]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SHAKE documentation updates for default output length.
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
2cb4b5f6 36
20f8bc72 37#include "helpers/ssltestlib.h"
c887104f 38#include "testutil.h"
f297e4ec 39#include "testutil/output.h"
176db6dc 40#include "internal/nelem.h"
fe5d9450 41#include "internal/ktls.h"
706457b7 42#include "../ssl/ssl_local.h"
b0001d0c 43#include "filterprov.h"
2cb4b5f6 44
a763ca11
MC		 45#undef OSSL_NO_USABLE_TLS1_3
46#if defined(OPENSSL_NO_TLS1_3) \
47 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
48/*
49 * If we don't have ec or dh then there are no built-in groups that are usable
50 * with TLSv1.3
51 */
52# define OSSL_NO_USABLE_TLS1_3
53#endif
54
0c13cdf8
MC		 55/* Defined in tls-provider.c */
56int tls_provider_init(const OSSL_CORE_HANDLE *handle,
57 const OSSL_DISPATCH *in,
58 const OSSL_DISPATCH **out,
59 void **provctx);
852c2ed2 60
b4250010 61static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 62static OSSL_PROVIDER *defctxnull = NULL;
63
a763ca11 64#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 65
66static SSL_SESSION *clientpsk = NULL;
67static SSL_SESSION *serverpsk = NULL;
68static const char *pskid = "Identity";
69static const char *srvid;
70
71static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
72 size_t *idlen, SSL_SESSION **sess);
73static int find_session_cb(SSL *ssl, const unsigned char *identity,
74 size_t identity_len, SSL_SESSION **sess);
75
76static int use_session_cb_cnt = 0;
77static int find_session_cb_cnt = 0;
78
79static SSL_SESSION *create_a_psk(SSL *ssl);
80#endif
81
1a2a3a42 82static char *certsdir = NULL;
2cb4b5f6
MC		 83static char *cert = NULL;
84static char *privkey = NULL;
b3842539
MC		 85static char *cert2 = NULL;
86static char *privkey2 = NULL;
3105d846
MC		 87static char *cert1024 = NULL;
88static char *privkey1024 = NULL;
89static char *cert3072 = NULL;
90static char *privkey3072 = NULL;
91static char *cert4096 = NULL;
92static char *privkey4096 = NULL;
93static char *cert8192 = NULL;
94static char *privkey8192 = NULL;
76fd7a1d
MC		 95static char *srpvfile = NULL;
96static char *tmpfilename = NULL;
b2b8d188 97static char *dhfile = NULL;
2cb4b5f6 98
4f6c7044
MC		 99static int is_fips = 0;
100
cffe973c 101#define LOG_BUFFER_SIZE 2048
6acdd3e5 102static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 103static size_t server_log_buffer_index = 0;
6acdd3e5 104static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 105static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 106static int error_writing_log = 0;
107
8f8c11d8 108#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 109static const unsigned char orespder[] = "Dummy OCSP Response";
110static int ocsp_server_called = 0;
111static int ocsp_client_called = 0;
112
113static int cdummyarg = 1;
114static X509 *ocspcert = NULL;
8f8c11d8 115#endif
ba881d3b 116
84d5549e 117#define NUM_EXTRA_CERTS 40
cf72c757 118#define CLIENT_VERSION_LEN 2
84d5549e 119
f1a5939f
CB		 120/*
121 * This structure is used to validate that the correct number of log messages
122 * of various types are emitted when emitting secret logs.
123 */
124struct sslapitest_log_counts {
125 unsigned int rsa_key_exchange_count;
126 unsigned int master_secret_count;
cffe973c 127 unsigned int client_early_secret_count;
f1a5939f
CB		 128 unsigned int client_handshake_secret_count;
129 unsigned int server_handshake_secret_count;
130 unsigned int client_application_secret_count;
131 unsigned int server_application_secret_count;
01a2a654 132 unsigned int early_exporter_secret_count;
6329ce8f 133 unsigned int exporter_secret_count;
f1a5939f
CB		 134};
135
16afd71c
MC		 136
137static unsigned char serverinfov1[] = {
138 0xff, 0xff, /* Dummy extension type */
139 0x00, 0x01, /* Extension length is 1 byte */
140 0xff /* Dummy extension data */
141};
142
143static unsigned char serverinfov2[] = {
144 0x00, 0x00, 0x00,
145 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
146 0xff, 0xff, /* Dummy extension type */
147 0x00, 0x01, /* Extension length is 1 byte */
148 0xff /* Dummy extension data */
149};
150
104a733d
MC		 151static int hostname_cb(SSL *s, int *al, void *arg)
152{
153 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
154
155 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
156 || strcmp(hostname, "altgoodhost") == 0))
157 return SSL_TLSEXT_ERR_OK;
158
159 return SSL_TLSEXT_ERR_NOACK;
160}
161
710756a9
RS		 162static void client_keylog_callback(const SSL *ssl, const char *line)
163{
6acdd3e5
CB		 164 int line_length = strlen(line);
165
166 /* If the log doesn't fit, error out. */
710756a9
RS		 167 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
168 TEST_info("Client log too full");
6acdd3e5
CB		 169 error_writing_log = 1;
170 return;
171 }
172
173 strcat(client_log_buffer, line);
174 client_log_buffer_index += line_length;
710756a9 175 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 176}
177
710756a9
RS		 178static void server_keylog_callback(const SSL *ssl, const char *line)
179{
6acdd3e5
CB		 180 int line_length = strlen(line);
181
182 /* If the log doesn't fit, error out. */
710756a9 183 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 184 TEST_info("Server log too full");
6acdd3e5
CB		 185 error_writing_log = 1;
186 return;
187 }
188
189 strcat(server_log_buffer, line);
190 server_log_buffer_index += line_length;
710756a9 191 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 192}
193
194static int compare_hex_encoded_buffer(const char *hex_encoded,
195 size_t hex_length,
196 const uint8_t *raw,
710756a9
RS		 197 size_t raw_length)
198{
199 size_t i, j;
200 char hexed[3];
6acdd3e5 201
710756a9 202 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 203 return 1;
6acdd3e5 204
710756a9 205 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 206 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 207 if (!TEST_int_eq(hexed[0], hex_encoded[j])
208 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 209 return 1;
6acdd3e5
CB		 210 }
211
212 return 0;
213}
214
215static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 216 const SSL_SESSION *session,
710756a9
RS		 217 struct sslapitest_log_counts *expected)
218{
6acdd3e5
CB		 219 char *token = NULL;
220 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
221 size_t client_random_size = SSL3_RANDOM_SIZE;
222 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
223 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 224 unsigned int rsa_key_exchange_count = 0;
225 unsigned int master_secret_count = 0;
cffe973c 226 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 227 unsigned int client_handshake_secret_count = 0;
228 unsigned int server_handshake_secret_count = 0;
229 unsigned int client_application_secret_count = 0;
230 unsigned int server_application_secret_count = 0;
01a2a654 231 unsigned int early_exporter_secret_count = 0;
6329ce8f 232 unsigned int exporter_secret_count = 0;
6acdd3e5 233
710756a9
RS		 234 for (token = strtok(buffer, " \n"); token != NULL;
235 token = strtok(NULL, " \n")) {
6acdd3e5 236 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 237 /*
238 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 239 * hex-encoded encrypted secret, then the hex-encoded pre-master
240 * secret.
241 */
710756a9 242 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 243 return 0;
710756a9 244 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 245 return 0;
710756a9 246 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 247 return 0;
f1a5939f
CB		 248 /*
249 * We can't sensibly check the log because the premaster secret is
250 * transient, and OpenSSL doesn't keep hold of it once the master
251 * secret is generated.
252 */
253 rsa_key_exchange_count++;
6acdd3e5 254 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 255 /*
256 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 257 * client random, then the hex-encoded master secret.
258 */
259 client_random_size = SSL_get_client_random(ssl,
260 actual_client_random,
261 SSL3_RANDOM_SIZE);
710756a9 262 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 263 return 0;
6acdd3e5 264
710756a9 265 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 266 return 0;
710756a9 267 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 268 return 0;
710756a9
RS		 269 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
270 actual_client_random,
271 client_random_size)))
f1a5939f 272 return 0;
6acdd3e5 273
710756a9 274 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 275 return 0;
6acdd3e5
CB		 276 master_key_size = SSL_SESSION_get_master_key(session,
277 actual_master_key,
278 master_key_size);
710756a9 279 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 280 return 0;
710756a9
RS		 281 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
282 actual_master_key,
283 master_key_size)))
f1a5939f 284 return 0;
f1a5939f 285 master_secret_count++;
cffe973c
PW		 286 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 288 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
289 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 290 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 291 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 292 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 293 /*
294 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
295 * client random, and then the hex-encoded secret. In this case,
296 * we treat all of these secrets identically and then just
297 * distinguish between them when counting what we saw.
298 */
cffe973c
PW		 299 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
300 client_early_secret_count++;
301 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 302 client_handshake_secret_count++;
303 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
304 server_handshake_secret_count++;
305 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
306 client_application_secret_count++;
307 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
308 server_application_secret_count++;
01a2a654
PW		 309 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
310 early_exporter_secret_count++;
6329ce8f
PW		 311 else if (strcmp(token, "EXPORTER_SECRET") == 0)
312 exporter_secret_count++;
f1a5939f
CB		 313
314 client_random_size = SSL_get_client_random(ssl,
315 actual_client_random,
316 SSL3_RANDOM_SIZE);
710756a9 317 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 318 return 0;
f1a5939f 319
710756a9 320 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 321 return 0;
710756a9 322 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 323 return 0;
710756a9
RS		 324 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
325 actual_client_random,
326 client_random_size)))
f1a5939f 327 return 0;
6acdd3e5 328
710756a9 329 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 330 return 0;
6acdd3e5 331 } else {
710756a9 332 TEST_info("Unexpected token %s\n", token);
f1a5939f 333 return 0;
6acdd3e5 334 }
6acdd3e5
CB		 335 }
336
710756a9
RS		 337 /* Got what we expected? */
338 if (!TEST_size_t_eq(rsa_key_exchange_count,
339 expected->rsa_key_exchange_count)
340 || !TEST_size_t_eq(master_secret_count,
341 expected->master_secret_count)
cffe973c
PW		 342 || !TEST_size_t_eq(client_early_secret_count,
343 expected->client_early_secret_count)
710756a9
RS		 344 || !TEST_size_t_eq(client_handshake_secret_count,
345 expected->client_handshake_secret_count)
346 || !TEST_size_t_eq(server_handshake_secret_count,
347 expected->server_handshake_secret_count)
348 || !TEST_size_t_eq(client_application_secret_count,
349 expected->client_application_secret_count)
350 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 351 expected->server_application_secret_count)
01a2a654
PW		 352 || !TEST_size_t_eq(early_exporter_secret_count,
353 expected->early_exporter_secret_count)
6329ce8f
PW		 354 || !TEST_size_t_eq(exporter_secret_count,
355 expected->exporter_secret_count))
710756a9
RS		 356 return 0;
357 return 1;
6acdd3e5
CB		 358}
359
a763ca11 360#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 361static int test_keylog(void)
362{
6acdd3e5
CB		 363 SSL_CTX *cctx = NULL, *sctx = NULL;
364 SSL *clientssl = NULL, *serverssl = NULL;
365 int testresult = 0;
6fc1e624 366 struct sslapitest_log_counts expected;
6acdd3e5
CB		 367
368 /* Clean up logging space */
6fc1e624 369 memset(&expected, 0, sizeof(expected));
710756a9
RS		 370 memset(client_log_buffer, 0, sizeof(client_log_buffer));
371 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 372 client_log_buffer_index = 0;
373 server_log_buffer_index = 0;
374 error_writing_log = 0;
375
5e30f2fd 376 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 377 TLS_client_method(),
5c587fb6 378 TLS1_VERSION, 0,
710756a9 379 &sctx, &cctx, cert, privkey)))
6acdd3e5 380 return 0;
6acdd3e5
CB		 381
382 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
383 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
384 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
385
f0deb4d3 386 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 387 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 388 goto end;
f0deb4d3 389
cf10df81
RS		 390 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
391 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 392 goto end;
6acdd3e5 393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
710756a9 397 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 398 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
399 == server_keylog_callback))
6acdd3e5 400 goto end;
6acdd3e5 401
710756a9
RS		 402 /* Now do a handshake and check that the logs have been written to. */
403 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
404 &clientssl, NULL, NULL))
405 || !TEST_true(create_ssl_connection(serverssl, clientssl,
406 SSL_ERROR_NONE))
407 || !TEST_false(error_writing_log)
408 || !TEST_int_gt(client_log_buffer_index, 0)
409 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 410 goto end;
6acdd3e5 411
f1a5939f
CB		 412 /*
413 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 414 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 415 * data we expect. For both client and server, we expect to see one master
416 * secret. The client should also see a RSA key exchange.
6acdd3e5 417 */
f1a5939f
CB		 418 expected.rsa_key_exchange_count = 1;
419 expected.master_secret_count = 1;
710756a9
RS		 420 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
421 SSL_get_session(clientssl), &expected)))
6acdd3e5 422 goto end;
f1a5939f
CB		 423
424 expected.rsa_key_exchange_count = 0;
710756a9
RS		 425 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
426 SSL_get_session(serverssl), &expected)))
6acdd3e5 427 goto end;
6acdd3e5
CB		 428
429 testresult = 1;
430
431end:
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 SSL_CTX_free(sctx);
435 SSL_CTX_free(cctx);
436
437 return testresult;
438}
c423ecaa 439#endif
6acdd3e5 440
a763ca11 441#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 442static int test_keylog_no_master_key(void)
443{
6acdd3e5
CB		 444 SSL_CTX *cctx = NULL, *sctx = NULL;
445 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 446 SSL_SESSION *sess = NULL;
6acdd3e5 447 int testresult = 0;
6fc1e624 448 struct sslapitest_log_counts expected;
cffe973c
PW		 449 unsigned char buf[1];
450 size_t readbytes, written;
6acdd3e5
CB		 451
452 /* Clean up logging space */
6fc1e624 453 memset(&expected, 0, sizeof(expected));
710756a9
RS		 454 memset(client_log_buffer, 0, sizeof(client_log_buffer));
455 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 456 client_log_buffer_index = 0;
457 server_log_buffer_index = 0;
458 error_writing_log = 0;
459
5e30f2fd
MC		 460 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
461 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 462 &sctx, &cctx, cert, privkey))
463 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 464 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 465 return 0;
6acdd3e5 466
cf10df81
RS		 467 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
468 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 469 goto end;
6acdd3e5
CB		 470
471 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 472 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
473 == client_keylog_callback))
6acdd3e5 474 goto end;
6acdd3e5 475
710756a9 476 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 477 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
478 == server_keylog_callback))
6acdd3e5 479 goto end;
6acdd3e5 480
710756a9
RS		 481 /* Now do a handshake and check that the logs have been written to. */
482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
483 &clientssl, NULL, NULL))
484 || !TEST_true(create_ssl_connection(serverssl, clientssl,
485 SSL_ERROR_NONE))
486 || !TEST_false(error_writing_log))
6acdd3e5 487 goto end;
6acdd3e5 488
f1a5939f
CB		 489 /*
490 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 491 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 492 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 493 */
f1a5939f
CB		 494 expected.client_handshake_secret_count = 1;
495 expected.server_handshake_secret_count = 1;
496 expected.client_application_secret_count = 1;
497 expected.server_application_secret_count = 1;
6329ce8f 498 expected.exporter_secret_count = 1;
710756a9
RS		 499 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
500 SSL_get_session(clientssl), &expected))
501 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
502 SSL_get_session(serverssl),
503 &expected)))
6acdd3e5 504 goto end;
6acdd3e5 505
cffe973c
PW		 506 /* Terminate old session and resume with early data. */
507 sess = SSL_get1_session(clientssl);
508 SSL_shutdown(clientssl);
509 SSL_shutdown(serverssl);
510 SSL_free(serverssl);
511 SSL_free(clientssl);
512 serverssl = clientssl = NULL;
513
514 /* Reset key log */
515 memset(client_log_buffer, 0, sizeof(client_log_buffer));
516 memset(server_log_buffer, 0, sizeof(server_log_buffer));
517 client_log_buffer_index = 0;
518 server_log_buffer_index = 0;
519
520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
521 &clientssl, NULL, NULL))
522 || !TEST_true(SSL_set_session(clientssl, sess))
523 /* Here writing 0 length early data is enough. */
524 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
525 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
526 &readbytes),
527 SSL_READ_EARLY_DATA_ERROR)
528 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
529 SSL_EARLY_DATA_ACCEPTED)
530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
531 SSL_ERROR_NONE))
532 || !TEST_true(SSL_session_reused(clientssl)))
533 goto end;
534
535 /* In addition to the previous entries, expect early secrets. */
536 expected.client_early_secret_count = 1;
01a2a654 537 expected.early_exporter_secret_count = 1;
cffe973c
PW		 538 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
539 SSL_get_session(clientssl), &expected))
540 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
541 SSL_get_session(serverssl),
542 &expected)))
543 goto end;
544
6acdd3e5
CB		 545 testresult = 1;
546
547end:
cffe973c 548 SSL_SESSION_free(sess);
6acdd3e5
CB		 549 SSL_free(serverssl);
550 SSL_free(clientssl);
551 SSL_CTX_free(sctx);
552 SSL_CTX_free(cctx);
553
554 return testresult;
555}
556#endif
557
0c3eb279
DDO		 558static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
559{
560 int res = X509_verify_cert(ctx);
dfb39f73
TM		 561 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
562 SSL *ssl;
563
564 /* this should not happen but check anyway */
565 if (idx < 0
566 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
567 return 0;
0c3eb279
DDO		 568
569 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
570 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 571 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
572 return SSL_set_retry_verify(ssl);
573
0c3eb279
DDO		 574 return res;
575}
576
577static int test_client_cert_verify_cb(void)
578{
579 /* server key, cert, chain, and root */
580 char *skey = test_mk_file_path(certsdir, "leaf.key");
581 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
582 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
583 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
584 char *root = test_mk_file_path(certsdir, "rootCA.pem");
585 X509 *crt1 = NULL, *crt2 = NULL;
586 STACK_OF(X509) *server_chain;
587 SSL_CTX *cctx = NULL, *sctx = NULL;
588 SSL *clientssl = NULL, *serverssl = NULL;
589 int testresult = 0;
590
591 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
592 TLS_client_method(), TLS1_VERSION, 0,
593 &sctx, &cctx, NULL, NULL)))
594 goto end;
595 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
596 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
597 SSL_FILETYPE_PEM), 1)
598 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
599 goto end;
600 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
601 goto end;
602 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
603 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
605 &clientssl, NULL, NULL)))
606 goto end;
607
608 /* attempt SSL_connect() with incomplete server chain */
609 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
610 SSL_ERROR_WANT_RETRY_VERIFY)))
611 goto end;
612
613 /* application provides intermediate certs needed to verify server cert */
614 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
615 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
616 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
617 goto end;
618 /* add certs in reverse order to demonstrate real chain building */
619 if (!TEST_true(sk_X509_push(server_chain, crt1)))
620 goto end;
621 crt1 = NULL;
622 if (!TEST_true(sk_X509_push(server_chain, crt2)))
623 goto end;
624 crt2 = NULL;
625
626 /* continue SSL_connect(), must now succeed with completed server chain */
627 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
628 SSL_ERROR_NONE)))
629 goto end;
630
631 testresult = 1;
632
633end:
634 X509_free(crt1);
635 X509_free(crt2);
c38048e7
P		 636 if (clientssl != NULL) {
637 SSL_shutdown(clientssl);
638 SSL_free(clientssl);
639 }
640 if (serverssl != NULL) {
641 SSL_shutdown(serverssl);
642 SSL_free(serverssl);
643 }
0c3eb279
DDO		 644 SSL_CTX_free(sctx);
645 SSL_CTX_free(cctx);
646
647 OPENSSL_free(skey);
648 OPENSSL_free(leaf);
649 OPENSSL_free(int2);
650 OPENSSL_free(int1);
651 OPENSSL_free(root);
652
653 return testresult;
654}
655
4e4ae840
SL		 656static int test_ssl_build_cert_chain(void)
657{
658 int ret = 0;
659 SSL_CTX *ssl_ctx = NULL;
660 SSL *ssl = NULL;
661 char *skey = test_mk_file_path(certsdir, "leaf.key");
662 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
663
664 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
665 goto end;
666 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
667 goto end;
668 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
669 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
670 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
671 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
672 goto end;
673 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
674 | SSL_BUILD_CHAIN_FLAG_CHECK)))
675 goto end;
676 ret = 1;
677end:
678 SSL_free(ssl);
679 SSL_CTX_free(ssl_ctx);
680 OPENSSL_free(leaf_chain);
681 OPENSSL_free(skey);
682 return ret;
683}
684
c7debe81
TM		 685static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
686{
687 static const char pass[] = "testpass";
688
689 if (!TEST_int_eq(size, PEM_BUFSIZE))
690 return -1;
691
692 memcpy(buf, pass, sizeof(pass) - 1);
693 return sizeof(pass) - 1;
694}
695
4e4ae840
SL		 696static int test_ssl_ctx_build_cert_chain(void)
697{
698 int ret = 0;
699 SSL_CTX *ctx = NULL;
c7debe81 700 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 701 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
702
703 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
704 goto end;
c7debe81 705 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 706 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
707 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
708 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
709 SSL_FILETYPE_PEM), 1)
710 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
711 goto end;
712 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
713 | SSL_BUILD_CHAIN_FLAG_CHECK)))
714 goto end;
715 ret = 1;
716end:
717 SSL_CTX_free(ctx);
718 OPENSSL_free(leaf_chain);
719 OPENSSL_free(skey);
720 return ret;
721}
722
e9ee6536 723#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 724static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 725{
726 int *ctr = arg;
727 const unsigned char *p;
8ea404fb 728 int *exts;
2afaee51
BK		 729 /* We only configure two ciphers, but the SCSV is added automatically. */
730#ifdef OPENSSL_NO_EC
731 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
732#else
733 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
734 0x2c, 0x00, 0xff};
735#endif
8ea404fb
BK		 736 const int expected_extensions[] = {
737#ifndef OPENSSL_NO_EC
738 11, 10,
739#endif
10ed1b72 740 35, 22, 23, 13};
2afaee51
BK		 741 size_t len;
742
743 /* Make sure we can defer processing and get called back. */
744 if ((*ctr)++ == 0)
f1b97da1 745 return SSL_CLIENT_HELLO_RETRY;
2afaee51 746
a9c0d8be 747 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 748 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 749 || !TEST_size_t_eq(
750 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 751 || !TEST_int_eq(*p, 0))
f1b97da1 752 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 753 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 754 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 755 if (len != OSSL_NELEM(expected_extensions) ||
756 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 757 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 758 OPENSSL_free(exts);
f1b97da1 759 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 760 }
761 OPENSSL_free(exts);
f1b97da1 762 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 763}
764
a9c0d8be 765static int test_client_hello_cb(void)
710756a9 766{
2afaee51
BK		 767 SSL_CTX *cctx = NULL, *sctx = NULL;
768 SSL *clientssl = NULL, *serverssl = NULL;
769 int testctr = 0, testresult = 0;
770
5e30f2fd
MC		 771 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
772 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 773 &sctx, &cctx, cert, privkey)))
2afaee51 774 goto end;
a9c0d8be 775 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 776
2afaee51
BK		 777 /* The gimpy cipher list we configure can't do TLS 1.3. */
778 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 779
710756a9
RS		 780 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
781 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
782 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
783 &clientssl, NULL, NULL))
784 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 785 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 786 /*
787 * Passing a -1 literal is a hack since
788 * the real value was lost.
789 * */
a9c0d8be
DB		 790 || !TEST_int_eq(SSL_get_error(serverssl, -1),
791 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 792 || !TEST_true(create_ssl_connection(serverssl, clientssl,
793 SSL_ERROR_NONE)))
2afaee51 794 goto end;
2afaee51
BK		 795
796 testresult = 1;
797
088dfa13
TS		 798end:
799 SSL_free(serverssl);
800 SSL_free(clientssl);
801 SSL_CTX_free(sctx);
802 SSL_CTX_free(cctx);
803
804 return testresult;
805}
806
807static int test_no_ems(void)
808{
809 SSL_CTX *cctx = NULL, *sctx = NULL;
810 SSL *clientssl = NULL, *serverssl = NULL;
811 int testresult = 0;
812
5e30f2fd 813 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 814 TLS1_VERSION, TLS1_2_VERSION,
815 &sctx, &cctx, cert, privkey)) {
816 printf("Unable to create SSL_CTX pair\n");
817 goto end;
818 }
819
820 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
821
822 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
823 printf("Unable to create SSL objects\n");
824 goto end;
825 }
826
827 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
828 printf("Creating SSL connection failed\n");
829 goto end;
830 }
831
832 if (SSL_get_extms_support(serverssl)) {
833 printf("Server reports Extended Master Secret support\n");
834 goto end;
835 }
836
837 if (SSL_get_extms_support(clientssl)) {
838 printf("Client reports Extended Master Secret support\n");
839 goto end;
840 }
841 testresult = 1;
842
2afaee51
BK		 843end:
844 SSL_free(serverssl);
845 SSL_free(clientssl);
846 SSL_CTX_free(sctx);
847 SSL_CTX_free(cctx);
848
849 return testresult;
850}
851
3cd14e5e
BK		 852/*
853 * Very focused test to exercise a single case in the server-side state
854 * machine, when the ChangeCipherState message needs to actually change
855 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 856 * encryption to real encryption).
3cd14e5e
BK		 857 */
858static int test_ccs_change_cipher(void)
859{
860 SSL_CTX *cctx = NULL, *sctx = NULL;
861 SSL *clientssl = NULL, *serverssl = NULL;
862 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
863 int testresult = 0;
864 int i;
865 unsigned char buf;
866 size_t readbytes;
867
868 /*
e304aa87 869 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 870 * a different cipher in the second connection.
871 */
5e30f2fd 872 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 873 TLS_client_method(),
874 TLS1_VERSION, TLS1_2_VERSION,
875 &sctx, &cctx, cert, privkey))
876 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
877 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
878 NULL, NULL))
879 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
881 SSL_ERROR_NONE))
882 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
883 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
884 goto end;
885
886 shutdown_ssl_connection(serverssl, clientssl);
887 serverssl = clientssl = NULL;
888
889 /* Resume, preferring a different cipher. Our server will force the
890 * same cipher to be used as the initial handshake. */
891 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
892 NULL, NULL))
893 || !TEST_true(SSL_set_session(clientssl, sess))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
895 || !TEST_true(create_ssl_connection(serverssl, clientssl,
896 SSL_ERROR_NONE))
897 || !TEST_true(SSL_session_reused(clientssl))
898 || !TEST_true(SSL_session_reused(serverssl))
899 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
900 || !TEST_ptr_eq(sesspre, sesspost)
901 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
902 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
903 goto end;
904 shutdown_ssl_connection(serverssl, clientssl);
905 serverssl = clientssl = NULL;
906
907 /*
908 * Now create a fresh connection and try to renegotiate a different
909 * cipher on it.
910 */
b3e6d666
BK		 911 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
912 NULL, NULL))
3cd14e5e
BK		 913 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
914 || !TEST_true(create_ssl_connection(serverssl, clientssl,
915 SSL_ERROR_NONE))
916 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
917 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
918 || !TEST_true(SSL_renegotiate(clientssl))
919 || !TEST_true(SSL_renegotiate_pending(clientssl)))
920 goto end;
921 /* Actually drive the renegotiation. */
922 for (i = 0; i < 3; i++) {
923 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
931 if (!TEST_ulong_eq(readbytes, 0))
932 goto end;
933 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
934 SSL_ERROR_WANT_READ)) {
935 goto end;
936 }
937 }
938 /* sesspre and sesspost should be different since the cipher changed. */
939 if (!TEST_false(SSL_renegotiate_pending(clientssl))
940 || !TEST_false(SSL_session_reused(clientssl))
941 || !TEST_false(SSL_session_reused(serverssl))
942 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
943 || !TEST_ptr_ne(sesspre, sesspost)
944 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
945 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
946 goto end;
947
948 shutdown_ssl_connection(serverssl, clientssl);
949 serverssl = clientssl = NULL;
950
951 testresult = 1;
952
953end:
954 SSL_free(serverssl);
955 SSL_free(clientssl);
956 SSL_CTX_free(sctx);
957 SSL_CTX_free(cctx);
958 SSL_SESSION_free(sess);
959
960 return testresult;
961}
fb121631 962#endif
3cd14e5e 963
84d5549e 964static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 965 const SSL_METHOD *cmeth,
966 int min_version, int max_version,
967 int read_ahead)
84d5549e
MC		 968{
969 SSL_CTX *cctx = NULL, *sctx = NULL;
970 SSL *clientssl = NULL, *serverssl = NULL;
971 int testresult = 0;
972 int i;
710756a9 973 BIO *certbio = NULL;
84d5549e
MC		 974 X509 *chaincert = NULL;
975 int certlen;
976
710756a9 977 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 978 goto end;
6725682d 979
d8652be0 980 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 981 goto end;
982
983 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
984 goto end;
fa454945
MC		 985 BIO_free(certbio);
986 certbio = NULL;
84d5549e 987
5e30f2fd
MC		 988 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
989 max_version, &sctx, &cctx, cert,
990 privkey)))
84d5549e 991 goto end;
84d5549e 992
8ce390e1
MC		 993#ifdef OPENSSL_NO_DTLS1_2
994 if (smeth == DTLS_server_method()) {
995 /*
996 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
997 * level 0
998 */
999 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1000 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1001 "DEFAULT:@SECLEVEL=0")))
1002 goto end;
1003 }
1004#endif
1005
710756a9 1006 if (read_ahead) {
7856332e
MC		 1007 /*
1008 * Test that read_ahead works correctly when dealing with large
1009 * records
1010 */
1011 SSL_CTX_set_read_ahead(cctx, 1);
1012 }
1013
84d5549e
MC		 1014 /*
1015 * We assume the supplied certificate is big enough so that if we add
1016 * NUM_EXTRA_CERTS it will make the overall message large enough. The
1017 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 1018 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
1019 * test we need to have a message larger than that.
84d5549e
MC		 1020 */
1021 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 1022 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1023 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1024 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1025 if (!X509_up_ref(chaincert))
84d5549e 1026 goto end;
84d5549e 1027 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1028 X509_free(chaincert);
1029 goto end;
1030 }
1031 }
1032
710756a9
RS		 1033 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1034 NULL, NULL))
1035 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1036 SSL_ERROR_NONE)))
84d5549e 1037 goto end;
84d5549e 1038
4bf08600
MC		 1039 /*
1040 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1041 * doesn't leak.
4bf08600 1042 */
710756a9 1043 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1044 goto end;
84d5549e 1045
4bf08600 1046 testresult = 1;
84d5549e 1047 end:
6725682d 1048 BIO_free(certbio);
84d5549e
MC		 1049 X509_free(chaincert);
1050 SSL_free(serverssl);
1051 SSL_free(clientssl);
1052 SSL_CTX_free(sctx);
1053 SSL_CTX_free(cctx);
1054
1055 return testresult;
1056}
1057
da4db160 1058#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1059 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1060/* sock must be connected */
1061static int ktls_chk_platform(int sock)
1062{
1063 if (!ktls_enable(sock))
1064 return 0;
1065 return 1;
1066}
1067
e1fdd526 1068static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1069{
1070 static char count = 1;
1071 unsigned char cbuf[16000] = {0};
1072 unsigned char sbuf[16000];
1073 size_t err = 0;
e1fdd526
JB		 1074 char crec_wseq_before[SEQ_NUM_SIZE];
1075 char crec_wseq_after[SEQ_NUM_SIZE];
1076 char crec_rseq_before[SEQ_NUM_SIZE];
1077 char crec_rseq_after[SEQ_NUM_SIZE];
1078 char srec_wseq_before[SEQ_NUM_SIZE];
1079 char srec_wseq_after[SEQ_NUM_SIZE];
1080 char srec_rseq_before[SEQ_NUM_SIZE];
1081 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1082 SSL_CONNECTION *clientsc, *serversc;
1083
1084 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1085 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1086 goto end;
fe5d9450
BP		 1087
1088 cbuf[0] = count++;
38b051a1
TM		 1089 memcpy(crec_wseq_before, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
1090 memcpy(crec_rseq_before, &clientsc->rlayer.read_sequence, SEQ_NUM_SIZE);
1091 memcpy(srec_wseq_before, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
1092 memcpy(srec_rseq_before, &serversc->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1093
1094 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1095 goto end;
1096
1097 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1098 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1099 goto end;
1100 }
1101 }
1102
1103 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1104 goto end;
1105
1106 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1107 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1108 goto end;
1109 }
1110 }
1111
38b051a1
TM		 1112 memcpy(crec_wseq_after, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
1113 memcpy(crec_rseq_after, &clientsc->rlayer.read_sequence, SEQ_NUM_SIZE);
1114 memcpy(srec_wseq_after, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
1115 memcpy(srec_rseq_after, &serversc->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1116
1117 /* verify the payload */
1118 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1119 goto end;
1120
e1fdd526
JB		 1121 /*
1122 * If ktls is used then kernel sequences are used instead of
1123 * OpenSSL sequences
1124 */
38b051a1 1125 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1126 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1127 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1128 goto end;
1129 } else {
e1fdd526
JB		 1130 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1131 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1132 goto end;
1133 }
1134
38b051a1 1135 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1136 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1137 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1138 goto end;
1139 } else {
e1fdd526
JB		 1140 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1141 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1142 goto end;
1143 }
1144
38b051a1 1145 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1146 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1147 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1148 goto end;
1149 } else {
e1fdd526
JB		 1150 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1151 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1152 goto end;
1153 }
1154
38b051a1 1155 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1156 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1157 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1158 goto end;
1159 } else {
e1fdd526
JB		 1160 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1161 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1162 goto end;
1163 }
fe5d9450
BP		 1164
1165 return 1;
1166end:
1167 return 0;
1168}
1169
a3a54179 1170static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1171 int tls_version, const char *cipher)
fe5d9450
BP		 1172{
1173 SSL_CTX *cctx = NULL, *sctx = NULL;
1174 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1175 int ktls_used = 0, testresult = 0;
1176 int cfd = -1, sfd = -1;
1177 int rx_supported;
38b051a1 1178 SSL_CONNECTION *clientsc, *serversc;
fe5d9450
BP		 1179
1180 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1181 goto end;
1182
1183 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1184 if (!ktls_chk_platform(cfd)) {
1185 testresult = TEST_skip("Kernel does not support KTLS");
1186 goto end;
1187 }
fe5d9450 1188
a5d8a2f8
DB		 1189 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1190 testresult = TEST_skip("CHACHA is not supported in FIPS");
1191 goto end;
1192 }
1193
fe5d9450 1194 /* Create a session based on SHA-256 */
5e30f2fd 1195 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1196 TLS_client_method(),
da4db160 1197 tls_version, tls_version,
e1fdd526
JB		 1198 &sctx, &cctx, cert, privkey)))
1199 goto end;
1200
1201 if (tls_version == TLS1_3_VERSION) {
1202 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1203 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1204 goto end;
1205 } else {
1206 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1207 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1208 goto end;
1209 }
1210
1211 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1212 &clientssl, sfd, cfd)))
fe5d9450
BP		 1213 goto end;
1214
38b051a1
TM		 1215 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1216 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1217 goto end;
1218
a3a54179
MC		 1219 if (cis_ktls) {
1220 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1221 goto end;
1222 }
1223
a3a54179 1224 if (sis_ktls) {
e1fdd526 1225 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1226 goto end;
1227 }
1228
e1fdd526 1229 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1230 goto end;
1231
e1fdd526
JB		 1232 /*
1233 * The running kernel may not support a given cipher suite
1234 * or direction, so just check that KTLS isn't used when it
1235 * isn't enabled.
1236 */
a3a54179 1237 if (!cis_ktls) {
38b051a1 1238 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1239 goto end;
1240 } else {
38b051a1 1241 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1242 ktls_used = 1;
fe5d9450
BP		 1243 }
1244
a3a54179 1245 if (!sis_ktls) {
38b051a1 1246 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1247 goto end;
1248 } else {
38b051a1 1249 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1250 ktls_used = 1;
fe5d9450
BP		 1251 }
1252
a3a54179 1253#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1254 rx_supported = 0;
1255#else
7c78932b 1256 rx_supported = 1;
a3a54179 1257#endif
e1fdd526 1258 if (!cis_ktls || !rx_supported) {
38b051a1 1259 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1260 goto end;
1261 } else {
38b051a1 1262 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1263 ktls_used = 1;
2fab79af
BP		 1264 }
1265
e1fdd526 1266 if (!sis_ktls || !rx_supported) {
38b051a1 1267 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1268 goto end;
1269 } else {
38b051a1 1270 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1271 ktls_used = 1;
1272 }
1273
1274 if ((cis_ktls || sis_ktls) && !ktls_used) {
1275 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1276 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1277 "TLS 1.2", cipher);
1278 goto end;
2fab79af
BP		 1279 }
1280
e1fdd526 1281 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1282 goto end;
1283
1284 testresult = 1;
1285end:
1286 if (clientssl) {
1287 SSL_shutdown(clientssl);
1288 SSL_free(clientssl);
1289 }
1290 if (serverssl) {
1291 SSL_shutdown(serverssl);
1292 SSL_free(serverssl);
1293 }
1294 SSL_CTX_free(sctx);
1295 SSL_CTX_free(cctx);
1296 serverssl = clientssl = NULL;
e1fdd526
JB		 1297 if (cfd != -1)
1298 close(cfd);
1299 if (sfd != -1)
1300 close(sfd);
fe5d9450
BP		 1301 return testresult;
1302}
1303
7c3a7561
BP		 1304#define SENDFILE_SZ (16 * 4096)
1305#define SENDFILE_CHUNK (4 * 4096)
1306#define min(a,b) ((a) > (b) ? (b) : (a))
1307
e1fdd526 1308static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1309{
1310 SSL_CTX *cctx = NULL, *sctx = NULL;
1311 SSL *clientssl = NULL, *serverssl = NULL;
1312 unsigned char *buf, *buf_dst;
1313 BIO *out = NULL, *in = NULL;
e1fdd526 1314 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1315 ssize_t chunk_size = 0;
1316 off_t chunk_off = 0;
1317 int testresult = 0;
1318 FILE *ffdp;
38b051a1 1319 SSL_CONNECTION *serversc;
7c3a7561
BP		 1320
1321 buf = OPENSSL_zalloc(SENDFILE_SZ);
1322 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1323 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1324 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1325 goto end;
1326
1327 /* Skip this test if the platform does not support ktls */
1328 if (!ktls_chk_platform(sfd)) {
e1fdd526 1329 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1330 goto end;
1331 }
1332
a5d8a2f8
DB		 1333 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1334 testresult = TEST_skip("CHACHA is not supported in FIPS");
1335 goto end;
1336 }
1337
7c3a7561 1338 /* Create a session based on SHA-256 */
5e30f2fd 1339 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1340 TLS_client_method(),
da4db160 1341 tls_version, tls_version,
e1fdd526
JB		 1342 &sctx, &cctx, cert, privkey)))
1343 goto end;
1344
1345 if (tls_version == TLS1_3_VERSION) {
1346 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1348 goto end;
1349 } else {
1350 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1351 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1352 goto end;
1353 }
1354
1355 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1356 &clientssl, sfd, cfd)))
1357 goto end;
1358
38b051a1
TM		 1359 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1360 goto end;
1361
e1fdd526 1362 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1363 goto end;
1364
1365 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1366 SSL_ERROR_NONE)))
7c3a7561
BP		 1367 goto end;
1368
38b051a1 1369 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1370 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1371 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1372 "TLS 1.2", cipher);
1373 goto end;
1374 }
1375
c9007bda 1376 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1377 goto end;
1378
7c3a7561
BP		 1379 out = BIO_new_file(tmpfilename, "wb");
1380 if (!TEST_ptr(out))
1381 goto end;
1382
1383 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1384 goto end;
1385
1386 BIO_free(out);
1387 out = NULL;
1388 in = BIO_new_file(tmpfilename, "rb");
1389 BIO_get_fp(in, &ffdp);
1390 ffd = fileno(ffdp);
1391
1392 while (chunk_off < SENDFILE_SZ) {
1393 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1394 while ((err = SSL_sendfile(serverssl,
1395 ffd,
1396 chunk_off,
1397 chunk_size,
1398 0)) != chunk_size) {
1399 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1400 goto end;
1401 }
1402 while ((err = SSL_read(clientssl,
1403 buf_dst + chunk_off,
1404 chunk_size)) != chunk_size) {
1405 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1406 goto end;
1407 }
1408
1409 /* verify the payload */
1410 if (!TEST_mem_eq(buf_dst + chunk_off,
1411 chunk_size,
1412 buf + chunk_off,
1413 chunk_size))
1414 goto end;
1415
1416 chunk_off += chunk_size;
1417 }
1418
1419 testresult = 1;
1420end:
1421 if (clientssl) {
1422 SSL_shutdown(clientssl);
1423 SSL_free(clientssl);
1424 }
1425 if (serverssl) {
1426 SSL_shutdown(serverssl);
1427 SSL_free(serverssl);
1428 }
1429 SSL_CTX_free(sctx);
1430 SSL_CTX_free(cctx);
1431 serverssl = clientssl = NULL;
1432 BIO_free(out);
1433 BIO_free(in);
e1fdd526
JB		 1434 if (cfd != -1)
1435 close(cfd);
1436 if (sfd != -1)
1437 close(sfd);
7c3a7561
BP		 1438 OPENSSL_free(buf);
1439 OPENSSL_free(buf_dst);
1440 return testresult;
1441}
1442
e1fdd526
JB		 1443static struct ktls_test_cipher {
1444 int tls_version;
1445 const char *cipher;
1446} ktls_test_ciphers[] = {
1447# if !defined(OPENSSL_NO_TLS1_2)
1448# ifdef OPENSSL_KTLS_AES_GCM_128
1449 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1450# endif
1451# ifdef OPENSSL_KTLS_AES_CCM_128
1452 { TLS1_2_VERSION, "AES128-CCM"},
1453# endif
1454# ifdef OPENSSL_KTLS_AES_GCM_256
1455 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1456# endif
11bac1b4
JB		 1457# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1458 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
1459# endif
e1fdd526
JB		 1460# endif
1461# if !defined(OSSL_NO_USABLE_TLS1_3)
1462# ifdef OPENSSL_KTLS_AES_GCM_128
1463 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1464# endif
1465# ifdef OPENSSL_KTLS_AES_CCM_128
1466 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1467# endif
1468# ifdef OPENSSL_KTLS_AES_GCM_256
1469 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1470# endif
11bac1b4
JB		 1471# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1472 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1473# endif
e1fdd526
JB		 1474# endif
1475};
1476
1477#define NUM_KTLS_TEST_CIPHERS \
1478 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1479
da4db160
VF		 1480static int test_ktls(int test)
1481{
e1fdd526 1482 struct ktls_test_cipher *cipher;
a3a54179 1483 int cis_ktls, sis_ktls;
da4db160 1484
2cff17fd 1485 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1486 cipher = &ktls_test_ciphers[test / 4];
da4db160 1487
a3a54179
MC		 1488 cis_ktls = (test & 1) != 0;
1489 sis_ktls = (test & 2) != 0;
cd03b5dc 1490
e1fdd526
JB		 1491 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1492 cipher->cipher);
2fab79af
BP		 1493}
1494
e1fdd526 1495static int test_ktls_sendfile(int tst)
fe5d9450 1496{
e1fdd526 1497 struct ktls_test_cipher *cipher;
da4db160 1498
2cff17fd 1499 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1500 cipher = &ktls_test_ciphers[tst];
da4db160 1501
e1fdd526 1502 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
fe5d9450 1503}
fe5d9450
BP		 1504#endif
1505
84d5549e
MC		 1506static int test_large_message_tls(void)
1507{
7856332e 1508 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1509 TLS1_VERSION, 0, 0);
7856332e
MC		 1510}
1511
1512static int test_large_message_tls_read_ahead(void)
1513{
1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1515 TLS1_VERSION, 0, 1);
84d5549e
MC		 1516}
1517
55386bef 1518#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1519static int test_large_message_dtls(void)
1520{
8ce390e1
MC		 1521# ifdef OPENSSL_NO_DTLS1_2
1522 /* Not supported in the FIPS provider */
1523 if (is_fips)
1524 return 1;
1525# endif
7856332e
MC		 1526 /*
1527 * read_ahead is not relevant to DTLS because DTLS always acts as if
1528 * read_ahead is set.
1529 */
84d5549e 1530 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1531 DTLS_client_method(),
5c587fb6 1532 DTLS1_VERSION, 0, 0);
84d5549e 1533}
55386bef 1534#endif
84d5549e 1535
163b8016
ME		 1536static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1537 const SSL_METHOD *cmeth,
1538 int min_version, int max_version)
1539{
1540 size_t i;
1541 SSL_CTX *cctx = NULL, *sctx = NULL;
1542 SSL *clientssl = NULL, *serverssl = NULL;
1543 int testresult = 0;
1544 SSL3_RECORD *rr;
1545 void *zbuf;
38b051a1 1546 SSL_CONNECTION *serversc;
163b8016
ME		 1547
1548 static unsigned char cbuf[16000];
1549 static unsigned char sbuf[16000];
1550
1551 if (!TEST_true(create_ssl_ctx_pair(libctx,
1552 smeth, cmeth,
1553 min_version, max_version,
1554 &sctx, &cctx, cert,
1555 privkey)))
1556 goto end;
1557
8ce390e1
MC		 1558#ifdef OPENSSL_NO_DTLS1_2
1559 if (smeth == DTLS_server_method()) {
1560# ifdef OPENSSL_NO_DTLS1_2
1561 /* Not supported in the FIPS provider */
1562 if (is_fips) {
1563 testresult = 1;
1564 goto end;
1565 };
1566# endif
1567 /*
1568 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1569 * level 0
1570 */
1571 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1572 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1573 "DEFAULT:@SECLEVEL=0")))
1574 goto end;
1575 }
1576#endif
1577
163b8016
ME		 1578 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1579 NULL, NULL)))
1580 goto end;
1581
1582 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1583 goto end;
1584
1585 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1586 SSL_ERROR_NONE)))
1587 goto end;
1588
1589 for (i = 0; i < sizeof(cbuf); i++) {
1590 cbuf[i] = i & 0xff;
1591 }
1592
1593 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1594 goto end;
1595
1596 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1597 goto end;
1598
1599 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1600 goto end;
1601
1602 /*
1603 * Since we called SSL_peek(), we know the data in the record
1604 * layer is a plaintext record. We can gather the pointer to check
1605 * for zeroization after SSL_read().
1606 */
38b051a1
TM		 1607 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1608 goto end;
1609 rr = serversc->rlayer.rrec;
163b8016
ME		 1610 zbuf = &rr->data[rr->off];
1611 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1612 goto end;
1613
1614 /*
1615 * After SSL_peek() the plaintext must still be stored in the
1616 * record.
1617 */
1618 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1619 goto end;
1620
1621 memset(sbuf, 0, sizeof(sbuf));
1622 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1623 goto end;
1624
1625 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1626 goto end;
1627
1628 /* Check if rbuf is cleansed */
1629 memset(cbuf, 0, sizeof(cbuf));
1630 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1631 goto end;
1632
1633 testresult = 1;
1634 end:
1635 SSL_free(serverssl);
1636 SSL_free(clientssl);
1637 SSL_CTX_free(sctx);
1638 SSL_CTX_free(cctx);
1639
1640 return testresult;
1641}
1642
1643static int test_cleanse_plaintext(void)
1644{
1645#if !defined(OPENSSL_NO_TLS1_2)
1646 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1647 TLS_client_method(),
1648 TLS1_2_VERSION,
1649 TLS1_2_VERSION)))
1650 return 0;
1651
1652#endif
1653
a763ca11 1654#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1655 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1656 TLS_client_method(),
1657 TLS1_3_VERSION,
1658 TLS1_3_VERSION)))
1659 return 0;
1660#endif
1661
1662#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1663
163b8016
ME		 1664 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1665 DTLS_client_method(),
1666 DTLS1_VERSION,
1667 0)))
1668 return 0;
1669#endif
1670 return 1;
1671}
1672
8f8c11d8 1673#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1674static int ocsp_server_cb(SSL *s, void *arg)
1675{
1676 int *argi = (int *)arg;
710756a9 1677 unsigned char *copy = NULL;
ba881d3b
MC		 1678 STACK_OF(OCSP_RESPID) *ids = NULL;
1679 OCSP_RESPID *id = NULL;
1680
1681 if (*argi == 2) {
1682 /* In this test we are expecting exactly 1 OCSP_RESPID */
1683 SSL_get_tlsext_status_ids(s, &ids);
1684 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1685 return SSL_TLSEXT_ERR_ALERT_FATAL;
1686
1687 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1688 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1689 return SSL_TLSEXT_ERR_ALERT_FATAL;
1690 } else if (*argi != 1) {
1691 return SSL_TLSEXT_ERR_ALERT_FATAL;
1692 }
1693
710756a9 1694 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1695 return SSL_TLSEXT_ERR_ALERT_FATAL;
1696
711d5a2f
P		 1697 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1698 sizeof(orespder)))) {
1699 OPENSSL_free(copy);
1700 return SSL_TLSEXT_ERR_ALERT_FATAL;
1701 }
ba881d3b 1702 ocsp_server_called = 1;
ba881d3b
MC		 1703 return SSL_TLSEXT_ERR_OK;
1704}
1705
1706static int ocsp_client_cb(SSL *s, void *arg)
1707{
1708 int *argi = (int *)arg;
1709 const unsigned char *respderin;
1710 size_t len;
1711
1712 if (*argi != 1 && *argi != 2)
1713 return 0;
1714
1715 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1716 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1717 return 0;
1718
1719 ocsp_client_called = 1;
ba881d3b
MC		 1720 return 1;
1721}
1722
2cb4b5f6
MC		 1723static int test_tlsext_status_type(void)
1724{
ba881d3b
MC		 1725 SSL_CTX *cctx = NULL, *sctx = NULL;
1726 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1727 int testresult = 0;
ba881d3b
MC		 1728 STACK_OF(OCSP_RESPID) *ids = NULL;
1729 OCSP_RESPID *id = NULL;
1730 BIO *certbio = NULL;
2cb4b5f6 1731
5e30f2fd 1732 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1733 TLS1_VERSION, 0,
7d7f6834 1734 &sctx, &cctx, cert, privkey))
ba881d3b 1735 return 0;
2cb4b5f6 1736
710756a9 1737 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1738 goto end;
2cb4b5f6 1739
ba881d3b 1740 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1741
ba881d3b 1742 clientssl = SSL_new(cctx);
710756a9
RS		 1743 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1744 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1745 TLSEXT_STATUSTYPE_ocsp))
1746 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1747 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1748 goto end;
2cb4b5f6 1749
ba881d3b
MC		 1750 SSL_free(clientssl);
1751 clientssl = NULL;
2cb4b5f6 1752
710756a9
RS		 1753 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1754 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1755 goto end;
2cb4b5f6 1756
ba881d3b 1757 clientssl = SSL_new(cctx);
710756a9 1758 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1759 goto end;
ba881d3b
MC		 1760 SSL_free(clientssl);
1761 clientssl = NULL;
1762
1763 /*
1764 * Now actually do a handshake and check OCSP information is exchanged and
1765 * the callbacks get called
1766 */
ba881d3b
MC		 1767 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1768 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1769 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1770 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1771 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1772 &clientssl, NULL, NULL))
1773 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1774 SSL_ERROR_NONE))
1775 || !TEST_true(ocsp_client_called)
1776 || !TEST_true(ocsp_server_called))
ba881d3b 1777 goto end;
ba881d3b
MC		 1778 SSL_free(serverssl);
1779 SSL_free(clientssl);
1780 serverssl = NULL;
1781 clientssl = NULL;
1782
1783 /* Try again but this time force the server side callback to fail */
1784 ocsp_client_called = 0;
1785 ocsp_server_called = 0;
1786 cdummyarg = 0;
710756a9
RS		 1787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1788 &clientssl, NULL, NULL))
1789 /* This should fail because the callback will fail */
1790 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1791 SSL_ERROR_NONE))
1792 || !TEST_false(ocsp_client_called)
1793 || !TEST_false(ocsp_server_called))
ba881d3b 1794 goto end;
ba881d3b
MC		 1795 SSL_free(serverssl);
1796 SSL_free(clientssl);
1797 serverssl = NULL;
1798 clientssl = NULL;
1799
1800 /*
1801 * This time we'll get the client to send an OCSP_RESPID that it will
1802 * accept.
1803 */
1804 ocsp_client_called = 0;
1805 ocsp_server_called = 0;
1806 cdummyarg = 2;
710756a9
RS		 1807 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1808 &clientssl, NULL, NULL)))
ba881d3b 1809 goto end;
ba881d3b
MC		 1810
1811 /*
1812 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1813 * specific one. We'll use the server cert.
ba881d3b 1814 */
710756a9
RS		 1815 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1816 || !TEST_ptr(id = OCSP_RESPID_new())
1817 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1818 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1819 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1820 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1821 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1822 goto end;
ba881d3b
MC		 1823 id = NULL;
1824 SSL_set_tlsext_status_ids(clientssl, ids);
1825 /* Control has been transferred */
1826 ids = NULL;
1827
1828 BIO_free(certbio);
1829 certbio = NULL;
1830
710756a9
RS		 1831 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1832 SSL_ERROR_NONE))
1833 || !TEST_true(ocsp_client_called)
1834 || !TEST_true(ocsp_server_called))
ba881d3b 1835 goto end;
ba881d3b 1836
2cb4b5f6
MC		 1837 testresult = 1;
1838
1839 end:
ba881d3b
MC		 1840 SSL_free(serverssl);
1841 SSL_free(clientssl);
1842 SSL_CTX_free(sctx);
1843 SSL_CTX_free(cctx);
1844 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1845 OCSP_RESPID_free(id);
1846 BIO_free(certbio);
1847 X509_free(ocspcert);
1848 ocspcert = NULL;
2cb4b5f6
MC		 1849
1850 return testresult;
1851}
8f8c11d8 1852#endif
2cb4b5f6 1853
a763ca11 1854#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1855static int new_called, remove_called, get_called;
eaa776da 1856
eaa776da
MC		 1857static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1858{
1859 new_called++;
c0537ebd
MC		 1860 /*
1861 * sess has been up-refed for us, but we don't actually need it so free it
1862 * immediately.
1863 */
1864 SSL_SESSION_free(sess);
eaa776da
MC		 1865 return 1;
1866}
1867
1868static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1869{
1870 remove_called++;
1871}
1872
7a301f08
MC		 1873static SSL_SESSION *get_sess_val = NULL;
1874
1875static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1876 int *copy)
1877{
0afca811 1878 get_called++;
7a301f08
MC		 1879 *copy = 1;
1880 return get_sess_val;
1881}
1882
7a301f08 1883static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1884 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1885{
1886 SSL_CTX *sctx = NULL, *cctx = NULL;
1887 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1888 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1889# ifndef OPENSSL_NO_TLS1_1
eaa776da 1890 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1891# endif
2cb4b5f6 1892 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1893 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1894
7e885b7b
P		 1895 new_called = remove_called = 0;
1896
36ff232c
MC		 1897 /* TLSv1.3 sends 2 NewSessionTickets */
1898 if (maxprot == TLS1_3_VERSION)
1899 numnewsesstick = 2;
1900
5e30f2fd
MC		 1901 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1902 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1903 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1904 return 0;
2cb4b5f6 1905
7a301f08
MC		 1906 /*
1907 * Only allow the max protocol version so we can force a connection failure
1908 * later
1909 */
1910 SSL_CTX_set_min_proto_version(cctx, maxprot);
1911 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1912
1913 /* Set up session cache */
7e885b7b 1914 if (use_ext_cache) {
eaa776da
MC		 1915 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1916 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1917 }
7e885b7b 1918 if (use_int_cache) {
eaa776da
MC		 1919 /* Also covers instance where both are set */
1920 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1921 } else {
1922 SSL_CTX_set_session_cache_mode(cctx,
1923 SSL_SESS_CACHE_CLIENT
1924 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1925 }
2cb4b5f6 1926
90fc2c26
NM		 1927 if (s_options) {
1928 SSL_CTX_set_options(sctx, s_options);
1929 }
1930
710756a9
RS		 1931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1932 NULL, NULL))
1933 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1934 SSL_ERROR_NONE))
1935 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1936 goto end;
2cb4b5f6 1937
710756a9 1938 /* Should fail because it should already be in the cache */
7e885b7b 1939 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1940 goto end;
7a301f08 1941 if (use_ext_cache
36ff232c
MC		 1942 && (!TEST_int_eq(new_called, numnewsesstick)
1943
1944 || !TEST_int_eq(remove_called, 0)))
b4982125 1945 goto end;
b4982125 1946
c0537ebd
MC		 1947 new_called = remove_called = 0;
1948 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1949 &clientssl2, NULL, NULL))
1950 || !TEST_true(SSL_set_session(clientssl2, sess1))
1951 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1952 SSL_ERROR_NONE))
1953 || !TEST_true(SSL_session_reused(clientssl2)))
1954 goto end;
1955
7a301f08
MC		 1956 if (maxprot == TLS1_3_VERSION) {
1957 /*
1958 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1959 * resumed. Since we attempted a resume we should also have removed the
1960 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1961 */
1962 if (use_ext_cache
1963 && (!TEST_int_eq(new_called, 1)
4cb00457 1964 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1965 goto end;
1966 } else {
1967 /*
1968 * In TLSv1.2 we expect to have resumed so no sessions added or
1969 * removed.
1970 */
1971 if (use_ext_cache
1972 && (!TEST_int_eq(new_called, 0)
1973 || !TEST_int_eq(remove_called, 0)))
1974 goto end;
1975 }
c0537ebd
MC		 1976
1977 SSL_SESSION_free(sess1);
1978 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1979 goto end;
1980 shutdown_ssl_connection(serverssl2, clientssl2);
1981 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1982
1983 new_called = remove_called = 0;
710756a9
RS		 1984 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1985 &clientssl2, NULL, NULL))
1986 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1987 SSL_ERROR_NONE)))
2cb4b5f6 1988 goto end;
2cb4b5f6 1989
710756a9 1990 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1991 goto end;
2cb4b5f6 1992
7a301f08 1993 if (use_ext_cache
36ff232c
MC		 1994 && (!TEST_int_eq(new_called, numnewsesstick)
1995 || !TEST_int_eq(remove_called, 0)))
eaa776da 1996 goto end;
eaa776da 1997
c0537ebd 1998 new_called = remove_called = 0;
2cb4b5f6 1999 /*
710756a9
RS		 2000 * This should clear sess2 from the cache because it is a "bad" session.
2001 * See SSL_set_session() documentation.
2cb4b5f6 2002 */
710756a9 2003 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2004 goto end;
7a301f08
MC		 2005 if (use_ext_cache
2006 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2007 goto end;
710756a9 2008 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2009 goto end;
2cb4b5f6 2010
7e885b7b 2011 if (use_int_cache) {
710756a9
RS		 2012 /* Should succeeded because it should not already be in the cache */
2013 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2014 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2015 goto end;
eaa776da
MC		 2016 }
2017
c0537ebd 2018 new_called = remove_called = 0;
eaa776da 2019 /* This shouldn't be in the cache so should fail */
710756a9 2020 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2021 goto end;
2cb4b5f6 2022
7a301f08
MC		 2023 if (use_ext_cache
2024 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2025 goto end;
2cb4b5f6 2026
bf208d95 2027# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2028 new_called = remove_called = 0;
eaa776da
MC		 2029 /* Force a connection failure */
2030 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2031 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2032 &clientssl3, NULL, NULL))
2033 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2034 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2035 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2036 SSL_ERROR_NONE)))
eaa776da 2037 goto end;
b4982125 2038
eaa776da 2039 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2040 if (use_ext_cache
2041 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2042 goto end;
2cb4b5f6 2043
710756a9 2044 /* Should succeed because it should not already be in the cache */
7e885b7b 2045 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2046 goto end;
bf208d95 2047# endif
eaa776da 2048
7a301f08
MC		 2049 /* Now do some tests for server side caching */
2050 if (use_ext_cache) {
2051 SSL_CTX_sess_set_new_cb(cctx, NULL);
2052 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2053 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2054 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2055 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2056 get_sess_val = NULL;
2057 }
2058
2059 SSL_CTX_set_session_cache_mode(cctx, 0);
2060 /* Internal caching is the default on the server side */
2061 if (!use_int_cache)
2062 SSL_CTX_set_session_cache_mode(sctx,
2063 SSL_SESS_CACHE_SERVER
2064 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2065
2066 SSL_free(serverssl1);
2067 SSL_free(clientssl1);
2068 serverssl1 = clientssl1 = NULL;
2069 SSL_free(serverssl2);
2070 SSL_free(clientssl2);
2071 serverssl2 = clientssl2 = NULL;
2072 SSL_SESSION_free(sess1);
2073 sess1 = NULL;
2074 SSL_SESSION_free(sess2);
2075 sess2 = NULL;
2076
2077 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2078 if (maxprot == TLS1_2_VERSION)
2079 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2080 new_called = remove_called = get_called = 0;
7a301f08
MC		 2081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2082 NULL, NULL))
2083 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2084 SSL_ERROR_NONE))
2085 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2086 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2087 goto end;
2088
ee94ec2e
MC		 2089 if (use_int_cache) {
2090 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2091 /*
2092 * In TLSv1.3 it should not have been added to the internal cache,
2093 * except in the case where we also have an external cache (in that
2094 * case it gets added to the cache in order to generate remove
2095 * events after timeout).
2096 */
2097 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2098 goto end;
2099 } else {
2100 /* Should fail because it should already be in the cache */
2101 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2102 goto end;
2103 }
2104 }
7a301f08
MC		 2105
2106 if (use_ext_cache) {
2107 SSL_SESSION *tmp = sess2;
2108
36ff232c 2109 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2110 || !TEST_int_eq(remove_called, 0)
2111 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2112 goto end;
2113 /*
2114 * Delete the session from the internal cache to force a lookup from
2115 * the external cache. We take a copy first because
2116 * SSL_CTX_remove_session() also marks the session as non-resumable.
2117 */
ee94ec2e 2118 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2119 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2120 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2121 goto end;
2122 SSL_SESSION_free(sess2);
2123 }
7a301f08
MC		 2124 sess2 = tmp;
2125 }
2126
0afca811 2127 new_called = remove_called = get_called = 0;
7a301f08
MC		 2128 get_sess_val = sess2;
2129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2130 &clientssl2, NULL, NULL))
2131 || !TEST_true(SSL_set_session(clientssl2, sess1))
2132 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2133 SSL_ERROR_NONE))
2134 || !TEST_true(SSL_session_reused(clientssl2)))
2135 goto end;
2136
0afca811 2137 if (use_ext_cache) {
32305f88 2138 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2139 goto end;
2140
2141 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2142 if (!TEST_int_eq(new_called, 1)
2143 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2144 goto end;
2145 } else {
32305f88
MC		 2146 if (!TEST_int_eq(new_called, 0)
2147 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2148 goto end;
2149 }
2150 }
4842a27b
TS		 2151 /*
2152 * Make a small cache, force out all other sessions but
2153 * sess2, try to add sess1, which should succeed. Then
2154 * make sure it's there by checking the owners. Despite
2155 * the timeouts, sess1 should have kicked out sess2
2156 */
2157
2158 /* Make sess1 expire before sess2 */
2159 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2160 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2161 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2162 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2163 goto end;
2164
2165 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2166 goto end;
2167
2168 /* Don't care about results - cache should only be sess2 at end */
2169 SSL_CTX_add_session(sctx, sess1);
2170 SSL_CTX_add_session(sctx, sess2);
2171
2172 /* Now add sess1, and make sure it remains, despite timeout */
2173 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2174 || !TEST_ptr(sess1->owner)
2175 || !TEST_ptr_null(sess2->owner))
2176 goto end;
7a301f08 2177
2cb4b5f6 2178 testresult = 1;
eaa776da 2179
2cb4b5f6
MC		 2180 end:
2181 SSL_free(serverssl1);
2182 SSL_free(clientssl1);
2183 SSL_free(serverssl2);
2184 SSL_free(clientssl2);
bf208d95 2185# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2186 SSL_free(serverssl3);
2187 SSL_free(clientssl3);
bf208d95 2188# endif
2cb4b5f6
MC		 2189 SSL_SESSION_free(sess1);
2190 SSL_SESSION_free(sess2);
2191 SSL_CTX_free(sctx);
2192 SSL_CTX_free(cctx);
2193
2194 return testresult;
2195}
a763ca11 2196#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2197
7fb4c820
MC		 2198static int test_session_with_only_int_cache(void)
2199{
a763ca11 2200#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2201 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2202 return 0;
2203#endif
2204
2205#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2206 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2207#else
2208 return 1;
2209#endif
eaa776da
MC		 2210}
2211
7fb4c820
MC		 2212static int test_session_with_only_ext_cache(void)
2213{
a763ca11 2214#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2215 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2216 return 0;
2217#endif
2218
2219#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2220 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2221#else
2222 return 1;
2223#endif
eaa776da
MC		 2224}
2225
7fb4c820
MC		 2226static int test_session_with_both_cache(void)
2227{
a763ca11 2228#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2229 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2230 return 0;
2231#endif
2232
2233#ifndef OPENSSL_NO_TLS1_2
2234 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2235#else
2236 return 1;
2237#endif
2238}
2239
2240static int test_session_wo_ca_names(void)
2241{
a763ca11 2242#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2243 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2244 return 0;
2245#endif
2246
2247#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2248 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2249#else
2250 return 1;
2251#endif
eaa776da
MC		 2252}
2253
90fc2c26 2254
a763ca11 2255#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2256static SSL_SESSION *sesscache[6];
2257static int do_cache;
36ff232c
MC		 2258
2259static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2260{
c22365b3
MC		 2261 if (do_cache) {
2262 sesscache[new_called] = sess;
2263 } else {
2264 /* We don't need the reference to the session, so free it */
2265 SSL_SESSION_free(sess);
2266 }
2267 new_called++;
2268
2269 return 1;
2270}
2271
2272static int post_handshake_verify(SSL *sssl, SSL *cssl)
2273{
2274 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2275 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2276 return 0;
2277
2278 /* Start handshake on the server and client */
2279 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2280 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2281 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2282 || !TEST_true(create_ssl_connection(sssl, cssl,
2283 SSL_ERROR_NONE)))
2284 return 0;
36ff232c
MC		 2285
2286 return 1;
2287}
2288
fbe9dafd 2289static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2290 SSL_CTX **cctx)
2291{
2292 int sess_id_ctx = 1;
2293
5e30f2fd
MC		 2294 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2295 TLS_client_method(), TLS1_VERSION, 0,
2296 sctx, cctx, cert, privkey))
03cdf559
MC		 2297 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2298 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2299 (void *)&sess_id_ctx,
2300 sizeof(sess_id_ctx))))
2301 return 0;
2302
2303 if (stateful)
2304 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2305
2306 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2307 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2308 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2309
2310 return 1;
2311}
2312
2313static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2314{
2315 SSL *serverssl = NULL, *clientssl = NULL;
2316 int i;
2317
2318 /* Test that we can resume with all the tickets we got given */
2319 for (i = 0; i < idx * 2; i++) {
2320 new_called = 0;
2321 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2322 &clientssl, NULL, NULL))
2323 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2324 goto end;
2325
32097b33 2326 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2327
2328 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2329 SSL_ERROR_NONE)))
2330 goto end;
2331
2332 /*
2333 * Following a successful resumption we only get 1 ticket. After a
2334 * failed one we should get idx tickets.
2335 */
2336 if (succ) {
2337 if (!TEST_true(SSL_session_reused(clientssl))
2338 || !TEST_int_eq(new_called, 1))
2339 goto end;
2340 } else {
2341 if (!TEST_false(SSL_session_reused(clientssl))
2342 || !TEST_int_eq(new_called, idx))
2343 goto end;
2344 }
2345
2346 new_called = 0;
2347 /* After a post-handshake authentication we should get 1 new ticket */
2348 if (succ
2349 && (!post_handshake_verify(serverssl, clientssl)
2350 || !TEST_int_eq(new_called, 1)))
2351 goto end;
2352
2353 SSL_shutdown(clientssl);
2354 SSL_shutdown(serverssl);
2355 SSL_free(serverssl);
2356 SSL_free(clientssl);
2357 serverssl = clientssl = NULL;
2358 SSL_SESSION_free(sesscache[i]);
2359 sesscache[i] = NULL;
2360 }
2361
2362 return 1;
2363
2364 end:
2365 SSL_free(clientssl);
2366 SSL_free(serverssl);
2367 return 0;
2368}
2369
04d7814a 2370static int test_tickets(int stateful, int idx)
36ff232c
MC		 2371{
2372 SSL_CTX *sctx = NULL, *cctx = NULL;
2373 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2374 int testresult = 0;
36ff232c
MC		 2375 size_t j;
2376
2377 /* idx is the test number, but also the number of tickets we want */
2378
2379 new_called = 0;
c22365b3 2380 do_cache = 1;
36ff232c 2381
fbe9dafd 2382 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2383 goto end;
2384
03cdf559
MC		 2385 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2386 &clientssl, NULL, NULL)))
2387 goto end;
2388
2389 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2390 SSL_ERROR_NONE))
2391 /* Check we got the number of tickets we were expecting */
2392 || !TEST_int_eq(idx, new_called))
2393 goto end;
04d7814a 2394
03cdf559
MC		 2395 SSL_shutdown(clientssl);
2396 SSL_shutdown(serverssl);
2397 SSL_free(serverssl);
2398 SSL_free(clientssl);
2399 SSL_CTX_free(sctx);
2400 SSL_CTX_free(cctx);
2401 clientssl = serverssl = NULL;
2402 sctx = cctx = NULL;
2403
2404 /*
2405 * Now we try to resume with the tickets we previously created. The
2406 * resumption attempt is expected to fail (because we're now using a new
2407 * SSL_CTX). We should see idx number of tickets issued again.
2408 */
2409
2410 /* Stop caching sessions - just count them */
2411 do_cache = 0;
2412
fbe9dafd 2413 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2414 goto end;
2415
2416 if (!check_resumption(idx, sctx, cctx, 0))
2417 goto end;
2418
2419 /* Start again with caching sessions */
2420 new_called = 0;
2421 do_cache = 1;
fbe9dafd
MC		 2422 SSL_CTX_free(sctx);
2423 SSL_CTX_free(cctx);
2424 sctx = cctx = NULL;
03cdf559 2425
fbe9dafd 2426 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2427 goto end;
36ff232c
MC		 2428
2429 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2430 &clientssl, NULL, NULL)))
2431 goto end;
2432
32097b33 2433 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2434
2435 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2436 SSL_ERROR_NONE))
2437 /* Check we got the number of tickets we were expecting */
2438 || !TEST_int_eq(idx, new_called))
2439 goto end;
2440
2441 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2442 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2443 || !TEST_int_eq(idx * 2, new_called))
2444 goto end;
2445
36ff232c
MC		 2446 SSL_shutdown(clientssl);
2447 SSL_shutdown(serverssl);
2448 SSL_free(serverssl);
2449 SSL_free(clientssl);
2450 serverssl = clientssl = NULL;
2451
c22365b3
MC		 2452 /* Stop caching sessions - just count them */
2453 do_cache = 0;
2454
03cdf559
MC		 2455 /*
2456 * Check we can resume with all the tickets we created. This time around the
2457 * resumptions should all be successful.
2458 */
2459 if (!check_resumption(idx, sctx, cctx, 1))
2460 goto end;
36ff232c
MC		 2461
2462 testresult = 1;
2463
2464 end:
2465 SSL_free(serverssl);
2466 SSL_free(clientssl);
c22365b3 2467 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2468 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2469 sesscache[j] = NULL;
2470 }
36ff232c
MC		 2471 SSL_CTX_free(sctx);
2472 SSL_CTX_free(cctx);
2473
2474 return testresult;
2475}
04d7814a
MC		 2476
2477static int test_stateless_tickets(int idx)
2478{
2479 return test_tickets(0, idx);
2480}
2481
2482static int test_stateful_tickets(int idx)
2483{
2484 return test_tickets(1, idx);
2485}
8614a4eb
MC		 2486
2487static int test_psk_tickets(void)
2488{
2489 SSL_CTX *sctx = NULL, *cctx = NULL;
2490 SSL *serverssl = NULL, *clientssl = NULL;
2491 int testresult = 0;
2492 int sess_id_ctx = 1;
2493
5e30f2fd
MC		 2494 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2495 TLS_client_method(), TLS1_VERSION, 0,
2496 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2497 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2498 (void *)&sess_id_ctx,
2499 sizeof(sess_id_ctx))))
2500 goto end;
2501
2502 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2503 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2504 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2505 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2506 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2507 use_session_cb_cnt = 0;
2508 find_session_cb_cnt = 0;
2509 srvid = pskid;
2510 new_called = 0;
2511
2512 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2513 NULL, NULL)))
2514 goto end;
2515 clientpsk = serverpsk = create_a_psk(clientssl);
2516 if (!TEST_ptr(clientpsk))
2517 goto end;
2518 SSL_SESSION_up_ref(clientpsk);
2519
2520 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2521 SSL_ERROR_NONE))
2522 || !TEST_int_eq(1, find_session_cb_cnt)
2523 || !TEST_int_eq(1, use_session_cb_cnt)
2524 /* We should always get 1 ticket when using external PSK */
2525 || !TEST_int_eq(1, new_called))
2526 goto end;
2527
2528 testresult = 1;
2529
2530 end:
2531 SSL_free(serverssl);
2532 SSL_free(clientssl);
2533 SSL_CTX_free(sctx);
2534 SSL_CTX_free(cctx);
2535 SSL_SESSION_free(clientpsk);
2536 SSL_SESSION_free(serverpsk);
2537 clientpsk = serverpsk = NULL;
2538
2539 return testresult;
2540}
f0049b86
BK		 2541
2542static int test_extra_tickets(int idx)
2543{
2544 SSL_CTX *sctx = NULL, *cctx = NULL;
2545 SSL *serverssl = NULL, *clientssl = NULL;
2546 BIO *bretry = BIO_new(bio_s_always_retry());
2547 BIO *tmp = NULL;
2548 int testresult = 0;
2549 int stateful = 0;
2550 size_t nbytes;
2551 unsigned char c, buf[1];
2552
2553 new_called = 0;
2554 do_cache = 1;
2555
2556 if (idx >= 3) {
2557 idx -= 3;
2558 stateful = 1;
2559 }
2560
2561 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2562 goto end;
2563 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2564 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2565 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2566
2567 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2568 &clientssl, NULL, NULL)))
2569 goto end;
2570
2571 /*
2572 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2573 * incremented by both client and server.
2574 */
2575 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2576 SSL_ERROR_NONE))
2577 /* Check we got the number of tickets we were expecting */
2578 || !TEST_int_eq(idx * 2, new_called)
2579 || !TEST_true(SSL_new_session_ticket(serverssl))
2580 || !TEST_true(SSL_new_session_ticket(serverssl))
2581 || !TEST_int_eq(idx * 2, new_called))
2582 goto end;
2583
2584 /* Now try a (real) write to actually send the tickets */
2585 c = '1';
2586 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2587 || !TEST_size_t_eq(1, nbytes)
2588 || !TEST_int_eq(idx * 2 + 2, new_called)
2589 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2590 || !TEST_int_eq(idx * 2 + 4, new_called)
2591 || !TEST_int_eq(sizeof(buf), nbytes)
2592 || !TEST_int_eq(c, buf[0])
2593 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2594 goto end;
2595
2596 /* Try with only requesting one new ticket, too */
2597 c = '2';
2598 new_called = 0;
2599 if (!TEST_true(SSL_new_session_ticket(serverssl))
2600 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2601 || !TEST_size_t_eq(sizeof(c), nbytes)
2602 || !TEST_int_eq(1, new_called)
2603 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2604 || !TEST_int_eq(2, new_called)
2605 || !TEST_size_t_eq(sizeof(buf), nbytes)
2606 || !TEST_int_eq(c, buf[0]))
2607 goto end;
2608
2609 /* Do it again but use dummy writes to drive the ticket generation */
2610 c = '3';
2611 new_called = 0;
2612 if (!TEST_true(SSL_new_session_ticket(serverssl))
2613 || !TEST_true(SSL_new_session_ticket(serverssl))
2614 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2615 || !TEST_size_t_eq(0, nbytes)
2616 || !TEST_int_eq(2, new_called)
2617 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2618 || !TEST_int_eq(4, new_called))
2619 goto end;
2620
a0bbcb42
BK		 2621 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2622 c = '4';
2623 new_called = 0;
2624 if (!TEST_true(SSL_new_session_ticket(serverssl))
2625 || !TEST_true(SSL_new_session_ticket(serverssl))
2626 || !TEST_true(SSL_do_handshake(serverssl))
2627 || !TEST_int_eq(2, new_called)
2628 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2629 || !TEST_int_eq(4, new_called))
2630 goto end;
2631
f0049b86
BK		 2632 /*
2633 * Use the always-retry BIO to exercise the logic that forces ticket
2634 * generation to wait until a record boundary.
2635 */
a0bbcb42 2636 c = '5';
f0049b86
BK		 2637 new_called = 0;
2638 tmp = SSL_get_wbio(serverssl);
2639 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2640 tmp = NULL;
2641 goto end;
2642 }
2643 SSL_set0_wbio(serverssl, bretry);
2644 bretry = NULL;
2645 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2646 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2647 || !TEST_size_t_eq(nbytes, 0))
2648 goto end;
2649 /* Restore a BIO that will let the write succeed */
2650 SSL_set0_wbio(serverssl, tmp);
2651 tmp = NULL;
a0bbcb42
BK		 2652 /*
2653 * These calls should just queue the request and not send anything
2654 * even if we explicitly try to hit the state machine.
2655 */
f0049b86
BK		 2656 if (!TEST_true(SSL_new_session_ticket(serverssl))
2657 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2658 || !TEST_int_eq(0, new_called)
2659 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2660 || !TEST_int_eq(0, new_called))
2661 goto end;
2662 /* Re-do the write; still no tickets sent */
2663 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2664 || !TEST_size_t_eq(1, nbytes)
2665 || !TEST_int_eq(0, new_called)
2666 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2667 || !TEST_int_eq(0, new_called)
2668 || !TEST_int_eq(sizeof(buf), nbytes)
2669 || !TEST_int_eq(c, buf[0])
2670 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2671 goto end;
a0bbcb42
BK		 2672 /* Even trying to hit the state machine now will still not send tickets */
2673 if (!TEST_true(SSL_do_handshake(serverssl))
2674 || !TEST_int_eq(0, new_called))
2675 goto end;
f0049b86 2676 /* Now the *next* write should send the tickets */
a0bbcb42 2677 c = '6';
f0049b86
BK		 2678 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2679 || !TEST_size_t_eq(1, nbytes)
2680 || !TEST_int_eq(2, new_called)
2681 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2682 || !TEST_int_eq(4, new_called)
2683 || !TEST_int_eq(sizeof(buf), nbytes)
2684 || !TEST_int_eq(c, buf[0])
2685 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2686 goto end;
2687
2688 SSL_shutdown(clientssl);
2689 SSL_shutdown(serverssl);
2690 testresult = 1;
2691
2692 end:
2693 BIO_free(bretry);
2694 BIO_free(tmp);
2695 SSL_free(serverssl);
2696 SSL_free(clientssl);
2697 SSL_CTX_free(sctx);
2698 SSL_CTX_free(cctx);
2699 clientssl = serverssl = NULL;
2700 sctx = cctx = NULL;
2701 return testresult;
2702}
04225915 2703#endif
36ff232c 2704
7d4488bb
MC		 2705#define USE_NULL 0
2706#define USE_BIO_1 1
2707#define USE_BIO_2 2
2708#define USE_DEFAULT 3
2709
2710#define CONNTYPE_CONNECTION_SUCCESS 0
2711#define CONNTYPE_CONNECTION_FAIL 1
2712#define CONNTYPE_NO_CONNECTION 2
2713
2714#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2715#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2716#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2717# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2718#else
2719# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2720#endif
2721
7d4488bb
MC		 2722#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2723 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2724 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2725
2726static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2727{
2728 switch (type) {
2729 case USE_NULL:
2730 *res = NULL;
2731 break;
2732 case USE_BIO_1:
2733 *res = bio1;
2734 break;
2735 case USE_BIO_2:
2736 *res = bio2;
2737 break;
2738 }
2739}
2740
7d4488bb
MC		 2741
2742/*
2743 * Tests calls to SSL_set_bio() under various conditions.
2744 *
2745 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2746 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2747 * then do more tests where we create a successful connection first using our
2748 * standard connection setup functions, and then call SSL_set_bio() with
2749 * various combinations of valid BIOs or NULL. We then repeat these tests
2750 * following a failed connection. In this last case we are looking to check that
2751 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2752 */
7fb4c820
MC		 2753static int test_ssl_set_bio(int idx)
2754{
7d4488bb 2755 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2756 BIO *bio1 = NULL;
2757 BIO *bio2 = NULL;
0fae8150 2758 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2759 SSL *serverssl = NULL, *clientssl = NULL;
2760 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2761 int testresult = 0;
2762
7d4488bb
MC		 2763 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2764 initrbio = idx % 3;
2765 idx /= 3;
2766 initwbio = idx % 3;
2767 idx /= 3;
2768 newrbio = idx % 3;
2769 idx /= 3;
2770 newwbio = idx % 3;
2771 conntype = CONNTYPE_NO_CONNECTION;
2772 } else {
2773 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2774 initrbio = initwbio = USE_DEFAULT;
2775 newrbio = idx % 2;
2776 idx /= 2;
2777 newwbio = idx % 2;
2778 idx /= 2;
2779 conntype = idx % 2;
2780 }
710756a9 2781
5e30f2fd
MC		 2782 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2783 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2784 &sctx, &cctx, cert, privkey)))
2785 goto end;
2786
2787 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2788 /*
2789 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2790 * because we reduced the number of tests in the definition of
2791 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2792 * mismatched protocol versions we will force a connection failure.
2793 */
2794 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2795 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2796 }
2797
2798 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2799 NULL, NULL)))
710756a9 2800 goto end;
7fb4c820 2801
710756a9
RS		 2802 if (initrbio == USE_BIO_1
2803 || initwbio == USE_BIO_1
2804 || newrbio == USE_BIO_1
7fb4c820 2805 || newwbio == USE_BIO_1) {
710756a9 2806 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2807 goto end;
7fb4c820
MC		 2808 }
2809
710756a9
RS		 2810 if (initrbio == USE_BIO_2
2811 || initwbio == USE_BIO_2
2812 || newrbio == USE_BIO_2
7fb4c820 2813 || newwbio == USE_BIO_2) {
710756a9 2814 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2815 goto end;
7fb4c820
MC		 2816 }
2817
7d4488bb
MC		 2818 if (initrbio != USE_DEFAULT) {
2819 setupbio(&irbio, bio1, bio2, initrbio);
2820 setupbio(&iwbio, bio1, bio2, initwbio);
2821 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2822
7d4488bb
MC		 2823 /*
2824 * We want to maintain our own refs to these BIO, so do an up ref for
2825 * each BIO that will have ownership transferred in the SSL_set_bio()
2826 * call
2827 */
2828 if (irbio != NULL)
2829 BIO_up_ref(irbio);
2830 if (iwbio != NULL && iwbio != irbio)
2831 BIO_up_ref(iwbio);
2832 }
7fb4c820 2833
7d4488bb
MC		 2834 if (conntype != CONNTYPE_NO_CONNECTION
2835 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2836 SSL_ERROR_NONE)
2837 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2838 goto end;
7fb4c820
MC		 2839
2840 setupbio(&nrbio, bio1, bio2, newrbio);
2841 setupbio(&nwbio, bio1, bio2, newwbio);
2842
2843 /*
2844 * We will (maybe) transfer ownership again so do more up refs.
2845 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2846 * already been set!
2847 */
710756a9
RS		 2848 if (nrbio != NULL
2849 && nrbio != irbio
2850 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2851 BIO_up_ref(nrbio);
710756a9
RS		 2852 if (nwbio != NULL
2853 && nwbio != nrbio
2854 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2855 BIO_up_ref(nwbio);
2856
7d4488bb 2857 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2858
2859 testresult = 1;
2860
2861 end:
7fb4c820
MC		 2862 BIO_free(bio1);
2863 BIO_free(bio2);
710756a9 2864
7fb4c820
MC		 2865 /*
2866 * This test is checking that the ref counting for SSL_set_bio is correct.
2867 * If we get here and we did too many frees then we will fail in the above
742ccab3 2868 * functions.
7fb4c820 2869 */
7d4488bb
MC		 2870 SSL_free(serverssl);
2871 SSL_free(clientssl);
2872 SSL_CTX_free(sctx);
2873 SSL_CTX_free(cctx);
7fb4c820
MC		 2874 return testresult;
2875}
2876
7e885b7b 2877typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2878
7e885b7b 2879static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2880{
2881 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2882 SSL_CTX *ctx;
9a716987
MC		 2883 SSL *ssl = NULL;
2884 int testresult = 0;
2885
d8652be0 2886 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2887 || !TEST_ptr(ssl = SSL_new(ctx))
2888 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2889 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2890 goto end;
9a716987
MC		 2891
2892 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2893
2894 /*
742ccab3 2895 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2896 */
2897 BIO_push(sslbio, membio1);
2898
69687aa8 2899 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2900 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2901 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2902 ssl = NULL;
9a716987 2903 goto end;
493e7898 2904 }
7e885b7b 2905 if (change_bio == CHANGE_RBIO)
65e2d672 2906 SSL_set0_rbio(ssl, membio2);
9a716987 2907 else
65e2d672 2908 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2909 }
2910 ssl = NULL;
2911
7e885b7b 2912 if (pop_ssl)
9a716987
MC		 2913 BIO_pop(sslbio);
2914 else
2915 BIO_pop(membio1);
2916
2917 testresult = 1;
2918 end:
2919 BIO_free(membio1);
2920 BIO_free(sslbio);
2921 SSL_free(ssl);
2922 SSL_CTX_free(ctx);
2923
2924 return testresult;
2925}
2926
2927static int test_ssl_bio_pop_next_bio(void)
2928{
7e885b7b 2929 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2930}
2931
2932static int test_ssl_bio_pop_ssl_bio(void)
2933{
7e885b7b 2934 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2935}
2936
2937static int test_ssl_bio_change_rbio(void)
2938{
7e885b7b 2939 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2940}
2941
2942static int test_ssl_bio_change_wbio(void)
2943{
7e885b7b 2944 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2945}
2946
a763ca11 2947#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2948typedef struct {
2949 /* The list of sig algs */
2950 const int *list;
2951 /* The length of the list */
2952 size_t listlen;
2953 /* A sigalgs list in string format */
2954 const char *liststr;
2955 /* Whether setting the list should succeed */
2956 int valid;
2957 /* Whether creating a connection with the list should succeed */
2958 int connsuccess;
2959} sigalgs_list;
2960
2961static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2962# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2963static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2964static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2965# endif
f1b25aae
MC		 2966static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2967static const int invalidlist2[] = {NID_sha256, NID_undef};
2968static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2969static const int invalidlist4[] = {NID_sha256};
2970static const sigalgs_list testsigalgs[] = {
2971 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2972# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2973 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2974 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2975# endif
f1b25aae 2976 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2977# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2978 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2979 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2980# endif
f1b25aae
MC		 2981 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2982 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2983 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2984 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2985 {NULL, 0, "RSA", 0, 0},
2986 {NULL, 0, "SHA256", 0, 0},
2987 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2988 {NULL, 0, "Invalid", 0, 0}
2989};
f1b25aae
MC		 2990
2991static int test_set_sigalgs(int idx)
2992{
2993 SSL_CTX *cctx = NULL, *sctx = NULL;
2994 SSL *clientssl = NULL, *serverssl = NULL;
2995 int testresult = 0;
2996 const sigalgs_list *curr;
2997 int testctx;
2998
2999 /* Should never happen */
710756a9 3000 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3001 return 0;
3002
3003 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3004 curr = testctx ? &testsigalgs[idx]
3005 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3006
5e30f2fd
MC		 3007 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3008 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3009 &sctx, &cctx, cert, privkey)))
f1b25aae 3010 return 0;
f1b25aae 3011
d2e491f2
MC		 3012 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3013
f1b25aae
MC		 3014 if (testctx) {
3015 int ret;
710756a9 3016
f1b25aae
MC		 3017 if (curr->list != NULL)
3018 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3019 else
3020 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3021
3022 if (!ret) {
3023 if (curr->valid)
710756a9 3024 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3025 else
3026 testresult = 1;
3027 goto end;
3028 }
3029 if (!curr->valid) {
710756a9 3030 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3031 goto end;
3032 }
3033 }
3034
710756a9
RS		 3035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3036 &clientssl, NULL, NULL)))
f1b25aae 3037 goto end;
f1b25aae
MC		 3038
3039 if (!testctx) {
3040 int ret;
3041
3042 if (curr->list != NULL)
3043 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3044 else
3045 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3046 if (!ret) {
3047 if (curr->valid)
710756a9 3048 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3049 else
3050 testresult = 1;
3051 goto end;
3052 }
710756a9 3053 if (!curr->valid)
f1b25aae 3054 goto end;
f1b25aae
MC		 3055 }
3056
710756a9
RS		 3057 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3058 SSL_ERROR_NONE),
3059 curr->connsuccess))
f1b25aae 3060 goto end;
f1b25aae
MC		 3061
3062 testresult = 1;
3063
3064 end:
3065 SSL_free(serverssl);
3066 SSL_free(clientssl);
3067 SSL_CTX_free(sctx);
3068 SSL_CTX_free(cctx);
3069
3070 return testresult;
3071}
c423ecaa 3072#endif
f1b25aae 3073
a763ca11 3074#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3075static int psk_client_cb_cnt = 0;
3076static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3077
3078static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3079 size_t *idlen, SSL_SESSION **sess)
3080{
3081 switch (++use_session_cb_cnt) {
3082 case 1:
3083 /* The first call should always have a NULL md */
3084 if (md != NULL)
3085 return 0;
3086 break;
3087
3088 case 2:
3089 /* The second call should always have an md */
3090 if (md == NULL)
3091 return 0;
3092 break;
3093
3094 default:
3095 /* We should only be called a maximum of twice */
3096 return 0;
3097 }
3098
57dee9bb
MC		 3099 if (clientpsk != NULL)
3100 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3101
57dee9bb 3102 *sess = clientpsk;
02a3ed5a
MC		 3103 *id = (const unsigned char *)pskid;
3104 *idlen = strlen(pskid);
3105
3106 return 1;
3107}
3108
c2b290c3 3109#ifndef OPENSSL_NO_PSK
532f9578
MC		 3110static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3111 unsigned int max_id_len,
3112 unsigned char *psk,
3113 unsigned int max_psk_len)
3114{
3115 unsigned int psklen = 0;
3116
3117 psk_client_cb_cnt++;
3118
3119 if (strlen(pskid) + 1 > max_id_len)
3120 return 0;
3121
3122 /* We should only ever be called a maximum of twice per connection */
3123 if (psk_client_cb_cnt > 2)
3124 return 0;
3125
3126 if (clientpsk == NULL)
3127 return 0;
3128
3129 /* We'll reuse the PSK we set up for TLSv1.3 */
3130 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3131 return 0;
3132 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3133 strncpy(id, pskid, max_id_len);
3134
3135 return psklen;
3136}
c2b290c3 3137#endif /* OPENSSL_NO_PSK */
532f9578 3138
02a3ed5a
MC		 3139static int find_session_cb(SSL *ssl, const unsigned char *identity,
3140 size_t identity_len, SSL_SESSION **sess)
3141{
3142 find_session_cb_cnt++;
3143
3144 /* We should only ever be called a maximum of twice per connection */
3145 if (find_session_cb_cnt > 2)
3146 return 0;
3147
57dee9bb 3148 if (serverpsk == NULL)
02a3ed5a
MC		 3149 return 0;
3150
3151 /* Identity should match that set by the client */
3152 if (strlen(srvid) != identity_len
3153 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3154 /* No PSK found, continue but without a PSK */
3155 *sess = NULL;
3156 return 1;
3157 }
3158
57dee9bb
MC		 3159 SSL_SESSION_up_ref(serverpsk);
3160 *sess = serverpsk;
02a3ed5a
MC		 3161
3162 return 1;
3163}
3164
c2b290c3 3165#ifndef OPENSSL_NO_PSK
532f9578
MC		 3166static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3167 unsigned char *psk, unsigned int max_psk_len)
3168{
3169 unsigned int psklen = 0;
3170
3171 psk_server_cb_cnt++;
3172
3173 /* We should only ever be called a maximum of twice per connection */
3174 if (find_session_cb_cnt > 2)
3175 return 0;
3176
3177 if (serverpsk == NULL)
3178 return 0;
3179
3180 /* Identity should match that set by the client */
3181 if (strcmp(srvid, identity) != 0) {
3182 return 0;
3183 }
3184
3185 /* We'll reuse the PSK we set up for TLSv1.3 */
3186 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3187 return 0;
3188 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3189
3190 return psklen;
3191}
c2b290c3 3192#endif /* OPENSSL_NO_PSK */
532f9578 3193
5f982038
MC		 3194#define MSG1 "Hello"
3195#define MSG2 "World."
3196#define MSG3 "This"
3197#define MSG4 "is"
3198#define MSG5 "a"
90049cea
MC		 3199#define MSG6 "test"
3200#define MSG7 "message."
5f982038 3201
532f9578 3202#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3203#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3204#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3205#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3206#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3207
8614a4eb
MC		 3208
3209static SSL_SESSION *create_a_psk(SSL *ssl)
3210{
3211 const SSL_CIPHER *cipher = NULL;
3212 const unsigned char key[] = {
3213 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3214 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3215 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3216 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3217 0x2c, 0x2d, 0x2e, 0x2f
3218 };
3219 SSL_SESSION *sess = NULL;
3220
3221 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3222 sess = SSL_SESSION_new();
3223 if (!TEST_ptr(sess)
3224 || !TEST_ptr(cipher)
3225 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3226 sizeof(key)))
3227 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3228 || !TEST_true(
3229 SSL_SESSION_set_protocol_version(sess,
3230 TLS1_3_VERSION))) {
3231 SSL_SESSION_free(sess);
3232 return NULL;
3233 }
3234 return sess;
3235}
3236
5f982038
MC		 3237/*
3238 * Helper method to setup objects for early data test. Caller frees objects on
3239 * error.
3240 */
3241static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3242 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3243{
5a421415 3244 if (*sctx == NULL
5e30f2fd 3245 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3246 TLS_client_method(),
5c587fb6 3247 TLS1_VERSION, 0,
5a421415
MC		 3248 sctx, cctx, cert, privkey)))
3249 return 0;
3250
3251 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3252 return 0;
5f982038 3253
02a3ed5a
MC		 3254 if (idx == 1) {
3255 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3256 SSL_CTX_set_read_ahead(*cctx, 1);
3257 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3258 } else if (idx == 2) {
3259 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3260 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3261 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3262 use_session_cb_cnt = 0;
3263 find_session_cb_cnt = 0;
3264 srvid = pskid;
3cb47b4e
MC		 3265 }
3266
710756a9 3267 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3268 NULL, NULL)))
3269 return 0;
3270
141e4709
MC		 3271 /*
3272 * For one of the run throughs (doesn't matter which one), we'll try sending
3273 * some SNI data in the initial ClientHello. This will be ignored (because
3274 * there is no SNI cb set up by the server), so it should not impact
3275 * early_data.
3276 */
3277 if (idx == 1
3278 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3279 return 0;
3280
02a3ed5a 3281 if (idx == 2) {
8614a4eb 3282 clientpsk = create_a_psk(*clientssl);
57dee9bb 3283 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3284 /*
3285 * We just choose an arbitrary value for max_early_data which
3286 * should be big enough for testing purposes.
3287 */
57dee9bb
MC		 3288 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3289 0x100))
3290 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3291 SSL_SESSION_free(clientpsk);
3292 clientpsk = NULL;
02a3ed5a
MC		 3293 return 0;
3294 }
57dee9bb 3295 serverpsk = clientpsk;
02a3ed5a 3296
c20e3b28
MC		 3297 if (sess != NULL) {
3298 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3299 SSL_SESSION_free(clientpsk);
3300 SSL_SESSION_free(serverpsk);
3301 clientpsk = serverpsk = NULL;
3302 return 0;
3303 }
57dee9bb 3304 *sess = clientpsk;
c20e3b28 3305 }
02a3ed5a
MC		 3306 return 1;
3307 }
3308
3309 if (sess == NULL)
3310 return 1;
3311
3312 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3313 SSL_ERROR_NONE)))
5f982038 3314 return 0;
5f982038
MC		 3315
3316 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3317 SSL_shutdown(*clientssl);
3318 SSL_shutdown(*serverssl);
5f982038
MC		 3319 SSL_free(*serverssl);
3320 SSL_free(*clientssl);
3321 *serverssl = *clientssl = NULL;
3322
710756a9
RS		 3323 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3324 clientssl, NULL, NULL))
3325 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3326 return 0;
5f982038
MC		 3327
3328 return 1;
3329}
3330
3cb47b4e 3331static int test_early_data_read_write(int idx)
5f982038
MC		 3332{
3333 SSL_CTX *cctx = NULL, *sctx = NULL;
3334 SSL *clientssl = NULL, *serverssl = NULL;
3335 int testresult = 0;
3336 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3337 unsigned char buf[20], data[1024];
3338 size_t readbytes, written, eoedlen, rawread, rawwritten;
3339 BIO *rbio;
5f982038 3340
710756a9
RS		 3341 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3342 &serverssl, &sess, idx)))
5f982038
MC		 3343 goto end;
3344
3345 /* Write and read some early data */
710756a9
RS		 3346 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3347 &written))
3348 || !TEST_size_t_eq(written, strlen(MSG1))
3349 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3350 sizeof(buf), &readbytes),
3351 SSL_READ_EARLY_DATA_SUCCESS)
3352 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3353 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3354 SSL_EARLY_DATA_ACCEPTED))
5f982038 3355 goto end;
5f982038
MC		 3356
3357 /*
09f28874 3358 * Server should be able to write data, and client should be able to
5f982038
MC		 3359 * read it.
3360 */
710756a9
RS		 3361 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3362 &written))
3363 || !TEST_size_t_eq(written, strlen(MSG2))
3364 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3365 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3366 goto end;
5f982038
MC		 3367
3368 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3369 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3370 &written))
3371 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3372 goto end;
5f982038 3373
09f28874 3374 /* Server should still be able read early data after writing data */
710756a9
RS		 3375 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3376 &readbytes),
3377 SSL_READ_EARLY_DATA_SUCCESS)
3378 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3379 goto end;
5f982038 3380
09f28874 3381 /* Write more data from server and read it from client */
710756a9
RS		 3382 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3383 &written))
3384 || !TEST_size_t_eq(written, strlen(MSG4))
3385 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3386 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3387 goto end;
5f982038
MC		 3388
3389 /*
3390 * If client writes normal data it should mean writing early data is no
3391 * longer possible.
3392 */
710756a9
RS		 3393 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3394 || !TEST_size_t_eq(written, strlen(MSG5))
3395 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3396 SSL_EARLY_DATA_ACCEPTED))
5f982038 3397 goto end;
5f982038 3398
9b5c865d
MC		 3399 /*
3400 * At this point the client has written EndOfEarlyData, ClientFinished and
3401 * normal (fully protected) data. We are going to cause a delay between the
3402 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3403 * in the read BIO, and then just put back the EndOfEarlyData message.
3404 */
3405 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3406 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3407 || !TEST_size_t_lt(rawread, sizeof(data))
3408 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3409 goto end;
710756a9 3410
9b5c865d
MC		 3411 /* Record length is in the 4th and 5th bytes of the record header */
3412 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3413 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3414 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3415 goto end;
9b5c865d 3416
5f982038 3417 /* Server should be told that there is no more early data */
710756a9
RS		 3418 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3419 &readbytes),
3420 SSL_READ_EARLY_DATA_FINISH)
3421 || !TEST_size_t_eq(readbytes, 0))
5f982038 3422 goto end;
5f982038 3423
9b5c865d
MC		 3424 /*
3425 * Server has not finished init yet, so should still be able to write early
3426 * data.
3427 */
710756a9
RS		 3428 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3429 &written))
3430 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3431 goto end;
9b5c865d 3432
f8a303fa 3433 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3434 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3435 &rawwritten))
3436 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3437 goto end;
f8a303fa 3438
5f982038 3439 /* Server should be able to read normal data */
710756a9
RS		 3440 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3441 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3442 goto end;
5f982038 3443
09f28874 3444 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3445 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3446 &written)))
5f982038 3447 goto end;
5f982038 3448 ERR_clear_error();
710756a9
RS		 3449 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3450 &readbytes),
3451 SSL_READ_EARLY_DATA_ERROR))
5f982038 3452 goto end;
5f982038
MC		 3453 ERR_clear_error();
3454
9b5c865d 3455 /* Client should be able to read the data sent by the server */
710756a9
RS		 3456 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3457 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3458 goto end;
710756a9 3459
f8a303fa 3460 /*
36ff232c
MC		 3461 * Make sure we process the two NewSessionTickets. These arrive
3462 * post-handshake. We attempt reads which we do not expect to return any
3463 * data.
f8a303fa 3464 */
36ff232c
MC		 3465 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3466 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3467 &readbytes)))
f8a303fa 3468 goto end;
5f982038 3469
90049cea 3470 /* Server should be able to write normal data */
710756a9
RS		 3471 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3472 || !TEST_size_t_eq(written, strlen(MSG7))
3473 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3474 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3475 goto end;
90049cea 3476
c20e3b28 3477 SSL_SESSION_free(sess);
5f982038 3478 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3479 use_session_cb_cnt = 0;
3480 find_session_cb_cnt = 0;
5f982038
MC		 3481
3482 SSL_shutdown(clientssl);
3483 SSL_shutdown(serverssl);
5f982038
MC		 3484 SSL_free(serverssl);
3485 SSL_free(clientssl);
3486 serverssl = clientssl = NULL;
710756a9
RS		 3487 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3488 &clientssl, NULL, NULL))
3489 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3490 goto end;
5f982038
MC		 3491
3492 /* Write and read some early data */
710756a9
RS		 3493 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3494 &written))
3495 || !TEST_size_t_eq(written, strlen(MSG1))
3496 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3497 &readbytes),
3498 SSL_READ_EARLY_DATA_SUCCESS)
3499 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3500 goto end;
5f982038 3501
710756a9
RS		 3502 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3503 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3504 goto end;
5f982038 3505
09f28874 3506 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3507 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3508 &written)))
5f982038 3509 goto end;
5f982038 3510 ERR_clear_error();
710756a9
RS		 3511 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3512 &readbytes),
3513 SSL_READ_EARLY_DATA_ERROR))
5f982038 3514 goto end;
5f982038
MC		 3515 ERR_clear_error();
3516
3517 /* Client and server should be able to write/read normal data */
710756a9
RS		 3518 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3519 || !TEST_size_t_eq(written, strlen(MSG5))
3520 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3521 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3522 goto end;
5f982038
MC		 3523
3524 testresult = 1;
3525
3526 end:
c20e3b28 3527 SSL_SESSION_free(sess);
57dee9bb
MC		 3528 SSL_SESSION_free(clientpsk);
3529 SSL_SESSION_free(serverpsk);
3530 clientpsk = serverpsk = NULL;
5f982038
MC		 3531 SSL_free(serverssl);
3532 SSL_free(clientssl);
3533 SSL_CTX_free(sctx);
3534 SSL_CTX_free(cctx);
5f982038
MC		 3535 return testresult;
3536}
3537
5a421415
MC		 3538static int allow_ed_cb_called = 0;
3539
3540static int allow_early_data_cb(SSL *s, void *arg)
3541{
3542 int *usecb = (int *)arg;
3543
3544 allow_ed_cb_called++;
3545
3546 if (*usecb == 1)
3547 return 0;
3548
3549 return 1;
3550}
3551
3552/*
3553 * idx == 0: Standard early_data setup
3554 * idx == 1: early_data setup using read_ahead
3555 * usecb == 0: Don't use a custom early data callback
3556 * usecb == 1: Use a custom early data callback and reject the early data
3557 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3558 * confopt == 0: Configure anti-replay directly
3559 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3560 */
3bb5e5b0 3561static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3562{
3563 SSL_CTX *cctx = NULL, *sctx = NULL;
3564 SSL *clientssl = NULL, *serverssl = NULL;
3565 int testresult = 0;
3566 SSL_SESSION *sess = NULL;
5a421415
MC		 3567 size_t readbytes, written;
3568 unsigned char buf[20];
3569
3570 allow_ed_cb_called = 0;
3571
5e30f2fd
MC		 3572 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3573 TLS_client_method(), TLS1_VERSION, 0,
3574 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3575 return 0;
3576
3577 if (usecb > 0) {
3bb5e5b0
MC		 3578 if (confopt == 0) {
3579 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3580 } else {
3581 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3582
3583 if (!TEST_ptr(confctx))
3584 goto end;
3585 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3586 | SSL_CONF_FLAG_SERVER);
3587 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3588 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3589 2)) {
3590 SSL_CONF_CTX_free(confctx);
3591 goto end;
3592 }
3593 SSL_CONF_CTX_free(confctx);
3594 }
5a421415
MC		 3595 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3596 }
78fb5374
MC		 3597
3598 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3599 &serverssl, &sess, idx)))
3600 goto end;
3601
3602 /*
3603 * The server is configured to accept early data. Create a connection to
3604 * "use up" the ticket
3605 */
3606 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3607 || !TEST_true(SSL_session_reused(clientssl)))
3608 goto end;
3609
3610 SSL_shutdown(clientssl);
3611 SSL_shutdown(serverssl);
3612 SSL_free(serverssl);
3613 SSL_free(clientssl);
3614 serverssl = clientssl = NULL;
3615
3616 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3617 &clientssl, NULL, NULL))
5a421415
MC		 3618 || !TEST_true(SSL_set_session(clientssl, sess)))
3619 goto end;
3620
3621 /* Write and read some early data */
3622 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3623 &written))
3624 || !TEST_size_t_eq(written, strlen(MSG1)))
3625 goto end;
3626
3627 if (usecb <= 1) {
3628 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3629 &readbytes),
3630 SSL_READ_EARLY_DATA_FINISH)
3631 /*
3632 * The ticket was reused, so the we should have rejected the
3633 * early data
3634 */
3635 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3636 SSL_EARLY_DATA_REJECTED))
3637 goto end;
3638 } else {
3639 /* In this case the callback decides to accept the early data */
3640 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3641 &readbytes),
3642 SSL_READ_EARLY_DATA_SUCCESS)
3643 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3644 /*
3645 * Server will have sent its flight so client can now send
3646 * end of early data and complete its half of the handshake
3647 */
3648 || !TEST_int_gt(SSL_connect(clientssl), 0)
3649 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3650 &readbytes),
3651 SSL_READ_EARLY_DATA_FINISH)
3652 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3653 SSL_EARLY_DATA_ACCEPTED))
3654 goto end;
3655 }
3656
3657 /* Complete the connection */
3658 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3659 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3660 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3661 goto end;
3662
3663 testresult = 1;
3664
3665 end:
c20e3b28 3666 SSL_SESSION_free(sess);
78fb5374
MC		 3667 SSL_SESSION_free(clientpsk);
3668 SSL_SESSION_free(serverpsk);
3669 clientpsk = serverpsk = NULL;
3670 SSL_free(serverssl);
3671 SSL_free(clientssl);
3672 SSL_CTX_free(sctx);
3673 SSL_CTX_free(cctx);
3674 return testresult;
3675}
3676
5a421415
MC		 3677static int test_early_data_replay(int idx)
3678{
3bb5e5b0 3679 int ret = 1, usecb, confopt;
5a421415 3680
3bb5e5b0
MC		 3681 for (usecb = 0; usecb < 3; usecb++) {
3682 for (confopt = 0; confopt < 2; confopt++)
3683 ret &= test_early_data_replay_int(idx, usecb, confopt);
3684 }
5a421415
MC		 3685
3686 return ret;
3687}
3688
710756a9 3689/*
6b84e6bf
MC		 3690 * Helper function to test that a server attempting to read early data can
3691 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3692 * testtype: 0 == No HRR
3693 * testtype: 1 == HRR
0efa0ba4
MC		 3694 * testtype: 2 == HRR, invalid early_data sent after HRR
3695 * testtype: 3 == recv_max_early_data set to 0
710756a9 3696 */
0d1b7789 3697static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3698{
3699 SSL_CTX *cctx = NULL, *sctx = NULL;
3700 SSL *clientssl = NULL, *serverssl = NULL;
3701 int testresult = 0;
018fcbec 3702 SSL_SESSION *sess = NULL;
5f982038
MC		 3703 unsigned char buf[20];
3704 size_t readbytes, written;
3705
710756a9
RS		 3706 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3707 &serverssl, &sess, idx)))
5f982038
MC		 3708 goto end;
3709
0efa0ba4 3710 if (testtype == 1 || testtype == 2) {
6b84e6bf 3711 /* Force an HRR to occur */
dbc6268f
MC		 3712#if defined(OPENSSL_NO_EC)
3713 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3714 goto end;
3715#else
6b84e6bf
MC		 3716 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3717 goto end;
dbc6268f 3718#endif
02a3ed5a
MC		 3719 } else if (idx == 2) {
3720 /*
3721 * We force early_data rejection by ensuring the PSK identity is
3722 * unrecognised
3723 */
3724 srvid = "Dummy Identity";
6b84e6bf
MC		 3725 } else {
3726 /*
3727 * Deliberately corrupt the creation time. We take 20 seconds off the
3728 * time. It could be any value as long as it is not within tolerance.
3729 * This should mean the ticket is rejected.
3730 */
5d99881e 3731 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3732 goto end;
3733 }
5f982038 3734
0efa0ba4 3735 if (testtype == 3
0d1b7789
MC		 3736 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3737 goto end;
3738
5f982038 3739 /* Write some early data */
710756a9
RS		 3740 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3741 &written))
3742 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3743 goto end;
5f982038 3744
0d1b7789 3745 /* Server should reject the early data */
710756a9
RS		 3746 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3747 &readbytes),
3748 SSL_READ_EARLY_DATA_FINISH)
3749 || !TEST_size_t_eq(readbytes, 0)
3750 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3751 SSL_EARLY_DATA_REJECTED))
5f982038 3752 goto end;
5f982038 3753
0efa0ba4
MC		 3754 switch (testtype) {
3755 case 0:
3756 /* Nothing to do */
3757 break;
3758
3759 case 1:
6b84e6bf
MC		 3760 /*
3761 * Finish off the handshake. We perform the same writes and reads as
3762 * further down but we expect them to fail due to the incomplete
3763 * handshake.
3764 */
3765 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3766 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3767 &readbytes)))
3768 goto end;
0efa0ba4
MC		 3769 break;
3770
3771 case 2:
3772 {
3773 BIO *wbio = SSL_get_wbio(clientssl);
3774 /* A record that will appear as bad early_data */
3775 const unsigned char bad_early_data[] = {
3776 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3777 };
3778
3779 /*
3780 * We force the client to attempt a write. This will fail because
3781 * we're still in the handshake. It will cause the second
3782 * ClientHello to be sent.
3783 */
3784 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3785 &written)))
3786 goto end;
3787
3788 /*
3789 * Inject some early_data after the second ClientHello. This should
3790 * cause the server to fail
3791 */
3792 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3793 sizeof(bad_early_data), &written)))
3794 goto end;
3795 }
3796 /* fallthrough */
3797
3798 case 3:
0d1b7789 3799 /*
0efa0ba4
MC		 3800 * This client has sent more early_data than we are willing to skip
3801 * (case 3) or sent invalid early_data (case 2) so the connection should
3802 * abort.
0d1b7789
MC		 3803 */
3804 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3805 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3806 goto end;
3807
3808 /* Connection has failed - nothing more to do */
3809 testresult = 1;
3810 goto end;
0efa0ba4
MC		 3811
3812 default:
3813 TEST_error("Invalid test type");
3814 goto end;
6b84e6bf
MC		 3815 }
3816
0d1b7789
MC		 3817 /*
3818 * Should be able to send normal data despite rejection of early data. The
3819 * early_data should be skipped.
3820 */
710756a9
RS		 3821 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3822 || !TEST_size_t_eq(written, strlen(MSG2))
3823 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3824 SSL_EARLY_DATA_REJECTED)
3825 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3826 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3827 goto end;
5f982038
MC		 3828
3829 testresult = 1;
3830
3831 end:
c20e3b28 3832 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3833 SSL_SESSION_free(serverpsk);
3834 clientpsk = serverpsk = NULL;
5f982038
MC		 3835 SSL_SESSION_free(sess);
3836 SSL_free(serverssl);
3837 SSL_free(clientssl);
3838 SSL_CTX_free(sctx);
3839 SSL_CTX_free(cctx);
5f982038
MC		 3840 return testresult;
3841}
3842
6b84e6bf
MC		 3843/*
3844 * Test that a server attempting to read early data can handle a connection
3845 * from a client where the early data is not acceptable.
3846 */
3847static int test_early_data_skip(int idx)
3848{
3849 return early_data_skip_helper(0, idx);
3850}
3851
3852/*
3853 * Test that a server attempting to read early data can handle a connection
3854 * from a client where an HRR occurs.
3855 */
3856static int test_early_data_skip_hrr(int idx)
3857{
3858 return early_data_skip_helper(1, idx);
3859}
3860
0efa0ba4
MC		 3861/*
3862 * Test that a server attempting to read early data can handle a connection
3863 * from a client where an HRR occurs and correctly fails if early_data is sent
3864 * after the HRR
3865 */
3866static int test_early_data_skip_hrr_fail(int idx)
3867{
3868 return early_data_skip_helper(2, idx);
3869}
3870
0d1b7789
MC		 3871/*
3872 * Test that a server attempting to read early data will abort if it tries to
3873 * skip over too much.
3874 */
3875static int test_early_data_skip_abort(int idx)
3876{
0efa0ba4 3877 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3878}
3879
710756a9
RS		 3880/*
3881 * Test that a server attempting to read early data can handle a connection
3882 * from a client that doesn't send any.
3883 */
3cb47b4e 3884static int test_early_data_not_sent(int idx)
5f982038
MC		 3885{
3886 SSL_CTX *cctx = NULL, *sctx = NULL;
3887 SSL *clientssl = NULL, *serverssl = NULL;
3888 int testresult = 0;
018fcbec 3889 SSL_SESSION *sess = NULL;
5f982038
MC		 3890 unsigned char buf[20];
3891 size_t readbytes, written;
3892
710756a9
RS		 3893 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3894 &serverssl, &sess, idx)))
5f982038
MC		 3895 goto end;
3896
3897 /* Write some data - should block due to handshake with server */
3898 SSL_set_connect_state(clientssl);
710756a9 3899 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3900 goto end;
5f982038
MC		 3901
3902 /* Server should detect that early data has not been sent */
710756a9
RS		 3903 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3904 &readbytes),
3905 SSL_READ_EARLY_DATA_FINISH)
3906 || !TEST_size_t_eq(readbytes, 0)
3907 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3908 SSL_EARLY_DATA_NOT_SENT)
3909 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3910 SSL_EARLY_DATA_NOT_SENT))
5f982038 3911 goto end;
5f982038
MC		 3912
3913 /* Continue writing the message we started earlier */
710756a9
RS		 3914 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3915 || !TEST_size_t_eq(written, strlen(MSG1))
3916 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3917 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3918 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3919 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3920 goto end;
5f982038 3921
710756a9
RS		 3922 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3923 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3924 goto end;
5f982038
MC		 3925
3926 testresult = 1;
3927
3928 end:
5f982038 3929 SSL_SESSION_free(sess);
c20e3b28 3930 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3931 SSL_SESSION_free(serverpsk);
3932 clientpsk = serverpsk = NULL;
5f982038
MC		 3933 SSL_free(serverssl);
3934 SSL_free(clientssl);
3935 SSL_CTX_free(sctx);
3936 SSL_CTX_free(cctx);
5f982038
MC		 3937 return testresult;
3938}
3939
976e5323
MC		 3940static const char *servalpn;
3941
c7558d5b
PY		 3942static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3943 unsigned char *outlen, const unsigned char *in,
3944 unsigned int inlen, void *arg)
976e5323 3945{
c7558d5b 3946 unsigned int protlen = 0;
976e5323
MC		 3947 const unsigned char *prot;
3948
c7558d5b
PY		 3949 for (prot = in; prot < in + inlen; prot += protlen) {
3950 protlen = *prot++;
5d99881e 3951 if (in + inlen < prot + protlen)
976e5323
MC		 3952 return SSL_TLSEXT_ERR_NOACK;
3953
3954 if (protlen == strlen(servalpn)
0bd42fde 3955 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3956 *out = prot;
3957 *outlen = protlen;
3958 return SSL_TLSEXT_ERR_OK;
3959 }
3960 }
3961
3962 return SSL_TLSEXT_ERR_NOACK;
3963}
3964
57dee9bb 3965/* Test that a PSK can be used to send early_data */
976e5323
MC		 3966static int test_early_data_psk(int idx)
3967{
3968 SSL_CTX *cctx = NULL, *sctx = NULL;
3969 SSL *clientssl = NULL, *serverssl = NULL;
3970 int testresult = 0;
3971 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3972 unsigned char alpnlist[] = {
3973 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3974 'l', 'p', 'n'
3975 };
3976#define GOODALPNLEN 9
3977#define BADALPNLEN 8
3978#define GOODALPN (alpnlist)
3979#define BADALPN (alpnlist + GOODALPNLEN)
3980 int err = 0;
976e5323
MC		 3981 unsigned char buf[20];
3982 size_t readbytes, written;
57dee9bb 3983 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3984 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3985
3986 /* We always set this up with a final parameter of "2" for PSK */
3987 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3988 &serverssl, &sess, 2)))
3989 goto end;
3990
976e5323
MC		 3991 servalpn = "goodalpn";
3992
57dee9bb
MC		 3993 /*
3994 * Note: There is no test for inconsistent SNI with late client detection.
3995 * This is because servers do not acknowledge SNI even if they are using
3996 * it in a resumption handshake - so it is not actually possible for a
3997 * client to detect a problem.
3998 */
976e5323
MC		 3999 switch (idx) {
4000 case 0:
57dee9bb 4001 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4002 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4003 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4004 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4005 goto end;
4006 break;
4007
4008 case 1:
57dee9bb 4009 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4010 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4011 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4012 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4013 GOODALPNLEN))
4014 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4015 BADALPNLEN)))
976e5323
MC		 4016 goto end;
4017 break;
4018
4019 case 2:
4020 /*
4021 * Set invalid protocol version. Technically this affects PSKs without
4022 * early_data too, but we test it here because it is similar to the
4023 * SNI/ALPN consistency tests.
4024 */
4025 err = SSL_R_BAD_PSK;
4026 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4027 goto end;
4028 break;
4029
4030 case 3:
4031 /*
49ef3d07
MC		 4032 * Set inconsistent SNI (server side). In this case the connection
4033 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4034 * is associated with each handshake - not the session. Therefore it
4035 * should not matter that we used a different server name last time.
976e5323 4036 */
281bf233
MC		 4037 SSL_SESSION_free(serverpsk);
4038 serverpsk = SSL_SESSION_dup(clientpsk);
4039 if (!TEST_ptr(serverpsk)
4040 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4041 goto end;
976e5323
MC		 4042 /* Fall through */
4043 case 4:
4044 /* Set consistent SNI */
976e5323
MC		 4045 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4046 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4047 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4048 hostname_cb)))
4049 goto end;
4050 break;
4051
4052 case 5:
4053 /*
4054 * Set inconsistent ALPN (server detected). In this case the connection
4055 * will succeed but reject early_data.
4056 */
4057 servalpn = "badalpn";
4058 edstatus = SSL_EARLY_DATA_REJECTED;
4059 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4060 /* Fall through */
4061 case 6:
976e5323 4062 /*
57dee9bb 4063 * Set consistent ALPN.
976e5323
MC		 4064 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4065 * accepts a list of protos (each one length prefixed).
4066 * SSL_set1_alpn_selected accepts a single protocol (not length
4067 * prefixed)
4068 */
57dee9bb
MC		 4069 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4070 GOODALPNLEN - 1))
4071 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4072 GOODALPNLEN)))
976e5323
MC		 4073 goto end;
4074
4075 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4076 break;
4077
57dee9bb
MC		 4078 case 7:
4079 /* Set inconsistent ALPN (late client detection) */
4080 SSL_SESSION_free(serverpsk);
4081 serverpsk = SSL_SESSION_dup(clientpsk);
4082 if (!TEST_ptr(serverpsk)
4083 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4084 BADALPN + 1,
4085 BADALPNLEN - 1))
4086 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4087 GOODALPN + 1,
4088 GOODALPNLEN - 1))
4089 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4090 sizeof(alpnlist))))
4091 goto end;
4092 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4093 edstatus = SSL_EARLY_DATA_ACCEPTED;
4094 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4095 /* SSL_connect() call should fail */
4096 connectres = -1;
4097 break;
4098
976e5323
MC		 4099 default:
4100 TEST_error("Bad test index");
4101 goto end;
4102 }
4103
4104 SSL_set_connect_state(clientssl);
4105 if (err != 0) {
4106 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4107 &written))
4108 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4109 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4110 goto end;
4111 } else {
4112 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4113 &written)))
4114 goto end;
4115
4116 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4117 &readbytes), readearlyres)
976e5323
MC		 4118 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4119 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4120 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4121 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4122 goto end;
4123 }
4124
4125 testresult = 1;
4126
4127 end:
c20e3b28 4128 SSL_SESSION_free(sess);
57dee9bb
MC		 4129 SSL_SESSION_free(clientpsk);
4130 SSL_SESSION_free(serverpsk);
4131 clientpsk = serverpsk = NULL;
976e5323
MC		 4132 SSL_free(serverssl);
4133 SSL_free(clientssl);
4134 SSL_CTX_free(sctx);
4135 SSL_CTX_free(cctx);
4136 return testresult;
4137}
4138
0b2b0be9 4139/*
4140 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4141 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4142 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4143 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4144 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4145 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4146 */
4147static int test_early_data_psk_with_all_ciphers(int idx)
4148{
4149 SSL_CTX *cctx = NULL, *sctx = NULL;
4150 SSL *clientssl = NULL, *serverssl = NULL;
4151 int testresult = 0;
4152 SSL_SESSION *sess = NULL;
4153 unsigned char buf[20];
4154 size_t readbytes, written;
4155 const SSL_CIPHER *cipher;
4156 const char *cipher_str[] = {
4157 TLS1_3_RFC_AES_128_GCM_SHA256,
4158 TLS1_3_RFC_AES_256_GCM_SHA384,
4159# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4160 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4161# else
4162 NULL,
4163# endif
4164 TLS1_3_RFC_AES_128_CCM_SHA256,
4165 TLS1_3_RFC_AES_128_CCM_8_SHA256
4166 };
4167 const unsigned char *cipher_bytes[] = {
4168 TLS13_AES_128_GCM_SHA256_BYTES,
4169 TLS13_AES_256_GCM_SHA384_BYTES,
4170# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4171 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4172# else
4173 NULL,
4174# endif
4175 TLS13_AES_128_CCM_SHA256_BYTES,
4176 TLS13_AES_128_CCM_8_SHA256_BYTES
4177 };
4178
4179 if (cipher_str[idx] == NULL)
4180 return 1;
4181 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4182 if (idx == 2 && is_fips == 1)
4183 return 1;
4184
4185 /* We always set this up with a final parameter of "2" for PSK */
4186 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4187 &serverssl, &sess, 2)))
4188 goto end;
4189
e0710222
P		 4190 if (idx == 4) {
4191 /* CCM8 ciphers are considered low security due to their short tag */
4192 SSL_set_security_level(clientssl, 0);
4193 SSL_set_security_level(serverssl, 0);
4194 }
4195
0b2b0be9 4196 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4197 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4198 goto end;
4199
4200 /*
4201 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4202 * and assigns to both client and server with incremented reference
4203 * and the same instance is updated in 'sess'.
4204 * So updating ciphersuite in 'sess' which will get reflected in
4205 * PSK handshake using psk use sess and find sess cb.
4206 */
4207 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4208 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4209 goto end;
4210
4211 SSL_set_connect_state(clientssl);
4212 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4213 &written)))
4214 goto end;
4215
4216 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4217 &readbytes),
4218 SSL_READ_EARLY_DATA_SUCCESS)
4219 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4220 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4221 SSL_EARLY_DATA_ACCEPTED)
4222 || !TEST_int_eq(SSL_connect(clientssl), 1)
4223 || !TEST_int_eq(SSL_accept(serverssl), 1))
4224 goto end;
4225
4226 /* Send some normal data from client to server */
4227 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4228 || !TEST_size_t_eq(written, strlen(MSG2)))
4229 goto end;
4230
4231 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4232 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4233 goto end;
4234
4235 testresult = 1;
4236 end:
4237 SSL_SESSION_free(sess);
4238 SSL_SESSION_free(clientpsk);
4239 SSL_SESSION_free(serverpsk);
4240 clientpsk = serverpsk = NULL;
4241 if (clientssl != NULL)
4242 SSL_shutdown(clientssl);
4243 if (serverssl != NULL)
4244 SSL_shutdown(serverssl);
4245 SSL_free(serverssl);
4246 SSL_free(clientssl);
4247 SSL_CTX_free(sctx);
4248 SSL_CTX_free(cctx);
4249 return testresult;
4250}
4251
710756a9
RS		 4252/*
4253 * Test that a server that doesn't try to read early data can handle a
4254 * client sending some.
4255 */
3cb47b4e 4256static int test_early_data_not_expected(int idx)
5f982038
MC		 4257{
4258 SSL_CTX *cctx = NULL, *sctx = NULL;
4259 SSL *clientssl = NULL, *serverssl = NULL;
4260 int testresult = 0;
018fcbec 4261 SSL_SESSION *sess = NULL;
5f982038
MC		 4262 unsigned char buf[20];
4263 size_t readbytes, written;
4264
710756a9
RS		 4265 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4266 &serverssl, &sess, idx)))
5f982038
MC		 4267 goto end;
4268
4269 /* Write some early data */
710756a9
RS		 4270 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4271 &written)))
5f982038 4272 goto end;
5f982038
MC		 4273
4274 /*
4275 * Server should skip over early data and then block waiting for client to
4276 * continue handshake
4277 */
710756a9
RS		 4278 if (!TEST_int_le(SSL_accept(serverssl), 0)
4279 || !TEST_int_gt(SSL_connect(clientssl), 0)
4280 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4281 SSL_EARLY_DATA_REJECTED)
4282 || !TEST_int_gt(SSL_accept(serverssl), 0)
4283 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4284 SSL_EARLY_DATA_REJECTED))
5f982038 4285 goto end;
5f982038
MC		 4286
4287 /* Send some normal data from client to server */
710756a9
RS		 4288 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4289 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4290 goto end;
5f982038 4291
710756a9
RS		 4292 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4293 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4294 goto end;
5f982038
MC		 4295
4296 testresult = 1;
4297
4298 end:
5f982038 4299 SSL_SESSION_free(sess);
c20e3b28 4300 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4301 SSL_SESSION_free(serverpsk);
4302 clientpsk = serverpsk = NULL;
5f982038
MC		 4303 SSL_free(serverssl);
4304 SSL_free(clientssl);
4305 SSL_CTX_free(sctx);
4306 SSL_CTX_free(cctx);
5f982038
MC		 4307 return testresult;
4308}
4309
4310
4311# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4312/*
4313 * Test that a server attempting to read early data can handle a connection
4314 * from a TLSv1.2 client.
4315 */
3cb47b4e 4316static int test_early_data_tls1_2(int idx)
5f982038
MC		 4317{
4318 SSL_CTX *cctx = NULL, *sctx = NULL;
4319 SSL *clientssl = NULL, *serverssl = NULL;
4320 int testresult = 0;
4321 unsigned char buf[20];
4322 size_t readbytes, written;
4323
02a3ed5a
MC		 4324 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4325 &serverssl, NULL, idx)))
5f982038 4326 goto end;
5f982038
MC		 4327
4328 /* Write some data - should block due to handshake with server */
4329 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4330 SSL_set_connect_state(clientssl);
710756a9 4331 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4332 goto end;
5f982038
MC		 4333
4334 /*
4335 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4336 * messages from client after ServerDone. Then SSL_read_early_data should
4337 * finish and detect that early data has not been sent
5f982038 4338 */
710756a9
RS		 4339 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4340 &readbytes),
4341 SSL_READ_EARLY_DATA_ERROR))
5f982038 4342 goto end;
5f982038
MC		 4343
4344 /*
4345 * Continue writing the message we started earlier. Will still block waiting
4346 * for the CCS/Finished from server
4347 */
710756a9
RS		 4348 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4349 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4350 &readbytes),
4351 SSL_READ_EARLY_DATA_FINISH)
4352 || !TEST_size_t_eq(readbytes, 0)
4353 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4354 SSL_EARLY_DATA_NOT_SENT))
5f982038 4355 goto end;
5f982038
MC		 4356
4357 /* Continue writing the message we started earlier */
710756a9
RS		 4358 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4359 || !TEST_size_t_eq(written, strlen(MSG1))
4360 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4361 SSL_EARLY_DATA_NOT_SENT)
4362 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4363 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4364 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4365 || !TEST_size_t_eq(written, strlen(MSG2))
4366 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4367 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4368 goto end;
5f982038
MC		 4369
4370 testresult = 1;
4371
4372 end:
57dee9bb
MC		 4373 SSL_SESSION_free(clientpsk);
4374 SSL_SESSION_free(serverpsk);
4375 clientpsk = serverpsk = NULL;
5f982038
MC		 4376 SSL_free(serverssl);
4377 SSL_free(clientssl);
4378 SSL_CTX_free(sctx);
4379 SSL_CTX_free(cctx);
4380
4381 return testresult;
4382}
ca0413ae
MC		 4383# endif /* OPENSSL_NO_TLS1_2 */
4384
034cb87b
MC		 4385/*
4386 * Test configuring the TLSv1.3 ciphersuites
4387 *
4388 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4389 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4390 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4391 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4392 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4393 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4394 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4395 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4396 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4397 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4398 */
4399static int test_set_ciphersuite(int idx)
4400{
4401 SSL_CTX *cctx = NULL, *sctx = NULL;
4402 SSL *clientssl = NULL, *serverssl = NULL;
4403 int testresult = 0;
4404
5e30f2fd
MC		 4405 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4406 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4407 &sctx, &cctx, cert, privkey))
4408 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4409 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4410 goto end;
4411
4412 if (idx >=4 && idx <= 7) {
4413 /* SSL_CTX explicit cipher list */
4414 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4415 goto end;
4416 }
4417
4418 if (idx == 0 || idx == 4) {
4419 /* Default ciphersuite */
4420 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4421 "TLS_AES_128_GCM_SHA256")))
4422 goto end;
4423 } else if (idx == 1 || idx == 5) {
4424 /* Non default ciphersuite */
4425 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4426 "TLS_AES_128_CCM_SHA256")))
4427 goto end;
4428 }
4429
4430 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4431 &clientssl, NULL, NULL)))
4432 goto end;
4433
4434 if (idx == 8 || idx == 9) {
4435 /* SSL explicit cipher list */
4436 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4437 goto end;
4438 }
4439
4440 if (idx == 2 || idx == 6 || idx == 8) {
4441 /* Default ciphersuite */
4442 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4443 "TLS_AES_128_GCM_SHA256")))
4444 goto end;
4445 } else if (idx == 3 || idx == 7 || idx == 9) {
4446 /* Non default ciphersuite */
4447 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4448 "TLS_AES_128_CCM_SHA256")))
4449 goto end;
4450 }
4451
4452 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4453 goto end;
4454
4455 testresult = 1;
4456
4457 end:
4458 SSL_free(serverssl);
4459 SSL_free(clientssl);
4460 SSL_CTX_free(sctx);
4461 SSL_CTX_free(cctx);
4462
4463 return testresult;
4464}
4465
ca0413ae
MC		 4466static int test_ciphersuite_change(void)
4467{
4468 SSL_CTX *cctx = NULL, *sctx = NULL;
4469 SSL *clientssl = NULL, *serverssl = NULL;
4470 SSL_SESSION *clntsess = NULL;
4471 int testresult = 0;
4472 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4473
4474 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4475 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4476 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4477 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4478 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4479 "TLS_AES_128_GCM_SHA256:"
4480 "TLS_AES_256_GCM_SHA384:"
4481 "TLS_AES_128_CCM_SHA256"))
f865b081 4482 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4483 "TLS_AES_128_GCM_SHA256")))
4484 goto end;
4485
4486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4487 NULL, NULL))
ca0413ae
MC		 4488 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4489 SSL_ERROR_NONE)))
4490 goto end;
4491
4492 clntsess = SSL_get1_session(clientssl);
4493 /* Save for later */
4494 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4495 SSL_shutdown(clientssl);
4496 SSL_shutdown(serverssl);
4497 SSL_free(serverssl);
4498 SSL_free(clientssl);
4499 serverssl = clientssl = NULL;
4500
4501 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4502 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4503 "TLS_AES_128_CCM_SHA256"))
4504 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4505 &clientssl, NULL, NULL))
ca0413ae
MC		 4506 || !TEST_true(SSL_set_session(clientssl, clntsess))
4507 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4508 SSL_ERROR_NONE))
4509 || !TEST_true(SSL_session_reused(clientssl)))
4510 goto end;
4511
4512 SSL_SESSION_free(clntsess);
4513 clntsess = SSL_get1_session(clientssl);
4514 SSL_shutdown(clientssl);
4515 SSL_shutdown(serverssl);
4516 SSL_free(serverssl);
4517 SSL_free(clientssl);
4518 serverssl = clientssl = NULL;
4519
4520 /*
4521 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4522 * succeeds but does not resume.
ca0413ae 4523 */
f865b081 4524 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4525 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4526 NULL, NULL))
4527 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4529 SSL_ERROR_SSL))
0de6d66d 4530 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4531 goto end;
4532
4533 SSL_SESSION_free(clntsess);
4534 clntsess = NULL;
4535 SSL_shutdown(clientssl);
4536 SSL_shutdown(serverssl);
4537 SSL_free(serverssl);
4538 SSL_free(clientssl);
4539 serverssl = clientssl = NULL;
4540
4541 /* Create a session based on SHA384 */
f865b081 4542 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4543 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4544 &clientssl, NULL, NULL))
4545 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4546 SSL_ERROR_NONE)))
4547 goto end;
4548
4549 clntsess = SSL_get1_session(clientssl);
4550 SSL_shutdown(clientssl);
4551 SSL_shutdown(serverssl);
4552 SSL_free(serverssl);
4553 SSL_free(clientssl);
4554 serverssl = clientssl = NULL;
4555
f865b081
MC		 4556 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4557 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4558 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4559 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4560 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4561 NULL, NULL))
4562 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4563 /*
4564 * We use SSL_ERROR_WANT_READ below so that we can pause the
4565 * connection after the initial ClientHello has been sent to
4566 * enable us to make some session changes.
4567 */
ca0413ae
MC		 4568 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4569 SSL_ERROR_WANT_READ)))
4570 goto end;
4571
4572 /* Trick the client into thinking this session is for a different digest */
4573 clntsess->cipher = aes_128_gcm_sha256;
4574 clntsess->cipher_id = clntsess->cipher->id;
4575
4576 /*
3b0e88d3
MC		 4577 * Continue the previously started connection. Server has selected a SHA-384
4578 * ciphersuite, but client thinks the session is for SHA-256, so it should
4579 * bail out.
ca0413ae
MC		 4580 */
4581 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4582 SSL_ERROR_SSL))
4583 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4584 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4585 goto end;
4586
4587 testresult = 1;
4588
4589 end:
4590 SSL_SESSION_free(clntsess);
4591 SSL_free(serverssl);
4592 SSL_free(clientssl);
4593 SSL_CTX_free(sctx);
4594 SSL_CTX_free(cctx);
4595
4596 return testresult;
4597}
4598
8e63900a 4599/*
5bf2eade 4600 * Test TLSv1.3 Key exchange
4601 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4602 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4603 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4604 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4605 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4606 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4607 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4608 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4609 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4610 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4611 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4612 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4613 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4614 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4615 */
f89d3d69
BK		 4616# ifndef OPENSSL_NO_EC
4617static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4618 NID_secp521r1, NID_X25519, NID_X448};
4619# endif
4620# ifndef OPENSSL_NO_DH
4621static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4622 NID_ffdhe6144, NID_ffdhe8192};
4623# endif
db26ec80 4624static int test_key_exchange(int idx)
8e63900a 4625{
4626 SSL_CTX *sctx = NULL, *cctx = NULL;
4627 SSL *serverssl = NULL, *clientssl = NULL;
4628 int testresult = 0;
fb8c6db4 4629 int kexch_alg;
4630 int *kexch_groups = &kexch_alg;
4631 int kexch_groups_size = 1;
8e63900a 4632 int max_version = TLS1_3_VERSION;
becbacd7 4633 char *kexch_name0 = NULL;
8e63900a 4634
4635 switch (idx) {
5bf2eade 4636# ifndef OPENSSL_NO_EC
db26ec80 4637# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4638 case 12:
fb8c6db4 4639 max_version = TLS1_2_VERSION;
db26ec80 4640# endif
fb8c6db4 4641 /* Fall through */
4642 case 0:
4643 kexch_groups = ecdhe_kexch_groups;
4644 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4645 kexch_name0 = "secp256r1";
fb8c6db4 4646 break;
5bf2eade 4647 case 1:
fb8c6db4 4648 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4649 kexch_name0 = "secp256r1";
fb8c6db4 4650 break;
5bf2eade 4651 case 2:
fb8c6db4 4652 kexch_alg = NID_secp384r1;
becbacd7 4653 kexch_name0 = "secp384r1";
fb8c6db4 4654 break;
5bf2eade 4655 case 3:
fb8c6db4 4656 kexch_alg = NID_secp521r1;
becbacd7 4657 kexch_name0 = "secp521r1";
fb8c6db4 4658 break;
5bf2eade 4659 case 4:
fb8c6db4 4660 kexch_alg = NID_X25519;
becbacd7 4661 kexch_name0 = "x25519";
fb8c6db4 4662 break;
5bf2eade 4663 case 5:
fb8c6db4 4664 kexch_alg = NID_X448;
becbacd7 4665 kexch_name0 = "x448";
fb8c6db4 4666 break;
5bf2eade 4667# endif
4668# ifndef OPENSSL_NO_DH
db26ec80 4669# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4670 case 13:
dbc6268f 4671 max_version = TLS1_2_VERSION;
becbacd7 4672 kexch_name0 = "ffdhe2048";
db26ec80 4673# endif
dbc6268f 4674 /* Fall through */
5bf2eade 4675 case 6:
8e63900a 4676 kexch_groups = ffdhe_kexch_groups;
4677 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4678 kexch_name0 = "ffdhe2048";
8e63900a 4679 break;
5bf2eade 4680 case 7:
fb8c6db4 4681 kexch_alg = NID_ffdhe2048;
becbacd7 4682 kexch_name0 = "ffdhe2048";
fb8c6db4 4683 break;
5bf2eade 4684 case 8:
fb8c6db4 4685 kexch_alg = NID_ffdhe3072;
becbacd7 4686 kexch_name0 = "ffdhe3072";
fb8c6db4 4687 break;
5bf2eade 4688 case 9:
fb8c6db4 4689 kexch_alg = NID_ffdhe4096;
becbacd7 4690 kexch_name0 = "ffdhe4096";
fb8c6db4 4691 break;
5bf2eade 4692 case 10:
fb8c6db4 4693 kexch_alg = NID_ffdhe6144;
becbacd7 4694 kexch_name0 = "ffdhe6144";
fb8c6db4 4695 break;
5bf2eade 4696 case 11:
fb8c6db4 4697 kexch_alg = NID_ffdhe8192;
becbacd7 4698 kexch_name0 = "ffdhe8192";
8e63900a 4699 break;
5bf2eade 4700# endif
6597d62b
MC		 4701 default:
4702 /* We're skipping this test */
4703 return 1;
8e63900a 4704 }
4705
5e30f2fd
MC		 4706 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4707 TLS_client_method(), TLS1_VERSION,
4708 max_version, &sctx, &cctx, cert,
4709 privkey)))
8e63900a 4710 goto end;
4711
5bf2eade 4712 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4713 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4714 goto end;
4715
5bf2eade 4716 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4717 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4718 goto end;
4719
5bf2eade 4720 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4721 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4722 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4723 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4724 goto end;
4725
dbc6268f
MC		 4726 /*
4727 * Must include an EC ciphersuite so that we send supported groups in
4728 * TLSv1.2
4729 */
5bf2eade 4730# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4731 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4732 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4733 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4734 goto end;
5bf2eade 4735# endif
8e63900a 4736
4737 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4738 NULL, NULL)))
4739 goto end;
4740
4741 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4742 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4743 goto end;
4744
5bf2eade 4745 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4746 goto end;
8e63900a 4747
dbc6268f 4748 /*
5bf2eade 4749 * If Handshake succeeds the negotiated kexch alg should be the first one in
4750 * configured, except in the case of FFDHE groups (idx 13), which are
4751 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4752 */
4753 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4754 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4755 goto end;
becbacd7
MB		 4756
4757 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4758 kexch_name0))
4759 goto end;
4760
75d48520
BK		 4761 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4762 if (idx != 13) {
fb8c6db4 4763 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4764 goto end;
4765 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4766 goto end;
4767 }
8e63900a 4768
4769 testresult = 1;
4770 end:
4771 SSL_free(serverssl);
4772 SSL_free(clientssl);
4773 SSL_CTX_free(sctx);
4774 SSL_CTX_free(cctx);
4775 return testresult;
4776}
4777
c9cddf05
P		 4778# if !defined(OPENSSL_NO_TLS1_2) \
4779 && !defined(OPENSSL_NO_EC) \
4780 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4781static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4782 int isecdhe, int idx)
4783{
4784 int kexch_alg;
4785 int *kexch_groups = &kexch_alg;
4786 int numec, numff;
4787
4788 numec = OSSL_NELEM(ecdhe_kexch_groups);
4789 numff = OSSL_NELEM(ffdhe_kexch_groups);
4790 if (isecdhe)
4791 kexch_alg = ecdhe_kexch_groups[idx];
4792 else
4793 kexch_alg = ffdhe_kexch_groups[idx];
4794
4795 if (clientmulti) {
4796 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4797 return 0;
4798 if (isecdhe) {
4799 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4800 numec)))
4801 return 0;
4802 } else {
4803 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4804 numff)))
4805 return 0;
4806 }
4807 } else {
4808 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4809 return 0;
4810 if (isecdhe) {
4811 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4812 numec)))
4813 return 0;
4814 } else {
4815 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4816 numff)))
4817 return 0;
4818 }
4819 }
4820 return 1;
4821}
4822
4823/*-
4824 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4825 * Run through both the ECDHE and FFDHE group lists used in the previous
4826 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4827 * confirming the expected result; then perform a resumption handshake
4828 * while offering the same group list, and another resumption handshake
4829 * offering a different group list. The returned value should be the
4830 * negotiated group for the initial handshake; for TLS 1.3 resumption
4831 * handshakes the returned value will be negotiated on the resumption
4832 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4833 * be cached in the session from the original handshake, regardless of what
4834 * was offered in the resumption ClientHello.
4835 *
4836 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 4837 * E tests of ECDHE with TLS 1.3, server only has one group
4838 * F tests of FFDHE with TLS 1.3, server only has one group
4839 * E tests of ECDHE with TLS 1.2, server only has one group
4840 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 4841 * E tests of ECDHE with TLS 1.3, client sends only one group
4842 * F tests of FFDHE with TLS 1.3, client sends only one group
4843 * E tests of ECDHE with TLS 1.2, client sends only one group
4844 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 4845 */
4846static int test_negotiated_group(int idx)
4847{
4848 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4849 int expectednid;
4850 SSL_CTX *sctx = NULL, *cctx = NULL;
4851 SSL *serverssl = NULL, *clientssl = NULL;
4852 SSL_SESSION *origsess = NULL;
4853 int testresult = 0;
4854 int kexch_alg;
4855 int max_version = TLS1_3_VERSION;
4856
4857 numec = OSSL_NELEM(ecdhe_kexch_groups);
4858 numff = OSSL_NELEM(ffdhe_kexch_groups);
4859 numgroups = numec + numff;
4860 clientmulti = (idx < 2 * numgroups);
4861 idx = idx % (2 * numgroups);
4862 istls13 = (idx < numgroups);
4863 idx = idx % numgroups;
4864 isecdhe = (idx < numec);
4865 if (!isecdhe)
4866 idx -= numec;
4867 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4868 if (isecdhe)
4869 kexch_alg = ecdhe_kexch_groups[idx];
4870 else
4871 kexch_alg = ffdhe_kexch_groups[idx];
4872 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4873 if (!istls13 && !isecdhe)
4874 expectednid = NID_undef;
4875 else
4876 expectednid = kexch_alg;
4877
4878 if (!istls13)
4879 max_version = TLS1_2_VERSION;
4880
4881 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4882 TLS_client_method(), TLS1_VERSION,
4883 max_version, &sctx, &cctx, cert,
4884 privkey)))
4885 goto end;
4886
4887 /*
4888 * Force (EC)DHE ciphers for TLS 1.2.
4889 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4890 */
4891 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4892 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4893 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4894 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4895 goto end;
4896 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4897 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4898 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4899 goto end;
4900
4901 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4902 NULL, NULL)))
4903 goto end;
4904
4905 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4906 idx)))
4907 goto end;
4908
4909 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4910 goto end;
4911
4912 /* Initial handshake; always the configured one */
4913 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4914 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4915 goto end;
4916
4917 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4918 goto end;
4919
4920 SSL_shutdown(clientssl);
4921 SSL_shutdown(serverssl);
4922 SSL_free(serverssl);
4923 SSL_free(clientssl);
4924 serverssl = clientssl = NULL;
4925
4926 /* First resumption attempt; use the same config as initial handshake */
4927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4928 NULL, NULL))
4929 || !TEST_true(SSL_set_session(clientssl, origsess))
4930 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4931 isecdhe, idx)))
4932 goto end;
4933
4934 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4935 || !TEST_true(SSL_session_reused(clientssl)))
4936 goto end;
4937
4938 /* Still had better agree, since nothing changed... */
4939 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4940 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4941 goto end;
4942
4943 SSL_shutdown(clientssl);
4944 SSL_shutdown(serverssl);
4945 SSL_free(serverssl);
4946 SSL_free(clientssl);
4947 serverssl = clientssl = NULL;
4948
4949 /*-
4950 * Second resumption attempt
4951 * The party that picks one group changes it, which we effectuate by
4952 * changing 'idx' and updating what we expect.
4953 */
4954 if (idx == 0)
4955 idx = 1;
4956 else
4957 idx--;
4958 if (istls13) {
4959 if (isecdhe)
4960 expectednid = ecdhe_kexch_groups[idx];
4961 else
4962 expectednid = ffdhe_kexch_groups[idx];
4963 /* Verify that we are changing what we expect. */
4964 if (!TEST_int_ne(expectednid, kexch_alg))
4965 goto end;
4966 } else {
4967 /* TLS 1.2 only supports named groups for ECDHE. */
4968 if (isecdhe)
4969 expectednid = kexch_alg;
4970 else
4971 expectednid = 0;
4972 }
4973 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4974 NULL, NULL))
4975 || !TEST_true(SSL_set_session(clientssl, origsess))
4976 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4977 isecdhe, idx)))
4978 goto end;
4979
4980 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4981 || !TEST_true(SSL_session_reused(clientssl)))
4982 goto end;
4983
4984 /* Check that we get what we expected */
4985 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4986 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4987 goto end;
4988
4989 testresult = 1;
4990 end:
4991 SSL_free(serverssl);
4992 SSL_free(clientssl);
4993 SSL_CTX_free(sctx);
4994 SSL_CTX_free(cctx);
4995 SSL_SESSION_free(origsess);
4996 return testresult;
4997}
4998# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4999
5bf2eade 5000/*
5001 * Test TLSv1.3 Cipher Suite
5002 * Test 0 = Set TLS1.3 cipher on context
5003 * Test 1 = Set TLS1.3 cipher on SSL
5004 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5005 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5006 */
5007static int test_tls13_ciphersuite(int idx)
5008{
5009 SSL_CTX *sctx = NULL, *cctx = NULL;
5010 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5011 static const struct {
5012 const char *ciphername;
5013 int fipscapable;
e0710222 5014 int low_security;
4f6c7044 5015 } t13_ciphers[] = {
e0710222
P		 5016 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5017 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5018 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5019# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5020 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5021 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5022 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5023# endif
e0710222
P		 5024 /* CCM8 ciphers are considered low security due to their short tag */
5025 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5026 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5027 };
5028 const char *t13_cipher = NULL;
5029 const char *t12_cipher = NULL;
5030 const char *negotiated_scipher;
5031 const char *negotiated_ccipher;
5032 int set_at_ctx = 0;
5033 int set_at_ssl = 0;
5034 int testresult = 0;
5035 int max_ver;
5036 size_t i;
5037
5038 switch (idx) {
5039 case 0:
5040 set_at_ctx = 1;
5041 break;
5042 case 1:
5043 set_at_ssl = 1;
5044 break;
5045 case 2:
5046 set_at_ctx = 1;
2d900758 5047 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5048 break;
5049 case 3:
5050 set_at_ssl = 1;
2d900758 5051 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5052 break;
5053 }
5054
5055 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5056# ifdef OPENSSL_NO_TLS1_2
5057 if (max_ver == TLS1_2_VERSION)
5058 continue;
5059# endif
5060 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5061 if (is_fips && !t13_ciphers[i].fipscapable)
5062 continue;
5063 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5064 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5065 TLS_client_method(),
5066 TLS1_VERSION, max_ver,
5067 &sctx, &cctx, cert, privkey)))
5068 goto end;
5069
e0710222
P		 5070 if (t13_ciphers[i].low_security) {
5071 SSL_CTX_set_security_level(sctx, 0);
5072 SSL_CTX_set_security_level(cctx, 0);
5073 }
5074
5bf2eade 5075 if (set_at_ctx) {
5076 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5077 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5078 goto end;
5079 if (t12_cipher != NULL) {
5080 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5081 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5082 t12_cipher)))
5083 goto end;
5084 }
5085 }
5086
5087 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5088 &clientssl, NULL, NULL)))
5089 goto end;
5090
5091 if (set_at_ssl) {
5092 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5093 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5094 goto end;
5095 if (t12_cipher != NULL) {
5096 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5097 || !TEST_true(SSL_set_cipher_list(clientssl,
5098 t12_cipher)))
5099 goto end;
5100 }
5101 }
5102
5103 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5104 SSL_ERROR_NONE)))
5105 goto end;
5106
5107 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5108 serverssl));
5109 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5110 clientssl));
5111 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5112 goto end;
5113
5114 /*
5115 * TEST_strn_eq is used below because t13_cipher can contain
5116 * multiple ciphersuites
5117 */
5118 if (max_ver == TLS1_3_VERSION
5119 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5120 strlen(negotiated_scipher)))
5121 goto end;
5122
5123# ifndef OPENSSL_NO_TLS1_2
5124 /* Below validation is not done when t12_cipher is NULL */
5125 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5126 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5127 goto end;
5128# endif
5129
5130 SSL_free(serverssl);
5131 serverssl = NULL;
5132 SSL_free(clientssl);
5133 clientssl = NULL;
5134 SSL_CTX_free(sctx);
5135 sctx = NULL;
5136 SSL_CTX_free(cctx);
5137 cctx = NULL;
5138 }
5139 }
5140
5141 testresult = 1;
5142 end:
5143 SSL_free(serverssl);
5144 SSL_free(clientssl);
5145 SSL_CTX_free(sctx);
5146 SSL_CTX_free(cctx);
5147 return testresult;
5148}
5149
0d8da779
MC		 5150/*
5151 * Test TLSv1.3 PSKs
5152 * Test 0 = Test new style callbacks
5153 * Test 1 = Test both new and old style callbacks
5154 * Test 2 = Test old style callbacks
5155 * Test 3 = Test old style callbacks with no certificate
5156 */
532f9578 5157static int test_tls13_psk(int idx)
ca8c71ba
MC		 5158{
5159 SSL_CTX *sctx = NULL, *cctx = NULL;
5160 SSL *serverssl = NULL, *clientssl = NULL;
5161 const SSL_CIPHER *cipher = NULL;
5162 const unsigned char key[] = {
5163 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5164 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5165 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5166 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5167 };
5168 int testresult = 0;
5169
5e30f2fd
MC		 5170 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5171 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5172 &sctx, &cctx, idx == 3 ? NULL : cert,
5173 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5174 goto end;
5175
0d8da779
MC		 5176 if (idx != 3) {
5177 /*
5178 * We use a ciphersuite with SHA256 to ease testing old style PSK
5179 * callbacks which will always default to SHA256. This should not be
5180 * necessary if we have no cert/priv key. In that case the server should
5181 * prefer SHA256 automatically.
5182 */
5183 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5184 "TLS_AES_128_GCM_SHA256")))
5185 goto end;
4f6c7044
MC		 5186 } else {
5187 /*
5188 * As noted above the server should prefer SHA256 automatically. However
5189 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5190 * code works even if we are testing with only the FIPS provider loaded.
5191 */
5192 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5193 "TLS_AES_256_GCM_SHA384:"
5194 "TLS_AES_128_GCM_SHA256")))
5195 goto end;
0d8da779 5196 }
532f9578
MC		 5197
5198 /*
5199 * Test 0: New style callbacks only
5200 * Test 1: New and old style callbacks (only the new ones should be used)
5201 * Test 2: Old style callbacks only
5202 */
5203 if (idx == 0 || idx == 1) {
5204 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5205 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5206 }
c2b290c3 5207#ifndef OPENSSL_NO_PSK
0d8da779 5208 if (idx >= 1) {
532f9578
MC		 5209 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5210 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5211 }
c2b290c3 5212#endif
ca8c71ba 5213 srvid = pskid;
02a3ed5a
MC		 5214 use_session_cb_cnt = 0;
5215 find_session_cb_cnt = 0;
532f9578
MC		 5216 psk_client_cb_cnt = 0;
5217 psk_server_cb_cnt = 0;
ca8c71ba 5218
0d8da779
MC		 5219 if (idx != 3) {
5220 /*
5221 * Check we can create a connection if callback decides not to send a
5222 * PSK
5223 */
5224 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5225 NULL, NULL))
5226 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5227 SSL_ERROR_NONE))
5228 || !TEST_false(SSL_session_reused(clientssl))
5229 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5230 goto end;
532f9578 5231
0d8da779
MC		 5232 if (idx == 0 || idx == 1) {
5233 if (!TEST_true(use_session_cb_cnt == 1)
5234 || !TEST_true(find_session_cb_cnt == 0)
5235 /*
5236 * If no old style callback then below should be 0
5237 * otherwise 1
5238 */
5239 || !TEST_true(psk_client_cb_cnt == idx)
5240 || !TEST_true(psk_server_cb_cnt == 0))
5241 goto end;
5242 } else {
5243 if (!TEST_true(use_session_cb_cnt == 0)
5244 || !TEST_true(find_session_cb_cnt == 0)
5245 || !TEST_true(psk_client_cb_cnt == 1)
5246 || !TEST_true(psk_server_cb_cnt == 0))
5247 goto end;
5248 }
5249
5250 shutdown_ssl_connection(serverssl, clientssl);
5251 serverssl = clientssl = NULL;
5252 use_session_cb_cnt = psk_client_cb_cnt = 0;
5253 }
ca8c71ba
MC		 5254
5255 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5256 NULL, NULL)))
5257 goto end;
5258
5259 /* Create the PSK */
532f9578 5260 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5261 clientpsk = SSL_SESSION_new();
5262 if (!TEST_ptr(clientpsk)
ca8c71ba 5263 || !TEST_ptr(cipher)
57dee9bb
MC		 5264 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5265 sizeof(key)))
5266 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5267 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5268 TLS1_3_VERSION))
5269 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5270 goto end;
57dee9bb 5271 serverpsk = clientpsk;
ca8c71ba
MC		 5272
5273 /* Check we can create a connection and the PSK is used */
5274 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5275 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5276 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5277 goto end;
5278
532f9578
MC		 5279 if (idx == 0 || idx == 1) {
5280 if (!TEST_true(use_session_cb_cnt == 1)
5281 || !TEST_true(find_session_cb_cnt == 1)
5282 || !TEST_true(psk_client_cb_cnt == 0)
5283 || !TEST_true(psk_server_cb_cnt == 0))
5284 goto end;
5285 } else {
5286 if (!TEST_true(use_session_cb_cnt == 0)
5287 || !TEST_true(find_session_cb_cnt == 0)
5288 || !TEST_true(psk_client_cb_cnt == 1)
5289 || !TEST_true(psk_server_cb_cnt == 1))
5290 goto end;
5291 }
5292
ca8c71ba
MC		 5293 shutdown_ssl_connection(serverssl, clientssl);
5294 serverssl = clientssl = NULL;
5295 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5296 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5297
5298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5299 NULL, NULL)))
5300 goto end;
5301
5302 /* Force an HRR */
dbc6268f
MC		 5303#if defined(OPENSSL_NO_EC)
5304 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5305 goto end;
5306#else
ca8c71ba
MC		 5307 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5308 goto end;
dbc6268f 5309#endif
ca8c71ba
MC		 5310
5311 /*
5312 * Check we can create a connection, the PSK is used and the callbacks are
5313 * called twice.
5314 */
5315 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5316 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5317 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5318 goto end;
5319
532f9578
MC		 5320 if (idx == 0 || idx == 1) {
5321 if (!TEST_true(use_session_cb_cnt == 2)
5322 || !TEST_true(find_session_cb_cnt == 2)
5323 || !TEST_true(psk_client_cb_cnt == 0)
5324 || !TEST_true(psk_server_cb_cnt == 0))
5325 goto end;
5326 } else {
5327 if (!TEST_true(use_session_cb_cnt == 0)
5328 || !TEST_true(find_session_cb_cnt == 0)
5329 || !TEST_true(psk_client_cb_cnt == 2)
5330 || !TEST_true(psk_server_cb_cnt == 2))
5331 goto end;
5332 }
5333
ca8c71ba
MC		 5334 shutdown_ssl_connection(serverssl, clientssl);
5335 serverssl = clientssl = NULL;
5336 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5337 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5338
0d8da779
MC		 5339 if (idx != 3) {
5340 /*
5341 * Check that if the server rejects the PSK we can still connect, but with
5342 * a full handshake
5343 */
5344 srvid = "Dummy Identity";
5345 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5346 NULL, NULL))
5347 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5348 SSL_ERROR_NONE))
5349 || !TEST_false(SSL_session_reused(clientssl))
5350 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5351 goto end;
532f9578 5352
0d8da779
MC		 5353 if (idx == 0 || idx == 1) {
5354 if (!TEST_true(use_session_cb_cnt == 1)
5355 || !TEST_true(find_session_cb_cnt == 1)
5356 || !TEST_true(psk_client_cb_cnt == 0)
5357 /*
5358 * If no old style callback then below should be 0
5359 * otherwise 1
5360 */
5361 || !TEST_true(psk_server_cb_cnt == idx))
5362 goto end;
5363 } else {
5364 if (!TEST_true(use_session_cb_cnt == 0)
5365 || !TEST_true(find_session_cb_cnt == 0)
5366 || !TEST_true(psk_client_cb_cnt == 1)
5367 || !TEST_true(psk_server_cb_cnt == 1))
5368 goto end;
5369 }
5370
5371 shutdown_ssl_connection(serverssl, clientssl);
5372 serverssl = clientssl = NULL;
5373 }
ca8c71ba
MC		 5374 testresult = 1;
5375
5376 end:
57dee9bb
MC		 5377 SSL_SESSION_free(clientpsk);
5378 SSL_SESSION_free(serverpsk);
5379 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5380 SSL_free(serverssl);
5381 SSL_free(clientssl);
5382 SSL_CTX_free(sctx);
5383 SSL_CTX_free(cctx);
5384 return testresult;
5385}
5386
c7b8ff25
MC		 5387static unsigned char cookie_magic_value[] = "cookie magic";
5388
5389static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5390 unsigned int *cookie_len)
5391{
5392 /*
5393 * Not suitable as a real cookie generation function but good enough for
5394 * testing!
5395 */
97ea1e7f
MC		 5396 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5397 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5398
5399 return 1;
5400}
5401
5402static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5403 unsigned int cookie_len)
5404{
97ea1e7f 5405 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5406 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5407 return 1;
5408
5409 return 0;
5410}
5411
3fa2812f
BS		 5412static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5413 size_t *cookie_len)
5414{
5415 unsigned int temp;
5416 int res = generate_cookie_callback(ssl, cookie, &temp);
5417 *cookie_len = temp;
5418 return res;
5419}
5420
5421static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5422 size_t cookie_len)
5423{
5424 return verify_cookie_callback(ssl, cookie, cookie_len);
5425}
5426
c7b8ff25
MC		 5427static int test_stateless(void)
5428{
5429 SSL_CTX *sctx = NULL, *cctx = NULL;
5430 SSL *serverssl = NULL, *clientssl = NULL;
5431 int testresult = 0;
5432
5e30f2fd
MC		 5433 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5434 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5435 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5436 goto end;
5437
e440f513
MC		 5438 /* The arrival of CCS messages can confuse the test */
5439 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5440
5441 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5442 NULL, NULL))
5443 /* Send the first ClientHello */
5444 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5445 SSL_ERROR_WANT_READ))
5446 /*
5447 * This should fail with a -1 return because we have no callbacks
5448 * set up
5449 */
5450 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5451 goto end;
5452
5453 /* Fatal error so abandon the connection from this client */
5454 SSL_free(clientssl);
5455 clientssl = NULL;
5456
c7b8ff25 5457 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5458 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5459 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5460
e440f513
MC		 5461 /*
5462 * Create a new connection from the client (we can reuse the server SSL
5463 * object).
5464 */
c7b8ff25
MC		 5465 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5466 NULL, NULL))
5467 /* Send the first ClientHello */
5468 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5469 SSL_ERROR_WANT_READ))
5470 /* This should fail because there is no cookie */
e440f513 5471 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5472 goto end;
5473
5474 /* Abandon the connection from this client */
5475 SSL_free(clientssl);
5476 clientssl = NULL;
5477
5478 /*
5479 * Now create a connection from a new client but with the same server SSL
5480 * object
5481 */
5482 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5483 NULL, NULL))
5484 /* Send the first ClientHello */
5485 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5486 SSL_ERROR_WANT_READ))
5487 /* This should fail because there is no cookie */
e440f513 5488 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5489 /* Send the second ClientHello */
5490 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5491 SSL_ERROR_WANT_READ))
5492 /* This should succeed because a cookie is now present */
e440f513 5493 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5494 /* Complete the connection */
5495 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5496 SSL_ERROR_NONE)))
5497 goto end;
5498
5499 shutdown_ssl_connection(serverssl, clientssl);
5500 serverssl = clientssl = NULL;
5501 testresult = 1;
5502
5503 end:
5504 SSL_free(serverssl);
5505 SSL_free(clientssl);
5506 SSL_CTX_free(sctx);
5507 SSL_CTX_free(cctx);
5508 return testresult;
5509
5510}
a763ca11 5511#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5512
a37008d9
MC		 5513static int clntaddoldcb = 0;
5514static int clntparseoldcb = 0;
5515static int srvaddoldcb = 0;
5516static int srvparseoldcb = 0;
5517static int clntaddnewcb = 0;
5518static int clntparsenewcb = 0;
5519static int srvaddnewcb = 0;
5520static int srvparsenewcb = 0;
bb01ef3f 5521static int snicb = 0;
a37008d9
MC		 5522
5523#define TEST_EXT_TYPE1 0xff00
5524
5525static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5526 size_t *outlen, int *al, void *add_arg)
5527{
5528 int *server = (int *)add_arg;
5529 unsigned char *data;
5530
5531 if (SSL_is_server(s))
5532 srvaddoldcb++;
5533 else
5534 clntaddoldcb++;
5535
710756a9
RS		 5536 if (*server != SSL_is_server(s)
5537 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5538 return -1;
5539
5540 *data = 1;
5541 *out = data;
5542 *outlen = sizeof(char);
a37008d9
MC		 5543 return 1;
5544}
5545
5546static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5547 void *add_arg)
5548{
5549 OPENSSL_free((unsigned char *)out);
5550}
5551
5552static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5553 size_t inlen, int *al, void *parse_arg)
5554{
5555 int *server = (int *)parse_arg;
5556
5557 if (SSL_is_server(s))
5558 srvparseoldcb++;
5559 else
5560 clntparseoldcb++;
5561
710756a9
RS		 5562 if (*server != SSL_is_server(s)
5563 || inlen != sizeof(char)
5564 || *in != 1)
a37008d9
MC		 5565 return -1;
5566
5567 return 1;
5568}
5569
5570static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5571 const unsigned char **out, size_t *outlen, X509 *x,
5572 size_t chainidx, int *al, void *add_arg)
5573{
5574 int *server = (int *)add_arg;
5575 unsigned char *data;
5576
5577 if (SSL_is_server(s))
5578 srvaddnewcb++;
5579 else
5580 clntaddnewcb++;
5581
710756a9
RS		 5582 if (*server != SSL_is_server(s)
5583 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5584 return -1;
5585
5586 *data = 1;
5587 *out = data;
710756a9 5588 *outlen = sizeof(*data);
a37008d9
MC		 5589 return 1;
5590}
5591
5592static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5593 const unsigned char *out, void *add_arg)
5594{
5595 OPENSSL_free((unsigned char *)out);
5596}
5597
5598static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5599 const unsigned char *in, size_t inlen, X509 *x,
5600 size_t chainidx, int *al, void *parse_arg)
5601{
5602 int *server = (int *)parse_arg;
5603
5604 if (SSL_is_server(s))
5605 srvparsenewcb++;
5606 else
5607 clntparsenewcb++;
5608
710756a9
RS		 5609 if (*server != SSL_is_server(s)
5610 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5611 return -1;
5612
5613 return 1;
5614}
bb01ef3f
MC		 5615
5616static int sni_cb(SSL *s, int *al, void *arg)
5617{
5618 SSL_CTX *ctx = (SSL_CTX *)arg;
5619
5620 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5621 *al = SSL_AD_INTERNAL_ERROR;
5622 return SSL_TLSEXT_ERR_ALERT_FATAL;
5623 }
5624 snicb++;
5625 return SSL_TLSEXT_ERR_OK;
5626}
5627
0db3a990
MC		 5628static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5629{
5630 return 1;
5631}
5632
a37008d9
MC		 5633/*
5634 * Custom call back tests.
5635 * Test 0: Old style callbacks in TLSv1.2
5636 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5637 * Test 2: New style callbacks in TLSv1.2 with SNI
5638 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5639 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5640 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 5641 */
710756a9
RS		 5642static int test_custom_exts(int tst)
5643{
bb01ef3f 5644 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5645 SSL *clientssl = NULL, *serverssl = NULL;
5646 int testresult = 0;
5647 static int server = 1;
5648 static int client = 0;
5649 SSL_SESSION *sess = NULL;
5650 unsigned int context;
5651
a763ca11 5652#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5653 /* Skip tests for TLSv1.2 and below in this case */
5654 if (tst < 3)
5655 return 1;
5656#endif
5657
a37008d9
MC		 5658 /* Reset callback counters */
5659 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5660 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5661 snicb = 0;
a37008d9 5662
5e30f2fd
MC		 5663 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5664 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5665 &sctx, &cctx, cert, privkey)))
710756a9 5666 goto end;
a37008d9 5667
bb01ef3f 5668 if (tst == 2
5e30f2fd 5669 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5670 TLS1_VERSION, 0,
7d7f6834 5671 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5672 goto end;
5673
5674
5675 if (tst < 3) {
a37008d9
MC		 5676 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5677 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5678 if (sctx2 != NULL)
5679 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5680 }
5681
0db3a990
MC		 5682 if (tst == 5) {
5683 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
5684 | SSL_EXT_TLS1_3_CERTIFICATE;
5685 SSL_CTX_set_verify(sctx,
5686 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
5687 verify_cb);
5688 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
5689 SSL_FILETYPE_PEM), 1)
5690 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
5691 SSL_FILETYPE_PEM), 1)
5692 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
5693 goto end;
5694 } else if (tst == 4) {
710756a9
RS		 5695 context = SSL_EXT_CLIENT_HELLO
5696 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5697 | SSL_EXT_TLS1_3_SERVER_HELLO
5698 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5699 | SSL_EXT_TLS1_3_CERTIFICATE
5700 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5701 } else {
710756a9
RS		 5702 context = SSL_EXT_CLIENT_HELLO
5703 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5704 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5705 }
5706
5707 /* Create a client side custom extension */
5708 if (tst == 0) {
710756a9
RS		 5709 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5710 old_add_cb, old_free_cb,
5711 &client, old_parse_cb,
5712 &client)))
5713 goto end;
a37008d9 5714 } else {
710756a9
RS		 5715 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5716 new_add_cb, new_free_cb,
5717 &client, new_parse_cb, &client)))
5718 goto end;
a37008d9
MC		 5719 }
5720
5721 /* Should not be able to add duplicates */
710756a9
RS		 5722 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5723 old_add_cb, old_free_cb,
5724 &client, old_parse_cb,
5725 &client))
5726 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5727 context, new_add_cb,
5728 new_free_cb, &client,
5729 new_parse_cb, &client)))
5730 goto end;
a37008d9
MC		 5731
5732 /* Create a server side custom extension */
5733 if (tst == 0) {
710756a9
RS		 5734 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5735 old_add_cb, old_free_cb,
5736 &server, old_parse_cb,
5737 &server)))
5738 goto end;
a37008d9 5739 } else {
710756a9
RS		 5740 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5741 new_add_cb, new_free_cb,
5742 &server, new_parse_cb, &server)))
5743 goto end;
bb01ef3f
MC		 5744 if (sctx2 != NULL
5745 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5746 context, new_add_cb,
5747 new_free_cb, &server,
5748 new_parse_cb, &server)))
5749 goto end;
a37008d9
MC		 5750 }
5751
5752 /* Should not be able to add duplicates */
710756a9
RS		 5753 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5754 old_add_cb, old_free_cb,
5755 &server, old_parse_cb,
5756 &server))
5757 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5758 context, new_add_cb,
5759 new_free_cb, &server,
5760 new_parse_cb, &server)))
a37008d9 5761 goto end;
a37008d9 5762
bb01ef3f
MC		 5763 if (tst == 2) {
5764 /* Set up SNI */
5765 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5766 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5767 goto end;
5768 }
5769
710756a9
RS		 5770 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5771 &clientssl, NULL, NULL))
5772 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5773 SSL_ERROR_NONE)))
a37008d9 5774 goto end;
a37008d9
MC		 5775
5776 if (tst == 0) {
710756a9
RS		 5777 if (clntaddoldcb != 1
5778 || clntparseoldcb != 1
5779 || srvaddoldcb != 1
5780 || srvparseoldcb != 1)
a37008d9 5781 goto end;
bb01ef3f 5782 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5783 if (clntaddnewcb != 1
5784 || clntparsenewcb != 1
5785 || srvaddnewcb != 1
bb01ef3f
MC		 5786 || srvparsenewcb != 1
5787 || (tst != 2 && snicb != 0)
5788 || (tst == 2 && snicb != 1))
a37008d9 5789 goto end;
0db3a990
MC		 5790 } else if (tst == 5) {
5791 if (clntaddnewcb != 1
5792 || clntparsenewcb != 1
5793 || srvaddnewcb != 1
5794 || srvparsenewcb != 1)
5795 goto end;
a37008d9 5796 } else {
36ff232c 5797 /* In this case there 2 NewSessionTicket messages created */
710756a9 5798 if (clntaddnewcb != 1
36ff232c
MC		 5799 || clntparsenewcb != 5
5800 || srvaddnewcb != 5
710756a9 5801 || srvparsenewcb != 1)
a37008d9 5802 goto end;
a37008d9
MC		 5803 }
5804
5805 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5806 SSL_shutdown(clientssl);
5807 SSL_shutdown(serverssl);
a37008d9
MC		 5808 SSL_free(serverssl);
5809 SSL_free(clientssl);
5810 serverssl = clientssl = NULL;
5811
0db3a990
MC		 5812 if (tst == 3 || tst == 5) {
5813 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 5814 testresult = 1;
5815 goto end;
5816 }
5817
710756a9
RS		 5818 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5819 NULL, NULL))
5820 || !TEST_true(SSL_set_session(clientssl, sess))
5821 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5822 SSL_ERROR_NONE)))
a37008d9 5823 goto end;
a37008d9
MC		 5824
5825 /*
5826 * For a resumed session we expect to add the ClientHello extension. For the
5827 * old style callbacks we ignore it on the server side because they set
5828 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5829 * them.
5830 */
5831 if (tst == 0) {
710756a9
RS		 5832 if (clntaddoldcb != 2
5833 || clntparseoldcb != 1
5834 || srvaddoldcb != 1
5835 || srvparseoldcb != 1)
a37008d9 5836 goto end;
bb01ef3f 5837 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5838 if (clntaddnewcb != 2
5839 || clntparsenewcb != 2
5840 || srvaddnewcb != 2
5841 || srvparsenewcb != 2)
a37008d9 5842 goto end;
a37008d9 5843 } else {
36ff232c
MC		 5844 /*
5845 * No Certificate message extensions in the resumption handshake,
5846 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5847 */
710756a9 5848 if (clntaddnewcb != 2
36ff232c
MC		 5849 || clntparsenewcb != 8
5850 || srvaddnewcb != 8
710756a9 5851 || srvparsenewcb != 2)
a37008d9 5852 goto end;
a37008d9
MC		 5853 }
5854
5855 testresult = 1;
5856
5857end:
5858 SSL_SESSION_free(sess);
5859 SSL_free(serverssl);
5860 SSL_free(clientssl);
bb01ef3f 5861 SSL_CTX_free(sctx2);
a37008d9
MC		 5862 SSL_CTX_free(sctx);
5863 SSL_CTX_free(cctx);
a37008d9
MC		 5864 return testresult;
5865}
5866
16afd71c
MC		 5867/*
5868 * Test loading of serverinfo data in various formats. test_sslmessages actually
5869 * tests to make sure the extensions appear in the handshake
5870 */
5871static int test_serverinfo(int tst)
5872{
5873 unsigned int version;
5874 unsigned char *sibuf;
5875 size_t sibuflen;
5876 int ret, expected, testresult = 0;
5877 SSL_CTX *ctx;
5878
d8652be0 5879 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5880 if (!TEST_ptr(ctx))
5881 goto end;
5882
5883 if ((tst & 0x01) == 0x01)
5884 version = SSL_SERVERINFOV2;
5885 else
5886 version = SSL_SERVERINFOV1;
5887
5888 if ((tst & 0x02) == 0x02) {
5889 sibuf = serverinfov2;
5890 sibuflen = sizeof(serverinfov2);
5891 expected = (version == SSL_SERVERINFOV2);
5892 } else {
5893 sibuf = serverinfov1;
5894 sibuflen = sizeof(serverinfov1);
5895 expected = (version == SSL_SERVERINFOV1);
5896 }
5897
5898 if ((tst & 0x04) == 0x04) {
5899 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5900 } else {
5901 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5902
5903 /*
5904 * The version variable is irrelevant in this case - it's what is in the
5905 * buffer that matters
5906 */
5907 if ((tst & 0x02) == 0x02)
5908 expected = 0;
5909 else
5910 expected = 1;
5911 }
5912
5913 if (!TEST_true(ret == expected))
5914 goto end;
5915
5916 testresult = 1;
5917
5918 end:
5919 SSL_CTX_free(ctx);
5920
5921 return testresult;
5922}
5923
2197d1df
MC		 5924/*
5925 * Test that SSL_export_keying_material() produces expected results. There are
5926 * no test vectors so all we do is test that both sides of the communication
5927 * produce the same results for different protocol versions.
5928 */
0fb2815b
MC		 5929#define SMALL_LABEL_LEN 10
5930#define LONG_LABEL_LEN 249
2197d1df
MC		 5931static int test_export_key_mat(int tst)
5932{
a599574b 5933 int testresult = 0;
2197d1df
MC		 5934 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5935 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5936 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5937 const unsigned char context[] = "context";
5938 const unsigned char *emptycontext = NULL;
5939 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5940 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5941 size_t labellen;
a599574b
MC		 5942 const int protocols[] = {
5943 TLS1_VERSION,
5944 TLS1_1_VERSION,
5945 TLS1_2_VERSION,
0fb2815b
MC		 5946 TLS1_3_VERSION,
5947 TLS1_3_VERSION,
a599574b
MC		 5948 TLS1_3_VERSION
5949 };
2197d1df
MC		 5950
5951#ifdef OPENSSL_NO_TLS1
5952 if (tst == 0)
5953 return 1;
5954#endif
5955#ifdef OPENSSL_NO_TLS1_1
5956 if (tst == 1)
5957 return 1;
5958#endif
4f6c7044
MC		 5959 if (is_fips && (tst == 0 || tst == 1))
5960 return 1;
2197d1df
MC		 5961#ifdef OPENSSL_NO_TLS1_2
5962 if (tst == 2)
5963 return 1;
5964#endif
a763ca11 5965#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5966 if (tst >= 3)
2197d1df
MC		 5967 return 1;
5968#endif
5e30f2fd
MC		 5969 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5970 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5971 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5972 goto end;
5973
a599574b
MC		 5974 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5975 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5976 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5977 if ((protocols[tst] < TLS1_2_VERSION) &&
5978 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5979 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5980 goto end;
2197d1df
MC		 5981
5982 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5983 NULL)))
5984 goto end;
5985
5986 /*
5987 * Premature call of SSL_export_keying_material should just fail.
5988 */
5989 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5990 sizeof(ckeymat1), label,
5991 SMALL_LABEL_LEN + 1, context,
5992 sizeof(context) - 1, 1), 0))
5993 goto end;
5994
5995 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5996 SSL_ERROR_NONE)))
2197d1df
MC		 5997 goto end;
5998
0fb2815b
MC		 5999 if (tst == 5) {
6000 /*
6001 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6002 * go over that.
6003 */
6004 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6005 sizeof(ckeymat1), label,
6006 LONG_LABEL_LEN + 1, context,
6007 sizeof(context) - 1, 1), 0))
6008 goto end;
6009
6010 testresult = 1;
6011 goto end;
6012 } else if (tst == 4) {
6013 labellen = LONG_LABEL_LEN;
6014 } else {
6015 labellen = SMALL_LABEL_LEN;
6016 }
6017
2197d1df
MC		 6018 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6019 sizeof(ckeymat1), label,
0fb2815b 6020 labellen, context,
2197d1df
MC		 6021 sizeof(context) - 1, 1), 1)
6022 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6023 sizeof(ckeymat2), label,
0fb2815b 6024 labellen,
2197d1df
MC		 6025 emptycontext,
6026 0, 1), 1)
6027 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6028 sizeof(ckeymat3), label,
0fb2815b 6029 labellen,
2197d1df
MC		 6030 NULL, 0, 0), 1)
6031 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6032 sizeof(skeymat1), label,
0fb2815b 6033 labellen,
2197d1df
MC		 6034 context,
6035 sizeof(context) -1, 1),
6036 1)
6037 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6038 sizeof(skeymat2), label,
0fb2815b 6039 labellen,
2197d1df
MC		 6040 emptycontext,
6041 0, 1), 1)
6042 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6043 sizeof(skeymat3), label,
0fb2815b 6044 labellen,
2197d1df
MC		 6045 NULL, 0, 0), 1)
6046 /*
6047 * Check that both sides created the same key material with the
6048 * same context.
6049 */
6050 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6051 sizeof(skeymat1))
6052 /*
6053 * Check that both sides created the same key material with an
6054 * empty context.
6055 */
6056 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6057 sizeof(skeymat2))
6058 /*
6059 * Check that both sides created the same key material without a
6060 * context.
6061 */
6062 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6063 sizeof(skeymat3))
6064 /* Different contexts should produce different results */
6065 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6066 sizeof(ckeymat2)))
6067 goto end;
6068
6069 /*
6070 * Check that an empty context and no context produce different results in
6071 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6072 */
0fb2815b 6073 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6074 sizeof(ckeymat3)))
0fb2815b
MC		 6075 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6076 sizeof(ckeymat3))))
2197d1df
MC		 6077 goto end;
6078
6079 testresult = 1;
6080
6081 end:
6082 SSL_free(serverssl);
6083 SSL_free(clientssl);
6084 SSL_CTX_free(sctx2);
6085 SSL_CTX_free(sctx);
6086 SSL_CTX_free(cctx);
6087
6088 return testresult;
6089}
6090
a763ca11 6091#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6092/*
6093 * Test that SSL_export_keying_material_early() produces expected
6094 * results. There are no test vectors so all we do is test that both
6095 * sides of the communication produce the same results for different
6096 * protocol versions.
6097 */
6098static int test_export_key_mat_early(int idx)
6099{
6100 static const char label[] = "test label";
6101 static const unsigned char context[] = "context";
6102 int testresult = 0;
6103 SSL_CTX *cctx = NULL, *sctx = NULL;
6104 SSL *clientssl = NULL, *serverssl = NULL;
6105 SSL_SESSION *sess = NULL;
6106 const unsigned char *emptycontext = NULL;
6107 unsigned char ckeymat1[80], ckeymat2[80];
6108 unsigned char skeymat1[80], skeymat2[80];
6109 unsigned char buf[1];
6110 size_t readbytes, written;
6111
6112 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
6113 &sess, idx)))
6114 goto end;
6115
6116 /* Here writing 0 length early data is enough. */
6117 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6118 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6119 &readbytes),
6120 SSL_READ_EARLY_DATA_ERROR)
6121 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6122 SSL_EARLY_DATA_ACCEPTED))
6123 goto end;
6124
6125 if (!TEST_int_eq(SSL_export_keying_material_early(
6126 clientssl, ckeymat1, sizeof(ckeymat1), label,
6127 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6128 || !TEST_int_eq(SSL_export_keying_material_early(
6129 clientssl, ckeymat2, sizeof(ckeymat2), label,
6130 sizeof(label) - 1, emptycontext, 0), 1)
6131 || !TEST_int_eq(SSL_export_keying_material_early(
6132 serverssl, skeymat1, sizeof(skeymat1), label,
6133 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6134 || !TEST_int_eq(SSL_export_keying_material_early(
6135 serverssl, skeymat2, sizeof(skeymat2), label,
6136 sizeof(label) - 1, emptycontext, 0), 1)
6137 /*
6138 * Check that both sides created the same key material with the
6139 * same context.
6140 */
6141 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6142 sizeof(skeymat1))
6143 /*
6144 * Check that both sides created the same key material with an
6145 * empty context.
6146 */
6147 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6148 sizeof(skeymat2))
6149 /* Different contexts should produce different results */
6150 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6151 sizeof(ckeymat2)))
6152 goto end;
6153
6154 testresult = 1;
6155
6156 end:
c20e3b28 6157 SSL_SESSION_free(sess);
b38ede80
TT		 6158 SSL_SESSION_free(clientpsk);
6159 SSL_SESSION_free(serverpsk);
34ff74eb 6160 clientpsk = serverpsk = NULL;
b38ede80
TT		 6161 SSL_free(serverssl);
6162 SSL_free(clientssl);
6163 SSL_CTX_free(sctx);
6164 SSL_CTX_free(cctx);
6165
6166 return testresult;
6167}
3409a5ff
MC		 6168
6169#define NUM_KEY_UPDATE_MESSAGES 40
6170/*
6171 * Test KeyUpdate.
6172 */
6173static int test_key_update(void)
6174{
6175 SSL_CTX *cctx = NULL, *sctx = NULL;
6176 SSL *clientssl = NULL, *serverssl = NULL;
6177 int testresult = 0, i, j;
6178 char buf[20];
6179 static char *mess = "A test message";
6180
5e30f2fd 6181 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6182 TLS_client_method(),
6183 TLS1_3_VERSION,
6184 0,
6185 &sctx, &cctx, cert, privkey))
6186 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6187 NULL, NULL))
6188 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6189 SSL_ERROR_NONE)))
6190 goto end;
6191
6192 for (j = 0; j < 2; j++) {
6193 /* Send lots of KeyUpdate messages */
6194 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6195 if (!TEST_true(SSL_key_update(clientssl,
6196 (j == 0)
6197 ? SSL_KEY_UPDATE_NOT_REQUESTED
6198 : SSL_KEY_UPDATE_REQUESTED))
6199 || !TEST_true(SSL_do_handshake(clientssl)))
6200 goto end;
6201 }
6202
6203 /* Check that sending and receiving app data is ok */
6204 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6205 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6206 strlen(mess)))
6207 goto end;
a77b4dba
MC		 6208
6209 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6210 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6211 strlen(mess)))
6212 goto end;
3409a5ff
MC		 6213 }
6214
6215 testresult = 1;
6216
6217 end:
6218 SSL_free(serverssl);
6219 SSL_free(clientssl);
6220 SSL_CTX_free(sctx);
6221 SSL_CTX_free(cctx);
6222
6223 return testresult;
6224}
a77b4dba
MC		 6225
6226/*
0c48fda8 6227 * Test we can handle a KeyUpdate (update requested) message while
6228 * write data is pending in peer.
a77b4dba
MC		 6229 * Test 0: Client sends KeyUpdate while Server is writing
6230 * Test 1: Server sends KeyUpdate while Client is writing
6231 */
0c48fda8 6232static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6233{
6234 SSL_CTX *cctx = NULL, *sctx = NULL;
6235 SSL *clientssl = NULL, *serverssl = NULL;
6236 int testresult = 0;
6237 char buf[20];
6238 static char *mess = "A test message";
6239 BIO *bretry = BIO_new(bio_s_always_retry());
6240 BIO *tmp = NULL;
6241 SSL *peerupdate = NULL, *peerwrite = NULL;
6242
6243 if (!TEST_ptr(bretry)
5e30f2fd 6244 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6245 TLS_client_method(),
6246 TLS1_3_VERSION,
6247 0,
6248 &sctx, &cctx, cert, privkey))
6249 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6250 NULL, NULL))
6251 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6252 SSL_ERROR_NONE)))
6253 goto end;
6254
6255 peerupdate = tst == 0 ? clientssl : serverssl;
6256 peerwrite = tst == 0 ? serverssl : clientssl;
6257
6258 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6259 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6260 goto end;
6261
6262 /* Swap the writing endpoint's write BIO to force a retry */
6263 tmp = SSL_get_wbio(peerwrite);
6264 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6265 tmp = NULL;
6266 goto end;
6267 }
6268 SSL_set0_wbio(peerwrite, bretry);
6269 bretry = NULL;
6270
6271 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6272 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6273 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6274 goto end;
6275
6276 /* Reinstate the original writing endpoint's write BIO */
6277 SSL_set0_wbio(peerwrite, tmp);
6278 tmp = NULL;
6279
6280 /* Now read some data - we will read the key update */
6281 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6282 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6283 goto end;
6284
6285 /*
6286 * Complete the write we started previously and read it from the other
6287 * endpoint
6288 */
6289 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6290 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6291 goto end;
6292
6293 /* Write more data to ensure we send the KeyUpdate message back */
6294 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6295 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6296 goto end;
6297
6298 testresult = 1;
6299
6300 end:
6301 SSL_free(serverssl);
6302 SSL_free(clientssl);
6303 SSL_CTX_free(sctx);
6304 SSL_CTX_free(cctx);
6305 BIO_free(bretry);
6306 BIO_free(tmp);
6307
6308 return testresult;
6309}
0c48fda8 6310
6311/*
6312 * Test we can handle a KeyUpdate (update requested) message while
6313 * peer read data is pending after peer accepted keyupdate(the msg header
6314 * had been read 5 bytes).
6315 * Test 0: Client sends KeyUpdate while Server is reading
6316 * Test 1: Server sends KeyUpdate while Client is reading
6317 */
6318static int test_key_update_peer_in_read(int tst)
6319{
6320 SSL_CTX *cctx = NULL, *sctx = NULL;
6321 SSL *clientssl = NULL, *serverssl = NULL;
6322 int testresult = 0;
6323 char prbuf[515], lwbuf[515] = {0};
6324 static char *mess = "A test message";
6325 BIO *lbio = NULL, *pbio = NULL;
6326 SSL *local = NULL, *peer = NULL;
6327
6328 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6329 TLS_client_method(),
6330 TLS1_3_VERSION,
6331 0,
6332 &sctx, &cctx, cert, privkey))
6333 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6334 NULL, NULL))
6335 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6336 SSL_ERROR_NONE)))
6337 goto end;
6338
6339 local = tst == 0 ? clientssl : serverssl;
6340 peer = tst == 0 ? serverssl : clientssl;
6341
6342 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6343 goto end;
6344
6345 SSL_set_bio(local, lbio, lbio);
6346 SSL_set_bio(peer, pbio, pbio);
6347
6348 /*
6349 * we first write keyupdate msg then appdata in local
6350 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6351 * lwbuf app data msg size + key updata msg size > 512(the size of
6352 * the bio pair buffer)
6353 */
6354 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6355 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6356 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6357 goto end;
6358
6359 /*
6360 * first read keyupdate msg in peer in peer
6361 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6362 */
6363 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6364 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6365 goto end;
6366
6367 /* Now write some data in peer - we will write the key update */
6368 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6369 goto end;
6370
6371 /*
6372 * write data in local previously that we will complete
6373 * read data in peer previously that we will complete
6374 */
6375 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6376 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6377 goto end;
6378
6379 /* check that sending and receiving appdata ok */
6380 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6381 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6382 goto end;
6383
6384 testresult = 1;
6385
6386 end:
6387 SSL_free(serverssl);
6388 SSL_free(clientssl);
6389 SSL_CTX_free(sctx);
6390 SSL_CTX_free(cctx);
6391
6392 return testresult;
6393}
6394
6395/*
6396 * Test we can't send a KeyUpdate (update requested) message while
6397 * local write data is pending.
6398 * Test 0: Client sends KeyUpdate while Client is writing
6399 * Test 1: Server sends KeyUpdate while Server is writing
6400 */
6401static int test_key_update_local_in_write(int tst)
6402{
6403 SSL_CTX *cctx = NULL, *sctx = NULL;
6404 SSL *clientssl = NULL, *serverssl = NULL;
6405 int testresult = 0;
6406 char buf[20];
6407 static char *mess = "A test message";
6408 BIO *bretry = BIO_new(bio_s_always_retry());
6409 BIO *tmp = NULL;
6410 SSL *local = NULL, *peer = NULL;
6411
6412 if (!TEST_ptr(bretry)
6413 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6414 TLS_client_method(),
6415 TLS1_3_VERSION,
6416 0,
6417 &sctx, &cctx, cert, privkey))
6418 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6419 NULL, NULL))
6420 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6421 SSL_ERROR_NONE)))
6422 goto end;
6423
6424 local = tst == 0 ? clientssl : serverssl;
6425 peer = tst == 0 ? serverssl : clientssl;
6426
6427 /* Swap the writing endpoint's write BIO to force a retry */
6428 tmp = SSL_get_wbio(local);
6429 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6430 tmp = NULL;
6431 goto end;
6432 }
6433 SSL_set0_wbio(local, bretry);
6434 bretry = NULL;
6435
6436 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6437 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6438 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6439 goto end;
6440
6441 /* Reinstate the original writing endpoint's write BIO */
6442 SSL_set0_wbio(local, tmp);
6443 tmp = NULL;
6444
6445 /* SSL_key_update will fail, because writing in local*/
6446 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6447 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6448 goto end;
6449
6450 ERR_clear_error();
6451 /* write data in local previously that we will complete */
6452 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6453 goto end;
6454
6455 /* SSL_key_update will succeed because there is no pending write data */
6456 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6457 || !TEST_int_eq(SSL_do_handshake(local), 1))
6458 goto end;
6459
6460 /*
6461 * we write some appdata in local
6462 * read data in peer - we will read the keyupdate msg
6463 */
6464 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6465 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6466 goto end;
6467
6468 /* Write more peer more data to ensure we send the keyupdate message back */
6469 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6470 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6471 goto end;
6472
6473 testresult = 1;
6474
6475 end:
6476 SSL_free(serverssl);
6477 SSL_free(clientssl);
6478 SSL_CTX_free(sctx);
6479 SSL_CTX_free(cctx);
6480 BIO_free(bretry);
6481 BIO_free(tmp);
6482
6483 return testresult;
6484}
6485
6486/*
6487 * Test we can handle a KeyUpdate (update requested) message while
6488 * local read data is pending(the msg header had been read 5 bytes).
6489 * Test 0: Client sends KeyUpdate while Client is reading
6490 * Test 1: Server sends KeyUpdate while Server is reading
6491 */
6492static int test_key_update_local_in_read(int tst)
6493{
6494 SSL_CTX *cctx = NULL, *sctx = NULL;
6495 SSL *clientssl = NULL, *serverssl = NULL;
6496 int testresult = 0;
6497 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6498 static char *mess = "A test message";
6499 BIO *lbio = NULL, *pbio = NULL;
6500 SSL *local = NULL, *peer = NULL;
6501
6502 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6503 TLS_client_method(),
6504 TLS1_3_VERSION,
6505 0,
6506 &sctx, &cctx, cert, privkey))
6507 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6508 NULL, NULL))
6509 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6510 SSL_ERROR_NONE)))
6511 goto end;
6512
6513 local = tst == 0 ? clientssl : serverssl;
6514 peer = tst == 0 ? serverssl : clientssl;
6515
6516 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6517 goto end;
6518
6519 SSL_set_bio(local, lbio, lbio);
6520 SSL_set_bio(peer, pbio, pbio);
6521
6522 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6523 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6524 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6525 goto end;
6526
6527 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6528 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6529 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
6530 goto end;
6531
6532 /* SSL_do_handshake will send keyupdate msg */
6533 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6534 || !TEST_int_eq(SSL_do_handshake(local), 1))
6535 goto end;
6536
6537 /*
6538 * write data in peer previously that we will complete
6539 * read data in local previously that we will complete
6540 */
6541 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
6542 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
6543 goto end;
6544
6545 /*
6546 * write data in local
6547 * read data in peer - we will read the key update
6548 */
6549 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6550 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6551 goto end;
6552
6553 /* Write more peer data to ensure we send the keyupdate message back */
6554 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6555 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
6556 goto end;
6557
6558 testresult = 1;
6559
6560 end:
6561 SSL_free(serverssl);
6562 SSL_free(clientssl);
6563 SSL_CTX_free(sctx);
6564 SSL_CTX_free(cctx);
6565
6566 return testresult;
6567}
a763ca11 6568#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6569
e11b6aa4
MC		 6570static int test_ssl_clear(int idx)
6571{
6572 SSL_CTX *cctx = NULL, *sctx = NULL;
6573 SSL *clientssl = NULL, *serverssl = NULL;
6574 int testresult = 0;
6575
6576#ifdef OPENSSL_NO_TLS1_2
6577 if (idx == 1)
6578 return 1;
6579#endif
6580
6581 /* Create an initial connection */
5e30f2fd
MC		 6582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6583 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6584 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6585 || (idx == 1
6586 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6587 TLS1_2_VERSION)))
6588 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6589 &clientssl, NULL, NULL))
6590 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6591 SSL_ERROR_NONE)))
6592 goto end;
6593
6594 SSL_shutdown(clientssl);
6595 SSL_shutdown(serverssl);
6596 SSL_free(serverssl);
6597 serverssl = NULL;
6598
6599 /* Clear clientssl - we're going to reuse the object */
6600 if (!TEST_true(SSL_clear(clientssl)))
6601 goto end;
6602
6603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6604 NULL, NULL))
6605 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6606 SSL_ERROR_NONE))
6607 || !TEST_true(SSL_session_reused(clientssl)))
6608 goto end;
6609
6610 SSL_shutdown(clientssl);
6611 SSL_shutdown(serverssl);
6612
6613 testresult = 1;
6614
6615 end:
6616 SSL_free(serverssl);
6617 SSL_free(clientssl);
6618 SSL_CTX_free(sctx);
6619 SSL_CTX_free(cctx);
6620
6621 return testresult;
6622}
6623
cf72c757
F		 6624/* Parse CH and retrieve any MFL extension value if present */
6625static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6626{
6627 long len;
6628 unsigned char *data;
72962d02 6629 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6630 unsigned int MFL_code = 0, type = 0;
6631
1287dabd 6632 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 6633 goto end;
6634
72962d02
P		 6635 memset(&pkt, 0, sizeof(pkt));
6636 memset(&pkt2, 0, sizeof(pkt2));
6637 memset(&pkt3, 0, sizeof(pkt3));
6638
9ba18520 6639 if (!TEST_long_gt(len, 0)
1287dabd 6640 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 6641 /* Skip the record header */
6642 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6643 /* Skip the handshake message header */
6644 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6645 /* Skip client version and random */
6646 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6647 + SSL3_RANDOM_SIZE))
6648 /* Skip session id */
6649 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6650 /* Skip ciphers */
6651 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6652 /* Skip compression */
6653 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6654 /* Extensions len */
6655 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6656 goto end;
6657
6658 /* Loop through all extensions */
6659 while (PACKET_remaining(&pkt2)) {
6660 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6661 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6662 goto end;
6663
6664 if (type == TLSEXT_TYPE_max_fragment_length) {
6665 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6666 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6667 goto end;
6668
6669 *mfl_codemfl_code = MFL_code;
6670 return 1;
6671 }
6672 }
6673
6674 end:
6675 return 0;
6676}
6677
6678/* Maximum-Fragment-Length TLS extension mode to test */
6679static const unsigned char max_fragment_len_test[] = {
6680 TLSEXT_max_fragment_length_512,
6681 TLSEXT_max_fragment_length_1024,
6682 TLSEXT_max_fragment_length_2048,
6683 TLSEXT_max_fragment_length_4096
6684};
6685
6686static int test_max_fragment_len_ext(int idx_tst)
6687{
a763ca11 6688 SSL_CTX *ctx = NULL;
cf72c757
F		 6689 SSL *con = NULL;
6690 int testresult = 0, MFL_mode = 0;
6691 BIO *rbio, *wbio;
6692
a763ca11
MC		 6693 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6694 TLS1_VERSION, 0, NULL, &ctx, NULL,
6695 NULL)))
6696 return 0;
cf72c757
F		 6697
6698 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6699 ctx, max_fragment_len_test[idx_tst])))
6700 goto end;
6701
6702 con = SSL_new(ctx);
6703 if (!TEST_ptr(con))
6704 goto end;
6705
6706 rbio = BIO_new(BIO_s_mem());
6707 wbio = BIO_new(BIO_s_mem());
6708 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6709 BIO_free(rbio);
6710 BIO_free(wbio);
6711 goto end;
6712 }
6713
6714 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6715
6716 if (!TEST_int_le(SSL_connect(con), 0)) {
6717 /* This shouldn't succeed because we don't have a server! */
6718 goto end;
6719 }
6720
6721 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6722 /* no MFL in client hello */
6723 goto end;
6724 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6725 goto end;
6726
6727 testresult = 1;
6728
6729end:
6730 SSL_free(con);
6731 SSL_CTX_free(ctx);
6732
6733 return testresult;
6734}
6735
a763ca11 6736#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6737static int test_pha_key_update(void)
6738{
6739 SSL_CTX *cctx = NULL, *sctx = NULL;
6740 SSL *clientssl = NULL, *serverssl = NULL;
6741 int testresult = 0;
6742
5e30f2fd
MC		 6743 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6744 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6745 &sctx, &cctx, cert, privkey)))
6746 return 0;
6747
6748 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6749 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6750 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6751 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6752 goto end;
6753
e97be718 6754 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6755
6756 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6757 NULL, NULL)))
6758 goto end;
6759
9d75dce3
TS		 6760 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6761 SSL_ERROR_NONE)))
6762 goto end;
6763
6764 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6765 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6766 goto end;
6767
6768 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6769 goto end;
6770
6771 /* Start handshake on the server */
6772 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6773 goto end;
6774
6775 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6776 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6777 SSL_ERROR_NONE)))
6778 goto end;
6779
6780 SSL_shutdown(clientssl);
6781 SSL_shutdown(serverssl);
6782
6783 testresult = 1;
6784
6785 end:
6786 SSL_free(serverssl);
6787 SSL_free(clientssl);
6788 SSL_CTX_free(sctx);
6789 SSL_CTX_free(cctx);
6790 return testresult;
6791}
6792#endif
6793
76fd7a1d
MC		 6794#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6795
6796static SRP_VBASE *vbase = NULL;
6797
6798static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6799{
6800 int ret = SSL3_AL_FATAL;
6801 char *username;
6802 SRP_user_pwd *user = NULL;
6803
6804 username = SSL_get_srp_username(s);
6805 if (username == NULL) {
6806 *ad = SSL_AD_INTERNAL_ERROR;
6807 goto err;
6808 }
6809
6810 user = SRP_VBASE_get1_by_user(vbase, username);
6811 if (user == NULL) {
6812 *ad = SSL_AD_INTERNAL_ERROR;
6813 goto err;
6814 }
6815
6816 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6817 user->info) <= 0) {
6818 *ad = SSL_AD_INTERNAL_ERROR;
6819 goto err;
6820 }
6821
6822 ret = 0;
6823
6824 err:
6825 SRP_user_pwd_free(user);
6826 return ret;
6827}
6828
6829static int create_new_vfile(char *userid, char *password, const char *filename)
6830{
6831 char *gNid = NULL;
6832 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6833 TXT_DB *db = NULL;
6834 int ret = 0;
6835 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6836 size_t i;
6837
6838 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6839 goto end;
6840
20c00d0a 6841 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6842 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6843 if (!TEST_ptr(gNid))
6844 goto end;
6845
6846 /*
6847 * The only way to create an empty TXT_DB is to provide a BIO with no data
6848 * in it!
6849 */
6850 db = TXT_DB_read(dummy, DB_NUMBER);
6851 if (!TEST_ptr(db))
6852 goto end;
6853
6854 out = BIO_new_file(filename, "w");
6855 if (!TEST_ptr(out))
6856 goto end;
6857
6858 row[DB_srpid] = OPENSSL_strdup(userid);
6859 row[DB_srptype] = OPENSSL_strdup("V");
6860 row[DB_srpgN] = OPENSSL_strdup(gNid);
6861
6862 if (!TEST_ptr(row[DB_srpid])
6863 || !TEST_ptr(row[DB_srptype])
6864 || !TEST_ptr(row[DB_srpgN])
6865 || !TEST_true(TXT_DB_insert(db, row)))
6866 goto end;
6867
6868 row = NULL;
6869
aba9943f 6870 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 6871 goto end;
6872
6873 ret = 1;
6874 end:
6875 if (row != NULL) {
6876 for (i = 0; i < DB_NUMBER; i++)
6877 OPENSSL_free(row[i]);
6878 }
6879 OPENSSL_free(row);
6880 BIO_free(dummy);
6881 BIO_free(out);
6882 TXT_DB_free(db);
6883
6884 return ret;
6885}
6886
6887static int create_new_vbase(char *userid, char *password)
6888{
6889 BIGNUM *verifier = NULL, *salt = NULL;
6890 const SRP_gN *lgN = NULL;
6891 SRP_user_pwd *user_pwd = NULL;
6892 int ret = 0;
6893
6894 lgN = SRP_get_default_gN(NULL);
6895 if (!TEST_ptr(lgN))
6896 goto end;
6897
20c00d0a 6898 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6899 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6900 goto end;
6901
6902 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6903 if (!TEST_ptr(user_pwd))
6904 goto end;
6905
6906 user_pwd->N = lgN->N;
6907 user_pwd->g = lgN->g;
6908 user_pwd->id = OPENSSL_strdup(userid);
6909 if (!TEST_ptr(user_pwd->id))
6910 goto end;
6911
6912 user_pwd->v = verifier;
6913 user_pwd->s = salt;
6914 verifier = salt = NULL;
6915
6916 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6917 goto end;
6918 user_pwd = NULL;
6919
6920 ret = 1;
6921end:
6922 SRP_user_pwd_free(user_pwd);
6923 BN_free(salt);
6924 BN_free(verifier);
6925
6926 return ret;
6927}
6928
6929/*
6930 * SRP tests
6931 *
6932 * Test 0: Simple successful SRP connection, new vbase
6933 * Test 1: Connection failure due to bad password, new vbase
6934 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6935 * Test 3: Connection failure due to bad password, vbase loaded from existing
6936 * file
6937 * Test 4: Simple successful SRP connection, vbase loaded from new file
6938 * Test 5: Connection failure due to bad password, vbase loaded from new file
6939 */
6940static int test_srp(int tst)
6941{
6942 char *userid = "test", *password = "password", *tstsrpfile;
6943 SSL_CTX *cctx = NULL, *sctx = NULL;
6944 SSL *clientssl = NULL, *serverssl = NULL;
6945 int ret, testresult = 0;
6946
6947 vbase = SRP_VBASE_new(NULL);
6948 if (!TEST_ptr(vbase))
6949 goto end;
6950
6951 if (tst == 0 || tst == 1) {
6952 if (!TEST_true(create_new_vbase(userid, password)))
6953 goto end;
6954 } else {
6955 if (tst == 4 || tst == 5) {
6956 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6957 goto end;
6958 tstsrpfile = tmpfilename;
6959 } else {
6960 tstsrpfile = srpvfile;
6961 }
6962 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6963 goto end;
6964 }
6965
5e30f2fd
MC		 6966 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6967 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6968 &sctx, &cctx, cert, privkey)))
6969 goto end;
6970
6971 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6972 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6973 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6974 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6975 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6976 goto end;
6977
6978 if (tst % 2 == 1) {
6979 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6980 goto end;
6981 } else {
6982 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6983 goto end;
6984 }
6985
6986 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6987 NULL, NULL)))
6988 goto end;
6989
6990 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6991 if (ret) {
6992 if (!TEST_true(tst % 2 == 0))
6993 goto end;
6994 } else {
6995 if (!TEST_true(tst % 2 == 1))
6996 goto end;
6997 }
6998
6999 testresult = 1;
7000
7001 end:
7002 SRP_VBASE_free(vbase);
7003 vbase = NULL;
7004 SSL_free(serverssl);
7005 SSL_free(clientssl);
7006 SSL_CTX_free(sctx);
7007 SSL_CTX_free(cctx);
7008
7009 return testresult;
7010}
7011#endif
7012
5718fe45
MC		 7013static int info_cb_failed = 0;
7014static int info_cb_offset = 0;
7015static int info_cb_this_state = -1;
7016
7017static struct info_cb_states_st {
7018 int where;
7019 const char *statestr;
7020} info_cb_states[][60] = {
7021 {
7022 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7023 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7024 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7025 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7026 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7027 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7028 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7029 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7030 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7031 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7032 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7033 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7034 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7035 {SSL_CB_EXIT, NULL}, {0, NULL},
7036 }, {
7037 /* TLSv1.2 client followed by resumption */
e0f69c35 7038 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7039 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7040 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7041 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7042 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7043 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7044 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7045 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7046 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7047 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7048 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7049 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7050 }, {
7051 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7052 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7053 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7054 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7055 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7056 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7057 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7058 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7059 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7060 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7061 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7062 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7063 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7064 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7065 }, {
7066 /* TLSv1.3 client followed by resumption */
e0f69c35 7067 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7068 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7069 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7070 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7071 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7072 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7073 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7074 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7075 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7076 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7077 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7078 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7079 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7080 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7081 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7082 }, {
7083 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7084 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7085 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7086 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7087 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7088 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7089 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7090 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7091 {SSL_CB_EXIT, NULL}, {0, NULL},
7092 }, {
7093 /* TLSv1.3 client, early_data */
e0f69c35 7094 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7095 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7096 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7097 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7098 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7099 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7100 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7101 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7102 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7103 }, {
7104 {0, NULL},
7105 }
7106};
7107
7108static void sslapi_info_callback(const SSL *s, int where, int ret)
7109{
7110 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7111
7112 /* We do not ever expect a connection to fail in this test */
7113 if (!TEST_false(ret == 0)) {
7114 info_cb_failed = 1;
7115 return;
7116 }
7117
7118 /*
7119 * Do some sanity checks. We never expect these things to happen in this
7120 * test
7121 */
7122 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7123 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7124 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7125 info_cb_failed = 1;
7126 return;
7127 }
7128
7129 /* Now check we're in the right state */
7130 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7131 info_cb_failed = 1;
7132 return;
7133 }
7134 if ((where & SSL_CB_LOOP) != 0
7135 && !TEST_int_eq(strcmp(SSL_state_string(s),
7136 state[info_cb_this_state].statestr), 0)) {
7137 info_cb_failed = 1;
7138 return;
7139 }
033c181b 7140
4af5836b
MC		 7141 /*
7142 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7143 */
7144 if ((where & SSL_CB_HANDSHAKE_DONE)
7145 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7146 info_cb_failed = 1;
7147 return;
7148 }
5718fe45
MC		 7149}
7150
7151/*
7152 * Test the info callback gets called when we expect it to.
7153 *
7154 * Test 0: TLSv1.2, server
7155 * Test 1: TLSv1.2, client
7156 * Test 2: TLSv1.3, server
7157 * Test 3: TLSv1.3, client
7158 * Test 4: TLSv1.3, server, early_data
7159 * Test 5: TLSv1.3, client, early_data
7160 */
7161static int test_info_callback(int tst)
7162{
7163 SSL_CTX *cctx = NULL, *sctx = NULL;
7164 SSL *clientssl = NULL, *serverssl = NULL;
7165 SSL_SESSION *clntsess = NULL;
7166 int testresult = 0;
7167 int tlsvers;
7168
7169 if (tst < 2) {
1aac20f5
MC		 7170/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7171#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7172 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7173 tlsvers = TLS1_2_VERSION;
7174#else
7175 return 1;
7176#endif
7177 } else {
a763ca11 7178#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7179 tlsvers = TLS1_3_VERSION;
7180#else
7181 return 1;
7182#endif
7183 }
7184
7185 /* Reset globals */
7186 info_cb_failed = 0;
7187 info_cb_this_state = -1;
7188 info_cb_offset = tst;
7189
a763ca11 7190#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7191 if (tst >= 4) {
7192 SSL_SESSION *sess = NULL;
7193 size_t written, readbytes;
7194 unsigned char buf[80];
7195
7196 /* early_data tests */
7197 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
7198 &serverssl, &sess, 0)))
7199 goto end;
7200
7201 /* We don't actually need this reference */
7202 SSL_SESSION_free(sess);
7203
7204 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7205 sslapi_info_callback);
7206
7207 /* Write and read some early data and then complete the connection */
7208 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7209 &written))
7210 || !TEST_size_t_eq(written, strlen(MSG1))
7211 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7212 sizeof(buf), &readbytes),
7213 SSL_READ_EARLY_DATA_SUCCESS)
7214 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7215 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7216 SSL_EARLY_DATA_ACCEPTED)
7217 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7218 SSL_ERROR_NONE))
7219 || !TEST_false(info_cb_failed))
7220 goto end;
7221
7222 testresult = 1;
7223 goto end;
7224 }
6e07834c 7225#endif
5718fe45 7226
5e30f2fd 7227 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7228 TLS_client_method(),
7229 tlsvers, tlsvers, &sctx, &cctx, cert,
7230 privkey)))
7231 goto end;
7232
33c39a06
MC		 7233 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7234 goto end;
7235
5718fe45
MC		 7236 /*
7237 * For even numbered tests we check the server callbacks. For odd numbers we
7238 * check the client.
7239 */
7240 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7241 sslapi_info_callback);
7242
7243 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7244 &clientssl, NULL, NULL))
7245 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7246 SSL_ERROR_NONE))
7247 || !TEST_false(info_cb_failed))
7248 goto end;
7249
7250
7251
7252 clntsess = SSL_get1_session(clientssl);
7253 SSL_shutdown(clientssl);
7254 SSL_shutdown(serverssl);
7255 SSL_free(serverssl);
7256 SSL_free(clientssl);
7257 serverssl = clientssl = NULL;
7258
7259 /* Now do a resumption */
7260 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7261 NULL))
7262 || !TEST_true(SSL_set_session(clientssl, clntsess))
7263 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7264 SSL_ERROR_NONE))
7265 || !TEST_true(SSL_session_reused(clientssl))
7266 || !TEST_false(info_cb_failed))
7267 goto end;
7268
7269 testresult = 1;
7270
7271 end:
7272 SSL_free(serverssl);
7273 SSL_free(clientssl);
7274 SSL_SESSION_free(clntsess);
7275 SSL_CTX_free(sctx);
7276 SSL_CTX_free(cctx);
7277 return testresult;
7278}
7279
4a432af8
MC		 7280static int test_ssl_pending(int tst)
7281{
7282 SSL_CTX *cctx = NULL, *sctx = NULL;
7283 SSL *clientssl = NULL, *serverssl = NULL;
7284 int testresult = 0;
7285 char msg[] = "A test message";
7286 char buf[5];
7287 size_t written, readbytes;
7288
7289 if (tst == 0) {
5e30f2fd 7290 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7291 TLS_client_method(),
5c587fb6 7292 TLS1_VERSION, 0,
4a432af8
MC		 7293 &sctx, &cctx, cert, privkey)))
7294 goto end;
7295 } else {
7296#ifndef OPENSSL_NO_DTLS
5e30f2fd 7297 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7298 DTLS_client_method(),
5c587fb6 7299 DTLS1_VERSION, 0,
4a432af8
MC		 7300 &sctx, &cctx, cert, privkey)))
7301 goto end;
8ce390e1
MC		 7302
7303# ifdef OPENSSL_NO_DTLS1_2
7304 /* Not supported in the FIPS provider */
7305 if (is_fips) {
7306 testresult = 1;
7307 goto end;
7308 };
7309 /*
7310 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7311 * level 0
7312 */
7313 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7314 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7315 "DEFAULT:@SECLEVEL=0")))
7316 goto end;
7317# endif
4a432af8
MC		 7318#else
7319 return 1;
7320#endif
7321 }
7322
7323 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7324 NULL, NULL))
7325 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7326 SSL_ERROR_NONE)))
7327 goto end;
7328
e8251092
MC		 7329 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7330 || !TEST_false(SSL_has_pending(clientssl))
7331 || !TEST_int_eq(SSL_pending(serverssl), 0)
7332 || !TEST_false(SSL_has_pending(serverssl))
7333 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7334 || !TEST_size_t_eq(written, sizeof(msg))
7335 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7336 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7337 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7338 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7339 goto end;
7340
7341 testresult = 1;
7342
7343 end:
7344 SSL_free(serverssl);
7345 SSL_free(clientssl);
7346 SSL_CTX_free(sctx);
7347 SSL_CTX_free(cctx);
7348
7349 return testresult;
7350}
7351
e401389a
MC		 7352static struct {
7353 unsigned int maxprot;
7354 const char *clntciphers;
7355 const char *clnttls13ciphers;
7356 const char *srvrciphers;
7357 const char *srvrtls13ciphers;
7358 const char *shared;
a96e6c34 7359 const char *fipsshared;
e401389a 7360} shared_ciphers_data[] = {
60155b9a
MC		 7361/*
7362 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7363 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7364 */
a763ca11 7365#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7366 {
7367 TLS1_2_VERSION,
7368 "AES128-SHA:AES256-SHA",
7369 NULL,
7370 "AES256-SHA:DHE-RSA-AES128-SHA",
7371 NULL,
a96e6c34 7372 "AES256-SHA",
e401389a
MC		 7373 "AES256-SHA"
7374 },
a96e6c34
MC		 7375# if !defined(OPENSSL_NO_CHACHA) \
7376 && !defined(OPENSSL_NO_POLY1305) \
7377 && !defined(OPENSSL_NO_EC)
7378 {
7379 TLS1_2_VERSION,
7380 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7381 NULL,
7382 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7383 NULL,
7384 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7385 "AES128-SHA"
7386 },
7387# endif
e401389a
MC		 7388 {
7389 TLS1_2_VERSION,
7390 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7391 NULL,
7392 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7393 NULL,
a96e6c34 7394 "AES128-SHA:AES256-SHA",
e401389a
MC		 7395 "AES128-SHA:AES256-SHA"
7396 },
7397 {
7398 TLS1_2_VERSION,
7399 "AES128-SHA:AES256-SHA",
7400 NULL,
7401 "AES128-SHA:DHE-RSA-AES128-SHA",
7402 NULL,
a96e6c34 7403 "AES128-SHA",
e401389a
MC		 7404 "AES128-SHA"
7405 },
60155b9a
MC		 7406#endif
7407/*
7408 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7409 * enabled.
7410 */
a763ca11 7411#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7412 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7413 {
7414 TLS1_3_VERSION,
7415 "AES128-SHA:AES256-SHA",
7416 NULL,
7417 "AES256-SHA:AES128-SHA256",
7418 NULL,
7419 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7420 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7421 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7422 },
60155b9a 7423#endif
a763ca11 7424#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7425 {
7426 TLS1_3_VERSION,
7427 "AES128-SHA",
7428 "TLS_AES_256_GCM_SHA384",
7429 "AES256-SHA",
7430 "TLS_AES_256_GCM_SHA384",
a96e6c34 7431 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7432 "TLS_AES_256_GCM_SHA384"
7433 },
7434#endif
7435};
7436
a96e6c34 7437static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7438{
7439 SSL_CTX *cctx = NULL, *sctx = NULL;
7440 SSL *clientssl = NULL, *serverssl = NULL;
7441 int testresult = 0;
7442 char buf[1024];
b4250010 7443 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7444
7445 if (!TEST_ptr(tmplibctx))
7446 goto end;
7447
7448 /*
7449 * Regardless of whether we're testing with the FIPS provider loaded into
7450 * libctx, we want one peer to always use the full set of ciphersuites
7451 * available. Therefore we use a separate libctx with the default provider
7452 * loaded into it. We run the same tests twice - once with the client side
7453 * having the full set of ciphersuites and once with the server side.
7454 */
7455 if (clnt) {
d8652be0 7456 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7457 if (!TEST_ptr(cctx))
7458 goto end;
7459 } else {
d8652be0 7460 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7461 if (!TEST_ptr(sctx))
7462 goto end;
7463 }
e401389a 7464
5e30f2fd 7465 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7466 TLS_client_method(),
7467 TLS1_VERSION,
7468 shared_ciphers_data[tst].maxprot,
7469 &sctx, &cctx, cert, privkey)))
7470 goto end;
7471
7472 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7473 shared_ciphers_data[tst].clntciphers))
7474 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7475 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7476 shared_ciphers_data[tst].clnttls13ciphers)))
7477 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7478 shared_ciphers_data[tst].srvrciphers))
7479 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7480 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7481 shared_ciphers_data[tst].srvrtls13ciphers))))
7482 goto end;
7483
7484
7485 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7486 NULL, NULL))
7487 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7488 SSL_ERROR_NONE)))
7489 goto end;
7490
7491 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7492 || !TEST_int_eq(strcmp(buf,
7493 is_fips
7494 ? shared_ciphers_data[tst].fipsshared
7495 : shared_ciphers_data[tst].shared),
7496 0)) {
e401389a
MC		 7497 TEST_info("Shared ciphers are: %s\n", buf);
7498 goto end;
7499 }
7500
7501 testresult = 1;
7502
7503 end:
7504 SSL_free(serverssl);
7505 SSL_free(clientssl);
7506 SSL_CTX_free(sctx);
7507 SSL_CTX_free(cctx);
b4250010 7508 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7509
7510 return testresult;
7511}
7512
a96e6c34
MC		 7513static int test_ssl_get_shared_ciphers(int tst)
7514{
7515 return int_test_ssl_get_shared_ciphers(tst, 0)
7516 && int_test_ssl_get_shared_ciphers(tst, 1);
7517}
7518
7519
d0191fe0 7520static const char *appdata = "Hello World";
61fb5923
MC		 7521static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7522static int tick_key_renew = 0;
7523static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7524
7525static int gen_tick_cb(SSL *s, void *arg)
7526{
7527 gen_tick_called = 1;
7528
7529 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7530 strlen(appdata));
7531}
7532
7533static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7534 const unsigned char *keyname,
7535 size_t keyname_length,
61fb5923
MC		 7536 SSL_TICKET_STATUS status,
7537 void *arg)
d0191fe0
MC		 7538{
7539 void *tickdata;
7540 size_t tickdlen;
7541
7542 dec_tick_called = 1;
7543
61fb5923
MC		 7544 if (status == SSL_TICKET_EMPTY)
7545 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7546
61fb5923
MC		 7547 if (!TEST_true(status == SSL_TICKET_SUCCESS
7548 || status == SSL_TICKET_SUCCESS_RENEW))
7549 return SSL_TICKET_RETURN_ABORT;
7550
7551 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7552 &tickdlen))
d0191fe0
MC		 7553 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7554 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7555 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7556
61fb5923
MC		 7557 if (tick_key_cb_called) {
7558 /* Don't change what the ticket key callback wanted to do */
7559 switch (status) {
7560 case SSL_TICKET_NO_DECRYPT:
7561 return SSL_TICKET_RETURN_IGNORE_RENEW;
7562
7563 case SSL_TICKET_SUCCESS:
7564 return SSL_TICKET_RETURN_USE;
d0191fe0 7565
61fb5923
MC		 7566 case SSL_TICKET_SUCCESS_RENEW:
7567 return SSL_TICKET_RETURN_USE_RENEW;
7568
7569 default:
7570 return SSL_TICKET_RETURN_ABORT;
7571 }
7572 }
7573 return tick_dec_ret;
7574
7575}
d0191fe0 7576
a76ce286 7577#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7578static int tick_key_cb(SSL *s, unsigned char key_name[16],
7579 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7580 HMAC_CTX *hctx, int enc)
7581{
7582 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7583 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 7584 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7585 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7586 int ret;
d0191fe0 7587
61fb5923 7588 tick_key_cb_called = 1;
d0191fe0
MC		 7589 memset(iv, 0, AES_BLOCK_SIZE);
7590 memset(key_name, 0, 16);
5e30f2fd
MC		 7591 if (aes128cbc == NULL
7592 || sha256 == NULL
7593 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7594 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7595 NULL))
7596 ret = -1;
7597 else
7598 ret = tick_key_renew ? 2 : 1;
d0191fe0 7599
5e30f2fd
MC		 7600 EVP_CIPHER_free(aes128cbc);
7601 EVP_MD_free(sha256);
7602
7603 return ret;
d0191fe0 7604}
a76ce286
P		 7605#endif
7606
7607static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7608 unsigned char iv[EVP_MAX_IV_LENGTH],
7609 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7610{
7611 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7612 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7613 OSSL_PARAM params[2];
5e30f2fd
MC		 7614 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7615 int ret;
a76ce286
P		 7616
7617 tick_key_cb_called = 1;
7618 memset(iv, 0, AES_BLOCK_SIZE);
7619 memset(key_name, 0, 16);
7620 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7621 "SHA256", 0);
77e4ae58 7622 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7623 if (aes128cbc == NULL
7624 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7625 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7626 params))
5e30f2fd
MC		 7627 ret = -1;
7628 else
7629 ret = tick_key_renew ? 2 : 1;
7630
7631 EVP_CIPHER_free(aes128cbc);
a76ce286 7632
5e30f2fd 7633 return ret;
a76ce286 7634}
d0191fe0
MC		 7635
7636/*
7637 * Test the various ticket callbacks
61fb5923
MC		 7638 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7639 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7640 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7641 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7642 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7643 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7644 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7645 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7646 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7647 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7648 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7649 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7650 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7651 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7652 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7653 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 7654 */
7655static int test_ticket_callbacks(int tst)
7656{
7657 SSL_CTX *cctx = NULL, *sctx = NULL;
7658 SSL *clientssl = NULL, *serverssl = NULL;
7659 SSL_SESSION *clntsess = NULL;
7660 int testresult = 0;
7661
7662#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7663 if (tst % 2 == 0)
d0191fe0
MC		 7664 return 1;
7665#endif
a763ca11 7666#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7667 if (tst % 2 == 1)
d0191fe0
MC		 7668 return 1;
7669#endif
a76ce286
P		 7670#ifdef OPENSSL_NO_DEPRECATED_3_0
7671 if (tst >= 8 && tst <= 11)
7672 return 1;
7673#endif
d0191fe0 7674
61fb5923 7675 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7676
7677 /* Which tests the ticket key callback should request renewal for */
a76ce286 7678 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 7679 tick_key_renew = 1;
d0191fe0 7680 else
61fb5923
MC		 7681 tick_key_renew = 0;
7682
7683 /* Which tests the decrypt ticket callback should request renewal for */
7684 switch (tst) {
7685 case 0:
7686 case 1:
7687 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7688 break;
7689
7690 case 2:
7691 case 3:
7692 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7693 break;
7694
7695 case 4:
7696 case 5:
7697 tick_dec_ret = SSL_TICKET_RETURN_USE;
7698 break;
7699
7700 case 6:
7701 case 7:
7702 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7703 break;
7704
7705 default:
7706 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7707 }
d0191fe0 7708
5e30f2fd 7709 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7710 TLS_client_method(),
7711 TLS1_VERSION,
61fb5923
MC		 7712 ((tst % 2) == 0) ? TLS1_2_VERSION
7713 : TLS1_3_VERSION,
d0191fe0
MC		 7714 &sctx, &cctx, cert, privkey)))
7715 goto end;
7716
61fb5923
MC		 7717 /*
7718 * We only want sessions to resume from tickets - not the session cache. So
7719 * switch the cache off.
7720 */
7721 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7722 goto end;
7723
d0191fe0
MC		 7724 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7725 NULL)))
7726 goto end;
7727
a76ce286
P		 7728 if (tst >= 12) {
7729 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7730 goto end;
7731#ifndef OPENSSL_NO_DEPRECATED_3_0
7732 } else if (tst >= 8) {
7733 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7734 goto end;
7735#endif
7736 }
d0191fe0
MC		 7737
7738 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7739 NULL, NULL))
7740 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7741 SSL_ERROR_NONE)))
7742 goto end;
7743
61fb5923
MC		 7744 /*
7745 * The decrypt ticket key callback in TLSv1.2 should be called even though
7746 * we have no ticket yet, because it gets called with a status of
7747 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7748 * actually send any ticket data). This does not happen in TLSv1.3 because
7749 * it is not valid to send empty ticket data in TLSv1.3.
7750 */
d0191fe0 7751 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7752 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7753 goto end;
7754
7755 gen_tick_called = dec_tick_called = 0;
7756
7757 clntsess = SSL_get1_session(clientssl);
7758 SSL_shutdown(clientssl);
7759 SSL_shutdown(serverssl);
7760 SSL_free(serverssl);
7761 SSL_free(clientssl);
7762 serverssl = clientssl = NULL;
7763
7764 /* Now do a resumption */
7765 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7766 NULL))
7767 || !TEST_true(SSL_set_session(clientssl, clntsess))
7768 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7769 SSL_ERROR_NONE)))
d0191fe0
MC		 7770 goto end;
7771
61fb5923
MC		 7772 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7773 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7774 if (!TEST_false(SSL_session_reused(clientssl)))
7775 goto end;
7776 } else {
7777 if (!TEST_true(SSL_session_reused(clientssl)))
7778 goto end;
7779 }
7780
d0191fe0 7781 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7782 (tick_key_renew
7783 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7784 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7785 ? 1 : 0)
d0191fe0
MC		 7786 || !TEST_int_eq(dec_tick_called, 1))
7787 goto end;
7788
7789 testresult = 1;
7790
7791 end:
7792 SSL_SESSION_free(clntsess);
7793 SSL_free(serverssl);
7794 SSL_free(clientssl);
7795 SSL_CTX_free(sctx);
7796 SSL_CTX_free(cctx);
7797
7798 return testresult;
7799}
7800
e638112e
DB		 7801/*
7802 * Test incorrect shutdown.
7803 * Test 0: client does not shutdown properly,
7804 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7805 * server should get SSL_ERROR_SSL
7806 * Test 1: client does not shutdown properly,
7807 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7808 * server should get SSL_ERROR_ZERO_RETURN
7809 */
7810static int test_incorrect_shutdown(int tst)
7811{
7812 SSL_CTX *cctx = NULL, *sctx = NULL;
7813 SSL *clientssl = NULL, *serverssl = NULL;
7814 int testresult = 0;
7815 char buf[80];
7816 BIO *c2s;
7817
7818 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7819 TLS_client_method(), 0, 0,
7820 &sctx, &cctx, cert, privkey)))
7821 goto end;
7822
7823 if (tst == 1)
7824 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7825
7826 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7827 NULL, NULL)))
7828 goto end;
7829
7830 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7831 SSL_ERROR_NONE)))
7832 goto end;
7833
7834 c2s = SSL_get_rbio(serverssl);
7835 BIO_set_mem_eof_return(c2s, 0);
7836
7837 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7838 goto end;
7839
7840 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7841 goto end;
7842 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7843 goto end;
7844
7845 testresult = 1;
7846
7847 end:
7848 SSL_free(serverssl);
7849 SSL_free(clientssl);
7850 SSL_CTX_free(sctx);
7851 SSL_CTX_free(cctx);
7852
7853 return testresult;
7854}
7855
c748834f
MC		 7856/*
7857 * Test bi-directional shutdown.
7858 * Test 0: TLSv1.2
7859 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7860 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7861 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7862 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7863 * sends key update, client reads it
57d7b988
MC		 7864 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7865 * sends CertificateRequest, client reads and ignores it
7866 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7867 * doesn't read it
7868 */
7869static int test_shutdown(int tst)
7870{
7871 SSL_CTX *cctx = NULL, *sctx = NULL;
7872 SSL *clientssl = NULL, *serverssl = NULL;
7873 int testresult = 0;
7874 char msg[] = "A test message";
7875 char buf[80];
7876 size_t written, readbytes;
80eff008 7877 SSL_SESSION *sess;
c748834f
MC		 7878
7879#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7880 if (tst <= 1)
c748834f
MC		 7881 return 1;
7882#endif
a763ca11 7883#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7884 if (tst >= 2)
c748834f
MC		 7885 return 1;
7886#endif
7887
5e30f2fd 7888 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7889 TLS_client_method(),
7890 TLS1_VERSION,
7891 (tst <= 1) ? TLS1_2_VERSION
7892 : TLS1_3_VERSION,
57d7b988
MC		 7893 &sctx, &cctx, cert, privkey)))
7894 goto end;
7895
7896 if (tst == 5)
7897 SSL_CTX_set_post_handshake_auth(cctx, 1);
7898
7899 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7900 NULL, NULL)))
7901 goto end;
7902
7903 if (tst == 3) {
7904 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7905 SSL_ERROR_NONE, 1))
80eff008
KR		 7906 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7907 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7908 goto end;
7909 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7910 SSL_ERROR_NONE))
7911 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7912 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7913 goto end;
7914 }
7915
7916 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7917 goto end;
7918
7919 if (tst >= 4) {
7920 /*
7921 * Reading on the server after the client has sent close_notify should
7922 * fail and provide SSL_ERROR_ZERO_RETURN
7923 */
7924 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7925 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7926 SSL_ERROR_ZERO_RETURN)
7927 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7928 SSL_RECEIVED_SHUTDOWN)
7929 /*
7930 * Even though we're shutdown on receive we should still be
7931 * able to write.
7932 */
80eff008
KR		 7933 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7934 goto end;
57d7b988
MC		 7935 if (tst == 4
7936 && !TEST_true(SSL_key_update(serverssl,
7937 SSL_KEY_UPDATE_REQUESTED)))
7938 goto end;
7939 if (tst == 5) {
7940 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7941 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7942 goto end;
7943 }
7944 if ((tst == 4 || tst == 5)
7945 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7946 goto end;
7947 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7948 goto end;
57d7b988 7949 if (tst == 4 || tst == 5) {
80eff008 7950 /* Should still be able to read data from server */
c748834f 7951 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7952 &readbytes))
7953 || !TEST_size_t_eq(readbytes, sizeof(msg))
7954 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7955 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7956 &readbytes))
c748834f
MC		 7957 || !TEST_size_t_eq(readbytes, sizeof(msg))
7958 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7959 goto end;
7960 }
7961 }
7962
7963 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7964 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7965 goto end;
7966
7967 if (tst < 4) {
7968 /*
7969 * For these tests the client has sent close_notify but it has not yet
7970 * been received by the server. The server has not sent close_notify
7971 * yet.
7972 */
7973 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7974 /*
7975 * Writing on the server after sending close_notify shouldn't
7976 * be possible.
7977 */
7978 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7979 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7980 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7981 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7982 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7983 goto end;
57d7b988 7984 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7985 /*
7986 * In this test the client has sent close_notify and it has been
7987 * received by the server which has responded with a close_notify. The
358ffa05 7988 * client needs to read the close_notify sent by the server.
c748834f 7989 */
80eff008
KR		 7990 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7991 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7992 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7993 goto end;
358ffa05
MC		 7994 } else {
7995 /*
57d7b988 7996 * tst == 6
358ffa05
MC		 7997 *
7998 * The client has sent close_notify and is expecting a close_notify
7999 * back, but instead there is application data first. The shutdown
8000 * should fail with a fatal error.
8001 */
8002 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8003 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8004 goto end;
c748834f
MC		 8005 }
8006
8007 testresult = 1;
8008
8009 end:
8010 SSL_free(serverssl);
8011 SSL_free(clientssl);
8012 SSL_CTX_free(sctx);
8013 SSL_CTX_free(cctx);
8014
8015 return testresult;
8016}
8017
a763ca11 8018#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8019static int cert_cb_cnt;
8020
8021static int cert_cb(SSL *s, void *arg)
8022{
8023 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8024 BIO *in = NULL;
8025 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8026 X509 *x509 = NULL, *rootx = NULL;
8027 STACK_OF(X509) *chain = NULL;
8028 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8029 int ret = 0;
cd6fe29f
MC		 8030
8031 if (cert_cb_cnt == 0) {
8032 /* Suspend the handshake */
8033 cert_cb_cnt++;
8034 return -1;
8035 } else if (cert_cb_cnt == 1) {
8036 /*
8037 * Update the SSL_CTX, set the certificate and private key and then
8038 * continue the handshake normally.
8039 */
8040 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8041 return 0;
8042
8043 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8044 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8045 SSL_FILETYPE_PEM))
8046 || !TEST_true(SSL_check_private_key(s)))
8047 return 0;
8048 cert_cb_cnt++;
8049 return 1;
7cb8fb07
BK		 8050 } else if (cert_cb_cnt == 3) {
8051 int rv;
1a2a3a42
MC		 8052
8053 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8054 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8055 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8056 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8057 goto out;
8058 chain = sk_X509_new_null();
8059 if (!TEST_ptr(chain))
8060 goto out;
7cb8fb07 8061 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8062 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8063 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8064 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8065 || !TEST_true(sk_X509_push(chain, rootx)))
8066 goto out;
8067 rootx = NULL;
8068 BIO_free(in);
8069 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8070 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8071 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8072 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8073 goto out;
8074 BIO_free(in);
8075 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8076 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8077 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8078 NULL, NULL,
8079 libctx, NULL)))
7cb8fb07 8080 goto out;
1a2a3a42 8081 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8082 /*
8083 * If the cert doesn't show as valid here (e.g., because we don't
8084 * have any shared sigalgs), then we will not set it, and there will
8085 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8086 * will cause tls_choose_sigalgs() to fail the connection.
8087 */
1a2a3a42
MC		 8088 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8089 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8090 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8091 goto out;
8092 }
1a2a3a42
MC		 8093
8094 ret = 1;
cd6fe29f
MC		 8095 }
8096
8097 /* Abort the handshake */
7cb8fb07 8098 out:
1a2a3a42
MC		 8099 OPENSSL_free(ecdsacert);
8100 OPENSSL_free(ecdsakey);
8101 OPENSSL_free(rootfile);
7cb8fb07
BK		 8102 BIO_free(in);
8103 EVP_PKEY_free(pkey);
8104 X509_free(x509);
1a2a3a42 8105 X509_free(rootx);
79b2a2f2 8106 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8107 return ret;
cd6fe29f
MC		 8108}
8109
8110/*
8111 * Test the certificate callback.
8112 * Test 0: Callback fails
8113 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8114 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8115 * Test 3: Success - Call SSL_check_chain from the callback
8116 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8117 * chain
8118 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8119 */
8120static int test_cert_cb_int(int prot, int tst)
8121{
8122 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8123 SSL *clientssl = NULL, *serverssl = NULL;
8124 int testresult = 0, ret;
8125
1a2a3a42
MC		 8126#ifdef OPENSSL_NO_EC
8127 /* We use an EC cert in these tests, so we skip in a no-ec build */
8128 if (tst >= 3)
8129 return 1;
8130#endif
8131
5e30f2fd 8132 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8133 TLS_client_method(),
8134 TLS1_VERSION,
8135 prot,
8136 &sctx, &cctx, NULL, NULL)))
8137 goto end;
8138
8139 if (tst == 0)
8140 cert_cb_cnt = -1;
1a2a3a42 8141 else if (tst >= 3)
7cb8fb07 8142 cert_cb_cnt = 3;
cd6fe29f
MC		 8143 else
8144 cert_cb_cnt = 0;
1a2a3a42 8145
b0317df2 8146 if (tst == 2) {
7e1eda48 8147 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8148 if (!TEST_ptr(snictx))
8149 goto end;
8150 }
8151
cd6fe29f
MC		 8152 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8153
8154 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8155 NULL, NULL)))
8156 goto end;
8157
1a2a3a42
MC		 8158 if (tst == 4) {
8159 /*
8160 * We cause SSL_check_chain() to fail by specifying sig_algs that
8161 * the chain doesn't meet (the root uses an RSA cert)
8162 */
8163 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8164 "ecdsa_secp256r1_sha256")))
8165 goto end;
8166 } else if (tst == 5) {
8167 /*
8168 * We cause SSL_check_chain() to fail by specifying sig_algs that
8169 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8170 */
8171 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8172 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8173 goto end;
8174 }
8175
cd6fe29f 8176 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8177 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8178 || (tst > 0
8179 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8180 goto end;
8181 }
8182
8183 testresult = 1;
8184
8185 end:
8186 SSL_free(serverssl);
8187 SSL_free(clientssl);
8188 SSL_CTX_free(sctx);
8189 SSL_CTX_free(cctx);
8190 SSL_CTX_free(snictx);
8191
8192 return testresult;
8193}
7f1d923a 8194#endif
cd6fe29f
MC		 8195
8196static int test_cert_cb(int tst)
8197{
8198 int testresult = 1;
8199
8200#ifndef OPENSSL_NO_TLS1_2
8201 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8202#endif
a763ca11 8203#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8204 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8205#endif
8206
8207 return testresult;
8208}
8209
6e46c065
MC		 8210static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8211{
8c2bfd25 8212 X509 *xcert;
6e46c065
MC		 8213 EVP_PKEY *privpkey;
8214 BIO *in = NULL;
6725682d 8215 BIO *priv_in = NULL;
6e46c065 8216
8c2bfd25
TS		 8217 /* Check that SSL_get0_peer_certificate() returns something sensible */
8218 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8219 return 0;
6e46c065
MC		 8220
8221 in = BIO_new_file(cert, "r");
8222 if (!TEST_ptr(in))
8223 return 0;
8224
d8652be0 8225 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8226 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8227 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8228 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8229 NULL, NULL,
8230 libctx, NULL)))
6725682d 8231 goto err;
6e46c065
MC		 8232
8233 *x509 = xcert;
8234 *pkey = privpkey;
8235
6725682d
SL		 8236 BIO_free(in);
8237 BIO_free(priv_in);
6e46c065 8238 return 1;
6725682d
SL		 8239err:
8240 X509_free(xcert);
8241 BIO_free(in);
8242 BIO_free(priv_in);
8243 return 0;
6e46c065
MC		 8244}
8245
6e46c065
MC		 8246static int test_client_cert_cb(int tst)
8247{
8248 SSL_CTX *cctx = NULL, *sctx = NULL;
8249 SSL *clientssl = NULL, *serverssl = NULL;
8250 int testresult = 0;
8251
8252#ifdef OPENSSL_NO_TLS1_2
8253 if (tst == 0)
8254 return 1;
8255#endif
a763ca11 8256#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8257 if (tst == 1)
8258 return 1;
8259#endif
8260
5e30f2fd 8261 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8262 TLS_client_method(),
8263 TLS1_VERSION,
8264 tst == 0 ? TLS1_2_VERSION
8265 : TLS1_3_VERSION,
8266 &sctx, &cctx, cert, privkey)))
8267 goto end;
8268
8269 /*
8270 * Test that setting a client_cert_cb results in a client certificate being
8271 * sent.
8272 */
8273 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8274 SSL_CTX_set_verify(sctx,
8275 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8276 verify_cb);
fb8c8359
MC		 8277
8278 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8279 NULL, NULL))
8280 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8281 SSL_ERROR_NONE)))
8282 goto end;
8283
8284 testresult = 1;
8285
8286 end:
8287 SSL_free(serverssl);
8288 SSL_free(clientssl);
8289 SSL_CTX_free(sctx);
8290 SSL_CTX_free(cctx);
8291
8292 return testresult;
8293}
8294
a763ca11 8295#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8296/*
8297 * Test setting certificate authorities on both client and server.
8298 *
8299 * Test 0: SSL_CTX_set0_CA_list() only
8300 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8301 * Test 2: Only SSL_CTX_set_client_CA_list()
8302 */
8303static int test_ca_names_int(int prot, int tst)
8304{
8305 SSL_CTX *cctx = NULL, *sctx = NULL;
8306 SSL *clientssl = NULL, *serverssl = NULL;
8307 int testresult = 0;
8308 size_t i;
8309 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8310 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8311 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8312 const STACK_OF(X509_NAME) *sktmp = NULL;
8313
8314 for (i = 0; i < OSSL_NELEM(name); i++) {
8315 name[i] = X509_NAME_new();
8316 if (!TEST_ptr(name[i])
8317 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
8318 MBSTRING_ASC,
8319 (unsigned char *)
8320 strnames[i],
8321 -1, -1, 0)))
8322 goto end;
8323 }
8324
5e30f2fd 8325 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 8326 TLS_client_method(),
8327 TLS1_VERSION,
8328 prot,
8329 &sctx, &cctx, cert, privkey)))
8330 goto end;
8331
8332 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
8333
8334 if (tst == 0 || tst == 1) {
8335 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8336 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
8337 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
8338 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8339 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
8340 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
8341 goto end;
8342
8343 SSL_CTX_set0_CA_list(sctx, sk1);
8344 SSL_CTX_set0_CA_list(cctx, sk2);
8345 sk1 = sk2 = NULL;
8346 }
8347 if (tst == 1 || tst == 2) {
8348 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
8349 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
8350 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
8351 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
8352 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
8353 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
8354 goto end;
8355
8356 SSL_CTX_set_client_CA_list(sctx, sk1);
8357 SSL_CTX_set_client_CA_list(cctx, sk2);
8358 sk1 = sk2 = NULL;
8359 }
8360
6e46c065
MC		 8361 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8362 NULL, NULL))
8363 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8364 SSL_ERROR_NONE)))
8365 goto end;
8366
fb8c8359
MC		 8367 /*
8368 * We only expect certificate authorities to have been sent to the server
8369 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
8370 */
8371 sktmp = SSL_get0_peer_CA_list(serverssl);
8372 if (prot == TLS1_3_VERSION
8373 && (tst == 0 || tst == 1)) {
8374 if (!TEST_ptr(sktmp)
8375 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8376 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8377 name[0]), 0)
8378 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8379 name[1]), 0))
8380 goto end;
8381 } else if (!TEST_ptr_null(sktmp)) {
8382 goto end;
8383 }
8384
8385 /*
8386 * In all tests we expect certificate authorities to have been sent to the
8387 * client. However, SSL_set_client_CA_list() should override
8388 * SSL_set0_CA_list()
8389 */
8390 sktmp = SSL_get0_peer_CA_list(clientssl);
8391 if (!TEST_ptr(sktmp)
8392 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8393 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8394 name[tst == 0 ? 0 : 2]), 0)
8395 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8396 name[tst == 0 ? 1 : 3]), 0))
8397 goto end;
8398
6e46c065
MC		 8399 testresult = 1;
8400
8401 end:
8402 SSL_free(serverssl);
8403 SSL_free(clientssl);
8404 SSL_CTX_free(sctx);
8405 SSL_CTX_free(cctx);
fb8c8359
MC		 8406 for (i = 0; i < OSSL_NELEM(name); i++)
8407 X509_NAME_free(name[i]);
8408 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8409 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8410
8411 return testresult;
8412}
8413#endif
8414
8415static int test_ca_names(int tst)
8416{
8417 int testresult = 1;
8418
8419#ifndef OPENSSL_NO_TLS1_2
8420 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8421#endif
a763ca11 8422#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8423 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8424#endif
6e46c065
MC		 8425
8426 return testresult;
8427}
8428
0d2bfe52
SL		 8429#ifndef OPENSSL_NO_TLS1_2
8430static const char *multiblock_cipherlist_data[]=
8431{
8432 "AES128-SHA",
8433 "AES128-SHA256",
8434 "AES256-SHA",
8435 "AES256-SHA256",
8436};
8437
8438/* Reduce the fragment size - so the multiblock test buffer can be small */
8439# define MULTIBLOCK_FRAGSIZE 512
8440
8441static int test_multiblock_write(int test_index)
8442{
8443 static const char *fetchable_ciphers[]=
8444 {
8445 "AES-128-CBC-HMAC-SHA1",
8446 "AES-128-CBC-HMAC-SHA256",
8447 "AES-256-CBC-HMAC-SHA1",
8448 "AES-256-CBC-HMAC-SHA256"
8449 };
8450 const char *cipherlist = multiblock_cipherlist_data[test_index];
8451 const SSL_METHOD *smeth = TLS_server_method();
8452 const SSL_METHOD *cmeth = TLS_client_method();
8453 int min_version = TLS1_VERSION;
8454 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8455 SSL_CTX *cctx = NULL, *sctx = NULL;
8456 SSL *clientssl = NULL, *serverssl = NULL;
8457 int testresult = 0;
8458
8459 /*
8460 * Choose a buffer large enough to perform a multi-block operation
8461 * i.e: write_len >= 4 * frag_size
8462 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8463 */
8464 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8465 unsigned char buf[sizeof(msg)], *p = buf;
8466 size_t readbytes, written, len;
8467 EVP_CIPHER *ciph = NULL;
8468
8469 /*
8470 * Check if the cipher exists before attempting to use it since it only has
8471 * a hardware specific implementation.
8472 */
8473 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8474 if (ciph == NULL) {
8475 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8476 return 1;
8477 }
8478 EVP_CIPHER_free(ciph);
8479
8480 /* Set up a buffer with some data that will be sent to the client */
8481 RAND_bytes(msg, sizeof(msg));
8482
5e30f2fd
MC		 8483 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8484 max_version, &sctx, &cctx, cert,
8485 privkey)))
0d2bfe52
SL		 8486 goto end;
8487
8488 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8489 goto end;
8490
8491 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8492 NULL, NULL)))
8493 goto end;
8494
8495 /* settings to force it to use AES-CBC-HMAC_SHA */
8496 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8497 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8498 goto end;
8499
8500 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8501 goto end;
8502
8503 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8504 || !TEST_size_t_eq(written, sizeof(msg)))
8505 goto end;
8506
8507 len = written;
8508 while (len > 0) {
8509 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8510 goto end;
8511 p += readbytes;
8512 len -= readbytes;
8513 }
8514 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8515 goto end;
8516
8517 testresult = 1;
8518end:
8519 SSL_free(serverssl);
8520 SSL_free(clientssl);
8521 SSL_CTX_free(sctx);
8522 SSL_CTX_free(cctx);
8523
8524 return testresult;
8525}
8526#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8527
25959e04
TS		 8528static int test_session_timeout(int test)
8529{
8530 /*
8531 * Test session ordering and timeout
8532 * Can't explicitly test performance of the new code,
8533 * but can test to see if the ordering of the sessions
8534 * are correct, and they they are removed as expected
8535 */
8536 SSL_SESSION *early = NULL;
8537 SSL_SESSION *middle = NULL;
8538 SSL_SESSION *late = NULL;
8539 SSL_CTX *ctx;
8540 int testresult = 0;
8541 long now = (long)time(NULL);
8542#define TIMEOUT 10
8543
8544 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8545 || !TEST_ptr(early = SSL_SESSION_new())
8546 || !TEST_ptr(middle = SSL_SESSION_new())
8547 || !TEST_ptr(late = SSL_SESSION_new()))
8548 goto end;
8549
8550 /* assign unique session ids */
8551 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8552 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8553 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8554 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8555 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8556 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8557
8558 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8559 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8560 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8561 goto end;
8562
8563 /* Make sure they are all added */
8564 if (!TEST_ptr(early->prev)
8565 || !TEST_ptr(middle->prev)
8566 || !TEST_ptr(late->prev))
8567 goto end;
8568
8569 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8570 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8571 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8572 goto end;
8573
8574 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8575 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8576 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8577 goto end;
8578
8579 /* Make sure they are all still there */
8580 if (!TEST_ptr(early->prev)
8581 || !TEST_ptr(middle->prev)
8582 || !TEST_ptr(late->prev))
8583 goto end;
8584
8585 /* Make sure they are in the expected order */
8586 if (!TEST_ptr_eq(late->next, middle)
8587 || !TEST_ptr_eq(middle->next, early)
8588 || !TEST_ptr_eq(early->prev, middle)
8589 || !TEST_ptr_eq(middle->prev, late))
8590 goto end;
8591
8592 /* This should remove "early" */
8593 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8594 if (!TEST_ptr_null(early->prev)
8595 || !TEST_ptr(middle->prev)
8596 || !TEST_ptr(late->prev))
8597 goto end;
8598
8599 /* This should remove "middle" */
8600 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8601 if (!TEST_ptr_null(early->prev)
8602 || !TEST_ptr_null(middle->prev)
8603 || !TEST_ptr(late->prev))
8604 goto end;
8605
8606 /* This should remove "late" */
8607 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8608 if (!TEST_ptr_null(early->prev)
8609 || !TEST_ptr_null(middle->prev)
8610 || !TEST_ptr_null(late->prev))
8611 goto end;
8612
8613 /* Add them back in again */
8614 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8615 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8616 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8617 goto end;
8618
8619 /* Make sure they are all added */
8620 if (!TEST_ptr(early->prev)
8621 || !TEST_ptr(middle->prev)
8622 || !TEST_ptr(late->prev))
8623 goto end;
8624
8625 /* This should remove all of them */
8626 SSL_CTX_flush_sessions(ctx, 0);
8627 if (!TEST_ptr_null(early->prev)
8628 || !TEST_ptr_null(middle->prev)
8629 || !TEST_ptr_null(late->prev))
8630 goto end;
8631
8632 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8633 | SSL_CTX_get_session_cache_mode(ctx));
8634
8635 /* make sure |now| is NOT equal to the current time */
8636 now -= 10;
8637 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8638 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8639 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8640 goto end;
8641
8642 testresult = 1;
8643 end:
8644 SSL_CTX_free(ctx);
8645 SSL_SESSION_free(early);
8646 SSL_SESSION_free(middle);
8647 SSL_SESSION_free(late);
8648 return testresult;
8649}
8650
49ef3d07
MC		 8651/*
8652 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8653 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8654 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8655 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8656 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8657 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8658 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8659 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8660 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8661 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8662 */
8663static int test_servername(int tst)
8664{
8665 SSL_CTX *cctx = NULL, *sctx = NULL;
8666 SSL *clientssl = NULL, *serverssl = NULL;
8667 int testresult = 0;
8668 SSL_SESSION *sess = NULL;
8669 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8670
8671#ifdef OPENSSL_NO_TLS1_2
8672 if (tst <= 4)
8673 return 1;
8674#endif
a763ca11 8675#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 8676 if (tst >= 5)
8677 return 1;
8678#endif
8679
5e30f2fd 8680 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 8681 TLS_client_method(),
8682 TLS1_VERSION,
8683 (tst <= 4) ? TLS1_2_VERSION
8684 : TLS1_3_VERSION,
8685 &sctx, &cctx, cert, privkey))
8686 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8687 NULL, NULL)))
8688 goto end;
8689
8690 if (tst != 1 && tst != 6) {
8691 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8692 hostname_cb)))
8693 goto end;
8694 }
8695
8696 if (tst != 3 && tst != 8) {
8697 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8698 goto end;
8699 sexpectedhost = cexpectedhost = "goodhost";
8700 }
8701
8702 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8703 goto end;
8704
8705 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8706 cexpectedhost)
8707 || !TEST_str_eq(SSL_get_servername(serverssl,
8708 TLSEXT_NAMETYPE_host_name),
8709 sexpectedhost))
8710 goto end;
8711
8712 /* Now repeat with a resumption handshake */
8713
8714 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8715 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8716 || !TEST_true(SSL_SESSION_is_resumable(sess))
8717 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8718 goto end;
8719
8720 SSL_free(clientssl);
8721 SSL_free(serverssl);
8722 clientssl = serverssl = NULL;
8723
8724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8725 NULL)))
8726 goto end;
8727
8728 if (!TEST_true(SSL_set_session(clientssl, sess)))
8729 goto end;
8730
8731 sexpectedhost = cexpectedhost = "goodhost";
8732 if (tst == 2 || tst == 7) {
8733 /* Set an inconsistent hostname */
8734 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8735 goto end;
8736 /*
8737 * In TLSv1.2 we expect the hostname from the original handshake, in
8738 * TLSv1.3 we expect the hostname from this handshake
8739 */
8740 if (tst == 7)
8741 sexpectedhost = cexpectedhost = "altgoodhost";
8742
8743 if (!TEST_str_eq(SSL_get_servername(clientssl,
8744 TLSEXT_NAMETYPE_host_name),
8745 "altgoodhost"))
8746 goto end;
8747 } else if (tst == 4 || tst == 9) {
8748 /*
8749 * A TLSv1.3 session does not associate a session with a servername,
8750 * but a TLSv1.2 session does.
8751 */
8752 if (tst == 9)
8753 sexpectedhost = cexpectedhost = NULL;
8754
8755 if (!TEST_str_eq(SSL_get_servername(clientssl,
8756 TLSEXT_NAMETYPE_host_name),
8757 cexpectedhost))
8758 goto end;
8759 } else {
8760 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8761 goto end;
8762 /*
8763 * In a TLSv1.2 resumption where the hostname was not acknowledged
8764 * we expect the hostname on the server to be empty. On the client we
8765 * return what was requested in this case.
8766 *
8767 * Similarly if the client didn't set a hostname on an original TLSv1.2
8768 * session but is now, the server hostname will be empty, but the client
8769 * is as we set it.
8770 */
8771 if (tst == 1 || tst == 3)
8772 sexpectedhost = NULL;
8773
8774 if (!TEST_str_eq(SSL_get_servername(clientssl,
8775 TLSEXT_NAMETYPE_host_name),
8776 "goodhost"))
8777 goto end;
8778 }
8779
8780 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8781 goto end;
8782
8783 if (!TEST_true(SSL_session_reused(clientssl))
8784 || !TEST_true(SSL_session_reused(serverssl))
8785 || !TEST_str_eq(SSL_get_servername(clientssl,
8786 TLSEXT_NAMETYPE_host_name),
8787 cexpectedhost)
8788 || !TEST_str_eq(SSL_get_servername(serverssl,
8789 TLSEXT_NAMETYPE_host_name),
8790 sexpectedhost))
8791 goto end;
8792
8793 testresult = 1;
8794
8795 end:
8796 SSL_SESSION_free(sess);
8797 SSL_free(serverssl);
8798 SSL_free(clientssl);
8799 SSL_CTX_free(sctx);
8800 SSL_CTX_free(cctx);
8801
8802 return testresult;
8803}
8804
b1fdbc68 8805#if !defined(OPENSSL_NO_EC) \
a763ca11 8806 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 8807/*
8808 * Test that if signature algorithms are not available, then we do not offer or
8809 * accept them.
8810 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8811 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8812 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8813 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8814 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8815 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8816 */
8817static int test_sigalgs_available(int idx)
8818{
8819 SSL_CTX *cctx = NULL, *sctx = NULL;
8820 SSL *clientssl = NULL, *serverssl = NULL;
8821 int testresult = 0;
b4250010
DMSP		 8822 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8823 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8824 OSSL_PROVIDER *filterprov = NULL;
8825 int sig, hash;
8826
8827 if (!TEST_ptr(tmpctx))
8828 goto end;
8829
8830 if (idx != 0 && idx != 3) {
8831 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8832 filter_provider_init)))
8833 goto end;
8834
8835 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8836 if (!TEST_ptr(filterprov))
8837 goto end;
8838
8839 if (idx < 3) {
8840 /*
8841 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8842 * or accepted for the peer that uses this libctx. Note that libssl
8843 * *requires* SHA2-256 to be available so we cannot disable that. We
8844 * also need SHA1 for our certificate.
8845 */
8846 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8847 "SHA2-256:SHA1")))
8848 goto end;
8849 } else {
8850 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8851 "ECDSA"))
8852 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8853 "EC:X25519:X448")))
8854 goto end;
8855 }
8856
8857 if (idx == 1 || idx == 4)
8858 clientctx = tmpctx;
8859 else
8860 serverctx = tmpctx;
8861 }
8862
d8652be0
MC		 8863 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8864 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8865 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8866 goto end;
b3842539 8867
b4c4a2c6
TM		 8868 if (idx != 5) {
8869 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8870 TLS_client_method(),
8871 TLS1_VERSION,
8872 0,
8873 &sctx, &cctx, cert, privkey)))
8874 goto end;
8875 } else {
8876 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8877 TLS_client_method(),
8878 TLS1_VERSION,
8879 0,
8880 &sctx, &cctx, cert2, privkey2)))
8881 goto end;
8882 }
b3842539 8883
b1fdbc68
MC		 8884 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8885 if (idx < 4) {
8886 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8887 "ECDHE-RSA-AES128-GCM-SHA256")))
8888 goto end;
8889 } else {
8890 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8891 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8892 goto end;
8893 }
8894
b3842539
MC		 8895 if (idx < 3) {
8896 if (!SSL_CTX_set1_sigalgs_list(cctx,
8897 "rsa_pss_rsae_sha384"
8898 ":rsa_pss_rsae_sha256")
8899 || !SSL_CTX_set1_sigalgs_list(sctx,
8900 "rsa_pss_rsae_sha384"
8901 ":rsa_pss_rsae_sha256"))
8902 goto end;
8903 } else {
8904 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8905 || !SSL_CTX_set1_sigalgs_list(sctx,
8906 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8907 goto end;
8908 }
8909
b4c4a2c6
TM		 8910 if (idx != 5
8911 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8912 SSL_FILETYPE_PEM), 1)
b3842539
MC		 8913 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8914 privkey2,
8915 SSL_FILETYPE_PEM), 1)
b4c4a2c6 8916 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 8917 goto end;
8918
8919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 8920 NULL, NULL)))
b3842539
MC		 8921 goto end;
8922
8923 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8924 goto end;
8925
8926 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8927 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8928 NULL, NULL),
8929 (idx == 0 || idx == 3) ? 2 : 1))
8930 goto end;
8931
8932 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8933 goto end;
8934
8935 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8936 : NID_rsassaPss))
8937 goto end;
8938
b0001d0c 8939 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8940
8941 end:
8942 SSL_free(serverssl);
8943 SSL_free(clientssl);
8944 SSL_CTX_free(sctx);
8945 SSL_CTX_free(cctx);
8946 OSSL_PROVIDER_unload(filterprov);
b4250010 8947 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8948
8949 return testresult;
8950}
b1fdbc68
MC		 8951#endif /*
8952 * !defined(OPENSSL_NO_EC) \
a763ca11 8953 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8954 */
b3842539 8955
0c13cdf8 8956#ifndef OPENSSL_NO_TLS1_3
a763ca11 8957/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8958static int test_pluggable_group(int idx)
0c13cdf8
MC		 8959{
8960 SSL_CTX *cctx = NULL, *sctx = NULL;
8961 SSL *clientssl = NULL, *serverssl = NULL;
8962 int testresult = 0;
8963 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8964 /* Check that we are not impacted by a provider without any groups */
8965 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8966 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8967
5ae54dba 8968 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8969 goto end;
8970
5ae54dba
MC		 8971 if (legacyprov == NULL) {
8972 /*
8973 * In this case we assume we've been built with "no-legacy" and skip
8974 * this test (there is no OPENSSL_NO_LEGACY)
8975 */
8976 testresult = 1;
8977 goto end;
8978 }
8979
0c13cdf8
MC		 8980 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8981 TLS_client_method(),
8982 TLS1_3_VERSION,
8983 TLS1_3_VERSION,
8984 &sctx, &cctx, cert, privkey))
8985 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8986 NULL, NULL)))
8987 goto end;
8988
c8e3a4c6
NT		 8989 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8990 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8991 goto end;
8992
8993 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8994 goto end;
8995
becbacd7
MB		 8996 if (!TEST_str_eq(group_name,
8997 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8998 goto end;
8999
0c13cdf8
MC		 9000 testresult = 1;
9001
9002 end:
9003 SSL_free(serverssl);
9004 SSL_free(clientssl);
9005 SSL_CTX_free(sctx);
9006 SSL_CTX_free(cctx);
9007 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9008 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9009
9010 return testresult;
9011}
9012#endif
b3842539 9013
49a36a52
MC		 9014#ifndef OPENSSL_NO_TLS1_2
9015static int test_ssl_dup(void)
9016{
9017 SSL_CTX *cctx = NULL, *sctx = NULL;
9018 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9019 int testresult = 0;
9020 BIO *rbio = NULL, *wbio = NULL;
9021
9022 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9023 TLS_client_method(),
9024 0,
9025 0,
9026 &sctx, &cctx, cert, privkey)))
9027 goto end;
9028
9029 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9030 NULL, NULL)))
9031 goto end;
9032
9033 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9034 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9035 goto end;
9036
9037 client2ssl = SSL_dup(clientssl);
9038 rbio = SSL_get_rbio(clientssl);
9039 if (!TEST_ptr(rbio)
9040 || !TEST_true(BIO_up_ref(rbio)))
9041 goto end;
9042 SSL_set0_rbio(client2ssl, rbio);
9043 rbio = NULL;
9044
9045 wbio = SSL_get_wbio(clientssl);
9046 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9047 goto end;
9048 SSL_set0_wbio(client2ssl, wbio);
9049 rbio = NULL;
9050
9051 if (!TEST_ptr(client2ssl)
9052 /* Handshake not started so pointers should be different */
9053 || !TEST_ptr_ne(clientssl, client2ssl))
9054 goto end;
9055
9056 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9057 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9058 goto end;
9059
9060 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9061 goto end;
9062
9063 SSL_free(clientssl);
9064 clientssl = SSL_dup(client2ssl);
9065 if (!TEST_ptr(clientssl)
9066 /* Handshake has finished so pointers should be the same */
9067 || !TEST_ptr_eq(clientssl, client2ssl))
9068 goto end;
9069
9070 testresult = 1;
9071
9072 end:
9073 SSL_free(serverssl);
9074 SSL_free(clientssl);
9075 SSL_free(client2ssl);
9076 SSL_CTX_free(sctx);
9077 SSL_CTX_free(cctx);
9078
9079 return testresult;
9080}
33c39a06
MC		 9081
9082# ifndef OPENSSL_NO_DH
9083
9084static EVP_PKEY *tmp_dh_params = NULL;
9085
9086/* Helper function for the test_set_tmp_dh() tests */
9087static EVP_PKEY *get_tmp_dh_params(void)
9088{
9089 if (tmp_dh_params == NULL) {
9090 BIGNUM *p = NULL;
9091 OSSL_PARAM_BLD *tmpl = NULL;
9092 EVP_PKEY_CTX *pctx = NULL;
9093 OSSL_PARAM *params = NULL;
9094 EVP_PKEY *dhpkey = NULL;
9095
9096 p = BN_get_rfc3526_prime_2048(NULL);
9097 if (!TEST_ptr(p))
9098 goto end;
9099
9100 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9101 if (!TEST_ptr(pctx)
884400d7 9102 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9103 goto end;
9104
9105 tmpl = OSSL_PARAM_BLD_new();
9106 if (!TEST_ptr(tmpl)
9107 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9108 OSSL_PKEY_PARAM_FFC_P,
9109 p))
9110 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9111 OSSL_PKEY_PARAM_FFC_G,
9112 2)))
9113 goto end;
9114
9115 params = OSSL_PARAM_BLD_to_param(tmpl);
9116 if (!TEST_ptr(params)
884400d7 9117 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9118 EVP_PKEY_KEY_PARAMETERS,
9119 params), 1))
33c39a06
MC		 9120 goto end;
9121
9122 tmp_dh_params = dhpkey;
9123 end:
9124 BN_free(p);
9125 EVP_PKEY_CTX_free(pctx);
9126 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9127 OSSL_PARAM_free(params);
33c39a06
MC		 9128 }
9129
f1619160 9130 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9131 return NULL;
9132
9133 return tmp_dh_params;
9134}
9135
39f3427d 9136# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 9137/* Callback used by test_set_tmp_dh() */
9138static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
9139{
9140 EVP_PKEY *dhpkey = get_tmp_dh_params();
9141 DH *ret = NULL;
9142
9143 if (!TEST_ptr(dhpkey))
9144 return NULL;
9145
7bc0fdd3
MC		 9146 /*
9147 * libssl does not free the returned DH, so we free it now knowing that even
9148 * after we free dhpkey, there will still be a reference to the owning
9149 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
9150 * of time we need it for.
9151 */
9152 ret = EVP_PKEY_get1_DH(dhpkey);
9153 DH_free(ret);
33c39a06
MC		 9154
9155 EVP_PKEY_free(dhpkey);
9156
9157 return ret;
9158}
9159# endif
9160
9161/*
9162 * Test the various methods for setting temporary DH parameters
9163 *
9164 * Test 0: Default (no auto) setting
9165 * Test 1: Explicit SSL_CTX auto off
9166 * Test 2: Explicit SSL auto off
9167 * Test 3: Explicit SSL_CTX auto on
9168 * Test 4: Explicit SSL auto on
9169 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
9170 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
9171 *
9172 * The following are testing deprecated APIs, so we only run them if available
9173 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
9174 * Test 8: Explicit SSL auto off, custom DH params via DH
9175 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
9176 * Test 10: Explicit SSL auto off, custom DH params via callback
9177 */
9178static int test_set_tmp_dh(int idx)
9179{
9180 SSL_CTX *cctx = NULL, *sctx = NULL;
9181 SSL *clientssl = NULL, *serverssl = NULL;
9182 int testresult = 0;
9183 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
9184 int expected = (idx <= 2) ? 0 : 1;
9185 EVP_PKEY *dhpkey = NULL;
9186# ifndef OPENSSL_NO_DEPRECATED_3_0
9187 DH *dh = NULL;
9188# else
9189
9190 if (idx >= 7)
9191 return 1;
9192# endif
9193
9194 if (idx >= 5 && idx <= 8) {
9195 dhpkey = get_tmp_dh_params();
9196 if (!TEST_ptr(dhpkey))
9197 goto end;
9198 }
9199# ifndef OPENSSL_NO_DEPRECATED_3_0
9200 if (idx == 7 || idx == 8) {
7bc0fdd3 9201 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 9202 if (!TEST_ptr(dh))
9203 goto end;
9204 }
9205# endif
9206
9207 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9208 TLS_client_method(),
9209 0,
9210 0,
9211 &sctx, &cctx, cert, privkey)))
9212 goto end;
9213
9214 if ((idx & 1) == 1) {
9215 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
9216 goto end;
9217 }
9218
9219 if (idx == 5) {
9220 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
9221 goto end;
9222 dhpkey = NULL;
9223 }
9224# ifndef OPENSSL_NO_DEPRECATED_3_0
9225 else if (idx == 7) {
9226 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
9227 goto end;
9228 } else if (idx == 9) {
9229 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
9230 }
9231# endif
9232
9233 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9234 NULL, NULL)))
9235 goto end;
9236
9237 if ((idx & 1) == 0 && idx != 0) {
9238 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
9239 goto end;
9240 }
9241 if (idx == 6) {
9242 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
9243 goto end;
9244 dhpkey = NULL;
9245 }
9246# ifndef OPENSSL_NO_DEPRECATED_3_0
9247 else if (idx == 8) {
9248 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
9249 goto end;
9250 } else if (idx == 10) {
9251 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
9252 }
9253# endif
9254
9255 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9256 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9257 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
9258 goto end;
9259
9260 /*
9261 * If autoon then we should succeed. Otherwise we expect failure because
9262 * there are no parameters
9263 */
9264 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
9265 SSL_ERROR_NONE), expected))
9266 goto end;
9267
9268 testresult = 1;
9269
9270 end:
7bc0fdd3
MC		 9271# ifndef OPENSSL_NO_DEPRECATED_3_0
9272 DH_free(dh);
9273# endif
33c39a06
MC		 9274 SSL_free(serverssl);
9275 SSL_free(clientssl);
9276 SSL_CTX_free(sctx);
9277 SSL_CTX_free(cctx);
9278 EVP_PKEY_free(dhpkey);
9279
9280 return testresult;
9281}
3105d846
MC		 9282
9283/*
9284 * Test the auto DH keys are appropriately sized
9285 */
9286static int test_dh_auto(int idx)
9287{
61cab650
MC		 9288 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
9289 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 9290 SSL *clientssl = NULL, *serverssl = NULL;
9291 int testresult = 0;
9292 EVP_PKEY *tmpkey = NULL;
9293 char *thiscert = NULL, *thiskey = NULL;
9294 size_t expdhsize = 0;
9295 const char *ciphersuite = "DHE-RSA-AES128-SHA";
9296
61cab650
MC		 9297 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
9298 goto end;
9299
3105d846
MC		 9300 switch (idx) {
9301 case 0:
9302 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9303 if (is_fips) {
9304 testresult = 1;
9305 goto end;
9306 }
3105d846
MC		 9307 thiscert = cert1024;
9308 thiskey = privkey1024;
9309 expdhsize = 1024;
61cab650
MC		 9310 SSL_CTX_set_security_level(sctx, 1);
9311 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 9312 break;
9313 case 1:
9314 /* 2048 bit prime */
9315 thiscert = cert;
9316 thiskey = privkey;
9317 expdhsize = 2048;
9318 break;
9319 case 2:
9320 thiscert = cert3072;
9321 thiskey = privkey3072;
9322 expdhsize = 3072;
9323 break;
9324 case 3:
9325 thiscert = cert4096;
9326 thiskey = privkey4096;
9327 expdhsize = 4096;
9328 break;
9329 case 4:
9330 thiscert = cert8192;
9331 thiskey = privkey8192;
9332 expdhsize = 8192;
9333 break;
9334 /* No certificate cases */
9335 case 5:
9336 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 9337 if (is_fips) {
9338 testresult = 1;
9339 goto end;
9340 }
3105d846
MC		 9341 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
9342 expdhsize = 1024;
9343 break;
9344 case 6:
9345 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
9346 expdhsize = 3072;
9347 break;
9348 default:
9349 TEST_error("Invalid text index");
9350 goto end;
9351 }
9352
61cab650
MC		 9353 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
9354 NULL,
3105d846
MC		 9355 0,
9356 0,
9357 &sctx, &cctx, thiscert, thiskey)))
9358 goto end;
9359
9360 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9361 NULL, NULL)))
9362 goto end;
9363
9364 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
9365 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
9366 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
9367 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
9368 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
9369 goto end;
9370
9371 /*
9372 * Send the server's first flight. At this point the server has created the
9373 * temporary DH key but hasn't finished using it yet. Once used it is
9374 * removed, so we cannot test it.
9375 */
9376 if (!TEST_int_le(SSL_connect(clientssl), 0)
9377 || !TEST_int_le(SSL_accept(serverssl), 0))
9378 goto end;
9379
9380 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
9381 goto end;
ed576acd 9382 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 9383 goto end;
9384
9385 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9386 goto end;
9387
9388 testresult = 1;
9389
9390 end:
9391 SSL_free(serverssl);
9392 SSL_free(clientssl);
9393 SSL_CTX_free(sctx);
9394 SSL_CTX_free(cctx);
9395 EVP_PKEY_free(tmpkey);
9396
9397 return testresult;
9398
9399}
33c39a06
MC		 9400# endif /* OPENSSL_NO_DH */
9401#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9402
a763ca11 9403#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9404/*
9405 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9406 * that it works even without a certificate configured for the original
9407 * SSL_CTX
9408 */
9409static int test_sni_tls13(void)
9410{
9411 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9412 SSL *clientssl = NULL, *serverssl = NULL;
9413 int testresult = 0;
9414
9415 /* Reset callback counter */
9416 snicb = 0;
9417
9418 /* Create an initial SSL_CTX with no certificate configured */
9419 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9420 if (!TEST_ptr(sctx))
9421 goto end;
9422 /* Require TLSv1.3 as a minimum */
9423 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9424 TLS_client_method(), TLS1_3_VERSION, 0,
9425 &sctx2, &cctx, cert, privkey)))
9426 goto end;
9427
9428 /* Set up SNI */
9429 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9430 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9431 goto end;
9432
9433 /*
9434 * Connection should still succeed because the final SSL_CTX has the right
9435 * certificates configured.
9436 */
9437 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9438 &clientssl, NULL, NULL))
9439 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9440 SSL_ERROR_NONE)))
9441 goto end;
9442
9443 /* We should have had the SNI callback called exactly once */
9444 if (!TEST_int_eq(snicb, 1))
9445 goto end;
9446
9447 testresult = 1;
9448
9449end:
9450 SSL_free(serverssl);
9451 SSL_free(clientssl);
9452 SSL_CTX_free(sctx2);
9453 SSL_CTX_free(sctx);
9454 SSL_CTX_free(cctx);
9455 return testresult;
9456}
0089cc7f
TS		 9457
9458/*
9459 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
9460 * 0 = TLSv1.2
9461 * 1 = TLSv1.3
9462 */
9463static int test_ticket_lifetime(int idx)
9464{
9465 SSL_CTX *cctx = NULL, *sctx = NULL;
9466 SSL *clientssl = NULL, *serverssl = NULL;
9467 int testresult = 0;
9468 int version = TLS1_3_VERSION;
9469
9470#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
9471#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
9472
9473 if (idx == 0) {
40fb5a4c
TS		 9474#ifdef OPENSSL_NO_TLS1_2
9475 return TEST_skip("TLS 1.2 is disabled.");
9476#else
0089cc7f 9477 version = TLS1_2_VERSION;
40fb5a4c 9478#endif
0089cc7f
TS		 9479 }
9480
9481 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9482 TLS_client_method(), version, version,
9483 &sctx, &cctx, cert, privkey)))
9484 goto end;
9485
9486 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9487 &clientssl, NULL, NULL)))
9488 goto end;
9489
9490 /*
9491 * Set the timeout to be more than 1 week
9492 * make sure the returned value is the default
9493 */
9494 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
9495 SSL_get_default_timeout(serverssl)))
9496 goto end;
9497
9498 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9499 goto end;
9500
9501 if (idx == 0) {
9502 /* TLSv1.2 uses the set value */
9503 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
9504 goto end;
9505 } else {
9506 /* TLSv1.3 uses the limited value */
9507 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
9508 goto end;
9509 }
9510 testresult = 1;
9511
9512end:
9513 SSL_free(serverssl);
9514 SSL_free(clientssl);
9515 SSL_CTX_free(sctx);
9516 SSL_CTX_free(cctx);
9517 return testresult;
9518}
6582661f 9519#endif
feba11cf
TS		 9520/*
9521 * Test that setting an ALPN does not violate RFC
9522 */
9523static int test_set_alpn(void)
9524{
9525 SSL_CTX *ctx = NULL;
9526 SSL *ssl = NULL;
9527 int testresult = 0;
9528
9529 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9530 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9531 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9532 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9533 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9534 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9535
9536 /* Create an initial SSL_CTX with no certificate configured */
9537 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9538 if (!TEST_ptr(ctx))
9539 goto end;
9540
9541 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9542 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9543 goto end;
9544 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9545 goto end;
9546 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9547 goto end;
9548 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9549 goto end;
9550 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9551 goto end;
9552 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9553 goto end;
9554 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9555 goto end;
9556 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9557 goto end;
9558 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9559 goto end;
9560
9561 ssl = SSL_new(ctx);
9562 if (!TEST_ptr(ssl))
9563 goto end;
9564
9565 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9566 goto end;
9567 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9568 goto end;
9569 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9570 goto end;
9571 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9572 goto end;
9573 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9574 goto end;
9575 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9576 goto end;
9577 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9578 goto end;
9579 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9580 goto end;
9581 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9582 goto end;
9583
9584 testresult = 1;
9585
9586end:
9587 SSL_free(ssl);
9588 SSL_CTX_free(ctx);
9589 return testresult;
9590}
6582661f 9591
948cf521
HL		 9592/*
9593 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
9594 */
9595static int test_set_verify_cert_store_ssl_ctx(void)
9596{
9597 SSL_CTX *ctx = NULL;
9598 int testresult = 0;
9599 X509_STORE *store = NULL, *new_store = NULL,
9600 *cstore = NULL, *new_cstore = NULL;
9601
9602 /* Create an initial SSL_CTX. */
9603 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9604 if (!TEST_ptr(ctx))
9605 goto end;
9606
9607 /* Retrieve verify store pointer. */
9608 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9609 goto end;
9610
9611 /* Retrieve chain store pointer. */
9612 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9613 goto end;
9614
9615 /* We haven't set any yet, so this should be NULL. */
9616 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9617 goto end;
9618
9619 /* Create stores. We use separate stores so pointers are different. */
9620 new_store = X509_STORE_new();
9621 if (!TEST_ptr(new_store))
9622 goto end;
9623
9624 new_cstore = X509_STORE_new();
9625 if (!TEST_ptr(new_cstore))
9626 goto end;
9627
9628 /* Set stores. */
9629 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
9630 goto end;
9631
9632 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
9633 goto end;
9634
9635 /* Should be able to retrieve the same pointer. */
9636 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9637 goto end;
9638
9639 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9640 goto end;
9641
9642 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9643 goto end;
9644
9645 /* Should be able to unset again. */
9646 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
9647 goto end;
9648
9649 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
9650 goto end;
9651
9652 /* Should now be NULL. */
9653 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
9654 goto end;
9655
9656 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
9657 goto end;
9658
9659 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9660 goto end;
9661
9662 testresult = 1;
9663
9664end:
9665 X509_STORE_free(new_store);
9666 X509_STORE_free(new_cstore);
9667 SSL_CTX_free(ctx);
9668 return testresult;
9669}
9670
9671/*
9672 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
9673 */
9674static int test_set_verify_cert_store_ssl(void)
9675{
9676 SSL_CTX *ctx = NULL;
9677 SSL *ssl = NULL;
9678 int testresult = 0;
9679 X509_STORE *store = NULL, *new_store = NULL,
9680 *cstore = NULL, *new_cstore = NULL;
9681
9682 /* Create an initial SSL_CTX. */
9683 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9684 if (!TEST_ptr(ctx))
9685 goto end;
9686
9687 /* Create an SSL object. */
9688 ssl = SSL_new(ctx);
9689 if (!TEST_ptr(ssl))
9690 goto end;
9691
9692 /* Retrieve verify store pointer. */
9693 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9694 goto end;
9695
9696 /* Retrieve chain store pointer. */
9697 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9698 goto end;
9699
9700 /* We haven't set any yet, so this should be NULL. */
9701 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9702 goto end;
9703
9704 /* Create stores. We use separate stores so pointers are different. */
9705 new_store = X509_STORE_new();
9706 if (!TEST_ptr(new_store))
9707 goto end;
9708
9709 new_cstore = X509_STORE_new();
9710 if (!TEST_ptr(new_cstore))
9711 goto end;
9712
9713 /* Set stores. */
9714 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
9715 goto end;
9716
9717 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
9718 goto end;
9719
9720 /* Should be able to retrieve the same pointer. */
9721 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9722 goto end;
9723
9724 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9725 goto end;
9726
9727 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
9728 goto end;
9729
9730 /* Should be able to unset again. */
9731 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
9732 goto end;
9733
9734 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
9735 goto end;
9736
9737 /* Should now be NULL. */
9738 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
9739 goto end;
9740
9741 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
9742 goto end;
9743
9744 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
9745 goto end;
9746
9747 testresult = 1;
9748
9749end:
9750 X509_STORE_free(new_store);
9751 X509_STORE_free(new_cstore);
9752 SSL_free(ssl);
9753 SSL_CTX_free(ctx);
9754 return testresult;
9755}
9756
9757
dfccfde0
CH		 9758static int test_inherit_verify_param(void)
9759{
9760 int testresult = 0;
9761
9762 SSL_CTX *ctx = NULL;
9763 X509_VERIFY_PARAM *cp = NULL;
9764 SSL *ssl = NULL;
9765 X509_VERIFY_PARAM *sp = NULL;
9766 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9767
9768 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9769 if (!TEST_ptr(ctx))
9770 goto end;
9771
9772 cp = SSL_CTX_get0_param(ctx);
9773 if (!TEST_ptr(cp))
9774 goto end;
9775 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9776 goto end;
9777
9778 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9779
9780 ssl = SSL_new(ctx);
9781 if (!TEST_ptr(ssl))
9782 goto end;
9783
9784 sp = SSL_get0_param(ssl);
9785 if (!TEST_ptr(sp))
9786 goto end;
9787 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9788 goto end;
9789
9790 testresult = 1;
9791
9792 end:
9793 SSL_free(ssl);
9794 SSL_CTX_free(ctx);
9795
9796 return testresult;
9797}
9798
b2b8d188
DF		 9799static int test_load_dhfile(void)
9800{
9801#ifndef OPENSSL_NO_DH
9802 int testresult = 0;
9803
9804 SSL_CTX *ctx = NULL;
9805 SSL_CONF_CTX *cctx = NULL;
9806
9807 if (dhfile == NULL)
9808 return 1;
9809
9810 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
9811 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
9812 goto end;
9813
9814 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
9815 SSL_CONF_CTX_set_flags(cctx,
9816 SSL_CONF_FLAG_CERTIFICATE
9817 | SSL_CONF_FLAG_SERVER
9818 | SSL_CONF_FLAG_FILE);
9819
9820 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
9821 goto end;
9822
9823 testresult = 1;
9824end:
9825 SSL_CONF_CTX_free(cctx);
9826 SSL_CTX_free(ctx);
9827
9828 return testresult;
9829#else
9830 return TEST_skip("DH not supported by this build");
9831#endif
9832}
9833
9834OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 9835
ad887416 9836int setup_tests(void)
2cb4b5f6 9837{
5e30f2fd
MC		 9838 char *modulename;
9839 char *configfile;
9840
b4250010 9841 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 9842 if (!TEST_ptr(libctx))
9843 return 0;
9844
9845 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9846
9847 /*
9848 * Verify that the default and fips providers in the default libctx are not
9849 * available
9850 */
9851 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9852 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9853 return 0;
9854
8d242823
MC		 9855 if (!test_skip_common_options()) {
9856 TEST_error("Error parsing test options\n");
9857 return 0;
9858 }
9859
1a2a3a42
MC		 9860 if (!TEST_ptr(certsdir = test_get_argument(0))
9861 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 9862 || !TEST_ptr(tmpfilename = test_get_argument(2))
9863 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 9864 || !TEST_ptr(configfile = test_get_argument(4))
9865 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 9866 return 0;
9867
b4250010 9868 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 9869 return 0;
9870
9871 /* Check we have the expected provider available */
9872 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9873 return 0;
9874
9875 /* Check the default provider is not available */
9876 if (strcmp(modulename, "default") != 0
9877 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 9878 return 0;
2cb4b5f6 9879
4f6c7044
MC		 9880 if (strcmp(modulename, "fips") == 0)
9881 is_fips = 1;
9882
0c13cdf8
MC		 9883 /*
9884 * We add, but don't load the test "tls-provider". We'll load it when we
9885 * need it.
9886 */
9887 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9888 tls_provider_init)))
9889 return 0;
9890
9891
f297e4ec
RS		 9892 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9893#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9894 TEST_error("not supported in this build");
9895 return 0;
9896#else
9897 int i, mcount, rcount, fcount;
9898
9899 for (i = 0; i < 4; i++)
9900 test_export_key_mat(i);
9901 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9902 test_printf_stdout("malloc %d realloc %d free %d\n",
9903 mcount, rcount, fcount);
9904 return 1;
9905#endif
9906 }
9907
1a2a3a42
MC		 9908 cert = test_mk_file_path(certsdir, "servercert.pem");
9909 if (cert == NULL)
b3842539 9910 goto err;
1a2a3a42
MC		 9911
9912 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 9913 if (privkey == NULL)
9914 goto err;
9915
9916 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9917 if (cert2 == NULL)
9918 goto err;
9919
9920 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9921 if (privkey2 == NULL)
9922 goto err;
1a2a3a42 9923
3105d846
MC		 9924 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9925 if (cert1024 == NULL)
9926 goto err;
9927
9928 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9929 if (privkey1024 == NULL)
9930 goto err;
9931
9932 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9933 if (cert3072 == NULL)
9934 goto err;
9935
9936 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9937 if (privkey3072 == NULL)
9938 goto err;
9939
9940 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9941 if (cert4096 == NULL)
9942 goto err;
9943
9944 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9945 if (privkey4096 == NULL)
9946 goto err;
9947
9948 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9949 if (cert8192 == NULL)
9950 goto err;
9951
9952 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9953 if (privkey8192 == NULL)
9954 goto err;
9955
da4db160 9956#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 9957# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526
JB		 9958 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9959 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
c8e3a4c6 9960# endif
fe5d9450 9961#endif
84d5549e 9962 ADD_TEST(test_large_message_tls);
7856332e 9963 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 9964#ifndef OPENSSL_NO_DTLS
84d5549e 9965 ADD_TEST(test_large_message_dtls);
55386bef 9966#endif
163b8016 9967 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 9968#ifndef OPENSSL_NO_OCSP
c887104f 9969 ADD_TEST(test_tlsext_status_type);
8f8c11d8 9970#endif
eaa776da
MC		 9971 ADD_TEST(test_session_with_only_int_cache);
9972 ADD_TEST(test_session_with_only_ext_cache);
9973 ADD_TEST(test_session_with_both_cache);
90fc2c26 9974 ADD_TEST(test_session_wo_ca_names);
a763ca11 9975#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 9976 ADD_ALL_TESTS(test_stateful_tickets, 3);
9977 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 9978 ADD_TEST(test_psk_tickets);
f0049b86 9979 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 9980#endif
7fb4c820 9981 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 9982 ADD_TEST(test_ssl_bio_pop_next_bio);
9983 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9984 ADD_TEST(test_ssl_bio_change_rbio);
9985 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 9986#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 9987 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 9988 ADD_TEST(test_keylog);
c423ecaa 9989#endif
a763ca11 9990#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 9991 ADD_TEST(test_keylog_no_master_key);
9992#endif
0c3eb279 9993 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 9994 ADD_TEST(test_ssl_build_cert_chain);
9995 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 9996#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 9997 ADD_TEST(test_client_hello_cb);
088dfa13 9998 ADD_TEST(test_no_ems);
3cd14e5e 9999 ADD_TEST(test_ccs_change_cipher);
5f982038 10000#endif
a763ca11 10001#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 10002 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 10003 /*
10004 * We don't do replay tests for external PSK. Replay protection isn't used
10005 * in that scenario.
10006 */
10007 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 10008 ADD_ALL_TESTS(test_early_data_skip, 3);
10009 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 10010 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 10011 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 10012 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 10013 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 10014 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 10015 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 10016# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 10017 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 10018# endif
e9ee6536 10019#endif
a763ca11 10020#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 10021 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 10022 ADD_TEST(test_ciphersuite_change);
5bf2eade 10023 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
10024# ifdef OPENSSL_NO_PSK
c2b290c3 10025 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 10026# else
0d8da779 10027 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 10028# endif /* OPENSSL_NO_PSK */
10029# ifndef OPENSSL_NO_TLS1_2
10030 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 10031 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 10032# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
10033 ADD_ALL_TESTS(test_negotiated_group,
10034 4 * (OSSL_NELEM(ecdhe_kexch_groups)
10035 + OSSL_NELEM(ffdhe_kexch_groups)));
10036# endif
5bf2eade 10037# else
10038 /* Test with only TLSv1.3 versions */
10039 ADD_ALL_TESTS(test_key_exchange, 12);
10040# endif
0db3a990 10041 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 10042 ADD_TEST(test_stateless);
9d75dce3 10043 ADD_TEST(test_pha_key_update);
a273157a 10044#else
bb01ef3f 10045 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 10046#endif
16afd71c 10047 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 10048 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 10049#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 10050 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 10051 ADD_TEST(test_key_update);
0c48fda8 10052 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
10053 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
10054 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
10055 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 10056#endif
e11b6aa4 10057 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 10058 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 10059#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
10060 ADD_ALL_TESTS(test_srp, 6);
10061#endif
5718fe45 10062 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 10063 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 10064 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 10065 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 10066 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 10067 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 10068 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 10069 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 10070 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 10071#ifndef OPENSSL_NO_TLS1_2
10072 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
10073#endif
49ef3d07 10074 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 10075#if !defined(OPENSSL_NO_EC) \
a763ca11 10076 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 10077 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 10078#endif
10079#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 10080 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 10081#endif
10082#ifndef OPENSSL_NO_TLS1_2
10083 ADD_TEST(test_ssl_dup);
33c39a06
MC		 10084# ifndef OPENSSL_NO_DH
10085 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 10086 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 10087# endif
6582661f 10088#endif
a763ca11 10089#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 10090 ADD_TEST(test_sni_tls13);
0089cc7f 10091 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 10092#endif
dfccfde0 10093 ADD_TEST(test_inherit_verify_param);
feba11cf 10094 ADD_TEST(test_set_alpn);
948cf521
HL		 10095 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
10096 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 10097 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 10098 ADD_TEST(test_load_dhfile);
ad887416 10099 return 1;
b3842539
MC		 10100
10101 err:
10102 OPENSSL_free(cert);
10103 OPENSSL_free(privkey);
10104 OPENSSL_free(cert2);
10105 OPENSSL_free(privkey2);
10106 return 0;
ad887416 10107}
2cb4b5f6 10108
ad887416
P		 10109void cleanup_tests(void)
10110{
8778f0eb 10111# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 10112 EVP_PKEY_free(tmp_dh_params);
10113#endif
1a2a3a42
MC		 10114 OPENSSL_free(cert);
10115 OPENSSL_free(privkey);
b3842539
MC		 10116 OPENSSL_free(cert2);
10117 OPENSSL_free(privkey2);
3105d846
MC		 10118 OPENSSL_free(cert1024);
10119 OPENSSL_free(privkey1024);
10120 OPENSSL_free(cert3072);
10121 OPENSSL_free(privkey3072);
10122 OPENSSL_free(cert4096);
10123 OPENSSL_free(privkey4096);
10124 OPENSSL_free(cert8192);
10125 OPENSSL_free(privkey8192);
fa454945 10126 bio_s_mempacket_test_free();
a77b4dba 10127 bio_s_always_retry_free();
5e30f2fd 10128 OSSL_PROVIDER_unload(defctxnull);
b4250010 10129 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 10130}
A mirror of the official openssl repository