446 SSL_ERROR_NONE)))
8447 goto end;
8448
8449 c2s = SSL_get_rbio(serverssl);
8450 BIO_set_mem_eof_return(c2s, 0);
8451
8452 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8453 goto end;
8454
8455 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8456 goto end;
8457 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8458 goto end;
8459
8460 testresult = 1;
8461
8462 end:
8463 SSL_free(serverssl);
8464 SSL_free(clientssl);
8465 SSL_CTX_free(sctx);
8466 SSL_CTX_free(cctx);
8467
8468 return testresult;
8469}
8470
c748834f
MC		 8471/*
8472 * Test bi-directional shutdown.
8473 * Test 0: TLSv1.2
8474 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8475 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8476 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 8477 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8478 * sends key update, client reads it
57d7b988
MC		 8479 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8480 * sends CertificateRequest, client reads and ignores it
8481 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 8482 * doesn't read it
8483 */
8484static int test_shutdown(int tst)
8485{
8486 SSL_CTX *cctx = NULL, *sctx = NULL;
8487 SSL *clientssl = NULL, *serverssl = NULL;
8488 int testresult = 0;
8489 char msg[] = "A test message";
8490 char buf[80];
8491 size_t written, readbytes;
80eff008 8492 SSL_SESSION *sess;
c748834f
MC		 8493
8494#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8495 if (tst <= 1)
c748834f
MC		 8496 return 1;
8497#endif
a763ca11 8498#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8499 if (tst >= 2)
c748834f
MC		 8500 return 1;
8501#endif
8502
5e30f2fd 8503 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8504 TLS_client_method(),
8505 TLS1_VERSION,
8506 (tst <= 1) ? TLS1_2_VERSION
8507 : TLS1_3_VERSION,
57d7b988
MC		 8508 &sctx, &cctx, cert, privkey)))
8509 goto end;
8510
8511 if (tst == 5)
8512 SSL_CTX_set_post_handshake_auth(cctx, 1);
8513
8514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8515 NULL, NULL)))
8516 goto end;
8517
8518 if (tst == 3) {
8519 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8520 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8521 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8522 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8523 goto end;
8524 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8525 SSL_ERROR_NONE))
8526 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8527 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8528 goto end;
8529 }
8530
8531 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8532 goto end;
8533
8534 if (tst >= 4) {
8535 /*
8536 * Reading on the server after the client has sent close_notify should
8537 * fail and provide SSL_ERROR_ZERO_RETURN
8538 */
8539 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8540 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8541 SSL_ERROR_ZERO_RETURN)
8542 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8543 SSL_RECEIVED_SHUTDOWN)
8544 /*
8545 * Even though we're shutdown on receive we should still be
8546 * able to write.
8547 */
80eff008
KR		 8548 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8549 goto end;
57d7b988
MC		 8550 if (tst == 4
8551 && !TEST_true(SSL_key_update(serverssl,
8552 SSL_KEY_UPDATE_REQUESTED)))
8553 goto end;
8554 if (tst == 5) {
8555 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8556 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8557 goto end;
8558 }
8559 if ((tst == 4 || tst == 5)
8560 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8561 goto end;
8562 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8563 goto end;
57d7b988 8564 if (tst == 4 || tst == 5) {
80eff008 8565 /* Should still be able to read data from server */
c748834f 8566 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8567 &readbytes))
8568 || !TEST_size_t_eq(readbytes, sizeof(msg))
8569 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8570 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8571 &readbytes))
c748834f
MC		 8572 || !TEST_size_t_eq(readbytes, sizeof(msg))
8573 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8574 goto end;
8575 }
8576 }
8577
8578 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8579 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8580 goto end;
8581
8582 if (tst < 4) {
8583 /*
8584 * For these tests the client has sent close_notify but it has not yet
8585 * been received by the server. The server has not sent close_notify
8586 * yet.
8587 */
8588 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8589 /*
8590 * Writing on the server after sending close_notify shouldn't
8591 * be possible.
8592 */
8593 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8594 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8595 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8596 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8597 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8598 goto end;
57d7b988 8599 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8600 /*
8601 * In this test the client has sent close_notify and it has been
8602 * received by the server which has responded with a close_notify. The
358ffa05 8603 * client needs to read the close_notify sent by the server.
c748834f 8604 */
80eff008
KR		 8605 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8606 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8607 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8608 goto end;
358ffa05
MC		 8609 } else {
8610 /*
57d7b988 8611 * tst == 6
358ffa05
MC		 8612 *
8613 * The client has sent close_notify and is expecting a close_notify
8614 * back, but instead there is application data first. The shutdown
8615 * should fail with a fatal error.
8616 */
8617 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8618 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8619 goto end;
c748834f
MC		 8620 }
8621
8622 testresult = 1;
8623
8624 end:
8625 SSL_free(serverssl);
8626 SSL_free(clientssl);
8627 SSL_CTX_free(sctx);
8628 SSL_CTX_free(cctx);
8629
8630 return testresult;
8631}
8632
cbf965b4
MC		 8633/*
8634 * Test that sending close_notify alerts works correctly in the case of a
8635 * retryable write failure.
8636 */
8637static int test_async_shutdown(void)
8638{
8639 SSL_CTX *cctx = NULL, *sctx = NULL;
8640 SSL *clientssl = NULL, *serverssl = NULL;
8641 int testresult = 0;
8642 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8643
8644 if (!TEST_ptr(bretry))
8645 goto end;
8646
8647 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8648 TLS_client_method(),
8649 0, 0,
8650 &sctx, &cctx, cert, privkey)))
8651 goto end;
8652
8653 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8654 NULL)))
8655 goto end;
8656
8657 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8658 goto end;
8659
8660 /* Close write side of clientssl */
8661 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8662 goto end;
8663
8664 tmp = SSL_get_wbio(serverssl);
8665 if (!TEST_true(BIO_up_ref(tmp))) {
8666 tmp = NULL;
8667 goto end;
8668 }
8669 SSL_set0_wbio(serverssl, bretry);
8670 bretry = NULL;
8671
8672 /* First server shutdown should fail because of a retrable write failure */
8673 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8674 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8675 goto end;
8676
8677 /* Second server shutdown should fail for the same reason */
8678 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8679 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8680 goto end;
8681
8682 SSL_set0_wbio(serverssl, tmp);
8683 tmp = NULL;
8684
8685 /* Third server shutdown should send close_notify */
8686 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8687 goto end;
8688
8689 /* Fourth server shutdown should read close_notify from client and finish */
8690 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8691 goto end;
8692
8693 /* Client should also successfully fully shutdown */
8694 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8695 goto end;
8696
8697 testresult = 1;
8698 end:
8699 SSL_free(serverssl);
8700 SSL_free(clientssl);
8701 SSL_CTX_free(sctx);
8702 SSL_CTX_free(cctx);
8703 BIO_free(bretry);
8704 BIO_free(tmp);
8705
8706 return testresult;
8707}
8708
a763ca11 8709#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8710static int cert_cb_cnt;
8711
8712static int cert_cb(SSL *s, void *arg)
8713{
8714 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8715 BIO *in = NULL;
8716 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8717 X509 *x509 = NULL, *rootx = NULL;
8718 STACK_OF(X509) *chain = NULL;
8719 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8720 int ret = 0;
cd6fe29f
MC		 8721
8722 if (cert_cb_cnt == 0) {
8723 /* Suspend the handshake */
8724 cert_cb_cnt++;
8725 return -1;
8726 } else if (cert_cb_cnt == 1) {
8727 /*
8728 * Update the SSL_CTX, set the certificate and private key and then
8729 * continue the handshake normally.
8730 */
8731 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8732 return 0;
8733
8734 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8735 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8736 SSL_FILETYPE_PEM))
8737 || !TEST_true(SSL_check_private_key(s)))
8738 return 0;
8739 cert_cb_cnt++;
8740 return 1;
7cb8fb07
BK		 8741 } else if (cert_cb_cnt == 3) {
8742 int rv;
1a2a3a42
MC		 8743
8744 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8745 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8746 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8747 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8748 goto out;
8749 chain = sk_X509_new_null();
8750 if (!TEST_ptr(chain))
8751 goto out;
7cb8fb07 8752 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8753 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8754 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8755 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8756 || !TEST_true(sk_X509_push(chain, rootx)))
8757 goto out;
8758 rootx = NULL;
8759 BIO_free(in);
8760 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8761 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8762 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8763 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8764 goto out;
8765 BIO_free(in);
8766 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8767 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8768 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8769 NULL, NULL,
8770 libctx, NULL)))
7cb8fb07 8771 goto out;
1a2a3a42 8772 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8773 /*
8774 * If the cert doesn't show as valid here (e.g., because we don't
8775 * have any shared sigalgs), then we will not set it, and there will
8776 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8777 * will cause tls_choose_sigalgs() to fail the connection.
8778 */
1a2a3a42
MC		 8779 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8780 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8781 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8782 goto out;
8783 }
1a2a3a42
MC		 8784
8785 ret = 1;
cd6fe29f
MC		 8786 }
8787
8788 /* Abort the handshake */
7cb8fb07 8789 out:
1a2a3a42
MC		 8790 OPENSSL_free(ecdsacert);
8791 OPENSSL_free(ecdsakey);
8792 OPENSSL_free(rootfile);
7cb8fb07
BK		 8793 BIO_free(in);
8794 EVP_PKEY_free(pkey);
8795 X509_free(x509);
1a2a3a42 8796 X509_free(rootx);
79b2a2f2 8797 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8798 return ret;
cd6fe29f
MC		 8799}
8800
8801/*
8802 * Test the certificate callback.
8803 * Test 0: Callback fails
8804 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8805 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8806 * Test 3: Success - Call SSL_check_chain from the callback
8807 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8808 * chain
8809 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8810 */
8811static int test_cert_cb_int(int prot, int tst)
8812{
8813 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8814 SSL *clientssl = NULL, *serverssl = NULL;
8815 int testresult = 0, ret;
8816
1a2a3a42
MC		 8817#ifdef OPENSSL_NO_EC
8818 /* We use an EC cert in these tests, so we skip in a no-ec build */
8819 if (tst >= 3)
8820 return 1;
8821#endif
8822
5e30f2fd 8823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8824 TLS_client_method(),
8825 TLS1_VERSION,
8826 prot,
8827 &sctx, &cctx, NULL, NULL)))
8828 goto end;
8829
8830 if (tst == 0)
8831 cert_cb_cnt = -1;
1a2a3a42 8832 else if (tst >= 3)
7cb8fb07 8833 cert_cb_cnt = 3;
cd6fe29f
MC		 8834 else
8835 cert_cb_cnt = 0;
1a2a3a42 8836
b0317df2 8837 if (tst == 2) {
7e1eda48 8838 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8839 if (!TEST_ptr(snictx))
8840 goto end;
8841 }
8842
cd6fe29f
MC		 8843 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8844
8845 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8846 NULL, NULL)))
8847 goto end;
8848
1a2a3a42
MC		 8849 if (tst == 4) {
8850 /*
8851 * We cause SSL_check_chain() to fail by specifying sig_algs that
8852 * the chain doesn't meet (the root uses an RSA cert)
8853 */
8854 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8855 "ecdsa_secp256r1_sha256")))
8856 goto end;
8857 } else if (tst == 5) {
8858 /*
8859 * We cause SSL_check_chain() to fail by specifying sig_algs that
8860 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8861 */
8862 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8863 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8864 goto end;
8865 }
8866
cd6fe29f 8867 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8868 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8869 || (tst > 0
8870 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8871 goto end;
8872 }
8873
8874 testresult = 1;
8875
8876 end:
8877 SSL_free(serverssl);
8878 SSL_free(clientssl);
8879 SSL_CTX_free(sctx);
8880 SSL_CTX_free(cctx);
8881 SSL_CTX_free(snictx);
8882
8883 return testresult;
8884}
7f1d923a 8885#endif
cd6fe29f
MC		 8886
8887static int test_cert_cb(int tst)
8888{
8889 int testresult = 1;
8890
8891#ifndef OPENSSL_NO_TLS1_2
8892 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8893#endif
a763ca11 8894#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8895 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8896#endif
8897
8898 return testresult;
8899}
8900
6e46c065
MC		 8901static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8902{
8c2bfd25 8903 X509 *xcert;
6e46c065
MC		 8904 EVP_PKEY *privpkey;
8905 BIO *in = NULL;
6725682d 8906 BIO *priv_in = NULL;
6e46c065 8907
8c2bfd25
TS		 8908 /* Check that SSL_get0_peer_certificate() returns something sensible */
8909 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8910 return 0;
6e46c065
MC		 8911
8912 in = BIO_new_file(cert, "r");
8913 if (!TEST_ptr(in))
8914 return 0;
8915
d8652be0 8916 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8917 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8918 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8919 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8920 NULL, NULL,
8921 libctx, NULL)))
6725682d 8922 goto err;
6e46c065
MC		 8923
8924 *x509 = xcert;
8925 *pkey = privpkey;
8926
6725682d
SL		 8927 BIO_free(in);
8928 BIO_free(priv_in);
6e46c065 8929 return 1;
6725682d
SL		 8930err:
8931 X509_free(xcert);
8932 BIO_free(in);
8933 BIO_free(priv_in);
8934 return 0;
6e46c065
MC		 8935}
8936
6e46c065
MC		 8937static int test_client_cert_cb(int tst)
8938{
8939 SSL_CTX *cctx = NULL, *sctx = NULL;
8940 SSL *clientssl = NULL, *serverssl = NULL;
8941 int testresult = 0;
8942
8943#ifdef OPENSSL_NO_TLS1_2
8944 if (tst == 0)
8945 return 1;
8946#endif
a763ca11 8947#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8948 if (tst == 1)
8949 return 1;
8950#endif
8951
5e30f2fd 8952 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8953 TLS_client_method(),
8954 TLS1_VERSION,
8955 tst == 0 ? TLS1_2_VERSION
8956 : TLS1_3_VERSION,
8957 &sctx, &cctx, cert, privkey)))
8958 goto end;
8959
8960 /*
8961 * Test that setting a client_cert_cb results in a client certificate being
8962 * sent.
8963 */
8964 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8965 SSL_CTX_set_verify(sctx,
8966 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8967 verify_cb);
fb8c8359
MC		 8968
8969 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8970 NULL, NULL))
8971 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8972 SSL_ERROR_NONE)))
8973 goto end;
8974
8975 testresult = 1;
8976
8977 end:
8978 SSL_free(serverssl);
8979 SSL_free(clientssl);
8980 SSL_CTX_free(sctx);
8981 SSL_CTX_free(cctx);
8982
8983 return testresult;
8984}
8985
a763ca11 8986#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8987/*
8988 * Test setting certificate authorities on both client and server.
8989 *
8990 * Test 0: SSL_CTX_set0_CA_list() only
8991 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8992 * Test 2: Only SSL_CTX_set_client_CA_list()
8993 */
8994static int test_ca_names_int(int prot, int tst)
8995{
8996 SSL_CTX *cctx = NULL, *sctx = NULL;
8997 SSL *clientssl = NULL, *serverssl = NULL;
8998 int testresult = 0;
8999 size_t i;
9000 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9001 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9002 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9003 const STACK_OF(X509_NAME) *sktmp = NULL;
9004
9005 for (i = 0; i < OSSL_NELEM(name); i++) {
9006 name[i] = X509_NAME_new();
9007 if (!TEST_ptr(name[i])
9008 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9009 MBSTRING_ASC,
9010 (unsigned char *)
9011 strnames[i],
9012 -1, -1, 0)))
9013 goto end;
9014 }
9015
5e30f2fd 9016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 9017 TLS_client_method(),
9018 TLS1_VERSION,
9019 prot,
9020 &sctx, &cctx, cert, privkey)))
9021 goto end;
9022
9023 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9024
9025 if (tst == 0 || tst == 1) {
9026 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9027 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9028 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9029 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9030 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9031 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9032 goto end;
9033
9034 SSL_CTX_set0_CA_list(sctx, sk1);
9035 SSL_CTX_set0_CA_list(cctx, sk2);
9036 sk1 = sk2 = NULL;
9037 }
9038 if (tst == 1 || tst == 2) {
9039 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9040 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9041 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9042 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9043 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9044 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9045 goto end;
9046
9047 SSL_CTX_set_client_CA_list(sctx, sk1);
9048 SSL_CTX_set_client_CA_list(cctx, sk2);
9049 sk1 = sk2 = NULL;
9050 }
9051
6e46c065
MC		 9052 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9053 NULL, NULL))
9054 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9055 SSL_ERROR_NONE)))
9056 goto end;
9057
fb8c8359
MC		 9058 /*
9059 * We only expect certificate authorities to have been sent to the server
9060 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9061 */
9062 sktmp = SSL_get0_peer_CA_list(serverssl);
9063 if (prot == TLS1_3_VERSION
9064 && (tst == 0 || tst == 1)) {
9065 if (!TEST_ptr(sktmp)
9066 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9067 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9068 name[0]), 0)
9069 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9070 name[1]), 0))
9071 goto end;
9072 } else if (!TEST_ptr_null(sktmp)) {
9073 goto end;
9074 }
9075
9076 /*
9077 * In all tests we expect certificate authorities to have been sent to the
9078 * client. However, SSL_set_client_CA_list() should override
9079 * SSL_set0_CA_list()
9080 */
9081 sktmp = SSL_get0_peer_CA_list(clientssl);
9082 if (!TEST_ptr(sktmp)
9083 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9084 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9085 name[tst == 0 ? 0 : 2]), 0)
9086 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9087 name[tst == 0 ? 1 : 3]), 0))
9088 goto end;
9089
6e46c065
MC		 9090 testresult = 1;
9091
9092 end:
9093 SSL_free(serverssl);
9094 SSL_free(clientssl);
9095 SSL_CTX_free(sctx);
9096 SSL_CTX_free(cctx);
fb8c8359
MC		 9097 for (i = 0; i < OSSL_NELEM(name); i++)
9098 X509_NAME_free(name[i]);
9099 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9100 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9101
9102 return testresult;
9103}
9104#endif
9105
9106static int test_ca_names(int tst)
9107{
9108 int testresult = 1;
9109
9110#ifndef OPENSSL_NO_TLS1_2
9111 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9112#endif
a763ca11 9113#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 9114 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9115#endif
6e46c065
MC		 9116
9117 return testresult;
9118}
9119
0d2bfe52
SL		 9120#ifndef OPENSSL_NO_TLS1_2
9121static const char *multiblock_cipherlist_data[]=
9122{
9123 "AES128-SHA",
9124 "AES128-SHA256",
9125 "AES256-SHA",
9126 "AES256-SHA256",
9127};
9128
9129/* Reduce the fragment size - so the multiblock test buffer can be small */
9130# define MULTIBLOCK_FRAGSIZE 512
9131
9132static int test_multiblock_write(int test_index)
9133{
9134 static const char *fetchable_ciphers[]=
9135 {
9136 "AES-128-CBC-HMAC-SHA1",
9137 "AES-128-CBC-HMAC-SHA256",
9138 "AES-256-CBC-HMAC-SHA1",
9139 "AES-256-CBC-HMAC-SHA256"
9140 };
9141 const char *cipherlist = multiblock_cipherlist_data[test_index];
9142 const SSL_METHOD *smeth = TLS_server_method();
9143 const SSL_METHOD *cmeth = TLS_client_method();
9144 int min_version = TLS1_VERSION;
9145 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9146 SSL_CTX *cctx = NULL, *sctx = NULL;
9147 SSL *clientssl = NULL, *serverssl = NULL;
9148 int testresult = 0;
9149
9150 /*
9151 * Choose a buffer large enough to perform a multi-block operation
9152 * i.e: write_len >= 4 * frag_size
9153 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9154 */
9155 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9156 unsigned char buf[sizeof(msg)], *p = buf;
9157 size_t readbytes, written, len;
9158 EVP_CIPHER *ciph = NULL;
9159
9160 /*
9161 * Check if the cipher exists before attempting to use it since it only has
9162 * a hardware specific implementation.
9163 */
7c82a7a8 9164 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 9165 if (ciph == NULL) {
9166 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9167 return 1;
9168 }
9169 EVP_CIPHER_free(ciph);
9170
9171 /* Set up a buffer with some data that will be sent to the client */
9172 RAND_bytes(msg, sizeof(msg));
9173
5e30f2fd
MC		 9174 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9175 max_version, &sctx, &cctx, cert,
9176 privkey)))
0d2bfe52
SL		 9177 goto end;
9178
9179 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9180 goto end;
9181
9182 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9183 NULL, NULL)))
9184 goto end;
9185
9186 /* settings to force it to use AES-CBC-HMAC_SHA */
9187 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9188 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9189 goto end;
9190
9191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9192 goto end;
9193
9194 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9195 || !TEST_size_t_eq(written, sizeof(msg)))
9196 goto end;
9197
9198 len = written;
9199 while (len > 0) {
9200 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9201 goto end;
9202 p += readbytes;
9203 len -= readbytes;
9204 }
9205 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9206 goto end;
9207
9208 testresult = 1;
9209end:
9210 SSL_free(serverssl);
9211 SSL_free(clientssl);
9212 SSL_CTX_free(sctx);
9213 SSL_CTX_free(cctx);
9214
9215 return testresult;
9216}
9217#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 9218
25959e04
TS		 9219static int test_session_timeout(int test)
9220{
9221 /*
9222 * Test session ordering and timeout
9223 * Can't explicitly test performance of the new code,
9224 * but can test to see if the ordering of the sessions
ad31628c 9225 * are correct, and they are removed as expected
25959e04
TS		 9226 */
9227 SSL_SESSION *early = NULL;
9228 SSL_SESSION *middle = NULL;
9229 SSL_SESSION *late = NULL;
9230 SSL_CTX *ctx;
9231 int testresult = 0;
9232 long now = (long)time(NULL);
9233#define TIMEOUT 10
9234
9235 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9236 || !TEST_ptr(early = SSL_SESSION_new())
9237 || !TEST_ptr(middle = SSL_SESSION_new())
9238 || !TEST_ptr(late = SSL_SESSION_new()))
9239 goto end;
9240
9241 /* assign unique session ids */
9242 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9243 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9244 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9245 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9246 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9247 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9248
9249 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9250 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9251 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9252 goto end;
9253
9254 /* Make sure they are all added */
9255 if (!TEST_ptr(early->prev)
9256 || !TEST_ptr(middle->prev)
9257 || !TEST_ptr(late->prev))
9258 goto end;
9259
9260 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9261 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9262 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9263 goto end;
9264
9265 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9266 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9267 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9268 goto end;
9269
9270 /* Make sure they are all still there */
9271 if (!TEST_ptr(early->prev)
9272 || !TEST_ptr(middle->prev)
9273 || !TEST_ptr(late->prev))
9274 goto end;
9275
9276 /* Make sure they are in the expected order */
9277 if (!TEST_ptr_eq(late->next, middle)
9278 || !TEST_ptr_eq(middle->next, early)
9279 || !TEST_ptr_eq(early->prev, middle)
9280 || !TEST_ptr_eq(middle->prev, late))
9281 goto end;
9282
9283 /* This should remove "early" */
9284 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9285 if (!TEST_ptr_null(early->prev)
9286 || !TEST_ptr(middle->prev)
9287 || !TEST_ptr(late->prev))
9288 goto end;
9289
9290 /* This should remove "middle" */
9291 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9292 if (!TEST_ptr_null(early->prev)
9293 || !TEST_ptr_null(middle->prev)
9294 || !TEST_ptr(late->prev))
9295 goto end;
9296
9297 /* This should remove "late" */
9298 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9299 if (!TEST_ptr_null(early->prev)
9300 || !TEST_ptr_null(middle->prev)
9301 || !TEST_ptr_null(late->prev))
9302 goto end;
9303
9304 /* Add them back in again */
9305 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9306 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9307 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9308 goto end;
9309
9310 /* Make sure they are all added */
9311 if (!TEST_ptr(early->prev)
9312 || !TEST_ptr(middle->prev)
9313 || !TEST_ptr(late->prev))
9314 goto end;
9315
9316 /* This should remove all of them */
9317 SSL_CTX_flush_sessions(ctx, 0);
9318 if (!TEST_ptr_null(early->prev)
9319 || !TEST_ptr_null(middle->prev)
9320 || !TEST_ptr_null(late->prev))
9321 goto end;
9322
9323 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9324 | SSL_CTX_get_session_cache_mode(ctx));
9325
9326 /* make sure |now| is NOT equal to the current time */
9327 now -= 10;
9328 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9329 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9330 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9331 goto end;
9332
9333 testresult = 1;
9334 end:
9335 SSL_CTX_free(ctx);
9336 SSL_SESSION_free(early);
9337 SSL_SESSION_free(middle);
9338 SSL_SESSION_free(late);
9339 return testresult;
9340}
9341
4a3e8f08
MC		 9342/*
9343 * Test that a session cache overflow works as expected
9344 * Test 0: TLSv1.3, timeout on new session later than old session
9345 * Test 1: TLSv1.2, timeout on new session later than old session
9346 * Test 2: TLSv1.3, timeout on new session earlier than old session
9347 * Test 3: TLSv1.2, timeout on new session earlier than old session
9348 */
9349#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9350static int test_session_cache_overflow(int idx)
9351{
9352 SSL_CTX *sctx = NULL, *cctx = NULL;
9353 SSL *serverssl = NULL, *clientssl = NULL;
9354 int testresult = 0;
9355 SSL_SESSION *sess = NULL;
9356
9357#ifdef OSSL_NO_USABLE_TLS1_3
9358 /* If no TLSv1.3 available then do nothing in this case */
9359 if (idx % 2 == 0)
9360 return TEST_skip("No TLSv1.3 available");
9361#endif
9362#ifdef OPENSSL_NO_TLS1_2
9363 /* If no TLSv1.2 available then do nothing in this case */
9364 if (idx % 2 == 1)
9365 return TEST_skip("No TLSv1.2 available");
9366#endif
9367
9368 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9369 TLS_client_method(), TLS1_VERSION,
9370 (idx % 2 == 0) ? TLS1_3_VERSION
9371 : TLS1_2_VERSION,
9372 &sctx, &cctx, cert, privkey))
9373 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9374 goto end;
9375
9376 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9377 get_sess_val = NULL;
9378
9379 SSL_CTX_sess_set_cache_size(sctx, 1);
9380
9381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9382 NULL, NULL)))
9383 goto end;
9384
9385 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9386 goto end;
9387
9388 if (idx > 1) {
9389 sess = SSL_get_session(serverssl);
9390 if (!TEST_ptr(sess))
9391 goto end;
9392
9393 /*
9394 * Cause this session to have a longer timeout than the next session to
9395 * be added.
9396 */
9397 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9398 sess = NULL;
9399 goto end;
9400 }
9401 sess = NULL;
9402 }
9403
9404 SSL_shutdown(serverssl);
9405 SSL_shutdown(clientssl);
9406 SSL_free(serverssl);
9407 SSL_free(clientssl);
9408 serverssl = clientssl = NULL;
9409
9410 /*
9411 * Session cache size is 1 and we already populated the cache with a session
9412 * so the next connection should cause an overflow.
9413 */
9414
9415 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9416 NULL, NULL)))
9417 goto end;
9418
9419 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9420 goto end;
9421
9422 /*
9423 * The session we just negotiated may have been already removed from the
9424 * internal cache - but we will return it anyway from our external cache.
9425 */
9426 get_sess_val = SSL_get_session(serverssl);
9427 if (!TEST_ptr(get_sess_val))
9428 goto end;
9429 sess = SSL_get1_session(clientssl);
9430 if (!TEST_ptr(sess))
9431 goto end;
9432
9433 SSL_shutdown(serverssl);
9434 SSL_shutdown(clientssl);
9435 SSL_free(serverssl);
9436 SSL_free(clientssl);
9437 serverssl = clientssl = NULL;
9438
9439 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9440 NULL, NULL)))
9441 goto end;
9442
9443 if (!TEST_true(SSL_set_session(clientssl, sess)))
9444 goto end;
9445
9446 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9447 goto end;
9448
9449 testresult = 1;
9450
9451 end:
9452 SSL_free(serverssl);
9453 SSL_free(clientssl);
9454 SSL_CTX_free(sctx);
9455 SSL_CTX_free(cctx);
9456 SSL_SESSION_free(sess);
9457
9458 return testresult;
9459}
9460#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9461
49ef3d07
MC		 9462/*
9463 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9464 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9465 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9466 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9467 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9468 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9469 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9470 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9471 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9472 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9473 */
9474static int test_servername(int tst)
9475{
9476 SSL_CTX *cctx = NULL, *sctx = NULL;
9477 SSL *clientssl = NULL, *serverssl = NULL;
9478 int testresult = 0;
9479 SSL_SESSION *sess = NULL;
9480 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9481
9482#ifdef OPENSSL_NO_TLS1_2
9483 if (tst <= 4)
9484 return 1;
9485#endif
a763ca11 9486#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 9487 if (tst >= 5)
9488 return 1;
9489#endif
9490
5e30f2fd 9491 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 9492 TLS_client_method(),
9493 TLS1_VERSION,
9494 (tst <= 4) ? TLS1_2_VERSION
9495 : TLS1_3_VERSION,
9496 &sctx, &cctx, cert, privkey))
9497 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9498 NULL, NULL)))
9499 goto end;
9500
9501 if (tst != 1 && tst != 6) {
9502 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9503 hostname_cb)))
9504 goto end;
9505 }
9506
9507 if (tst != 3 && tst != 8) {
9508 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9509 goto end;
9510 sexpectedhost = cexpectedhost = "goodhost";
9511 }
9512
9513 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9514 goto end;
9515
9516 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9517 cexpectedhost)
9518 || !TEST_str_eq(SSL_get_servername(serverssl,
9519 TLSEXT_NAMETYPE_host_name),
9520 sexpectedhost))
9521 goto end;
9522
9523 /* Now repeat with a resumption handshake */
9524
9525 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9526 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9527 || !TEST_true(SSL_SESSION_is_resumable(sess))
9528 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9529 goto end;
9530
9531 SSL_free(clientssl);
9532 SSL_free(serverssl);
9533 clientssl = serverssl = NULL;
9534
9535 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9536 NULL)))
9537 goto end;
9538
9539 if (!TEST_true(SSL_set_session(clientssl, sess)))
9540 goto end;
9541
9542 sexpectedhost = cexpectedhost = "goodhost";
9543 if (tst == 2 || tst == 7) {
9544 /* Set an inconsistent hostname */
9545 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9546 goto end;
9547 /*
9548 * In TLSv1.2 we expect the hostname from the original handshake, in
9549 * TLSv1.3 we expect the hostname from this handshake
9550 */
9551 if (tst == 7)
9552 sexpectedhost = cexpectedhost = "altgoodhost";
9553
9554 if (!TEST_str_eq(SSL_get_servername(clientssl,
9555 TLSEXT_NAMETYPE_host_name),
9556 "altgoodhost"))
9557 goto end;
9558 } else if (tst == 4 || tst == 9) {
9559 /*
9560 * A TLSv1.3 session does not associate a session with a servername,
9561 * but a TLSv1.2 session does.
9562 */
9563 if (tst == 9)
9564 sexpectedhost = cexpectedhost = NULL;
9565
9566 if (!TEST_str_eq(SSL_get_servername(clientssl,
9567 TLSEXT_NAMETYPE_host_name),
9568 cexpectedhost))
9569 goto end;
9570 } else {
9571 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9572 goto end;
9573 /*
9574 * In a TLSv1.2 resumption where the hostname was not acknowledged
9575 * we expect the hostname on the server to be empty. On the client we
9576 * return what was requested in this case.
9577 *
9578 * Similarly if the client didn't set a hostname on an original TLSv1.2
9579 * session but is now, the server hostname will be empty, but the client
9580 * is as we set it.
9581 */
9582 if (tst == 1 || tst == 3)
9583 sexpectedhost = NULL;
9584
9585 if (!TEST_str_eq(SSL_get_servername(clientssl,
9586 TLSEXT_NAMETYPE_host_name),
9587 "goodhost"))
9588 goto end;
9589 }
9590
9591 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9592 goto end;
9593
9594 if (!TEST_true(SSL_session_reused(clientssl))
9595 || !TEST_true(SSL_session_reused(serverssl))
9596 || !TEST_str_eq(SSL_get_servername(clientssl,
9597 TLSEXT_NAMETYPE_host_name),
9598 cexpectedhost)
9599 || !TEST_str_eq(SSL_get_servername(serverssl,
9600 TLSEXT_NAMETYPE_host_name),
9601 sexpectedhost))
9602 goto end;
9603
9604 testresult = 1;
9605
9606 end:
9607 SSL_SESSION_free(sess);
9608 SSL_free(serverssl);
9609 SSL_free(clientssl);
9610 SSL_CTX_free(sctx);
9611 SSL_CTX_free(cctx);
9612
9613 return testresult;
9614}
9615
2b4cea1e
TM		 9616static int test_unknown_sigalgs_groups(void)
9617{
9618 int ret = 0;
9619 SSL_CTX *ctx = NULL;
9620
9621 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9622 goto end;
9623
9624 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9625 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9626 0))
9627 goto end;
9628 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9629 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9630 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9631 goto end;
9632
9633 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9634 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9635 0))
9636 goto end;
9637 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9638 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9639 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9640 goto end;
9641
9642 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9643 "nonexistent"),
9644 0))
9645 goto end;
9646
9647 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9648 "?nonexistent1:?nonexistent2:?nonexistent3"),
9649 0))
9650 goto end;
9651
9652#ifndef OPENSSL_NO_EC
9653 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9654 "P-256:nonexistent"),
9655 0))
9656 goto end;
9657
9658 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9659 "P-384:?nonexistent:?P-521"),
9660 0))
9661 goto end;
9662 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9663 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9664 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9665 goto end;
9666#endif
9667
9668 ret = 1;
9669 end:
9670 SSL_CTX_free(ctx);
9671 return ret;
9672}
9673
b1fdbc68 9674#if !defined(OPENSSL_NO_EC) \
a763ca11 9675 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 9676/*
9677 * Test that if signature algorithms are not available, then we do not offer or
9678 * accept them.
9679 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9680 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9681 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9682 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9683 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9684 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9685 */
9686static int test_sigalgs_available(int idx)
9687{
9688 SSL_CTX *cctx = NULL, *sctx = NULL;
9689 SSL *clientssl = NULL, *serverssl = NULL;
9690 int testresult = 0;
b4250010
DMSP		 9691 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9692 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 9693 OSSL_PROVIDER *filterprov = NULL;
9694 int sig, hash;
9695
9696 if (!TEST_ptr(tmpctx))
9697 goto end;
9698
9699 if (idx != 0 && idx != 3) {
9700 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9701 filter_provider_init)))
9702 goto end;
9703
9704 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9705 if (!TEST_ptr(filterprov))
9706 goto end;
9707
9708 if (idx < 3) {
9709 /*
9710 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9711 * or accepted for the peer that uses this libctx. Note that libssl
9712 * *requires* SHA2-256 to be available so we cannot disable that. We
9713 * also need SHA1 for our certificate.
9714 */
9715 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9716 "SHA2-256:SHA1")))
9717 goto end;
9718 } else {
9719 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9720 "ECDSA"))
4032cd9a
YL		 9721# ifdef OPENSSL_NO_ECX
9722 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9723# else
b3842539 9724 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
4032cd9a
YL		 9725 "EC:X25519:X448"))
9726# endif
9727 )
b3842539
MC		 9728 goto end;
9729 }
9730
9731 if (idx == 1 || idx == 4)
9732 clientctx = tmpctx;
9733 else
9734 serverctx = tmpctx;
9735 }
9736
d8652be0
MC		 9737 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9738 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 9739 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9740 goto end;
b3842539 9741
b4c4a2c6
TM		 9742 if (idx != 5) {
9743 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9744 TLS_client_method(),
9745 TLS1_VERSION,
9746 0,
9747 &sctx, &cctx, cert, privkey)))
9748 goto end;
9749 } else {
9750 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9751 TLS_client_method(),
9752 TLS1_VERSION,
9753 0,
9754 &sctx, &cctx, cert2, privkey2)))
9755 goto end;
9756 }
b3842539 9757
b1fdbc68
MC		 9758 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9759 if (idx < 4) {
9760 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9761 "ECDHE-RSA-AES128-GCM-SHA256")))
9762 goto end;
9763 } else {
9764 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9765 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9766 goto end;
9767 }
9768
b3842539
MC		 9769 if (idx < 3) {
9770 if (!SSL_CTX_set1_sigalgs_list(cctx,
9771 "rsa_pss_rsae_sha384"
9772 ":rsa_pss_rsae_sha256")
9773 || !SSL_CTX_set1_sigalgs_list(sctx,
9774 "rsa_pss_rsae_sha384"
9775 ":rsa_pss_rsae_sha256"))
9776 goto end;
9777 } else {
9778 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9779 || !SSL_CTX_set1_sigalgs_list(sctx,
9780 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9781 goto end;
9782 }
9783
b4c4a2c6
TM		 9784 if (idx != 5
9785 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9786 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9787 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9788 privkey2,
9789 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9790 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9791 goto end;
9792
9793 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9794 NULL, NULL)))
b3842539
MC		 9795 goto end;
9796
9797 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9798 goto end;
9799
9800 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9801 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9802 NULL, NULL),
9803 (idx == 0 || idx == 3) ? 2 : 1))
9804 goto end;
9805
9806 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9807 goto end;
9808
9809 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9810 : NID_rsassaPss))
9811 goto end;
9812
b0001d0c 9813 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9814
9815 end:
9816 SSL_free(serverssl);
9817 SSL_free(clientssl);
9818 SSL_CTX_free(sctx);
9819 SSL_CTX_free(cctx);
9820 OSSL_PROVIDER_unload(filterprov);
b4250010 9821 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9822
9823 return testresult;
9824}
b1fdbc68
MC		 9825#endif /*
9826 * !defined(OPENSSL_NO_EC) \
a763ca11 9827 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9828 */
b3842539 9829
0c13cdf8 9830#ifndef OPENSSL_NO_TLS1_3
a763ca11 9831/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9832static int test_pluggable_group(int idx)
0c13cdf8
MC		 9833{
9834 SSL_CTX *cctx = NULL, *sctx = NULL;
9835 SSL *clientssl = NULL, *serverssl = NULL;
9836 int testresult = 0;
9837 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9838 /* Check that we are not impacted by a provider without any groups */
9839 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
f4ed6eed 9840 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
0c13cdf8 9841
5ae54dba 9842 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9843 goto end;
9844
9845 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9846 TLS_client_method(),
9847 TLS1_3_VERSION,
9848 TLS1_3_VERSION,
9849 &sctx, &cctx, cert, privkey))
9850 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9851 NULL, NULL)))
9852 goto end;
9853
f4ed6eed
MB		 9854 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9855 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9856 /* removing a single algorithm from the list makes the test pass */
c8e3a4c6 9857 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9858 goto end;
9859
9860 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9861 goto end;
9862
becbacd7
MB		 9863 if (!TEST_str_eq(group_name,
9864 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9865 goto end;
9866
68668243
AB		 9867 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9868 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9869 goto end;
9870
0c13cdf8
MC		 9871 testresult = 1;
9872
9873 end:
9874 SSL_free(serverssl);
9875 SSL_free(clientssl);
9876 SSL_CTX_free(sctx);
9877 SSL_CTX_free(cctx);
9878 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9879 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9880
9881 return testresult;
9882}
ee58915c
MB		 9883
9884/*
9885 * This function triggers encode, decode and sign functions
9886 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9887 * creating private key and certificate files for use in TLS testing.
9888 */
9889static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9890{
bbaeadb0 9891 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
ee58915c
MB		 9892 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9893 EVP_PKEY *pkey = NULL;
9894 X509 *x509 = X509_new();
9895 X509_NAME *name = NULL;
9896 BIO *keybio = NULL, *certbio = NULL;
9897 int ret = 1;
9898
9899 if (!TEST_ptr(evpctx)
9900 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9901 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9902 || !TEST_ptr(pkey)
9903 || !TEST_ptr(x509)
9904 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9905 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9906 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9907 || !TEST_true(X509_set_pubkey(x509, pkey))
9908 || !TEST_ptr(name = X509_get_subject_name(x509))
9909 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9910 (unsigned char *)"CH", -1, -1, 0))
9911 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9912 (unsigned char *)"test.org", -1, -1, 0))
9913 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9914 (unsigned char *)"localhost", -1, -1, 0))
9915 || !TEST_true(X509_set_issuer_name(x509, name))
9916 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9917 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9918 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9919 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9920 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9921 ret = 0;
9922
9923 EVP_PKEY_free(pkey);
9924 X509_free(x509);
9925 EVP_PKEY_CTX_free(evpctx);
9926 BIO_free(keybio);
9927 BIO_free(certbio);
9928 return ret;
9929}
9930
9931/*
9932 * Test that signature algorithms loaded via the provider interface can
9933 * correctly establish a TLS (1.3) connection.
9934 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9935 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
3c95ef22
TS		 9936 * Test 2: Test 0 using RPK
9937 * Test 3: Test 1 using RPK
ee58915c
MB		 9938 */
9939static int test_pluggable_signature(int idx)
9940{
3c95ef22 9941 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
ee58915c
MB		 9942 SSL_CTX *cctx = NULL, *sctx = NULL;
9943 SSL *clientssl = NULL, *serverssl = NULL;
9944 int testresult = 0;
9945 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9946 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9947 char *certfilename = "tls-prov-cert.pem";
9948 char *privkeyfilename = "tls-prov-key.pem";
3c95ef22
TS		 9949 int sigidx = idx % 2;
9950 int rpkidx = idx / 2;
ee58915c
MB		 9951
9952 /* create key and certificate for the different algorithm types */
9953 if (!TEST_ptr(tlsprov)
3c95ef22 9954 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
ee58915c
MB		 9955 goto end;
9956
9957 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9958 TLS_client_method(),
9959 TLS1_3_VERSION,
9960 TLS1_3_VERSION,
9961 &sctx, &cctx, certfilename, privkeyfilename))
9962 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9963 NULL, NULL)))
9964 goto end;
9965
3c95ef22
TS		 9966 /* Enable RPK for server cert */
9967 if (rpkidx) {
9968 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9969 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9970 goto end;
9971 }
9972
ee58915c
MB		 9973 /* This is necessary to pass minimal setup w/o other groups configured */
9974 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9975 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9976 goto end;
9977
9978 /*
9979 * If this connection gets established, it must have been completed
9980 * via the tls-provider-implemented "hmacsig" algorithm, testing
9981 * both sign and verify functions during handshake.
9982 */
9983 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9984 goto end;
9985
3c95ef22
TS		 9986 /* If using RPK, make sure we got one */
9987 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9988 goto end;
9989
ee58915c
MB		 9990 testresult = 1;
9991
9992 end:
9993 SSL_free(serverssl);
9994 SSL_free(clientssl);
9995 SSL_CTX_free(sctx);
9996 SSL_CTX_free(cctx);
9997 OSSL_PROVIDER_unload(tlsprov);
9998 OSSL_PROVIDER_unload(defaultprov);
9999
10000 return testresult;
10001}
0c13cdf8 10002#endif
b3842539 10003
49a36a52
MC		 10004#ifndef OPENSSL_NO_TLS1_2
10005static int test_ssl_dup(void)
10006{
10007 SSL_CTX *cctx = NULL, *sctx = NULL;
10008 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10009 int testresult = 0;
10010 BIO *rbio = NULL, *wbio = NULL;
10011
10012 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10013 TLS_client_method(),
10014 0,
10015 0,
10016 &sctx, &cctx, cert, privkey)))
10017 goto end;
10018
10019 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10020 NULL, NULL)))
10021 goto end;
10022
10023 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10024 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10025 goto end;
10026
10027 client2ssl = SSL_dup(clientssl);
10028 rbio = SSL_get_rbio(clientssl);
10029 if (!TEST_ptr(rbio)
10030 || !TEST_true(BIO_up_ref(rbio)))
10031 goto end;
10032 SSL_set0_rbio(client2ssl, rbio);
10033 rbio = NULL;
10034
10035 wbio = SSL_get_wbio(clientssl);
10036 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10037 goto end;
10038 SSL_set0_wbio(client2ssl, wbio);
10039 rbio = NULL;
10040
10041 if (!TEST_ptr(client2ssl)
10042 /* Handshake not started so pointers should be different */
10043 || !TEST_ptr_ne(clientssl, client2ssl))
10044 goto end;
10045
10046 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10047 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10048 goto end;
10049
10050 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10051 goto end;
10052
10053 SSL_free(clientssl);
10054 clientssl = SSL_dup(client2ssl);
10055 if (!TEST_ptr(clientssl)
10056 /* Handshake has finished so pointers should be the same */
10057 || !TEST_ptr_eq(clientssl, client2ssl))
10058 goto end;
10059
10060 testresult = 1;
10061
10062 end:
10063 SSL_free(serverssl);
10064 SSL_free(clientssl);
10065 SSL_free(client2ssl);
10066 SSL_CTX_free(sctx);
10067 SSL_CTX_free(cctx);
10068
10069 return testresult;
10070}
33c39a06
MC		 10071
10072# ifndef OPENSSL_NO_DH
10073
10074static EVP_PKEY *tmp_dh_params = NULL;
10075
10076/* Helper function for the test_set_tmp_dh() tests */
10077static EVP_PKEY *get_tmp_dh_params(void)
10078{
10079 if (tmp_dh_params == NULL) {
10080 BIGNUM *p = NULL;
10081 OSSL_PARAM_BLD *tmpl = NULL;
10082 EVP_PKEY_CTX *pctx = NULL;
10083 OSSL_PARAM *params = NULL;
10084 EVP_PKEY *dhpkey = NULL;
10085
10086 p = BN_get_rfc3526_prime_2048(NULL);
10087 if (!TEST_ptr(p))
10088 goto end;
10089
10090 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10091 if (!TEST_ptr(pctx)
884400d7 10092 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 10093 goto end;
10094
10095 tmpl = OSSL_PARAM_BLD_new();
10096 if (!TEST_ptr(tmpl)
10097 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10098 OSSL_PKEY_PARAM_FFC_P,
10099 p))
10100 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10101 OSSL_PKEY_PARAM_FFC_G,
10102 2)))
10103 goto end;
10104
10105 params = OSSL_PARAM_BLD_to_param(tmpl);
10106 if (!TEST_ptr(params)
884400d7 10107 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10108 EVP_PKEY_KEY_PARAMETERS,
10109 params), 1))
33c39a06
MC		 10110 goto end;
10111
10112 tmp_dh_params = dhpkey;
10113 end:
10114 BN_free(p);
10115 EVP_PKEY_CTX_free(pctx);
10116 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 10117 OSSL_PARAM_free(params);
33c39a06
MC		 10118 }
10119
f1619160 10120 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 10121 return NULL;
10122
10123 return tmp_dh_params;
10124}
10125
39f3427d 10126# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 10127/* Callback used by test_set_tmp_dh() */
10128static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10129{
10130 EVP_PKEY *dhpkey = get_tmp_dh_params();
10131 DH *ret = NULL;
10132
10133 if (!TEST_ptr(dhpkey))
10134 return NULL;
10135
7bc0fdd3
MC		 10136 /*
10137 * libssl does not free the returned DH, so we free it now knowing that even
10138 * after we free dhpkey, there will still be a reference to the owning
10139 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10140 * of time we need it for.
10141 */
10142 ret = EVP_PKEY_get1_DH(dhpkey);
10143 DH_free(ret);
33c39a06
MC		 10144
10145 EVP_PKEY_free(dhpkey);
10146
10147 return ret;
10148}
10149# endif
10150
10151/*
10152 * Test the various methods for setting temporary DH parameters
10153 *
10154 * Test 0: Default (no auto) setting
10155 * Test 1: Explicit SSL_CTX auto off
10156 * Test 2: Explicit SSL auto off
10157 * Test 3: Explicit SSL_CTX auto on
10158 * Test 4: Explicit SSL auto on
10159 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10160 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10161 *
10162 * The following are testing deprecated APIs, so we only run them if available
10163 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10164 * Test 8: Explicit SSL auto off, custom DH params via DH
10165 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10166 * Test 10: Explicit SSL auto off, custom DH params via callback
10167 */
10168static int test_set_tmp_dh(int idx)
10169{
10170 SSL_CTX *cctx = NULL, *sctx = NULL;
10171 SSL *clientssl = NULL, *serverssl = NULL;
10172 int testresult = 0;
10173 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10174 int expected = (idx <= 2) ? 0 : 1;
10175 EVP_PKEY *dhpkey = NULL;
10176# ifndef OPENSSL_NO_DEPRECATED_3_0
10177 DH *dh = NULL;
10178# else
10179
10180 if (idx >= 7)
10181 return 1;
10182# endif
10183
10184 if (idx >= 5 && idx <= 8) {
10185 dhpkey = get_tmp_dh_params();
10186 if (!TEST_ptr(dhpkey))
10187 goto end;
10188 }
10189# ifndef OPENSSL_NO_DEPRECATED_3_0
10190 if (idx == 7 || idx == 8) {
7bc0fdd3 10191 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 10192 if (!TEST_ptr(dh))
10193 goto end;
10194 }
10195# endif
10196
10197 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10198 TLS_client_method(),
10199 0,
10200 0,
10201 &sctx, &cctx, cert, privkey)))
10202 goto end;
10203
10204 if ((idx & 1) == 1) {
10205 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10206 goto end;
10207 }
10208
10209 if (idx == 5) {
10210 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10211 goto end;
10212 dhpkey = NULL;
10213 }
10214# ifndef OPENSSL_NO_DEPRECATED_3_0
10215 else if (idx == 7) {
10216 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10217 goto end;
10218 } else if (idx == 9) {
10219 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10220 }
10221# endif
10222
10223 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10224 NULL, NULL)))
10225 goto end;
10226
10227 if ((idx & 1) == 0 && idx != 0) {
10228 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10229 goto end;
10230 }
10231 if (idx == 6) {
10232 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10233 goto end;
10234 dhpkey = NULL;
10235 }
10236# ifndef OPENSSL_NO_DEPRECATED_3_0
10237 else if (idx == 8) {
10238 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10239 goto end;
10240 } else if (idx == 10) {
10241 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10242 }
10243# endif
10244
10245 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10246 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10247 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10248 goto end;
10249
10250 /*
10251 * If autoon then we should succeed. Otherwise we expect failure because
10252 * there are no parameters
10253 */
10254 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10255 SSL_ERROR_NONE), expected))
10256 goto end;
10257
10258 testresult = 1;
10259
10260 end:
7bc0fdd3
MC		 10261# ifndef OPENSSL_NO_DEPRECATED_3_0
10262 DH_free(dh);
10263# endif
33c39a06
MC		 10264 SSL_free(serverssl);
10265 SSL_free(clientssl);
10266 SSL_CTX_free(sctx);
10267 SSL_CTX_free(cctx);
10268 EVP_PKEY_free(dhpkey);
10269
10270 return testresult;
10271}
3105d846
MC		 10272
10273/*
10274 * Test the auto DH keys are appropriately sized
10275 */
10276static int test_dh_auto(int idx)
10277{
61cab650
MC		 10278 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10279 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 10280 SSL *clientssl = NULL, *serverssl = NULL;
10281 int testresult = 0;
10282 EVP_PKEY *tmpkey = NULL;
10283 char *thiscert = NULL, *thiskey = NULL;
10284 size_t expdhsize = 0;
10285 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10286
61cab650
MC		 10287 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10288 goto end;
10289
3105d846
MC		 10290 switch (idx) {
10291 case 0:
10292 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10293 if (is_fips) {
10294 testresult = 1;
10295 goto end;
10296 }
3105d846
MC		 10297 thiscert = cert1024;
10298 thiskey = privkey1024;
10299 expdhsize = 1024;
61cab650
MC		 10300 SSL_CTX_set_security_level(sctx, 1);
10301 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 10302 break;
10303 case 1:
10304 /* 2048 bit prime */
10305 thiscert = cert;
10306 thiskey = privkey;
10307 expdhsize = 2048;
10308 break;
10309 case 2:
10310 thiscert = cert3072;
10311 thiskey = privkey3072;
10312 expdhsize = 3072;
10313 break;
10314 case 3:
10315 thiscert = cert4096;
10316 thiskey = privkey4096;
10317 expdhsize = 4096;
10318 break;
10319 case 4:
10320 thiscert = cert8192;
10321 thiskey = privkey8192;
10322 expdhsize = 8192;
10323 break;
10324 /* No certificate cases */
10325 case 5:
10326 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10327 if (is_fips) {
10328 testresult = 1;
10329 goto end;
10330 }
3105d846
MC		 10331 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10332 expdhsize = 1024;
10333 break;
10334 case 6:
10335 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10336 expdhsize = 3072;
10337 break;
10338 default:
10339 TEST_error("Invalid text index");
10340 goto end;
10341 }
10342
61cab650
MC		 10343 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10344 NULL,
3105d846
MC		 10345 0,
10346 0,
10347 &sctx, &cctx, thiscert, thiskey)))
10348 goto end;
10349
10350 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10351 NULL, NULL)))
10352 goto end;
10353
10354 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10355 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10356 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10357 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10358 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10359 goto end;
10360
10361 /*
10362 * Send the server's first flight. At this point the server has created the
10363 * temporary DH key but hasn't finished using it yet. Once used it is
10364 * removed, so we cannot test it.
10365 */
10366 if (!TEST_int_le(SSL_connect(clientssl), 0)
10367 || !TEST_int_le(SSL_accept(serverssl), 0))
10368 goto end;
10369
10370 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10371 goto end;
ed576acd 10372 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 10373 goto end;
10374
10375 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10376 goto end;
10377
10378 testresult = 1;
10379
10380 end:
10381 SSL_free(serverssl);
10382 SSL_free(clientssl);
10383 SSL_CTX_free(sctx);
10384 SSL_CTX_free(cctx);
10385 EVP_PKEY_free(tmpkey);
10386
10387 return testresult;
10388
10389}
33c39a06
MC		 10390# endif /* OPENSSL_NO_DH */
10391#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 10392
a763ca11 10393#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 10394/*
10395 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10396 * that it works even without a certificate configured for the original
10397 * SSL_CTX
10398 */
10399static int test_sni_tls13(void)
10400{
10401 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10402 SSL *clientssl = NULL, *serverssl = NULL;
10403 int testresult = 0;
10404
10405 /* Reset callback counter */
10406 snicb = 0;
10407
10408 /* Create an initial SSL_CTX with no certificate configured */
10409 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10410 if (!TEST_ptr(sctx))
10411 goto end;
10412 /* Require TLSv1.3 as a minimum */
10413 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10414 TLS_client_method(), TLS1_3_VERSION, 0,
10415 &sctx2, &cctx, cert, privkey)))
10416 goto end;
10417
10418 /* Set up SNI */
10419 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10420 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10421 goto end;
10422
10423 /*
10424 * Connection should still succeed because the final SSL_CTX has the right
10425 * certificates configured.
10426 */
10427 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10428 &clientssl, NULL, NULL))
10429 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10430 SSL_ERROR_NONE)))
10431 goto end;
10432
10433 /* We should have had the SNI callback called exactly once */
10434 if (!TEST_int_eq(snicb, 1))
10435 goto end;
10436
10437 testresult = 1;
10438
10439end:
10440 SSL_free(serverssl);
10441 SSL_free(clientssl);
10442 SSL_CTX_free(sctx2);
10443 SSL_CTX_free(sctx);
10444 SSL_CTX_free(cctx);
10445 return testresult;
10446}
0089cc7f
TS		 10447
10448/*
10449 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10450 * 0 = TLSv1.2
10451 * 1 = TLSv1.3
10452 */
10453static int test_ticket_lifetime(int idx)
10454{
10455 SSL_CTX *cctx = NULL, *sctx = NULL;
10456 SSL *clientssl = NULL, *serverssl = NULL;
10457 int testresult = 0;
10458 int version = TLS1_3_VERSION;
10459
10460#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10461#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10462
10463 if (idx == 0) {
40fb5a4c
TS		 10464#ifdef OPENSSL_NO_TLS1_2
10465 return TEST_skip("TLS 1.2 is disabled.");
10466#else
0089cc7f 10467 version = TLS1_2_VERSION;
40fb5a4c 10468#endif
0089cc7f
TS		 10469 }
10470
10471 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10472 TLS_client_method(), version, version,
10473 &sctx, &cctx, cert, privkey)))
10474 goto end;
10475
10476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10477 &clientssl, NULL, NULL)))
10478 goto end;
10479
10480 /*
10481 * Set the timeout to be more than 1 week
10482 * make sure the returned value is the default
10483 */
10484 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10485 SSL_get_default_timeout(serverssl)))
10486 goto end;
10487
10488 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10489 goto end;
10490
10491 if (idx == 0) {
10492 /* TLSv1.2 uses the set value */
10493 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10494 goto end;
10495 } else {
10496 /* TLSv1.3 uses the limited value */
10497 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10498 goto end;
10499 }
10500 testresult = 1;
10501
10502end:
10503 SSL_free(serverssl);
10504 SSL_free(clientssl);
10505 SSL_CTX_free(sctx);
10506 SSL_CTX_free(cctx);
10507 return testresult;
10508}
6582661f 10509#endif
feba11cf
TS		 10510/*
10511 * Test that setting an ALPN does not violate RFC
10512 */
10513static int test_set_alpn(void)
10514{
10515 SSL_CTX *ctx = NULL;
10516 SSL *ssl = NULL;
10517 int testresult = 0;
10518
10519 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10520 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10521 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10522 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10523 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10524 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10525
10526 /* Create an initial SSL_CTX with no certificate configured */
10527 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10528 if (!TEST_ptr(ctx))
10529 goto end;
10530
10531 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10532 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10533 goto end;
10534 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10535 goto end;
10536 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10537 goto end;
10538 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10539 goto end;
10540 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10541 goto end;
10542 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10543 goto end;
10544 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10545 goto end;
10546 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10547 goto end;
10548 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10549 goto end;
10550
10551 ssl = SSL_new(ctx);
10552 if (!TEST_ptr(ssl))
10553 goto end;
10554
10555 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10556 goto end;
10557 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10558 goto end;
10559 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10560 goto end;
10561 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10562 goto end;
10563 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10564 goto end;
10565 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10566 goto end;
10567 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10568 goto end;
10569 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10570 goto end;
10571 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10572 goto end;
10573
10574 testresult = 1;
10575
10576end:
10577 SSL_free(ssl);
10578 SSL_CTX_free(ctx);
10579 return testresult;
10580}
6582661f 10581
948cf521
HL		 10582/*
10583 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10584 */
10585static int test_set_verify_cert_store_ssl_ctx(void)
10586{
10587 SSL_CTX *ctx = NULL;
10588 int testresult = 0;
10589 X509_STORE *store = NULL, *new_store = NULL,
10590 *cstore = NULL, *new_cstore = NULL;
10591
10592 /* Create an initial SSL_CTX. */
10593 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10594 if (!TEST_ptr(ctx))
10595 goto end;
10596
10597 /* Retrieve verify store pointer. */
10598 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10599 goto end;
10600
10601 /* Retrieve chain store pointer. */
10602 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10603 goto end;
10604
10605 /* We haven't set any yet, so this should be NULL. */
10606 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10607 goto end;
10608
10609 /* Create stores. We use separate stores so pointers are different. */
10610 new_store = X509_STORE_new();
10611 if (!TEST_ptr(new_store))
10612 goto end;
10613
10614 new_cstore = X509_STORE_new();
10615 if (!TEST_ptr(new_cstore))
10616 goto end;
10617
10618 /* Set stores. */
10619 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10620 goto end;
10621
10622 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10623 goto end;
10624
10625 /* Should be able to retrieve the same pointer. */
10626 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10627 goto end;
10628
10629 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10630 goto end;
10631
10632 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10633 goto end;
10634
10635 /* Should be able to unset again. */
10636 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10637 goto end;
10638
10639 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10640 goto end;
10641
10642 /* Should now be NULL. */
10643 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10644 goto end;
10645
10646 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10647 goto end;
10648
10649 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10650 goto end;
10651
10652 testresult = 1;
10653
10654end:
10655 X509_STORE_free(new_store);
10656 X509_STORE_free(new_cstore);
10657 SSL_CTX_free(ctx);
10658 return testresult;
10659}
10660
10661/*
10662 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10663 */
10664static int test_set_verify_cert_store_ssl(void)
10665{
10666 SSL_CTX *ctx = NULL;
10667 SSL *ssl = NULL;
10668 int testresult = 0;
10669 X509_STORE *store = NULL, *new_store = NULL,
10670 *cstore = NULL, *new_cstore = NULL;
10671
10672 /* Create an initial SSL_CTX. */
10673 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10674 if (!TEST_ptr(ctx))
10675 goto end;
10676
10677 /* Create an SSL object. */
10678 ssl = SSL_new(ctx);
10679 if (!TEST_ptr(ssl))
10680 goto end;
10681
10682 /* Retrieve verify store pointer. */
10683 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10684 goto end;
10685
10686 /* Retrieve chain store pointer. */
10687 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10688 goto end;
10689
10690 /* We haven't set any yet, so this should be NULL. */
10691 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10692 goto end;
10693
10694 /* Create stores. We use separate stores so pointers are different. */
10695 new_store = X509_STORE_new();
10696 if (!TEST_ptr(new_store))
10697 goto end;
10698
10699 new_cstore = X509_STORE_new();
10700 if (!TEST_ptr(new_cstore))
10701 goto end;
10702
10703 /* Set stores. */
10704 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10705 goto end;
10706
10707 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10708 goto end;
10709
10710 /* Should be able to retrieve the same pointer. */
10711 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10712 goto end;
10713
10714 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10715 goto end;
10716
10717 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10718 goto end;
10719
10720 /* Should be able to unset again. */
10721 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10722 goto end;
10723
10724 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10725 goto end;
10726
10727 /* Should now be NULL. */
10728 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10729 goto end;
10730
10731 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10732 goto end;
10733
10734 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10735 goto end;
10736
10737 testresult = 1;
10738
10739end:
10740 X509_STORE_free(new_store);
10741 X509_STORE_free(new_cstore);
10742 SSL_free(ssl);
10743 SSL_CTX_free(ctx);
10744 return testresult;
10745}
10746
10747
dfccfde0
CH		 10748static int test_inherit_verify_param(void)
10749{
10750 int testresult = 0;
10751
10752 SSL_CTX *ctx = NULL;
10753 X509_VERIFY_PARAM *cp = NULL;
10754 SSL *ssl = NULL;
10755 X509_VERIFY_PARAM *sp = NULL;
10756 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10757
10758 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10759 if (!TEST_ptr(ctx))
10760 goto end;
10761
10762 cp = SSL_CTX_get0_param(ctx);
10763 if (!TEST_ptr(cp))
10764 goto end;
10765 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10766 goto end;
10767
10768 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10769
10770 ssl = SSL_new(ctx);
10771 if (!TEST_ptr(ssl))
10772 goto end;
10773
10774 sp = SSL_get0_param(ssl);
10775 if (!TEST_ptr(sp))
10776 goto end;
10777 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10778 goto end;
10779
10780 testresult = 1;
10781
10782 end:
10783 SSL_free(ssl);
10784 SSL_CTX_free(ctx);
10785
10786 return testresult;
10787}
10788
b2b8d188
DF		 10789static int test_load_dhfile(void)
10790{
10791#ifndef OPENSSL_NO_DH
10792 int testresult = 0;
10793
10794 SSL_CTX *ctx = NULL;
10795 SSL_CONF_CTX *cctx = NULL;
10796
10797 if (dhfile == NULL)
10798 return 1;
10799
10800 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10801 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10802 goto end;
10803
10804 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10805 SSL_CONF_CTX_set_flags(cctx,
10806 SSL_CONF_FLAG_CERTIFICATE
10807 | SSL_CONF_FLAG_SERVER
10808 | SSL_CONF_FLAG_FILE);
10809
10810 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10811 goto end;
10812
10813 testresult = 1;
10814end:
10815 SSL_CONF_CTX_free(cctx);
10816 SSL_CTX_free(ctx);
10817
10818 return testresult;
10819#else
10820 return TEST_skip("DH not supported by this build");
10821#endif
10822}
10823
f7565348
MC		 10824#ifndef OSSL_NO_USABLE_TLS1_3
10825/* Test that read_ahead works across a key change */
10826static int test_read_ahead_key_change(void)
10827{
10828 SSL_CTX *cctx = NULL, *sctx = NULL;
10829 SSL *clientssl = NULL, *serverssl = NULL;
10830 int testresult = 0;
10831 char *msg = "Hello World";
10832 size_t written, readbytes;
10833 char buf[80];
10834 int i;
10835
10836 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10837 TLS_client_method(), TLS1_3_VERSION, 0,
10838 &sctx, &cctx, cert, privkey)))
10839 goto end;
10840
10841 SSL_CTX_set_read_ahead(sctx, 1);
10842
10843 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10844 &clientssl, NULL, NULL)))
10845 goto end;
10846
10847 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10848 goto end;
10849
10850 /* Write some data, send a key update, write more data */
10851 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10852 || !TEST_size_t_eq(written, strlen(msg)))
10853 goto end;
10854
10855 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10856 goto end;
10857
10858 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10859 || !TEST_size_t_eq(written, strlen(msg)))
10860 goto end;
10861
10862 /*
10863 * Since read_ahead is on the first read below should read the record with
10864 * the first app data, the second record with the key update message, and
10865 * the third record with the app data all in one go. We should be able to
10866 * still process the read_ahead data correctly even though it crosses
10867 * epochs
10868 */
10869 for (i = 0; i < 2; i++) {
10870 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10871 &readbytes)))
10872 goto end;
10873
10874 buf[readbytes] = '\0';
10875 if (!TEST_str_eq(buf, msg))
10876 goto end;
10877 }
10878
10879 testresult = 1;
10880
10881end:
10882 SSL_free(serverssl);
10883 SSL_free(clientssl);
10884 SSL_CTX_free(sctx);
10885 SSL_CTX_free(cctx);
10886 return testresult;
10887}
f3f8e53c
MC		 10888
10889static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10890{
10891 int *called = arg;
10892
10893 switch ((*called)++) {
10894 case 0:
10895 /* Add some padding to first record */
10896 return 512;
10897 case 1:
10898 /* Maximally pad the second record */
10899 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10900 case 2:
10901 /*
10902 * Exceeding the maximum padding should be fine. It should just pad to
10903 * the maximum anyway
10904 */
10905 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10906 case 3:
10907 /*
10908 * Very large padding should also be ok. Should just pad to the maximum
10909 * allowed
10910 */
10911 return SIZE_MAX;
10912 default:
10913 return 0;
10914 }
10915}
10916
10917/*
10918 * Test that setting record padding in TLSv1.3 works as expected
10919 * Test 0: Record padding callback on the SSL_CTX
10920 * Test 1: Record padding callback on the SSL
10921 * Test 2: Record block padding on the SSL_CTX
10922 * Test 3: Record block padding on the SSL
10923 */
10924static int test_tls13_record_padding(int idx)
10925{
10926 SSL_CTX *cctx = NULL, *sctx = NULL;
10927 SSL *clientssl = NULL, *serverssl = NULL;
10928 int testresult = 0;
10929 char *msg = "Hello World";
10930 size_t written, readbytes;
10931 char buf[80];
10932 int i;
10933 int called = 0;
10934
10935 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10936 TLS_client_method(), TLS1_3_VERSION, 0,
10937 &sctx, &cctx, cert, privkey)))
10938 goto end;
10939
10940 if (idx == 0) {
10941 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10942 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10943 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10944 goto end;
10945 } else if (idx == 2) {
10946 /* Exceeding the max plain length should fail */
10947 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10948 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10949 goto end;
10950 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10951 goto end;
10952 }
10953
10954 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10955 &clientssl, NULL, NULL)))
10956 goto end;
10957
10958 if (idx == 1) {
10959 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10960 SSL_set_record_padding_callback_arg(clientssl, &called);
10961 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10962 goto end;
10963 } else if (idx == 3) {
10964 /* Exceeding the max plain length should fail */
10965 if (!TEST_false(SSL_set_block_padding(clientssl,
10966 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10967 goto end;
10968 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10969 goto end;
10970 }
10971
10972 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10973 goto end;
10974
10975 called = 0;
10976 /*
10977 * Write some data, then check we can read it. Do this four times to check
10978 * we can continue to write and read padded data after the initial record
10979 * padding has been added. We don't actually check that the padding has
10980 * been applied to the record - just that we can continue to communicate
10981 * normally and that the callback has been called (if appropriate).
10982 */
10983 for (i = 0; i < 4; i++) {
10984 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10985 || !TEST_size_t_eq(written, strlen(msg)))
10986 goto end;
10987
10988 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10989 &readbytes))
10990 || !TEST_size_t_eq(written, readbytes))
10991 goto end;
10992
10993 buf[readbytes] = '\0';
10994 if (!TEST_str_eq(buf, msg))
10995 goto end;
10996 }
10997
10998 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10999 goto end;
11000
11001 testresult = 1;
11002end:
11003 SSL_free(serverssl);
11004 SSL_free(clientssl);
11005 SSL_CTX_free(sctx);
11006 SSL_CTX_free(cctx);
11007 return testresult;
11008}
f7565348
MC		 11009#endif /* OSSL_NO_USABLE_TLS1_3 */
11010
b718f6fc 11011#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f
MC		 11012
11013static ENGINE *load_dasync(void)
11014{
11015 ENGINE *e;
11016
11017 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
11018 return NULL;
11019
11020 if (!TEST_true(ENGINE_init(e))) {
11021 ENGINE_free(e);
11022 return NULL;
11023 }
11024
11025 if (!TEST_true(ENGINE_register_ciphers(e))) {
11026 ENGINE_free(e);
11027 return NULL;
11028 }
11029
11030 return e;
11031}
11032
b718f6fc
MC		 11033/*
11034 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11035 * support this yet. The only pipeline capable cipher that we have is in the
11036 * dasync engine (providers don't support this yet), so we have to use
11037 * deprecated APIs for this test.
11038 *
11039 * Test 0: Client has pipelining enabled, server does not
11040 * Test 1: Server has pipelining enabled, client does not
11041 * Test 2: Client has pipelining enabled, server does not: not enough data to
11042 * fill all the pipelines
11043 * Test 3: Client has pipelining enabled, server does not: not enough data to
11044 * fill all the pipelines by more than a full pipeline's worth
11045 * Test 4: Client has pipelining enabled, server does not: more data than all
11046 * the available pipelines can take
11047 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
7765d25f
MC		 11048 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11049 * is created)
b718f6fc
MC		 11050 */
11051static int test_pipelining(int idx)
11052{
11053 SSL_CTX *cctx = NULL, *sctx = NULL;
11054 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11055 int testresult = 0, numreads;
11056 /* A 55 byte message */
11057 unsigned char *msg = (unsigned char *)
11058 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11059 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11060 size_t expectedreads;
11061 unsigned char *buf = NULL;
7765d25f 11062 ENGINE *e = NULL;
b718f6fc 11063
7765d25f
MC		 11064 if (idx != 6) {
11065 e = load_dasync();
11066 if (e == NULL)
11067 return 0;
b718f6fc
MC		 11068 }
11069
b718f6fc
MC		 11070 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11071 TLS_client_method(), 0,
11072 TLS1_2_VERSION, &sctx, &cctx, cert,
11073 privkey)))
11074 goto end;
11075
7765d25f
MC		 11076 if (idx == 6) {
11077 e = load_dasync();
11078 if (e == NULL)
11079 goto end;
11080 /* Now act like test 0 */
11081 idx = 0;
11082 }
11083
b718f6fc
MC		 11084 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11085 &clientssl, NULL, NULL)))
11086 goto end;
11087
11088 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11089 goto end;
11090
11091 /* peera is always configured for pipelining, while peerb is not. */
11092 if (idx == 1) {
11093 peera = serverssl;
11094 peerb = clientssl;
11095
11096 } else {
11097 peera = clientssl;
11098 peerb = serverssl;
11099 }
11100
11101 if (idx == 5) {
11102 numpipes = 2;
11103 /* Maximum allowed fragment size */
11104 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11105 msglen = fragsize * numpipes;
11106 msg = OPENSSL_malloc(msglen);
11107 if (!TEST_ptr(msg))
11108 goto end;
11109 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11110 goto end;
11111 } else if (idx == 4) {
11112 msglen = 55;
11113 } else {
11114 msglen = 50;
11115 }
11116 if (idx == 2)
11117 msglen -= 2; /* Send 2 less bytes */
11118 else if (idx == 3)
11119 msglen -= 12; /* Send 12 less bytes */
11120
11121 buf = OPENSSL_malloc(msglen);
11122 if (!TEST_ptr(buf))
11123 goto end;
11124
11125 if (idx == 5) {
11126 /*
11127 * Test that setting a split send fragment longer than the maximum
11128 * allowed fails
11129 */
11130 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11131 goto end;
11132 }
11133
11134 /*
11135 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11136 * (50 bytes in total). This is a ridiculously small number of bytes -
11137 * but sufficient for our purposes
11138 */
11139 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11140 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11141 goto end;
11142
11143 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11144 goto end;
11145
11146 /* Write some data from peera to peerb */
11147 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11148 || !TEST_size_t_eq(written, msglen))
11149 goto end;
11150
11151 /*
11152 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11153 * have been used - except in test 3 where only |numpipes - 1| pipelines
11154 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11155 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11156 * expect this to be read in |numpipes| or |numpipes - 1| separate
11157 * SSL_read_ex calls. In the case of test 4, there is then one additional
11158 * read for left over data that couldn't fit in the previous pipelines
11159 */
11160 for (offset = 0, numreads = 0;
11161 offset < msglen;
11162 offset += readbytes, numreads++) {
11163 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11164 msglen - offset, &readbytes)))
11165 goto end;
11166 }
11167
11168 expectedreads = idx == 4 ? numpipes + 1
11169 : (idx == 3 ? numpipes - 1 : numpipes);
11170 if (!TEST_mem_eq(msg, msglen, buf, offset)
11171 || !TEST_int_eq(numreads, expectedreads))
11172 goto end;
11173
11174 /*
11175 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11176 * chunks to exercise the read pipelining code on peera.
11177 */
11178 for (offset = 0; offset < msglen; offset += fragsize) {
11179 size_t sendlen = msglen - offset;
11180
11181 if (sendlen > fragsize)
11182 sendlen = fragsize;
11183 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11184 || !TEST_size_t_eq(written, sendlen))
11185 goto end;
11186 }
11187
11188 /*
11189 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11190 * separate chunks (depending on which test we are running). If the
11191 * pipelining is working then we expect peera to read up to numpipes chunks
11192 * and process them in parallel, giving back the complete result in a single
11193 * call to SSL_read_ex
11194 */
11195 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11196 || !TEST_size_t_le(readbytes, msglen))
11197 goto end;
11198
11199 if (idx == 4) {
11200 size_t readbytes2;
11201
11202 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11203 msglen - readbytes, &readbytes2)))
11204 goto end;
11205 readbytes += readbytes2;
11206 if (!TEST_size_t_le(readbytes, msglen))
11207 goto end;
11208 }
11209
11210 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11211 goto end;
11212
11213 testresult = 1;
11214end:
11215 SSL_free(serverssl);
11216 SSL_free(clientssl);
11217 SSL_CTX_free(sctx);
11218 SSL_CTX_free(cctx);
7765d25f
MC		 11219 if (e != NULL) {
11220 ENGINE_unregister_ciphers(e);
11221 ENGINE_finish(e);
11222 ENGINE_free(e);
11223 }
b718f6fc 11224 OPENSSL_free(buf);
06a0d403 11225 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
b718f6fc
MC		 11226 OPENSSL_free(msg);
11227 return testresult;
11228}
11229#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11230
843f6e27
MC		 11231static int check_version_string(SSL *s, int version)
11232{
11233 const char *verstr = NULL;
11234
11235 switch (version) {
11236 case SSL3_VERSION:
11237 verstr = "SSLv3";
11238 break;
11239 case TLS1_VERSION:
11240 verstr = "TLSv1";
11241 break;
11242 case TLS1_1_VERSION:
11243 verstr = "TLSv1.1";
11244 break;
11245 case TLS1_2_VERSION:
11246 verstr = "TLSv1.2";
11247 break;
11248 case TLS1_3_VERSION:
11249 verstr = "TLSv1.3";
11250 break;
11251 case DTLS1_VERSION:
11252 verstr = "DTLSv1";
11253 break;
11254 case DTLS1_2_VERSION:
11255 verstr = "DTLSv1.2";
11256 }
11257
11258 return TEST_str_eq(verstr, SSL_get_version(s));
11259}
11260
11261/*
11262 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11263 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11264 * test_version() in quicapitest.c which does the same thing for QUIC
11265 * connections.
11266 */
11267static int test_version(int idx)
11268{
11269 SSL_CTX *cctx = NULL, *sctx = NULL;
11270 SSL *clientssl = NULL, *serverssl = NULL;
11271 int testresult = 0, version;
11272 const SSL_METHOD *servmeth = TLS_server_method();
11273 const SSL_METHOD *clientmeth = TLS_client_method();
11274
11275 switch (idx) {
11276#if !defined(OPENSSL_NO_SSL3)
11277 case 0:
11278 version = SSL3_VERSION;
11279 break;
11280#endif
11281#if !defined(OPENSSL_NO_TLS1)
11282 case 1:
11283 version = TLS1_VERSION;
11284 break;
11285#endif
11286#if !defined(OPENSSL_NO_TLS1_2)
11287 case 2:
11288 version = TLS1_2_VERSION;
11289 break;
11290#endif
11291#if !defined(OSSL_NO_USABLE_TLS1_3)
11292 case 3:
11293 version = TLS1_3_VERSION;
11294 break;
11295#endif
11296#if !defined(OPENSSL_NO_DTLS1)
11297 case 4:
11298 version = DTLS1_VERSION;
11299 break;
11300#endif
11301#if !defined(OPENSSL_NO_DTLS1_2)
11302 case 5:
11303 version = DTLS1_2_VERSION;
11304 break;
11305#endif
11306 /*
11307 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11308 * We also don't support DTLS1_BAD_VER since we have no server support for
11309 * that.
11310 */
11311 default:
11312 TEST_skip("Unsupported protocol version");
11313 return 1;
11314 }
11315
11316 if (is_fips
11317 && (version == SSL3_VERSION
11318 || version == TLS1_VERSION
11319 || version == DTLS1_VERSION)) {
11320 TEST_skip("Protocol version not supported with FIPS");
11321 return 1;
11322 }
11323
11324#if !defined(OPENSSL_NO_DTLS)
11325 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11326 servmeth = DTLS_server_method();
11327 clientmeth = DTLS_client_method();
11328 }
11329#endif
11330
11331 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11332 version, &sctx, &cctx, cert, privkey)))
11333 goto end;
11334
11335 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11336 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11337 "DEFAULT:@SECLEVEL=0")))
11338 goto end;
11339
11340 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11341 &clientssl, NULL, NULL)))
11342 goto end;
11343
11344 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11345 goto end;
11346
11347 if (!TEST_int_eq(SSL_version(serverssl), version)
11348 || !TEST_int_eq(SSL_version(clientssl), version)
11349 || !TEST_true(check_version_string(serverssl, version))
11350 || !TEST_true(check_version_string(clientssl, version)))
11351 goto end;
11352
11353 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11354 if (!TEST_true(SSL_is_dtls(serverssl))
11355 || !TEST_true(SSL_is_dtls(clientssl))
11356 || !TEST_false(SSL_is_tls(serverssl))
11357 || !TEST_false(SSL_is_tls(clientssl))
11358 || !TEST_false(SSL_is_quic(serverssl))
11359 || !TEST_false(SSL_is_quic(clientssl)))
11360 goto end;
11361 } else {
11362 if (!TEST_true(SSL_is_tls(serverssl))
11363 || !TEST_true(SSL_is_tls(clientssl))
11364 || !TEST_false(SSL_is_dtls(serverssl))
11365 || !TEST_false(SSL_is_dtls(clientssl))
11366 || !TEST_false(SSL_is_quic(serverssl))
11367 || !TEST_false(SSL_is_quic(clientssl)))
11368 goto end;
11369 }
11370
11371 testresult = 1;
11372end:
11373 SSL_free(serverssl);
11374 SSL_free(clientssl);
11375 SSL_CTX_free(sctx);
11376 SSL_CTX_free(cctx);
11377 return testresult;
11378}
11379
79ee0172
MC		 11380/*
11381 * Test that the SSL_rstate_string*() APIs return sane results
11382 */
11383static int test_rstate_string(void)
11384{
11385 SSL_CTX *cctx = NULL, *sctx = NULL;
11386 SSL *clientssl = NULL, *serverssl = NULL;
11387 int testresult = 0, version;
11388 const SSL_METHOD *servmeth = TLS_server_method();
11389 const SSL_METHOD *clientmeth = TLS_client_method();
11390 size_t written, readbytes;
11391 unsigned char buf[2];
11392 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11393 SSL3_RT_APPLICATION_DATA,
11394 TLS1_2_VERSION_MAJOR,
11395 0, /* To be filled in later */
11396 0,
11397 1
11398 };
11399
11400 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11401 0, &sctx, &cctx, cert, privkey)))
11402 goto end;
11403
11404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11405 &clientssl, NULL, NULL)))
11406 goto end;
11407
11408 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11409 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11410 goto end;
11411
11412 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11413 goto end;
11414
11415 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11416 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11417 goto end;
11418
11419 /* Fill in the correct version for the record header */
11420 version = SSL_version(serverssl);
11421 if (version == TLS1_3_VERSION)
11422 version = TLS1_2_VERSION;
11423 dummyheader[2] = version & 0xff;
11424
11425 /*
11426 * Send a dummy header. If we continued to read the body as well this
11427 * would fail with a bad record mac, but we're not going to go that far.
11428 */
11429 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11430 sizeof(dummyheader), &written))
11431 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11432 goto end;
11433
11434 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11435 goto end;
11436
11437 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11438 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11439 goto end;
11440
11441 testresult = 1;
11442end:
11443 SSL_free(serverssl);
11444 SSL_free(clientssl);
11445 SSL_CTX_free(sctx);
11446 SSL_CTX_free(cctx);
11447 return testresult;
11448}
11449
149c4f98
MC		 11450/*
11451 * Force a write retry during handshaking. We test various combinations of
11452 * scenarios. We test a large certificate message which will fill the buffering
11453 * BIO used in the handshake. We try with client auth on and off. Finally we
11454 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11455 * to indicate retry via -1 - but sometimes BIOs don't do that.
11456 *
11457 * Test 0: Standard certificate message
11458 * Test 1: Large certificate message
11459 * Test 2: Standard cert, verify peer
11460 * Test 3: Large cert, verify peer
11461 * Test 4: Standard cert, BIO returns 0 on retry
11462 * Test 5: Large cert, BIO returns 0 on retry
11463 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11464 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11465 * Test 8-15: Repeat of above with TLSv1.2
11466 */
11467static int test_handshake_retry(int idx)
11468{
11469 SSL_CTX *cctx = NULL, *sctx = NULL;
11470 SSL *clientssl = NULL, *serverssl = NULL;
11471 int testresult = 0;
11472 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11473 int maxversion = 0;
11474
11475 if (!TEST_ptr(bretry))
11476 goto end;
11477
11478#ifndef OPENSSL_NO_TLS1_2
11479 if ((idx & 8) == 8)
11480 maxversion = TLS1_2_VERSION;
11481#else
11482 if ((idx & 8) == 8)
11483 return TEST_skip("No TLSv1.2");
11484#endif
11485
11486 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11487 TLS_client_method(), 0, maxversion,
11488 &sctx, &cctx, cert, privkey)))
11489 goto end;
11490
11491 /*
11492 * Add a large amount of data to fill the buffering BIO used by the SSL
11493 * object
11494 */
3860ef2a 11495 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98
MC		 11496 goto end;
11497
11498 /*
11499 * We don't actually configure a client cert, but neither do we fail if one
11500 * isn't present.
11501 */
11502 if ((idx & 2) == 2)
11503 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11504
11505 if ((idx & 4) == 4)
11506 set_always_retry_err_val(0);
11507
11508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11509 &clientssl, NULL, NULL)))
11510 goto end;
11511
11512 tmp = SSL_get_wbio(serverssl);
11513 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11514 tmp = NULL;
11515 goto end;
11516 }
11517 SSL_set0_wbio(serverssl, bretry);
11518 bretry = NULL;
11519
11520 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11521 goto end;
11522
11523 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11524 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11525 goto end;
11526
11527 /* Restore a BIO that will let the write succeed */
11528 SSL_set0_wbio(serverssl, tmp);
11529 tmp = NULL;
11530
11531 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11532 goto end;
11533
11534 testresult = 1;
11535end:
11536 SSL_free(serverssl);
11537 SSL_free(clientssl);
11538 SSL_CTX_free(sctx);
11539 SSL_CTX_free(cctx);
11540 BIO_free(bretry);
11541 BIO_free(tmp);
11542 set_always_retry_err_val(-1);
11543 return testresult;
11544}
11545
dbbdb940
MC		 11546/*
11547 * Test that receiving retries when writing application data works as expected
11548 */
11549static int test_data_retry(void)
11550{
11551 SSL_CTX *cctx = NULL, *sctx = NULL;
11552 SSL *clientssl = NULL, *serverssl = NULL;
11553 int testresult = 0;
11554 unsigned char inbuf[1200], outbuf[1200];
11555 size_t i;
11556 BIO *tmp = NULL;
11557 BIO *bretry = BIO_new(bio_s_maybe_retry());
11558 size_t written, readbytes, totread = 0;
11559
11560 if (!TEST_ptr(bretry))
11561 goto end;
11562
11563 for (i = 0; i < sizeof(inbuf); i++)
74efc547 11564 inbuf[i] = (unsigned char)(0xff & i);
dbbdb940
MC		 11565 memset(outbuf, 0, sizeof(outbuf));
11566
11567 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11568 TLS_client_method(), 0, 0, &sctx, &cctx,
11569 cert, privkey)))
11570 goto end;
11571
11572 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11573 NULL)))
11574 goto end;
11575
11576 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11577 goto end;
11578
11579 /* Smallest possible max send fragment is 512 */
11580 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11581 goto end;
11582
11583 tmp = SSL_get_wbio(clientssl);
11584 if (!TEST_ptr(tmp))
11585 goto end;
11586 if (!TEST_true(BIO_up_ref(tmp)))
11587 goto end;
11588 BIO_push(bretry, tmp);
11589 tmp = NULL;
11590 SSL_set0_wbio(clientssl, bretry);
11591 if (!BIO_up_ref(bretry)) {
11592 bretry = NULL;
11593 goto end;
11594 }
11595
11596 for (i = 0; i < 3; i++) {
11597 /* We expect this call to make no progress and indicate retry */
11598 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11599 goto end;
11600 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11601 goto end;
11602
164a541b 11603 /* Allow one write to progress, but the next one to signal retry */
dbbdb940
MC		 11604 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11605 NULL)))
11606 goto end;
11607
11608 if (i == 2)
11609 break;
11610
11611 /*
11612 * This call will hopefully make progress but will still indicate retry
11613 * because there is more data than will fit into a single record.
11614 */
11615 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11616 goto end;
11617 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11618 goto end;
11619 }
11620
11621 /* The final call should write the last chunk of data and succeed */
11622 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11623 goto end;
11624 /* Read all the data available */
11625 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11626 &readbytes))
11627 totread += readbytes;
11628 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11629 goto end;
11630
11631 testresult = 1;
11632end:
11633 SSL_free(serverssl);
11634 SSL_free(clientssl);
11635 SSL_CTX_free(sctx);
11636 SSL_CTX_free(cctx);
11637 BIO_free_all(bretry);
11638 BIO_free(tmp);
11639 return testresult;
11640}
11641
cfeaf33a
MC		 11642struct resume_servername_cb_data {
11643 int i;
11644 SSL_CTX *cctx;
11645 SSL_CTX *sctx;
11646 SSL_SESSION *sess;
11647 int recurse;
11648};
11649
11650/*
11651 * Servername callback. We use it here to run another complete handshake using
11652 * the same session - and mark the session as not_resuamble at the end
11653 */
11654static int resume_servername_cb(SSL *s, int *ad, void *arg)
11655{
11656 struct resume_servername_cb_data *cbdata = arg;
11657 SSL *serverssl = NULL, *clientssl = NULL;
11658 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
11659
11660 if (cbdata->recurse)
11661 return SSL_TLSEXT_ERR_ALERT_FATAL;
11662
11663 if ((cbdata->i % 3) != 1)
11664 return SSL_TLSEXT_ERR_OK;
11665
11666 cbdata->recurse = 1;
11667
11668 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
11669 &clientssl, NULL, NULL))
11670 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
11671 goto end;
11672
11673 ERR_set_mark();
11674 /*
11675 * We expect this to fail - because the servername cb will fail. This will
11676 * mark the session as not_resumable.
11677 */
11678 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
11679 ERR_clear_last_mark();
11680 goto end;
11681 }
11682 ERR_pop_to_mark();
11683
11684 ret = SSL_TLSEXT_ERR_OK;
11685 end:
11686 SSL_free(serverssl);
11687 SSL_free(clientssl);
11688 cbdata->recurse = 0;
11689 return ret;
11690}
0447cd69
MC		 11691/*
11692 * Test multiple resumptions and cache size handling
11693 * Test 0: TLSv1.3 (max_early_data set)
11694 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11695 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
cfeaf33a
MC		 11696 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
11697 * Test 4: TLSv1.2
0447cd69
MC		 11698 */
11699static int test_multi_resume(int idx)
11700{
11701 SSL_CTX *sctx = NULL, *cctx = NULL;
11702 SSL *serverssl = NULL, *clientssl = NULL;
11703 SSL_SESSION *sess = NULL;
11704 int max_version = TLS1_3_VERSION;
11705 int i, testresult = 0;
cfeaf33a 11706 struct resume_servername_cb_data cbdata;
0447cd69 11707
cfeaf33a
MC		 11708#if defined(OPENSSL_NO_TLS1_2)
11709 if (idx == 4)
11710 return TEST_skip("TLSv1.2 is disabled in this build");
11711#else
11712 if (idx == 4)
0447cd69 11713 max_version = TLS1_2_VERSION;
cfeaf33a
MC		 11714#endif
11715#if defined(OSSL_NO_USABLE_TLS1_3)
11716 if (idx != 4)
11717 return TEST_skip("No usable TLSv1.3 in this build");
11718#endif
0447cd69
MC		 11719
11720 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11721 TLS_client_method(), TLS1_VERSION,
11722 max_version, &sctx, &cctx, cert,
11723 privkey)))
11724 goto end;
11725
11726 /*
11727 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11728 * replay protection), or if SSL_OP_NO_TICKET is in use
11729 */
11730 if (idx == 0 || idx == 2) {
11731 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11732 goto end;
11733 }
cfeaf33a 11734 if (idx == 1 || idx == 2 || idx == 3)
0447cd69
MC		 11735 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11736
11737 SSL_CTX_sess_set_cache_size(sctx, 5);
11738
cfeaf33a
MC		 11739 if (idx == 3) {
11740 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
11741 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
11742 cbdata.cctx = cctx;
11743 cbdata.sctx = sctx;
11744 cbdata.recurse = 0;
11745 }
11746
0447cd69
MC		 11747 for (i = 0; i < 30; i++) {
11748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11749 NULL, NULL))
11750 || !TEST_true(SSL_set_session(clientssl, sess)))
11751 goto end;
11752
cfeaf33a
MC		 11753 /*
11754 * Check simultaneous resumes. We pause the connection part way through
11755 * the handshake by (mis)using the servername_cb. The pause occurs after
11756 * session resumption has already occurred, but before any session
11757 * tickets have been issued. While paused we run another complete
11758 * handshake resuming the same session.
11759 */
11760 if (idx == 3) {
11761 cbdata.i = i;
11762 cbdata.sess = sess;
11763 }
11764
0447cd69
MC		 11765 /*
11766 * Recreate a bug where dynamically changing the max_early_data value
11767 * can cause sessions in the session cache which cannot be deleted.
11768 */
11769 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11770 SSL_set_max_early_data(serverssl, 0);
11771
11772 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11773 goto end;
11774
11775 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11776 if (!TEST_false(SSL_session_reused(clientssl)))
11777 goto end;
11778 } else {
11779 if (!TEST_true(SSL_session_reused(clientssl)))
11780 goto end;
11781 }
11782 SSL_SESSION_free(sess);
11783
11784 /* Do a full handshake, followed by two resumptions */
11785 if ((i % 3) == 2) {
11786 sess = NULL;
11787 } else {
11788 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11789 goto end;
11790 }
11791
11792 SSL_shutdown(clientssl);
11793 SSL_shutdown(serverssl);
11794 SSL_free(serverssl);
11795 SSL_free(clientssl);
11796 serverssl = clientssl = NULL;
11797 }
11798
11799 /* We should never exceed the session cache size limit */
11800 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11801 goto end;
11802
11803 testresult = 1;
11804 end:
11805 SSL_free(serverssl);
11806 SSL_free(clientssl);
11807 SSL_CTX_free(sctx);
11808 SSL_CTX_free(cctx);
11809 SSL_SESSION_free(sess);
11810 return testresult;
11811}
11812
b2b8d188 11813OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 11814
ad887416 11815int setup_tests(void)
2cb4b5f6 11816{
5e30f2fd
MC		 11817 char *modulename;
11818 char *configfile;
11819
b4250010 11820 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 11821 if (!TEST_ptr(libctx))
11822 return 0;
11823
11824 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11825
11826 /*
11827 * Verify that the default and fips providers in the default libctx are not
11828 * available
11829 */
11830 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11831 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11832 return 0;
11833
8d242823
MC		 11834 if (!test_skip_common_options()) {
11835 TEST_error("Error parsing test options\n");
11836 return 0;
11837 }
11838
1a2a3a42
MC		 11839 if (!TEST_ptr(certsdir = test_get_argument(0))
11840 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 11841 || !TEST_ptr(tmpfilename = test_get_argument(2))
11842 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 11843 || !TEST_ptr(configfile = test_get_argument(4))
11844 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 11845 return 0;
11846
b4250010 11847 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 11848 return 0;
11849
11850 /* Check we have the expected provider available */
11851 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11852 return 0;
11853
11854 /* Check the default provider is not available */
11855 if (strcmp(modulename, "default") != 0
11856 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 11857 return 0;
2cb4b5f6 11858
50ea5cdc 11859 if (strcmp(modulename, "fips") == 0) {
11860 OSSL_PROVIDER *prov = NULL;
11861 OSSL_PARAM params[2];
11862
4f6c7044
MC		 11863 is_fips = 1;
11864
50ea5cdc 11865 prov = OSSL_PROVIDER_load(libctx, "fips");
11866 if (prov != NULL) {
11867 /* Query the fips provider to check if the check ems option is enabled */
11868 params[0] =
11869 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11870 &fips_ems_check);
11871 params[1] = OSSL_PARAM_construct_end();
11872 OSSL_PROVIDER_get_params(prov, params);
11873 OSSL_PROVIDER_unload(prov);
11874 }
11875 }
11876
0c13cdf8
MC		 11877 /*
11878 * We add, but don't load the test "tls-provider". We'll load it when we
11879 * need it.
11880 */
11881 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11882 tls_provider_init)))
11883 return 0;
11884
11885
f297e4ec
RS		 11886 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11887#ifdef OPENSSL_NO_CRYPTO_MDEBUG
11888 TEST_error("not supported in this build");
11889 return 0;
11890#else
11891 int i, mcount, rcount, fcount;
11892
11893 for (i = 0; i < 4; i++)
11894 test_export_key_mat(i);
11895 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11896 test_printf_stdout("malloc %d realloc %d free %d\n",
11897 mcount, rcount, fcount);
11898 return 1;
11899#endif
11900 }
11901
1a2a3a42
MC		 11902 cert = test_mk_file_path(certsdir, "servercert.pem");
11903 if (cert == NULL)
b3842539 11904 goto err;
1a2a3a42
MC		 11905
11906 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 11907 if (privkey == NULL)
11908 goto err;
11909
11910 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11911 if (cert2 == NULL)
11912 goto err;
11913
11914 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11915 if (privkey2 == NULL)
11916 goto err;
1a2a3a42 11917
3105d846
MC		 11918 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11919 if (cert1024 == NULL)
11920 goto err;
11921
11922 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11923 if (privkey1024 == NULL)
11924 goto err;
11925
11926 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11927 if (cert3072 == NULL)
11928 goto err;
11929
11930 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11931 if (privkey3072 == NULL)
11932 goto err;
11933
11934 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11935 if (cert4096 == NULL)
11936 goto err;
11937
11938 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11939 if (privkey4096 == NULL)
11940 goto err;
11941
11942 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11943 if (cert8192 == NULL)
11944 goto err;
11945
11946 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11947 if (privkey8192 == NULL)
11948 goto err;
11949
50ea5cdc 11950 if (fips_ems_check) {
11951#ifndef OPENSSL_NO_TLS1_2
11952 ADD_TEST(test_no_ems);
11953#endif
11954 return 1;
11955 }
da4db160 11956#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 11957# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526 11958 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
cd715b7e 11959 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
c8e3a4c6 11960# endif
fe5d9450 11961#endif
84d5549e 11962 ADD_TEST(test_large_message_tls);
7856332e 11963 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 11964#ifndef OPENSSL_NO_DTLS
84d5549e 11965 ADD_TEST(test_large_message_dtls);
55386bef 11966#endif
2fda45d5 11967 ADD_ALL_TESTS(test_large_app_data, 28);
163b8016 11968 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 11969#ifndef OPENSSL_NO_OCSP
c887104f 11970 ADD_TEST(test_tlsext_status_type);
8f8c11d8 11971#endif
eaa776da
MC		 11972 ADD_TEST(test_session_with_only_int_cache);
11973 ADD_TEST(test_session_with_only_ext_cache);
11974 ADD_TEST(test_session_with_both_cache);
90fc2c26 11975 ADD_TEST(test_session_wo_ca_names);
a763ca11 11976#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 11977 ADD_ALL_TESTS(test_stateful_tickets, 3);
11978 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 11979 ADD_TEST(test_psk_tickets);
f0049b86 11980 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 11981#endif
7fb4c820 11982 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 11983 ADD_TEST(test_ssl_bio_pop_next_bio);
11984 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11985 ADD_TEST(test_ssl_bio_change_rbio);
11986 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 11987#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 11988 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 11989 ADD_TEST(test_keylog);
c423ecaa 11990#endif
a763ca11 11991#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 11992 ADD_TEST(test_keylog_no_master_key);
11993#endif
0c3eb279 11994 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 11995 ADD_TEST(test_ssl_build_cert_chain);
11996 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 11997#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 11998 ADD_TEST(test_client_hello_cb);
088dfa13 11999 ADD_TEST(test_no_ems);
3cd14e5e 12000 ADD_TEST(test_ccs_change_cipher);
5f982038 12001#endif
a763ca11 12002#ifndef OSSL_NO_USABLE_TLS1_3
10836921 12003 ADD_ALL_TESTS(test_early_data_read_write, 6);
78fb5374
MC		 12004 /*
12005 * We don't do replay tests for external PSK. Replay protection isn't used
12006 * in that scenario.
12007 */
12008 ADD_ALL_TESTS(test_early_data_replay, 2);
10836921
MC		 12009 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
12010 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
12011 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
12012 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
02a3ed5a 12013 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 12014 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 12015 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 12016 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 12017# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 12018 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 12019# endif
e9ee6536 12020#endif
a763ca11 12021#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 12022 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 12023 ADD_TEST(test_ciphersuite_change);
5bf2eade 12024 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
12025# ifdef OPENSSL_NO_PSK
c2b290c3 12026 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 12027# else
0d8da779 12028 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 12029# endif /* OPENSSL_NO_PSK */
71583393
MM		 12030#ifndef OSSL_NO_USABLE_TLS1_3
12031 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
12032#endif /* OSSL_NO_USABLE_TLS1_3 */
5bf2eade 12033# ifndef OPENSSL_NO_TLS1_2
12034 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 12035 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 12036# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
12037 ADD_ALL_TESTS(test_negotiated_group,
12038 4 * (OSSL_NELEM(ecdhe_kexch_groups)
12039 + OSSL_NELEM(ffdhe_kexch_groups)));
12040# endif
5bf2eade 12041# else
12042 /* Test with only TLSv1.3 versions */
12043 ADD_ALL_TESTS(test_key_exchange, 12);
12044# endif
0db3a990 12045 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 12046 ADD_TEST(test_stateless);
9d75dce3 12047 ADD_TEST(test_pha_key_update);
a273157a 12048#else
bb01ef3f 12049 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 12050#endif
0fb2815b 12051 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 12052#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 12053 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 12054 ADD_TEST(test_key_update);
0c48fda8 12055 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
12056 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
12057 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
12058 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 12059#endif
5de8c49d 12060 ADD_ALL_TESTS(test_ssl_clear, 8);
cf72c757 12061 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 12062#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
12063 ADD_ALL_TESTS(test_srp, 6);
12064#endif
b67cb09f
TS		 12065#if !defined(OPENSSL_NO_COMP_ALG)
12066 /* Add compression case */
12067 ADD_ALL_TESTS(test_info_callback, 8);
12068#else
5718fe45 12069 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 12070#endif
4a432af8 12071 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 12072 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 12073 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 12074 ADD_ALL_TESTS(test_shutdown, 7);
cbf965b4 12075 ADD_TEST(test_async_shutdown);
e638112e 12076 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 12077 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 12078 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 12079 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 12080#ifndef OPENSSL_NO_TLS1_2
12081 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
12082#endif
49ef3d07 12083 ADD_ALL_TESTS(test_servername, 10);
2b4cea1e 12084 ADD_TEST(test_unknown_sigalgs_groups);
b1fdbc68 12085#if !defined(OPENSSL_NO_EC) \
a763ca11 12086 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 12087 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 12088#endif
12089#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 12090 ADD_ALL_TESTS(test_pluggable_group, 2);
3c95ef22 12091 ADD_ALL_TESTS(test_pluggable_signature, 4);
49a36a52
MC		 12092#endif
12093#ifndef OPENSSL_NO_TLS1_2
12094 ADD_TEST(test_ssl_dup);
33c39a06
MC		 12095# ifndef OPENSSL_NO_DH
12096 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 12097 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 12098# endif
6582661f 12099#endif
a763ca11 12100#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 12101 ADD_TEST(test_sni_tls13);
0089cc7f 12102 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 12103#endif
dfccfde0 12104 ADD_TEST(test_inherit_verify_param);
feba11cf 12105 ADD_TEST(test_set_alpn);
948cf521
HL		 12106 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
12107 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 12108 ADD_ALL_TESTS(test_session_timeout, 1);
4a3e8f08
MC		 12109#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
12110 ADD_ALL_TESTS(test_session_cache_overflow, 4);
12111#endif
b2b8d188 12112 ADD_TEST(test_load_dhfile);
f7565348
MC		 12113#ifndef OSSL_NO_USABLE_TLS1_3
12114 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 12115 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 12116#endif
12117#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
12118 ADD_ALL_TESTS(test_serverinfo_custom, 4);
b718f6fc
MC		 12119#endif
12120#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f 12121 ADD_ALL_TESTS(test_pipelining, 7);
f7565348 12122#endif
843f6e27 12123 ADD_ALL_TESTS(test_version, 6);
79ee0172 12124 ADD_TEST(test_rstate_string);
149c4f98 12125 ADD_ALL_TESTS(test_handshake_retry, 16);
dbbdb940 12126 ADD_TEST(test_data_retry);
cfeaf33a 12127 ADD_ALL_TESTS(test_multi_resume, 5);
ad887416 12128 return 1;
b3842539
MC		 12129
12130 err:
12131 OPENSSL_free(cert);
12132 OPENSSL_free(privkey);
12133 OPENSSL_free(cert2);
12134 OPENSSL_free(privkey2);
12135 return 0;
ad887416 12136}
2cb4b5f6 12137
ad887416
P		 12138void cleanup_tests(void)
12139{
8778f0eb 12140# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 12141 EVP_PKEY_free(tmp_dh_params);
12142#endif
1a2a3a42
MC		 12143 OPENSSL_free(cert);
12144 OPENSSL_free(privkey);
b3842539
MC		 12145 OPENSSL_free(cert2);
12146 OPENSSL_free(privkey2);
3105d846
MC		 12147 OPENSSL_free(cert1024);
12148 OPENSSL_free(privkey1024);
12149 OPENSSL_free(cert3072);
12150 OPENSSL_free(privkey3072);
12151 OPENSSL_free(cert4096);
12152 OPENSSL_free(privkey4096);
12153 OPENSSL_free(cert8192);
12154 OPENSSL_free(privkey8192);
fa454945 12155 bio_s_mempacket_test_free();
a77b4dba 12156 bio_s_always_retry_free();
dbbdb940 12157 bio_s_maybe_retry_free();
5e30f2fd 12158 OSSL_PROVIDER_unload(defctxnull);
b4250010 12159 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 12160}
A mirror of the official openssl repository