]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add support for integrity-only cipher suites for TLS v1.3
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
b6461792 2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
b718f6fc 36#include <openssl/engine.h>
2cb4b5f6 37
20f8bc72 38#include "helpers/ssltestlib.h"
c887104f 39#include "testutil.h"
f297e4ec 40#include "testutil/output.h"
176db6dc 41#include "internal/nelem.h"
2b4cea1e 42#include "internal/tlsgroups.h"
fe5d9450 43#include "internal/ktls.h"
706457b7 44#include "../ssl/ssl_local.h"
0755722c 45#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 46#include "filterprov.h"
2cb4b5f6 47
a763ca11
MC		 48#undef OSSL_NO_USABLE_TLS1_3
49#if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51/*
52 * If we don't have ec or dh then there are no built-in groups that are usable
53 * with TLSv1.3
54 */
55# define OSSL_NO_USABLE_TLS1_3
56#endif
57
0c13cdf8
MC		 58/* Defined in tls-provider.c */
59int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
62 void **provctx);
852c2ed2 63
b4250010 64static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 65static OSSL_PROVIDER *defctxnull = NULL;
66
a763ca11 67#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 68
69static SSL_SESSION *clientpsk = NULL;
70static SSL_SESSION *serverpsk = NULL;
71static const char *pskid = "Identity";
72static const char *srvid;
73
74static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
78
79static int use_session_cb_cnt = 0;
80static int find_session_cb_cnt = 0;
8614a4eb
MC		 81#endif
82
1a2a3a42 83static char *certsdir = NULL;
2cb4b5f6
MC		 84static char *cert = NULL;
85static char *privkey = NULL;
b3842539
MC		 86static char *cert2 = NULL;
87static char *privkey2 = NULL;
3105d846
MC		 88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
76fd7a1d
MC		 96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
b2b8d188 98static char *dhfile = NULL;
2cb4b5f6 99
4f6c7044 100static int is_fips = 0;
50ea5cdc 101static int fips_ems_check = 0;
4f6c7044 102
cffe973c 103#define LOG_BUFFER_SIZE 2048
6acdd3e5 104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 105static size_t server_log_buffer_index = 0;
6acdd3e5 106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 107static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 108static int error_writing_log = 0;
109
8f8c11d8 110#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
8f8c11d8 117#endif
ba881d3b 118
cf72c757 119#define CLIENT_VERSION_LEN 2
84d5549e 120
f1a5939f
CB		 121/*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
cffe973c 128 unsigned int client_early_secret_count;
f1a5939f
CB		 129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
01a2a654 133 unsigned int early_exporter_secret_count;
6329ce8f 134 unsigned int exporter_secret_count;
f1a5939f
CB		 135};
136
16afd71c 137
104a733d
MC		 138static int hostname_cb(SSL *s, int *al, void *arg)
139{
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147}
148
710756a9
RS		 149static void client_keylog_callback(const SSL *ssl, const char *line)
150{
6acdd3e5
CB		 151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
710756a9
RS		 154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
6acdd3e5
CB		 156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
710756a9 162 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 163}
164
710756a9
RS		 165static void server_keylog_callback(const SSL *ssl, const char *line)
166{
6acdd3e5
CB		 167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
710756a9 170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 171 TEST_info("Server log too full");
6acdd3e5
CB		 172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
710756a9 178 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 179}
180
181static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
710756a9
RS		 184 size_t raw_length)
185{
186 size_t i, j;
187 char hexed[3];
6acdd3e5 188
710756a9 189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 190 return 1;
6acdd3e5 191
710756a9 192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 193 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 196 return 1;
6acdd3e5
CB		 197 }
198
199 return 0;
200}
201
202static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 203 const SSL_SESSION *session,
710756a9
RS		 204 struct sslapitest_log_counts *expected)
205{
6acdd3e5
CB		 206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
cffe973c 213 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
01a2a654 218 unsigned int early_exporter_secret_count = 0;
6329ce8f 219 unsigned int exporter_secret_count = 0;
6acdd3e5 220
710756a9
RS		 221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
6acdd3e5 223 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
710756a9 229 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 230 return 0;
710756a9 231 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 232 return 0;
710756a9 233 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 234 return 0;
f1a5939f
CB		 235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
6acdd3e5 241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
710756a9 249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 250 return 0;
6acdd3e5 251
710756a9 252 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 253 return 0;
710756a9 254 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 255 return 0;
710756a9
RS		 256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
f1a5939f 259 return 0;
6acdd3e5 260
710756a9 261 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 262 return 0;
6acdd3e5
CB		 263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
710756a9 266 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 267 return 0;
710756a9
RS		 268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
f1a5939f 271 return 0;
f1a5939f 272 master_secret_count++;
cffe973c
PW		 273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 279 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
cffe973c
PW		 286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
01a2a654
PW		 296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
6329ce8f
PW		 298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
f1a5939f
CB		 300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
710756a9 304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 305 return 0;
f1a5939f 306
710756a9 307 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 308 return 0;
710756a9 309 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 310 return 0;
710756a9
RS		 311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
f1a5939f 314 return 0;
6acdd3e5 315
710756a9 316 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 317 return 0;
6acdd3e5 318 } else {
710756a9 319 TEST_info("Unexpected token %s\n", token);
f1a5939f 320 return 0;
6acdd3e5 321 }
6acdd3e5
CB		 322 }
323
710756a9
RS		 324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
cffe973c
PW		 329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
710756a9
RS		 331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 338 expected->server_application_secret_count)
01a2a654
PW		 339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
6329ce8f
PW		 341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
710756a9
RS		 343 return 0;
344 return 1;
6acdd3e5
CB		 345}
346
a763ca11 347#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 348static int test_keylog(void)
349{
6acdd3e5
CB		 350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
6fc1e624 353 struct sslapitest_log_counts expected;
6acdd3e5
CB		 354
355 /* Clean up logging space */
6fc1e624 356 memset(&expected, 0, sizeof(expected));
710756a9
RS		 357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
5e30f2fd 363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 364 TLS_client_method(),
5c587fb6 365 TLS1_VERSION, 0,
710756a9 366 &sctx, &cctx, cert, privkey)))
6acdd3e5 367 return 0;
6acdd3e5
CB		 368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
f0deb4d3 373 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 375 goto end;
f0deb4d3 376
cf10df81
RS		 377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 379 goto end;
6acdd3e5 380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
6acdd3e5 383 goto end;
710756a9 384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
6acdd3e5 387 goto end;
6acdd3e5 388
710756a9
RS		 389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 397 goto end;
6acdd3e5 398
f1a5939f
CB		 399 /*
400 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 401 * do that by using strtok and confirming that we have more or less the
f1a5939f 402 * data we expect. For both client and server, we expect to see one master
a63fa5f7 403 * secret. The client should also see an RSA key exchange.
6acdd3e5 404 */
f1a5939f
CB		 405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
710756a9
RS		 407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
6acdd3e5 409 goto end;
f1a5939f
CB		 410
411 expected.rsa_key_exchange_count = 0;
710756a9
RS		 412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
6acdd3e5 414 goto end;
6acdd3e5
CB		 415
416 testresult = 1;
417
418end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425}
c423ecaa 426#endif
6acdd3e5 427
a763ca11 428#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 429static int test_keylog_no_master_key(void)
430{
6acdd3e5
CB		 431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 433 SSL_SESSION *sess = NULL;
6acdd3e5 434 int testresult = 0;
6fc1e624 435 struct sslapitest_log_counts expected;
cffe973c
PW		 436 unsigned char buf[1];
437 size_t readbytes, written;
6acdd3e5
CB		 438
439 /* Clean up logging space */
6fc1e624 440 memset(&expected, 0, sizeof(expected));
710756a9
RS		 441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
5e30f2fd
MC		 447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 451 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 452 return 0;
6acdd3e5 453
cf10df81
RS		 454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 456 goto end;
6acdd3e5
CB		 457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
6acdd3e5 461 goto end;
6acdd3e5 462
710756a9 463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
6acdd3e5 466 goto end;
6acdd3e5 467
710756a9
RS		 468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
6acdd3e5 474 goto end;
6acdd3e5 475
f1a5939f
CB		 476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 479 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 480 */
f1a5939f
CB		 481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
6329ce8f 485 expected.exporter_secret_count = 1;
710756a9
RS		 486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
6acdd3e5 491 goto end;
6acdd3e5 492
cffe973c
PW		 493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
01a2a654 524 expected.early_exporter_secret_count = 1;
cffe973c
PW		 525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
6acdd3e5
CB		 532 testresult = 1;
533
534end:
cffe973c 535 SSL_SESSION_free(sess);
6acdd3e5
CB		 536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542}
543#endif
544
0c3eb279
DDO		 545static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546{
547 int res = X509_verify_cert(ctx);
dfb39f73
TM		 548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
0c3eb279
DDO		 555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
0c3eb279
DDO		 561 return res;
562}
563
564static int test_client_cert_verify_cb(void)
565{
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620end:
621 X509_free(crt1);
622 X509_free(crt2);
c38048e7
P		 623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
0c3eb279
DDO		 631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641}
642
4e4ae840
SL		 643static int test_ssl_build_cert_chain(void)
644{
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670}
671
c7debe81
TM		 672static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673{
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681}
682
4e4ae840
SL		 683static int test_ssl_ctx_build_cert_chain(void)
684{
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
c7debe81 687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
c7debe81 692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708}
709
e9ee6536 710#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 711static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 712{
713 int *ctr = arg;
714 const unsigned char *p;
8ea404fb 715 int *exts;
2afaee51 716#ifdef OPENSSL_NO_EC
972ee925 717 const unsigned char expected_ciphers[] = {0x00, 0x9d};
2afaee51
BK		 718#else
719 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
972ee925 720 0x2c};
2afaee51 721#endif
8ea404fb 722 const int expected_extensions[] = {
972ee925 723 65281,
8ea404fb
BK		 724#ifndef OPENSSL_NO_EC
725 11, 10,
726#endif
10ed1b72 727 35, 22, 23, 13};
2afaee51
BK		 728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
f1b97da1 732 return SSL_CLIENT_HELLO_RETRY;
2afaee51 733
a9c0d8be 734 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 738 || !TEST_int_eq(*p, 0))
f1b97da1 739 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 741 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 744 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 745 OPENSSL_free(exts);
f1b97da1 746 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 747 }
748 OPENSSL_free(exts);
f1b97da1 749 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 750}
751
a9c0d8be 752static int test_client_hello_cb(void)
710756a9 753{
2afaee51
BK		 754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
5e30f2fd
MC		 758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 760 &sctx, &cctx, cert, privkey)))
2afaee51 761 goto end;
a9c0d8be 762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 763
2afaee51
BK		 764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 766
710756a9
RS		 767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
a9c0d8be
DB		 777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
2afaee51 781 goto end;
2afaee51
BK		 782
783 testresult = 1;
784
088dfa13
TS		 785end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792}
793
794static int test_no_ems(void)
795{
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
50ea5cdc 798 int testresult = 0, status;
088dfa13 799
5e30f2fd 800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
50ea5cdc 814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
816 if (status == 1) {
eb4129e1 817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
50ea5cdc 818 goto end;
819 }
820 } else {
821 if (!status) {
822 printf("Creating SSL connection failed\n");
823 goto end;
824 }
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
827 goto end;
828 }
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
831 goto end;
832 }
088dfa13
TS		 833 }
834 testresult = 1;
835
2afaee51
BK		 836end:
837 SSL_free(serverssl);
838 SSL_free(clientssl);
839 SSL_CTX_free(sctx);
840 SSL_CTX_free(cctx);
841
842 return testresult;
843}
844
3cd14e5e
BK		 845/*
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 849 * encryption to real encryption).
3cd14e5e
BK		 850 */
851static int test_ccs_change_cipher(void)
852{
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
856 int testresult = 0;
857 int i;
858 unsigned char buf;
859 size_t readbytes;
860
861 /*
e304aa87 862 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 863 * a different cipher in the second connection.
864 */
5e30f2fd 865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 866 TLS_client_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 NULL, NULL))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 SSL_ERROR_NONE))
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
877 goto end;
878
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
881
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
885 NULL, NULL))
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
889 SSL_ERROR_NONE))
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
896 goto end;
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
899
900 /*
901 * Now create a fresh connection and try to renegotiate a different
902 * cipher on it.
903 */
b3e6d666
BK		 904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
905 NULL, NULL))
3cd14e5e
BK		 906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
908 SSL_ERROR_NONE))
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
913 goto end;
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
918 goto end;
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
921 goto end;
922 }
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 }
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
939 goto end;
940
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
943
944 testresult = 1;
945
946end:
947 SSL_free(serverssl);
948 SSL_free(clientssl);
949 SSL_CTX_free(sctx);
950 SSL_CTX_free(cctx);
951 SSL_SESSION_free(sess);
952
953 return testresult;
954}
fb121631 955#endif
3cd14e5e 956
149c4f98
MC		 957static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
960 int read_ahead)
961{
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
964 int testresult = 0;
965
5e30f2fd
MC		 966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
968 privkey)))
84d5549e 969 goto end;
84d5549e 970
8ce390e1
MC		 971#ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
973 /*
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
975 * level 0
976 */
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
980 goto end;
981 }
982#endif
983
710756a9 984 if (read_ahead) {
7856332e
MC		 985 /*
986 * Test that read_ahead works correctly when dealing with large
987 * records
988 */
989 SSL_CTX_set_read_ahead(cctx, 1);
990 }
991
3860ef2a 992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98 993 goto end;
84d5549e 994
710756a9
RS		 995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
996 NULL, NULL))
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
998 SSL_ERROR_NONE)))
84d5549e 999 goto end;
84d5549e 1000
4bf08600
MC		 1001 /*
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1003 * doesn't leak.
4bf08600 1004 */
710756a9 1005 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1006 goto end;
84d5549e 1007
4bf08600 1008 testresult = 1;
84d5549e 1009 end:
84d5549e
MC		 1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1012 SSL_CTX_free(sctx);
1013 SSL_CTX_free(cctx);
1014
1015 return testresult;
1016}
1017
da4db160 1018#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1020/* sock must be connected */
1021static int ktls_chk_platform(int sock)
1022{
1023 if (!ktls_enable(sock))
1024 return 0;
1025 return 1;
1026}
1027
e1fdd526 1028static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1029{
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1033 size_t err = 0;
e1fdd526
JB		 1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1042 SSL_CONNECTION *clientsc, *serversc;
1043
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1046 goto end;
fe5d9450
BP		 1047
1048 cbuf[0] = count++;
2c50d7fb
MC		 1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1053
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1055 goto end;
1056
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1059 goto end;
1060 }
1061 }
1062
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1064 goto end;
1065
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1068 goto end;
1069 }
1070 }
1071
2c50d7fb
MC		 1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1076
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1079 goto end;
1080
e1fdd526
JB		 1081 /*
1082 * If ktls is used then kernel sequences are used instead of
1083 * OpenSSL sequences
1084 */
38b051a1 1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1088 goto end;
1089 } else {
e1fdd526
JB		 1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1092 goto end;
1093 }
1094
38b051a1 1095 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1098 goto end;
1099 } else {
e1fdd526
JB		 1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1102 goto end;
1103 }
1104
38b051a1 1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1108 goto end;
1109 } else {
e1fdd526
JB		 1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1112 goto end;
1113 }
1114
38b051a1 1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1118 goto end;
1119 } else {
e1fdd526
JB		 1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1122 goto end;
1123 }
fe5d9450
BP		 1124
1125 return 1;
1126end:
1127 return 0;
1128}
1129
a3a54179 1130static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1131 int tls_version, const char *cipher)
fe5d9450
BP		 1132{
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1137 int rx_supported;
38b051a1 1138 SSL_CONNECTION *clientsc, *serversc;
563f4be8
MC		 1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1141 int ret;
1142 size_t offset = 0, i;
fe5d9450 1143
0c593328 1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
fe5d9450
BP		 1145 goto end;
1146
1147 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1150 goto end;
1151 }
fe5d9450 1152
a5d8a2f8
DB		 1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1155 goto end;
1156 }
1157
fe5d9450 1158 /* Create a session based on SHA-256 */
5e30f2fd 1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1160 TLS_client_method(),
da4db160 1161 tls_version, tls_version,
e1fdd526
JB		 1162 &sctx, &cctx, cert, privkey)))
1163 goto end;
1164
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1168 goto end;
1169 } else {
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1172 goto end;
1173 }
1174
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
fe5d9450
BP		 1177 goto end;
1178
38b051a1
TM		 1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1181 goto end;
1182
a3a54179
MC		 1183 if (cis_ktls) {
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1185 goto end;
1186 }
1187
a3a54179 1188 if (sis_ktls) {
e1fdd526 1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1190 goto end;
1191 }
1192
e1fdd526 1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1194 goto end;
1195
e1fdd526
JB		 1196 /*
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1199 * isn't enabled.
1200 */
a3a54179 1201 if (!cis_ktls) {
38b051a1 1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1203 goto end;
1204 } else {
38b051a1 1205 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1206 ktls_used = 1;
fe5d9450
BP		 1207 }
1208
a3a54179 1209 if (!sis_ktls) {
38b051a1 1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1211 goto end;
1212 } else {
38b051a1 1213 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1214 ktls_used = 1;
fe5d9450
BP		 1215 }
1216
a3a54179 1217#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1218 rx_supported = 0;
1219#else
7c78932b 1220 rx_supported = 1;
a3a54179 1221#endif
e1fdd526 1222 if (!cis_ktls || !rx_supported) {
38b051a1 1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1224 goto end;
1225 } else {
38b051a1 1226 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1227 ktls_used = 1;
2fab79af
BP		 1228 }
1229
e1fdd526 1230 if (!sis_ktls || !rx_supported) {
38b051a1 1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1232 goto end;
1233 } else {
38b051a1 1234 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1235 ktls_used = 1;
1236 }
1237
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1241 "TLS 1.2", cipher);
1242 goto end;
2fab79af
BP		 1243 }
1244
e1fdd526 1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1246 goto end;
1247
563f4be8
MC		 1248 buf = OPENSSL_zalloc(bufsz);
1249 if (!TEST_ptr(buf))
1250 goto end;
1251
1252 /*
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1255 */
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1258 goto end;
1259 }
1260
1261 /* Now check that we can read all the data we wrote */
1262 do {
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1264 if (ret <= 0) {
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1266 goto end;
1267 } else {
1268 offset += ret;
1269 }
1270 } while (offset < bufsz);
1271
1272 if (!TEST_true(offset == bufsz))
1273 goto end;
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1276 goto end;
1277
fe5d9450
BP		 1278 testresult = 1;
1279end:
563f4be8 1280 OPENSSL_free(buf);
fe5d9450
BP		 1281 if (clientssl) {
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1284 }
1285 if (serverssl) {
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1288 }
1289 SSL_CTX_free(sctx);
1290 SSL_CTX_free(cctx);
1291 serverssl = clientssl = NULL;
e1fdd526
JB		 1292 if (cfd != -1)
1293 close(cfd);
1294 if (sfd != -1)
1295 close(sfd);
fe5d9450
BP		 1296 return testresult;
1297}
1298
7c3a7561
BP		 1299#define SENDFILE_SZ (16 * 4096)
1300#define SENDFILE_CHUNK (4 * 4096)
1301#define min(a,b) ((a) > (b) ? (b) : (a))
1302
cd715b7e
MM		 1303static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1304 int zerocopy)
7c3a7561
BP		 1305{
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
e1fdd526 1310 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
38b051a1 1315 SSL_CONNECTION *serversc;
7c3a7561
BP		 1316
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
0c593328 1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
7c3a7561
BP		 1321 goto end;
1322
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
e1fdd526 1325 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1326 goto end;
1327 }
1328
a5d8a2f8
DB		 1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1331 goto end;
1332 }
1333
7c3a7561 1334 /* Create a session based on SHA-256 */
5e30f2fd 1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1336 TLS_client_method(),
da4db160 1337 tls_version, tls_version,
e1fdd526
JB		 1338 &sctx, &cctx, cert, privkey)))
1339 goto end;
1340
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1344 goto end;
1345 } else {
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1348 goto end;
1349 }
1350
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1353 goto end;
1354
38b051a1
TM		 1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1356 goto end;
1357
e1fdd526 1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1359 goto end;
1360
cd715b7e
MM		 1361 if (zerocopy) {
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1364 goto end;
1365 }
1366
7c3a7561 1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1368 SSL_ERROR_NONE)))
7c3a7561
BP		 1369 goto end;
1370
38b051a1 1371 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1374 "TLS 1.2", cipher);
1375 goto end;
1376 }
1377
c9007bda 1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1379 goto end;
1380
7c3a7561
BP		 1381 out = BIO_new_file(tmpfilename, "wb");
1382 if (!TEST_ptr(out))
1383 goto end;
1384
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1386 goto end;
1387
1388 BIO_free(out);
1389 out = NULL;
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1392 ffd = fileno(ffdp);
1393
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1397 ffd,
1398 chunk_off,
1399 chunk_size,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1402 goto end;
1403 }
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1408 goto end;
1409 }
1410
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1413 chunk_size,
1414 buf + chunk_off,
1415 chunk_size))
1416 goto end;
1417
1418 chunk_off += chunk_size;
1419 }
1420
1421 testresult = 1;
1422end:
1423 if (clientssl) {
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1426 }
1427 if (serverssl) {
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1430 }
1431 SSL_CTX_free(sctx);
1432 SSL_CTX_free(cctx);
1433 serverssl = clientssl = NULL;
1434 BIO_free(out);
1435 BIO_free(in);
e1fdd526
JB		 1436 if (cfd != -1)
1437 close(cfd);
1438 if (sfd != -1)
1439 close(sfd);
7c3a7561
BP		 1440 OPENSSL_free(buf);
1441 OPENSSL_free(buf_dst);
1442 return testresult;
1443}
1444
e1fdd526
JB		 1445static struct ktls_test_cipher {
1446 int tls_version;
1447 const char *cipher;
1448} ktls_test_ciphers[] = {
1449# if !defined(OPENSSL_NO_TLS1_2)
1450# ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1452# endif
1453# ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1455# endif
1456# ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1458# endif
11bac1b4 1459# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
2dded44a 1460# ifndef OPENSSL_NO_EC
11bac1b4 1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
2dded44a 1462# endif
11bac1b4 1463# endif
e1fdd526
JB		 1464# endif
1465# if !defined(OSSL_NO_USABLE_TLS1_3)
1466# ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1468# endif
1469# ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1471# endif
1472# ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1474# endif
11bac1b4
JB		 1475# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1477# endif
e1fdd526
JB		 1478# endif
1479};
1480
1481#define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1483
da4db160
VF		 1484static int test_ktls(int test)
1485{
e1fdd526 1486 struct ktls_test_cipher *cipher;
a3a54179 1487 int cis_ktls, sis_ktls;
da4db160 1488
2cff17fd 1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1490 cipher = &ktls_test_ciphers[test / 4];
da4db160 1491
a3a54179
MC		 1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
cd03b5dc 1494
e1fdd526
JB		 1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1496 cipher->cipher);
2fab79af
BP		 1497}
1498
cd715b7e 1499static int test_ktls_sendfile(int test)
fe5d9450 1500{
e1fdd526 1501 struct ktls_test_cipher *cipher;
cd715b7e 1502 int tst = test >> 1;
da4db160 1503
2cff17fd 1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1505 cipher = &ktls_test_ciphers[tst];
da4db160 1506
cd715b7e
MM		 1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1508 test & 1);
fe5d9450 1509}
fe5d9450
BP		 1510#endif
1511
84d5549e
MC		 1512static int test_large_message_tls(void)
1513{
7856332e 1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1515 TLS1_VERSION, 0, 0);
7856332e
MC		 1516}
1517
1518static int test_large_message_tls_read_ahead(void)
1519{
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1521 TLS1_VERSION, 0, 1);
84d5549e
MC		 1522}
1523
55386bef 1524#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1525static int test_large_message_dtls(void)
1526{
8ce390e1
MC		 1527# ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1529 if (is_fips)
1530 return 1;
1531# endif
7856332e
MC		 1532 /*
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1535 */
84d5549e 1536 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1537 DTLS_client_method(),
5c587fb6 1538 DTLS1_VERSION, 0, 0);
84d5549e 1539}
55386bef 1540#endif
84d5549e 1541
3ff0a48a
MC		 1542/*
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1549 */
1550static int test_large_app_data(int tst)
1551{
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
2fda45d5
MC		 1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
3ff0a48a
MC		 1559
1560 switch (tst >> 2) {
1561 case 0:
1562#ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1564 break;
1565#else
1566 return 1;
1567#endif
1568
1569 case 1:
1570#ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1572 break;
1573#else
1574 return 1;
1575#endif
1576
1577 case 2:
1578#ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1580 break;
1581#else
1582 return 1;
1583#endif
1584
1585 case 3:
1586#ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1588 break;
1589#else
1590 return 1;
1591#endif
1592
1593 case 4:
1594#ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1596 break;
1597#else
1598 return 1;
1599#endif
1600
2fda45d5
MC		 1601 case 5:
1602#ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1606 break;
1607#else
1608 return 1;
1609#endif
1610
1611 case 6:
1612#ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1616 break;
1617#else
1618 return 1;
1619#endif
1620
3ff0a48a
MC		 1621 default:
1622 /* Shouldn't happen */
1623 return 0;
1624 }
1625
2fda45d5 1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
3ff0a48a
MC		 1627 return 1;
1628
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1631 if (!TEST_ptr(msg))
1632 goto end;
1633
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1635 if (!TEST_ptr(buf))
1636 goto end;
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639
2fda45d5 1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
3ff0a48a
MC		 1641 &sctx, &cctx, cert, privkey)))
1642 goto end;
1643
2fda45d5 1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
3ff0a48a
MC		 1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1649 goto end;
1650 }
1651
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1654 goto end;
1655
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1662 goto end;
1663 }
1664
1665 if ((tst & 2) != 0) {
1666 /*
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1669 */
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1673 goto end;
1674 }
1675
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1677 goto end;
1678
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1680 &written))
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1682 goto end;
1683
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1686 &readbytes)))
1687 goto end;
1688
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1690 goto end;
1691
1692 testresult = 1;
1693end:
1694 OPENSSL_free(msg);
1695 OPENSSL_free(buf);
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1698 SSL_CTX_free(sctx);
1699 SSL_CTX_free(cctx);
1700 return testresult;
1701}
1702
fb32f6ea
MC		 1703#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
163b8016
ME		 1705static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1708{
1709 size_t i;
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1712 int testresult = 0;
2eb91b0e 1713 const unsigned char *zbuf;
38b051a1 1714 SSL_CONNECTION *serversc;
eddb067e 1715 TLS_RECORD *rr;
163b8016
ME		 1716
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1719
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1721 smeth, cmeth,
1722 min_version, max_version,
1723 &sctx, &cctx, cert,
1724 privkey)))
1725 goto end;
1726
8ce390e1 1727# ifdef OPENSSL_NO_DTLS1_2
fb32f6ea 1728 if (smeth == DTLS_server_method()) {
8ce390e1
MC		 1729 /* Not supported in the FIPS provider */
1730 if (is_fips) {
1731 testresult = 1;
1732 goto end;
1733 };
8ce390e1
MC		 1734 /*
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1736 * level 0
1737 */
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1741 goto end;
1742 }
fb32f6ea 1743# endif
8ce390e1 1744
163b8016
ME		 1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1746 NULL, NULL)))
1747 goto end;
1748
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1750 goto end;
1751
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1753 SSL_ERROR_NONE)))
1754 goto end;
1755
1756 for (i = 0; i < sizeof(cbuf); i++) {
1757 cbuf[i] = i & 0xff;
1758 }
1759
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1761 goto end;
1762
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1764 goto end;
1765
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1767 goto end;
1768
1769 /*
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1773 */
38b051a1
TM		 1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1775 goto end;
eddb067e 1776 rr = serversc->rlayer.tlsrecs;
4030869d 1777
eddb067e
MC		 1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1780 goto end;
163b8016
ME		 1781
1782 /*
1783 * After SSL_peek() the plaintext must still be stored in the
1784 * record.
1785 */
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1791 goto end;
1792
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1794 goto end;
1795
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1799 goto end;
1800
1801 testresult = 1;
1802 end:
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1805 SSL_CTX_free(sctx);
1806 SSL_CTX_free(cctx);
1807
1808 return testresult;
1809}
fb32f6ea
MC		 1810#endif /*
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1813 */
163b8016
ME		 1814
1815static int test_cleanse_plaintext(void)
1816{
1817#if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1820 TLS1_2_VERSION,
1821 TLS1_2_VERSION)))
1822 return 0;
1823
1824#endif
1825
a763ca11 1826#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1829 TLS1_3_VERSION,
1830 TLS1_3_VERSION)))
1831 return 0;
1832#endif
1833
1834#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1835
163b8016
ME		 1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1838 DTLS1_VERSION,
1839 0)))
1840 return 0;
1841#endif
1842 return 1;
1843}
1844
8f8c11d8 1845#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1846static int ocsp_server_cb(SSL *s, void *arg)
1847{
1848 int *argi = (int *)arg;
710756a9 1849 unsigned char *copy = NULL;
ba881d3b
MC		 1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1852
1853 if (*argi == 2) {
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858
1859 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1864 }
1865
710756a9 1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1868
711d5a2f
P		 1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1871 OPENSSL_free(copy);
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1873 }
ba881d3b 1874 ocsp_server_called = 1;
ba881d3b
MC		 1875 return SSL_TLSEXT_ERR_OK;
1876}
1877
1878static int ocsp_client_cb(SSL *s, void *arg)
1879{
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1882 size_t len;
1883
1884 if (*argi != 1 && *argi != 2)
1885 return 0;
1886
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1888 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1889 return 0;
1890
1891 ocsp_client_called = 1;
ba881d3b
MC		 1892 return 1;
1893}
1894
2cb4b5f6
MC		 1895static int test_tlsext_status_type(void)
1896{
ba881d3b
MC		 1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1899 int testresult = 0;
ba881d3b
MC		 1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
2cb4b5f6 1903
5e30f2fd 1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1905 TLS1_VERSION, 0,
7d7f6834 1906 &sctx, &cctx, cert, privkey))
ba881d3b 1907 return 0;
2cb4b5f6 1908
710756a9 1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1910 goto end;
2cb4b5f6 1911
ba881d3b 1912 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1913
ba881d3b 1914 clientssl = SSL_new(cctx);
710756a9
RS		 1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1920 goto end;
2cb4b5f6 1921
ba881d3b
MC		 1922 SSL_free(clientssl);
1923 clientssl = NULL;
2cb4b5f6 1924
710756a9
RS		 1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1927 goto end;
2cb4b5f6 1928
ba881d3b 1929 clientssl = SSL_new(cctx);
710756a9 1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1931 goto end;
ba881d3b
MC		 1932 SSL_free(clientssl);
1933 clientssl = NULL;
1934
1935 /*
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1938 */
ba881d3b
MC		 1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1946 SSL_ERROR_NONE))
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
ba881d3b 1949 goto end;
ba881d3b
MC		 1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1952 serverssl = NULL;
1953 clientssl = NULL;
1954
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1958 cdummyarg = 0;
710756a9
RS		 1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1963 SSL_ERROR_NONE))
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
ba881d3b 1966 goto end;
ba881d3b
MC		 1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1969 serverssl = NULL;
1970 clientssl = NULL;
1971
1972 /*
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1974 * accept.
1975 */
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1978 cdummyarg = 2;
710756a9
RS		 1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
ba881d3b 1981 goto end;
ba881d3b
MC		 1982
1983 /*
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1985 * specific one. We'll use the server cert.
ba881d3b 1986 */
710756a9
RS		 1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1994 goto end;
ba881d3b
MC		 1995 id = NULL;
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
1998 ids = NULL;
1999
2000 BIO_free(certbio);
2001 certbio = NULL;
2002
710756a9
RS		 2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2004 SSL_ERROR_NONE))
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
ba881d3b 2007 goto end;
ba881d3b 2008
2cb4b5f6
MC		 2009 testresult = 1;
2010
2011 end:
ba881d3b
MC		 2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2014 SSL_CTX_free(sctx);
2015 SSL_CTX_free(cctx);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2018 BIO_free(certbio);
2019 X509_free(ocspcert);
2020 ocspcert = NULL;
2cb4b5f6
MC		 2021
2022 return testresult;
2023}
8f8c11d8 2024#endif
2cb4b5f6 2025
a763ca11 2026#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 2027static int new_called, remove_called, get_called;
eaa776da 2028
eaa776da
MC		 2029static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2030{
2031 new_called++;
c0537ebd
MC		 2032 /*
2033 * sess has been up-refed for us, but we don't actually need it so free it
2034 * immediately.
2035 */
2036 SSL_SESSION_free(sess);
eaa776da
MC		 2037 return 1;
2038}
2039
2040static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041{
2042 remove_called++;
2043}
2044
7a301f08
MC		 2045static SSL_SESSION *get_sess_val = NULL;
2046
2047static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 int *copy)
2049{
0afca811 2050 get_called++;
7a301f08
MC		 2051 *copy = 1;
2052 return get_sess_val;
2053}
2054
7a301f08 2055static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 2056 int use_ext_cache, long s_options)
2cb4b5f6
MC		 2057{
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 2061# ifndef OPENSSL_NO_TLS1_1
eaa776da 2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 2063# endif
2cb4b5f6 2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 2065 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 2066
7e885b7b
P		 2067 new_called = remove_called = 0;
2068
36ff232c
MC		 2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2071 numnewsesstick = 2;
2072
5e30f2fd
MC		 2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2075 &sctx, &cctx, cert, privkey)))
2cb4b5f6 2076 return 0;
2cb4b5f6 2077
7a301f08
MC		 2078 /*
2079 * Only allow the max protocol version so we can force a connection failure
2080 * later
2081 */
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 2084
2085 /* Set up session cache */
7e885b7b 2086 if (use_ext_cache) {
eaa776da
MC		 2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2089 }
7e885b7b 2090 if (use_int_cache) {
eaa776da
MC		 2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2093 } else {
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2097 }
2cb4b5f6 2098
90fc2c26
NM		 2099 if (s_options) {
2100 SSL_CTX_set_options(sctx, s_options);
2101 }
2102
710756a9
RS		 2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2104 NULL, NULL))
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2106 SSL_ERROR_NONE))
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 2108 goto end;
2cb4b5f6 2109
710756a9 2110 /* Should fail because it should already be in the cache */
7e885b7b 2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 2112 goto end;
7a301f08 2113 if (use_ext_cache
36ff232c
MC		 2114 && (!TEST_int_eq(new_called, numnewsesstick)
2115
2116 || !TEST_int_eq(remove_called, 0)))
b4982125 2117 goto end;
b4982125 2118
c0537ebd
MC		 2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2124 SSL_ERROR_NONE))
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2126 goto end;
2127
7a301f08
MC		 2128 if (maxprot == TLS1_3_VERSION) {
2129 /*
2130 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 2133 */
2134 if (use_ext_cache
2135 && (!TEST_int_eq(new_called, 1)
4cb00457 2136 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2137 goto end;
2138 } else {
2139 /*
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2141 * removed.
2142 */
2143 if (use_ext_cache
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2146 goto end;
2147 }
c0537ebd
MC		 2148
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2151 goto end;
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2154
2155 new_called = remove_called = 0;
710756a9
RS		 2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2159 SSL_ERROR_NONE)))
2cb4b5f6 2160 goto end;
2cb4b5f6 2161
710756a9 2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2163 goto end;
2cb4b5f6 2164
7a301f08 2165 if (use_ext_cache
36ff232c
MC		 2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
eaa776da 2168 goto end;
eaa776da 2169
c0537ebd 2170 new_called = remove_called = 0;
2cb4b5f6 2171 /*
710756a9
RS		 2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2cb4b5f6 2174 */
710756a9 2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2176 goto end;
7a301f08
MC		 2177 if (use_ext_cache
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2179 goto end;
710756a9 2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2181 goto end;
2cb4b5f6 2182
7e885b7b 2183 if (use_int_cache) {
710756a9
RS		 2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2187 goto end;
eaa776da
MC		 2188 }
2189
c0537ebd 2190 new_called = remove_called = 0;
eaa776da 2191 /* This shouldn't be in the cache so should fail */
710756a9 2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2193 goto end;
2cb4b5f6 2194
7a301f08
MC		 2195 if (use_ext_cache
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2197 goto end;
2cb4b5f6 2198
bf208d95 2199# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2200 new_called = remove_called = 0;
eaa776da
MC		 2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2206 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2208 SSL_ERROR_NONE)))
eaa776da 2209 goto end;
b4982125 2210
eaa776da 2211 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2212 if (use_ext_cache
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2214 goto end;
2cb4b5f6 2215
710756a9 2216 /* Should succeed because it should not already be in the cache */
7e885b7b 2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2218 goto end;
bf208d95 2219# endif
eaa776da 2220
7a301f08
MC		 2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2229 }
2230
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2233 if (!use_int_cache)
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2237
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2245 sess1 = NULL;
2246 SSL_SESSION_free(sess2);
2247 sess2 = NULL;
2248
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2252 new_called = remove_called = get_called = 0;
7a301f08
MC		 2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2254 NULL, NULL))
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2256 SSL_ERROR_NONE))
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2259 goto end;
2260
ee94ec2e
MC		 2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2263 /*
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2268 */
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2270 goto end;
2271 } else {
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 goto end;
2275 }
2276 }
7a301f08
MC		 2277
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2280
36ff232c 2281 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2284 goto end;
2285 /*
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2289 */
ee94ec2e 2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6 2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
9fdf9a44
WL		 2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
3cb6a4d6
BK		 2295 goto end;
2296 SSL_SESSION_free(sess2);
2297 }
7a301f08
MC		 2298 sess2 = tmp;
2299 }
2300
0afca811 2301 new_called = remove_called = get_called = 0;
7a301f08
MC		 2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2307 SSL_ERROR_NONE))
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2309 goto end;
2310
0afca811 2311 if (use_ext_cache) {
32305f88 2312 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2313 goto end;
2314
2315 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2318 goto end;
2319 } else {
32305f88
MC		 2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2322 goto end;
2323 }
2324 }
4842a27b
TS		 2325 /*
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2330 */
2331
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2337 goto end;
2338
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2340 goto end;
2341
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2345
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2350 goto end;
7a301f08 2351
2cb4b5f6 2352 testresult = 1;
eaa776da 2353
2cb4b5f6
MC		 2354 end:
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
bf208d95 2359# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
bf208d95 2362# endif
2cb4b5f6
MC		 2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369}
a763ca11 2370#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2371
7fb4c820
MC		 2372static int test_session_with_only_int_cache(void)
2373{
a763ca11 2374#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2376 return 0;
2377#endif
2378
2379#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2381#else
2382 return 1;
2383#endif
eaa776da
MC		 2384}
2385
7fb4c820
MC		 2386static int test_session_with_only_ext_cache(void)
2387{
a763ca11 2388#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2390 return 0;
2391#endif
2392
2393#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2395#else
2396 return 1;
2397#endif
eaa776da
MC		 2398}
2399
7fb4c820
MC		 2400static int test_session_with_both_cache(void)
2401{
a763ca11 2402#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2404 return 0;
2405#endif
2406
2407#ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2409#else
2410 return 1;
2411#endif
2412}
2413
2414static int test_session_wo_ca_names(void)
2415{
a763ca11 2416#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2418 return 0;
2419#endif
2420
2421#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2423#else
2424 return 1;
2425#endif
eaa776da
MC		 2426}
2427
a763ca11 2428#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2429static SSL_SESSION *sesscache[6];
2430static int do_cache;
36ff232c
MC		 2431
2432static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2433{
c22365b3
MC		 2434 if (do_cache) {
2435 sesscache[new_called] = sess;
2436 } else {
2437 /* We don't need the reference to the session, so free it */
2438 SSL_SESSION_free(sess);
2439 }
2440 new_called++;
2441
2442 return 1;
2443}
2444
2445static int post_handshake_verify(SSL *sssl, SSL *cssl)
2446{
2447 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2448 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2449 return 0;
2450
2451 /* Start handshake on the server and client */
2452 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2453 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2454 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2455 || !TEST_true(create_ssl_connection(sssl, cssl,
2456 SSL_ERROR_NONE)))
2457 return 0;
36ff232c
MC		 2458
2459 return 1;
2460}
2461
fbe9dafd 2462static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2463 SSL_CTX **cctx)
2464{
2465 int sess_id_ctx = 1;
2466
5e30f2fd
MC		 2467 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2468 TLS_client_method(), TLS1_VERSION, 0,
2469 sctx, cctx, cert, privkey))
03cdf559
MC		 2470 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2471 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2472 (void *)&sess_id_ctx,
2473 sizeof(sess_id_ctx))))
2474 return 0;
2475
2476 if (stateful)
2477 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2478
2479 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2480 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2481 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2482
2483 return 1;
2484}
2485
2486static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2487{
2488 SSL *serverssl = NULL, *clientssl = NULL;
2489 int i;
2490
2491 /* Test that we can resume with all the tickets we got given */
2492 for (i = 0; i < idx * 2; i++) {
2493 new_called = 0;
2494 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2495 &clientssl, NULL, NULL))
2496 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2497 goto end;
2498
32097b33 2499 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2500
2501 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2502 SSL_ERROR_NONE)))
2503 goto end;
2504
2505 /*
2506 * Following a successful resumption we only get 1 ticket. After a
2507 * failed one we should get idx tickets.
2508 */
2509 if (succ) {
2510 if (!TEST_true(SSL_session_reused(clientssl))
2511 || !TEST_int_eq(new_called, 1))
2512 goto end;
2513 } else {
2514 if (!TEST_false(SSL_session_reused(clientssl))
2515 || !TEST_int_eq(new_called, idx))
2516 goto end;
2517 }
2518
2519 new_called = 0;
2520 /* After a post-handshake authentication we should get 1 new ticket */
2521 if (succ
2522 && (!post_handshake_verify(serverssl, clientssl)
2523 || !TEST_int_eq(new_called, 1)))
2524 goto end;
2525
2526 SSL_shutdown(clientssl);
2527 SSL_shutdown(serverssl);
2528 SSL_free(serverssl);
2529 SSL_free(clientssl);
2530 serverssl = clientssl = NULL;
2531 SSL_SESSION_free(sesscache[i]);
2532 sesscache[i] = NULL;
2533 }
2534
2535 return 1;
2536
2537 end:
2538 SSL_free(clientssl);
2539 SSL_free(serverssl);
2540 return 0;
2541}
2542
04d7814a 2543static int test_tickets(int stateful, int idx)
36ff232c
MC		 2544{
2545 SSL_CTX *sctx = NULL, *cctx = NULL;
2546 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2547 int testresult = 0;
36ff232c
MC		 2548 size_t j;
2549
2550 /* idx is the test number, but also the number of tickets we want */
2551
2552 new_called = 0;
c22365b3 2553 do_cache = 1;
36ff232c 2554
fbe9dafd 2555 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2556 goto end;
2557
03cdf559
MC		 2558 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2559 &clientssl, NULL, NULL)))
2560 goto end;
2561
2562 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2563 SSL_ERROR_NONE))
2564 /* Check we got the number of tickets we were expecting */
2565 || !TEST_int_eq(idx, new_called))
2566 goto end;
04d7814a 2567
03cdf559
MC		 2568 SSL_shutdown(clientssl);
2569 SSL_shutdown(serverssl);
2570 SSL_free(serverssl);
2571 SSL_free(clientssl);
2572 SSL_CTX_free(sctx);
2573 SSL_CTX_free(cctx);
2574 clientssl = serverssl = NULL;
2575 sctx = cctx = NULL;
2576
2577 /*
2578 * Now we try to resume with the tickets we previously created. The
2579 * resumption attempt is expected to fail (because we're now using a new
2580 * SSL_CTX). We should see idx number of tickets issued again.
2581 */
2582
2583 /* Stop caching sessions - just count them */
2584 do_cache = 0;
2585
fbe9dafd 2586 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2587 goto end;
2588
2589 if (!check_resumption(idx, sctx, cctx, 0))
2590 goto end;
2591
2592 /* Start again with caching sessions */
2593 new_called = 0;
2594 do_cache = 1;
fbe9dafd
MC		 2595 SSL_CTX_free(sctx);
2596 SSL_CTX_free(cctx);
2597 sctx = cctx = NULL;
03cdf559 2598
fbe9dafd 2599 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2600 goto end;
36ff232c
MC		 2601
2602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2603 &clientssl, NULL, NULL)))
2604 goto end;
2605
32097b33 2606 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2607
2608 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2609 SSL_ERROR_NONE))
2610 /* Check we got the number of tickets we were expecting */
2611 || !TEST_int_eq(idx, new_called))
2612 goto end;
2613
2614 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2615 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2616 || !TEST_int_eq(idx * 2, new_called))
2617 goto end;
2618
36ff232c
MC		 2619 SSL_shutdown(clientssl);
2620 SSL_shutdown(serverssl);
2621 SSL_free(serverssl);
2622 SSL_free(clientssl);
2623 serverssl = clientssl = NULL;
2624
c22365b3
MC		 2625 /* Stop caching sessions - just count them */
2626 do_cache = 0;
2627
03cdf559
MC		 2628 /*
2629 * Check we can resume with all the tickets we created. This time around the
2630 * resumptions should all be successful.
2631 */
2632 if (!check_resumption(idx, sctx, cctx, 1))
2633 goto end;
36ff232c
MC		 2634
2635 testresult = 1;
2636
2637 end:
2638 SSL_free(serverssl);
2639 SSL_free(clientssl);
c22365b3 2640 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2641 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2642 sesscache[j] = NULL;
2643 }
36ff232c
MC		 2644 SSL_CTX_free(sctx);
2645 SSL_CTX_free(cctx);
2646
2647 return testresult;
2648}
04d7814a
MC		 2649
2650static int test_stateless_tickets(int idx)
2651{
2652 return test_tickets(0, idx);
2653}
2654
2655static int test_stateful_tickets(int idx)
2656{
2657 return test_tickets(1, idx);
2658}
8614a4eb
MC		 2659
2660static int test_psk_tickets(void)
2661{
2662 SSL_CTX *sctx = NULL, *cctx = NULL;
2663 SSL *serverssl = NULL, *clientssl = NULL;
2664 int testresult = 0;
2665 int sess_id_ctx = 1;
2666
5e30f2fd
MC		 2667 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2668 TLS_client_method(), TLS1_VERSION, 0,
2669 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2670 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2671 (void *)&sess_id_ctx,
2672 sizeof(sess_id_ctx))))
2673 goto end;
2674
2675 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2676 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2677 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2678 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2679 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2680 use_session_cb_cnt = 0;
2681 find_session_cb_cnt = 0;
2682 srvid = pskid;
2683 new_called = 0;
2684
2685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2686 NULL, NULL)))
2687 goto end;
10836921 2688 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
8614a4eb
MC		 2689 if (!TEST_ptr(clientpsk))
2690 goto end;
2691 SSL_SESSION_up_ref(clientpsk);
2692
2693 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2694 SSL_ERROR_NONE))
2695 || !TEST_int_eq(1, find_session_cb_cnt)
2696 || !TEST_int_eq(1, use_session_cb_cnt)
2697 /* We should always get 1 ticket when using external PSK */
2698 || !TEST_int_eq(1, new_called))
2699 goto end;
2700
2701 testresult = 1;
2702
2703 end:
2704 SSL_free(serverssl);
2705 SSL_free(clientssl);
2706 SSL_CTX_free(sctx);
2707 SSL_CTX_free(cctx);
2708 SSL_SESSION_free(clientpsk);
2709 SSL_SESSION_free(serverpsk);
2710 clientpsk = serverpsk = NULL;
2711
2712 return testresult;
2713}
f0049b86
BK		 2714
2715static int test_extra_tickets(int idx)
2716{
2717 SSL_CTX *sctx = NULL, *cctx = NULL;
2718 SSL *serverssl = NULL, *clientssl = NULL;
2719 BIO *bretry = BIO_new(bio_s_always_retry());
2720 BIO *tmp = NULL;
2721 int testresult = 0;
2722 int stateful = 0;
2723 size_t nbytes;
2724 unsigned char c, buf[1];
2725
2726 new_called = 0;
2727 do_cache = 1;
2728
2729 if (idx >= 3) {
2730 idx -= 3;
2731 stateful = 1;
2732 }
2733
2734 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2735 goto end;
2736 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2737 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2738 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2739
2740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2741 &clientssl, NULL, NULL)))
2742 goto end;
2743
2744 /*
2745 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2746 * incremented by both client and server.
2747 */
2748 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2749 SSL_ERROR_NONE))
2750 /* Check we got the number of tickets we were expecting */
2751 || !TEST_int_eq(idx * 2, new_called)
2752 || !TEST_true(SSL_new_session_ticket(serverssl))
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_int_eq(idx * 2, new_called))
2755 goto end;
2756
2757 /* Now try a (real) write to actually send the tickets */
2758 c = '1';
2759 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2760 || !TEST_size_t_eq(1, nbytes)
2761 || !TEST_int_eq(idx * 2 + 2, new_called)
2762 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2763 || !TEST_int_eq(idx * 2 + 4, new_called)
2764 || !TEST_int_eq(sizeof(buf), nbytes)
2765 || !TEST_int_eq(c, buf[0])
2766 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2767 goto end;
2768
2769 /* Try with only requesting one new ticket, too */
2770 c = '2';
2771 new_called = 0;
2772 if (!TEST_true(SSL_new_session_ticket(serverssl))
2773 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2774 || !TEST_size_t_eq(sizeof(c), nbytes)
2775 || !TEST_int_eq(1, new_called)
2776 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2777 || !TEST_int_eq(2, new_called)
2778 || !TEST_size_t_eq(sizeof(buf), nbytes)
2779 || !TEST_int_eq(c, buf[0]))
2780 goto end;
2781
2782 /* Do it again but use dummy writes to drive the ticket generation */
2783 c = '3';
2784 new_called = 0;
2785 if (!TEST_true(SSL_new_session_ticket(serverssl))
2786 || !TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2788 || !TEST_size_t_eq(0, nbytes)
2789 || !TEST_int_eq(2, new_called)
2790 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2791 || !TEST_int_eq(4, new_called))
2792 goto end;
2793
a0bbcb42
BK		 2794 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2795 c = '4';
2796 new_called = 0;
2797 if (!TEST_true(SSL_new_session_ticket(serverssl))
2798 || !TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_do_handshake(serverssl))
2800 || !TEST_int_eq(2, new_called)
2801 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2802 || !TEST_int_eq(4, new_called))
2803 goto end;
2804
f0049b86
BK		 2805 /*
2806 * Use the always-retry BIO to exercise the logic that forces ticket
2807 * generation to wait until a record boundary.
2808 */
a0bbcb42 2809 c = '5';
f0049b86
BK		 2810 new_called = 0;
2811 tmp = SSL_get_wbio(serverssl);
2812 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2813 tmp = NULL;
2814 goto end;
2815 }
2816 SSL_set0_wbio(serverssl, bretry);
2817 bretry = NULL;
2818 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2819 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2820 || !TEST_size_t_eq(nbytes, 0))
2821 goto end;
2822 /* Restore a BIO that will let the write succeed */
2823 SSL_set0_wbio(serverssl, tmp);
2824 tmp = NULL;
a0bbcb42
BK		 2825 /*
2826 * These calls should just queue the request and not send anything
2827 * even if we explicitly try to hit the state machine.
2828 */
f0049b86
BK		 2829 if (!TEST_true(SSL_new_session_ticket(serverssl))
2830 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2831 || !TEST_int_eq(0, new_called)
2832 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2833 || !TEST_int_eq(0, new_called))
2834 goto end;
2835 /* Re-do the write; still no tickets sent */
2836 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2837 || !TEST_size_t_eq(1, nbytes)
2838 || !TEST_int_eq(0, new_called)
2839 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2840 || !TEST_int_eq(0, new_called)
2841 || !TEST_int_eq(sizeof(buf), nbytes)
2842 || !TEST_int_eq(c, buf[0])
2843 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2844 goto end;
a0bbcb42
BK		 2845 /* Even trying to hit the state machine now will still not send tickets */
2846 if (!TEST_true(SSL_do_handshake(serverssl))
2847 || !TEST_int_eq(0, new_called))
2848 goto end;
f0049b86 2849 /* Now the *next* write should send the tickets */
a0bbcb42 2850 c = '6';
f0049b86
BK		 2851 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2852 || !TEST_size_t_eq(1, nbytes)
2853 || !TEST_int_eq(2, new_called)
2854 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2855 || !TEST_int_eq(4, new_called)
2856 || !TEST_int_eq(sizeof(buf), nbytes)
2857 || !TEST_int_eq(c, buf[0])
2858 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2859 goto end;
2860
2861 SSL_shutdown(clientssl);
2862 SSL_shutdown(serverssl);
2863 testresult = 1;
2864
2865 end:
2866 BIO_free(bretry);
2867 BIO_free(tmp);
2868 SSL_free(serverssl);
2869 SSL_free(clientssl);
2870 SSL_CTX_free(sctx);
2871 SSL_CTX_free(cctx);
2872 clientssl = serverssl = NULL;
2873 sctx = cctx = NULL;
2874 return testresult;
2875}
04225915 2876#endif
36ff232c 2877
7d4488bb
MC		 2878#define USE_NULL 0
2879#define USE_BIO_1 1
2880#define USE_BIO_2 2
2881#define USE_DEFAULT 3
2882
2883#define CONNTYPE_CONNECTION_SUCCESS 0
2884#define CONNTYPE_CONNECTION_FAIL 1
2885#define CONNTYPE_NO_CONNECTION 2
2886
2887#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2888#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2889#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2890# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2891#else
2892# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2893#endif
2894
7d4488bb
MC		 2895#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2896 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2898
2899static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2900{
2901 switch (type) {
2902 case USE_NULL:
2903 *res = NULL;
2904 break;
2905 case USE_BIO_1:
2906 *res = bio1;
2907 break;
2908 case USE_BIO_2:
2909 *res = bio2;
2910 break;
2911 }
2912}
2913
7d4488bb
MC		 2914
2915/*
2916 * Tests calls to SSL_set_bio() under various conditions.
2917 *
2918 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2919 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2920 * then do more tests where we create a successful connection first using our
2921 * standard connection setup functions, and then call SSL_set_bio() with
2922 * various combinations of valid BIOs or NULL. We then repeat these tests
2923 * following a failed connection. In this last case we are looking to check that
2924 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2925 */
7fb4c820
MC		 2926static int test_ssl_set_bio(int idx)
2927{
7d4488bb 2928 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2929 BIO *bio1 = NULL;
2930 BIO *bio2 = NULL;
0fae8150 2931 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2932 SSL *serverssl = NULL, *clientssl = NULL;
2933 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2934 int testresult = 0;
2935
7d4488bb
MC		 2936 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2937 initrbio = idx % 3;
2938 idx /= 3;
2939 initwbio = idx % 3;
2940 idx /= 3;
2941 newrbio = idx % 3;
2942 idx /= 3;
2943 newwbio = idx % 3;
2944 conntype = CONNTYPE_NO_CONNECTION;
2945 } else {
2946 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2947 initrbio = initwbio = USE_DEFAULT;
2948 newrbio = idx % 2;
2949 idx /= 2;
2950 newwbio = idx % 2;
2951 idx /= 2;
2952 conntype = idx % 2;
2953 }
710756a9 2954
5e30f2fd
MC		 2955 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2956 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2957 &sctx, &cctx, cert, privkey)))
2958 goto end;
2959
2960 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2961 /*
2962 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2963 * because we reduced the number of tests in the definition of
2964 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2965 * mismatched protocol versions we will force a connection failure.
2966 */
2967 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2968 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2969 }
2970
2971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2972 NULL, NULL)))
710756a9 2973 goto end;
7fb4c820 2974
710756a9
RS		 2975 if (initrbio == USE_BIO_1
2976 || initwbio == USE_BIO_1
2977 || newrbio == USE_BIO_1
7fb4c820 2978 || newwbio == USE_BIO_1) {
710756a9 2979 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2980 goto end;
7fb4c820
MC		 2981 }
2982
710756a9
RS		 2983 if (initrbio == USE_BIO_2
2984 || initwbio == USE_BIO_2
2985 || newrbio == USE_BIO_2
7fb4c820 2986 || newwbio == USE_BIO_2) {
710756a9 2987 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2988 goto end;
7fb4c820
MC		 2989 }
2990
7d4488bb
MC		 2991 if (initrbio != USE_DEFAULT) {
2992 setupbio(&irbio, bio1, bio2, initrbio);
2993 setupbio(&iwbio, bio1, bio2, initwbio);
2994 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2995
7d4488bb
MC		 2996 /*
2997 * We want to maintain our own refs to these BIO, so do an up ref for
2998 * each BIO that will have ownership transferred in the SSL_set_bio()
2999 * call
3000 */
3001 if (irbio != NULL)
3002 BIO_up_ref(irbio);
3003 if (iwbio != NULL && iwbio != irbio)
3004 BIO_up_ref(iwbio);
3005 }
7fb4c820 3006
7d4488bb
MC		 3007 if (conntype != CONNTYPE_NO_CONNECTION
3008 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3009 SSL_ERROR_NONE)
3010 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3011 goto end;
7fb4c820
MC		 3012
3013 setupbio(&nrbio, bio1, bio2, newrbio);
3014 setupbio(&nwbio, bio1, bio2, newwbio);
3015
3016 /*
3017 * We will (maybe) transfer ownership again so do more up refs.
3018 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3019 * already been set!
3020 */
710756a9
RS		 3021 if (nrbio != NULL
3022 && nrbio != irbio
3023 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 3024 BIO_up_ref(nrbio);
710756a9
RS		 3025 if (nwbio != NULL
3026 && nwbio != nrbio
3027 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 3028 BIO_up_ref(nwbio);
3029
7d4488bb 3030 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 3031
3032 testresult = 1;
3033
3034 end:
7fb4c820
MC		 3035 BIO_free(bio1);
3036 BIO_free(bio2);
710756a9 3037
7fb4c820
MC		 3038 /*
3039 * This test is checking that the ref counting for SSL_set_bio is correct.
3040 * If we get here and we did too many frees then we will fail in the above
742ccab3 3041 * functions.
7fb4c820 3042 */
7d4488bb
MC		 3043 SSL_free(serverssl);
3044 SSL_free(clientssl);
3045 SSL_CTX_free(sctx);
3046 SSL_CTX_free(cctx);
7fb4c820
MC		 3047 return testresult;
3048}
3049
7e885b7b 3050typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 3051
7e885b7b 3052static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 3053{
3054 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 3055 SSL_CTX *ctx;
9a716987
MC		 3056 SSL *ssl = NULL;
3057 int testresult = 0;
3058
d8652be0 3059 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 3060 || !TEST_ptr(ssl = SSL_new(ctx))
3061 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3062 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 3063 goto end;
9a716987
MC		 3064
3065 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3066
3067 /*
742ccab3 3068 * If anything goes wrong here then we could leak memory.
9a716987
MC		 3069 */
3070 BIO_push(sslbio, membio1);
3071
69687aa8 3072 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 3073 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 3074 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3075 ssl = NULL;
9a716987 3076 goto end;
493e7898 3077 }
7e885b7b 3078 if (change_bio == CHANGE_RBIO)
65e2d672 3079 SSL_set0_rbio(ssl, membio2);
9a716987 3080 else
65e2d672 3081 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 3082 }
3083 ssl = NULL;
3084
7e885b7b 3085 if (pop_ssl)
9a716987
MC		 3086 BIO_pop(sslbio);
3087 else
3088 BIO_pop(membio1);
3089
3090 testresult = 1;
3091 end:
3092 BIO_free(membio1);
3093 BIO_free(sslbio);
3094 SSL_free(ssl);
3095 SSL_CTX_free(ctx);
3096
3097 return testresult;
3098}
3099
3100static int test_ssl_bio_pop_next_bio(void)
3101{
7e885b7b 3102 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 3103}
3104
3105static int test_ssl_bio_pop_ssl_bio(void)
3106{
7e885b7b 3107 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 3108}
3109
3110static int test_ssl_bio_change_rbio(void)
3111{
7e885b7b 3112 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 3113}
3114
3115static int test_ssl_bio_change_wbio(void)
3116{
7e885b7b 3117 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 3118}
3119
a763ca11 3120#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 3121typedef struct {
3122 /* The list of sig algs */
3123 const int *list;
3124 /* The length of the list */
3125 size_t listlen;
3126 /* A sigalgs list in string format */
3127 const char *liststr;
3128 /* Whether setting the list should succeed */
3129 int valid;
3130 /* Whether creating a connection with the list should succeed */
3131 int connsuccess;
3132} sigalgs_list;
3133
3134static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 3135# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3136static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3137static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 3138# endif
f1b25aae
MC		 3139static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3140static const int invalidlist2[] = {NID_sha256, NID_undef};
3141static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3142static const int invalidlist4[] = {NID_sha256};
3143static const sigalgs_list testsigalgs[] = {
3144 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 3145# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3146 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3147 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 3148# endif
f1b25aae 3149 {NULL, 0, "RSA+SHA256", 1, 1},
2b4cea1e 3150 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
c423ecaa 3151# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3152 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3153 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 3154# endif
f1b25aae
MC		 3155 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3156 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3157 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3158 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3159 {NULL, 0, "RSA", 0, 0},
3160 {NULL, 0, "SHA256", 0, 0},
3161 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3162 {NULL, 0, "Invalid", 0, 0}
3163};
f1b25aae
MC		 3164
3165static int test_set_sigalgs(int idx)
3166{
3167 SSL_CTX *cctx = NULL, *sctx = NULL;
3168 SSL *clientssl = NULL, *serverssl = NULL;
3169 int testresult = 0;
3170 const sigalgs_list *curr;
3171 int testctx;
3172
3173 /* Should never happen */
710756a9 3174 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3175 return 0;
3176
3177 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3178 curr = testctx ? &testsigalgs[idx]
3179 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3180
5e30f2fd
MC		 3181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3182 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3183 &sctx, &cctx, cert, privkey)))
f1b25aae 3184 return 0;
f1b25aae 3185
d2e491f2
MC		 3186 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3187
f1b25aae
MC		 3188 if (testctx) {
3189 int ret;
710756a9 3190
f1b25aae
MC		 3191 if (curr->list != NULL)
3192 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3193 else
3194 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3195
3196 if (!ret) {
3197 if (curr->valid)
710756a9 3198 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3199 else
3200 testresult = 1;
3201 goto end;
3202 }
3203 if (!curr->valid) {
710756a9 3204 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3205 goto end;
3206 }
3207 }
3208
710756a9
RS		 3209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3210 &clientssl, NULL, NULL)))
f1b25aae 3211 goto end;
f1b25aae
MC		 3212
3213 if (!testctx) {
3214 int ret;
3215
3216 if (curr->list != NULL)
3217 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3218 else
3219 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3220 if (!ret) {
3221 if (curr->valid)
710756a9 3222 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3223 else
3224 testresult = 1;
3225 goto end;
3226 }
710756a9 3227 if (!curr->valid)
f1b25aae 3228 goto end;
f1b25aae
MC		 3229 }
3230
710756a9
RS		 3231 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3232 SSL_ERROR_NONE),
3233 curr->connsuccess))
f1b25aae 3234 goto end;
f1b25aae
MC		 3235
3236 testresult = 1;
3237
3238 end:
3239 SSL_free(serverssl);
3240 SSL_free(clientssl);
3241 SSL_CTX_free(sctx);
3242 SSL_CTX_free(cctx);
3243
3244 return testresult;
3245}
c423ecaa 3246#endif
f1b25aae 3247
a763ca11 3248#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3249static int psk_client_cb_cnt = 0;
3250static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3251
3252static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3253 size_t *idlen, SSL_SESSION **sess)
3254{
3255 switch (++use_session_cb_cnt) {
3256 case 1:
3257 /* The first call should always have a NULL md */
3258 if (md != NULL)
3259 return 0;
3260 break;
3261
3262 case 2:
3263 /* The second call should always have an md */
3264 if (md == NULL)
3265 return 0;
3266 break;
3267
3268 default:
3269 /* We should only be called a maximum of twice */
3270 return 0;
3271 }
3272
57dee9bb
MC		 3273 if (clientpsk != NULL)
3274 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3275
57dee9bb 3276 *sess = clientpsk;
02a3ed5a
MC		 3277 *id = (const unsigned char *)pskid;
3278 *idlen = strlen(pskid);
3279
3280 return 1;
3281}
3282
c2b290c3 3283#ifndef OPENSSL_NO_PSK
532f9578
MC		 3284static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3285 unsigned int max_id_len,
3286 unsigned char *psk,
3287 unsigned int max_psk_len)
3288{
3289 unsigned int psklen = 0;
3290
3291 psk_client_cb_cnt++;
3292
3293 if (strlen(pskid) + 1 > max_id_len)
3294 return 0;
3295
3296 /* We should only ever be called a maximum of twice per connection */
3297 if (psk_client_cb_cnt > 2)
3298 return 0;
3299
3300 if (clientpsk == NULL)
3301 return 0;
3302
3303 /* We'll reuse the PSK we set up for TLSv1.3 */
3304 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3305 return 0;
3306 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3307 strncpy(id, pskid, max_id_len);
3308
3309 return psklen;
3310}
c2b290c3 3311#endif /* OPENSSL_NO_PSK */
532f9578 3312
02a3ed5a
MC		 3313static int find_session_cb(SSL *ssl, const unsigned char *identity,
3314 size_t identity_len, SSL_SESSION **sess)
3315{
3316 find_session_cb_cnt++;
3317
3318 /* We should only ever be called a maximum of twice per connection */
3319 if (find_session_cb_cnt > 2)
3320 return 0;
3321
57dee9bb 3322 if (serverpsk == NULL)
02a3ed5a
MC		 3323 return 0;
3324
3325 /* Identity should match that set by the client */
3326 if (strlen(srvid) != identity_len
3327 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3328 /* No PSK found, continue but without a PSK */
3329 *sess = NULL;
3330 return 1;
3331 }
3332
57dee9bb
MC		 3333 SSL_SESSION_up_ref(serverpsk);
3334 *sess = serverpsk;
02a3ed5a
MC		 3335
3336 return 1;
3337}
3338
c2b290c3 3339#ifndef OPENSSL_NO_PSK
532f9578
MC		 3340static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3341 unsigned char *psk, unsigned int max_psk_len)
3342{
3343 unsigned int psklen = 0;
3344
3345 psk_server_cb_cnt++;
3346
3347 /* We should only ever be called a maximum of twice per connection */
3348 if (find_session_cb_cnt > 2)
3349 return 0;
3350
3351 if (serverpsk == NULL)
3352 return 0;
3353
3354 /* Identity should match that set by the client */
3355 if (strcmp(srvid, identity) != 0) {
3356 return 0;
3357 }
3358
3359 /* We'll reuse the PSK we set up for TLSv1.3 */
3360 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3361 return 0;
3362 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3363
3364 return psklen;
3365}
c2b290c3 3366#endif /* OPENSSL_NO_PSK */
532f9578 3367
5f982038
MC		 3368#define MSG1 "Hello"
3369#define MSG2 "World."
3370#define MSG3 "This"
3371#define MSG4 "is"
3372#define MSG5 "a"
90049cea
MC		 3373#define MSG6 "test"
3374#define MSG7 "message."
5f982038 3375
2be5065b
MC		 3376static int artificial_ticket_time = 0;
3377
afb6ce0d
MC		 3378static int sub_session_time(SSL_SESSION *sess)
3379{
3380 OSSL_TIME tick_time;
3381
3382 tick_time = ossl_time_from_time_t(SSL_SESSION_get_time_ex(sess));
3383 tick_time = ossl_time_subtract(tick_time, ossl_seconds2time(10));
3384
3385 return SSL_SESSION_set_time_ex(sess, ossl_time_to_time_t(tick_time)) != 0;
3386}
3387
2be5065b
MC		 3388static int ed_gen_cb(SSL *s, void *arg)
3389{
3390 SSL_SESSION *sess = SSL_get0_session(s);
3391
3392 if (sess == NULL)
3393 return 0;
3394
3395 /*
3396 * Artificially give the ticket some age. Just do it for the number of
3397 * tickets we've been told to do.
3398 */
3399 if (artificial_ticket_time == 0)
3400 return 1;
3401 artificial_ticket_time--;
3402
afb6ce0d 3403 return sub_session_time(sess);
2be5065b
MC		 3404}
3405
5f982038
MC		 3406/*
3407 * Helper method to setup objects for early data test. Caller frees objects on
3408 * error.
3409 */
3410static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
10836921
MC		 3411 SSL **serverssl, SSL_SESSION **sess, int idx,
3412 size_t mdsize)
5f982038 3413{
2be5065b
MC		 3414 int artificial = (artificial_ticket_time > 0);
3415
5a421415 3416 if (*sctx == NULL
5e30f2fd 3417 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3418 TLS_client_method(),
5c587fb6 3419 TLS1_VERSION, 0,
5a421415
MC		 3420 sctx, cctx, cert, privkey)))
3421 return 0;
3422
2be5065b
MC		 3423 if (artificial)
3424 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3425
5a421415 3426 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3427 return 0;
5f982038 3428
02a3ed5a
MC		 3429 if (idx == 1) {
3430 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3431 SSL_CTX_set_read_ahead(*cctx, 1);
3432 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3433 } else if (idx == 2) {
3434 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3435 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3436 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3437 use_session_cb_cnt = 0;
3438 find_session_cb_cnt = 0;
3439 srvid = pskid;
3cb47b4e
MC		 3440 }
3441
710756a9 3442 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3443 NULL, NULL)))
3444 return 0;
3445
141e4709
MC		 3446 /*
3447 * For one of the run throughs (doesn't matter which one), we'll try sending
3448 * some SNI data in the initial ClientHello. This will be ignored (because
3449 * there is no SNI cb set up by the server), so it should not impact
3450 * early_data.
3451 */
3452 if (idx == 1
3453 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3454 return 0;
3455
02a3ed5a 3456 if (idx == 2) {
10836921 3457 clientpsk = create_a_psk(*clientssl, mdsize);
57dee9bb 3458 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3459 /*
3460 * We just choose an arbitrary value for max_early_data which
3461 * should be big enough for testing purposes.
3462 */
57dee9bb
MC		 3463 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3464 0x100))
3465 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3466 SSL_SESSION_free(clientpsk);
3467 clientpsk = NULL;
02a3ed5a
MC		 3468 return 0;
3469 }
57dee9bb 3470 serverpsk = clientpsk;
02a3ed5a 3471
c20e3b28
MC		 3472 if (sess != NULL) {
3473 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3474 SSL_SESSION_free(clientpsk);
3475 SSL_SESSION_free(serverpsk);
3476 clientpsk = serverpsk = NULL;
3477 return 0;
3478 }
57dee9bb 3479 *sess = clientpsk;
c20e3b28 3480 }
02a3ed5a
MC		 3481 return 1;
3482 }
3483
3484 if (sess == NULL)
3485 return 1;
3486
3487 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3488 SSL_ERROR_NONE)))
5f982038 3489 return 0;
5f982038
MC		 3490
3491 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3492 SSL_shutdown(*clientssl);
3493 SSL_shutdown(*serverssl);
5f982038
MC		 3494 SSL_free(*serverssl);
3495 SSL_free(*clientssl);
3496 *serverssl = *clientssl = NULL;
3497
2be5065b
MC		 3498 /*
3499 * Artificially give the ticket some age to match the artificial age we
3500 * gave it on the server side
3501 */
3502 if (artificial
afb6ce0d 3503 && !TEST_true(sub_session_time(*sess)))
2be5065b
MC		 3504 return 0;
3505
710756a9
RS		 3506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3507 clientssl, NULL, NULL))
3508 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3509 return 0;
5f982038
MC		 3510
3511 return 1;
3512}
3513
1848c561
MC		 3514static int check_early_data_timeout(OSSL_TIME timer)
3515{
3516 int res = 0;
3517
3518 /*
3519 * Early data is time sensitive. We have an approx 8 second allowance
3520 * between writing the early data and reading it. If we exceed that time
3521 * then this test will fail. This can sometimes (rarely) occur in normal CI
3522 * operation. We can try and detect this and just ignore the result of this
3523 * test if it has taken too long. We assume anything over 7 seconds is too
3524 * long
3525 */
3526 timer = ossl_time_subtract(ossl_time_now(), timer);
3527 if (ossl_time_compare(timer, ossl_seconds2time(7)) >= 0)
3528 res = TEST_skip("Test took too long, ignoring result");
3529
3530 return res;
3531}
3532
3cb47b4e 3533static int test_early_data_read_write(int idx)
5f982038
MC		 3534{
3535 SSL_CTX *cctx = NULL, *sctx = NULL;
3536 SSL *clientssl = NULL, *serverssl = NULL;
3537 int testresult = 0;
3538 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3539 unsigned char buf[20], data[1024];
3540 size_t readbytes, written, eoedlen, rawread, rawwritten;
3541 BIO *rbio;
1848c561 3542 OSSL_TIME timer;
5f982038 3543
2be5065b
MC		 3544 /* Artificially give the next 2 tickets some age for non PSK sessions */
3545 if (idx != 2)
3546 artificial_ticket_time = 2;
710756a9 3547 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3548 &serverssl, &sess, idx,
3549 SHA384_DIGEST_LENGTH))) {
2be5065b 3550 artificial_ticket_time = 0;
5f982038 3551 goto end;
2be5065b
MC		 3552 }
3553 artificial_ticket_time = 0;
5f982038
MC		 3554
3555 /* Write and read some early data */
1848c561 3556 timer = ossl_time_now();
710756a9
RS		 3557 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3558 &written))
1848c561
MC		 3559 || !TEST_size_t_eq(written, strlen(MSG1)))
3560 goto end;
3561
3562 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3563 &readbytes),
3564 SSL_READ_EARLY_DATA_SUCCESS)) {
3565 testresult = check_early_data_timeout(timer);
3566 goto end;
3567 }
3568
3569 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
710756a9
RS		 3570 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3571 SSL_EARLY_DATA_ACCEPTED))
5f982038 3572 goto end;
5f982038
MC		 3573
3574 /*
09f28874 3575 * Server should be able to write data, and client should be able to
5f982038
MC		 3576 * read it.
3577 */
710756a9
RS		 3578 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3579 &written))
3580 || !TEST_size_t_eq(written, strlen(MSG2))
3581 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3582 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3583 goto end;
5f982038
MC		 3584
3585 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3586 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3587 &written))
3588 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3589 goto end;
5f982038 3590
09f28874 3591 /* Server should still be able read early data after writing data */
710756a9
RS		 3592 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3593 &readbytes),
3594 SSL_READ_EARLY_DATA_SUCCESS)
3595 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3596 goto end;
5f982038 3597
09f28874 3598 /* Write more data from server and read it from client */
710756a9
RS		 3599 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3600 &written))
3601 || !TEST_size_t_eq(written, strlen(MSG4))
3602 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3603 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3604 goto end;
5f982038
MC		 3605
3606 /*
3607 * If client writes normal data it should mean writing early data is no
3608 * longer possible.
3609 */
710756a9
RS		 3610 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3611 || !TEST_size_t_eq(written, strlen(MSG5))
3612 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3613 SSL_EARLY_DATA_ACCEPTED))
5f982038 3614 goto end;
5f982038 3615
9b5c865d
MC		 3616 /*
3617 * At this point the client has written EndOfEarlyData, ClientFinished and
3618 * normal (fully protected) data. We are going to cause a delay between the
3619 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3620 * in the read BIO, and then just put back the EndOfEarlyData message.
3621 */
3622 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3623 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3624 || !TEST_size_t_lt(rawread, sizeof(data))
3625 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3626 goto end;
710756a9 3627
9b5c865d
MC		 3628 /* Record length is in the 4th and 5th bytes of the record header */
3629 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3630 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3631 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3632 goto end;
9b5c865d 3633
5f982038 3634 /* Server should be told that there is no more early data */
710756a9
RS		 3635 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3636 &readbytes),
3637 SSL_READ_EARLY_DATA_FINISH)
3638 || !TEST_size_t_eq(readbytes, 0))
5f982038 3639 goto end;
5f982038 3640
9b5c865d
MC		 3641 /*
3642 * Server has not finished init yet, so should still be able to write early
3643 * data.
3644 */
710756a9
RS		 3645 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3646 &written))
3647 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3648 goto end;
9b5c865d 3649
f8a303fa 3650 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3651 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3652 &rawwritten))
3653 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3654 goto end;
f8a303fa 3655
5f982038 3656 /* Server should be able to read normal data */
710756a9
RS		 3657 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3658 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3659 goto end;
5f982038 3660
09f28874 3661 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3662 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3663 &written)))
5f982038 3664 goto end;
5f982038 3665 ERR_clear_error();
710756a9
RS		 3666 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3667 &readbytes),
3668 SSL_READ_EARLY_DATA_ERROR))
5f982038 3669 goto end;
5f982038
MC		 3670 ERR_clear_error();
3671
9b5c865d 3672 /* Client should be able to read the data sent by the server */
710756a9
RS		 3673 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3674 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3675 goto end;
710756a9 3676
f8a303fa 3677 /*
36ff232c
MC		 3678 * Make sure we process the two NewSessionTickets. These arrive
3679 * post-handshake. We attempt reads which we do not expect to return any
3680 * data.
f8a303fa 3681 */
36ff232c
MC		 3682 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3683 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3684 &readbytes)))
f8a303fa 3685 goto end;
5f982038 3686
90049cea 3687 /* Server should be able to write normal data */
710756a9
RS		 3688 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3689 || !TEST_size_t_eq(written, strlen(MSG7))
3690 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3691 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3692 goto end;
90049cea 3693
c20e3b28 3694 SSL_SESSION_free(sess);
5f982038 3695 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3696 use_session_cb_cnt = 0;
3697 find_session_cb_cnt = 0;
5f982038
MC		 3698
3699 SSL_shutdown(clientssl);
3700 SSL_shutdown(serverssl);
5f982038
MC		 3701 SSL_free(serverssl);
3702 SSL_free(clientssl);
3703 serverssl = clientssl = NULL;
710756a9
RS		 3704 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3705 &clientssl, NULL, NULL))
3706 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3707 goto end;
5f982038
MC		 3708
3709 /* Write and read some early data */
710756a9
RS		 3710 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3711 &written))
3712 || !TEST_size_t_eq(written, strlen(MSG1))
3713 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3714 &readbytes),
3715 SSL_READ_EARLY_DATA_SUCCESS)
3716 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3717 goto end;
5f982038 3718
710756a9
RS		 3719 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3720 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3721 goto end;
5f982038 3722
09f28874 3723 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3724 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3725 &written)))
5f982038 3726 goto end;
5f982038 3727 ERR_clear_error();
710756a9
RS		 3728 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3729 &readbytes),
3730 SSL_READ_EARLY_DATA_ERROR))
5f982038 3731 goto end;
5f982038
MC		 3732 ERR_clear_error();
3733
3734 /* Client and server should be able to write/read normal data */
710756a9
RS		 3735 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3736 || !TEST_size_t_eq(written, strlen(MSG5))
3737 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3738 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3739 goto end;
5f982038
MC		 3740
3741 testresult = 1;
3742
3743 end:
c20e3b28 3744 SSL_SESSION_free(sess);
57dee9bb
MC		 3745 SSL_SESSION_free(clientpsk);
3746 SSL_SESSION_free(serverpsk);
3747 clientpsk = serverpsk = NULL;
5f982038
MC		 3748 SSL_free(serverssl);
3749 SSL_free(clientssl);
3750 SSL_CTX_free(sctx);
3751 SSL_CTX_free(cctx);
5f982038
MC		 3752 return testresult;
3753}
3754
5a421415
MC		 3755static int allow_ed_cb_called = 0;
3756
3757static int allow_early_data_cb(SSL *s, void *arg)
3758{
3759 int *usecb = (int *)arg;
3760
3761 allow_ed_cb_called++;
3762
3763 if (*usecb == 1)
3764 return 0;
3765
3766 return 1;
3767}
3768
3769/*
3770 * idx == 0: Standard early_data setup
3771 * idx == 1: early_data setup using read_ahead
3772 * usecb == 0: Don't use a custom early data callback
3773 * usecb == 1: Use a custom early data callback and reject the early data
3774 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3775 * confopt == 0: Configure anti-replay directly
3776 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3777 */
3bb5e5b0 3778static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3779{
3780 SSL_CTX *cctx = NULL, *sctx = NULL;
3781 SSL *clientssl = NULL, *serverssl = NULL;
3782 int testresult = 0;
3783 SSL_SESSION *sess = NULL;
5a421415
MC		 3784 size_t readbytes, written;
3785 unsigned char buf[20];
1848c561 3786 OSSL_TIME timer;
5a421415
MC		 3787
3788 allow_ed_cb_called = 0;
3789
5e30f2fd
MC		 3790 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3791 TLS_client_method(), TLS1_VERSION, 0,
3792 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3793 return 0;
3794
3795 if (usecb > 0) {
3bb5e5b0
MC		 3796 if (confopt == 0) {
3797 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3798 } else {
3799 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3800
3801 if (!TEST_ptr(confctx))
3802 goto end;
3803 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3804 | SSL_CONF_FLAG_SERVER);
3805 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3806 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3807 2)) {
3808 SSL_CONF_CTX_free(confctx);
3809 goto end;
3810 }
3811 SSL_CONF_CTX_free(confctx);
3812 }
5a421415
MC		 3813 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3814 }
78fb5374
MC		 3815
3816 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3817 &serverssl, &sess, idx,
3818 SHA384_DIGEST_LENGTH)))
78fb5374
MC		 3819 goto end;
3820
3821 /*
3822 * The server is configured to accept early data. Create a connection to
3823 * "use up" the ticket
3824 */
3825 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3826 || !TEST_true(SSL_session_reused(clientssl)))
3827 goto end;
3828
3829 SSL_shutdown(clientssl);
3830 SSL_shutdown(serverssl);
3831 SSL_free(serverssl);
3832 SSL_free(clientssl);
3833 serverssl = clientssl = NULL;
3834
3835 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3836 &clientssl, NULL, NULL))
5a421415
MC		 3837 || !TEST_true(SSL_set_session(clientssl, sess)))
3838 goto end;
3839
3840 /* Write and read some early data */
1848c561 3841 timer = ossl_time_now();
5a421415
MC		 3842 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3843 &written))
3844 || !TEST_size_t_eq(written, strlen(MSG1)))
3845 goto end;
3846
3847 if (usecb <= 1) {
3848 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3849 &readbytes),
3850 SSL_READ_EARLY_DATA_FINISH)
3851 /*
3852 * The ticket was reused, so the we should have rejected the
3853 * early data
3854 */
3855 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3856 SSL_EARLY_DATA_REJECTED))
3857 goto end;
3858 } else {
3859 /* In this case the callback decides to accept the early data */
3860 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3861 &readbytes),
1848c561
MC		 3862 SSL_READ_EARLY_DATA_SUCCESS)) {
3863 testresult = check_early_data_timeout(timer);
3864 goto end;
3865 }
3866 if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
5a421415
MC		 3867 /*
3868 * Server will have sent its flight so client can now send
3869 * end of early data and complete its half of the handshake
3870 */
3871 || !TEST_int_gt(SSL_connect(clientssl), 0)
3872 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3873 &readbytes),
3874 SSL_READ_EARLY_DATA_FINISH)
3875 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3876 SSL_EARLY_DATA_ACCEPTED))
3877 goto end;
3878 }
3879
3880 /* Complete the connection */
3881 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3882 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3883 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3884 goto end;
3885
3886 testresult = 1;
3887
3888 end:
c20e3b28 3889 SSL_SESSION_free(sess);
78fb5374
MC		 3890 SSL_SESSION_free(clientpsk);
3891 SSL_SESSION_free(serverpsk);
3892 clientpsk = serverpsk = NULL;
3893 SSL_free(serverssl);
3894 SSL_free(clientssl);
3895 SSL_CTX_free(sctx);
3896 SSL_CTX_free(cctx);
3897 return testresult;
3898}
3899
5a421415
MC		 3900static int test_early_data_replay(int idx)
3901{
3bb5e5b0 3902 int ret = 1, usecb, confopt;
5a421415 3903
3bb5e5b0
MC		 3904 for (usecb = 0; usecb < 3; usecb++) {
3905 for (confopt = 0; confopt < 2; confopt++)
3906 ret &= test_early_data_replay_int(idx, usecb, confopt);
3907 }
5a421415
MC		 3908
3909 return ret;
3910}
3911
10836921
MC		 3912static const char *ciphersuites[] = {
3913 "TLS_AES_128_CCM_8_SHA256",
3914 "TLS_AES_128_GCM_SHA256",
3915 "TLS_AES_256_GCM_SHA384",
3916 "TLS_AES_128_CCM_SHA256",
3917#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
b6a5e801
RR		 3918 "TLS_CHACHA20_POLY1305_SHA256",
3919#else
3920 NULL,
3921#endif
3922#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
3923 "TLS_SHA256_SHA256",
3924 "TLS_SHA384_SHA384"
10836921
MC		 3925#endif
3926};
3927
710756a9 3928/*
6b84e6bf
MC		 3929 * Helper function to test that a server attempting to read early data can
3930 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3931 * testtype: 0 == No HRR
3932 * testtype: 1 == HRR
0efa0ba4
MC		 3933 * testtype: 2 == HRR, invalid early_data sent after HRR
3934 * testtype: 3 == recv_max_early_data set to 0
710756a9 3935 */
10836921 3936static int early_data_skip_helper(int testtype, int cipher, int idx)
5f982038
MC		 3937{
3938 SSL_CTX *cctx = NULL, *sctx = NULL;
3939 SSL *clientssl = NULL, *serverssl = NULL;
3940 int testresult = 0;
018fcbec 3941 SSL_SESSION *sess = NULL;
5f982038
MC		 3942 unsigned char buf[20];
3943 size_t readbytes, written;
3944
b6a5e801 3945 if (is_fips && cipher >= 4)
10836921
MC		 3946 return 1;
3947
b6a5e801
RR		 3948 if (ciphersuites[cipher] == NULL)
3949 return TEST_skip("Cipher not supported");
3950
10836921
MC		 3951 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3952 TLS_client_method(),
3953 TLS1_VERSION, 0,
3954 &sctx, &cctx, cert, privkey)))
3955 goto end;
3956
b6a5e801 3957 if (cipher == 0 || cipher == 5 || cipher == 6) {
10836921
MC		 3958 SSL_CTX_set_security_level(sctx, 0);
3959 SSL_CTX_set_security_level(cctx, 0);
3960 }
3961
3962 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3963 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3964 goto end;
3965
710756a9 3966 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921 3967 &serverssl, &sess, idx,
b6a5e801
RR		 3968 (cipher == 2 || cipher == 6)
3969 ? SHA384_DIGEST_LENGTH
3970 : SHA256_DIGEST_LENGTH)))
5f982038
MC		 3971 goto end;
3972
0efa0ba4 3973 if (testtype == 1 || testtype == 2) {
6b84e6bf 3974 /* Force an HRR to occur */
dbc6268f
MC		 3975#if defined(OPENSSL_NO_EC)
3976 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3977 goto end;
3978#else
4032cd9a 3979 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
6b84e6bf 3980 goto end;
dbc6268f 3981#endif
02a3ed5a
MC		 3982 } else if (idx == 2) {
3983 /*
3984 * We force early_data rejection by ensuring the PSK identity is
3985 * unrecognised
3986 */
3987 srvid = "Dummy Identity";
6b84e6bf
MC		 3988 } else {
3989 /*
3990 * Deliberately corrupt the creation time. We take 20 seconds off the
3991 * time. It could be any value as long as it is not within tolerance.
3992 * This should mean the ticket is rejected.
3993 */
5d99881e 3994 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3995 goto end;
3996 }
5f982038 3997
0efa0ba4 3998 if (testtype == 3
0d1b7789
MC		 3999 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
4000 goto end;
4001
5f982038 4002 /* Write some early data */
710756a9
RS		 4003 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4004 &written))
4005 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 4006 goto end;
5f982038 4007
0d1b7789 4008 /* Server should reject the early data */
710756a9
RS		 4009 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4010 &readbytes),
4011 SSL_READ_EARLY_DATA_FINISH)
4012 || !TEST_size_t_eq(readbytes, 0)
4013 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4014 SSL_EARLY_DATA_REJECTED))
5f982038 4015 goto end;
5f982038 4016
0efa0ba4
MC		 4017 switch (testtype) {
4018 case 0:
4019 /* Nothing to do */
4020 break;
4021
4022 case 1:
6b84e6bf
MC		 4023 /*
4024 * Finish off the handshake. We perform the same writes and reads as
4025 * further down but we expect them to fail due to the incomplete
4026 * handshake.
4027 */
4028 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4029 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
4030 &readbytes)))
4031 goto end;
0efa0ba4
MC		 4032 break;
4033
4034 case 2:
4035 {
4036 BIO *wbio = SSL_get_wbio(clientssl);
4037 /* A record that will appear as bad early_data */
4038 const unsigned char bad_early_data[] = {
4039 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
4040 };
4041
4042 /*
4043 * We force the client to attempt a write. This will fail because
4044 * we're still in the handshake. It will cause the second
4045 * ClientHello to be sent.
4046 */
4047 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4048 &written)))
4049 goto end;
4050
4051 /*
4052 * Inject some early_data after the second ClientHello. This should
4053 * cause the server to fail
4054 */
4055 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4056 sizeof(bad_early_data), &written)))
4057 goto end;
4058 }
4059 /* fallthrough */
4060
4061 case 3:
0d1b7789 4062 /*
0efa0ba4
MC		 4063 * This client has sent more early_data than we are willing to skip
4064 * (case 3) or sent invalid early_data (case 2) so the connection should
4065 * abort.
0d1b7789
MC		 4066 */
4067 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4068 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4069 goto end;
4070
4071 /* Connection has failed - nothing more to do */
4072 testresult = 1;
4073 goto end;
0efa0ba4
MC		 4074
4075 default:
4076 TEST_error("Invalid test type");
4077 goto end;
6b84e6bf
MC		 4078 }
4079
10836921 4080 ERR_clear_error();
0d1b7789
MC		 4081 /*
4082 * Should be able to send normal data despite rejection of early data. The
4083 * early_data should be skipped.
4084 */
710756a9
RS		 4085 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4086 || !TEST_size_t_eq(written, strlen(MSG2))
4087 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4088 SSL_EARLY_DATA_REJECTED)
4089 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4090 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4091 goto end;
5f982038 4092
10836921
MC		 4093 /*
4094 * Failure to decrypt early data records should not leave spurious errors
4095 * on the error stack
4096 */
4097 if (!TEST_long_eq(ERR_peek_error(), 0))
4098 goto end;
4099
5f982038
MC		 4100 testresult = 1;
4101
4102 end:
c20e3b28 4103 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4104 SSL_SESSION_free(serverpsk);
4105 clientpsk = serverpsk = NULL;
5f982038
MC		 4106 SSL_SESSION_free(sess);
4107 SSL_free(serverssl);
4108 SSL_free(clientssl);
4109 SSL_CTX_free(sctx);
4110 SSL_CTX_free(cctx);
5f982038
MC		 4111 return testresult;
4112}
4113
6b84e6bf
MC		 4114/*
4115 * Test that a server attempting to read early data can handle a connection
4116 * from a client where the early data is not acceptable.
4117 */
4118static int test_early_data_skip(int idx)
4119{
10836921
MC		 4120 return early_data_skip_helper(0,
4121 idx % OSSL_NELEM(ciphersuites),
4122 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4123}
4124
4125/*
4126 * Test that a server attempting to read early data can handle a connection
4127 * from a client where an HRR occurs.
4128 */
4129static int test_early_data_skip_hrr(int idx)
4130{
10836921
MC		 4131 return early_data_skip_helper(1,
4132 idx % OSSL_NELEM(ciphersuites),
4133 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4134}
4135
0efa0ba4
MC		 4136/*
4137 * Test that a server attempting to read early data can handle a connection
4138 * from a client where an HRR occurs and correctly fails if early_data is sent
4139 * after the HRR
4140 */
4141static int test_early_data_skip_hrr_fail(int idx)
4142{
10836921
MC		 4143 return early_data_skip_helper(2,
4144 idx % OSSL_NELEM(ciphersuites),
4145 idx / OSSL_NELEM(ciphersuites));
0efa0ba4
MC		 4146}
4147
0d1b7789
MC		 4148/*
4149 * Test that a server attempting to read early data will abort if it tries to
4150 * skip over too much.
4151 */
4152static int test_early_data_skip_abort(int idx)
4153{
10836921
MC		 4154 return early_data_skip_helper(3,
4155 idx % OSSL_NELEM(ciphersuites),
4156 idx / OSSL_NELEM(ciphersuites));
0d1b7789
MC		 4157}
4158
710756a9
RS		 4159/*
4160 * Test that a server attempting to read early data can handle a connection
4161 * from a client that doesn't send any.
4162 */
3cb47b4e 4163static int test_early_data_not_sent(int idx)
5f982038
MC		 4164{
4165 SSL_CTX *cctx = NULL, *sctx = NULL;
4166 SSL *clientssl = NULL, *serverssl = NULL;
4167 int testresult = 0;
018fcbec 4168 SSL_SESSION *sess = NULL;
5f982038
MC		 4169 unsigned char buf[20];
4170 size_t readbytes, written;
4171
710756a9 4172 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4173 &serverssl, &sess, idx,
4174 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4175 goto end;
4176
4177 /* Write some data - should block due to handshake with server */
4178 SSL_set_connect_state(clientssl);
710756a9 4179 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4180 goto end;
5f982038
MC		 4181
4182 /* Server should detect that early data has not been sent */
710756a9
RS		 4183 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4184 &readbytes),
4185 SSL_READ_EARLY_DATA_FINISH)
4186 || !TEST_size_t_eq(readbytes, 0)
4187 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4188 SSL_EARLY_DATA_NOT_SENT)
4189 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4190 SSL_EARLY_DATA_NOT_SENT))
5f982038 4191 goto end;
5f982038
MC		 4192
4193 /* Continue writing the message we started earlier */
710756a9
RS		 4194 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4195 || !TEST_size_t_eq(written, strlen(MSG1))
4196 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4197 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4198 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4199 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4200 goto end;
5f982038 4201
710756a9
RS		 4202 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4203 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4204 goto end;
5f982038
MC		 4205
4206 testresult = 1;
4207
4208 end:
5f982038 4209 SSL_SESSION_free(sess);
c20e3b28 4210 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4211 SSL_SESSION_free(serverpsk);
4212 clientpsk = serverpsk = NULL;
5f982038
MC		 4213 SSL_free(serverssl);
4214 SSL_free(clientssl);
4215 SSL_CTX_free(sctx);
4216 SSL_CTX_free(cctx);
5f982038
MC		 4217 return testresult;
4218}
4219
976e5323
MC		 4220static const char *servalpn;
4221
c7558d5b
PY		 4222static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4223 unsigned char *outlen, const unsigned char *in,
4224 unsigned int inlen, void *arg)
976e5323 4225{
c7558d5b 4226 unsigned int protlen = 0;
976e5323
MC		 4227 const unsigned char *prot;
4228
c7558d5b
PY		 4229 for (prot = in; prot < in + inlen; prot += protlen) {
4230 protlen = *prot++;
5d99881e 4231 if (in + inlen < prot + protlen)
976e5323
MC		 4232 return SSL_TLSEXT_ERR_NOACK;
4233
4234 if (protlen == strlen(servalpn)
0bd42fde 4235 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 4236 *out = prot;
4237 *outlen = protlen;
4238 return SSL_TLSEXT_ERR_OK;
4239 }
4240 }
4241
4242 return SSL_TLSEXT_ERR_NOACK;
4243}
4244
57dee9bb 4245/* Test that a PSK can be used to send early_data */
976e5323
MC		 4246static int test_early_data_psk(int idx)
4247{
4248 SSL_CTX *cctx = NULL, *sctx = NULL;
4249 SSL *clientssl = NULL, *serverssl = NULL;
4250 int testresult = 0;
4251 SSL_SESSION *sess = NULL;
57dee9bb
MC		 4252 unsigned char alpnlist[] = {
4253 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4254 'l', 'p', 'n'
4255 };
4256#define GOODALPNLEN 9
4257#define BADALPNLEN 8
4258#define GOODALPN (alpnlist)
4259#define BADALPN (alpnlist + GOODALPNLEN)
4260 int err = 0;
976e5323
MC		 4261 unsigned char buf[20];
4262 size_t readbytes, written;
57dee9bb 4263 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 4264 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4265
4266 /* We always set this up with a final parameter of "2" for PSK */
4267 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4268 &serverssl, &sess, 2,
4269 SHA384_DIGEST_LENGTH)))
976e5323
MC		 4270 goto end;
4271
976e5323
MC		 4272 servalpn = "goodalpn";
4273
57dee9bb
MC		 4274 /*
4275 * Note: There is no test for inconsistent SNI with late client detection.
4276 * This is because servers do not acknowledge SNI even if they are using
4277 * it in a resumption handshake - so it is not actually possible for a
4278 * client to detect a problem.
4279 */
976e5323
MC		 4280 switch (idx) {
4281 case 0:
57dee9bb 4282 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4283 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4284 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4285 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4286 goto end;
4287 break;
4288
4289 case 1:
57dee9bb 4290 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4291 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4292 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4293 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4294 GOODALPNLEN))
4295 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4296 BADALPNLEN)))
976e5323
MC		 4297 goto end;
4298 break;
4299
4300 case 2:
4301 /*
4302 * Set invalid protocol version. Technically this affects PSKs without
4303 * early_data too, but we test it here because it is similar to the
4304 * SNI/ALPN consistency tests.
4305 */
4306 err = SSL_R_BAD_PSK;
4307 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4308 goto end;
4309 break;
4310
4311 case 3:
4312 /*
49ef3d07
MC		 4313 * Set inconsistent SNI (server side). In this case the connection
4314 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4315 * is associated with each handshake - not the session. Therefore it
4316 * should not matter that we used a different server name last time.
976e5323 4317 */
281bf233
MC		 4318 SSL_SESSION_free(serverpsk);
4319 serverpsk = SSL_SESSION_dup(clientpsk);
4320 if (!TEST_ptr(serverpsk)
4321 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4322 goto end;
976e5323
MC		 4323 /* Fall through */
4324 case 4:
4325 /* Set consistent SNI */
976e5323
MC		 4326 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4327 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4328 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4329 hostname_cb)))
4330 goto end;
4331 break;
4332
4333 case 5:
4334 /*
4335 * Set inconsistent ALPN (server detected). In this case the connection
4336 * will succeed but reject early_data.
4337 */
4338 servalpn = "badalpn";
4339 edstatus = SSL_EARLY_DATA_REJECTED;
4340 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4341 /* Fall through */
4342 case 6:
976e5323 4343 /*
57dee9bb 4344 * Set consistent ALPN.
976e5323
MC		 4345 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4346 * accepts a list of protos (each one length prefixed).
4347 * SSL_set1_alpn_selected accepts a single protocol (not length
4348 * prefixed)
4349 */
57dee9bb
MC		 4350 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4351 GOODALPNLEN - 1))
4352 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4353 GOODALPNLEN)))
976e5323
MC		 4354 goto end;
4355
4356 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4357 break;
4358
57dee9bb
MC		 4359 case 7:
4360 /* Set inconsistent ALPN (late client detection) */
4361 SSL_SESSION_free(serverpsk);
4362 serverpsk = SSL_SESSION_dup(clientpsk);
4363 if (!TEST_ptr(serverpsk)
4364 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4365 BADALPN + 1,
4366 BADALPNLEN - 1))
4367 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4368 GOODALPN + 1,
4369 GOODALPNLEN - 1))
4370 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4371 sizeof(alpnlist))))
4372 goto end;
4373 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4374 edstatus = SSL_EARLY_DATA_ACCEPTED;
4375 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4376 /* SSL_connect() call should fail */
4377 connectres = -1;
4378 break;
4379
976e5323
MC		 4380 default:
4381 TEST_error("Bad test index");
4382 goto end;
4383 }
4384
4385 SSL_set_connect_state(clientssl);
4386 if (err != 0) {
4387 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4388 &written))
4389 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4390 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4391 goto end;
4392 } else {
1848c561
MC		 4393 OSSL_TIME timer = ossl_time_now();
4394
976e5323 4395 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4396 &written)))
4397 goto end;
4398
4399 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1848c561
MC		 4400 &readbytes), readearlyres)) {
4401 testresult = check_early_data_timeout(timer);
4402 goto end;
4403 }
4404
4405 if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
976e5323 4406 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4407 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4408 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4409 goto end;
4410 }
4411
4412 testresult = 1;
4413
4414 end:
c20e3b28 4415 SSL_SESSION_free(sess);
57dee9bb
MC		 4416 SSL_SESSION_free(clientpsk);
4417 SSL_SESSION_free(serverpsk);
4418 clientpsk = serverpsk = NULL;
976e5323
MC		 4419 SSL_free(serverssl);
4420 SSL_free(clientssl);
4421 SSL_CTX_free(sctx);
4422 SSL_CTX_free(cctx);
4423 return testresult;
4424}
4425
0b2b0be9 4426/*
b6a5e801 4427 * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites
0b2b0be9 4428 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4429 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4430 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4431 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4432 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
b6a5e801
RR		 4433 * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256
4434 * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384
0b2b0be9 4435 */
4436static int test_early_data_psk_with_all_ciphers(int idx)
4437{
4438 SSL_CTX *cctx = NULL, *sctx = NULL;
4439 SSL *clientssl = NULL, *serverssl = NULL;
4440 int testresult = 0;
4441 SSL_SESSION *sess = NULL;
4442 unsigned char buf[20];
4443 size_t readbytes, written;
4444 const SSL_CIPHER *cipher;
1848c561 4445 OSSL_TIME timer;
0b2b0be9 4446 const char *cipher_str[] = {
4447 TLS1_3_RFC_AES_128_GCM_SHA256,
4448 TLS1_3_RFC_AES_256_GCM_SHA384,
4449# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4450 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4451# else
4452 NULL,
4453# endif
4454 TLS1_3_RFC_AES_128_CCM_SHA256,
b6a5e801
RR		 4455 TLS1_3_RFC_AES_128_CCM_8_SHA256,
4456# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4457 TLS1_3_RFC_SHA256_SHA256,
4458 TLS1_3_RFC_SHA384_SHA384
4459#else
4460 NULL,
4461 NULL
4462#endif
0b2b0be9 4463 };
4464 const unsigned char *cipher_bytes[] = {
4465 TLS13_AES_128_GCM_SHA256_BYTES,
4466 TLS13_AES_256_GCM_SHA384_BYTES,
4467# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4468 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4469# else
4470 NULL,
4471# endif
4472 TLS13_AES_128_CCM_SHA256_BYTES,
b6a5e801
RR		 4473 TLS13_AES_128_CCM_8_SHA256_BYTES,
4474# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
4475 TLS13_SHA256_SHA256_BYTES,
4476 TLS13_SHA384_SHA384_BYTES
4477#else
4478 NULL,
4479 NULL
4480#endif
0b2b0be9 4481 };
4482
4483 if (cipher_str[idx] == NULL)
4484 return 1;
b6a5e801
RR		 4485 /*
4486 * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
4487 * as currently FIPS module does not support them.
4488 */
4489 if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
0b2b0be9 4490 return 1;
4491
4492 /* We always set this up with a final parameter of "2" for PSK */
4493 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4494 &serverssl, &sess, 2,
4495 SHA384_DIGEST_LENGTH)))
0b2b0be9 4496 goto end;
4497
b6a5e801
RR		 4498 if (idx == 4 || idx == 5 || idx == 6) {
4499 /*
4500 * CCM8 ciphers are considered low security due to their short tag.
4501 * Integrity-only cipher do not provide any confidentiality.
4502 */
e0710222
P		 4503 SSL_set_security_level(clientssl, 0);
4504 SSL_set_security_level(serverssl, 0);
4505 }
4506
0b2b0be9 4507 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4508 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4509 goto end;
4510
4511 /*
4512 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4513 * and assigns to both client and server with incremented reference
4514 * and the same instance is updated in 'sess'.
4515 * So updating ciphersuite in 'sess' which will get reflected in
4516 * PSK handshake using psk use sess and find sess cb.
4517 */
4518 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4519 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4520 goto end;
4521
4522 SSL_set_connect_state(clientssl);
1848c561 4523 timer = ossl_time_now();
0b2b0be9 4524 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4525 &written)))
4526 goto end;
4527
4528 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4529 &readbytes),
1848c561
MC		 4530 SSL_READ_EARLY_DATA_SUCCESS)) {
4531 testresult = check_early_data_timeout(timer);
4532 goto end;
4533 }
4534
4535 if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
0b2b0be9 4536 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4537 SSL_EARLY_DATA_ACCEPTED)
4538 || !TEST_int_eq(SSL_connect(clientssl), 1)
4539 || !TEST_int_eq(SSL_accept(serverssl), 1))
4540 goto end;
4541
4542 /* Send some normal data from client to server */
4543 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4544 || !TEST_size_t_eq(written, strlen(MSG2)))
4545 goto end;
4546
4547 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4548 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4549 goto end;
4550
4551 testresult = 1;
4552 end:
4553 SSL_SESSION_free(sess);
4554 SSL_SESSION_free(clientpsk);
4555 SSL_SESSION_free(serverpsk);
4556 clientpsk = serverpsk = NULL;
4557 if (clientssl != NULL)
4558 SSL_shutdown(clientssl);
4559 if (serverssl != NULL)
4560 SSL_shutdown(serverssl);
4561 SSL_free(serverssl);
4562 SSL_free(clientssl);
4563 SSL_CTX_free(sctx);
4564 SSL_CTX_free(cctx);
4565 return testresult;
4566}
4567
710756a9
RS		 4568/*
4569 * Test that a server that doesn't try to read early data can handle a
4570 * client sending some.
4571 */
3cb47b4e 4572static int test_early_data_not_expected(int idx)
5f982038
MC		 4573{
4574 SSL_CTX *cctx = NULL, *sctx = NULL;
4575 SSL *clientssl = NULL, *serverssl = NULL;
4576 int testresult = 0;
018fcbec 4577 SSL_SESSION *sess = NULL;
5f982038
MC		 4578 unsigned char buf[20];
4579 size_t readbytes, written;
4580
710756a9 4581 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4582 &serverssl, &sess, idx,
4583 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4584 goto end;
4585
4586 /* Write some early data */
710756a9
RS		 4587 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4588 &written)))
5f982038 4589 goto end;
5f982038
MC		 4590
4591 /*
4592 * Server should skip over early data and then block waiting for client to
4593 * continue handshake
4594 */
710756a9
RS		 4595 if (!TEST_int_le(SSL_accept(serverssl), 0)
4596 || !TEST_int_gt(SSL_connect(clientssl), 0)
4597 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4598 SSL_EARLY_DATA_REJECTED)
4599 || !TEST_int_gt(SSL_accept(serverssl), 0)
4600 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4601 SSL_EARLY_DATA_REJECTED))
5f982038 4602 goto end;
5f982038
MC		 4603
4604 /* Send some normal data from client to server */
710756a9
RS		 4605 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4606 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4607 goto end;
5f982038 4608
710756a9
RS		 4609 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4610 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4611 goto end;
5f982038
MC		 4612
4613 testresult = 1;
4614
4615 end:
5f982038 4616 SSL_SESSION_free(sess);
c20e3b28 4617 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4618 SSL_SESSION_free(serverpsk);
4619 clientpsk = serverpsk = NULL;
5f982038
MC		 4620 SSL_free(serverssl);
4621 SSL_free(clientssl);
4622 SSL_CTX_free(sctx);
4623 SSL_CTX_free(cctx);
5f982038
MC		 4624 return testresult;
4625}
4626
4627
4628# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4629/*
4630 * Test that a server attempting to read early data can handle a connection
4631 * from a TLSv1.2 client.
4632 */
3cb47b4e 4633static int test_early_data_tls1_2(int idx)
5f982038
MC		 4634{
4635 SSL_CTX *cctx = NULL, *sctx = NULL;
4636 SSL *clientssl = NULL, *serverssl = NULL;
4637 int testresult = 0;
4638 unsigned char buf[20];
4639 size_t readbytes, written;
4640
02a3ed5a 4641 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4642 &serverssl, NULL, idx,
4643 SHA384_DIGEST_LENGTH)))
5f982038 4644 goto end;
5f982038
MC		 4645
4646 /* Write some data - should block due to handshake with server */
4647 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4648 SSL_set_connect_state(clientssl);
710756a9 4649 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4650 goto end;
5f982038
MC		 4651
4652 /*
4653 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4654 * messages from client after ServerDone. Then SSL_read_early_data should
4655 * finish and detect that early data has not been sent
5f982038 4656 */
710756a9
RS		 4657 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4658 &readbytes),
4659 SSL_READ_EARLY_DATA_ERROR))
5f982038 4660 goto end;
5f982038
MC		 4661
4662 /*
4663 * Continue writing the message we started earlier. Will still block waiting
4664 * for the CCS/Finished from server
4665 */
710756a9
RS		 4666 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4667 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4668 &readbytes),
4669 SSL_READ_EARLY_DATA_FINISH)
4670 || !TEST_size_t_eq(readbytes, 0)
4671 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4672 SSL_EARLY_DATA_NOT_SENT))
5f982038 4673 goto end;
5f982038
MC		 4674
4675 /* Continue writing the message we started earlier */
710756a9
RS		 4676 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4677 || !TEST_size_t_eq(written, strlen(MSG1))
4678 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4679 SSL_EARLY_DATA_NOT_SENT)
4680 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4681 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4682 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4683 || !TEST_size_t_eq(written, strlen(MSG2))
4684 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4685 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4686 goto end;
5f982038
MC		 4687
4688 testresult = 1;
4689
4690 end:
57dee9bb
MC		 4691 SSL_SESSION_free(clientpsk);
4692 SSL_SESSION_free(serverpsk);
4693 clientpsk = serverpsk = NULL;
5f982038
MC		 4694 SSL_free(serverssl);
4695 SSL_free(clientssl);
4696 SSL_CTX_free(sctx);
4697 SSL_CTX_free(cctx);
4698
4699 return testresult;
4700}
ca0413ae
MC		 4701# endif /* OPENSSL_NO_TLS1_2 */
4702
034cb87b
MC		 4703/*
4704 * Test configuring the TLSv1.3 ciphersuites
4705 *
4706 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4707 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4708 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4709 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4710 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4711 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4712 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4713 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4714 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4715 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4716 */
4717static int test_set_ciphersuite(int idx)
4718{
4719 SSL_CTX *cctx = NULL, *sctx = NULL;
4720 SSL *clientssl = NULL, *serverssl = NULL;
4721 int testresult = 0;
4722
5e30f2fd
MC		 4723 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4724 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4725 &sctx, &cctx, cert, privkey))
4726 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4727 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4728 goto end;
4729
4730 if (idx >=4 && idx <= 7) {
4731 /* SSL_CTX explicit cipher list */
4732 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4733 goto end;
4734 }
4735
4736 if (idx == 0 || idx == 4) {
4737 /* Default ciphersuite */
4738 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4739 "TLS_AES_128_GCM_SHA256")))
4740 goto end;
4741 } else if (idx == 1 || idx == 5) {
4742 /* Non default ciphersuite */
4743 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4744 "TLS_AES_128_CCM_SHA256")))
4745 goto end;
4746 }
4747
4748 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4749 &clientssl, NULL, NULL)))
4750 goto end;
4751
4752 if (idx == 8 || idx == 9) {
4753 /* SSL explicit cipher list */
4754 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4755 goto end;
4756 }
4757
4758 if (idx == 2 || idx == 6 || idx == 8) {
4759 /* Default ciphersuite */
4760 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4761 "TLS_AES_128_GCM_SHA256")))
4762 goto end;
4763 } else if (idx == 3 || idx == 7 || idx == 9) {
4764 /* Non default ciphersuite */
4765 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4766 "TLS_AES_128_CCM_SHA256")))
4767 goto end;
4768 }
4769
4770 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4771 goto end;
4772
4773 testresult = 1;
4774
4775 end:
4776 SSL_free(serverssl);
4777 SSL_free(clientssl);
4778 SSL_CTX_free(sctx);
4779 SSL_CTX_free(cctx);
4780
4781 return testresult;
4782}
4783
ca0413ae
MC		 4784static int test_ciphersuite_change(void)
4785{
4786 SSL_CTX *cctx = NULL, *sctx = NULL;
4787 SSL *clientssl = NULL, *serverssl = NULL;
4788 SSL_SESSION *clntsess = NULL;
4789 int testresult = 0;
4790 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4791
4792 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4793 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4794 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4795 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4796 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4797 "TLS_AES_128_GCM_SHA256:"
4798 "TLS_AES_256_GCM_SHA384:"
4799 "TLS_AES_128_CCM_SHA256"))
f865b081 4800 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4801 "TLS_AES_128_GCM_SHA256")))
4802 goto end;
4803
4804 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4805 NULL, NULL))
ca0413ae
MC		 4806 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4807 SSL_ERROR_NONE)))
4808 goto end;
4809
4810 clntsess = SSL_get1_session(clientssl);
4811 /* Save for later */
4812 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4813 SSL_shutdown(clientssl);
4814 SSL_shutdown(serverssl);
4815 SSL_free(serverssl);
4816 SSL_free(clientssl);
4817 serverssl = clientssl = NULL;
4818
4819 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4820 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4821 "TLS_AES_128_CCM_SHA256"))
4822 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4823 &clientssl, NULL, NULL))
ca0413ae
MC		 4824 || !TEST_true(SSL_set_session(clientssl, clntsess))
4825 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4826 SSL_ERROR_NONE))
4827 || !TEST_true(SSL_session_reused(clientssl)))
4828 goto end;
4829
4830 SSL_SESSION_free(clntsess);
4831 clntsess = SSL_get1_session(clientssl);
4832 SSL_shutdown(clientssl);
4833 SSL_shutdown(serverssl);
4834 SSL_free(serverssl);
4835 SSL_free(clientssl);
4836 serverssl = clientssl = NULL;
4837
4838 /*
4839 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4840 * succeeds but does not resume.
ca0413ae 4841 */
f865b081 4842 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4843 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4844 NULL, NULL))
4845 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4846 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4847 SSL_ERROR_SSL))
0de6d66d 4848 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4849 goto end;
4850
4851 SSL_SESSION_free(clntsess);
4852 clntsess = NULL;
4853 SSL_shutdown(clientssl);
4854 SSL_shutdown(serverssl);
4855 SSL_free(serverssl);
4856 SSL_free(clientssl);
4857 serverssl = clientssl = NULL;
4858
4859 /* Create a session based on SHA384 */
f865b081 4860 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4861 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4862 &clientssl, NULL, NULL))
4863 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4864 SSL_ERROR_NONE)))
4865 goto end;
4866
4867 clntsess = SSL_get1_session(clientssl);
4868 SSL_shutdown(clientssl);
4869 SSL_shutdown(serverssl);
4870 SSL_free(serverssl);
4871 SSL_free(clientssl);
4872 serverssl = clientssl = NULL;
4873
f865b081
MC		 4874 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4875 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4876 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4877 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4878 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4879 NULL, NULL))
4880 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4881 /*
4882 * We use SSL_ERROR_WANT_READ below so that we can pause the
4883 * connection after the initial ClientHello has been sent to
4884 * enable us to make some session changes.
4885 */
ca0413ae
MC		 4886 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4887 SSL_ERROR_WANT_READ)))
4888 goto end;
4889
4890 /* Trick the client into thinking this session is for a different digest */
4891 clntsess->cipher = aes_128_gcm_sha256;
4892 clntsess->cipher_id = clntsess->cipher->id;
4893
4894 /*
3b0e88d3
MC		 4895 * Continue the previously started connection. Server has selected a SHA-384
4896 * ciphersuite, but client thinks the session is for SHA-256, so it should
4897 * bail out.
ca0413ae
MC		 4898 */
4899 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4900 SSL_ERROR_SSL))
4901 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4902 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4903 goto end;
4904
4905 testresult = 1;
4906
4907 end:
4908 SSL_SESSION_free(clntsess);
4909 SSL_free(serverssl);
4910 SSL_free(clientssl);
4911 SSL_CTX_free(sctx);
4912 SSL_CTX_free(cctx);
4913
4914 return testresult;
4915}
4916
8e63900a 4917/*
5bf2eade 4918 * Test TLSv1.3 Key exchange
4919 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4920 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4921 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4922 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4923 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4924 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4925 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4926 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4927 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4928 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4929 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4930 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4931 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4932 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4933 */
f89d3d69
BK		 4934# ifndef OPENSSL_NO_EC
4935static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4032cd9a
YL		 4936 NID_secp521r1,
4937# ifndef OPENSSL_NO_ECX
4938 NID_X25519, NID_X448
4939# endif
4940 };
f89d3d69
BK		 4941# endif
4942# ifndef OPENSSL_NO_DH
4943static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4944 NID_ffdhe6144, NID_ffdhe8192};
4945# endif
db26ec80 4946static int test_key_exchange(int idx)
8e63900a 4947{
4948 SSL_CTX *sctx = NULL, *cctx = NULL;
4949 SSL *serverssl = NULL, *clientssl = NULL;
4950 int testresult = 0;
fb8c6db4 4951 int kexch_alg;
4952 int *kexch_groups = &kexch_alg;
4953 int kexch_groups_size = 1;
8e63900a 4954 int max_version = TLS1_3_VERSION;
becbacd7 4955 char *kexch_name0 = NULL;
8e63900a 4956
4957 switch (idx) {
5bf2eade 4958# ifndef OPENSSL_NO_EC
db26ec80 4959# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4960 case 12:
fb8c6db4 4961 max_version = TLS1_2_VERSION;
db26ec80 4962# endif
fb8c6db4 4963 /* Fall through */
4964 case 0:
4965 kexch_groups = ecdhe_kexch_groups;
4966 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4967 kexch_name0 = "secp256r1";
fb8c6db4 4968 break;
5bf2eade 4969 case 1:
fb8c6db4 4970 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4971 kexch_name0 = "secp256r1";
fb8c6db4 4972 break;
5bf2eade 4973 case 2:
fb8c6db4 4974 kexch_alg = NID_secp384r1;
becbacd7 4975 kexch_name0 = "secp384r1";
fb8c6db4 4976 break;
5bf2eade 4977 case 3:
fb8c6db4 4978 kexch_alg = NID_secp521r1;
becbacd7 4979 kexch_name0 = "secp521r1";
fb8c6db4 4980 break;
4032cd9a 4981# ifndef OPENSSL_NO_ECX
5bf2eade 4982 case 4:
fb8c6db4 4983 kexch_alg = NID_X25519;
becbacd7 4984 kexch_name0 = "x25519";
fb8c6db4 4985 break;
5bf2eade 4986 case 5:
fb8c6db4 4987 kexch_alg = NID_X448;
becbacd7 4988 kexch_name0 = "x448";
fb8c6db4 4989 break;
4032cd9a 4990# endif
5bf2eade 4991# endif
4992# ifndef OPENSSL_NO_DH
db26ec80 4993# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4994 case 13:
dbc6268f 4995 max_version = TLS1_2_VERSION;
becbacd7 4996 kexch_name0 = "ffdhe2048";
db26ec80 4997# endif
dbc6268f 4998 /* Fall through */
5bf2eade 4999 case 6:
8e63900a 5000 kexch_groups = ffdhe_kexch_groups;
5001 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 5002 kexch_name0 = "ffdhe2048";
8e63900a 5003 break;
5bf2eade 5004 case 7:
fb8c6db4 5005 kexch_alg = NID_ffdhe2048;
becbacd7 5006 kexch_name0 = "ffdhe2048";
fb8c6db4 5007 break;
5bf2eade 5008 case 8:
fb8c6db4 5009 kexch_alg = NID_ffdhe3072;
becbacd7 5010 kexch_name0 = "ffdhe3072";
fb8c6db4 5011 break;
5bf2eade 5012 case 9:
fb8c6db4 5013 kexch_alg = NID_ffdhe4096;
becbacd7 5014 kexch_name0 = "ffdhe4096";
fb8c6db4 5015 break;
5bf2eade 5016 case 10:
fb8c6db4 5017 kexch_alg = NID_ffdhe6144;
becbacd7 5018 kexch_name0 = "ffdhe6144";
fb8c6db4 5019 break;
5bf2eade 5020 case 11:
fb8c6db4 5021 kexch_alg = NID_ffdhe8192;
becbacd7 5022 kexch_name0 = "ffdhe8192";
8e63900a 5023 break;
5bf2eade 5024# endif
6597d62b
MC		 5025 default:
5026 /* We're skipping this test */
5027 return 1;
8e63900a 5028 }
5029
5e30f2fd
MC		 5030 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5031 TLS_client_method(), TLS1_VERSION,
5032 max_version, &sctx, &cctx, cert,
5033 privkey)))
8e63900a 5034 goto end;
5035
5bf2eade 5036 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
5037 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 5038 goto end;
5039
5bf2eade 5040 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5041 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 5042 goto end;
5043
5bf2eade 5044 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 5045 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5046 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5047 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 5048 goto end;
5049
dbc6268f
MC		 5050 /*
5051 * Must include an EC ciphersuite so that we send supported groups in
5052 * TLSv1.2
5053 */
5bf2eade 5054# ifndef OPENSSL_NO_TLS1_2
dbc6268f 5055 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 5056 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5057 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 5058 goto end;
5bf2eade 5059# endif
8e63900a 5060
5061 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5062 NULL, NULL)))
5063 goto end;
5064
5065 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
5066 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
5067 goto end;
5068
5bf2eade 5069 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 5070 goto end;
8e63900a 5071
dbc6268f 5072 /*
5bf2eade 5073 * If Handshake succeeds the negotiated kexch alg should be the first one in
5074 * configured, except in the case of FFDHE groups (idx 13), which are
5075 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 5076 */
5077 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 5078 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 5079 goto end;
becbacd7
MB		 5080
5081 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5082 kexch_name0))
5083 goto end;
5084
75d48520
BK		 5085 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5086 if (idx != 13) {
68668243
AB		 5087 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5088 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5089 goto end;
fb8c6db4 5090 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5091 goto end;
5092 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5093 goto end;
5094 }
8e63900a 5095
5096 testresult = 1;
5097 end:
5098 SSL_free(serverssl);
5099 SSL_free(clientssl);
5100 SSL_CTX_free(sctx);
5101 SSL_CTX_free(cctx);
5102 return testresult;
5103}
5104
c9cddf05
P		 5105# if !defined(OPENSSL_NO_TLS1_2) \
5106 && !defined(OPENSSL_NO_EC) \
5107 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 5108static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5109 int isecdhe, int idx)
5110{
5111 int kexch_alg;
5112 int *kexch_groups = &kexch_alg;
5113 int numec, numff;
5114
5115 numec = OSSL_NELEM(ecdhe_kexch_groups);
5116 numff = OSSL_NELEM(ffdhe_kexch_groups);
5117 if (isecdhe)
5118 kexch_alg = ecdhe_kexch_groups[idx];
5119 else
5120 kexch_alg = ffdhe_kexch_groups[idx];
5121
5122 if (clientmulti) {
5123 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5124 return 0;
5125 if (isecdhe) {
5126 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5127 numec)))
5128 return 0;
5129 } else {
5130 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5131 numff)))
5132 return 0;
5133 }
5134 } else {
5135 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5136 return 0;
5137 if (isecdhe) {
5138 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5139 numec)))
5140 return 0;
5141 } else {
5142 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5143 numff)))
5144 return 0;
5145 }
5146 }
5147 return 1;
5148}
5149
5150/*-
5151 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5152 * Run through both the ECDHE and FFDHE group lists used in the previous
5153 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5154 * confirming the expected result; then perform a resumption handshake
5155 * while offering the same group list, and another resumption handshake
5156 * offering a different group list. The returned value should be the
5157 * negotiated group for the initial handshake; for TLS 1.3 resumption
5158 * handshakes the returned value will be negotiated on the resumption
5159 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5160 * be cached in the session from the original handshake, regardless of what
5161 * was offered in the resumption ClientHello.
5162 *
5163 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 5164 * E tests of ECDHE with TLS 1.3, server only has one group
5165 * F tests of FFDHE with TLS 1.3, server only has one group
5166 * E tests of ECDHE with TLS 1.2, server only has one group
5167 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 5168 * E tests of ECDHE with TLS 1.3, client sends only one group
5169 * F tests of FFDHE with TLS 1.3, client sends only one group
5170 * E tests of ECDHE with TLS 1.2, client sends only one group
5171 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 5172 */
5173static int test_negotiated_group(int idx)
5174{
5175 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5176 int expectednid;
5177 SSL_CTX *sctx = NULL, *cctx = NULL;
5178 SSL *serverssl = NULL, *clientssl = NULL;
5179 SSL_SESSION *origsess = NULL;
5180 int testresult = 0;
5181 int kexch_alg;
5182 int max_version = TLS1_3_VERSION;
5183
5184 numec = OSSL_NELEM(ecdhe_kexch_groups);
5185 numff = OSSL_NELEM(ffdhe_kexch_groups);
5186 numgroups = numec + numff;
5187 clientmulti = (idx < 2 * numgroups);
5188 idx = idx % (2 * numgroups);
5189 istls13 = (idx < numgroups);
5190 idx = idx % numgroups;
5191 isecdhe = (idx < numec);
5192 if (!isecdhe)
5193 idx -= numec;
5194 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5195 if (isecdhe)
5196 kexch_alg = ecdhe_kexch_groups[idx];
5197 else
5198 kexch_alg = ffdhe_kexch_groups[idx];
5199 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5200 if (!istls13 && !isecdhe)
5201 expectednid = NID_undef;
5202 else
5203 expectednid = kexch_alg;
5204
5205 if (!istls13)
5206 max_version = TLS1_2_VERSION;
5207
5208 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5209 TLS_client_method(), TLS1_VERSION,
5210 max_version, &sctx, &cctx, cert,
5211 privkey)))
5212 goto end;
5213
5214 /*
5215 * Force (EC)DHE ciphers for TLS 1.2.
5216 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5217 */
5218 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5219 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5220 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5221 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5222 goto end;
5223 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5224 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5225 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5226 goto end;
5227
5228 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5229 NULL, NULL)))
5230 goto end;
5231
5232 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5233 idx)))
5234 goto end;
5235
5236 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5237 goto end;
5238
5239 /* Initial handshake; always the configured one */
5240 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5241 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5242 goto end;
5243
5244 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5245 goto end;
5246
5247 SSL_shutdown(clientssl);
5248 SSL_shutdown(serverssl);
5249 SSL_free(serverssl);
5250 SSL_free(clientssl);
5251 serverssl = clientssl = NULL;
5252
5253 /* First resumption attempt; use the same config as initial handshake */
5254 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5255 NULL, NULL))
5256 || !TEST_true(SSL_set_session(clientssl, origsess))
5257 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5258 isecdhe, idx)))
5259 goto end;
5260
5261 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5262 || !TEST_true(SSL_session_reused(clientssl)))
5263 goto end;
5264
5265 /* Still had better agree, since nothing changed... */
5266 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5267 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5268 goto end;
5269
5270 SSL_shutdown(clientssl);
5271 SSL_shutdown(serverssl);
5272 SSL_free(serverssl);
5273 SSL_free(clientssl);
5274 serverssl = clientssl = NULL;
5275
5276 /*-
5277 * Second resumption attempt
5278 * The party that picks one group changes it, which we effectuate by
5279 * changing 'idx' and updating what we expect.
5280 */
5281 if (idx == 0)
5282 idx = 1;
5283 else
5284 idx--;
5285 if (istls13) {
5286 if (isecdhe)
5287 expectednid = ecdhe_kexch_groups[idx];
5288 else
5289 expectednid = ffdhe_kexch_groups[idx];
5290 /* Verify that we are changing what we expect. */
5291 if (!TEST_int_ne(expectednid, kexch_alg))
5292 goto end;
5293 } else {
5294 /* TLS 1.2 only supports named groups for ECDHE. */
5295 if (isecdhe)
5296 expectednid = kexch_alg;
5297 else
5298 expectednid = 0;
5299 }
5300 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5301 NULL, NULL))
5302 || !TEST_true(SSL_set_session(clientssl, origsess))
5303 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5304 isecdhe, idx)))
5305 goto end;
5306
5307 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5308 || !TEST_true(SSL_session_reused(clientssl)))
5309 goto end;
5310
5311 /* Check that we get what we expected */
5312 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5313 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5314 goto end;
5315
5316 testresult = 1;
5317 end:
5318 SSL_free(serverssl);
5319 SSL_free(clientssl);
5320 SSL_CTX_free(sctx);
5321 SSL_CTX_free(cctx);
5322 SSL_SESSION_free(origsess);
5323 return testresult;
5324}
5325# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5326
5bf2eade 5327/*
5328 * Test TLSv1.3 Cipher Suite
5329 * Test 0 = Set TLS1.3 cipher on context
5330 * Test 1 = Set TLS1.3 cipher on SSL
5331 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5332 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5333 */
5334static int test_tls13_ciphersuite(int idx)
5335{
5336 SSL_CTX *sctx = NULL, *cctx = NULL;
5337 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5338 static const struct {
5339 const char *ciphername;
5340 int fipscapable;
e0710222 5341 int low_security;
4f6c7044 5342 } t13_ciphers[] = {
e0710222
P		 5343 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5344 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5345 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5346# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5347 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5348 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5349 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5350# endif
e0710222
P		 5351 /* CCM8 ciphers are considered low security due to their short tag */
5352 { TLS1_3_RFC_AES_128_CCM_8_SHA256
b6a5e801
RR		 5353 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 },
5354# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
5355 /* Integrity-only cipher do not provide any confidentiality */
5356 { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
5357 { TLS1_3_RFC_SHA384_SHA384, 0, 1 }
5358# endif
5bf2eade 5359 };
5360 const char *t13_cipher = NULL;
5361 const char *t12_cipher = NULL;
5362 const char *negotiated_scipher;
5363 const char *negotiated_ccipher;
5364 int set_at_ctx = 0;
5365 int set_at_ssl = 0;
5366 int testresult = 0;
5367 int max_ver;
5368 size_t i;
5369
5370 switch (idx) {
5371 case 0:
5372 set_at_ctx = 1;
5373 break;
5374 case 1:
5375 set_at_ssl = 1;
5376 break;
5377 case 2:
5378 set_at_ctx = 1;
2d900758 5379 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5380 break;
5381 case 3:
5382 set_at_ssl = 1;
2d900758 5383 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5384 break;
5385 }
5386
5387 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5388# ifdef OPENSSL_NO_TLS1_2
5389 if (max_ver == TLS1_2_VERSION)
5390 continue;
5391# endif
5392 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5393 if (is_fips && !t13_ciphers[i].fipscapable)
5394 continue;
5395 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5396 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5397 TLS_client_method(),
5398 TLS1_VERSION, max_ver,
5399 &sctx, &cctx, cert, privkey)))
5400 goto end;
5401
e0710222
P		 5402 if (t13_ciphers[i].low_security) {
5403 SSL_CTX_set_security_level(sctx, 0);
5404 SSL_CTX_set_security_level(cctx, 0);
5405 }
5406
5bf2eade 5407 if (set_at_ctx) {
5408 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5409 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5410 goto end;
5411 if (t12_cipher != NULL) {
5412 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5413 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5414 t12_cipher)))
5415 goto end;
5416 }
5417 }
5418
5419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5420 &clientssl, NULL, NULL)))
5421 goto end;
5422
5423 if (set_at_ssl) {
5424 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5425 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5426 goto end;
5427 if (t12_cipher != NULL) {
5428 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5429 || !TEST_true(SSL_set_cipher_list(clientssl,
5430 t12_cipher)))
5431 goto end;
5432 }
5433 }
5434
5435 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5436 SSL_ERROR_NONE)))
5437 goto end;
5438
5439 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5440 serverssl));
5441 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5442 clientssl));
5443 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5444 goto end;
5445
5446 /*
5447 * TEST_strn_eq is used below because t13_cipher can contain
5448 * multiple ciphersuites
5449 */
5450 if (max_ver == TLS1_3_VERSION
5451 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5452 strlen(negotiated_scipher)))
5453 goto end;
5454
5455# ifndef OPENSSL_NO_TLS1_2
5456 /* Below validation is not done when t12_cipher is NULL */
5457 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5458 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5459 goto end;
5460# endif
5461
5462 SSL_free(serverssl);
5463 serverssl = NULL;
5464 SSL_free(clientssl);
5465 clientssl = NULL;
5466 SSL_CTX_free(sctx);
5467 sctx = NULL;
5468 SSL_CTX_free(cctx);
5469 cctx = NULL;
5470 }
5471 }
5472
5473 testresult = 1;
5474 end:
5475 SSL_free(serverssl);
5476 SSL_free(clientssl);
5477 SSL_CTX_free(sctx);
5478 SSL_CTX_free(cctx);
5479 return testresult;
5480}
5481
0d8da779
MC		 5482/*
5483 * Test TLSv1.3 PSKs
5484 * Test 0 = Test new style callbacks
5485 * Test 1 = Test both new and old style callbacks
5486 * Test 2 = Test old style callbacks
5487 * Test 3 = Test old style callbacks with no certificate
5488 */
532f9578 5489static int test_tls13_psk(int idx)
ca8c71ba
MC		 5490{
5491 SSL_CTX *sctx = NULL, *cctx = NULL;
5492 SSL *serverssl = NULL, *clientssl = NULL;
5493 const SSL_CIPHER *cipher = NULL;
5494 const unsigned char key[] = {
5495 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5496 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5497 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5498 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5499 };
5500 int testresult = 0;
5501
5e30f2fd
MC		 5502 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5503 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5504 &sctx, &cctx, idx == 3 ? NULL : cert,
5505 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5506 goto end;
5507
0d8da779
MC		 5508 if (idx != 3) {
5509 /*
5510 * We use a ciphersuite with SHA256 to ease testing old style PSK
5511 * callbacks which will always default to SHA256. This should not be
5512 * necessary if we have no cert/priv key. In that case the server should
5513 * prefer SHA256 automatically.
5514 */
5515 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5516 "TLS_AES_128_GCM_SHA256")))
5517 goto end;
4f6c7044
MC		 5518 } else {
5519 /*
5520 * As noted above the server should prefer SHA256 automatically. However
5521 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5522 * code works even if we are testing with only the FIPS provider loaded.
5523 */
5524 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5525 "TLS_AES_256_GCM_SHA384:"
5526 "TLS_AES_128_GCM_SHA256")))
5527 goto end;
0d8da779 5528 }
532f9578
MC		 5529
5530 /*
5531 * Test 0: New style callbacks only
5532 * Test 1: New and old style callbacks (only the new ones should be used)
5533 * Test 2: Old style callbacks only
5534 */
5535 if (idx == 0 || idx == 1) {
5536 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5537 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5538 }
c2b290c3 5539#ifndef OPENSSL_NO_PSK
0d8da779 5540 if (idx >= 1) {
532f9578
MC		 5541 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5542 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5543 }
c2b290c3 5544#endif
ca8c71ba 5545 srvid = pskid;
02a3ed5a
MC		 5546 use_session_cb_cnt = 0;
5547 find_session_cb_cnt = 0;
532f9578
MC		 5548 psk_client_cb_cnt = 0;
5549 psk_server_cb_cnt = 0;
ca8c71ba 5550
0d8da779
MC		 5551 if (idx != 3) {
5552 /*
5553 * Check we can create a connection if callback decides not to send a
5554 * PSK
5555 */
5556 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5557 NULL, NULL))
5558 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5559 SSL_ERROR_NONE))
5560 || !TEST_false(SSL_session_reused(clientssl))
5561 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5562 goto end;
532f9578 5563
0d8da779
MC		 5564 if (idx == 0 || idx == 1) {
5565 if (!TEST_true(use_session_cb_cnt == 1)
5566 || !TEST_true(find_session_cb_cnt == 0)
5567 /*
5568 * If no old style callback then below should be 0
5569 * otherwise 1
5570 */
5571 || !TEST_true(psk_client_cb_cnt == idx)
5572 || !TEST_true(psk_server_cb_cnt == 0))
5573 goto end;
5574 } else {
5575 if (!TEST_true(use_session_cb_cnt == 0)
5576 || !TEST_true(find_session_cb_cnt == 0)
5577 || !TEST_true(psk_client_cb_cnt == 1)
5578 || !TEST_true(psk_server_cb_cnt == 0))
5579 goto end;
5580 }
5581
5582 shutdown_ssl_connection(serverssl, clientssl);
5583 serverssl = clientssl = NULL;
5584 use_session_cb_cnt = psk_client_cb_cnt = 0;
5585 }
ca8c71ba
MC		 5586
5587 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5588 NULL, NULL)))
5589 goto end;
5590
5591 /* Create the PSK */
532f9578 5592 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5593 clientpsk = SSL_SESSION_new();
5594 if (!TEST_ptr(clientpsk)
ca8c71ba 5595 || !TEST_ptr(cipher)
57dee9bb
MC		 5596 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5597 sizeof(key)))
5598 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5599 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5600 TLS1_3_VERSION))
5601 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5602 goto end;
57dee9bb 5603 serverpsk = clientpsk;
ca8c71ba
MC		 5604
5605 /* Check we can create a connection and the PSK is used */
5606 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5607 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5608 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5609 goto end;
5610
532f9578
MC		 5611 if (idx == 0 || idx == 1) {
5612 if (!TEST_true(use_session_cb_cnt == 1)
5613 || !TEST_true(find_session_cb_cnt == 1)
5614 || !TEST_true(psk_client_cb_cnt == 0)
5615 || !TEST_true(psk_server_cb_cnt == 0))
5616 goto end;
5617 } else {
5618 if (!TEST_true(use_session_cb_cnt == 0)
5619 || !TEST_true(find_session_cb_cnt == 0)
5620 || !TEST_true(psk_client_cb_cnt == 1)
5621 || !TEST_true(psk_server_cb_cnt == 1))
5622 goto end;
5623 }
5624
ca8c71ba
MC		 5625 shutdown_ssl_connection(serverssl, clientssl);
5626 serverssl = clientssl = NULL;
5627 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5628 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5629
5630 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5631 NULL, NULL)))
5632 goto end;
5633
5634 /* Force an HRR */
dbc6268f
MC		 5635#if defined(OPENSSL_NO_EC)
5636 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5637 goto end;
5638#else
4032cd9a 5639 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
ca8c71ba 5640 goto end;
dbc6268f 5641#endif
ca8c71ba
MC		 5642
5643 /*
5644 * Check we can create a connection, the PSK is used and the callbacks are
5645 * called twice.
5646 */
5647 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5648 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5649 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5650 goto end;
5651
532f9578
MC		 5652 if (idx == 0 || idx == 1) {
5653 if (!TEST_true(use_session_cb_cnt == 2)
5654 || !TEST_true(find_session_cb_cnt == 2)
5655 || !TEST_true(psk_client_cb_cnt == 0)
5656 || !TEST_true(psk_server_cb_cnt == 0))
5657 goto end;
5658 } else {
5659 if (!TEST_true(use_session_cb_cnt == 0)
5660 || !TEST_true(find_session_cb_cnt == 0)
5661 || !TEST_true(psk_client_cb_cnt == 2)
5662 || !TEST_true(psk_server_cb_cnt == 2))
5663 goto end;
5664 }
5665
ca8c71ba
MC		 5666 shutdown_ssl_connection(serverssl, clientssl);
5667 serverssl = clientssl = NULL;
5668 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5669 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5670
0d8da779
MC		 5671 if (idx != 3) {
5672 /*
5673 * Check that if the server rejects the PSK we can still connect, but with
5674 * a full handshake
5675 */
5676 srvid = "Dummy Identity";
5677 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5678 NULL, NULL))
5679 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5680 SSL_ERROR_NONE))
5681 || !TEST_false(SSL_session_reused(clientssl))
5682 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5683 goto end;
532f9578 5684
0d8da779
MC		 5685 if (idx == 0 || idx == 1) {
5686 if (!TEST_true(use_session_cb_cnt == 1)
5687 || !TEST_true(find_session_cb_cnt == 1)
5688 || !TEST_true(psk_client_cb_cnt == 0)
5689 /*
5690 * If no old style callback then below should be 0
5691 * otherwise 1
5692 */
5693 || !TEST_true(psk_server_cb_cnt == idx))
5694 goto end;
5695 } else {
5696 if (!TEST_true(use_session_cb_cnt == 0)
5697 || !TEST_true(find_session_cb_cnt == 0)
5698 || !TEST_true(psk_client_cb_cnt == 1)
5699 || !TEST_true(psk_server_cb_cnt == 1))
5700 goto end;
5701 }
5702
5703 shutdown_ssl_connection(serverssl, clientssl);
5704 serverssl = clientssl = NULL;
5705 }
ca8c71ba
MC		 5706 testresult = 1;
5707
5708 end:
57dee9bb
MC		 5709 SSL_SESSION_free(clientpsk);
5710 SSL_SESSION_free(serverpsk);
5711 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5712 SSL_free(serverssl);
5713 SSL_free(clientssl);
5714 SSL_CTX_free(sctx);
5715 SSL_CTX_free(cctx);
5716 return testresult;
5717}
5718
71583393
MM		 5719#ifndef OSSL_NO_USABLE_TLS1_3
5720/*
5721 * Test TLS1.3 connection establishment succeeds with various configurations of
5722 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
164a541b 5723 * The verification of whether the right KEX mode is chosen is not covered by
71583393
MM		 5724 * this test but by `test_tls13kexmodes`.
5725 *
5726 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5727 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5728 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5729 */
5730static int test_tls13_no_dhe_kex(const int idx)
5731{
5732 SSL_CTX *sctx = NULL, *cctx = NULL;
5733 SSL *serverssl = NULL, *clientssl = NULL;
5734 int testresult = 0;
5735 size_t j;
5736 SSL_SESSION *saved_session;
5737
5738 int server_allow_no_dhe = (idx & 1) != 0;
5739 int server_prefer_no_dhe = (idx & 2) != 0;
5740 int client_allow_no_dhe = (idx & 4) != 0;
5741
5742 uint64_t server_options = 0
5743 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5744 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5745
5746 uint64_t client_options = 0
5747 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5748
5749 new_called = 0;
5750 do_cache = 1;
5751
5752 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5753 TLS_client_method(), TLS1_3_VERSION, 0,
5754 &sctx, &cctx, cert, privkey)))
5755 goto end;
5756
5757 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5758 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5759
5760 SSL_CTX_set_options(sctx, server_options);
5761 SSL_CTX_set_options(cctx, client_options);
5762
5763 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5764
5765 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5766 &clientssl, NULL, NULL)))
5767 goto end;
5768
5769 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5770 SSL_ERROR_NONE))
5771 /* Check we got the number of tickets we were expecting */
5772 || !TEST_int_eq(2, new_called))
5773 goto end;
5774
5775 /* We'll reuse the last ticket. */
5776 saved_session = sesscache[new_called - 1];
5777
5778 SSL_shutdown(clientssl);
5779 SSL_shutdown(serverssl);
5780 SSL_free(serverssl);
5781 SSL_free(clientssl);
5782 SSL_CTX_free(cctx);
5783 clientssl = serverssl = NULL;
5784 cctx = NULL;
5785
5786 /*
5787 * Now we resume with the last ticket we created.
5788 */
5789
5790 /* The server context already exists, so we only create the client. */
5791 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5792 TLS_client_method(), TLS1_3_VERSION, 0,
5793 NULL, &cctx, cert, privkey)))
5794 goto end;
5795
5796 SSL_CTX_set_options(cctx, client_options);
5797
5798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5799 &clientssl, NULL, NULL))
5800 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5801 goto end;
5802
5803 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5804 SSL_ERROR_NONE)))
5805 goto end;
5806
5807 /*
5808 * Make sure, the session was resumed.
5809 */
5810 if (!TEST_true(SSL_session_reused(clientssl)))
5811 goto end;
5812
5813 SSL_shutdown(clientssl);
5814 SSL_shutdown(serverssl);
5815
5816 testresult = 1;
5817
5818 end:
5819 SSL_free(serverssl);
5820 SSL_free(clientssl);
5821 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5822 SSL_SESSION_free(sesscache[j]);
5823 sesscache[j] = NULL;
5824 }
5825 SSL_CTX_free(sctx);
5826 SSL_CTX_free(cctx);
5827
5828 return testresult;
5829}
5830#endif /* OSSL_NO_USABLE_TLS1_3 */
5831
c7b8ff25
MC		 5832static unsigned char cookie_magic_value[] = "cookie magic";
5833
5834static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5835 unsigned int *cookie_len)
5836{
5837 /*
5838 * Not suitable as a real cookie generation function but good enough for
5839 * testing!
5840 */
97ea1e7f
MC		 5841 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5842 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5843
5844 return 1;
5845}
5846
5847static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5848 unsigned int cookie_len)
5849{
97ea1e7f 5850 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5851 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5852 return 1;
5853
5854 return 0;
5855}
5856
3fa2812f
BS		 5857static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5858 size_t *cookie_len)
5859{
5860 unsigned int temp;
5861 int res = generate_cookie_callback(ssl, cookie, &temp);
5862 *cookie_len = temp;
5863 return res;
5864}
5865
5866static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5867 size_t cookie_len)
5868{
5869 return verify_cookie_callback(ssl, cookie, cookie_len);
5870}
5871
c7b8ff25
MC		 5872static int test_stateless(void)
5873{
5874 SSL_CTX *sctx = NULL, *cctx = NULL;
5875 SSL *serverssl = NULL, *clientssl = NULL;
5876 int testresult = 0;
5877
5e30f2fd
MC		 5878 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5879 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5880 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5881 goto end;
5882
e440f513
MC		 5883 /* The arrival of CCS messages can confuse the test */
5884 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5885
5886 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5887 NULL, NULL))
5888 /* Send the first ClientHello */
5889 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5890 SSL_ERROR_WANT_READ))
5891 /*
5892 * This should fail with a -1 return because we have no callbacks
5893 * set up
5894 */
5895 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5896 goto end;
5897
5898 /* Fatal error so abandon the connection from this client */
5899 SSL_free(clientssl);
5900 clientssl = NULL;
5901
c7b8ff25 5902 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5903 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5904 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5905
e440f513
MC		 5906 /*
5907 * Create a new connection from the client (we can reuse the server SSL
5908 * object).
5909 */
c7b8ff25
MC		 5910 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5911 NULL, NULL))
5912 /* Send the first ClientHello */
5913 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5914 SSL_ERROR_WANT_READ))
5915 /* This should fail because there is no cookie */
e440f513 5916 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5917 goto end;
5918
5919 /* Abandon the connection from this client */
5920 SSL_free(clientssl);
5921 clientssl = NULL;
5922
5923 /*
5924 * Now create a connection from a new client but with the same server SSL
5925 * object
5926 */
5927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5928 NULL, NULL))
5929 /* Send the first ClientHello */
5930 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5931 SSL_ERROR_WANT_READ))
5932 /* This should fail because there is no cookie */
e440f513 5933 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5934 /* Send the second ClientHello */
5935 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5936 SSL_ERROR_WANT_READ))
5937 /* This should succeed because a cookie is now present */
e440f513 5938 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5939 /* Complete the connection */
5940 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5941 SSL_ERROR_NONE)))
5942 goto end;
5943
5944 shutdown_ssl_connection(serverssl, clientssl);
5945 serverssl = clientssl = NULL;
5946 testresult = 1;
5947
5948 end:
5949 SSL_free(serverssl);
5950 SSL_free(clientssl);
5951 SSL_CTX_free(sctx);
5952 SSL_CTX_free(cctx);
5953 return testresult;
5954
5955}
a763ca11 5956#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5957
a37008d9
MC		 5958static int clntaddoldcb = 0;
5959static int clntparseoldcb = 0;
5960static int srvaddoldcb = 0;
5961static int srvparseoldcb = 0;
5962static int clntaddnewcb = 0;
5963static int clntparsenewcb = 0;
5964static int srvaddnewcb = 0;
5965static int srvparsenewcb = 0;
bb01ef3f 5966static int snicb = 0;
a37008d9
MC		 5967
5968#define TEST_EXT_TYPE1 0xff00
5969
5970static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5971 size_t *outlen, int *al, void *add_arg)
5972{
5973 int *server = (int *)add_arg;
5974 unsigned char *data;
5975
5976 if (SSL_is_server(s))
5977 srvaddoldcb++;
5978 else
5979 clntaddoldcb++;
5980
710756a9
RS		 5981 if (*server != SSL_is_server(s)
5982 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5983 return -1;
5984
5985 *data = 1;
5986 *out = data;
5987 *outlen = sizeof(char);
a37008d9
MC		 5988 return 1;
5989}
5990
5991static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5992 void *add_arg)
5993{
5994 OPENSSL_free((unsigned char *)out);
5995}
5996
5997static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5998 size_t inlen, int *al, void *parse_arg)
5999{
6000 int *server = (int *)parse_arg;
6001
6002 if (SSL_is_server(s))
6003 srvparseoldcb++;
6004 else
6005 clntparseoldcb++;
6006
710756a9
RS		 6007 if (*server != SSL_is_server(s)
6008 || inlen != sizeof(char)
6009 || *in != 1)
a37008d9
MC		 6010 return -1;
6011
6012 return 1;
6013}
6014
6015static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
6016 const unsigned char **out, size_t *outlen, X509 *x,
6017 size_t chainidx, int *al, void *add_arg)
6018{
6019 int *server = (int *)add_arg;
6020 unsigned char *data;
6021
6022 if (SSL_is_server(s))
6023 srvaddnewcb++;
6024 else
6025 clntaddnewcb++;
6026
710756a9
RS		 6027 if (*server != SSL_is_server(s)
6028 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 6029 return -1;
6030
6031 *data = 1;
6032 *out = data;
710756a9 6033 *outlen = sizeof(*data);
a37008d9
MC		 6034 return 1;
6035}
6036
6037static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
6038 const unsigned char *out, void *add_arg)
6039{
6040 OPENSSL_free((unsigned char *)out);
6041}
6042
6043static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
6044 const unsigned char *in, size_t inlen, X509 *x,
6045 size_t chainidx, int *al, void *parse_arg)
6046{
6047 int *server = (int *)parse_arg;
6048
6049 if (SSL_is_server(s))
6050 srvparsenewcb++;
6051 else
6052 clntparsenewcb++;
6053
710756a9
RS		 6054 if (*server != SSL_is_server(s)
6055 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 6056 return -1;
6057
6058 return 1;
6059}
bb01ef3f
MC		 6060
6061static int sni_cb(SSL *s, int *al, void *arg)
6062{
6063 SSL_CTX *ctx = (SSL_CTX *)arg;
6064
6065 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
6066 *al = SSL_AD_INTERNAL_ERROR;
6067 return SSL_TLSEXT_ERR_ALERT_FATAL;
6068 }
6069 snicb++;
6070 return SSL_TLSEXT_ERR_OK;
6071}
6072
0db3a990
MC		 6073static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
6074{
6075 return 1;
6076}
6077
a37008d9
MC		 6078/*
6079 * Custom call back tests.
6080 * Test 0: Old style callbacks in TLSv1.2
6081 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 6082 * Test 2: New style callbacks in TLSv1.2 with SNI
6083 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
6084 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 6085 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 6086 */
710756a9
RS		 6087static int test_custom_exts(int tst)
6088{
bb01ef3f 6089 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 6090 SSL *clientssl = NULL, *serverssl = NULL;
6091 int testresult = 0;
6092 static int server = 1;
6093 static int client = 0;
6094 SSL_SESSION *sess = NULL;
6095 unsigned int context;
6096
a763ca11 6097#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 6098 /* Skip tests for TLSv1.2 and below in this case */
6099 if (tst < 3)
6100 return 1;
6101#endif
6102
a37008d9
MC		 6103 /* Reset callback counters */
6104 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6105 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 6106 snicb = 0;
a37008d9 6107
5e30f2fd
MC		 6108 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6109 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6110 &sctx, &cctx, cert, privkey)))
710756a9 6111 goto end;
a37008d9 6112
bb01ef3f 6113 if (tst == 2
5e30f2fd 6114 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 6115 TLS1_VERSION, 0,
7d7f6834 6116 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 6117 goto end;
6118
6119
6120 if (tst < 3) {
a37008d9
MC		 6121 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6122 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 6123 if (sctx2 != NULL)
6124 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 6125 }
6126
0db3a990
MC		 6127 if (tst == 5) {
6128 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6129 | SSL_EXT_TLS1_3_CERTIFICATE;
6130 SSL_CTX_set_verify(sctx,
6131 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6132 verify_cb);
6133 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6134 SSL_FILETYPE_PEM), 1)
6135 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6136 SSL_FILETYPE_PEM), 1)
6137 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6138 goto end;
6139 } else if (tst == 4) {
710756a9
RS		 6140 context = SSL_EXT_CLIENT_HELLO
6141 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6142 | SSL_EXT_TLS1_3_SERVER_HELLO
6143 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6144 | SSL_EXT_TLS1_3_CERTIFICATE
6145 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6146 } else {
710756a9
RS		 6147 context = SSL_EXT_CLIENT_HELLO
6148 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6149 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6150 }
6151
6152 /* Create a client side custom extension */
6153 if (tst == 0) {
710756a9
RS		 6154 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6155 old_add_cb, old_free_cb,
6156 &client, old_parse_cb,
6157 &client)))
6158 goto end;
a37008d9 6159 } else {
710756a9
RS		 6160 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6161 new_add_cb, new_free_cb,
6162 &client, new_parse_cb, &client)))
6163 goto end;
a37008d9
MC		 6164 }
6165
6166 /* Should not be able to add duplicates */
710756a9
RS		 6167 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6168 old_add_cb, old_free_cb,
6169 &client, old_parse_cb,
6170 &client))
6171 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6172 context, new_add_cb,
6173 new_free_cb, &client,
6174 new_parse_cb, &client)))
6175 goto end;
a37008d9
MC		 6176
6177 /* Create a server side custom extension */
6178 if (tst == 0) {
710756a9
RS		 6179 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6180 old_add_cb, old_free_cb,
6181 &server, old_parse_cb,
6182 &server)))
6183 goto end;
a37008d9 6184 } else {
710756a9
RS		 6185 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6186 new_add_cb, new_free_cb,
6187 &server, new_parse_cb, &server)))
6188 goto end;
bb01ef3f
MC		 6189 if (sctx2 != NULL
6190 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6191 context, new_add_cb,
6192 new_free_cb, &server,
6193 new_parse_cb, &server)))
6194 goto end;
a37008d9
MC		 6195 }
6196
6197 /* Should not be able to add duplicates */
710756a9
RS		 6198 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6199 old_add_cb, old_free_cb,
6200 &server, old_parse_cb,
6201 &server))
6202 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6203 context, new_add_cb,
6204 new_free_cb, &server,
6205 new_parse_cb, &server)))
a37008d9 6206 goto end;
a37008d9 6207
bb01ef3f
MC		 6208 if (tst == 2) {
6209 /* Set up SNI */
6210 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6211 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6212 goto end;
6213 }
6214
710756a9
RS		 6215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6216 &clientssl, NULL, NULL))
6217 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6218 SSL_ERROR_NONE)))
a37008d9 6219 goto end;
a37008d9
MC		 6220
6221 if (tst == 0) {
710756a9
RS		 6222 if (clntaddoldcb != 1
6223 || clntparseoldcb != 1
6224 || srvaddoldcb != 1
6225 || srvparseoldcb != 1)
a37008d9 6226 goto end;
bb01ef3f 6227 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6228 if (clntaddnewcb != 1
6229 || clntparsenewcb != 1
6230 || srvaddnewcb != 1
bb01ef3f
MC		 6231 || srvparsenewcb != 1
6232 || (tst != 2 && snicb != 0)
6233 || (tst == 2 && snicb != 1))
a37008d9 6234 goto end;
0db3a990
MC		 6235 } else if (tst == 5) {
6236 if (clntaddnewcb != 1
6237 || clntparsenewcb != 1
6238 || srvaddnewcb != 1
6239 || srvparsenewcb != 1)
6240 goto end;
a37008d9 6241 } else {
36ff232c 6242 /* In this case there 2 NewSessionTicket messages created */
710756a9 6243 if (clntaddnewcb != 1
36ff232c
MC		 6244 || clntparsenewcb != 5
6245 || srvaddnewcb != 5
710756a9 6246 || srvparsenewcb != 1)
a37008d9 6247 goto end;
a37008d9
MC		 6248 }
6249
6250 sess = SSL_get1_session(clientssl);
a37008d9
MC		 6251 SSL_shutdown(clientssl);
6252 SSL_shutdown(serverssl);
a37008d9
MC		 6253 SSL_free(serverssl);
6254 SSL_free(clientssl);
6255 serverssl = clientssl = NULL;
6256
0db3a990
MC		 6257 if (tst == 3 || tst == 5) {
6258 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 6259 testresult = 1;
6260 goto end;
6261 }
6262
710756a9
RS		 6263 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6264 NULL, NULL))
6265 || !TEST_true(SSL_set_session(clientssl, sess))
6266 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6267 SSL_ERROR_NONE)))
a37008d9 6268 goto end;
a37008d9
MC		 6269
6270 /*
6271 * For a resumed session we expect to add the ClientHello extension. For the
6272 * old style callbacks we ignore it on the server side because they set
6273 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6274 * them.
6275 */
6276 if (tst == 0) {
710756a9
RS		 6277 if (clntaddoldcb != 2
6278 || clntparseoldcb != 1
6279 || srvaddoldcb != 1
6280 || srvparseoldcb != 1)
a37008d9 6281 goto end;
bb01ef3f 6282 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6283 if (clntaddnewcb != 2
6284 || clntparsenewcb != 2
6285 || srvaddnewcb != 2
6286 || srvparsenewcb != 2)
a37008d9 6287 goto end;
a37008d9 6288 } else {
36ff232c
MC		 6289 /*
6290 * No Certificate message extensions in the resumption handshake,
6291 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6292 */
710756a9 6293 if (clntaddnewcb != 2
36ff232c
MC		 6294 || clntparsenewcb != 8
6295 || srvaddnewcb != 8
710756a9 6296 || srvparsenewcb != 2)
a37008d9 6297 goto end;
a37008d9
MC		 6298 }
6299
6300 testresult = 1;
6301
6302end:
6303 SSL_SESSION_free(sess);
6304 SSL_free(serverssl);
6305 SSL_free(clientssl);
bb01ef3f 6306 SSL_CTX_free(sctx2);
a37008d9
MC		 6307 SSL_CTX_free(sctx);
6308 SSL_CTX_free(cctx);
a37008d9
MC		 6309 return testresult;
6310}
6311
555dd939 6312#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 6313
555dd939
DF		 6314#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6315 | SSL_EXT_CLIENT_HELLO \
6316 | SSL_EXT_TLS1_2_SERVER_HELLO \
6317 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 6318
555dd939
DF		 6319#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6320 | SSL_EXT_TLS1_2_SERVER_HELLO \
6321 | SSL_EXT_CLIENT_HELLO)
16afd71c 6322
555dd939
DF		 6323#define SERVERINFO_CUSTOM \
6324 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6325 0x00, 0x03, \
6326 0x04, 0x05, 0x06 \
6327
6328static const unsigned char serverinfo_custom_tls13[] = {
6329 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6330 SERVERINFO_CUSTOM
6331};
6332static const unsigned char serverinfo_custom_v2[] = {
6333 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6334 SERVERINFO_CUSTOM
6335};
6336static const unsigned char serverinfo_custom_v1[] = {
6337 SERVERINFO_CUSTOM
6338};
6339static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6340static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6341static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6342
6343static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6344 unsigned int context,
6345 const unsigned char *in,
6346 size_t inlen, X509 *x,
6347 size_t chainidx, int *al,
6348 void *parse_arg)
6349{
6350 const size_t len = serverinfo_custom_v1_len;
6351 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6352 int *p_cb_result = (int*)parse_arg;
6353 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6354 return 1;
6355}
6356
6357static int test_serverinfo_custom(const int idx)
6358{
6359 SSL_CTX *sctx = NULL, *cctx = NULL;
6360 SSL *clientssl = NULL, *serverssl = NULL;
6361 int testresult = 0;
6362 int cb_result = 0;
6363
6364 /*
6365 * Following variables are set in the switch statement
6366 * according to the test iteration.
6367 * Default values do not make much sense: test would fail with them.
6368 */
6369 int serverinfo_version = 0;
6370 int protocol_version = 0;
6371 unsigned int extension_context = 0;
6372 const unsigned char *si = NULL;
6373 size_t si_len = 0;
6374
6375 const int call_use_serverinfo_ex = idx > 0;
6376 switch (idx) {
6377 case 0: /* FALLTHROUGH */
6378 case 1:
6379 serverinfo_version = SSL_SERVERINFOV1;
6380 protocol_version = TLS1_2_VERSION;
6381 extension_context = SYNTHV1CONTEXT;
6382 si = serverinfo_custom_v1;
6383 si_len = serverinfo_custom_v1_len;
6384 break;
6385 case 2:
6386 serverinfo_version = SSL_SERVERINFOV2;
6387 protocol_version = TLS1_2_VERSION;
6388 extension_context = SYNTHV1CONTEXT;
6389 si = serverinfo_custom_v2;
6390 si_len = serverinfo_custom_v2_len;
6391 break;
6392 case 3:
6393 serverinfo_version = SSL_SERVERINFOV2;
6394 protocol_version = TLS1_3_VERSION;
6395 extension_context = TLS13CONTEXT;
6396 si = serverinfo_custom_tls13;
6397 si_len = serverinfo_custom_tls13_len;
6398 break;
16afd71c
MC		 6399 }
6400
555dd939
DF		 6401 if (!TEST_true(create_ssl_ctx_pair(libctx,
6402 TLS_method(),
6403 TLS_method(),
6404 protocol_version,
6405 protocol_version,
6406 &sctx, &cctx, cert, privkey)))
6407 goto end;
16afd71c 6408
555dd939
DF		 6409 if (call_use_serverinfo_ex) {
6410 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6411 si, si_len)))
6412 goto end;
6413 } else {
6414 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6415 goto end;
16afd71c
MC		 6416 }
6417
555dd939
DF		 6418 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6419 extension_context,
6420 NULL, NULL, NULL,
6421 serverinfo_custom_parse_cb,
6422 &cb_result))
6423 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6424 NULL, NULL))
6425 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6426 SSL_ERROR_NONE))
6427 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6428 goto end;
6429
6430 if (!TEST_true(cb_result))
16afd71c
MC		 6431 goto end;
6432
6433 testresult = 1;
6434
6435 end:
555dd939
DF		 6436 SSL_free(serverssl);
6437 SSL_free(clientssl);
6438 SSL_CTX_free(sctx);
6439 SSL_CTX_free(cctx);
16afd71c
MC		 6440
6441 return testresult;
6442}
555dd939 6443#endif
16afd71c 6444
2197d1df
MC		 6445/*
6446 * Test that SSL_export_keying_material() produces expected results. There are
6447 * no test vectors so all we do is test that both sides of the communication
6448 * produce the same results for different protocol versions.
6449 */
0fb2815b
MC		 6450#define SMALL_LABEL_LEN 10
6451#define LONG_LABEL_LEN 249
2197d1df
MC		 6452static int test_export_key_mat(int tst)
6453{
a599574b 6454 int testresult = 0;
2197d1df
MC		 6455 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6456 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6457 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6458 const unsigned char context[] = "context";
6459 const unsigned char *emptycontext = NULL;
ef9d8f2f 6460 unsigned char longcontext[1280];
5df160f1 6461 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
ef9d8f2f
DU		 6462 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6463 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
0fb2815b 6464 size_t labellen;
a599574b
MC		 6465 const int protocols[] = {
6466 TLS1_VERSION,
6467 TLS1_1_VERSION,
6468 TLS1_2_VERSION,
0fb2815b
MC		 6469 TLS1_3_VERSION,
6470 TLS1_3_VERSION,
a599574b
MC		 6471 TLS1_3_VERSION
6472 };
2197d1df
MC		 6473
6474#ifdef OPENSSL_NO_TLS1
6475 if (tst == 0)
6476 return 1;
6477#endif
6478#ifdef OPENSSL_NO_TLS1_1
6479 if (tst == 1)
6480 return 1;
6481#endif
4f6c7044
MC		 6482 if (is_fips && (tst == 0 || tst == 1))
6483 return 1;
2197d1df
MC		 6484#ifdef OPENSSL_NO_TLS1_2
6485 if (tst == 2)
6486 return 1;
6487#endif
a763ca11 6488#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6489 if (tst >= 3)
2197d1df
MC		 6490 return 1;
6491#endif
5e30f2fd
MC		 6492 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6493 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6494 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6495 goto end;
6496
a599574b
MC		 6497 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6498 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6499 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6500 if ((protocols[tst] < TLS1_2_VERSION) &&
6501 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6502 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6503 goto end;
2197d1df
MC		 6504
6505 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6506 NULL)))
6507 goto end;
6508
6509 /*
6510 * Premature call of SSL_export_keying_material should just fail.
6511 */
6512 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6513 sizeof(ckeymat1), label,
6514 SMALL_LABEL_LEN + 1, context,
6515 sizeof(context) - 1, 1), 0))
6516 goto end;
6517
6518 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6519 SSL_ERROR_NONE)))
2197d1df
MC		 6520 goto end;
6521
0fb2815b
MC		 6522 if (tst == 5) {
6523 /*
6524 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6525 * go over that.
6526 */
6527 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6528 sizeof(ckeymat1), label,
6529 LONG_LABEL_LEN + 1, context,
6530 sizeof(context) - 1, 1), 0))
6531 goto end;
6532
6533 testresult = 1;
6534 goto end;
6535 } else if (tst == 4) {
6536 labellen = LONG_LABEL_LEN;
6537 } else {
6538 labellen = SMALL_LABEL_LEN;
6539 }
6540
ef9d8f2f
DU		 6541 memset(longcontext, 1, sizeof(longcontext));
6542
2197d1df
MC		 6543 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6544 sizeof(ckeymat1), label,
0fb2815b 6545 labellen, context,
2197d1df
MC		 6546 sizeof(context) - 1, 1), 1)
6547 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6548 sizeof(ckeymat2), label,
0fb2815b 6549 labellen,
2197d1df
MC		 6550 emptycontext,
6551 0, 1), 1)
6552 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6553 sizeof(ckeymat3), label,
0fb2815b 6554 labellen,
2197d1df 6555 NULL, 0, 0), 1)
5df160f1
TM		 6556 || (test_longcontext
6557 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6558 ckeymat4,
6559 sizeof(ckeymat4), label,
6560 labellen,
6561 longcontext,
6562 sizeof(longcontext), 1),
6563 1))
2197d1df
MC		 6564 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6565 sizeof(skeymat1), label,
0fb2815b 6566 labellen,
2197d1df
MC		 6567 context,
6568 sizeof(context) -1, 1),
6569 1)
6570 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6571 sizeof(skeymat2), label,
0fb2815b 6572 labellen,
2197d1df
MC		 6573 emptycontext,
6574 0, 1), 1)
6575 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6576 sizeof(skeymat3), label,
0fb2815b 6577 labellen,
2197d1df 6578 NULL, 0, 0), 1)
5df160f1
TM		 6579 || (test_longcontext
6580 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6581 sizeof(skeymat4), label,
6582 labellen,
6583 longcontext,
6584 sizeof(longcontext), 1),
6585 1))
2197d1df
MC		 6586 /*
6587 * Check that both sides created the same key material with the
6588 * same context.
6589 */
6590 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6591 sizeof(skeymat1))
6592 /*
6593 * Check that both sides created the same key material with an
6594 * empty context.
6595 */
6596 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6597 sizeof(skeymat2))
6598 /*
6599 * Check that both sides created the same key material without a
6600 * context.
6601 */
6602 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6603 sizeof(skeymat3))
ef9d8f2f
DU		 6604 /*
6605 * Check that both sides created the same key material with a
6606 * long context.
6607 */
5df160f1
TM		 6608 || (test_longcontext
6609 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6610 sizeof(skeymat4)))
2197d1df
MC		 6611 /* Different contexts should produce different results */
6612 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6613 sizeof(ckeymat2)))
6614 goto end;
6615
6616 /*
6617 * Check that an empty context and no context produce different results in
6618 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6619 */
0fb2815b 6620 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6621 sizeof(ckeymat3)))
0fb2815b
MC		 6622 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6623 sizeof(ckeymat3))))
2197d1df
MC		 6624 goto end;
6625
6626 testresult = 1;
6627
6628 end:
6629 SSL_free(serverssl);
6630 SSL_free(clientssl);
6631 SSL_CTX_free(sctx2);
6632 SSL_CTX_free(sctx);
6633 SSL_CTX_free(cctx);
6634
6635 return testresult;
6636}
6637
a763ca11 6638#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6639/*
6640 * Test that SSL_export_keying_material_early() produces expected
6641 * results. There are no test vectors so all we do is test that both
6642 * sides of the communication produce the same results for different
6643 * protocol versions.
6644 */
6645static int test_export_key_mat_early(int idx)
6646{
6647 static const char label[] = "test label";
6648 static const unsigned char context[] = "context";
6649 int testresult = 0;
6650 SSL_CTX *cctx = NULL, *sctx = NULL;
6651 SSL *clientssl = NULL, *serverssl = NULL;
6652 SSL_SESSION *sess = NULL;
6653 const unsigned char *emptycontext = NULL;
6654 unsigned char ckeymat1[80], ckeymat2[80];
6655 unsigned char skeymat1[80], skeymat2[80];
6656 unsigned char buf[1];
6657 size_t readbytes, written;
6658
6659 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
10836921 6660 &sess, idx, SHA384_DIGEST_LENGTH)))
b38ede80
TT		 6661 goto end;
6662
6663 /* Here writing 0 length early data is enough. */
6664 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6665 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6666 &readbytes),
6667 SSL_READ_EARLY_DATA_ERROR)
6668 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6669 SSL_EARLY_DATA_ACCEPTED))
6670 goto end;
6671
6672 if (!TEST_int_eq(SSL_export_keying_material_early(
6673 clientssl, ckeymat1, sizeof(ckeymat1), label,
6674 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6675 || !TEST_int_eq(SSL_export_keying_material_early(
6676 clientssl, ckeymat2, sizeof(ckeymat2), label,
6677 sizeof(label) - 1, emptycontext, 0), 1)
6678 || !TEST_int_eq(SSL_export_keying_material_early(
6679 serverssl, skeymat1, sizeof(skeymat1), label,
6680 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6681 || !TEST_int_eq(SSL_export_keying_material_early(
6682 serverssl, skeymat2, sizeof(skeymat2), label,
6683 sizeof(label) - 1, emptycontext, 0), 1)
6684 /*
6685 * Check that both sides created the same key material with the
6686 * same context.
6687 */
6688 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6689 sizeof(skeymat1))
6690 /*
6691 * Check that both sides created the same key material with an
6692 * empty context.
6693 */
6694 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6695 sizeof(skeymat2))
6696 /* Different contexts should produce different results */
6697 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6698 sizeof(ckeymat2)))
6699 goto end;
6700
6701 testresult = 1;
6702
6703 end:
c20e3b28 6704 SSL_SESSION_free(sess);
b38ede80
TT		 6705 SSL_SESSION_free(clientpsk);
6706 SSL_SESSION_free(serverpsk);
34ff74eb 6707 clientpsk = serverpsk = NULL;
b38ede80
TT		 6708 SSL_free(serverssl);
6709 SSL_free(clientssl);
6710 SSL_CTX_free(sctx);
6711 SSL_CTX_free(cctx);
6712
6713 return testresult;
6714}
3409a5ff
MC		 6715
6716#define NUM_KEY_UPDATE_MESSAGES 40
6717/*
6718 * Test KeyUpdate.
6719 */
6720static int test_key_update(void)
6721{
6722 SSL_CTX *cctx = NULL, *sctx = NULL;
6723 SSL *clientssl = NULL, *serverssl = NULL;
6724 int testresult = 0, i, j;
6725 char buf[20];
6726 static char *mess = "A test message";
6727
5e30f2fd 6728 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6729 TLS_client_method(),
6730 TLS1_3_VERSION,
6731 0,
6732 &sctx, &cctx, cert, privkey))
6733 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6734 NULL, NULL))
6735 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6736 SSL_ERROR_NONE)))
6737 goto end;
6738
6739 for (j = 0; j < 2; j++) {
6740 /* Send lots of KeyUpdate messages */
6741 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6742 if (!TEST_true(SSL_key_update(clientssl,
6743 (j == 0)
6744 ? SSL_KEY_UPDATE_NOT_REQUESTED
6745 : SSL_KEY_UPDATE_REQUESTED))
6746 || !TEST_true(SSL_do_handshake(clientssl)))
6747 goto end;
6748 }
6749
6750 /* Check that sending and receiving app data is ok */
6751 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6752 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6753 strlen(mess)))
6754 goto end;
a77b4dba
MC		 6755
6756 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6757 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6758 strlen(mess)))
6759 goto end;
3409a5ff
MC		 6760 }
6761
6762 testresult = 1;
6763
6764 end:
6765 SSL_free(serverssl);
6766 SSL_free(clientssl);
6767 SSL_CTX_free(sctx);
6768 SSL_CTX_free(cctx);
6769
6770 return testresult;
6771}
a77b4dba
MC		 6772
6773/*
0c48fda8 6774 * Test we can handle a KeyUpdate (update requested) message while
6775 * write data is pending in peer.
a77b4dba
MC		 6776 * Test 0: Client sends KeyUpdate while Server is writing
6777 * Test 1: Server sends KeyUpdate while Client is writing
6778 */
0c48fda8 6779static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6780{
6781 SSL_CTX *cctx = NULL, *sctx = NULL;
6782 SSL *clientssl = NULL, *serverssl = NULL;
6783 int testresult = 0;
6784 char buf[20];
6785 static char *mess = "A test message";
6786 BIO *bretry = BIO_new(bio_s_always_retry());
6787 BIO *tmp = NULL;
6788 SSL *peerupdate = NULL, *peerwrite = NULL;
6789
6790 if (!TEST_ptr(bretry)
5e30f2fd 6791 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6792 TLS_client_method(),
6793 TLS1_3_VERSION,
6794 0,
6795 &sctx, &cctx, cert, privkey))
6796 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6797 NULL, NULL))
6798 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6799 SSL_ERROR_NONE)))
6800 goto end;
6801
6802 peerupdate = tst == 0 ? clientssl : serverssl;
6803 peerwrite = tst == 0 ? serverssl : clientssl;
6804
6805 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6806 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6807 goto end;
6808
6809 /* Swap the writing endpoint's write BIO to force a retry */
6810 tmp = SSL_get_wbio(peerwrite);
6811 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6812 tmp = NULL;
6813 goto end;
6814 }
6815 SSL_set0_wbio(peerwrite, bretry);
6816 bretry = NULL;
6817
6818 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6819 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
7e1b0dc1
HL		 6820 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6821 || !TEST_true(SSL_want_write(peerwrite))
6822 || !TEST_true(SSL_net_write_desired(peerwrite)))
a77b4dba
MC		 6823 goto end;
6824
6825 /* Reinstate the original writing endpoint's write BIO */
6826 SSL_set0_wbio(peerwrite, tmp);
6827 tmp = NULL;
6828
6829 /* Now read some data - we will read the key update */
6830 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
7e1b0dc1
HL		 6831 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6832 || !TEST_true(SSL_want_read(peerwrite))
6833 || !TEST_true(SSL_net_read_desired(peerwrite)))
a77b4dba
MC		 6834 goto end;
6835
6836 /*
6837 * Complete the write we started previously and read it from the other
6838 * endpoint
6839 */
6840 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6841 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6842 goto end;
6843
6844 /* Write more data to ensure we send the KeyUpdate message back */
6845 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6846 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6847 goto end;
6848
7e1b0dc1
HL		 6849 if (!TEST_false(SSL_net_read_desired(peerwrite))
6850 || !TEST_false(SSL_net_write_desired(peerwrite))
6851 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6852 goto end;
6853
a77b4dba
MC		 6854 testresult = 1;
6855
6856 end:
6857 SSL_free(serverssl);
6858 SSL_free(clientssl);
6859 SSL_CTX_free(sctx);
6860 SSL_CTX_free(cctx);
6861 BIO_free(bretry);
6862 BIO_free(tmp);
6863
6864 return testresult;
6865}
0c48fda8 6866
6867/*
6868 * Test we can handle a KeyUpdate (update requested) message while
6869 * peer read data is pending after peer accepted keyupdate(the msg header
6870 * had been read 5 bytes).
6871 * Test 0: Client sends KeyUpdate while Server is reading
6872 * Test 1: Server sends KeyUpdate while Client is reading
6873 */
6874static int test_key_update_peer_in_read(int tst)
6875{
6876 SSL_CTX *cctx = NULL, *sctx = NULL;
6877 SSL *clientssl = NULL, *serverssl = NULL;
6878 int testresult = 0;
6879 char prbuf[515], lwbuf[515] = {0};
6880 static char *mess = "A test message";
6881 BIO *lbio = NULL, *pbio = NULL;
6882 SSL *local = NULL, *peer = NULL;
6883
6884 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6885 TLS_client_method(),
6886 TLS1_3_VERSION,
6887 0,
6888 &sctx, &cctx, cert, privkey))
6889 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6890 NULL, NULL))
6891 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6892 SSL_ERROR_NONE)))
6893 goto end;
6894
6895 local = tst == 0 ? clientssl : serverssl;
6896 peer = tst == 0 ? serverssl : clientssl;
6897
6898 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6899 goto end;
6900
6901 SSL_set_bio(local, lbio, lbio);
6902 SSL_set_bio(peer, pbio, pbio);
6903
6904 /*
6905 * we first write keyupdate msg then appdata in local
6906 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6907 * lwbuf app data msg size + key updata msg size > 512(the size of
6908 * the bio pair buffer)
6909 */
6910 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6911 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6912 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6913 goto end;
6914
6915 /*
6916 * first read keyupdate msg in peer in peer
6917 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6918 */
6919 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6920 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6921 goto end;
6922
6923 /* Now write some data in peer - we will write the key update */
6924 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6925 goto end;
6926
6927 /*
6928 * write data in local previously that we will complete
6929 * read data in peer previously that we will complete
6930 */
6931 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6932 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6933 goto end;
6934
6935 /* check that sending and receiving appdata ok */
6936 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6937 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6938 goto end;
6939
6940 testresult = 1;
6941
6942 end:
6943 SSL_free(serverssl);
6944 SSL_free(clientssl);
6945 SSL_CTX_free(sctx);
6946 SSL_CTX_free(cctx);
6947
6948 return testresult;
6949}
6950
6951/*
6952 * Test we can't send a KeyUpdate (update requested) message while
6953 * local write data is pending.
6954 * Test 0: Client sends KeyUpdate while Client is writing
6955 * Test 1: Server sends KeyUpdate while Server is writing
6956 */
6957static int test_key_update_local_in_write(int tst)
6958{
6959 SSL_CTX *cctx = NULL, *sctx = NULL;
6960 SSL *clientssl = NULL, *serverssl = NULL;
6961 int testresult = 0;
6962 char buf[20];
6963 static char *mess = "A test message";
6964 BIO *bretry = BIO_new(bio_s_always_retry());
6965 BIO *tmp = NULL;
6966 SSL *local = NULL, *peer = NULL;
6967
6968 if (!TEST_ptr(bretry)
6969 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6970 TLS_client_method(),
6971 TLS1_3_VERSION,
6972 0,
6973 &sctx, &cctx, cert, privkey))
6974 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6975 NULL, NULL))
6976 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6977 SSL_ERROR_NONE)))
6978 goto end;
6979
6980 local = tst == 0 ? clientssl : serverssl;
6981 peer = tst == 0 ? serverssl : clientssl;
6982
6983 /* Swap the writing endpoint's write BIO to force a retry */
6984 tmp = SSL_get_wbio(local);
6985 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6986 tmp = NULL;
6987 goto end;
6988 }
6989 SSL_set0_wbio(local, bretry);
6990 bretry = NULL;
6991
6992 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6993 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6994 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6995 goto end;
6996
6997 /* Reinstate the original writing endpoint's write BIO */
6998 SSL_set0_wbio(local, tmp);
6999 tmp = NULL;
7000
7001 /* SSL_key_update will fail, because writing in local*/
7002 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7003 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
7004 goto end;
7005
7006 ERR_clear_error();
7007 /* write data in local previously that we will complete */
7008 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
7009 goto end;
7010
7011 /* SSL_key_update will succeed because there is no pending write data */
7012 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7013 || !TEST_int_eq(SSL_do_handshake(local), 1))
7014 goto end;
7015
7016 /*
7017 * we write some appdata in local
7018 * read data in peer - we will read the keyupdate msg
7019 */
7020 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7021 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
7022 goto end;
7023
7024 /* Write more peer more data to ensure we send the keyupdate message back */
7025 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7026 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
7027 goto end;
7028
7029 testresult = 1;
7030
7031 end:
7032 SSL_free(serverssl);
7033 SSL_free(clientssl);
7034 SSL_CTX_free(sctx);
7035 SSL_CTX_free(cctx);
7036 BIO_free(bretry);
7037 BIO_free(tmp);
7038
7039 return testresult;
7040}
7041
7042/*
7043 * Test we can handle a KeyUpdate (update requested) message while
7044 * local read data is pending(the msg header had been read 5 bytes).
7045 * Test 0: Client sends KeyUpdate while Client is reading
7046 * Test 1: Server sends KeyUpdate while Server is reading
7047 */
7048static int test_key_update_local_in_read(int tst)
7049{
7050 SSL_CTX *cctx = NULL, *sctx = NULL;
7051 SSL *clientssl = NULL, *serverssl = NULL;
7052 int testresult = 0;
7053 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
7054 static char *mess = "A test message";
7055 BIO *lbio = NULL, *pbio = NULL;
7056 SSL *local = NULL, *peer = NULL;
7057
7058 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7059 TLS_client_method(),
7060 TLS1_3_VERSION,
7061 0,
7062 &sctx, &cctx, cert, privkey))
7063 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7064 NULL, NULL))
7065 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7066 SSL_ERROR_NONE)))
7067 goto end;
7068
7069 local = tst == 0 ? clientssl : serverssl;
7070 peer = tst == 0 ? serverssl : clientssl;
7071
7072 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
7073 goto end;
7074
7075 SSL_set_bio(local, lbio, lbio);
7076 SSL_set_bio(peer, pbio, pbio);
7077
7078 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
7079 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
7080 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
7081 goto end;
7082
7083 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
7084 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
7085 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7086 goto end;
7087
7088 /* SSL_do_handshake will send keyupdate msg */
7089 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7090 || !TEST_int_eq(SSL_do_handshake(local), 1))
7091 goto end;
7092
7093 /*
7094 * write data in peer previously that we will complete
7095 * read data in local previously that we will complete
7096 */
7097 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7098 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7099 goto end;
7100
7101 /*
7102 * write data in local
7103 * read data in peer - we will read the key update
7104 */
7105 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7106 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7107 goto end;
7108
7109 /* Write more peer data to ensure we send the keyupdate message back */
7110 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7111 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7112 goto end;
7113
7114 testresult = 1;
7115
7116 end:
7117 SSL_free(serverssl);
7118 SSL_free(clientssl);
7119 SSL_CTX_free(sctx);
7120 SSL_CTX_free(cctx);
7121
7122 return testresult;
7123}
a763ca11 7124#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 7125
5de8c49d
MC		 7126/*
7127 * Test clearing a connection via SSL_clear(), or resetting it via
7128 * SSL_set_connect_state()/SSL_set_accept_state()
7129 * Test 0: SSL_set_connect_state, TLSv1.3
7130 * Test 1: SSL_set_connect_state, TLSv1.2
7131 * Test 2: SSL_set_accept_state, TLSv1.3
7132 * Test 3: SSL_set_accept_state, TLSv1.2
7133 * Test 4: SSL_clear (client), TLSv1.3
7134 * Test 5: SSL_clear (client), TLSv1.2
7135 * Test 6: SSL_clear (server), TLSv1.3
7136 * Test 7: SSL_clear (server), TLSv1.2
7137 */
e11b6aa4
MC		 7138static int test_ssl_clear(int idx)
7139{
7140 SSL_CTX *cctx = NULL, *sctx = NULL;
7141 SSL *clientssl = NULL, *serverssl = NULL;
5de8c49d 7142 SSL *writer, *reader;
e11b6aa4 7143 int testresult = 0;
5de8c49d
MC		 7144 int tls12test, servertest, cleartest;
7145 size_t written, readbytes;
7146 const char *msg = "Hello World";
7147 unsigned char buf[5];
7148
7149 tls12test = idx & 1;
7150 idx >>= 1;
7151 servertest = idx & 1;
7152 idx >>= 1;
7153 cleartest = idx & 1;
e11b6aa4
MC		 7154
7155#ifdef OPENSSL_NO_TLS1_2
5de8c49d
MC		 7156 if (tls12test == 1)
7157 return TEST_skip("No TLSv1.2 in this build");
e11b6aa4
MC		 7158#endif
7159
7160 /* Create an initial connection */
5e30f2fd
MC		 7161 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7162 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 7163 &sctx, &cctx, cert, privkey))
5de8c49d 7164 || (tls12test
e11b6aa4
MC		 7165 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7166 TLS1_2_VERSION)))
7167 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7168 &clientssl, NULL, NULL))
7169 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7170 SSL_ERROR_NONE)))
7171 goto end;
7172
5de8c49d
MC		 7173 if (servertest) {
7174 writer = clientssl;
7175 reader = serverssl;
7176 } else {
7177 writer = serverssl;
7178 reader = clientssl;
7179 }
7180
7181 /* Write some data */
7182 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7183 || written != strlen(msg))
7184 goto end;
7185
7186 /*
7187 * Read a partial record. The remaining buffered data should be cleared by
7188 * the subsequent clear/reset
7189 */
7190 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7191 || readbytes != sizeof(buf))
7192 goto end;
7193
e11b6aa4
MC		 7194 SSL_shutdown(clientssl);
7195 SSL_shutdown(serverssl);
e11b6aa4 7196
5de8c49d
MC		 7197 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7198 if (servertest) {
7199 if (cleartest) {
7200 if (!TEST_true(SSL_clear(serverssl)))
7201 goto end;
7202 } else {
7203 SSL_set_accept_state(serverssl);
7204 }
7205 /*
7206 * A peculiarity of SSL_clear() is that it does not clear the session.
7207 * This is intended behaviour so that a client can create a new
7208 * connection and reuse the session. But this doesn't make much sense
7209 * on the server side - and causes incorrect behaviour due to the
7210 * handshake failing (even though the documentation does say SSL_clear()
7211 * is supposed to work on the server side). We clear the session
7212 * explicitly - although note that the documentation for
7213 * SSL_set_session() says that its only useful for clients!
7214 */
7215 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7216 goto end;
7217 SSL_free(clientssl);
7218 clientssl = NULL;
7219 } else {
7220 if (cleartest) {
7221 if (!TEST_true(SSL_clear(clientssl)))
7222 goto end;
7223 } else {
7224 SSL_set_connect_state(clientssl);
7225 }
7226 SSL_free(serverssl);
7227 serverssl = NULL;
7228 }
e11b6aa4
MC		 7229
7230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7231 NULL, NULL))
7232 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7233 SSL_ERROR_NONE))
5de8c49d 7234 || !TEST_true(servertest || SSL_session_reused(clientssl)))
e11b6aa4
MC		 7235 goto end;
7236
7237 SSL_shutdown(clientssl);
7238 SSL_shutdown(serverssl);
7239
7240 testresult = 1;
7241
7242 end:
7243 SSL_free(serverssl);
7244 SSL_free(clientssl);
7245 SSL_CTX_free(sctx);
7246 SSL_CTX_free(cctx);
7247
7248 return testresult;
7249}
7250
cf72c757
F		 7251/* Parse CH and retrieve any MFL extension value if present */
7252static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7253{
7254 long len;
7255 unsigned char *data;
72962d02 7256 PACKET pkt, pkt2, pkt3;
cf72c757
F		 7257 unsigned int MFL_code = 0, type = 0;
7258
1287dabd 7259 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 7260 goto end;
7261
72962d02
P		 7262 memset(&pkt, 0, sizeof(pkt));
7263 memset(&pkt2, 0, sizeof(pkt2));
7264 memset(&pkt3, 0, sizeof(pkt3));
7265
9ba18520 7266 if (!TEST_long_gt(len, 0)
1287dabd 7267 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 7268 /* Skip the record header */
7269 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7270 /* Skip the handshake message header */
7271 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7272 /* Skip client version and random */
7273 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7274 + SSL3_RANDOM_SIZE))
7275 /* Skip session id */
7276 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7277 /* Skip ciphers */
7278 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7279 /* Skip compression */
7280 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7281 /* Extensions len */
7282 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7283 goto end;
7284
7285 /* Loop through all extensions */
7286 while (PACKET_remaining(&pkt2)) {
7287 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7288 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7289 goto end;
7290
7291 if (type == TLSEXT_TYPE_max_fragment_length) {
7292 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7293 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7294 goto end;
7295
7296 *mfl_codemfl_code = MFL_code;
7297 return 1;
7298 }
7299 }
7300
7301 end:
7302 return 0;
7303}
7304
7305/* Maximum-Fragment-Length TLS extension mode to test */
7306static const unsigned char max_fragment_len_test[] = {
7307 TLSEXT_max_fragment_length_512,
7308 TLSEXT_max_fragment_length_1024,
7309 TLSEXT_max_fragment_length_2048,
7310 TLSEXT_max_fragment_length_4096
7311};
7312
7313static int test_max_fragment_len_ext(int idx_tst)
7314{
a763ca11 7315 SSL_CTX *ctx = NULL;
cf72c757
F		 7316 SSL *con = NULL;
7317 int testresult = 0, MFL_mode = 0;
7318 BIO *rbio, *wbio;
7319
a763ca11
MC		 7320 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7321 TLS1_VERSION, 0, NULL, &ctx, NULL,
7322 NULL)))
7323 return 0;
cf72c757
F		 7324
7325 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7326 ctx, max_fragment_len_test[idx_tst])))
7327 goto end;
7328
7329 con = SSL_new(ctx);
7330 if (!TEST_ptr(con))
7331 goto end;
7332
7333 rbio = BIO_new(BIO_s_mem());
7334 wbio = BIO_new(BIO_s_mem());
7335 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7336 BIO_free(rbio);
7337 BIO_free(wbio);
7338 goto end;
7339 }
7340
7341 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 7342
7343 if (!TEST_int_le(SSL_connect(con), 0)) {
7344 /* This shouldn't succeed because we don't have a server! */
7345 goto end;
7346 }
7347
7348 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7349 /* no MFL in client hello */
7350 goto end;
7351 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7352 goto end;
7353
7354 testresult = 1;
7355
7356end:
7357 SSL_free(con);
7358 SSL_CTX_free(ctx);
7359
7360 return testresult;
7361}
7362
a763ca11 7363#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 7364static int test_pha_key_update(void)
7365{
7366 SSL_CTX *cctx = NULL, *sctx = NULL;
7367 SSL *clientssl = NULL, *serverssl = NULL;
7368 int testresult = 0;
7369
5e30f2fd
MC		 7370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7371 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 7372 &sctx, &cctx, cert, privkey)))
7373 return 0;
7374
7375 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7376 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7377 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7378 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7379 goto end;
7380
e97be718 7381 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 7382
7383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7384 NULL, NULL)))
7385 goto end;
7386
9d75dce3
TS		 7387 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7388 SSL_ERROR_NONE)))
7389 goto end;
7390
7391 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7392 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7393 goto end;
7394
7395 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7396 goto end;
7397
7398 /* Start handshake on the server */
7399 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7400 goto end;
7401
7402 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7403 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7404 SSL_ERROR_NONE)))
7405 goto end;
7406
7407 SSL_shutdown(clientssl);
7408 SSL_shutdown(serverssl);
7409
7410 testresult = 1;
7411
7412 end:
7413 SSL_free(serverssl);
7414 SSL_free(clientssl);
7415 SSL_CTX_free(sctx);
7416 SSL_CTX_free(cctx);
7417 return testresult;
7418}
7419#endif
7420
76fd7a1d
MC		 7421#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7422
7423static SRP_VBASE *vbase = NULL;
7424
7425static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7426{
7427 int ret = SSL3_AL_FATAL;
7428 char *username;
7429 SRP_user_pwd *user = NULL;
7430
7431 username = SSL_get_srp_username(s);
7432 if (username == NULL) {
7433 *ad = SSL_AD_INTERNAL_ERROR;
7434 goto err;
7435 }
7436
7437 user = SRP_VBASE_get1_by_user(vbase, username);
7438 if (user == NULL) {
7439 *ad = SSL_AD_INTERNAL_ERROR;
7440 goto err;
7441 }
7442
7443 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7444 user->info) <= 0) {
7445 *ad = SSL_AD_INTERNAL_ERROR;
7446 goto err;
7447 }
7448
7449 ret = 0;
7450
7451 err:
7452 SRP_user_pwd_free(user);
7453 return ret;
7454}
7455
7456static int create_new_vfile(char *userid, char *password, const char *filename)
7457{
7458 char *gNid = NULL;
7459 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7460 TXT_DB *db = NULL;
7461 int ret = 0;
7462 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7463 size_t i;
7464
7465 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7466 goto end;
7467
20c00d0a 7468 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 7469 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 7470 if (!TEST_ptr(gNid))
7471 goto end;
7472
7473 /*
7474 * The only way to create an empty TXT_DB is to provide a BIO with no data
7475 * in it!
7476 */
7477 db = TXT_DB_read(dummy, DB_NUMBER);
7478 if (!TEST_ptr(db))
7479 goto end;
7480
7481 out = BIO_new_file(filename, "w");
7482 if (!TEST_ptr(out))
7483 goto end;
7484
7485 row[DB_srpid] = OPENSSL_strdup(userid);
7486 row[DB_srptype] = OPENSSL_strdup("V");
7487 row[DB_srpgN] = OPENSSL_strdup(gNid);
7488
7489 if (!TEST_ptr(row[DB_srpid])
7490 || !TEST_ptr(row[DB_srptype])
7491 || !TEST_ptr(row[DB_srpgN])
7492 || !TEST_true(TXT_DB_insert(db, row)))
7493 goto end;
7494
7495 row = NULL;
7496
aba9943f 7497 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 7498 goto end;
7499
7500 ret = 1;
7501 end:
7502 if (row != NULL) {
7503 for (i = 0; i < DB_NUMBER; i++)
7504 OPENSSL_free(row[i]);
7505 }
7506 OPENSSL_free(row);
7507 BIO_free(dummy);
7508 BIO_free(out);
7509 TXT_DB_free(db);
7510
7511 return ret;
7512}
7513
7514static int create_new_vbase(char *userid, char *password)
7515{
7516 BIGNUM *verifier = NULL, *salt = NULL;
7517 const SRP_gN *lgN = NULL;
7518 SRP_user_pwd *user_pwd = NULL;
7519 int ret = 0;
7520
7521 lgN = SRP_get_default_gN(NULL);
7522 if (!TEST_ptr(lgN))
7523 goto end;
7524
20c00d0a 7525 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 7526 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 7527 goto end;
7528
7529 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7530 if (!TEST_ptr(user_pwd))
7531 goto end;
7532
7533 user_pwd->N = lgN->N;
7534 user_pwd->g = lgN->g;
7535 user_pwd->id = OPENSSL_strdup(userid);
7536 if (!TEST_ptr(user_pwd->id))
7537 goto end;
7538
7539 user_pwd->v = verifier;
7540 user_pwd->s = salt;
7541 verifier = salt = NULL;
7542
7543 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7544 goto end;
7545 user_pwd = NULL;
7546
7547 ret = 1;
7548end:
7549 SRP_user_pwd_free(user_pwd);
7550 BN_free(salt);
7551 BN_free(verifier);
7552
7553 return ret;
7554}
7555
7556/*
7557 * SRP tests
7558 *
7559 * Test 0: Simple successful SRP connection, new vbase
7560 * Test 1: Connection failure due to bad password, new vbase
7561 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7562 * Test 3: Connection failure due to bad password, vbase loaded from existing
7563 * file
7564 * Test 4: Simple successful SRP connection, vbase loaded from new file
7565 * Test 5: Connection failure due to bad password, vbase loaded from new file
7566 */
7567static int test_srp(int tst)
7568{
7569 char *userid = "test", *password = "password", *tstsrpfile;
7570 SSL_CTX *cctx = NULL, *sctx = NULL;
7571 SSL *clientssl = NULL, *serverssl = NULL;
7572 int ret, testresult = 0;
7573
7574 vbase = SRP_VBASE_new(NULL);
7575 if (!TEST_ptr(vbase))
7576 goto end;
7577
7578 if (tst == 0 || tst == 1) {
7579 if (!TEST_true(create_new_vbase(userid, password)))
7580 goto end;
7581 } else {
7582 if (tst == 4 || tst == 5) {
7583 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7584 goto end;
7585 tstsrpfile = tmpfilename;
7586 } else {
7587 tstsrpfile = srpvfile;
7588 }
7589 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7590 goto end;
7591 }
7592
5e30f2fd
MC		 7593 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7594 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7595 &sctx, &cctx, cert, privkey)))
7596 goto end;
7597
7598 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7599 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7600 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7601 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7602 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7603 goto end;
7604
7605 if (tst % 2 == 1) {
7606 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7607 goto end;
7608 } else {
7609 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7610 goto end;
7611 }
7612
7613 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7614 NULL, NULL)))
7615 goto end;
7616
7617 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7618 if (ret) {
7619 if (!TEST_true(tst % 2 == 0))
7620 goto end;
7621 } else {
7622 if (!TEST_true(tst % 2 == 1))
7623 goto end;
7624 }
7625
7626 testresult = 1;
7627
7628 end:
7629 SRP_VBASE_free(vbase);
7630 vbase = NULL;
7631 SSL_free(serverssl);
7632 SSL_free(clientssl);
7633 SSL_CTX_free(sctx);
7634 SSL_CTX_free(cctx);
7635
7636 return testresult;
7637}
7638#endif
7639
5718fe45
MC		 7640static int info_cb_failed = 0;
7641static int info_cb_offset = 0;
7642static int info_cb_this_state = -1;
7643
7644static struct info_cb_states_st {
7645 int where;
7646 const char *statestr;
7647} info_cb_states[][60] = {
7648 {
7649 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7650 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7651 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7652 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7653 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7654 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7655 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7656 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7657 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7658 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7659 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7660 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7661 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7662 {SSL_CB_EXIT, NULL}, {0, NULL},
7663 }, {
7664 /* TLSv1.2 client followed by resumption */
e0f69c35 7665 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7666 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7667 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7668 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7669 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7670 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7671 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7672 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7673 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7674 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7675 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7676 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7677 }, {
7678 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7679 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7680 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7681 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7682 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7683 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7684 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7685 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7686 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7687 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7688 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7689 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7690 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7691 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7692 }, {
7693 /* TLSv1.3 client followed by resumption */
e0f69c35 7694 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7695 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7696 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7697 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7698 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7699 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7700 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7701 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7702 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7703 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7704 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7705 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7706 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7707 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7708 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7709 }, {
7710 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7711 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7712 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7713 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7714 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7715 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7716 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7717 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7718 {SSL_CB_EXIT, NULL}, {0, NULL},
7719 }, {
7720 /* TLSv1.3 client, early_data */
e0f69c35 7721 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7722 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7723 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7724 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7725 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7726 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7727 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7728 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7729 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7730 }, {
7731 /* TLSv1.3 server, certificate compression, followed by resumption */
7732 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7733 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7734 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7735 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7736 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7737 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7738 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7739 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7740 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7741 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7742 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7743 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7744 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7745 }, {
7746 /* TLSv1.3 client, certificate compression, followed by resumption */
7747 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7748 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7749 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7750 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7751 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7752 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7753 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7754 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7755 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7756 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7757 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7758 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7759 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7760 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7761 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7762 }, {
7763 {0, NULL},
7764 }
7765};
7766
7767static void sslapi_info_callback(const SSL *s, int where, int ret)
7768{
7769 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7770
7771 /* We do not ever expect a connection to fail in this test */
7772 if (!TEST_false(ret == 0)) {
7773 info_cb_failed = 1;
7774 return;
7775 }
7776
7777 /*
7778 * Do some sanity checks. We never expect these things to happen in this
7779 * test
7780 */
7781 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7782 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7783 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7784 info_cb_failed = 1;
7785 return;
7786 }
7787
7788 /* Now check we're in the right state */
7789 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7790 info_cb_failed = 1;
7791 return;
7792 }
7793 if ((where & SSL_CB_LOOP) != 0
7794 && !TEST_int_eq(strcmp(SSL_state_string(s),
7795 state[info_cb_this_state].statestr), 0)) {
7796 info_cb_failed = 1;
7797 return;
7798 }
033c181b 7799
4af5836b
MC		 7800 /*
7801 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7802 */
7803 if ((where & SSL_CB_HANDSHAKE_DONE)
7804 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7805 info_cb_failed = 1;
7806 return;
7807 }
5718fe45
MC		 7808}
7809
7810/*
7811 * Test the info callback gets called when we expect it to.
7812 *
7813 * Test 0: TLSv1.2, server
7814 * Test 1: TLSv1.2, client
7815 * Test 2: TLSv1.3, server
7816 * Test 3: TLSv1.3, client
7817 * Test 4: TLSv1.3, server, early_data
7818 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7819 * Test 6: TLSv1.3, server, compressed certificate
7820 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7821 */
7822static int test_info_callback(int tst)
7823{
7824 SSL_CTX *cctx = NULL, *sctx = NULL;
7825 SSL *clientssl = NULL, *serverssl = NULL;
7826 SSL_SESSION *clntsess = NULL;
7827 int testresult = 0;
7828 int tlsvers;
7829
7830 if (tst < 2) {
1aac20f5
MC		 7831/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7832#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7833 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7834 tlsvers = TLS1_2_VERSION;
7835#else
7836 return 1;
7837#endif
7838 } else {
a763ca11 7839#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7840 tlsvers = TLS1_3_VERSION;
7841#else
7842 return 1;
7843#endif
7844 }
7845
7846 /* Reset globals */
7847 info_cb_failed = 0;
7848 info_cb_this_state = -1;
7849 info_cb_offset = tst;
7850
a763ca11 7851#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7852 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7853 SSL_SESSION *sess = NULL;
7854 size_t written, readbytes;
7855 unsigned char buf[80];
1848c561 7856 OSSL_TIME timer;
5718fe45
MC		 7857
7858 /* early_data tests */
7859 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 7860 &serverssl, &sess, 0,
7861 SHA384_DIGEST_LENGTH)))
5718fe45
MC		 7862 goto end;
7863
7864 /* We don't actually need this reference */
7865 SSL_SESSION_free(sess);
7866
7867 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7868 sslapi_info_callback);
7869
7870 /* Write and read some early data and then complete the connection */
1848c561 7871 timer = ossl_time_now();
5718fe45
MC		 7872 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7873 &written))
1848c561
MC		 7874 || !TEST_size_t_eq(written, strlen(MSG1)))
7875 goto end;
7876
7877 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
7878 sizeof(buf), &readbytes),
7879 SSL_READ_EARLY_DATA_SUCCESS)) {
7880 testresult = check_early_data_timeout(timer);
7881 goto end;
7882 }
7883
7884 if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
5718fe45
MC		 7885 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7886 SSL_EARLY_DATA_ACCEPTED)
7887 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7888 SSL_ERROR_NONE))
7889 || !TEST_false(info_cb_failed))
7890 goto end;
7891
7892 testresult = 1;
7893 goto end;
7894 }
6e07834c 7895#endif
5718fe45 7896
5e30f2fd 7897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7898 TLS_client_method(),
7899 tlsvers, tlsvers, &sctx, &cctx, cert,
7900 privkey)))
7901 goto end;
7902
33c39a06
MC		 7903 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7904 goto end;
7905
5718fe45
MC		 7906 /*
7907 * For even numbered tests we check the server callbacks. For odd numbers we
7908 * check the client.
7909 */
7910 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7911 sslapi_info_callback);
b67cb09f
TS		 7912 if (tst >= 6) {
7913 if (!SSL_CTX_compress_certs(sctx, 0))
7914 goto end;
7915 }
5718fe45
MC		 7916
7917 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7918 &clientssl, NULL, NULL))
7919 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7920 SSL_ERROR_NONE))
7921 || !TEST_false(info_cb_failed))
7922 goto end;
7923
7924
7925
7926 clntsess = SSL_get1_session(clientssl);
7927 SSL_shutdown(clientssl);
7928 SSL_shutdown(serverssl);
7929 SSL_free(serverssl);
7930 SSL_free(clientssl);
7931 serverssl = clientssl = NULL;
7932
7933 /* Now do a resumption */
7934 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7935 NULL))
7936 || !TEST_true(SSL_set_session(clientssl, clntsess))
7937 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7938 SSL_ERROR_NONE))
7939 || !TEST_true(SSL_session_reused(clientssl))
7940 || !TEST_false(info_cb_failed))
7941 goto end;
7942
7943 testresult = 1;
7944
7945 end:
7946 SSL_free(serverssl);
7947 SSL_free(clientssl);
7948 SSL_SESSION_free(clntsess);
7949 SSL_CTX_free(sctx);
7950 SSL_CTX_free(cctx);
7951 return testresult;
7952}
7953
4a432af8
MC		 7954static int test_ssl_pending(int tst)
7955{
7956 SSL_CTX *cctx = NULL, *sctx = NULL;
7957 SSL *clientssl = NULL, *serverssl = NULL;
7958 int testresult = 0;
7959 char msg[] = "A test message";
7960 char buf[5];
7961 size_t written, readbytes;
7962
7963 if (tst == 0) {
5e30f2fd 7964 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7965 TLS_client_method(),
5c587fb6 7966 TLS1_VERSION, 0,
4a432af8
MC		 7967 &sctx, &cctx, cert, privkey)))
7968 goto end;
7969 } else {
7970#ifndef OPENSSL_NO_DTLS
5e30f2fd 7971 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7972 DTLS_client_method(),
5c587fb6 7973 DTLS1_VERSION, 0,
4a432af8
MC		 7974 &sctx, &cctx, cert, privkey)))
7975 goto end;
8ce390e1
MC		 7976
7977# ifdef OPENSSL_NO_DTLS1_2
7978 /* Not supported in the FIPS provider */
7979 if (is_fips) {
7980 testresult = 1;
7981 goto end;
7982 };
7983 /*
7984 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7985 * level 0
7986 */
7987 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7988 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7989 "DEFAULT:@SECLEVEL=0")))
7990 goto end;
7991# endif
4a432af8
MC		 7992#else
7993 return 1;
7994#endif
7995 }
7996
7997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7998 NULL, NULL))
7999 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8000 SSL_ERROR_NONE)))
8001 goto end;
8002
e8251092
MC		 8003 if (!TEST_int_eq(SSL_pending(clientssl), 0)
8004 || !TEST_false(SSL_has_pending(clientssl))
8005 || !TEST_int_eq(SSL_pending(serverssl), 0)
8006 || !TEST_false(SSL_has_pending(serverssl))
8007 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 8008 || !TEST_size_t_eq(written, sizeof(msg))
8009 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
8010 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 8011 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
8012 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 8013 goto end;
8014
8015 testresult = 1;
8016
8017 end:
8018 SSL_free(serverssl);
8019 SSL_free(clientssl);
8020 SSL_CTX_free(sctx);
8021 SSL_CTX_free(cctx);
8022
8023 return testresult;
8024}
8025
e401389a
MC		 8026static struct {
8027 unsigned int maxprot;
8028 const char *clntciphers;
8029 const char *clnttls13ciphers;
8030 const char *srvrciphers;
8031 const char *srvrtls13ciphers;
8032 const char *shared;
a96e6c34 8033 const char *fipsshared;
e401389a 8034} shared_ciphers_data[] = {
60155b9a
MC		 8035/*
8036 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
8037 * TLSv1.3 is enabled but TLSv1.2 is disabled.
8038 */
a763ca11 8039#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 8040 {
8041 TLS1_2_VERSION,
8042 "AES128-SHA:AES256-SHA",
8043 NULL,
8044 "AES256-SHA:DHE-RSA-AES128-SHA",
8045 NULL,
a96e6c34 8046 "AES256-SHA",
e401389a
MC		 8047 "AES256-SHA"
8048 },
a96e6c34
MC		 8049# if !defined(OPENSSL_NO_CHACHA) \
8050 && !defined(OPENSSL_NO_POLY1305) \
8051 && !defined(OPENSSL_NO_EC)
8052 {
8053 TLS1_2_VERSION,
8054 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8055 NULL,
8056 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8057 NULL,
8058 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
8059 "AES128-SHA"
8060 },
8061# endif
e401389a
MC		 8062 {
8063 TLS1_2_VERSION,
8064 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
8065 NULL,
8066 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
8067 NULL,
a96e6c34 8068 "AES128-SHA:AES256-SHA",
e401389a
MC		 8069 "AES128-SHA:AES256-SHA"
8070 },
8071 {
8072 TLS1_2_VERSION,
8073 "AES128-SHA:AES256-SHA",
8074 NULL,
8075 "AES128-SHA:DHE-RSA-AES128-SHA",
8076 NULL,
a96e6c34 8077 "AES128-SHA",
e401389a
MC		 8078 "AES128-SHA"
8079 },
60155b9a
MC		 8080#endif
8081/*
8082 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
8083 * enabled.
8084 */
a763ca11 8085#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 8086 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 8087 {
8088 TLS1_3_VERSION,
8089 "AES128-SHA:AES256-SHA",
8090 NULL,
8091 "AES256-SHA:AES128-SHA256",
8092 NULL,
8093 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 8094 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8095 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 8096 },
60155b9a 8097#endif
a763ca11 8098#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 8099 {
8100 TLS1_3_VERSION,
8101 "AES128-SHA",
8102 "TLS_AES_256_GCM_SHA384",
8103 "AES256-SHA",
8104 "TLS_AES_256_GCM_SHA384",
a96e6c34 8105 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 8106 "TLS_AES_256_GCM_SHA384"
8107 },
8108#endif
8109};
8110
a96e6c34 8111static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 8112{
8113 SSL_CTX *cctx = NULL, *sctx = NULL;
8114 SSL *clientssl = NULL, *serverssl = NULL;
8115 int testresult = 0;
8116 char buf[1024];
b4250010 8117 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 8118
8119 if (!TEST_ptr(tmplibctx))
8120 goto end;
8121
8122 /*
8123 * Regardless of whether we're testing with the FIPS provider loaded into
8124 * libctx, we want one peer to always use the full set of ciphersuites
8125 * available. Therefore we use a separate libctx with the default provider
8126 * loaded into it. We run the same tests twice - once with the client side
8127 * having the full set of ciphersuites and once with the server side.
8128 */
8129 if (clnt) {
d8652be0 8130 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 8131 if (!TEST_ptr(cctx))
8132 goto end;
8133 } else {
d8652be0 8134 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 8135 if (!TEST_ptr(sctx))
8136 goto end;
8137 }
e401389a 8138
5e30f2fd 8139 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 8140 TLS_client_method(),
8141 TLS1_VERSION,
8142 shared_ciphers_data[tst].maxprot,
8143 &sctx, &cctx, cert, privkey)))
8144 goto end;
8145
8146 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8147 shared_ciphers_data[tst].clntciphers))
8148 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8149 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8150 shared_ciphers_data[tst].clnttls13ciphers)))
8151 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8152 shared_ciphers_data[tst].srvrciphers))
8153 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8154 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8155 shared_ciphers_data[tst].srvrtls13ciphers))))
8156 goto end;
8157
8158
8159 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8160 NULL, NULL))
8161 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8162 SSL_ERROR_NONE)))
8163 goto end;
8164
8165 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 8166 || !TEST_int_eq(strcmp(buf,
8167 is_fips
8168 ? shared_ciphers_data[tst].fipsshared
8169 : shared_ciphers_data[tst].shared),
8170 0)) {
e401389a
MC		 8171 TEST_info("Shared ciphers are: %s\n", buf);
8172 goto end;
8173 }
8174
8175 testresult = 1;
8176
8177 end:
8178 SSL_free(serverssl);
8179 SSL_free(clientssl);
8180 SSL_CTX_free(sctx);
8181 SSL_CTX_free(cctx);
b4250010 8182 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 8183
8184 return testresult;
8185}
8186
a96e6c34
MC		 8187static int test_ssl_get_shared_ciphers(int tst)
8188{
8189 return int_test_ssl_get_shared_ciphers(tst, 0)
8190 && int_test_ssl_get_shared_ciphers(tst, 1);
8191}
8192
8193
d0191fe0 8194static const char *appdata = "Hello World";
61fb5923
MC		 8195static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8196static int tick_key_renew = 0;
8197static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 8198
8199static int gen_tick_cb(SSL *s, void *arg)
8200{
8201 gen_tick_called = 1;
8202
8203 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8204 strlen(appdata));
8205}
8206
8207static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8208 const unsigned char *keyname,
8209 size_t keyname_length,
61fb5923
MC		 8210 SSL_TICKET_STATUS status,
8211 void *arg)
d0191fe0
MC		 8212{
8213 void *tickdata;
8214 size_t tickdlen;
8215
8216 dec_tick_called = 1;
8217
61fb5923
MC		 8218 if (status == SSL_TICKET_EMPTY)
8219 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 8220
61fb5923
MC		 8221 if (!TEST_true(status == SSL_TICKET_SUCCESS
8222 || status == SSL_TICKET_SUCCESS_RENEW))
8223 return SSL_TICKET_RETURN_ABORT;
8224
8225 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8226 &tickdlen))
d0191fe0
MC		 8227 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8228 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 8229 return SSL_TICKET_RETURN_ABORT;
d0191fe0 8230
61fb5923
MC		 8231 if (tick_key_cb_called) {
8232 /* Don't change what the ticket key callback wanted to do */
8233 switch (status) {
8234 case SSL_TICKET_NO_DECRYPT:
8235 return SSL_TICKET_RETURN_IGNORE_RENEW;
8236
8237 case SSL_TICKET_SUCCESS:
8238 return SSL_TICKET_RETURN_USE;
d0191fe0 8239
61fb5923
MC		 8240 case SSL_TICKET_SUCCESS_RENEW:
8241 return SSL_TICKET_RETURN_USE_RENEW;
8242
8243 default:
8244 return SSL_TICKET_RETURN_ABORT;
8245 }
8246 }
8247 return tick_dec_ret;
8248
8249}
d0191fe0 8250
a76ce286 8251#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 8252static int tick_key_cb(SSL *s, unsigned char key_name[16],
8253 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8254 HMAC_CTX *hctx, int enc)
8255{
8256 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8257 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 8258 EVP_CIPHER *aes128cbc;
8259 EVP_MD *sha256;
5e30f2fd 8260 int ret;
d0191fe0 8261
61fb5923 8262 tick_key_cb_called = 1;
3b7a3241
MC		 8263
8264 if (tick_key_renew == -1)
8265 return 0;
8266
8267 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8268 if (!TEST_ptr(aes128cbc))
8269 return 0;
8270 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8271 if (!TEST_ptr(sha256)) {
8272 EVP_CIPHER_free(aes128cbc);
8273 return 0;
8274 }
8275
d0191fe0
MC		 8276 memset(iv, 0, AES_BLOCK_SIZE);
8277 memset(key_name, 0, 16);
5e30f2fd
MC		 8278 if (aes128cbc == NULL
8279 || sha256 == NULL
8280 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8281 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8282 NULL))
8283 ret = -1;
8284 else
8285 ret = tick_key_renew ? 2 : 1;
d0191fe0 8286
5e30f2fd
MC		 8287 EVP_CIPHER_free(aes128cbc);
8288 EVP_MD_free(sha256);
8289
8290 return ret;
d0191fe0 8291}
a76ce286
P		 8292#endif
8293
8294static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8295 unsigned char iv[EVP_MAX_IV_LENGTH],
8296 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8297{
8298 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8299 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 8300 OSSL_PARAM params[2];
3b7a3241 8301 EVP_CIPHER *aes128cbc;
5e30f2fd 8302 int ret;
a76ce286
P		 8303
8304 tick_key_cb_called = 1;
3b7a3241
MC		 8305
8306 if (tick_key_renew == -1)
8307 return 0;
8308
8309 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8310 if (!TEST_ptr(aes128cbc))
8311 return 0;
8312
a76ce286
P		 8313 memset(iv, 0, AES_BLOCK_SIZE);
8314 memset(key_name, 0, 16);
8315 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8316 "SHA256", 0);
77e4ae58 8317 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 8318 if (aes128cbc == NULL
8319 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 8320 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8321 params))
5e30f2fd
MC		 8322 ret = -1;
8323 else
8324 ret = tick_key_renew ? 2 : 1;
8325
8326 EVP_CIPHER_free(aes128cbc);
a76ce286 8327
5e30f2fd 8328 return ret;
a76ce286 8329}
d0191fe0
MC		 8330
8331/*
8332 * Test the various ticket callbacks
61fb5923
MC		 8333 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8334 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8335 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8336 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8337 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8338 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8339 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8340 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 8341 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8342 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8343 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8344 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 8345 * Test 12: TLSv1.2, old ticket key callback, no ticket
8346 * Test 13: TLSv1.3, old ticket key callback, no ticket
8347 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8348 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8349 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8350 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8351 * Test 18: TLSv1.2, ticket key callback, no ticket
8352 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 8353 */
8354static int test_ticket_callbacks(int tst)
8355{
8356 SSL_CTX *cctx = NULL, *sctx = NULL;
8357 SSL *clientssl = NULL, *serverssl = NULL;
8358 SSL_SESSION *clntsess = NULL;
8359 int testresult = 0;
8360
8361#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 8362 if (tst % 2 == 0)
d0191fe0
MC		 8363 return 1;
8364#endif
a763ca11 8365#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 8366 if (tst % 2 == 1)
d0191fe0
MC		 8367 return 1;
8368#endif
a76ce286 8369#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 8370 if (tst >= 8 && tst <= 13)
a76ce286
P		 8371 return 1;
8372#endif
d0191fe0 8373
61fb5923 8374 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 8375
8376 /* Which tests the ticket key callback should request renewal for */
3c95ef22 8377
3b7a3241 8378 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 8379 tick_key_renew = 1;
3b7a3241
MC		 8380 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8381 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 8382 else
61fb5923
MC		 8383 tick_key_renew = 0;
8384
8385 /* Which tests the decrypt ticket callback should request renewal for */
8386 switch (tst) {
8387 case 0:
8388 case 1:
8389 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8390 break;
8391
8392 case 2:
8393 case 3:
8394 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8395 break;
8396
8397 case 4:
8398 case 5:
8399 tick_dec_ret = SSL_TICKET_RETURN_USE;
8400 break;
8401
8402 case 6:
8403 case 7:
8404 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8405 break;
8406
8407 default:
8408 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8409 }
d0191fe0 8410
5e30f2fd 8411 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 8412 TLS_client_method(),
8413 TLS1_VERSION,
61fb5923
MC		 8414 ((tst % 2) == 0) ? TLS1_2_VERSION
8415 : TLS1_3_VERSION,
d0191fe0
MC		 8416 &sctx, &cctx, cert, privkey)))
8417 goto end;
8418
61fb5923
MC		 8419 /*
8420 * We only want sessions to resume from tickets - not the session cache. So
8421 * switch the cache off.
8422 */
8423 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8424 goto end;
8425
d0191fe0
MC		 8426 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8427 NULL)))
8428 goto end;
8429
3b7a3241 8430 if (tst >= 14) {
a76ce286
P		 8431 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8432 goto end;
8433#ifndef OPENSSL_NO_DEPRECATED_3_0
8434 } else if (tst >= 8) {
8435 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8436 goto end;
8437#endif
8438 }
d0191fe0
MC		 8439
8440 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8441 NULL, NULL))
8442 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8443 SSL_ERROR_NONE)))
8444 goto end;
8445
61fb5923
MC		 8446 /*
8447 * The decrypt ticket key callback in TLSv1.2 should be called even though
8448 * we have no ticket yet, because it gets called with a status of
8449 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8450 * actually send any ticket data). This does not happen in TLSv1.3 because
8451 * it is not valid to send empty ticket data in TLSv1.3.
8452 */
d0191fe0 8453 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 8454 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 8455 goto end;
8456
8457 gen_tick_called = dec_tick_called = 0;
8458
8459 clntsess = SSL_get1_session(clientssl);
8460 SSL_shutdown(clientssl);
8461 SSL_shutdown(serverssl);
8462 SSL_free(serverssl);
8463 SSL_free(clientssl);
8464 serverssl = clientssl = NULL;
8465
8466 /* Now do a resumption */
8467 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8468 NULL))
8469 || !TEST_true(SSL_set_session(clientssl, clntsess))
8470 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 8471 SSL_ERROR_NONE)))
d0191fe0
MC		 8472 goto end;
8473
61fb5923 8474 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 8475 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8476 || tick_key_renew == -1) {
61fb5923
MC		 8477 if (!TEST_false(SSL_session_reused(clientssl)))
8478 goto end;
8479 } else {
8480 if (!TEST_true(SSL_session_reused(clientssl)))
8481 goto end;
8482 }
8483
d0191fe0 8484 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 8485 (tick_key_renew
8486 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8487 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8488 ? 1 : 0)
3b7a3241
MC		 8489 /* There is no ticket to decrypt in tests 13 and 19 */
8490 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 8491 goto end;
8492
8493 testresult = 1;
8494
8495 end:
8496 SSL_SESSION_free(clntsess);
8497 SSL_free(serverssl);
8498 SSL_free(clientssl);
8499 SSL_CTX_free(sctx);
8500 SSL_CTX_free(cctx);
8501
8502 return testresult;
8503}
8504
e638112e
DB		 8505/*
8506 * Test incorrect shutdown.
8507 * Test 0: client does not shutdown properly,
8508 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8509 * server should get SSL_ERROR_SSL
8510 * Test 1: client does not shutdown properly,
8511 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8512 * server should get SSL_ERROR_ZERO_RETURN
8513 */
8514static int test_incorrect_shutdown(int tst)
8515{
8516 SSL_CTX *cctx = NULL, *sctx = NULL;
8517 SSL *clientssl = NULL, *serverssl = NULL;
8518 int testresult = 0;
8519 char buf[80];
8520 BIO *c2s;
8521
8522 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8523 TLS_client_method(), 0, 0,
8524 &sctx, &cctx, cert, privkey)))
8525 goto end;
8526
8527 if (tst == 1)
8528 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8529
8530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8531 NULL, NULL)))
8532 goto end;
8533
8534 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8535 SSL_ERROR_NONE)))
8536 goto end;
8537
8538 c2s = SSL_get_rbio(serverssl);
8539 BIO_set_mem_eof_return(c2s, 0);
8540
8541 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8542 goto end;
8543
8544 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8545 goto end;
8546 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8547 goto end;
8548
8549 testresult = 1;
8550
8551 end:
8552 SSL_free(serverssl);
8553 SSL_free(clientssl);
8554 SSL_CTX_free(sctx);
8555 SSL_CTX_free(cctx);
8556
8557 return testresult;
8558}
8559
c748834f
MC		 8560/*
8561 * Test bi-directional shutdown.
8562 * Test 0: TLSv1.2
8563 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8564 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8565 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 8566 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8567 * sends key update, client reads it
57d7b988
MC		 8568 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8569 * sends CertificateRequest, client reads and ignores it
8570 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 8571 * doesn't read it
8572 */
8573static int test_shutdown(int tst)
8574{
8575 SSL_CTX *cctx = NULL, *sctx = NULL;
8576 SSL *clientssl = NULL, *serverssl = NULL;
8577 int testresult = 0;
8578 char msg[] = "A test message";
8579 char buf[80];
8580 size_t written, readbytes;
80eff008 8581 SSL_SESSION *sess;
c748834f
MC		 8582
8583#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8584 if (tst <= 1)
c748834f
MC		 8585 return 1;
8586#endif
a763ca11 8587#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8588 if (tst >= 2)
c748834f
MC		 8589 return 1;
8590#endif
8591
5e30f2fd 8592 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8593 TLS_client_method(),
8594 TLS1_VERSION,
8595 (tst <= 1) ? TLS1_2_VERSION
8596 : TLS1_3_VERSION,
57d7b988
MC		 8597 &sctx, &cctx, cert, privkey)))
8598 goto end;
8599
8600 if (tst == 5)
8601 SSL_CTX_set_post_handshake_auth(cctx, 1);
8602
8603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8604 NULL, NULL)))
8605 goto end;
8606
8607 if (tst == 3) {
8608 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8609 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8610 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8611 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8612 goto end;
8613 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8614 SSL_ERROR_NONE))
8615 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8616 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8617 goto end;
8618 }
8619
8620 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8621 goto end;
8622
8623 if (tst >= 4) {
8624 /*
8625 * Reading on the server after the client has sent close_notify should
8626 * fail and provide SSL_ERROR_ZERO_RETURN
8627 */
8628 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8629 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8630 SSL_ERROR_ZERO_RETURN)
8631 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8632 SSL_RECEIVED_SHUTDOWN)
8633 /*
8634 * Even though we're shutdown on receive we should still be
8635 * able to write.
8636 */
80eff008
KR		 8637 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8638 goto end;
57d7b988
MC		 8639 if (tst == 4
8640 && !TEST_true(SSL_key_update(serverssl,
8641 SSL_KEY_UPDATE_REQUESTED)))
8642 goto end;
8643 if (tst == 5) {
8644 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8645 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8646 goto end;
8647 }
8648 if ((tst == 4 || tst == 5)
8649 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8650 goto end;
8651 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8652 goto end;
57d7b988 8653 if (tst == 4 || tst == 5) {
80eff008 8654 /* Should still be able to read data from server */
c748834f 8655 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8656 &readbytes))
8657 || !TEST_size_t_eq(readbytes, sizeof(msg))
8658 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8659 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8660 &readbytes))
c748834f
MC		 8661 || !TEST_size_t_eq(readbytes, sizeof(msg))
8662 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8663 goto end;
8664 }
8665 }
8666
8667 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8668 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8669 goto end;
8670
8671 if (tst < 4) {
8672 /*
8673 * For these tests the client has sent close_notify but it has not yet
8674 * been received by the server. The server has not sent close_notify
8675 * yet.
8676 */
8677 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8678 /*
8679 * Writing on the server after sending close_notify shouldn't
8680 * be possible.
8681 */
8682 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8683 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8684 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8685 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8686 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8687 goto end;
57d7b988 8688 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8689 /*
8690 * In this test the client has sent close_notify and it has been
8691 * received by the server which has responded with a close_notify. The
358ffa05 8692 * client needs to read the close_notify sent by the server.
c748834f 8693 */
80eff008
KR		 8694 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8695 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8696 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8697 goto end;
358ffa05
MC		 8698 } else {
8699 /*
57d7b988 8700 * tst == 6
358ffa05
MC		 8701 *
8702 * The client has sent close_notify and is expecting a close_notify
8703 * back, but instead there is application data first. The shutdown
8704 * should fail with a fatal error.
8705 */
8706 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8707 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8708 goto end;
c748834f
MC		 8709 }
8710
8711 testresult = 1;
8712
8713 end:
8714 SSL_free(serverssl);
8715 SSL_free(clientssl);
8716 SSL_CTX_free(sctx);
8717 SSL_CTX_free(cctx);
8718
8719 return testresult;
8720}
8721
cbf965b4
MC		 8722/*
8723 * Test that sending close_notify alerts works correctly in the case of a
8724 * retryable write failure.
8725 */
8726static int test_async_shutdown(void)
8727{
8728 SSL_CTX *cctx = NULL, *sctx = NULL;
8729 SSL *clientssl = NULL, *serverssl = NULL;
8730 int testresult = 0;
8731 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8732
8733 if (!TEST_ptr(bretry))
8734 goto end;
8735
8736 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8737 TLS_client_method(),
8738 0, 0,
8739 &sctx, &cctx, cert, privkey)))
8740 goto end;
8741
8742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8743 NULL)))
8744 goto end;
8745
8746 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8747 goto end;
8748
8749 /* Close write side of clientssl */
8750 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8751 goto end;
8752
8753 tmp = SSL_get_wbio(serverssl);
8754 if (!TEST_true(BIO_up_ref(tmp))) {
8755 tmp = NULL;
8756 goto end;
8757 }
8758 SSL_set0_wbio(serverssl, bretry);
8759 bretry = NULL;
8760
8761 /* First server shutdown should fail because of a retrable write failure */
8762 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8763 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8764 goto end;
8765
8766 /* Second server shutdown should fail for the same reason */
8767 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8768 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8769 goto end;
8770
8771 SSL_set0_wbio(serverssl, tmp);
8772 tmp = NULL;
8773
8774 /* Third server shutdown should send close_notify */
8775 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8776 goto end;
8777
8778 /* Fourth server shutdown should read close_notify from client and finish */
8779 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8780 goto end;
8781
8782 /* Client should also successfully fully shutdown */
8783 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8784 goto end;
8785
8786 testresult = 1;
8787 end:
8788 SSL_free(serverssl);
8789 SSL_free(clientssl);
8790 SSL_CTX_free(sctx);
8791 SSL_CTX_free(cctx);
8792 BIO_free(bretry);
8793 BIO_free(tmp);
8794
8795 return testresult;
8796}
8797
a763ca11 8798#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8799static int cert_cb_cnt;
8800
8801static int cert_cb(SSL *s, void *arg)
8802{
8803 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8804 BIO *in = NULL;
8805 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8806 X509 *x509 = NULL, *rootx = NULL;
8807 STACK_OF(X509) *chain = NULL;
8808 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8809 int ret = 0;
cd6fe29f
MC		 8810
8811 if (cert_cb_cnt == 0) {
8812 /* Suspend the handshake */
8813 cert_cb_cnt++;
8814 return -1;
8815 } else if (cert_cb_cnt == 1) {
8816 /*
8817 * Update the SSL_CTX, set the certificate and private key and then
8818 * continue the handshake normally.
8819 */
8820 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8821 return 0;
8822
8823 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8824 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8825 SSL_FILETYPE_PEM))
8826 || !TEST_true(SSL_check_private_key(s)))
8827 return 0;
8828 cert_cb_cnt++;
8829 return 1;
7cb8fb07
BK		 8830 } else if (cert_cb_cnt == 3) {
8831 int rv;
1a2a3a42
MC		 8832
8833 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8834 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8835 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8836 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8837 goto out;
8838 chain = sk_X509_new_null();
8839 if (!TEST_ptr(chain))
8840 goto out;
7cb8fb07 8841 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8842 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8843 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8844 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8845 || !TEST_true(sk_X509_push(chain, rootx)))
8846 goto out;
8847 rootx = NULL;
8848 BIO_free(in);
8849 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8850 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8851 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8852 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8853 goto out;
8854 BIO_free(in);
8855 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8856 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8857 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8858 NULL, NULL,
8859 libctx, NULL)))
7cb8fb07 8860 goto out;
1a2a3a42 8861 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8862 /*
8863 * If the cert doesn't show as valid here (e.g., because we don't
8864 * have any shared sigalgs), then we will not set it, and there will
8865 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8866 * will cause tls_choose_sigalgs() to fail the connection.
8867 */
1a2a3a42
MC		 8868 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8869 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8870 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8871 goto out;
8872 }
1a2a3a42
MC		 8873
8874 ret = 1;
cd6fe29f
MC		 8875 }
8876
8877 /* Abort the handshake */
7cb8fb07 8878 out:
1a2a3a42
MC		 8879 OPENSSL_free(ecdsacert);
8880 OPENSSL_free(ecdsakey);
8881 OPENSSL_free(rootfile);
7cb8fb07
BK		 8882 BIO_free(in);
8883 EVP_PKEY_free(pkey);
8884 X509_free(x509);
1a2a3a42 8885 X509_free(rootx);
79b2a2f2 8886 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8887 return ret;
cd6fe29f
MC		 8888}
8889
8890/*
8891 * Test the certificate callback.
8892 * Test 0: Callback fails
8893 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8894 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8895 * Test 3: Success - Call SSL_check_chain from the callback
8896 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8897 * chain
8898 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8899 */
8900static int test_cert_cb_int(int prot, int tst)
8901{
8902 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8903 SSL *clientssl = NULL, *serverssl = NULL;
8904 int testresult = 0, ret;
8905
1a2a3a42
MC		 8906#ifdef OPENSSL_NO_EC
8907 /* We use an EC cert in these tests, so we skip in a no-ec build */
8908 if (tst >= 3)
8909 return 1;
8910#endif
8911
5e30f2fd 8912 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8913 TLS_client_method(),
8914 TLS1_VERSION,
8915 prot,
8916 &sctx, &cctx, NULL, NULL)))
8917 goto end;
8918
8919 if (tst == 0)
8920 cert_cb_cnt = -1;
1a2a3a42 8921 else if (tst >= 3)
7cb8fb07 8922 cert_cb_cnt = 3;
cd6fe29f
MC		 8923 else
8924 cert_cb_cnt = 0;
1a2a3a42 8925
b0317df2 8926 if (tst == 2) {
7e1eda48 8927 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8928 if (!TEST_ptr(snictx))
8929 goto end;
8930 }
8931
cd6fe29f
MC		 8932 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8933
8934 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8935 NULL, NULL)))
8936 goto end;
8937
1a2a3a42
MC		 8938 if (tst == 4) {
8939 /*
8940 * We cause SSL_check_chain() to fail by specifying sig_algs that
8941 * the chain doesn't meet (the root uses an RSA cert)
8942 */
8943 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8944 "ecdsa_secp256r1_sha256")))
8945 goto end;
8946 } else if (tst == 5) {
8947 /*
8948 * We cause SSL_check_chain() to fail by specifying sig_algs that
8949 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8950 */
8951 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8952 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8953 goto end;
8954 }
8955
cd6fe29f 8956 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8957 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8958 || (tst > 0
8959 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8960 goto end;
8961 }
8962
8963 testresult = 1;
8964
8965 end:
8966 SSL_free(serverssl);
8967 SSL_free(clientssl);
8968 SSL_CTX_free(sctx);
8969 SSL_CTX_free(cctx);
8970 SSL_CTX_free(snictx);
8971
8972 return testresult;
8973}
7f1d923a 8974#endif
cd6fe29f
MC		 8975
8976static int test_cert_cb(int tst)
8977{
8978 int testresult = 1;
8979
8980#ifndef OPENSSL_NO_TLS1_2
8981 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8982#endif
a763ca11 8983#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8984 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8985#endif
8986
8987 return testresult;
8988}
8989
6e46c065
MC		 8990static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8991{
8c2bfd25 8992 X509 *xcert;
6e46c065
MC		 8993 EVP_PKEY *privpkey;
8994 BIO *in = NULL;
6725682d 8995 BIO *priv_in = NULL;
6e46c065 8996
8c2bfd25
TS		 8997 /* Check that SSL_get0_peer_certificate() returns something sensible */
8998 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8999 return 0;
6e46c065
MC		 9000
9001 in = BIO_new_file(cert, "r");
9002 if (!TEST_ptr(in))
9003 return 0;
9004
d8652be0 9005 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 9006 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
9007 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 9008 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
9009 NULL, NULL,
9010 libctx, NULL)))
6725682d 9011 goto err;
6e46c065
MC		 9012
9013 *x509 = xcert;
9014 *pkey = privpkey;
9015
6725682d
SL		 9016 BIO_free(in);
9017 BIO_free(priv_in);
6e46c065 9018 return 1;
6725682d
SL		 9019err:
9020 X509_free(xcert);
9021 BIO_free(in);
9022 BIO_free(priv_in);
9023 return 0;
6e46c065
MC		 9024}
9025
6e46c065
MC		 9026static int test_client_cert_cb(int tst)
9027{
9028 SSL_CTX *cctx = NULL, *sctx = NULL;
9029 SSL *clientssl = NULL, *serverssl = NULL;
9030 int testresult = 0;
9031
9032#ifdef OPENSSL_NO_TLS1_2
9033 if (tst == 0)
9034 return 1;
9035#endif
a763ca11 9036#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 9037 if (tst == 1)
9038 return 1;
9039#endif
9040
5e30f2fd 9041 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 9042 TLS_client_method(),
9043 TLS1_VERSION,
9044 tst == 0 ? TLS1_2_VERSION
9045 : TLS1_3_VERSION,
9046 &sctx, &cctx, cert, privkey)))
9047 goto end;
9048
9049 /*
9050 * Test that setting a client_cert_cb results in a client certificate being
9051 * sent.
9052 */
9053 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
9054 SSL_CTX_set_verify(sctx,
9055 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
9056 verify_cb);
fb8c8359
MC		 9057
9058 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9059 NULL, NULL))
9060 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9061 SSL_ERROR_NONE)))
9062 goto end;
9063
9064 testresult = 1;
9065
9066 end:
9067 SSL_free(serverssl);
9068 SSL_free(clientssl);
9069 SSL_CTX_free(sctx);
9070 SSL_CTX_free(cctx);
9071
9072 return testresult;
9073}
9074
a763ca11 9075#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 9076/*
9077 * Test setting certificate authorities on both client and server.
9078 *
9079 * Test 0: SSL_CTX_set0_CA_list() only
9080 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
9081 * Test 2: Only SSL_CTX_set_client_CA_list()
9082 */
9083static int test_ca_names_int(int prot, int tst)
9084{
9085 SSL_CTX *cctx = NULL, *sctx = NULL;
9086 SSL *clientssl = NULL, *serverssl = NULL;
9087 int testresult = 0;
9088 size_t i;
9089 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
9090 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
9091 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
9092 const STACK_OF(X509_NAME) *sktmp = NULL;
9093
9094 for (i = 0; i < OSSL_NELEM(name); i++) {
9095 name[i] = X509_NAME_new();
9096 if (!TEST_ptr(name[i])
9097 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9098 MBSTRING_ASC,
9099 (unsigned char *)
9100 strnames[i],
9101 -1, -1, 0)))
9102 goto end;
9103 }
9104
5e30f2fd 9105 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 9106 TLS_client_method(),
9107 TLS1_VERSION,
9108 prot,
9109 &sctx, &cctx, cert, privkey)))
9110 goto end;
9111
9112 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9113
9114 if (tst == 0 || tst == 1) {
9115 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9116 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9117 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9118 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9119 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9120 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9121 goto end;
9122
9123 SSL_CTX_set0_CA_list(sctx, sk1);
9124 SSL_CTX_set0_CA_list(cctx, sk2);
9125 sk1 = sk2 = NULL;
9126 }
9127 if (tst == 1 || tst == 2) {
9128 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9129 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9130 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9131 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9132 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9133 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9134 goto end;
9135
9136 SSL_CTX_set_client_CA_list(sctx, sk1);
9137 SSL_CTX_set_client_CA_list(cctx, sk2);
9138 sk1 = sk2 = NULL;
9139 }
9140
6e46c065
MC		 9141 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9142 NULL, NULL))
9143 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9144 SSL_ERROR_NONE)))
9145 goto end;
9146
fb8c8359
MC		 9147 /*
9148 * We only expect certificate authorities to have been sent to the server
9149 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9150 */
9151 sktmp = SSL_get0_peer_CA_list(serverssl);
9152 if (prot == TLS1_3_VERSION
9153 && (tst == 0 || tst == 1)) {
9154 if (!TEST_ptr(sktmp)
9155 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9156 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9157 name[0]), 0)
9158 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9159 name[1]), 0))
9160 goto end;
9161 } else if (!TEST_ptr_null(sktmp)) {
9162 goto end;
9163 }
9164
9165 /*
9166 * In all tests we expect certificate authorities to have been sent to the
9167 * client. However, SSL_set_client_CA_list() should override
9168 * SSL_set0_CA_list()
9169 */
9170 sktmp = SSL_get0_peer_CA_list(clientssl);
9171 if (!TEST_ptr(sktmp)
9172 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9173 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9174 name[tst == 0 ? 0 : 2]), 0)
9175 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9176 name[tst == 0 ? 1 : 3]), 0))
9177 goto end;
9178
6e46c065
MC		 9179 testresult = 1;
9180
9181 end:
9182 SSL_free(serverssl);
9183 SSL_free(clientssl);
9184 SSL_CTX_free(sctx);
9185 SSL_CTX_free(cctx);
fb8c8359
MC		 9186 for (i = 0; i < OSSL_NELEM(name); i++)
9187 X509_NAME_free(name[i]);
9188 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9189 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9190
9191 return testresult;
9192}
9193#endif
9194
9195static int test_ca_names(int tst)
9196{
9197 int testresult = 1;
9198
9199#ifndef OPENSSL_NO_TLS1_2
9200 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9201#endif
a763ca11 9202#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 9203 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9204#endif
6e46c065
MC		 9205
9206 return testresult;
9207}
9208
0d2bfe52
SL		 9209#ifndef OPENSSL_NO_TLS1_2
9210static const char *multiblock_cipherlist_data[]=
9211{
9212 "AES128-SHA",
9213 "AES128-SHA256",
9214 "AES256-SHA",
9215 "AES256-SHA256",
9216};
9217
9218/* Reduce the fragment size - so the multiblock test buffer can be small */
9219# define MULTIBLOCK_FRAGSIZE 512
9220
9221static int test_multiblock_write(int test_index)
9222{
9223 static const char *fetchable_ciphers[]=
9224 {
9225 "AES-128-CBC-HMAC-SHA1",
9226 "AES-128-CBC-HMAC-SHA256",
9227 "AES-256-CBC-HMAC-SHA1",
9228 "AES-256-CBC-HMAC-SHA256"
9229 };
9230 const char *cipherlist = multiblock_cipherlist_data[test_index];
9231 const SSL_METHOD *smeth = TLS_server_method();
9232 const SSL_METHOD *cmeth = TLS_client_method();
9233 int min_version = TLS1_VERSION;
9234 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9235 SSL_CTX *cctx = NULL, *sctx = NULL;
9236 SSL *clientssl = NULL, *serverssl = NULL;
9237 int testresult = 0;
9238
9239 /*
9240 * Choose a buffer large enough to perform a multi-block operation
9241 * i.e: write_len >= 4 * frag_size
9242 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9243 */
9244 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9245 unsigned char buf[sizeof(msg)], *p = buf;
9246 size_t readbytes, written, len;
9247 EVP_CIPHER *ciph = NULL;
9248
9249 /*
9250 * Check if the cipher exists before attempting to use it since it only has
9251 * a hardware specific implementation.
9252 */
7c82a7a8 9253 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 9254 if (ciph == NULL) {
9255 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9256 return 1;
9257 }
9258 EVP_CIPHER_free(ciph);
9259
9260 /* Set up a buffer with some data that will be sent to the client */
9261 RAND_bytes(msg, sizeof(msg));
9262
5e30f2fd
MC		 9263 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9264 max_version, &sctx, &cctx, cert,
9265 privkey)))
0d2bfe52
SL		 9266 goto end;
9267
9268 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9269 goto end;
9270
9271 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9272 NULL, NULL)))
9273 goto end;
9274
9275 /* settings to force it to use AES-CBC-HMAC_SHA */
9276 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9277 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9278 goto end;
9279
9280 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9281 goto end;
9282
9283 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9284 || !TEST_size_t_eq(written, sizeof(msg)))
9285 goto end;
9286
9287 len = written;
9288 while (len > 0) {
9289 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9290 goto end;
9291 p += readbytes;
9292 len -= readbytes;
9293 }
9294 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9295 goto end;
9296
9297 testresult = 1;
9298end:
9299 SSL_free(serverssl);
9300 SSL_free(clientssl);
9301 SSL_CTX_free(sctx);
9302 SSL_CTX_free(cctx);
9303
9304 return testresult;
9305}
9306#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 9307
25959e04
TS		 9308static int test_session_timeout(int test)
9309{
9310 /*
9311 * Test session ordering and timeout
9312 * Can't explicitly test performance of the new code,
9313 * but can test to see if the ordering of the sessions
ad31628c 9314 * are correct, and they are removed as expected
25959e04
TS		 9315 */
9316 SSL_SESSION *early = NULL;
9317 SSL_SESSION *middle = NULL;
9318 SSL_SESSION *late = NULL;
9319 SSL_CTX *ctx;
9320 int testresult = 0;
9321 long now = (long)time(NULL);
9322#define TIMEOUT 10
9323
9324 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9325 || !TEST_ptr(early = SSL_SESSION_new())
9326 || !TEST_ptr(middle = SSL_SESSION_new())
9327 || !TEST_ptr(late = SSL_SESSION_new()))
9328 goto end;
9329
9330 /* assign unique session ids */
9331 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9332 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9333 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9334 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9335 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9336 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9337
9338 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9339 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9340 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9341 goto end;
9342
9343 /* Make sure they are all added */
9344 if (!TEST_ptr(early->prev)
9345 || !TEST_ptr(middle->prev)
9346 || !TEST_ptr(late->prev))
9347 goto end;
9348
9349 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9350 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9351 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9352 goto end;
9353
9354 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9355 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9356 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9357 goto end;
9358
9359 /* Make sure they are all still there */
9360 if (!TEST_ptr(early->prev)
9361 || !TEST_ptr(middle->prev)
9362 || !TEST_ptr(late->prev))
9363 goto end;
9364
9365 /* Make sure they are in the expected order */
9366 if (!TEST_ptr_eq(late->next, middle)
9367 || !TEST_ptr_eq(middle->next, early)
9368 || !TEST_ptr_eq(early->prev, middle)
9369 || !TEST_ptr_eq(middle->prev, late))
9370 goto end;
9371
9372 /* This should remove "early" */
9373 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9374 if (!TEST_ptr_null(early->prev)
9375 || !TEST_ptr(middle->prev)
9376 || !TEST_ptr(late->prev))
9377 goto end;
9378
9379 /* This should remove "middle" */
9380 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9381 if (!TEST_ptr_null(early->prev)
9382 || !TEST_ptr_null(middle->prev)
9383 || !TEST_ptr(late->prev))
9384 goto end;
9385
9386 /* This should remove "late" */
9387 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9388 if (!TEST_ptr_null(early->prev)
9389 || !TEST_ptr_null(middle->prev)
9390 || !TEST_ptr_null(late->prev))
9391 goto end;
9392
9393 /* Add them back in again */
9394 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9395 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9396 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9397 goto end;
9398
9399 /* Make sure they are all added */
9400 if (!TEST_ptr(early->prev)
9401 || !TEST_ptr(middle->prev)
9402 || !TEST_ptr(late->prev))
9403 goto end;
9404
9405 /* This should remove all of them */
9406 SSL_CTX_flush_sessions(ctx, 0);
9407 if (!TEST_ptr_null(early->prev)
9408 || !TEST_ptr_null(middle->prev)
9409 || !TEST_ptr_null(late->prev))
9410 goto end;
9411
9412 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9413 | SSL_CTX_get_session_cache_mode(ctx));
9414
9415 /* make sure |now| is NOT equal to the current time */
9416 now -= 10;
9417 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9418 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9419 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9420 goto end;
9421
9422 testresult = 1;
9423 end:
9424 SSL_CTX_free(ctx);
9425 SSL_SESSION_free(early);
9426 SSL_SESSION_free(middle);
9427 SSL_SESSION_free(late);
9428 return testresult;
9429}
9430
4a3e8f08
MC		 9431/*
9432 * Test that a session cache overflow works as expected
9433 * Test 0: TLSv1.3, timeout on new session later than old session
9434 * Test 1: TLSv1.2, timeout on new session later than old session
9435 * Test 2: TLSv1.3, timeout on new session earlier than old session
9436 * Test 3: TLSv1.2, timeout on new session earlier than old session
9437 */
9438#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
9439static int test_session_cache_overflow(int idx)
9440{
9441 SSL_CTX *sctx = NULL, *cctx = NULL;
9442 SSL *serverssl = NULL, *clientssl = NULL;
9443 int testresult = 0;
9444 SSL_SESSION *sess = NULL;
9445
9446#ifdef OSSL_NO_USABLE_TLS1_3
9447 /* If no TLSv1.3 available then do nothing in this case */
9448 if (idx % 2 == 0)
9449 return TEST_skip("No TLSv1.3 available");
9450#endif
9451#ifdef OPENSSL_NO_TLS1_2
9452 /* If no TLSv1.2 available then do nothing in this case */
9453 if (idx % 2 == 1)
9454 return TEST_skip("No TLSv1.2 available");
9455#endif
9456
9457 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9458 TLS_client_method(), TLS1_VERSION,
9459 (idx % 2 == 0) ? TLS1_3_VERSION
9460 : TLS1_2_VERSION,
9461 &sctx, &cctx, cert, privkey))
9462 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
9463 goto end;
9464
9465 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
9466 get_sess_val = NULL;
9467
9468 SSL_CTX_sess_set_cache_size(sctx, 1);
9469
9470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9471 NULL, NULL)))
9472 goto end;
9473
9474 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9475 goto end;
9476
9477 if (idx > 1) {
9478 sess = SSL_get_session(serverssl);
9479 if (!TEST_ptr(sess))
9480 goto end;
9481
9482 /*
9483 * Cause this session to have a longer timeout than the next session to
9484 * be added.
9485 */
9486 if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX))) {
9487 sess = NULL;
9488 goto end;
9489 }
9490 sess = NULL;
9491 }
9492
9493 SSL_shutdown(serverssl);
9494 SSL_shutdown(clientssl);
9495 SSL_free(serverssl);
9496 SSL_free(clientssl);
9497 serverssl = clientssl = NULL;
9498
9499 /*
9500 * Session cache size is 1 and we already populated the cache with a session
9501 * so the next connection should cause an overflow.
9502 */
9503
9504 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9505 NULL, NULL)))
9506 goto end;
9507
9508 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9509 goto end;
9510
9511 /*
9512 * The session we just negotiated may have been already removed from the
9513 * internal cache - but we will return it anyway from our external cache.
9514 */
9515 get_sess_val = SSL_get_session(serverssl);
9516 if (!TEST_ptr(get_sess_val))
9517 goto end;
9518 sess = SSL_get1_session(clientssl);
9519 if (!TEST_ptr(sess))
9520 goto end;
9521
9522 SSL_shutdown(serverssl);
9523 SSL_shutdown(clientssl);
9524 SSL_free(serverssl);
9525 SSL_free(clientssl);
9526 serverssl = clientssl = NULL;
9527
9528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9529 NULL, NULL)))
9530 goto end;
9531
9532 if (!TEST_true(SSL_set_session(clientssl, sess)))
9533 goto end;
9534
9535 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9536 goto end;
9537
9538 testresult = 1;
9539
9540 end:
9541 SSL_free(serverssl);
9542 SSL_free(clientssl);
9543 SSL_CTX_free(sctx);
9544 SSL_CTX_free(cctx);
9545 SSL_SESSION_free(sess);
9546
9547 return testresult;
9548}
9549#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
9550
49ef3d07
MC		 9551/*
9552 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9553 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9554 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9555 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9556 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9557 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9558 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9559 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9560 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9561 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9562 */
9563static int test_servername(int tst)
9564{
9565 SSL_CTX *cctx = NULL, *sctx = NULL;
9566 SSL *clientssl = NULL, *serverssl = NULL;
9567 int testresult = 0;
9568 SSL_SESSION *sess = NULL;
9569 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9570
9571#ifdef OPENSSL_NO_TLS1_2
9572 if (tst <= 4)
9573 return 1;
9574#endif
a763ca11 9575#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 9576 if (tst >= 5)
9577 return 1;
9578#endif
9579
5e30f2fd 9580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 9581 TLS_client_method(),
9582 TLS1_VERSION,
9583 (tst <= 4) ? TLS1_2_VERSION
9584 : TLS1_3_VERSION,
9585 &sctx, &cctx, cert, privkey))
9586 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9587 NULL, NULL)))
9588 goto end;
9589
9590 if (tst != 1 && tst != 6) {
9591 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9592 hostname_cb)))
9593 goto end;
9594 }
9595
9596 if (tst != 3 && tst != 8) {
9597 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9598 goto end;
9599 sexpectedhost = cexpectedhost = "goodhost";
9600 }
9601
9602 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9603 goto end;
9604
9605 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9606 cexpectedhost)
9607 || !TEST_str_eq(SSL_get_servername(serverssl,
9608 TLSEXT_NAMETYPE_host_name),
9609 sexpectedhost))
9610 goto end;
9611
9612 /* Now repeat with a resumption handshake */
9613
9614 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9615 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9616 || !TEST_true(SSL_SESSION_is_resumable(sess))
9617 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9618 goto end;
9619
9620 SSL_free(clientssl);
9621 SSL_free(serverssl);
9622 clientssl = serverssl = NULL;
9623
9624 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9625 NULL)))
9626 goto end;
9627
9628 if (!TEST_true(SSL_set_session(clientssl, sess)))
9629 goto end;
9630
9631 sexpectedhost = cexpectedhost = "goodhost";
9632 if (tst == 2 || tst == 7) {
9633 /* Set an inconsistent hostname */
9634 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9635 goto end;
9636 /*
9637 * In TLSv1.2 we expect the hostname from the original handshake, in
9638 * TLSv1.3 we expect the hostname from this handshake
9639 */
9640 if (tst == 7)
9641 sexpectedhost = cexpectedhost = "altgoodhost";
9642
9643 if (!TEST_str_eq(SSL_get_servername(clientssl,
9644 TLSEXT_NAMETYPE_host_name),
9645 "altgoodhost"))
9646 goto end;
9647 } else if (tst == 4 || tst == 9) {
9648 /*
9649 * A TLSv1.3 session does not associate a session with a servername,
9650 * but a TLSv1.2 session does.
9651 */
9652 if (tst == 9)
9653 sexpectedhost = cexpectedhost = NULL;
9654
9655 if (!TEST_str_eq(SSL_get_servername(clientssl,
9656 TLSEXT_NAMETYPE_host_name),
9657 cexpectedhost))
9658 goto end;
9659 } else {
9660 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9661 goto end;
9662 /*
9663 * In a TLSv1.2 resumption where the hostname was not acknowledged
9664 * we expect the hostname on the server to be empty. On the client we
9665 * return what was requested in this case.
9666 *
9667 * Similarly if the client didn't set a hostname on an original TLSv1.2
9668 * session but is now, the server hostname will be empty, but the client
9669 * is as we set it.
9670 */
9671 if (tst == 1 || tst == 3)
9672 sexpectedhost = NULL;
9673
9674 if (!TEST_str_eq(SSL_get_servername(clientssl,
9675 TLSEXT_NAMETYPE_host_name),
9676 "goodhost"))
9677 goto end;
9678 }
9679
9680 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9681 goto end;
9682
9683 if (!TEST_true(SSL_session_reused(clientssl))
9684 || !TEST_true(SSL_session_reused(serverssl))
9685 || !TEST_str_eq(SSL_get_servername(clientssl,
9686 TLSEXT_NAMETYPE_host_name),
9687 cexpectedhost)
9688 || !TEST_str_eq(SSL_get_servername(serverssl,
9689 TLSEXT_NAMETYPE_host_name),
9690 sexpectedhost))
9691 goto end;
9692
9693 testresult = 1;
9694
9695 end:
9696 SSL_SESSION_free(sess);
9697 SSL_free(serverssl);
9698 SSL_free(clientssl);
9699 SSL_CTX_free(sctx);
9700 SSL_CTX_free(cctx);
9701
9702 return testresult;
9703}
9704
2b4cea1e
TM		 9705static int test_unknown_sigalgs_groups(void)
9706{
9707 int ret = 0;
9708 SSL_CTX *ctx = NULL;
9709
9710 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9711 goto end;
9712
9713 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9714 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9715 0))
9716 goto end;
9717 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9718 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9719 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9720 goto end;
9721
9722 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9723 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9724 0))
9725 goto end;
9726 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9727 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9728 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9729 goto end;
9730
9731 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9732 "nonexistent"),
9733 0))
9734 goto end;
9735
9736 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9737 "?nonexistent1:?nonexistent2:?nonexistent3"),
9738 0))
9739 goto end;
9740
9741#ifndef OPENSSL_NO_EC
9742 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9743 "P-256:nonexistent"),
9744 0))
9745 goto end;
9746
9747 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9748 "P-384:?nonexistent:?P-521"),
9749 0))
9750 goto end;
9751 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9752 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9753 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9754 goto end;
9755#endif
9756
9757 ret = 1;
9758 end:
9759 SSL_CTX_free(ctx);
9760 return ret;
9761}
9762
b1fdbc68 9763#if !defined(OPENSSL_NO_EC) \
a763ca11 9764 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 9765/*
9766 * Test that if signature algorithms are not available, then we do not offer or
9767 * accept them.
9768 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9769 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9770 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9771 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9772 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9773 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9774 */
9775static int test_sigalgs_available(int idx)
9776{
9777 SSL_CTX *cctx = NULL, *sctx = NULL;
9778 SSL *clientssl = NULL, *serverssl = NULL;
9779 int testresult = 0;
b4250010
DMSP		 9780 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9781 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 9782 OSSL_PROVIDER *filterprov = NULL;
9783 int sig, hash;
9784
9785 if (!TEST_ptr(tmpctx))
9786 goto end;
9787
9788 if (idx != 0 && idx != 3) {
9789 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9790 filter_provider_init)))
9791 goto end;
9792
9793 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9794 if (!TEST_ptr(filterprov))
9795 goto end;
9796
9797 if (idx < 3) {
9798 /*
9799 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9800 * or accepted for the peer that uses this libctx. Note that libssl
9801 * *requires* SHA2-256 to be available so we cannot disable that. We
9802 * also need SHA1 for our certificate.
9803 */
9804 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9805 "SHA2-256:SHA1")))
9806 goto end;
9807 } else {
9808 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9809 "ECDSA"))
4032cd9a
YL		 9810# ifdef OPENSSL_NO_ECX
9811 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9812# else
b3842539 9813 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
4032cd9a
YL		 9814 "EC:X25519:X448"))
9815# endif
9816 )
b3842539
MC		 9817 goto end;
9818 }
9819
9820 if (idx == 1 || idx == 4)
9821 clientctx = tmpctx;
9822 else
9823 serverctx = tmpctx;
9824 }
9825
d8652be0
MC		 9826 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9827 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 9828 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9829 goto end;
b3842539 9830
b4c4a2c6
TM		 9831 if (idx != 5) {
9832 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9833 TLS_client_method(),
9834 TLS1_VERSION,
9835 0,
9836 &sctx, &cctx, cert, privkey)))
9837 goto end;
9838 } else {
9839 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9840 TLS_client_method(),
9841 TLS1_VERSION,
9842 0,
9843 &sctx, &cctx, cert2, privkey2)))
9844 goto end;
9845 }
b3842539 9846
b1fdbc68
MC		 9847 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9848 if (idx < 4) {
9849 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9850 "ECDHE-RSA-AES128-GCM-SHA256")))
9851 goto end;
9852 } else {
9853 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9854 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9855 goto end;
9856 }
9857
b3842539
MC		 9858 if (idx < 3) {
9859 if (!SSL_CTX_set1_sigalgs_list(cctx,
9860 "rsa_pss_rsae_sha384"
9861 ":rsa_pss_rsae_sha256")
9862 || !SSL_CTX_set1_sigalgs_list(sctx,
9863 "rsa_pss_rsae_sha384"
9864 ":rsa_pss_rsae_sha256"))
9865 goto end;
9866 } else {
9867 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9868 || !SSL_CTX_set1_sigalgs_list(sctx,
9869 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9870 goto end;
9871 }
9872
b4c4a2c6
TM		 9873 if (idx != 5
9874 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9875 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9876 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9877 privkey2,
9878 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9879 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9880 goto end;
9881
9882 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9883 NULL, NULL)))
b3842539
MC		 9884 goto end;
9885
9886 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9887 goto end;
9888
9889 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9890 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9891 NULL, NULL),
9892 (idx == 0 || idx == 3) ? 2 : 1))
9893 goto end;
9894
9895 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9896 goto end;
9897
9898 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9899 : NID_rsassaPss))
9900 goto end;
9901
b0001d0c 9902 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9903
9904 end:
9905 SSL_free(serverssl);
9906 SSL_free(clientssl);
9907 SSL_CTX_free(sctx);
9908 SSL_CTX_free(cctx);
9909 OSSL_PROVIDER_unload(filterprov);
b4250010 9910 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9911
9912 return testresult;
9913}
b1fdbc68
MC		 9914#endif /*
9915 * !defined(OPENSSL_NO_EC) \
a763ca11 9916 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9917 */
b3842539 9918
0c13cdf8 9919#ifndef OPENSSL_NO_TLS1_3
a763ca11 9920/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9921static int test_pluggable_group(int idx)
0c13cdf8
MC		 9922{
9923 SSL_CTX *cctx = NULL, *sctx = NULL;
9924 SSL *clientssl = NULL, *serverssl = NULL;
9925 int testresult = 0;
9926 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9927 /* Check that we are not impacted by a provider without any groups */
9928 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
f4ed6eed 9929 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
0c13cdf8 9930
5ae54dba 9931 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9932 goto end;
9933
9934 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9935 TLS_client_method(),
9936 TLS1_3_VERSION,
9937 TLS1_3_VERSION,
9938 &sctx, &cctx, cert, privkey))
9939 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9940 NULL, NULL)))
9941 goto end;
9942
f4ed6eed
MB		 9943 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9944 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9945 /* removing a single algorithm from the list makes the test pass */
c8e3a4c6 9946 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9947 goto end;
9948
9949 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9950 goto end;
9951
becbacd7
MB		 9952 if (!TEST_str_eq(group_name,
9953 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9954 goto end;
9955
68668243
AB		 9956 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9957 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9958 goto end;
9959
0c13cdf8
MC		 9960 testresult = 1;
9961
9962 end:
9963 SSL_free(serverssl);
9964 SSL_free(clientssl);
9965 SSL_CTX_free(sctx);
9966 SSL_CTX_free(cctx);
9967 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9968 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9969
9970 return testresult;
9971}
ee58915c
MB		 9972
9973/*
9974 * This function triggers encode, decode and sign functions
9975 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9976 * creating private key and certificate files for use in TLS testing.
9977 */
9978static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9979{
bbaeadb0 9980 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
ee58915c
MB		 9981 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9982 EVP_PKEY *pkey = NULL;
9983 X509 *x509 = X509_new();
9984 X509_NAME *name = NULL;
9985 BIO *keybio = NULL, *certbio = NULL;
9986 int ret = 1;
9987
9988 if (!TEST_ptr(evpctx)
9989 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9990 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9991 || !TEST_ptr(pkey)
9992 || !TEST_ptr(x509)
9993 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9994 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9995 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9996 || !TEST_true(X509_set_pubkey(x509, pkey))
9997 || !TEST_ptr(name = X509_get_subject_name(x509))
9998 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9999 (unsigned char *)"CH", -1, -1, 0))
10000 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
10001 (unsigned char *)"test.org", -1, -1, 0))
10002 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
10003 (unsigned char *)"localhost", -1, -1, 0))
10004 || !TEST_true(X509_set_issuer_name(x509, name))
10005 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
10006 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
10007 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
10008 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
10009 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
10010 ret = 0;
10011
10012 EVP_PKEY_free(pkey);
10013 X509_free(x509);
10014 EVP_PKEY_CTX_free(evpctx);
10015 BIO_free(keybio);
10016 BIO_free(certbio);
10017 return ret;
10018}
10019
10020/*
10021 * Test that signature algorithms loaded via the provider interface can
10022 * correctly establish a TLS (1.3) connection.
10023 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
10024 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
3c95ef22
TS		 10025 * Test 2: Test 0 using RPK
10026 * Test 3: Test 1 using RPK
ee58915c
MB		 10027 */
10028static int test_pluggable_signature(int idx)
10029{
3c95ef22 10030 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
ee58915c
MB		 10031 SSL_CTX *cctx = NULL, *sctx = NULL;
10032 SSL *clientssl = NULL, *serverssl = NULL;
10033 int testresult = 0;
10034 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
10035 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
10036 char *certfilename = "tls-prov-cert.pem";
10037 char *privkeyfilename = "tls-prov-key.pem";
3c95ef22
TS		 10038 int sigidx = idx % 2;
10039 int rpkidx = idx / 2;
ee58915c
MB		 10040
10041 /* create key and certificate for the different algorithm types */
10042 if (!TEST_ptr(tlsprov)
3c95ef22 10043 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
ee58915c
MB		 10044 goto end;
10045
10046 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10047 TLS_client_method(),
10048 TLS1_3_VERSION,
10049 TLS1_3_VERSION,
10050 &sctx, &cctx, certfilename, privkeyfilename))
10051 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10052 NULL, NULL)))
10053 goto end;
10054
3c95ef22
TS		 10055 /* Enable RPK for server cert */
10056 if (rpkidx) {
10057 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
10058 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
10059 goto end;
10060 }
10061
ee58915c
MB		 10062 /* This is necessary to pass minimal setup w/o other groups configured */
10063 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
10064 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
10065 goto end;
10066
10067 /*
10068 * If this connection gets established, it must have been completed
10069 * via the tls-provider-implemented "hmacsig" algorithm, testing
10070 * both sign and verify functions during handshake.
10071 */
10072 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10073 goto end;
10074
3c95ef22
TS		 10075 /* If using RPK, make sure we got one */
10076 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
10077 goto end;
10078
ee58915c
MB		 10079 testresult = 1;
10080
10081 end:
10082 SSL_free(serverssl);
10083 SSL_free(clientssl);
10084 SSL_CTX_free(sctx);
10085 SSL_CTX_free(cctx);
10086 OSSL_PROVIDER_unload(tlsprov);
10087 OSSL_PROVIDER_unload(defaultprov);
10088
10089 return testresult;
10090}
0c13cdf8 10091#endif
b3842539 10092
49a36a52
MC		 10093#ifndef OPENSSL_NO_TLS1_2
10094static int test_ssl_dup(void)
10095{
10096 SSL_CTX *cctx = NULL, *sctx = NULL;
10097 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
10098 int testresult = 0;
10099 BIO *rbio = NULL, *wbio = NULL;
10100
10101 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10102 TLS_client_method(),
10103 0,
10104 0,
10105 &sctx, &cctx, cert, privkey)))
10106 goto end;
10107
10108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10109 NULL, NULL)))
10110 goto end;
10111
10112 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10113 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
10114 goto end;
10115
10116 client2ssl = SSL_dup(clientssl);
10117 rbio = SSL_get_rbio(clientssl);
10118 if (!TEST_ptr(rbio)
10119 || !TEST_true(BIO_up_ref(rbio)))
10120 goto end;
10121 SSL_set0_rbio(client2ssl, rbio);
10122 rbio = NULL;
10123
10124 wbio = SSL_get_wbio(clientssl);
10125 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
10126 goto end;
10127 SSL_set0_wbio(client2ssl, wbio);
10128 rbio = NULL;
10129
10130 if (!TEST_ptr(client2ssl)
10131 /* Handshake not started so pointers should be different */
10132 || !TEST_ptr_ne(clientssl, client2ssl))
10133 goto end;
10134
10135 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
10136 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
10137 goto end;
10138
10139 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
10140 goto end;
10141
10142 SSL_free(clientssl);
10143 clientssl = SSL_dup(client2ssl);
10144 if (!TEST_ptr(clientssl)
10145 /* Handshake has finished so pointers should be the same */
10146 || !TEST_ptr_eq(clientssl, client2ssl))
10147 goto end;
10148
10149 testresult = 1;
10150
10151 end:
10152 SSL_free(serverssl);
10153 SSL_free(clientssl);
10154 SSL_free(client2ssl);
10155 SSL_CTX_free(sctx);
10156 SSL_CTX_free(cctx);
10157
10158 return testresult;
10159}
33c39a06 10160
c8dddc61
MC		 10161static int secret_cb(SSL *s, void *secretin, int *secret_len,
10162 STACK_OF(SSL_CIPHER) *peer_ciphers,
10163 const SSL_CIPHER **cipher, void *arg)
10164{
10165 int i;
10166 unsigned char *secret = secretin;
10167
10168 /* Just use a fixed master secret */
10169 for (i = 0; i < *secret_len; i++)
10170 secret[i] = 0xff;
10171
10172 /* We don't set a preferred cipher */
10173
10174 return 1;
10175}
10176
10177/*
10178 * Test the session_secret_cb which is designed for use with EAP-FAST
10179 */
10180static int test_session_secret_cb(void)
10181{
10182 SSL_CTX *cctx = NULL, *sctx = NULL;
10183 SSL *clientssl = NULL, *serverssl = NULL;
10184 SSL_SESSION *secret_sess = NULL;
10185 int testresult = 0;
10186
10187 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10188 TLS_client_method(),
10189 0,
10190 0,
10191 &sctx, &cctx, cert, privkey)))
10192 goto end;
10193
10194 /* Create an initial connection and save the session */
10195 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10196 NULL, NULL)))
10197 goto end;
10198
10199 /* session_secret_cb does not support TLSv1.3 */
10200 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10201 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION)))
10202 goto end;
10203
10204 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10205 goto end;
10206
10207 if (!TEST_ptr(secret_sess = SSL_get1_session(clientssl)))
10208 goto end;
10209
10210 shutdown_ssl_connection(serverssl, clientssl);
10211 serverssl = clientssl = NULL;
10212
10213 /* Resume the earlier session */
10214 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10215 NULL, NULL)))
10216 goto end;
10217
10218 /*
10219 * No session ids for EAP-FAST - otherwise the state machine gets very
10220 * confused.
10221 */
10222 if (!TEST_true(SSL_SESSION_set1_id(secret_sess, NULL, 0)))
10223 goto end;
10224
10225 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
10226 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10227 || !TEST_true(SSL_set_session_secret_cb(serverssl, secret_cb,
10228 NULL))
10229 || !TEST_true(SSL_set_session_secret_cb(clientssl, secret_cb,
10230 NULL))
10231 || !TEST_true(SSL_set_session(clientssl, secret_sess)))
10232 goto end;
10233
10234 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10235 goto end;
10236
10237 testresult = 1;
10238
10239 end:
10240 SSL_SESSION_free(secret_sess);
10241 SSL_free(serverssl);
10242 SSL_free(clientssl);
10243 SSL_CTX_free(sctx);
10244 SSL_CTX_free(cctx);
10245
10246 return testresult;
10247}
10248
33c39a06
MC		 10249# ifndef OPENSSL_NO_DH
10250
10251static EVP_PKEY *tmp_dh_params = NULL;
10252
10253/* Helper function for the test_set_tmp_dh() tests */
10254static EVP_PKEY *get_tmp_dh_params(void)
10255{
10256 if (tmp_dh_params == NULL) {
10257 BIGNUM *p = NULL;
10258 OSSL_PARAM_BLD *tmpl = NULL;
10259 EVP_PKEY_CTX *pctx = NULL;
10260 OSSL_PARAM *params = NULL;
10261 EVP_PKEY *dhpkey = NULL;
10262
10263 p = BN_get_rfc3526_prime_2048(NULL);
10264 if (!TEST_ptr(p))
10265 goto end;
10266
10267 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
10268 if (!TEST_ptr(pctx)
884400d7 10269 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 10270 goto end;
10271
10272 tmpl = OSSL_PARAM_BLD_new();
10273 if (!TEST_ptr(tmpl)
10274 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
10275 OSSL_PKEY_PARAM_FFC_P,
10276 p))
10277 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
10278 OSSL_PKEY_PARAM_FFC_G,
10279 2)))
10280 goto end;
10281
10282 params = OSSL_PARAM_BLD_to_param(tmpl);
10283 if (!TEST_ptr(params)
884400d7 10284 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
10285 EVP_PKEY_KEY_PARAMETERS,
10286 params), 1))
33c39a06
MC		 10287 goto end;
10288
10289 tmp_dh_params = dhpkey;
10290 end:
10291 BN_free(p);
10292 EVP_PKEY_CTX_free(pctx);
10293 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 10294 OSSL_PARAM_free(params);
33c39a06
MC		 10295 }
10296
f1619160 10297 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 10298 return NULL;
10299
10300 return tmp_dh_params;
10301}
10302
39f3427d 10303# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 10304/* Callback used by test_set_tmp_dh() */
10305static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10306{
10307 EVP_PKEY *dhpkey = get_tmp_dh_params();
10308 DH *ret = NULL;
10309
10310 if (!TEST_ptr(dhpkey))
10311 return NULL;
10312
7bc0fdd3
MC		 10313 /*
10314 * libssl does not free the returned DH, so we free it now knowing that even
10315 * after we free dhpkey, there will still be a reference to the owning
10316 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10317 * of time we need it for.
10318 */
10319 ret = EVP_PKEY_get1_DH(dhpkey);
10320 DH_free(ret);
33c39a06
MC		 10321
10322 EVP_PKEY_free(dhpkey);
10323
10324 return ret;
10325}
10326# endif
10327
10328/*
10329 * Test the various methods for setting temporary DH parameters
10330 *
10331 * Test 0: Default (no auto) setting
10332 * Test 1: Explicit SSL_CTX auto off
10333 * Test 2: Explicit SSL auto off
10334 * Test 3: Explicit SSL_CTX auto on
10335 * Test 4: Explicit SSL auto on
10336 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10337 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10338 *
10339 * The following are testing deprecated APIs, so we only run them if available
10340 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10341 * Test 8: Explicit SSL auto off, custom DH params via DH
10342 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10343 * Test 10: Explicit SSL auto off, custom DH params via callback
10344 */
10345static int test_set_tmp_dh(int idx)
10346{
10347 SSL_CTX *cctx = NULL, *sctx = NULL;
10348 SSL *clientssl = NULL, *serverssl = NULL;
10349 int testresult = 0;
10350 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10351 int expected = (idx <= 2) ? 0 : 1;
10352 EVP_PKEY *dhpkey = NULL;
10353# ifndef OPENSSL_NO_DEPRECATED_3_0
10354 DH *dh = NULL;
10355# else
10356
10357 if (idx >= 7)
10358 return 1;
10359# endif
10360
10361 if (idx >= 5 && idx <= 8) {
10362 dhpkey = get_tmp_dh_params();
10363 if (!TEST_ptr(dhpkey))
10364 goto end;
10365 }
10366# ifndef OPENSSL_NO_DEPRECATED_3_0
10367 if (idx == 7 || idx == 8) {
7bc0fdd3 10368 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 10369 if (!TEST_ptr(dh))
10370 goto end;
10371 }
10372# endif
10373
10374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10375 TLS_client_method(),
10376 0,
10377 0,
10378 &sctx, &cctx, cert, privkey)))
10379 goto end;
10380
10381 if ((idx & 1) == 1) {
10382 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10383 goto end;
10384 }
10385
10386 if (idx == 5) {
10387 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10388 goto end;
10389 dhpkey = NULL;
10390 }
10391# ifndef OPENSSL_NO_DEPRECATED_3_0
10392 else if (idx == 7) {
10393 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10394 goto end;
10395 } else if (idx == 9) {
10396 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10397 }
10398# endif
10399
10400 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10401 NULL, NULL)))
10402 goto end;
10403
10404 if ((idx & 1) == 0 && idx != 0) {
10405 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10406 goto end;
10407 }
10408 if (idx == 6) {
10409 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10410 goto end;
10411 dhpkey = NULL;
10412 }
10413# ifndef OPENSSL_NO_DEPRECATED_3_0
10414 else if (idx == 8) {
10415 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10416 goto end;
10417 } else if (idx == 10) {
10418 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10419 }
10420# endif
10421
10422 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10423 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10424 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10425 goto end;
10426
10427 /*
10428 * If autoon then we should succeed. Otherwise we expect failure because
10429 * there are no parameters
10430 */
10431 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10432 SSL_ERROR_NONE), expected))
10433 goto end;
10434
10435 testresult = 1;
10436
10437 end:
7bc0fdd3
MC		 10438# ifndef OPENSSL_NO_DEPRECATED_3_0
10439 DH_free(dh);
10440# endif
33c39a06
MC		 10441 SSL_free(serverssl);
10442 SSL_free(clientssl);
10443 SSL_CTX_free(sctx);
10444 SSL_CTX_free(cctx);
10445 EVP_PKEY_free(dhpkey);
10446
10447 return testresult;
10448}
3105d846
MC		 10449
10450/*
10451 * Test the auto DH keys are appropriately sized
10452 */
10453static int test_dh_auto(int idx)
10454{
61cab650
MC		 10455 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10456 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 10457 SSL *clientssl = NULL, *serverssl = NULL;
10458 int testresult = 0;
10459 EVP_PKEY *tmpkey = NULL;
10460 char *thiscert = NULL, *thiskey = NULL;
10461 size_t expdhsize = 0;
10462 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10463
61cab650
MC		 10464 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10465 goto end;
10466
3105d846
MC		 10467 switch (idx) {
10468 case 0:
10469 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10470 if (is_fips) {
10471 testresult = 1;
10472 goto end;
10473 }
3105d846
MC		 10474 thiscert = cert1024;
10475 thiskey = privkey1024;
10476 expdhsize = 1024;
61cab650
MC		 10477 SSL_CTX_set_security_level(sctx, 1);
10478 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 10479 break;
10480 case 1:
10481 /* 2048 bit prime */
10482 thiscert = cert;
10483 thiskey = privkey;
10484 expdhsize = 2048;
10485 break;
10486 case 2:
10487 thiscert = cert3072;
10488 thiskey = privkey3072;
10489 expdhsize = 3072;
10490 break;
10491 case 3:
10492 thiscert = cert4096;
10493 thiskey = privkey4096;
10494 expdhsize = 4096;
10495 break;
10496 case 4:
10497 thiscert = cert8192;
10498 thiskey = privkey8192;
10499 expdhsize = 8192;
10500 break;
10501 /* No certificate cases */
10502 case 5:
10503 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10504 if (is_fips) {
10505 testresult = 1;
10506 goto end;
10507 }
3105d846
MC		 10508 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10509 expdhsize = 1024;
10510 break;
10511 case 6:
10512 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10513 expdhsize = 3072;
10514 break;
10515 default:
10516 TEST_error("Invalid text index");
10517 goto end;
10518 }
10519
61cab650
MC		 10520 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10521 NULL,
3105d846
MC		 10522 0,
10523 0,
10524 &sctx, &cctx, thiscert, thiskey)))
10525 goto end;
10526
10527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10528 NULL, NULL)))
10529 goto end;
10530
10531 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10532 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10533 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10534 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10535 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10536 goto end;
10537
10538 /*
10539 * Send the server's first flight. At this point the server has created the
10540 * temporary DH key but hasn't finished using it yet. Once used it is
10541 * removed, so we cannot test it.
10542 */
10543 if (!TEST_int_le(SSL_connect(clientssl), 0)
10544 || !TEST_int_le(SSL_accept(serverssl), 0))
10545 goto end;
10546
10547 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10548 goto end;
ed576acd 10549 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 10550 goto end;
10551
10552 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10553 goto end;
10554
10555 testresult = 1;
10556
10557 end:
10558 SSL_free(serverssl);
10559 SSL_free(clientssl);
10560 SSL_CTX_free(sctx);
10561 SSL_CTX_free(cctx);
10562 EVP_PKEY_free(tmpkey);
10563
10564 return testresult;
10565
10566}
33c39a06
MC		 10567# endif /* OPENSSL_NO_DH */
10568#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 10569
a763ca11 10570#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 10571/*
10572 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10573 * that it works even without a certificate configured for the original
10574 * SSL_CTX
10575 */
10576static int test_sni_tls13(void)
10577{
10578 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10579 SSL *clientssl = NULL, *serverssl = NULL;
10580 int testresult = 0;
10581
10582 /* Reset callback counter */
10583 snicb = 0;
10584
10585 /* Create an initial SSL_CTX with no certificate configured */
10586 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10587 if (!TEST_ptr(sctx))
10588 goto end;
10589 /* Require TLSv1.3 as a minimum */
10590 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10591 TLS_client_method(), TLS1_3_VERSION, 0,
10592 &sctx2, &cctx, cert, privkey)))
10593 goto end;
10594
10595 /* Set up SNI */
10596 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10597 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10598 goto end;
10599
10600 /*
10601 * Connection should still succeed because the final SSL_CTX has the right
10602 * certificates configured.
10603 */
10604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10605 &clientssl, NULL, NULL))
10606 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10607 SSL_ERROR_NONE)))
10608 goto end;
10609
10610 /* We should have had the SNI callback called exactly once */
10611 if (!TEST_int_eq(snicb, 1))
10612 goto end;
10613
10614 testresult = 1;
10615
10616end:
10617 SSL_free(serverssl);
10618 SSL_free(clientssl);
10619 SSL_CTX_free(sctx2);
10620 SSL_CTX_free(sctx);
10621 SSL_CTX_free(cctx);
10622 return testresult;
10623}
0089cc7f
TS		 10624
10625/*
10626 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10627 * 0 = TLSv1.2
10628 * 1 = TLSv1.3
10629 */
10630static int test_ticket_lifetime(int idx)
10631{
10632 SSL_CTX *cctx = NULL, *sctx = NULL;
10633 SSL *clientssl = NULL, *serverssl = NULL;
10634 int testresult = 0;
10635 int version = TLS1_3_VERSION;
10636
10637#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10638#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10639
10640 if (idx == 0) {
40fb5a4c
TS		 10641#ifdef OPENSSL_NO_TLS1_2
10642 return TEST_skip("TLS 1.2 is disabled.");
10643#else
0089cc7f 10644 version = TLS1_2_VERSION;
40fb5a4c 10645#endif
0089cc7f
TS		 10646 }
10647
10648 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10649 TLS_client_method(), version, version,
10650 &sctx, &cctx, cert, privkey)))
10651 goto end;
10652
10653 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10654 &clientssl, NULL, NULL)))
10655 goto end;
10656
10657 /*
10658 * Set the timeout to be more than 1 week
10659 * make sure the returned value is the default
10660 */
10661 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10662 SSL_get_default_timeout(serverssl)))
10663 goto end;
10664
10665 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10666 goto end;
10667
10668 if (idx == 0) {
10669 /* TLSv1.2 uses the set value */
10670 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10671 goto end;
10672 } else {
10673 /* TLSv1.3 uses the limited value */
10674 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10675 goto end;
10676 }
10677 testresult = 1;
10678
10679end:
10680 SSL_free(serverssl);
10681 SSL_free(clientssl);
10682 SSL_CTX_free(sctx);
10683 SSL_CTX_free(cctx);
10684 return testresult;
10685}
6582661f 10686#endif
feba11cf
TS		 10687/*
10688 * Test that setting an ALPN does not violate RFC
10689 */
10690static int test_set_alpn(void)
10691{
10692 SSL_CTX *ctx = NULL;
10693 SSL *ssl = NULL;
10694 int testresult = 0;
10695
10696 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10697 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10698 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10699 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10700 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10701 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10702
10703 /* Create an initial SSL_CTX with no certificate configured */
10704 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10705 if (!TEST_ptr(ctx))
10706 goto end;
10707
10708 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10709 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10710 goto end;
10711 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10712 goto end;
10713 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10714 goto end;
10715 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10716 goto end;
10717 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10718 goto end;
10719 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10720 goto end;
10721 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10722 goto end;
10723 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10724 goto end;
10725 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10726 goto end;
10727
10728 ssl = SSL_new(ctx);
10729 if (!TEST_ptr(ssl))
10730 goto end;
10731
10732 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10733 goto end;
10734 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10735 goto end;
10736 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10737 goto end;
10738 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10739 goto end;
10740 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10741 goto end;
10742 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10743 goto end;
10744 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10745 goto end;
10746 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10747 goto end;
10748 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10749 goto end;
10750
10751 testresult = 1;
10752
10753end:
10754 SSL_free(ssl);
10755 SSL_CTX_free(ctx);
10756 return testresult;
10757}
6582661f 10758
948cf521
HL		 10759/*
10760 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10761 */
10762static int test_set_verify_cert_store_ssl_ctx(void)
10763{
10764 SSL_CTX *ctx = NULL;
10765 int testresult = 0;
10766 X509_STORE *store = NULL, *new_store = NULL,
10767 *cstore = NULL, *new_cstore = NULL;
10768
10769 /* Create an initial SSL_CTX. */
10770 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10771 if (!TEST_ptr(ctx))
10772 goto end;
10773
10774 /* Retrieve verify store pointer. */
10775 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10776 goto end;
10777
10778 /* Retrieve chain store pointer. */
10779 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10780 goto end;
10781
10782 /* We haven't set any yet, so this should be NULL. */
10783 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10784 goto end;
10785
10786 /* Create stores. We use separate stores so pointers are different. */
10787 new_store = X509_STORE_new();
10788 if (!TEST_ptr(new_store))
10789 goto end;
10790
10791 new_cstore = X509_STORE_new();
10792 if (!TEST_ptr(new_cstore))
10793 goto end;
10794
10795 /* Set stores. */
10796 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10797 goto end;
10798
10799 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10800 goto end;
10801
10802 /* Should be able to retrieve the same pointer. */
10803 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10804 goto end;
10805
10806 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10807 goto end;
10808
10809 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10810 goto end;
10811
10812 /* Should be able to unset again. */
10813 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10814 goto end;
10815
10816 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10817 goto end;
10818
10819 /* Should now be NULL. */
10820 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10821 goto end;
10822
10823 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10824 goto end;
10825
10826 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10827 goto end;
10828
10829 testresult = 1;
10830
10831end:
10832 X509_STORE_free(new_store);
10833 X509_STORE_free(new_cstore);
10834 SSL_CTX_free(ctx);
10835 return testresult;
10836}
10837
10838/*
10839 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10840 */
10841static int test_set_verify_cert_store_ssl(void)
10842{
10843 SSL_CTX *ctx = NULL;
10844 SSL *ssl = NULL;
10845 int testresult = 0;
10846 X509_STORE *store = NULL, *new_store = NULL,
10847 *cstore = NULL, *new_cstore = NULL;
10848
10849 /* Create an initial SSL_CTX. */
10850 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10851 if (!TEST_ptr(ctx))
10852 goto end;
10853
10854 /* Create an SSL object. */
10855 ssl = SSL_new(ctx);
10856 if (!TEST_ptr(ssl))
10857 goto end;
10858
10859 /* Retrieve verify store pointer. */
10860 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10861 goto end;
10862
10863 /* Retrieve chain store pointer. */
10864 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10865 goto end;
10866
10867 /* We haven't set any yet, so this should be NULL. */
10868 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10869 goto end;
10870
10871 /* Create stores. We use separate stores so pointers are different. */
10872 new_store = X509_STORE_new();
10873 if (!TEST_ptr(new_store))
10874 goto end;
10875
10876 new_cstore = X509_STORE_new();
10877 if (!TEST_ptr(new_cstore))
10878 goto end;
10879
10880 /* Set stores. */
10881 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10882 goto end;
10883
10884 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10885 goto end;
10886
10887 /* Should be able to retrieve the same pointer. */
10888 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10889 goto end;
10890
10891 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10892 goto end;
10893
10894 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10895 goto end;
10896
10897 /* Should be able to unset again. */
10898 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10899 goto end;
10900
10901 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10902 goto end;
10903
10904 /* Should now be NULL. */
10905 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10906 goto end;
10907
10908 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10909 goto end;
10910
10911 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10912 goto end;
10913
10914 testresult = 1;
10915
10916end:
10917 X509_STORE_free(new_store);
10918 X509_STORE_free(new_cstore);
10919 SSL_free(ssl);
10920 SSL_CTX_free(ctx);
10921 return testresult;
10922}
10923
10924
dfccfde0
CH		 10925static int test_inherit_verify_param(void)
10926{
10927 int testresult = 0;
10928
10929 SSL_CTX *ctx = NULL;
10930 X509_VERIFY_PARAM *cp = NULL;
10931 SSL *ssl = NULL;
10932 X509_VERIFY_PARAM *sp = NULL;
10933 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10934
10935 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10936 if (!TEST_ptr(ctx))
10937 goto end;
10938
10939 cp = SSL_CTX_get0_param(ctx);
10940 if (!TEST_ptr(cp))
10941 goto end;
10942 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10943 goto end;
10944
10945 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10946
10947 ssl = SSL_new(ctx);
10948 if (!TEST_ptr(ssl))
10949 goto end;
10950
10951 sp = SSL_get0_param(ssl);
10952 if (!TEST_ptr(sp))
10953 goto end;
10954 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10955 goto end;
10956
10957 testresult = 1;
10958
10959 end:
10960 SSL_free(ssl);
10961 SSL_CTX_free(ctx);
10962
10963 return testresult;
10964}
10965
b2b8d188
DF		 10966static int test_load_dhfile(void)
10967{
10968#ifndef OPENSSL_NO_DH
10969 int testresult = 0;
10970
10971 SSL_CTX *ctx = NULL;
10972 SSL_CONF_CTX *cctx = NULL;
10973
10974 if (dhfile == NULL)
10975 return 1;
10976
10977 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10978 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10979 goto end;
10980
10981 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10982 SSL_CONF_CTX_set_flags(cctx,
10983 SSL_CONF_FLAG_CERTIFICATE
10984 | SSL_CONF_FLAG_SERVER
10985 | SSL_CONF_FLAG_FILE);
10986
10987 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10988 goto end;
10989
10990 testresult = 1;
10991end:
10992 SSL_CONF_CTX_free(cctx);
10993 SSL_CTX_free(ctx);
10994
10995 return testresult;
10996#else
10997 return TEST_skip("DH not supported by this build");
10998#endif
10999}
11000
f7565348
MC		 11001#ifndef OSSL_NO_USABLE_TLS1_3
11002/* Test that read_ahead works across a key change */
11003static int test_read_ahead_key_change(void)
11004{
11005 SSL_CTX *cctx = NULL, *sctx = NULL;
11006 SSL *clientssl = NULL, *serverssl = NULL;
11007 int testresult = 0;
11008 char *msg = "Hello World";
11009 size_t written, readbytes;
11010 char buf[80];
11011 int i;
11012
11013 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11014 TLS_client_method(), TLS1_3_VERSION, 0,
11015 &sctx, &cctx, cert, privkey)))
11016 goto end;
11017
11018 SSL_CTX_set_read_ahead(sctx, 1);
11019
11020 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11021 &clientssl, NULL, NULL)))
11022 goto end;
11023
11024 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11025 goto end;
11026
11027 /* Write some data, send a key update, write more data */
11028 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11029 || !TEST_size_t_eq(written, strlen(msg)))
11030 goto end;
11031
11032 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
11033 goto end;
11034
11035 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11036 || !TEST_size_t_eq(written, strlen(msg)))
11037 goto end;
11038
11039 /*
11040 * Since read_ahead is on the first read below should read the record with
11041 * the first app data, the second record with the key update message, and
11042 * the third record with the app data all in one go. We should be able to
11043 * still process the read_ahead data correctly even though it crosses
11044 * epochs
11045 */
11046 for (i = 0; i < 2; i++) {
11047 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11048 &readbytes)))
11049 goto end;
11050
11051 buf[readbytes] = '\0';
11052 if (!TEST_str_eq(buf, msg))
11053 goto end;
11054 }
11055
11056 testresult = 1;
11057
11058end:
11059 SSL_free(serverssl);
11060 SSL_free(clientssl);
11061 SSL_CTX_free(sctx);
11062 SSL_CTX_free(cctx);
11063 return testresult;
11064}
f3f8e53c
MC		 11065
11066static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
11067{
11068 int *called = arg;
11069
11070 switch ((*called)++) {
11071 case 0:
11072 /* Add some padding to first record */
11073 return 512;
11074 case 1:
11075 /* Maximally pad the second record */
11076 return SSL3_RT_MAX_PLAIN_LENGTH - len;
11077 case 2:
11078 /*
11079 * Exceeding the maximum padding should be fine. It should just pad to
11080 * the maximum anyway
11081 */
11082 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
11083 case 3:
11084 /*
11085 * Very large padding should also be ok. Should just pad to the maximum
11086 * allowed
11087 */
11088 return SIZE_MAX;
11089 default:
11090 return 0;
11091 }
11092}
11093
11094/*
11095 * Test that setting record padding in TLSv1.3 works as expected
11096 * Test 0: Record padding callback on the SSL_CTX
11097 * Test 1: Record padding callback on the SSL
11098 * Test 2: Record block padding on the SSL_CTX
11099 * Test 3: Record block padding on the SSL
11100 */
11101static int test_tls13_record_padding(int idx)
11102{
11103 SSL_CTX *cctx = NULL, *sctx = NULL;
11104 SSL *clientssl = NULL, *serverssl = NULL;
11105 int testresult = 0;
11106 char *msg = "Hello World";
11107 size_t written, readbytes;
11108 char buf[80];
11109 int i;
11110 int called = 0;
11111
11112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11113 TLS_client_method(), TLS1_3_VERSION, 0,
11114 &sctx, &cctx, cert, privkey)))
11115 goto end;
11116
11117 if (idx == 0) {
11118 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
11119 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
11120 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
11121 goto end;
11122 } else if (idx == 2) {
11123 /* Exceeding the max plain length should fail */
11124 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
11125 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11126 goto end;
11127 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
11128 goto end;
11129 }
11130
11131 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11132 &clientssl, NULL, NULL)))
11133 goto end;
11134
11135 if (idx == 1) {
11136 SSL_set_record_padding_callback(clientssl, record_pad_cb);
11137 SSL_set_record_padding_callback_arg(clientssl, &called);
11138 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
11139 goto end;
11140 } else if (idx == 3) {
11141 /* Exceeding the max plain length should fail */
11142 if (!TEST_false(SSL_set_block_padding(clientssl,
11143 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
11144 goto end;
11145 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
11146 goto end;
11147 }
11148
11149 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11150 goto end;
11151
11152 called = 0;
11153 /*
11154 * Write some data, then check we can read it. Do this four times to check
11155 * we can continue to write and read padded data after the initial record
11156 * padding has been added. We don't actually check that the padding has
11157 * been applied to the record - just that we can continue to communicate
11158 * normally and that the callback has been called (if appropriate).
11159 */
11160 for (i = 0; i < 4; i++) {
11161 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
11162 || !TEST_size_t_eq(written, strlen(msg)))
11163 goto end;
11164
11165 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
11166 &readbytes))
11167 || !TEST_size_t_eq(written, readbytes))
11168 goto end;
11169
11170 buf[readbytes] = '\0';
11171 if (!TEST_str_eq(buf, msg))
11172 goto end;
11173 }
11174
11175 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
11176 goto end;
11177
11178 testresult = 1;
11179end:
11180 SSL_free(serverssl);
11181 SSL_free(clientssl);
11182 SSL_CTX_free(sctx);
11183 SSL_CTX_free(cctx);
11184 return testresult;
11185}
f7565348
MC		 11186#endif /* OSSL_NO_USABLE_TLS1_3 */
11187
b718f6fc 11188#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f
MC		 11189
11190static ENGINE *load_dasync(void)
11191{
11192 ENGINE *e;
11193
11194 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
11195 return NULL;
11196
11197 if (!TEST_true(ENGINE_init(e))) {
11198 ENGINE_free(e);
11199 return NULL;
11200 }
11201
11202 if (!TEST_true(ENGINE_register_ciphers(e))) {
11203 ENGINE_free(e);
11204 return NULL;
11205 }
11206
11207 return e;
11208}
11209
b718f6fc
MC		 11210/*
11211 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
11212 * support this yet. The only pipeline capable cipher that we have is in the
11213 * dasync engine (providers don't support this yet), so we have to use
11214 * deprecated APIs for this test.
11215 *
11216 * Test 0: Client has pipelining enabled, server does not
11217 * Test 1: Server has pipelining enabled, client does not
11218 * Test 2: Client has pipelining enabled, server does not: not enough data to
11219 * fill all the pipelines
11220 * Test 3: Client has pipelining enabled, server does not: not enough data to
11221 * fill all the pipelines by more than a full pipeline's worth
11222 * Test 4: Client has pipelining enabled, server does not: more data than all
11223 * the available pipelines can take
11224 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
7765d25f
MC		 11225 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
11226 * is created)
b718f6fc
MC		 11227 */
11228static int test_pipelining(int idx)
11229{
11230 SSL_CTX *cctx = NULL, *sctx = NULL;
11231 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
11232 int testresult = 0, numreads;
11233 /* A 55 byte message */
11234 unsigned char *msg = (unsigned char *)
11235 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
11236 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
11237 size_t expectedreads;
11238 unsigned char *buf = NULL;
7765d25f 11239 ENGINE *e = NULL;
b718f6fc 11240
7765d25f
MC		 11241 if (idx != 6) {
11242 e = load_dasync();
11243 if (e == NULL)
11244 return 0;
b718f6fc
MC		 11245 }
11246
b718f6fc
MC		 11247 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11248 TLS_client_method(), 0,
11249 TLS1_2_VERSION, &sctx, &cctx, cert,
11250 privkey)))
11251 goto end;
11252
7765d25f
MC		 11253 if (idx == 6) {
11254 e = load_dasync();
11255 if (e == NULL)
11256 goto end;
11257 /* Now act like test 0 */
11258 idx = 0;
11259 }
11260
b718f6fc
MC		 11261 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11262 &clientssl, NULL, NULL)))
11263 goto end;
11264
11265 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
11266 goto end;
11267
11268 /* peera is always configured for pipelining, while peerb is not. */
11269 if (idx == 1) {
11270 peera = serverssl;
11271 peerb = clientssl;
11272
11273 } else {
11274 peera = clientssl;
11275 peerb = serverssl;
11276 }
11277
11278 if (idx == 5) {
11279 numpipes = 2;
11280 /* Maximum allowed fragment size */
11281 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
11282 msglen = fragsize * numpipes;
11283 msg = OPENSSL_malloc(msglen);
11284 if (!TEST_ptr(msg))
11285 goto end;
11286 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
11287 goto end;
11288 } else if (idx == 4) {
11289 msglen = 55;
11290 } else {
11291 msglen = 50;
11292 }
11293 if (idx == 2)
11294 msglen -= 2; /* Send 2 less bytes */
11295 else if (idx == 3)
11296 msglen -= 12; /* Send 12 less bytes */
11297
11298 buf = OPENSSL_malloc(msglen);
11299 if (!TEST_ptr(buf))
11300 goto end;
11301
11302 if (idx == 5) {
11303 /*
11304 * Test that setting a split send fragment longer than the maximum
11305 * allowed fails
11306 */
11307 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11308 goto end;
11309 }
11310
11311 /*
11312 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11313 * (50 bytes in total). This is a ridiculously small number of bytes -
11314 * but sufficient for our purposes
11315 */
11316 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11317 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11318 goto end;
11319
11320 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11321 goto end;
11322
11323 /* Write some data from peera to peerb */
11324 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11325 || !TEST_size_t_eq(written, msglen))
11326 goto end;
11327
11328 /*
11329 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11330 * have been used - except in test 3 where only |numpipes - 1| pipelines
11331 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11332 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11333 * expect this to be read in |numpipes| or |numpipes - 1| separate
11334 * SSL_read_ex calls. In the case of test 4, there is then one additional
11335 * read for left over data that couldn't fit in the previous pipelines
11336 */
11337 for (offset = 0, numreads = 0;
11338 offset < msglen;
11339 offset += readbytes, numreads++) {
11340 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11341 msglen - offset, &readbytes)))
11342 goto end;
11343 }
11344
11345 expectedreads = idx == 4 ? numpipes + 1
11346 : (idx == 3 ? numpipes - 1 : numpipes);
11347 if (!TEST_mem_eq(msg, msglen, buf, offset)
11348 || !TEST_int_eq(numreads, expectedreads))
11349 goto end;
11350
11351 /*
11352 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11353 * chunks to exercise the read pipelining code on peera.
11354 */
11355 for (offset = 0; offset < msglen; offset += fragsize) {
11356 size_t sendlen = msglen - offset;
11357
11358 if (sendlen > fragsize)
11359 sendlen = fragsize;
11360 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11361 || !TEST_size_t_eq(written, sendlen))
11362 goto end;
11363 }
11364
11365 /*
11366 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11367 * separate chunks (depending on which test we are running). If the
11368 * pipelining is working then we expect peera to read up to numpipes chunks
11369 * and process them in parallel, giving back the complete result in a single
11370 * call to SSL_read_ex
11371 */
11372 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11373 || !TEST_size_t_le(readbytes, msglen))
11374 goto end;
11375
11376 if (idx == 4) {
11377 size_t readbytes2;
11378
11379 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11380 msglen - readbytes, &readbytes2)))
11381 goto end;
11382 readbytes += readbytes2;
11383 if (!TEST_size_t_le(readbytes, msglen))
11384 goto end;
11385 }
11386
11387 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11388 goto end;
11389
11390 testresult = 1;
11391end:
11392 SSL_free(serverssl);
11393 SSL_free(clientssl);
11394 SSL_CTX_free(sctx);
11395 SSL_CTX_free(cctx);
7765d25f
MC		 11396 if (e != NULL) {
11397 ENGINE_unregister_ciphers(e);
11398 ENGINE_finish(e);
11399 ENGINE_free(e);
11400 }
b718f6fc 11401 OPENSSL_free(buf);
06a0d403 11402 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
b718f6fc
MC		 11403 OPENSSL_free(msg);
11404 return testresult;
11405}
11406#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11407
843f6e27
MC		 11408static int check_version_string(SSL *s, int version)
11409{
11410 const char *verstr = NULL;
11411
11412 switch (version) {
11413 case SSL3_VERSION:
11414 verstr = "SSLv3";
11415 break;
11416 case TLS1_VERSION:
11417 verstr = "TLSv1";
11418 break;
11419 case TLS1_1_VERSION:
11420 verstr = "TLSv1.1";
11421 break;
11422 case TLS1_2_VERSION:
11423 verstr = "TLSv1.2";
11424 break;
11425 case TLS1_3_VERSION:
11426 verstr = "TLSv1.3";
11427 break;
11428 case DTLS1_VERSION:
11429 verstr = "DTLSv1";
11430 break;
11431 case DTLS1_2_VERSION:
11432 verstr = "DTLSv1.2";
11433 }
11434
11435 return TEST_str_eq(verstr, SSL_get_version(s));
11436}
11437
11438/*
11439 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11440 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11441 * test_version() in quicapitest.c which does the same thing for QUIC
11442 * connections.
11443 */
11444static int test_version(int idx)
11445{
11446 SSL_CTX *cctx = NULL, *sctx = NULL;
11447 SSL *clientssl = NULL, *serverssl = NULL;
11448 int testresult = 0, version;
11449 const SSL_METHOD *servmeth = TLS_server_method();
11450 const SSL_METHOD *clientmeth = TLS_client_method();
11451
11452 switch (idx) {
11453#if !defined(OPENSSL_NO_SSL3)
11454 case 0:
11455 version = SSL3_VERSION;
11456 break;
11457#endif
11458#if !defined(OPENSSL_NO_TLS1)
11459 case 1:
11460 version = TLS1_VERSION;
11461 break;
11462#endif
11463#if !defined(OPENSSL_NO_TLS1_2)
11464 case 2:
11465 version = TLS1_2_VERSION;
11466 break;
11467#endif
11468#if !defined(OSSL_NO_USABLE_TLS1_3)
11469 case 3:
11470 version = TLS1_3_VERSION;
11471 break;
11472#endif
11473#if !defined(OPENSSL_NO_DTLS1)
11474 case 4:
11475 version = DTLS1_VERSION;
11476 break;
11477#endif
11478#if !defined(OPENSSL_NO_DTLS1_2)
11479 case 5:
11480 version = DTLS1_2_VERSION;
11481 break;
11482#endif
11483 /*
11484 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11485 * We also don't support DTLS1_BAD_VER since we have no server support for
11486 * that.
11487 */
11488 default:
11489 TEST_skip("Unsupported protocol version");
11490 return 1;
11491 }
11492
11493 if (is_fips
11494 && (version == SSL3_VERSION
11495 || version == TLS1_VERSION
11496 || version == DTLS1_VERSION)) {
11497 TEST_skip("Protocol version not supported with FIPS");
11498 return 1;
11499 }
11500
11501#if !defined(OPENSSL_NO_DTLS)
11502 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11503 servmeth = DTLS_server_method();
11504 clientmeth = DTLS_client_method();
11505 }
11506#endif
11507
11508 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11509 version, &sctx, &cctx, cert, privkey)))
11510 goto end;
11511
11512 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11513 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11514 "DEFAULT:@SECLEVEL=0")))
11515 goto end;
11516
11517 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11518 &clientssl, NULL, NULL)))
11519 goto end;
11520
11521 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11522 goto end;
11523
11524 if (!TEST_int_eq(SSL_version(serverssl), version)
11525 || !TEST_int_eq(SSL_version(clientssl), version)
11526 || !TEST_true(check_version_string(serverssl, version))
11527 || !TEST_true(check_version_string(clientssl, version)))
11528 goto end;
11529
11530 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11531 if (!TEST_true(SSL_is_dtls(serverssl))
11532 || !TEST_true(SSL_is_dtls(clientssl))
11533 || !TEST_false(SSL_is_tls(serverssl))
11534 || !TEST_false(SSL_is_tls(clientssl))
11535 || !TEST_false(SSL_is_quic(serverssl))
11536 || !TEST_false(SSL_is_quic(clientssl)))
11537 goto end;
11538 } else {
11539 if (!TEST_true(SSL_is_tls(serverssl))
11540 || !TEST_true(SSL_is_tls(clientssl))
11541 || !TEST_false(SSL_is_dtls(serverssl))
11542 || !TEST_false(SSL_is_dtls(clientssl))
11543 || !TEST_false(SSL_is_quic(serverssl))
11544 || !TEST_false(SSL_is_quic(clientssl)))
11545 goto end;
11546 }
11547
11548 testresult = 1;
11549end:
11550 SSL_free(serverssl);
11551 SSL_free(clientssl);
11552 SSL_CTX_free(sctx);
11553 SSL_CTX_free(cctx);
11554 return testresult;
11555}
11556
79ee0172
MC		 11557/*
11558 * Test that the SSL_rstate_string*() APIs return sane results
11559 */
11560static int test_rstate_string(void)
11561{
11562 SSL_CTX *cctx = NULL, *sctx = NULL;
11563 SSL *clientssl = NULL, *serverssl = NULL;
11564 int testresult = 0, version;
11565 const SSL_METHOD *servmeth = TLS_server_method();
11566 const SSL_METHOD *clientmeth = TLS_client_method();
11567 size_t written, readbytes;
11568 unsigned char buf[2];
11569 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11570 SSL3_RT_APPLICATION_DATA,
11571 TLS1_2_VERSION_MAJOR,
11572 0, /* To be filled in later */
11573 0,
11574 1
11575 };
11576
11577 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11578 0, &sctx, &cctx, cert, privkey)))
11579 goto end;
11580
11581 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11582 &clientssl, NULL, NULL)))
11583 goto end;
11584
11585 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11586 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11587 goto end;
11588
11589 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11590 goto end;
11591
11592 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11593 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11594 goto end;
11595
11596 /* Fill in the correct version for the record header */
11597 version = SSL_version(serverssl);
11598 if (version == TLS1_3_VERSION)
11599 version = TLS1_2_VERSION;
11600 dummyheader[2] = version & 0xff;
11601
11602 /*
11603 * Send a dummy header. If we continued to read the body as well this
11604 * would fail with a bad record mac, but we're not going to go that far.
11605 */
11606 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11607 sizeof(dummyheader), &written))
11608 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11609 goto end;
11610
11611 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11612 goto end;
11613
11614 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11615 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11616 goto end;
11617
11618 testresult = 1;
11619end:
11620 SSL_free(serverssl);
11621 SSL_free(clientssl);
11622 SSL_CTX_free(sctx);
11623 SSL_CTX_free(cctx);
11624 return testresult;
11625}
11626
149c4f98
MC		 11627/*
11628 * Force a write retry during handshaking. We test various combinations of
11629 * scenarios. We test a large certificate message which will fill the buffering
11630 * BIO used in the handshake. We try with client auth on and off. Finally we
11631 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11632 * to indicate retry via -1 - but sometimes BIOs don't do that.
11633 *
11634 * Test 0: Standard certificate message
11635 * Test 1: Large certificate message
11636 * Test 2: Standard cert, verify peer
11637 * Test 3: Large cert, verify peer
11638 * Test 4: Standard cert, BIO returns 0 on retry
11639 * Test 5: Large cert, BIO returns 0 on retry
11640 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11641 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11642 * Test 8-15: Repeat of above with TLSv1.2
11643 */
11644static int test_handshake_retry(int idx)
11645{
11646 SSL_CTX *cctx = NULL, *sctx = NULL;
11647 SSL *clientssl = NULL, *serverssl = NULL;
11648 int testresult = 0;
11649 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11650 int maxversion = 0;
11651
11652 if (!TEST_ptr(bretry))
11653 goto end;
11654
11655#ifndef OPENSSL_NO_TLS1_2
11656 if ((idx & 8) == 8)
11657 maxversion = TLS1_2_VERSION;
11658#else
11659 if ((idx & 8) == 8)
11660 return TEST_skip("No TLSv1.2");
11661#endif
11662
11663 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11664 TLS_client_method(), 0, maxversion,
11665 &sctx, &cctx, cert, privkey)))
11666 goto end;
11667
11668 /*
11669 * Add a large amount of data to fill the buffering BIO used by the SSL
11670 * object
11671 */
3860ef2a 11672 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98
MC		 11673 goto end;
11674
11675 /*
11676 * We don't actually configure a client cert, but neither do we fail if one
11677 * isn't present.
11678 */
11679 if ((idx & 2) == 2)
11680 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11681
11682 if ((idx & 4) == 4)
11683 set_always_retry_err_val(0);
11684
11685 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11686 &clientssl, NULL, NULL)))
11687 goto end;
11688
11689 tmp = SSL_get_wbio(serverssl);
11690 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11691 tmp = NULL;
11692 goto end;
11693 }
11694 SSL_set0_wbio(serverssl, bretry);
11695 bretry = NULL;
11696
11697 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11698 goto end;
11699
11700 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11701 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11702 goto end;
11703
11704 /* Restore a BIO that will let the write succeed */
11705 SSL_set0_wbio(serverssl, tmp);
11706 tmp = NULL;
11707
11708 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11709 goto end;
11710
11711 testresult = 1;
11712end:
11713 SSL_free(serverssl);
11714 SSL_free(clientssl);
11715 SSL_CTX_free(sctx);
11716 SSL_CTX_free(cctx);
11717 BIO_free(bretry);
11718 BIO_free(tmp);
11719 set_always_retry_err_val(-1);
11720 return testresult;
11721}
11722
dbbdb940
MC		 11723/*
11724 * Test that receiving retries when writing application data works as expected
11725 */
11726static int test_data_retry(void)
11727{
11728 SSL_CTX *cctx = NULL, *sctx = NULL;
11729 SSL *clientssl = NULL, *serverssl = NULL;
11730 int testresult = 0;
11731 unsigned char inbuf[1200], outbuf[1200];
11732 size_t i;
11733 BIO *tmp = NULL;
11734 BIO *bretry = BIO_new(bio_s_maybe_retry());
11735 size_t written, readbytes, totread = 0;
11736
11737 if (!TEST_ptr(bretry))
11738 goto end;
11739
11740 for (i = 0; i < sizeof(inbuf); i++)
74efc547 11741 inbuf[i] = (unsigned char)(0xff & i);
dbbdb940
MC		 11742 memset(outbuf, 0, sizeof(outbuf));
11743
11744 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11745 TLS_client_method(), 0, 0, &sctx, &cctx,
11746 cert, privkey)))
11747 goto end;
11748
11749 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11750 NULL)))
11751 goto end;
11752
11753 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11754 goto end;
11755
11756 /* Smallest possible max send fragment is 512 */
11757 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11758 goto end;
11759
11760 tmp = SSL_get_wbio(clientssl);
11761 if (!TEST_ptr(tmp))
11762 goto end;
11763 if (!TEST_true(BIO_up_ref(tmp)))
11764 goto end;
11765 BIO_push(bretry, tmp);
11766 tmp = NULL;
11767 SSL_set0_wbio(clientssl, bretry);
11768 if (!BIO_up_ref(bretry)) {
11769 bretry = NULL;
11770 goto end;
11771 }
11772
11773 for (i = 0; i < 3; i++) {
11774 /* We expect this call to make no progress and indicate retry */
11775 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11776 goto end;
11777 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11778 goto end;
11779
164a541b 11780 /* Allow one write to progress, but the next one to signal retry */
dbbdb940
MC		 11781 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11782 NULL)))
11783 goto end;
11784
11785 if (i == 2)
11786 break;
11787
11788 /*
11789 * This call will hopefully make progress but will still indicate retry
11790 * because there is more data than will fit into a single record.
11791 */
11792 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11793 goto end;
11794 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11795 goto end;
11796 }
11797
11798 /* The final call should write the last chunk of data and succeed */
11799 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11800 goto end;
11801 /* Read all the data available */
11802 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11803 &readbytes))
11804 totread += readbytes;
11805 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11806 goto end;
11807
11808 testresult = 1;
11809end:
11810 SSL_free(serverssl);
11811 SSL_free(clientssl);
11812 SSL_CTX_free(sctx);
11813 SSL_CTX_free(cctx);
11814 BIO_free_all(bretry);
11815 BIO_free(tmp);
11816 return testresult;
11817}
11818
cfeaf33a
MC		 11819struct resume_servername_cb_data {
11820 int i;
11821 SSL_CTX *cctx;
11822 SSL_CTX *sctx;
11823 SSL_SESSION *sess;
11824 int recurse;
11825};
11826
11827/*
11828 * Servername callback. We use it here to run another complete handshake using
11829 * the same session - and mark the session as not_resuamble at the end
11830 */
11831static int resume_servername_cb(SSL *s, int *ad, void *arg)
11832{
11833 struct resume_servername_cb_data *cbdata = arg;
11834 SSL *serverssl = NULL, *clientssl = NULL;
11835 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
11836
11837 if (cbdata->recurse)
11838 return SSL_TLSEXT_ERR_ALERT_FATAL;
11839
11840 if ((cbdata->i % 3) != 1)
11841 return SSL_TLSEXT_ERR_OK;
11842
11843 cbdata->recurse = 1;
11844
11845 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
11846 &clientssl, NULL, NULL))
11847 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
11848 goto end;
11849
11850 ERR_set_mark();
11851 /*
11852 * We expect this to fail - because the servername cb will fail. This will
11853 * mark the session as not_resumable.
11854 */
11855 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
11856 ERR_clear_last_mark();
11857 goto end;
11858 }
11859 ERR_pop_to_mark();
11860
11861 ret = SSL_TLSEXT_ERR_OK;
11862 end:
11863 SSL_free(serverssl);
11864 SSL_free(clientssl);
11865 cbdata->recurse = 0;
11866 return ret;
11867}
0447cd69
MC		 11868/*
11869 * Test multiple resumptions and cache size handling
11870 * Test 0: TLSv1.3 (max_early_data set)
11871 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11872 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
cfeaf33a
MC		 11873 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
11874 * Test 4: TLSv1.2
0447cd69
MC		 11875 */
11876static int test_multi_resume(int idx)
11877{
11878 SSL_CTX *sctx = NULL, *cctx = NULL;
11879 SSL *serverssl = NULL, *clientssl = NULL;
11880 SSL_SESSION *sess = NULL;
11881 int max_version = TLS1_3_VERSION;
11882 int i, testresult = 0;
cfeaf33a 11883 struct resume_servername_cb_data cbdata;
0447cd69 11884
cfeaf33a
MC		 11885#if defined(OPENSSL_NO_TLS1_2)
11886 if (idx == 4)
11887 return TEST_skip("TLSv1.2 is disabled in this build");
11888#else
11889 if (idx == 4)
0447cd69 11890 max_version = TLS1_2_VERSION;
cfeaf33a
MC		 11891#endif
11892#if defined(OSSL_NO_USABLE_TLS1_3)
11893 if (idx != 4)
11894 return TEST_skip("No usable TLSv1.3 in this build");
11895#endif
0447cd69
MC		 11896
11897 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11898 TLS_client_method(), TLS1_VERSION,
11899 max_version, &sctx, &cctx, cert,
11900 privkey)))
11901 goto end;
11902
11903 /*
11904 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11905 * replay protection), or if SSL_OP_NO_TICKET is in use
11906 */
11907 if (idx == 0 || idx == 2) {
11908 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11909 goto end;
11910 }
cfeaf33a 11911 if (idx == 1 || idx == 2 || idx == 3)
0447cd69
MC		 11912 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11913
11914 SSL_CTX_sess_set_cache_size(sctx, 5);
11915
cfeaf33a
MC		 11916 if (idx == 3) {
11917 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
11918 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
11919 cbdata.cctx = cctx;
11920 cbdata.sctx = sctx;
11921 cbdata.recurse = 0;
11922 }
11923
0447cd69
MC		 11924 for (i = 0; i < 30; i++) {
11925 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11926 NULL, NULL))
11927 || !TEST_true(SSL_set_session(clientssl, sess)))
11928 goto end;
11929
cfeaf33a
MC		 11930 /*
11931 * Check simultaneous resumes. We pause the connection part way through
11932 * the handshake by (mis)using the servername_cb. The pause occurs after
11933 * session resumption has already occurred, but before any session
11934 * tickets have been issued. While paused we run another complete
11935 * handshake resuming the same session.
11936 */
11937 if (idx == 3) {
11938 cbdata.i = i;
11939 cbdata.sess = sess;
11940 }
11941
0447cd69
MC		 11942 /*
11943 * Recreate a bug where dynamically changing the max_early_data value
11944 * can cause sessions in the session cache which cannot be deleted.
11945 */
11946 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11947 SSL_set_max_early_data(serverssl, 0);
11948
11949 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11950 goto end;
11951
11952 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11953 if (!TEST_false(SSL_session_reused(clientssl)))
11954 goto end;
11955 } else {
11956 if (!TEST_true(SSL_session_reused(clientssl)))
11957 goto end;
11958 }
11959 SSL_SESSION_free(sess);
11960
11961 /* Do a full handshake, followed by two resumptions */
11962 if ((i % 3) == 2) {
11963 sess = NULL;
11964 } else {
11965 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11966 goto end;
11967 }
11968
11969 SSL_shutdown(clientssl);
11970 SSL_shutdown(serverssl);
11971 SSL_free(serverssl);
11972 SSL_free(clientssl);
11973 serverssl = clientssl = NULL;
11974 }
11975
11976 /* We should never exceed the session cache size limit */
11977 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11978 goto end;
11979
11980 testresult = 1;
11981 end:
11982 SSL_free(serverssl);
11983 SSL_free(clientssl);
11984 SSL_CTX_free(sctx);
11985 SSL_CTX_free(cctx);
11986 SSL_SESSION_free(sess);
11987 return testresult;
11988}
11989
b2b8d188 11990OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 11991
ad887416 11992int setup_tests(void)
2cb4b5f6 11993{
5e30f2fd
MC		 11994 char *modulename;
11995 char *configfile;
11996
b4250010 11997 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 11998 if (!TEST_ptr(libctx))
11999 return 0;
12000
12001 defctxnull = OSSL_PROVIDER_load(NULL, "null");
12002
12003 /*
12004 * Verify that the default and fips providers in the default libctx are not
12005 * available
12006 */
12007 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
12008 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
12009 return 0;
12010
8d242823
MC		 12011 if (!test_skip_common_options()) {
12012 TEST_error("Error parsing test options\n");
12013 return 0;
12014 }
12015
1a2a3a42
MC		 12016 if (!TEST_ptr(certsdir = test_get_argument(0))
12017 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 12018 || !TEST_ptr(tmpfilename = test_get_argument(2))
12019 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 12020 || !TEST_ptr(configfile = test_get_argument(4))
12021 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 12022 return 0;
12023
b4250010 12024 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 12025 return 0;
12026
12027 /* Check we have the expected provider available */
12028 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
12029 return 0;
12030
12031 /* Check the default provider is not available */
12032 if (strcmp(modulename, "default") != 0
12033 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 12034 return 0;
2cb4b5f6 12035
50ea5cdc 12036 if (strcmp(modulename, "fips") == 0) {
12037 OSSL_PROVIDER *prov = NULL;
12038 OSSL_PARAM params[2];
12039
4f6c7044
MC		 12040 is_fips = 1;
12041
50ea5cdc 12042 prov = OSSL_PROVIDER_load(libctx, "fips");
12043 if (prov != NULL) {
12044 /* Query the fips provider to check if the check ems option is enabled */
12045 params[0] =
12046 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
12047 &fips_ems_check);
12048 params[1] = OSSL_PARAM_construct_end();
12049 OSSL_PROVIDER_get_params(prov, params);
12050 OSSL_PROVIDER_unload(prov);
12051 }
12052 }
12053
0c13cdf8
MC		 12054 /*
12055 * We add, but don't load the test "tls-provider". We'll load it when we
12056 * need it.
12057 */
12058 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
12059 tls_provider_init)))
12060 return 0;
12061
12062
f297e4ec
RS		 12063 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
12064#ifdef OPENSSL_NO_CRYPTO_MDEBUG
12065 TEST_error("not supported in this build");
12066 return 0;
12067#else
12068 int i, mcount, rcount, fcount;
12069
12070 for (i = 0; i < 4; i++)
12071 test_export_key_mat(i);
12072 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
12073 test_printf_stdout("malloc %d realloc %d free %d\n",
12074 mcount, rcount, fcount);
12075 return 1;
12076#endif
12077 }
12078
1a2a3a42
MC		 12079 cert = test_mk_file_path(certsdir, "servercert.pem");
12080 if (cert == NULL)
b3842539 12081 goto err;
1a2a3a42
MC		 12082
12083 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 12084 if (privkey == NULL)
12085 goto err;
12086
12087 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
12088 if (cert2 == NULL)
12089 goto err;
12090
12091 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
12092 if (privkey2 == NULL)
12093 goto err;
1a2a3a42 12094
3105d846
MC		 12095 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
12096 if (cert1024 == NULL)
12097 goto err;
12098
12099 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
12100 if (privkey1024 == NULL)
12101 goto err;
12102
12103 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
12104 if (cert3072 == NULL)
12105 goto err;
12106
12107 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
12108 if (privkey3072 == NULL)
12109 goto err;
12110
12111 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
12112 if (cert4096 == NULL)
12113 goto err;
12114
12115 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
12116 if (privkey4096 == NULL)
12117 goto err;
12118
12119 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
12120 if (cert8192 == NULL)
12121 goto err;
12122
12123 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
12124 if (privkey8192 == NULL)
12125 goto err;
12126
50ea5cdc 12127 if (fips_ems_check) {
12128#ifndef OPENSSL_NO_TLS1_2
12129 ADD_TEST(test_no_ems);
12130#endif
12131 return 1;
12132 }
da4db160 12133#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 12134# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526 12135 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
cd715b7e 12136 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
c8e3a4c6 12137# endif
fe5d9450 12138#endif
84d5549e 12139 ADD_TEST(test_large_message_tls);
7856332e 12140 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 12141#ifndef OPENSSL_NO_DTLS
84d5549e 12142 ADD_TEST(test_large_message_dtls);
55386bef 12143#endif
2fda45d5 12144 ADD_ALL_TESTS(test_large_app_data, 28);
163b8016 12145 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 12146#ifndef OPENSSL_NO_OCSP
c887104f 12147 ADD_TEST(test_tlsext_status_type);
8f8c11d8 12148#endif
eaa776da
MC		 12149 ADD_TEST(test_session_with_only_int_cache);
12150 ADD_TEST(test_session_with_only_ext_cache);
12151 ADD_TEST(test_session_with_both_cache);
90fc2c26 12152 ADD_TEST(test_session_wo_ca_names);
a763ca11 12153#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 12154 ADD_ALL_TESTS(test_stateful_tickets, 3);
12155 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 12156 ADD_TEST(test_psk_tickets);
f0049b86 12157 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 12158#endif
7fb4c820 12159 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 12160 ADD_TEST(test_ssl_bio_pop_next_bio);
12161 ADD_TEST(test_ssl_bio_pop_ssl_bio);
12162 ADD_TEST(test_ssl_bio_change_rbio);
12163 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 12164#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 12165 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 12166 ADD_TEST(test_keylog);
c423ecaa 12167#endif
a763ca11 12168#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 12169 ADD_TEST(test_keylog_no_master_key);
12170#endif
0c3eb279 12171 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 12172 ADD_TEST(test_ssl_build_cert_chain);
12173 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 12174#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 12175 ADD_TEST(test_client_hello_cb);
088dfa13 12176 ADD_TEST(test_no_ems);
3cd14e5e 12177 ADD_TEST(test_ccs_change_cipher);
5f982038 12178#endif
a763ca11 12179#ifndef OSSL_NO_USABLE_TLS1_3
10836921 12180 ADD_ALL_TESTS(test_early_data_read_write, 6);
78fb5374
MC		 12181 /*
12182 * We don't do replay tests for external PSK. Replay protection isn't used
12183 * in that scenario.
12184 */
12185 ADD_ALL_TESTS(test_early_data_replay, 2);
10836921
MC		 12186 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
12187 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
12188 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
12189 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
02a3ed5a 12190 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 12191 ADD_ALL_TESTS(test_early_data_psk, 8);
b6a5e801 12192 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7);
02a3ed5a 12193 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 12194# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 12195 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 12196# endif
e9ee6536 12197#endif
a763ca11 12198#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 12199 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 12200 ADD_TEST(test_ciphersuite_change);
5bf2eade 12201 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
12202# ifdef OPENSSL_NO_PSK
c2b290c3 12203 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 12204# else
0d8da779 12205 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 12206# endif /* OPENSSL_NO_PSK */
71583393
MM		 12207#ifndef OSSL_NO_USABLE_TLS1_3
12208 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
12209#endif /* OSSL_NO_USABLE_TLS1_3 */
5bf2eade 12210# ifndef OPENSSL_NO_TLS1_2
12211 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 12212 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 12213# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
12214 ADD_ALL_TESTS(test_negotiated_group,
12215 4 * (OSSL_NELEM(ecdhe_kexch_groups)
12216 + OSSL_NELEM(ffdhe_kexch_groups)));
12217# endif
5bf2eade 12218# else
12219 /* Test with only TLSv1.3 versions */
12220 ADD_ALL_TESTS(test_key_exchange, 12);
12221# endif
0db3a990 12222 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 12223 ADD_TEST(test_stateless);
9d75dce3 12224 ADD_TEST(test_pha_key_update);
a273157a 12225#else
bb01ef3f 12226 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 12227#endif
0fb2815b 12228 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 12229#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 12230 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 12231 ADD_TEST(test_key_update);
0c48fda8 12232 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
12233 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
12234 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
12235 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 12236#endif
5de8c49d 12237 ADD_ALL_TESTS(test_ssl_clear, 8);
cf72c757 12238 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 12239#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
12240 ADD_ALL_TESTS(test_srp, 6);
12241#endif
b67cb09f
TS		 12242#if !defined(OPENSSL_NO_COMP_ALG)
12243 /* Add compression case */
12244 ADD_ALL_TESTS(test_info_callback, 8);
12245#else
5718fe45 12246 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 12247#endif
4a432af8 12248 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 12249 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 12250 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 12251 ADD_ALL_TESTS(test_shutdown, 7);
cbf965b4 12252 ADD_TEST(test_async_shutdown);
e638112e 12253 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 12254 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 12255 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 12256 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 12257#ifndef OPENSSL_NO_TLS1_2
12258 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
12259#endif
49ef3d07 12260 ADD_ALL_TESTS(test_servername, 10);
2b4cea1e 12261 ADD_TEST(test_unknown_sigalgs_groups);
b1fdbc68 12262#if !defined(OPENSSL_NO_EC) \
a763ca11 12263 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 12264 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 12265#endif
12266#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 12267 ADD_ALL_TESTS(test_pluggable_group, 2);
3c95ef22 12268 ADD_ALL_TESTS(test_pluggable_signature, 4);
49a36a52
MC		 12269#endif
12270#ifndef OPENSSL_NO_TLS1_2
12271 ADD_TEST(test_ssl_dup);
c8dddc61 12272 ADD_TEST(test_session_secret_cb);
33c39a06
MC		 12273# ifndef OPENSSL_NO_DH
12274 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 12275 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 12276# endif
6582661f 12277#endif
a763ca11 12278#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 12279 ADD_TEST(test_sni_tls13);
0089cc7f 12280 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 12281#endif
dfccfde0 12282 ADD_TEST(test_inherit_verify_param);
feba11cf 12283 ADD_TEST(test_set_alpn);
948cf521
HL		 12284 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
12285 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 12286 ADD_ALL_TESTS(test_session_timeout, 1);
4a3e8f08
MC		 12287#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
12288 ADD_ALL_TESTS(test_session_cache_overflow, 4);
12289#endif
b2b8d188 12290 ADD_TEST(test_load_dhfile);
f7565348
MC		 12291#ifndef OSSL_NO_USABLE_TLS1_3
12292 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 12293 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 12294#endif
12295#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
12296 ADD_ALL_TESTS(test_serverinfo_custom, 4);
b718f6fc
MC		 12297#endif
12298#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f 12299 ADD_ALL_TESTS(test_pipelining, 7);
f7565348 12300#endif
843f6e27 12301 ADD_ALL_TESTS(test_version, 6);
79ee0172 12302 ADD_TEST(test_rstate_string);
149c4f98 12303 ADD_ALL_TESTS(test_handshake_retry, 16);
dbbdb940 12304 ADD_TEST(test_data_retry);
cfeaf33a 12305 ADD_ALL_TESTS(test_multi_resume, 5);
ad887416 12306 return 1;
b3842539
MC		 12307
12308 err:
12309 OPENSSL_free(cert);
12310 OPENSSL_free(privkey);
12311 OPENSSL_free(cert2);
12312 OPENSSL_free(privkey2);
12313 return 0;
ad887416 12314}
2cb4b5f6 12315
ad887416
P		 12316void cleanup_tests(void)
12317{
8778f0eb 12318# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 12319 EVP_PKEY_free(tmp_dh_params);
12320#endif
1a2a3a42
MC		 12321 OPENSSL_free(cert);
12322 OPENSSL_free(privkey);
b3842539
MC		 12323 OPENSSL_free(cert2);
12324 OPENSSL_free(privkey2);
3105d846
MC		 12325 OPENSSL_free(cert1024);
12326 OPENSSL_free(privkey1024);
12327 OPENSSL_free(cert3072);
12328 OPENSSL_free(privkey3072);
12329 OPENSSL_free(cert4096);
12330 OPENSSL_free(privkey4096);
12331 OPENSSL_free(cert8192);
12332 OPENSSL_free(privkey8192);
fa454945 12333 bio_s_mempacket_test_free();
a77b4dba 12334 bio_s_always_retry_free();
dbbdb940 12335 bio_s_maybe_retry_free();
5e30f2fd 12336 OSSL_PROVIDER_unload(defctxnull);
b4250010 12337 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 12338}
A mirror of the official openssl repository