]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
ad887416 2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
2cb4b5f6
MC		 17
18#include "ssltestlib.h"
c887104f 19#include "testutil.h"
176db6dc 20#include "internal/nelem.h"
ca0413ae 21#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 22
23static char *cert = NULL;
24static char *privkey = NULL;
25
6acdd3e5
CB		 26#define LOG_BUFFER_SIZE 1024
27static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 28static size_t server_log_buffer_index = 0;
6acdd3e5 29static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 30static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 31static int error_writing_log = 0;
32
8f8c11d8 33#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 34static const unsigned char orespder[] = "Dummy OCSP Response";
35static int ocsp_server_called = 0;
36static int ocsp_client_called = 0;
37
38static int cdummyarg = 1;
39static X509 *ocspcert = NULL;
8f8c11d8 40#endif
ba881d3b 41
84d5549e
MC		 42#define NUM_EXTRA_CERTS 40
43
f1a5939f
CB		 44/*
45 * This structure is used to validate that the correct number of log messages
46 * of various types are emitted when emitting secret logs.
47 */
48struct sslapitest_log_counts {
49 unsigned int rsa_key_exchange_count;
50 unsigned int master_secret_count;
51 unsigned int client_handshake_secret_count;
52 unsigned int server_handshake_secret_count;
53 unsigned int client_application_secret_count;
54 unsigned int server_application_secret_count;
55};
56
16afd71c
MC		 57
58static unsigned char serverinfov1[] = {
59 0xff, 0xff, /* Dummy extension type */
60 0x00, 0x01, /* Extension length is 1 byte */
61 0xff /* Dummy extension data */
62};
63
64static unsigned char serverinfov2[] = {
65 0x00, 0x00, 0x00,
66 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
67 0xff, 0xff, /* Dummy extension type */
68 0x00, 0x01, /* Extension length is 1 byte */
69 0xff /* Dummy extension data */
70};
71
710756a9
RS		 72static void client_keylog_callback(const SSL *ssl, const char *line)
73{
6acdd3e5
CB		 74 int line_length = strlen(line);
75
76 /* If the log doesn't fit, error out. */
710756a9
RS		 77 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
78 TEST_info("Client log too full");
6acdd3e5
CB		 79 error_writing_log = 1;
80 return;
81 }
82
83 strcat(client_log_buffer, line);
84 client_log_buffer_index += line_length;
710756a9 85 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 86}
87
710756a9
RS		 88static void server_keylog_callback(const SSL *ssl, const char *line)
89{
6acdd3e5
CB		 90 int line_length = strlen(line);
91
92 /* If the log doesn't fit, error out. */
710756a9 93 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 94 TEST_info("Server log too full");
6acdd3e5
CB		 95 error_writing_log = 1;
96 return;
97 }
98
99 strcat(server_log_buffer, line);
100 server_log_buffer_index += line_length;
710756a9 101 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 102}
103
104static int compare_hex_encoded_buffer(const char *hex_encoded,
105 size_t hex_length,
106 const uint8_t *raw,
710756a9
RS		 107 size_t raw_length)
108{
109 size_t i, j;
110 char hexed[3];
6acdd3e5 111
710756a9 112 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 113 return 1;
6acdd3e5 114
710756a9 115 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 116 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 117 if (!TEST_int_eq(hexed[0], hex_encoded[j])
118 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 119 return 1;
6acdd3e5
CB		 120 }
121
122 return 0;
123}
124
125static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 126 const SSL_SESSION *session,
710756a9
RS		 127 struct sslapitest_log_counts *expected)
128{
6acdd3e5
CB		 129 char *token = NULL;
130 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
131 size_t client_random_size = SSL3_RANDOM_SIZE;
132 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
133 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 134 unsigned int rsa_key_exchange_count = 0;
135 unsigned int master_secret_count = 0;
136 unsigned int client_handshake_secret_count = 0;
137 unsigned int server_handshake_secret_count = 0;
138 unsigned int client_application_secret_count = 0;
139 unsigned int server_application_secret_count = 0;
6acdd3e5 140
710756a9
RS		 141 for (token = strtok(buffer, " \n"); token != NULL;
142 token = strtok(NULL, " \n")) {
6acdd3e5 143 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 144 /*
145 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 146 * hex-encoded encrypted secret, then the hex-encoded pre-master
147 * secret.
148 */
710756a9 149 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 150 return 0;
710756a9 151 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 152 return 0;
710756a9 153 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 154 return 0;
f1a5939f
CB		 155 /*
156 * We can't sensibly check the log because the premaster secret is
157 * transient, and OpenSSL doesn't keep hold of it once the master
158 * secret is generated.
159 */
160 rsa_key_exchange_count++;
6acdd3e5 161 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 162 /*
163 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 164 * client random, then the hex-encoded master secret.
165 */
166 client_random_size = SSL_get_client_random(ssl,
167 actual_client_random,
168 SSL3_RANDOM_SIZE);
710756a9 169 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 170 return 0;
6acdd3e5 171
710756a9 172 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 173 return 0;
710756a9 174 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 175 return 0;
710756a9
RS		 176 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
177 actual_client_random,
178 client_random_size)))
f1a5939f 179 return 0;
6acdd3e5 180
710756a9 181 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 182 return 0;
6acdd3e5
CB		 183 master_key_size = SSL_SESSION_get_master_key(session,
184 actual_master_key,
185 master_key_size);
710756a9 186 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 187 return 0;
710756a9
RS		 188 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
189 actual_master_key,
190 master_key_size)))
f1a5939f 191 return 0;
f1a5939f 192 master_secret_count++;
710756a9
RS		 193 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
194 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
196 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
f1a5939f
CB		 197 /*
198 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
199 * client random, and then the hex-encoded secret. In this case,
200 * we treat all of these secrets identically and then just
201 * distinguish between them when counting what we saw.
202 */
203 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
204 client_handshake_secret_count++;
205 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
206 server_handshake_secret_count++;
207 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
208 client_application_secret_count++;
209 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
210 server_application_secret_count++;
211
212 client_random_size = SSL_get_client_random(ssl,
213 actual_client_random,
214 SSL3_RANDOM_SIZE);
710756a9 215 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 216 return 0;
f1a5939f 217
710756a9 218 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 219 return 0;
710756a9 220 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 221 return 0;
710756a9
RS		 222 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
223 actual_client_random,
224 client_random_size)))
f1a5939f 225 return 0;
6acdd3e5 226
710756a9 227 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 228 return 0;
f1a5939f
CB		 229
230 /*
231 * TODO(TLS1.3): test that application traffic secrets are what
232 * we expect */
6acdd3e5 233 } else {
710756a9 234 TEST_info("Unexpected token %s\n", token);
f1a5939f 235 return 0;
6acdd3e5 236 }
6acdd3e5
CB		 237 }
238
710756a9
RS		 239 /* Got what we expected? */
240 if (!TEST_size_t_eq(rsa_key_exchange_count,
241 expected->rsa_key_exchange_count)
242 || !TEST_size_t_eq(master_secret_count,
243 expected->master_secret_count)
244 || !TEST_size_t_eq(client_handshake_secret_count,
245 expected->client_handshake_secret_count)
246 || !TEST_size_t_eq(server_handshake_secret_count,
247 expected->server_handshake_secret_count)
248 || !TEST_size_t_eq(client_application_secret_count,
249 expected->client_application_secret_count)
250 || !TEST_size_t_eq(server_application_secret_count,
251 expected->server_application_secret_count))
252 return 0;
253 return 1;
6acdd3e5
CB		 254}
255
710756a9
RS		 256static int test_keylog(void)
257{
6acdd3e5
CB		 258 SSL_CTX *cctx = NULL, *sctx = NULL;
259 SSL *clientssl = NULL, *serverssl = NULL;
260 int testresult = 0;
f1a5939f 261 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 262
263 /* Clean up logging space */
710756a9
RS		 264 memset(client_log_buffer, 0, sizeof(client_log_buffer));
265 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 266 client_log_buffer_index = 0;
267 server_log_buffer_index = 0;
268 error_writing_log = 0;
269
710756a9
RS		 270 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
271 TLS_client_method(),
272 &sctx, &cctx, cert, privkey)))
6acdd3e5 273 return 0;
6acdd3e5
CB		 274
275 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
276 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
277 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
278
f0deb4d3 279 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 280 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 281 goto end;
f0deb4d3 282
cf10df81
RS		 283 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
284 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 285 goto end;
6acdd3e5 286 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 287 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
288 == client_keylog_callback))
6acdd3e5 289 goto end;
710756a9 290 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 291 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
292 == server_keylog_callback))
6acdd3e5 293 goto end;
6acdd3e5 294
710756a9
RS		 295 /* Now do a handshake and check that the logs have been written to. */
296 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
297 &clientssl, NULL, NULL))
298 || !TEST_true(create_ssl_connection(serverssl, clientssl,
299 SSL_ERROR_NONE))
300 || !TEST_false(error_writing_log)
301 || !TEST_int_gt(client_log_buffer_index, 0)
302 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 303 goto end;
6acdd3e5 304
f1a5939f
CB		 305 /*
306 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 307 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 308 * data we expect. For both client and server, we expect to see one master
309 * secret. The client should also see a RSA key exchange.
6acdd3e5 310 */
f1a5939f
CB		 311 expected.rsa_key_exchange_count = 1;
312 expected.master_secret_count = 1;
710756a9
RS		 313 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
314 SSL_get_session(clientssl), &expected)))
6acdd3e5 315 goto end;
f1a5939f
CB		 316
317 expected.rsa_key_exchange_count = 0;
710756a9
RS		 318 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
319 SSL_get_session(serverssl), &expected)))
6acdd3e5 320 goto end;
6acdd3e5
CB		 321
322 testresult = 1;
323
324end:
325 SSL_free(serverssl);
326 SSL_free(clientssl);
327 SSL_CTX_free(sctx);
328 SSL_CTX_free(cctx);
329
330 return testresult;
331}
332
333#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 334static int test_keylog_no_master_key(void)
335{
6acdd3e5
CB		 336 SSL_CTX *cctx = NULL, *sctx = NULL;
337 SSL *clientssl = NULL, *serverssl = NULL;
338 int testresult = 0;
f1a5939f 339 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 340
341 /* Clean up logging space */
710756a9
RS		 342 memset(client_log_buffer, 0, sizeof(client_log_buffer));
343 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 344 client_log_buffer_index = 0;
345 server_log_buffer_index = 0;
346 error_writing_log = 0;
347
710756a9
RS		 348 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
349 TLS_client_method(), &sctx,
350 &cctx, cert, privkey)))
6acdd3e5 351 return 0;
6acdd3e5 352
cf10df81
RS		 353 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
354 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 355 goto end;
6acdd3e5
CB		 356
357 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 358 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
359 == client_keylog_callback))
6acdd3e5 360 goto end;
6acdd3e5 361
710756a9 362 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 363 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
364 == server_keylog_callback))
6acdd3e5 365 goto end;
6acdd3e5 366
710756a9
RS		 367 /* Now do a handshake and check that the logs have been written to. */
368 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
369 &clientssl, NULL, NULL))
370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
371 SSL_ERROR_NONE))
372 || !TEST_false(error_writing_log))
6acdd3e5 373 goto end;
6acdd3e5 374
f1a5939f
CB		 375 /*
376 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 377 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 378 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 379 */
f1a5939f
CB		 380 expected.client_handshake_secret_count = 1;
381 expected.server_handshake_secret_count = 1;
382 expected.client_application_secret_count = 1;
383 expected.server_application_secret_count = 1;
710756a9
RS		 384 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
385 SSL_get_session(clientssl), &expected))
386 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
387 SSL_get_session(serverssl),
388 &expected)))
6acdd3e5 389 goto end;
6acdd3e5
CB		 390
391 testresult = 1;
392
393end:
394 SSL_free(serverssl);
395 SSL_free(clientssl);
396 SSL_CTX_free(sctx);
397 SSL_CTX_free(cctx);
398
399 return testresult;
400}
401#endif
402
e9ee6536 403#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 404static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 405{
406 int *ctr = arg;
407 const unsigned char *p;
8ea404fb 408 int *exts;
2afaee51
BK		 409 /* We only configure two ciphers, but the SCSV is added automatically. */
410#ifdef OPENSSL_NO_EC
411 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
412#else
413 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
414 0x2c, 0x00, 0xff};
415#endif
8ea404fb
BK		 416 const int expected_extensions[] = {
417#ifndef OPENSSL_NO_EC
418 11, 10,
419#endif
10ed1b72 420 35, 22, 23, 13};
2afaee51
BK		 421 size_t len;
422
423 /* Make sure we can defer processing and get called back. */
424 if ((*ctr)++ == 0)
f1b97da1 425 return SSL_CLIENT_HELLO_RETRY;
2afaee51 426
a9c0d8be 427 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 428 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 429 || !TEST_size_t_eq(
430 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 431 || !TEST_int_eq(*p, 0))
f1b97da1 432 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 433 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 434 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 435 if (len != OSSL_NELEM(expected_extensions) ||
436 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 437 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 438 OPENSSL_free(exts);
f1b97da1 439 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 440 }
441 OPENSSL_free(exts);
f1b97da1 442 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 443}
444
a9c0d8be 445static int test_client_hello_cb(void)
710756a9 446{
2afaee51
BK		 447 SSL_CTX *cctx = NULL, *sctx = NULL;
448 SSL *clientssl = NULL, *serverssl = NULL;
449 int testctr = 0, testresult = 0;
450
710756a9
RS		 451 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
452 TLS_client_method(), &sctx,
453 &cctx, cert, privkey)))
2afaee51 454 goto end;
a9c0d8be 455 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 456
2afaee51
BK		 457 /* The gimpy cipher list we configure can't do TLS 1.3. */
458 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 459
710756a9
RS		 460 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
461 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
462 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
463 &clientssl, NULL, NULL))
464 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 465 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 466 /*
467 * Passing a -1 literal is a hack since
468 * the real value was lost.
469 * */
a9c0d8be
DB		 470 || !TEST_int_eq(SSL_get_error(serverssl, -1),
471 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
473 SSL_ERROR_NONE)))
2afaee51 474 goto end;
2afaee51
BK		 475
476 testresult = 1;
477
478end:
479 SSL_free(serverssl);
480 SSL_free(clientssl);
481 SSL_CTX_free(sctx);
482 SSL_CTX_free(cctx);
483
484 return testresult;
485}
e9ee6536 486#endif
2afaee51 487
84d5549e 488static int execute_test_large_message(const SSL_METHOD *smeth,
7856332e 489 const SSL_METHOD *cmeth, int read_ahead)
84d5549e
MC		 490{
491 SSL_CTX *cctx = NULL, *sctx = NULL;
492 SSL *clientssl = NULL, *serverssl = NULL;
493 int testresult = 0;
494 int i;
710756a9 495 BIO *certbio = NULL;
84d5549e
MC		 496 X509 *chaincert = NULL;
497 int certlen;
498
710756a9 499 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 500 goto end;
84d5549e 501 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 502 BIO_free(certbio);
503 certbio = NULL;
710756a9 504 if (!TEST_ptr(chaincert))
fa454945 505 goto end;
84d5549e 506
710756a9
RS		 507 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
508 &cctx, cert, privkey)))
84d5549e 509 goto end;
84d5549e 510
710756a9 511 if (read_ahead) {
7856332e
MC		 512 /*
513 * Test that read_ahead works correctly when dealing with large
514 * records
515 */
516 SSL_CTX_set_read_ahead(cctx, 1);
517 }
518
84d5549e
MC		 519 /*
520 * We assume the supplied certificate is big enough so that if we add
521 * NUM_EXTRA_CERTS it will make the overall message large enough. The
522 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 523 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
524 * test we need to have a message larger than that.
84d5549e
MC		 525 */
526 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 527 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
528 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 529 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 530 if (!X509_up_ref(chaincert))
84d5549e 531 goto end;
84d5549e 532 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 533 X509_free(chaincert);
534 goto end;
535 }
536 }
537
710756a9
RS		 538 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
539 NULL, NULL))
540 || !TEST_true(create_ssl_connection(serverssl, clientssl,
541 SSL_ERROR_NONE)))
84d5549e 542 goto end;
84d5549e 543
4bf08600
MC		 544 /*
545 * Calling SSL_clear() first is not required but this tests that SSL_clear()
546 * doesn't leak (when using enable-crypto-mdebug).
547 */
710756a9 548 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 549 goto end;
84d5549e 550
4bf08600 551 testresult = 1;
84d5549e
MC		 552 end:
553 X509_free(chaincert);
554 SSL_free(serverssl);
555 SSL_free(clientssl);
556 SSL_CTX_free(sctx);
557 SSL_CTX_free(cctx);
558
559 return testresult;
560}
561
562static int test_large_message_tls(void)
563{
7856332e
MC		 564 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
565 0);
566}
567
568static int test_large_message_tls_read_ahead(void)
569{
570 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
571 1);
84d5549e
MC		 572}
573
55386bef 574#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 575static int test_large_message_dtls(void)
576{
7856332e
MC		 577 /*
578 * read_ahead is not relevant to DTLS because DTLS always acts as if
579 * read_ahead is set.
580 */
84d5549e 581 return execute_test_large_message(DTLS_server_method(),
7856332e 582 DTLS_client_method(), 0);
84d5549e 583}
55386bef 584#endif
84d5549e 585
8f8c11d8 586#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 587static int ocsp_server_cb(SSL *s, void *arg)
588{
589 int *argi = (int *)arg;
710756a9 590 unsigned char *copy = NULL;
ba881d3b
MC		 591 STACK_OF(OCSP_RESPID) *ids = NULL;
592 OCSP_RESPID *id = NULL;
593
594 if (*argi == 2) {
595 /* In this test we are expecting exactly 1 OCSP_RESPID */
596 SSL_get_tlsext_status_ids(s, &ids);
597 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
598 return SSL_TLSEXT_ERR_ALERT_FATAL;
599
600 id = sk_OCSP_RESPID_value(ids, 0);
601 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
602 return SSL_TLSEXT_ERR_ALERT_FATAL;
603 } else if (*argi != 1) {
604 return SSL_TLSEXT_ERR_ALERT_FATAL;
605 }
606
710756a9 607 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 608 return SSL_TLSEXT_ERR_ALERT_FATAL;
609
710756a9 610 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 611 ocsp_server_called = 1;
ba881d3b
MC		 612 return SSL_TLSEXT_ERR_OK;
613}
614
615static int ocsp_client_cb(SSL *s, void *arg)
616{
617 int *argi = (int *)arg;
618 const unsigned char *respderin;
619 size_t len;
620
621 if (*argi != 1 && *argi != 2)
622 return 0;
623
624 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 625 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 626 return 0;
627
628 ocsp_client_called = 1;
ba881d3b
MC		 629 return 1;
630}
631
2cb4b5f6
MC		 632static int test_tlsext_status_type(void)
633{
ba881d3b
MC		 634 SSL_CTX *cctx = NULL, *sctx = NULL;
635 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 636 int testresult = 0;
ba881d3b
MC		 637 STACK_OF(OCSP_RESPID) *ids = NULL;
638 OCSP_RESPID *id = NULL;
639 BIO *certbio = NULL;
2cb4b5f6 640
ba881d3b 641 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
710756a9 642 &cctx, cert, privkey))
ba881d3b 643 return 0;
2cb4b5f6 644
710756a9 645 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 646 goto end;
2cb4b5f6 647
ba881d3b 648 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 649
ba881d3b 650 clientssl = SSL_new(cctx);
710756a9
RS		 651 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
652 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
653 TLSEXT_STATUSTYPE_ocsp))
654 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
655 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 656 goto end;
2cb4b5f6 657
ba881d3b
MC		 658 SSL_free(clientssl);
659 clientssl = NULL;
2cb4b5f6 660
710756a9
RS		 661 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
662 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 663 goto end;
2cb4b5f6 664
ba881d3b 665 clientssl = SSL_new(cctx);
710756a9 666 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 667 goto end;
ba881d3b
MC		 668 SSL_free(clientssl);
669 clientssl = NULL;
670
671 /*
672 * Now actually do a handshake and check OCSP information is exchanged and
673 * the callbacks get called
674 */
ba881d3b
MC		 675 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
676 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
677 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
678 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
680 &clientssl, NULL, NULL))
681 || !TEST_true(create_ssl_connection(serverssl, clientssl,
682 SSL_ERROR_NONE))
683 || !TEST_true(ocsp_client_called)
684 || !TEST_true(ocsp_server_called))
ba881d3b 685 goto end;
ba881d3b
MC		 686 SSL_free(serverssl);
687 SSL_free(clientssl);
688 serverssl = NULL;
689 clientssl = NULL;
690
691 /* Try again but this time force the server side callback to fail */
692 ocsp_client_called = 0;
693 ocsp_server_called = 0;
694 cdummyarg = 0;
710756a9
RS		 695 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
696 &clientssl, NULL, NULL))
697 /* This should fail because the callback will fail */
698 || !TEST_false(create_ssl_connection(serverssl, clientssl,
699 SSL_ERROR_NONE))
700 || !TEST_false(ocsp_client_called)
701 || !TEST_false(ocsp_server_called))
ba881d3b 702 goto end;
ba881d3b
MC		 703 SSL_free(serverssl);
704 SSL_free(clientssl);
705 serverssl = NULL;
706 clientssl = NULL;
707
708 /*
709 * This time we'll get the client to send an OCSP_RESPID that it will
710 * accept.
711 */
712 ocsp_client_called = 0;
713 ocsp_server_called = 0;
714 cdummyarg = 2;
710756a9
RS		 715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
716 &clientssl, NULL, NULL)))
ba881d3b 717 goto end;
ba881d3b
MC		 718
719 /*
720 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 721 * specific one. We'll use the server cert.
ba881d3b 722 */
710756a9
RS		 723 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
724 || !TEST_ptr(id = OCSP_RESPID_new())
725 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
726 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
727 NULL, NULL, NULL))
728 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
729 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 730 goto end;
ba881d3b
MC		 731 id = NULL;
732 SSL_set_tlsext_status_ids(clientssl, ids);
733 /* Control has been transferred */
734 ids = NULL;
735
736 BIO_free(certbio);
737 certbio = NULL;
738
710756a9
RS		 739 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
740 SSL_ERROR_NONE))
741 || !TEST_true(ocsp_client_called)
742 || !TEST_true(ocsp_server_called))
ba881d3b 743 goto end;
ba881d3b 744
2cb4b5f6
MC		 745 testresult = 1;
746
747 end:
ba881d3b
MC		 748 SSL_free(serverssl);
749 SSL_free(clientssl);
750 SSL_CTX_free(sctx);
751 SSL_CTX_free(cctx);
752 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
753 OCSP_RESPID_free(id);
754 BIO_free(certbio);
755 X509_free(ocspcert);
756 ocspcert = NULL;
2cb4b5f6
MC		 757
758 return testresult;
759}
8f8c11d8 760#endif
2cb4b5f6 761
bf208d95 762#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 763static int new_called, remove_called, get_called;
eaa776da 764
eaa776da
MC		 765static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
766{
767 new_called++;
c0537ebd
MC		 768 /*
769 * sess has been up-refed for us, but we don't actually need it so free it
770 * immediately.
771 */
772 SSL_SESSION_free(sess);
eaa776da
MC		 773 return 1;
774}
775
776static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
777{
778 remove_called++;
779}
780
7a301f08
MC		 781static SSL_SESSION *get_sess_val = NULL;
782
783static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
784 int *copy)
785{
0afca811 786 get_called++;
7a301f08
MC		 787 *copy = 1;
788 return get_sess_val;
789}
790
7a301f08
MC		 791static int execute_test_session(int maxprot, int use_int_cache,
792 int use_ext_cache)
2cb4b5f6
MC		 793{
794 SSL_CTX *sctx = NULL, *cctx = NULL;
795 SSL *serverssl1 = NULL, *clientssl1 = NULL;
796 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 797# ifndef OPENSSL_NO_TLS1_1
eaa776da 798 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 799# endif
2cb4b5f6
MC		 800 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
801 int testresult = 0;
802
7e885b7b
P		 803 new_called = remove_called = 0;
804
710756a9
RS		 805 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
806 TLS_client_method(), &sctx,
807 &cctx, cert, privkey)))
2cb4b5f6 808 return 0;
2cb4b5f6 809
7a301f08
MC		 810 /*
811 * Only allow the max protocol version so we can force a connection failure
812 * later
813 */
814 SSL_CTX_set_min_proto_version(cctx, maxprot);
815 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 816
817 /* Set up session cache */
7e885b7b 818 if (use_ext_cache) {
eaa776da
MC		 819 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
820 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
821 }
7e885b7b 822 if (use_int_cache) {
eaa776da
MC		 823 /* Also covers instance where both are set */
824 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
825 } else {
826 SSL_CTX_set_session_cache_mode(cctx,
827 SSL_SESS_CACHE_CLIENT
828 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
829 }
2cb4b5f6 830
710756a9
RS		 831 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
832 NULL, NULL))
833 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
834 SSL_ERROR_NONE))
835 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 836 goto end;
2cb4b5f6 837
710756a9 838 /* Should fail because it should already be in the cache */
7e885b7b 839 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 840 goto end;
7a301f08
MC		 841 if (use_ext_cache
842 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
b4982125 843 goto end;
b4982125 844
c0537ebd
MC		 845 new_called = remove_called = 0;
846 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
847 &clientssl2, NULL, NULL))
848 || !TEST_true(SSL_set_session(clientssl2, sess1))
849 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
850 SSL_ERROR_NONE))
851 || !TEST_true(SSL_session_reused(clientssl2)))
852 goto end;
853
7a301f08
MC		 854 if (maxprot == TLS1_3_VERSION) {
855 /*
856 * In TLSv1.3 we should have created a new session even though we have
857 * resumed. The original session should also have been removed.
858 */
859 if (use_ext_cache
860 && (!TEST_int_eq(new_called, 1)
861 || !TEST_int_eq(remove_called, 1)))
862 goto end;
863 } else {
864 /*
865 * In TLSv1.2 we expect to have resumed so no sessions added or
866 * removed.
867 */
868 if (use_ext_cache
869 && (!TEST_int_eq(new_called, 0)
870 || !TEST_int_eq(remove_called, 0)))
871 goto end;
872 }
c0537ebd
MC		 873
874 SSL_SESSION_free(sess1);
875 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
876 goto end;
877 shutdown_ssl_connection(serverssl2, clientssl2);
878 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 879
880 new_called = remove_called = 0;
710756a9
RS		 881 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
882 &clientssl2, NULL, NULL))
883 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
884 SSL_ERROR_NONE)))
2cb4b5f6 885 goto end;
2cb4b5f6 886
710756a9 887 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 888 goto end;
2cb4b5f6 889
7a301f08
MC		 890 if (use_ext_cache
891 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
eaa776da 892 goto end;
eaa776da 893
c0537ebd 894 new_called = remove_called = 0;
2cb4b5f6 895 /*
710756a9
RS		 896 * This should clear sess2 from the cache because it is a "bad" session.
897 * See SSL_set_session() documentation.
2cb4b5f6 898 */
710756a9 899 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 900 goto end;
7a301f08
MC		 901 if (use_ext_cache
902 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 903 goto end;
710756a9 904 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 905 goto end;
2cb4b5f6 906
7e885b7b 907 if (use_int_cache) {
710756a9
RS		 908 /* Should succeeded because it should not already be in the cache */
909 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
910 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 911 goto end;
eaa776da
MC		 912 }
913
c0537ebd 914 new_called = remove_called = 0;
eaa776da 915 /* This shouldn't be in the cache so should fail */
710756a9 916 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 917 goto end;
2cb4b5f6 918
7a301f08
MC		 919 if (use_ext_cache
920 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 921 goto end;
2cb4b5f6 922
bf208d95 923# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 924 new_called = remove_called = 0;
eaa776da
MC		 925 /* Force a connection failure */
926 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
928 &clientssl3, NULL, NULL))
929 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 930 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 931 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
932 SSL_ERROR_NONE)))
eaa776da 933 goto end;
b4982125 934
eaa776da 935 /* We should have automatically removed the session from the cache */
7a301f08
MC		 936 if (use_ext_cache
937 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 938 goto end;
2cb4b5f6 939
710756a9 940 /* Should succeed because it should not already be in the cache */
7e885b7b 941 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 942 goto end;
bf208d95 943# endif
eaa776da 944
7a301f08
MC		 945 /* Now do some tests for server side caching */
946 if (use_ext_cache) {
947 SSL_CTX_sess_set_new_cb(cctx, NULL);
948 SSL_CTX_sess_set_remove_cb(cctx, NULL);
949 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
950 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
951 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
952 get_sess_val = NULL;
953 }
954
955 SSL_CTX_set_session_cache_mode(cctx, 0);
956 /* Internal caching is the default on the server side */
957 if (!use_int_cache)
958 SSL_CTX_set_session_cache_mode(sctx,
959 SSL_SESS_CACHE_SERVER
960 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
961
962 SSL_free(serverssl1);
963 SSL_free(clientssl1);
964 serverssl1 = clientssl1 = NULL;
965 SSL_free(serverssl2);
966 SSL_free(clientssl2);
967 serverssl2 = clientssl2 = NULL;
968 SSL_SESSION_free(sess1);
969 sess1 = NULL;
970 SSL_SESSION_free(sess2);
971 sess2 = NULL;
972
973 SSL_CTX_set_max_proto_version(sctx, maxprot);
974 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 975 new_called = remove_called = get_called = 0;
7a301f08
MC		 976 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
977 NULL, NULL))
978 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
979 SSL_ERROR_NONE))
980 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
981 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
982 goto end;
983
984 /* Should fail because it should already be in the cache */
985 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
986 goto end;
987
988 if (use_ext_cache) {
989 SSL_SESSION *tmp = sess2;
990
0afca811
KY		 991 if (!TEST_int_eq(new_called, 1)
992 || !TEST_int_eq(remove_called, 0)
993 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 994 goto end;
995 /*
996 * Delete the session from the internal cache to force a lookup from
997 * the external cache. We take a copy first because
998 * SSL_CTX_remove_session() also marks the session as non-resumable.
999 */
3cb6a4d6
BK		 1000 if (use_int_cache) {
1001 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1002 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1003 goto end;
1004 SSL_SESSION_free(sess2);
1005 }
7a301f08
MC		 1006 sess2 = tmp;
1007 }
1008
0afca811 1009 new_called = remove_called = get_called = 0;
7a301f08
MC		 1010 get_sess_val = sess2;
1011 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1012 &clientssl2, NULL, NULL))
1013 || !TEST_true(SSL_set_session(clientssl2, sess1))
1014 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1015 SSL_ERROR_NONE))
1016 || !TEST_true(SSL_session_reused(clientssl2)))
1017 goto end;
1018
0afca811
KY		 1019 if (use_ext_cache) {
1020 if (!TEST_int_eq(new_called, 0)
1021 || !TEST_int_eq(remove_called, 0))
1022 goto end;
1023
1024 if (maxprot == TLS1_3_VERSION) {
1025 if (!TEST_int_eq(get_called, 0))
1026 goto end;
1027 } else {
1028 if (!TEST_int_eq(get_called, 1))
1029 goto end;
1030 }
1031 }
7a301f08 1032
2cb4b5f6 1033 testresult = 1;
eaa776da 1034
2cb4b5f6
MC		 1035 end:
1036 SSL_free(serverssl1);
1037 SSL_free(clientssl1);
1038 SSL_free(serverssl2);
1039 SSL_free(clientssl2);
bf208d95 1040# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1041 SSL_free(serverssl3);
1042 SSL_free(clientssl3);
bf208d95 1043# endif
2cb4b5f6
MC		 1044 SSL_SESSION_free(sess1);
1045 SSL_SESSION_free(sess2);
1046 SSL_CTX_free(sctx);
1047 SSL_CTX_free(cctx);
1048
1049 return testresult;
1050}
bf208d95 1051#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1052
7fb4c820
MC		 1053static int test_session_with_only_int_cache(void)
1054{
7a301f08
MC		 1055#ifndef OPENSSL_NO_TLS1_3
1056 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1057 return 0;
1058#endif
1059
1060#ifndef OPENSSL_NO_TLS1_2
1061 return execute_test_session(TLS1_2_VERSION, 1, 0);
1062#else
1063 return 1;
1064#endif
eaa776da
MC		 1065}
1066
7fb4c820
MC		 1067static int test_session_with_only_ext_cache(void)
1068{
7a301f08
MC		 1069#ifndef OPENSSL_NO_TLS1_3
1070 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1071 return 0;
1072#endif
1073
1074#ifndef OPENSSL_NO_TLS1_2
1075 return execute_test_session(TLS1_2_VERSION, 0, 1);
1076#else
1077 return 1;
1078#endif
eaa776da
MC		 1079}
1080
7fb4c820
MC		 1081static int test_session_with_both_cache(void)
1082{
7a301f08
MC		 1083#ifndef OPENSSL_NO_TLS1_3
1084 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1085 return 0;
1086#endif
1087
1088#ifndef OPENSSL_NO_TLS1_2
1089 return execute_test_session(TLS1_2_VERSION, 1, 1);
1090#else
1091 return 1;
1092#endif
eaa776da
MC		 1093}
1094
7fb4c820
MC		 1095#define USE_NULL 0
1096#define USE_BIO_1 1
1097#define USE_BIO_2 2
1098
1099#define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1100
1101static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1102{
1103 switch (type) {
1104 case USE_NULL:
1105 *res = NULL;
1106 break;
1107 case USE_BIO_1:
1108 *res = bio1;
1109 break;
1110 case USE_BIO_2:
1111 *res = bio2;
1112 break;
1113 }
1114}
1115
1116static int test_ssl_set_bio(int idx)
1117{
710756a9 1118 SSL_CTX *ctx;
7fb4c820
MC		 1119 BIO *bio1 = NULL;
1120 BIO *bio2 = NULL;
0fae8150 1121 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7fb4c820
MC		 1122 SSL *ssl = NULL;
1123 int initrbio, initwbio, newrbio, newwbio;
1124 int testresult = 0;
1125
7fb4c820
MC		 1126 initrbio = idx % 3;
1127 idx /= 3;
1128 initwbio = idx % 3;
1129 idx /= 3;
1130 newrbio = idx % 3;
1131 idx /= 3;
1132 newwbio = idx;
710756a9
RS		 1133 if (!TEST_int_le(newwbio, 2))
1134 return 0;
1135
1136 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1137 || !TEST_ptr(ssl = SSL_new(ctx)))
1138 goto end;
7fb4c820 1139
710756a9
RS		 1140 if (initrbio == USE_BIO_1
1141 || initwbio == USE_BIO_1
1142 || newrbio == USE_BIO_1
7fb4c820 1143 || newwbio == USE_BIO_1) {
710756a9 1144 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1145 goto end;
7fb4c820
MC		 1146 }
1147
710756a9
RS		 1148 if (initrbio == USE_BIO_2
1149 || initwbio == USE_BIO_2
1150 || newrbio == USE_BIO_2
7fb4c820 1151 || newwbio == USE_BIO_2) {
710756a9 1152 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1153 goto end;
7fb4c820
MC		 1154 }
1155
1156 setupbio(&irbio, bio1, bio2, initrbio);
1157 setupbio(&iwbio, bio1, bio2, initwbio);
1158
1159 /*
1160 * We want to maintain our own refs to these BIO, so do an up ref for each
69687aa8 1161 * BIO that will have ownership transferred in the SSL_set_bio() call
7fb4c820
MC		 1162 */
1163 if (irbio != NULL)
1164 BIO_up_ref(irbio);
1165 if (iwbio != NULL && iwbio != irbio)
1166 BIO_up_ref(iwbio);
1167
1168 SSL_set_bio(ssl, irbio, iwbio);
1169
1170 setupbio(&nrbio, bio1, bio2, newrbio);
1171 setupbio(&nwbio, bio1, bio2, newwbio);
1172
1173 /*
1174 * We will (maybe) transfer ownership again so do more up refs.
1175 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1176 * already been set!
1177 */
710756a9
RS		 1178 if (nrbio != NULL
1179 && nrbio != irbio
1180 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1181 BIO_up_ref(nrbio);
710756a9
RS		 1182 if (nwbio != NULL
1183 && nwbio != nrbio
1184 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1185 BIO_up_ref(nwbio);
1186
1187 SSL_set_bio(ssl, nrbio, nwbio);
1188
1189 testresult = 1;
1190
1191 end:
1192 SSL_free(ssl);
1193 BIO_free(bio1);
1194 BIO_free(bio2);
710756a9 1195
7fb4c820
MC		 1196 /*
1197 * This test is checking that the ref counting for SSL_set_bio is correct.
1198 * If we get here and we did too many frees then we will fail in the above
1199 * functions. If we haven't done enough then this will only be detected in
1200 * a crypto-mdebug build
1201 */
1202 SSL_CTX_free(ctx);
7fb4c820
MC		 1203 return testresult;
1204}
1205
7e885b7b 1206typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1207
7e885b7b 1208static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1209{
1210 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1211 SSL_CTX *ctx;
9a716987
MC		 1212 SSL *ssl = NULL;
1213 int testresult = 0;
1214
710756a9
RS		 1215 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1216 || !TEST_ptr(ssl = SSL_new(ctx))
1217 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1218 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1219 goto end;
9a716987
MC		 1220
1221 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1222
1223 /*
1224 * If anything goes wrong here then we could leak memory, so this will
1225 * be caught in a crypto-mdebug build
1226 */
1227 BIO_push(sslbio, membio1);
1228
69687aa8 1229 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1230 if (change_bio != NO_BIO_CHANGE) {
710756a9 1231 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1232 goto end;
7e885b7b 1233 if (change_bio == CHANGE_RBIO)
65e2d672 1234 SSL_set0_rbio(ssl, membio2);
9a716987 1235 else
65e2d672 1236 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1237 }
1238 ssl = NULL;
1239
7e885b7b 1240 if (pop_ssl)
9a716987
MC		 1241 BIO_pop(sslbio);
1242 else
1243 BIO_pop(membio1);
1244
1245 testresult = 1;
1246 end:
1247 BIO_free(membio1);
1248 BIO_free(sslbio);
1249 SSL_free(ssl);
1250 SSL_CTX_free(ctx);
1251
1252 return testresult;
1253}
1254
1255static int test_ssl_bio_pop_next_bio(void)
1256{
7e885b7b 1257 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1258}
1259
1260static int test_ssl_bio_pop_ssl_bio(void)
1261{
7e885b7b 1262 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1263}
1264
1265static int test_ssl_bio_change_rbio(void)
1266{
7e885b7b 1267 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1268}
1269
1270static int test_ssl_bio_change_wbio(void)
1271{
7e885b7b 1272 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1273}
1274
f1b25aae
MC		 1275typedef struct {
1276 /* The list of sig algs */
1277 const int *list;
1278 /* The length of the list */
1279 size_t listlen;
1280 /* A sigalgs list in string format */
1281 const char *liststr;
1282 /* Whether setting the list should succeed */
1283 int valid;
1284 /* Whether creating a connection with the list should succeed */
1285 int connsuccess;
1286} sigalgs_list;
1287
1288static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
5eeb6c6e 1289#ifndef OPENSSL_NO_EC
f1b25aae
MC		 1290static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1291static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
5eeb6c6e 1292#endif
f1b25aae
MC		 1293static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1294static const int invalidlist2[] = {NID_sha256, NID_undef};
1295static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1296static const int invalidlist4[] = {NID_sha256};
1297static const sigalgs_list testsigalgs[] = {
1298 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
5eeb6c6e 1299#ifndef OPENSSL_NO_EC
f1b25aae
MC		 1300 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1301 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
5eeb6c6e 1302#endif
f1b25aae 1303 {NULL, 0, "RSA+SHA256", 1, 1},
5eeb6c6e 1304#ifndef OPENSSL_NO_EC
f1b25aae
MC		 1305 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1306 {NULL, 0, "ECDSA+SHA512", 1, 0},
5eeb6c6e 1307#endif
f1b25aae
MC		 1308 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1309 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1310 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1311 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1312 {NULL, 0, "RSA", 0, 0},
1313 {NULL, 0, "SHA256", 0, 0},
1314 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1315 {NULL, 0, "Invalid", 0, 0}
1316};
f1b25aae
MC		 1317
1318static int test_set_sigalgs(int idx)
1319{
1320 SSL_CTX *cctx = NULL, *sctx = NULL;
1321 SSL *clientssl = NULL, *serverssl = NULL;
1322 int testresult = 0;
1323 const sigalgs_list *curr;
1324 int testctx;
1325
1326 /* Should never happen */
710756a9 1327 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1328 return 0;
1329
1330 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1331 curr = testctx ? &testsigalgs[idx]
1332 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1333
710756a9
RS		 1334 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1335 TLS_client_method(), &sctx,
1336 &cctx, cert, privkey)))
f1b25aae 1337 return 0;
f1b25aae 1338
d2e491f2
MC		 1339 /*
1340 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1341 * for TLSv1.2 for now until we add a new API.
1342 */
1343 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1344
f1b25aae
MC		 1345 if (testctx) {
1346 int ret;
710756a9 1347
f1b25aae
MC		 1348 if (curr->list != NULL)
1349 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1350 else
1351 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1352
1353 if (!ret) {
1354 if (curr->valid)
710756a9 1355 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1356 else
1357 testresult = 1;
1358 goto end;
1359 }
1360 if (!curr->valid) {
710756a9 1361 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1362 goto end;
1363 }
1364 }
1365
710756a9
RS		 1366 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1367 &clientssl, NULL, NULL)))
f1b25aae 1368 goto end;
f1b25aae
MC		 1369
1370 if (!testctx) {
1371 int ret;
1372
1373 if (curr->list != NULL)
1374 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1375 else
1376 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1377 if (!ret) {
1378 if (curr->valid)
710756a9 1379 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1380 else
1381 testresult = 1;
1382 goto end;
1383 }
710756a9 1384 if (!curr->valid)
f1b25aae 1385 goto end;
f1b25aae
MC		 1386 }
1387
710756a9
RS		 1388 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1389 SSL_ERROR_NONE),
1390 curr->connsuccess))
f1b25aae 1391 goto end;
f1b25aae
MC		 1392
1393 testresult = 1;
1394
1395 end:
1396 SSL_free(serverssl);
1397 SSL_free(clientssl);
1398 SSL_CTX_free(sctx);
1399 SSL_CTX_free(cctx);
1400
1401 return testresult;
1402}
1403
fff202e5
MC		 1404#ifndef OPENSSL_NO_TLS1_3
1405
57dee9bb
MC		 1406static SSL_SESSION *clientpsk = NULL;
1407static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1408static const char *pskid = "Identity";
1409static const char *srvid;
1410
1411static int use_session_cb_cnt = 0;
1412static int find_session_cb_cnt = 0;
1413
1414static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1415 size_t *idlen, SSL_SESSION **sess)
1416{
1417 switch (++use_session_cb_cnt) {
1418 case 1:
1419 /* The first call should always have a NULL md */
1420 if (md != NULL)
1421 return 0;
1422 break;
1423
1424 case 2:
1425 /* The second call should always have an md */
1426 if (md == NULL)
1427 return 0;
1428 break;
1429
1430 default:
1431 /* We should only be called a maximum of twice */
1432 return 0;
1433 }
1434
57dee9bb
MC		 1435 if (clientpsk != NULL)
1436 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1437
57dee9bb 1438 *sess = clientpsk;
02a3ed5a
MC		 1439 *id = (const unsigned char *)pskid;
1440 *idlen = strlen(pskid);
1441
1442 return 1;
1443}
1444
1445static int find_session_cb(SSL *ssl, const unsigned char *identity,
1446 size_t identity_len, SSL_SESSION **sess)
1447{
1448 find_session_cb_cnt++;
1449
1450 /* We should only ever be called a maximum of twice per connection */
1451 if (find_session_cb_cnt > 2)
1452 return 0;
1453
57dee9bb 1454 if (serverpsk == NULL)
02a3ed5a
MC		 1455 return 0;
1456
1457 /* Identity should match that set by the client */
1458 if (strlen(srvid) != identity_len
1459 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1460 /* No PSK found, continue but without a PSK */
1461 *sess = NULL;
1462 return 1;
1463 }
1464
57dee9bb
MC		 1465 SSL_SESSION_up_ref(serverpsk);
1466 *sess = serverpsk;
02a3ed5a
MC		 1467
1468 return 1;
1469}
1470
5f982038
MC		 1471#define MSG1 "Hello"
1472#define MSG2 "World."
1473#define MSG3 "This"
1474#define MSG4 "is"
1475#define MSG5 "a"
90049cea
MC		 1476#define MSG6 "test"
1477#define MSG7 "message."
5f982038 1478
02a3ed5a
MC		 1479#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1480
5f982038
MC		 1481/*
1482 * Helper method to setup objects for early data test. Caller frees objects on
1483 * error.
1484 */
1485static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1486 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1487{
710756a9
RS		 1488 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1489 TLS_client_method(), sctx,
1490 cctx, cert, privkey)))
5f982038 1491 return 0;
5f982038 1492
02a3ed5a
MC		 1493 if (idx == 1) {
1494 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1495 SSL_CTX_set_read_ahead(*cctx, 1);
1496 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1497 } else if (idx == 2) {
1498 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1499 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1500 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1501 use_session_cb_cnt = 0;
1502 find_session_cb_cnt = 0;
1503 srvid = pskid;
3cb47b4e
MC		 1504 }
1505
710756a9 1506 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1507 NULL, NULL)))
1508 return 0;
1509
141e4709
MC		 1510 /*
1511 * For one of the run throughs (doesn't matter which one), we'll try sending
1512 * some SNI data in the initial ClientHello. This will be ignored (because
1513 * there is no SNI cb set up by the server), so it should not impact
1514 * early_data.
1515 */
1516 if (idx == 1
1517 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1518 return 0;
1519
02a3ed5a
MC		 1520 if (idx == 2) {
1521 /* Create the PSK */
1522 const SSL_CIPHER *cipher = NULL;
1523 const unsigned char key[] = {
1524 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1525 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1526 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1527 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1528 0x2c, 0x2d, 0x2e, 0x2f
1529 };
1530
1531 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1532 clientpsk = SSL_SESSION_new();
1533 if (!TEST_ptr(clientpsk)
02a3ed5a 1534 || !TEST_ptr(cipher)
57dee9bb 1535 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1536 sizeof(key)))
57dee9bb 1537 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1538 || !TEST_true(
57dee9bb 1539 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1540 TLS1_3_VERSION))
1541 /*
1542 * We just choose an arbitrary value for max_early_data which
1543 * should be big enough for testing purposes.
1544 */
57dee9bb
MC		 1545 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1546 0x100))
1547 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1548 SSL_SESSION_free(clientpsk);
1549 clientpsk = NULL;
02a3ed5a
MC		 1550 return 0;
1551 }
57dee9bb 1552 serverpsk = clientpsk;
02a3ed5a
MC		 1553
1554 if (sess != NULL)
57dee9bb 1555 *sess = clientpsk;
02a3ed5a
MC		 1556 return 1;
1557 }
1558
1559 if (sess == NULL)
1560 return 1;
1561
1562 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1563 SSL_ERROR_NONE)))
5f982038 1564 return 0;
5f982038
MC		 1565
1566 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1567 SSL_shutdown(*clientssl);
1568 SSL_shutdown(*serverssl);
5f982038
MC		 1569 SSL_free(*serverssl);
1570 SSL_free(*clientssl);
1571 *serverssl = *clientssl = NULL;
1572
710756a9
RS		 1573 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1574 clientssl, NULL, NULL))
1575 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1576 return 0;
5f982038
MC		 1577
1578 return 1;
1579}
1580
3cb47b4e 1581static int test_early_data_read_write(int idx)
5f982038
MC		 1582{
1583 SSL_CTX *cctx = NULL, *sctx = NULL;
1584 SSL *clientssl = NULL, *serverssl = NULL;
1585 int testresult = 0;
1586 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1587 unsigned char buf[20], data[1024];
1588 size_t readbytes, written, eoedlen, rawread, rawwritten;
1589 BIO *rbio;
5f982038 1590
710756a9
RS		 1591 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1592 &serverssl, &sess, idx)))
5f982038
MC		 1593 goto end;
1594
1595 /* Write and read some early data */
710756a9
RS		 1596 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1597 &written))
1598 || !TEST_size_t_eq(written, strlen(MSG1))
1599 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1600 sizeof(buf), &readbytes),
1601 SSL_READ_EARLY_DATA_SUCCESS)
1602 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1604 SSL_EARLY_DATA_ACCEPTED))
5f982038 1605 goto end;
5f982038
MC		 1606
1607 /*
09f28874 1608 * Server should be able to write data, and client should be able to
5f982038
MC		 1609 * read it.
1610 */
710756a9
RS		 1611 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1612 &written))
1613 || !TEST_size_t_eq(written, strlen(MSG2))
1614 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1615 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1616 goto end;
5f982038
MC		 1617
1618 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1619 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1620 &written))
1621 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1622 goto end;
5f982038 1623
09f28874 1624 /* Server should still be able read early data after writing data */
710756a9
RS		 1625 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1626 &readbytes),
1627 SSL_READ_EARLY_DATA_SUCCESS)
1628 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 1629 goto end;
5f982038 1630
09f28874 1631 /* Write more data from server and read it from client */
710756a9
RS		 1632 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1633 &written))
1634 || !TEST_size_t_eq(written, strlen(MSG4))
1635 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1636 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 1637 goto end;
5f982038
MC		 1638
1639 /*
1640 * If client writes normal data it should mean writing early data is no
1641 * longer possible.
1642 */
710756a9
RS		 1643 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1644 || !TEST_size_t_eq(written, strlen(MSG5))
1645 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1646 SSL_EARLY_DATA_ACCEPTED))
5f982038 1647 goto end;
5f982038 1648
9b5c865d
MC		 1649 /*
1650 * At this point the client has written EndOfEarlyData, ClientFinished and
1651 * normal (fully protected) data. We are going to cause a delay between the
1652 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1653 * in the read BIO, and then just put back the EndOfEarlyData message.
1654 */
1655 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 1656 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1657 || !TEST_size_t_lt(rawread, sizeof(data))
1658 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 1659 goto end;
710756a9 1660
9b5c865d
MC		 1661 /* Record length is in the 4th and 5th bytes of the record header */
1662 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 1663 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1664 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 1665 goto end;
9b5c865d 1666
5f982038 1667 /* Server should be told that there is no more early data */
710756a9
RS		 1668 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1669 &readbytes),
1670 SSL_READ_EARLY_DATA_FINISH)
1671 || !TEST_size_t_eq(readbytes, 0))
5f982038 1672 goto end;
5f982038 1673
9b5c865d
MC		 1674 /*
1675 * Server has not finished init yet, so should still be able to write early
1676 * data.
1677 */
710756a9
RS		 1678 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1679 &written))
1680 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 1681 goto end;
9b5c865d 1682
f8a303fa 1683 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 1684 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1685 &rawwritten))
1686 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 1687 goto end;
f8a303fa 1688
5f982038 1689 /* Server should be able to read normal data */
710756a9
RS		 1690 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1691 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1692 goto end;
5f982038 1693
09f28874 1694 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1695 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1696 &written)))
5f982038 1697 goto end;
5f982038 1698 ERR_clear_error();
710756a9
RS		 1699 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1700 &readbytes),
1701 SSL_READ_EARLY_DATA_ERROR))
5f982038 1702 goto end;
5f982038
MC		 1703 ERR_clear_error();
1704
9b5c865d 1705 /* Client should be able to read the data sent by the server */
710756a9
RS		 1706 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1707 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 1708 goto end;
710756a9 1709
f8a303fa
MC		 1710 /*
1711 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1712 * We attempt a read which we do not expect to return any data.
1713 */
710756a9 1714 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
f8a303fa 1715 goto end;
5f982038 1716
90049cea 1717 /* Server should be able to write normal data */
710756a9
RS		 1718 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1719 || !TEST_size_t_eq(written, strlen(MSG7))
1720 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1721 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 1722 goto end;
90049cea 1723
02a3ed5a
MC		 1724 /* We keep the PSK session around if using PSK */
1725 if (idx != 2)
1726 SSL_SESSION_free(sess);
5f982038 1727 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 1728 use_session_cb_cnt = 0;
1729 find_session_cb_cnt = 0;
5f982038
MC		 1730
1731 SSL_shutdown(clientssl);
1732 SSL_shutdown(serverssl);
5f982038
MC		 1733 SSL_free(serverssl);
1734 SSL_free(clientssl);
1735 serverssl = clientssl = NULL;
710756a9
RS		 1736 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1737 &clientssl, NULL, NULL))
1738 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 1739 goto end;
5f982038
MC		 1740
1741 /* Write and read some early data */
710756a9
RS		 1742 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1743 &written))
1744 || !TEST_size_t_eq(written, strlen(MSG1))
1745 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1746 &readbytes),
1747 SSL_READ_EARLY_DATA_SUCCESS)
1748 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 1749 goto end;
5f982038 1750
710756a9
RS		 1751 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1752 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 1753 goto end;
5f982038 1754
09f28874 1755 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1756 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1757 &written)))
5f982038 1758 goto end;
5f982038 1759 ERR_clear_error();
710756a9
RS		 1760 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1761 &readbytes),
1762 SSL_READ_EARLY_DATA_ERROR))
5f982038 1763 goto end;
5f982038
MC		 1764 ERR_clear_error();
1765
1766 /* Client and server should be able to write/read normal data */
710756a9
RS		 1767 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1768 || !TEST_size_t_eq(written, strlen(MSG5))
1769 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1770 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1771 goto end;
5f982038
MC		 1772
1773 testresult = 1;
1774
1775 end:
57dee9bb
MC		 1776 if (sess != clientpsk)
1777 SSL_SESSION_free(sess);
1778 SSL_SESSION_free(clientpsk);
1779 SSL_SESSION_free(serverpsk);
1780 clientpsk = serverpsk = NULL;
5f982038
MC		 1781 SSL_free(serverssl);
1782 SSL_free(clientssl);
1783 SSL_CTX_free(sctx);
1784 SSL_CTX_free(cctx);
5f982038
MC		 1785 return testresult;
1786}
1787
710756a9 1788/*
6b84e6bf
MC		 1789 * Helper function to test that a server attempting to read early data can
1790 * handle a connection from a client where the early data should be skipped.
710756a9 1791 */
6b84e6bf 1792static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 1793{
1794 SSL_CTX *cctx = NULL, *sctx = NULL;
1795 SSL *clientssl = NULL, *serverssl = NULL;
1796 int testresult = 0;
018fcbec 1797 SSL_SESSION *sess = NULL;
5f982038
MC		 1798 unsigned char buf[20];
1799 size_t readbytes, written;
1800
710756a9
RS		 1801 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1802 &serverssl, &sess, idx)))
5f982038
MC		 1803 goto end;
1804
6b84e6bf
MC		 1805 if (hrr) {
1806 /* Force an HRR to occur */
1807 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1808 goto end;
02a3ed5a
MC		 1809 } else if (idx == 2) {
1810 /*
1811 * We force early_data rejection by ensuring the PSK identity is
1812 * unrecognised
1813 */
1814 srvid = "Dummy Identity";
6b84e6bf
MC		 1815 } else {
1816 /*
1817 * Deliberately corrupt the creation time. We take 20 seconds off the
1818 * time. It could be any value as long as it is not within tolerance.
1819 * This should mean the ticket is rejected.
1820 */
1821 if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20)))
1822 goto end;
1823 }
5f982038
MC		 1824
1825 /* Write some early data */
710756a9
RS		 1826 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1827 &written))
1828 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 1829 goto end;
5f982038
MC		 1830
1831 /* Server should reject the early data and skip over it */
710756a9
RS		 1832 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1833 &readbytes),
1834 SSL_READ_EARLY_DATA_FINISH)
1835 || !TEST_size_t_eq(readbytes, 0)
1836 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1837 SSL_EARLY_DATA_REJECTED))
5f982038 1838 goto end;
5f982038 1839
6b84e6bf
MC		 1840 if (hrr) {
1841 /*
1842 * Finish off the handshake. We perform the same writes and reads as
1843 * further down but we expect them to fail due to the incomplete
1844 * handshake.
1845 */
1846 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1847 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1848 &readbytes)))
1849 goto end;
1850 }
1851
710756a9
RS		 1852 /* Should be able to send normal data despite rejection of early data */
1853 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1854 || !TEST_size_t_eq(written, strlen(MSG2))
1855 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1856 SSL_EARLY_DATA_REJECTED)
1857 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1858 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1859 goto end;
5f982038
MC		 1860
1861 testresult = 1;
1862
1863 end:
57dee9bb
MC		 1864 if (sess != clientpsk)
1865 SSL_SESSION_free(clientpsk);
1866 SSL_SESSION_free(serverpsk);
1867 clientpsk = serverpsk = NULL;
5f982038
MC		 1868 SSL_SESSION_free(sess);
1869 SSL_free(serverssl);
1870 SSL_free(clientssl);
1871 SSL_CTX_free(sctx);
1872 SSL_CTX_free(cctx);
5f982038
MC		 1873 return testresult;
1874}
1875
6b84e6bf
MC		 1876/*
1877 * Test that a server attempting to read early data can handle a connection
1878 * from a client where the early data is not acceptable.
1879 */
1880static int test_early_data_skip(int idx)
1881{
1882 return early_data_skip_helper(0, idx);
1883}
1884
1885/*
1886 * Test that a server attempting to read early data can handle a connection
1887 * from a client where an HRR occurs.
1888 */
1889static int test_early_data_skip_hrr(int idx)
1890{
1891 return early_data_skip_helper(1, idx);
1892}
1893
710756a9
RS		 1894/*
1895 * Test that a server attempting to read early data can handle a connection
1896 * from a client that doesn't send any.
1897 */
3cb47b4e 1898static int test_early_data_not_sent(int idx)
5f982038
MC		 1899{
1900 SSL_CTX *cctx = NULL, *sctx = NULL;
1901 SSL *clientssl = NULL, *serverssl = NULL;
1902 int testresult = 0;
018fcbec 1903 SSL_SESSION *sess = NULL;
5f982038
MC		 1904 unsigned char buf[20];
1905 size_t readbytes, written;
1906
710756a9
RS		 1907 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1908 &serverssl, &sess, idx)))
5f982038
MC		 1909 goto end;
1910
1911 /* Write some data - should block due to handshake with server */
1912 SSL_set_connect_state(clientssl);
710756a9 1913 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 1914 goto end;
5f982038
MC		 1915
1916 /* Server should detect that early data has not been sent */
710756a9
RS		 1917 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1918 &readbytes),
1919 SSL_READ_EARLY_DATA_FINISH)
1920 || !TEST_size_t_eq(readbytes, 0)
1921 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1922 SSL_EARLY_DATA_NOT_SENT)
1923 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1924 SSL_EARLY_DATA_NOT_SENT))
5f982038 1925 goto end;
5f982038
MC		 1926
1927 /* Continue writing the message we started earlier */
710756a9
RS		 1928 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1929 || !TEST_size_t_eq(written, strlen(MSG1))
1930 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1931 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1932 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1933 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 1934 goto end;
5f982038 1935
3cb47b4e
MC		 1936 /*
1937 * Should block due to the NewSessionTicket arrival unless we're using
1938 * read_ahead
1939 */
02a3ed5a 1940 if (idx != 1) {
710756a9 1941 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
3cb47b4e 1942 goto end;
5f982038
MC		 1943 }
1944
710756a9
RS		 1945 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1946 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1947 goto end;
5f982038
MC		 1948
1949 testresult = 1;
1950
1951 end:
57dee9bb 1952 /* If using PSK then clientpsk and sess are the same */
5f982038 1953 SSL_SESSION_free(sess);
57dee9bb
MC		 1954 SSL_SESSION_free(serverpsk);
1955 clientpsk = serverpsk = NULL;
5f982038
MC		 1956 SSL_free(serverssl);
1957 SSL_free(clientssl);
1958 SSL_CTX_free(sctx);
1959 SSL_CTX_free(cctx);
5f982038
MC		 1960 return testresult;
1961}
1962
976e5323
MC		 1963static const char *servhostname;
1964
1965static int hostname_cb(SSL *s, int *al, void *arg)
1966{
1967 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1968
1969 if (hostname != NULL && strcmp(hostname, servhostname) == 0)
1970 return SSL_TLSEXT_ERR_OK;
1971
1972 return SSL_TLSEXT_ERR_NOACK;
1973}
1974
1975static const char *servalpn;
1976
c7558d5b
PY		 1977static int alpn_select_cb(SSL *ssl, const unsigned char **out,
1978 unsigned char *outlen, const unsigned char *in,
1979 unsigned int inlen, void *arg)
976e5323 1980{
c7558d5b 1981 unsigned int protlen = 0;
976e5323
MC		 1982 const unsigned char *prot;
1983
c7558d5b
PY		 1984 for (prot = in; prot < in + inlen; prot += protlen) {
1985 protlen = *prot++;
1986 if (in + inlen - prot < protlen)
976e5323
MC		 1987 return SSL_TLSEXT_ERR_NOACK;
1988
1989 if (protlen == strlen(servalpn)
0bd42fde 1990 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 1991 *out = prot;
1992 *outlen = protlen;
1993 return SSL_TLSEXT_ERR_OK;
1994 }
1995 }
1996
1997 return SSL_TLSEXT_ERR_NOACK;
1998}
1999
57dee9bb 2000/* Test that a PSK can be used to send early_data */
976e5323
MC		 2001static int test_early_data_psk(int idx)
2002{
2003 SSL_CTX *cctx = NULL, *sctx = NULL;
2004 SSL *clientssl = NULL, *serverssl = NULL;
2005 int testresult = 0;
2006 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2007 unsigned char alpnlist[] = {
2008 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2009 'l', 'p', 'n'
2010 };
2011#define GOODALPNLEN 9
2012#define BADALPNLEN 8
2013#define GOODALPN (alpnlist)
2014#define BADALPN (alpnlist + GOODALPNLEN)
2015 int err = 0;
976e5323
MC		 2016 unsigned char buf[20];
2017 size_t readbytes, written;
57dee9bb 2018 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2019 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2020
2021 /* We always set this up with a final parameter of "2" for PSK */
2022 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2023 &serverssl, &sess, 2)))
2024 goto end;
2025
2026 servhostname = "goodhost";
2027 servalpn = "goodalpn";
2028
57dee9bb
MC		 2029 /*
2030 * Note: There is no test for inconsistent SNI with late client detection.
2031 * This is because servers do not acknowledge SNI even if they are using
2032 * it in a resumption handshake - so it is not actually possible for a
2033 * client to detect a problem.
2034 */
976e5323
MC		 2035 switch (idx) {
2036 case 0:
57dee9bb 2037 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2038 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2039 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2040 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2041 goto end;
2042 break;
2043
2044 case 1:
57dee9bb 2045 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2046 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2047 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2048 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2049 GOODALPNLEN))
2050 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2051 BADALPNLEN)))
976e5323
MC		 2052 goto end;
2053 break;
2054
2055 case 2:
2056 /*
2057 * Set invalid protocol version. Technically this affects PSKs without
2058 * early_data too, but we test it here because it is similar to the
2059 * SNI/ALPN consistency tests.
2060 */
2061 err = SSL_R_BAD_PSK;
2062 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2063 goto end;
2064 break;
2065
2066 case 3:
2067 /*
2068 * Set inconsistent SNI (server detected). In this case the connection
2069 * will succeed but reject early_data.
2070 */
2071 servhostname = "badhost";
2072 edstatus = SSL_EARLY_DATA_REJECTED;
2073 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2074 /* Fall through */
2075 case 4:
2076 /* Set consistent SNI */
976e5323
MC		 2077 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2078 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2079 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2080 hostname_cb)))
2081 goto end;
2082 break;
2083
2084 case 5:
2085 /*
2086 * Set inconsistent ALPN (server detected). In this case the connection
2087 * will succeed but reject early_data.
2088 */
2089 servalpn = "badalpn";
2090 edstatus = SSL_EARLY_DATA_REJECTED;
2091 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2092 /* Fall through */
2093 case 6:
976e5323 2094 /*
57dee9bb 2095 * Set consistent ALPN.
976e5323
MC		 2096 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2097 * accepts a list of protos (each one length prefixed).
2098 * SSL_set1_alpn_selected accepts a single protocol (not length
2099 * prefixed)
2100 */
57dee9bb
MC		 2101 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2102 GOODALPNLEN - 1))
2103 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2104 GOODALPNLEN)))
976e5323
MC		 2105 goto end;
2106
2107 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2108 break;
2109
57dee9bb
MC		 2110 case 7:
2111 /* Set inconsistent ALPN (late client detection) */
2112 SSL_SESSION_free(serverpsk);
2113 serverpsk = SSL_SESSION_dup(clientpsk);
2114 if (!TEST_ptr(serverpsk)
2115 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2116 BADALPN + 1,
2117 BADALPNLEN - 1))
2118 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2119 GOODALPN + 1,
2120 GOODALPNLEN - 1))
2121 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2122 sizeof(alpnlist))))
2123 goto end;
2124 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2125 edstatus = SSL_EARLY_DATA_ACCEPTED;
2126 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2127 /* SSL_connect() call should fail */
2128 connectres = -1;
2129 break;
2130
976e5323
MC		 2131 default:
2132 TEST_error("Bad test index");
2133 goto end;
2134 }
2135
2136 SSL_set_connect_state(clientssl);
2137 if (err != 0) {
2138 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2139 &written))
2140 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2141 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2142 goto end;
2143 } else {
2144 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2145 &written)))
2146 goto end;
2147
2148 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2149 &readbytes), readearlyres)
976e5323
MC		 2150 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2151 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2152 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2153 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2154 goto end;
2155 }
2156
2157 testresult = 1;
2158
2159 end:
57dee9bb
MC		 2160 SSL_SESSION_free(clientpsk);
2161 SSL_SESSION_free(serverpsk);
2162 clientpsk = serverpsk = NULL;
976e5323
MC		 2163 SSL_free(serverssl);
2164 SSL_free(clientssl);
2165 SSL_CTX_free(sctx);
2166 SSL_CTX_free(cctx);
2167 return testresult;
2168}
2169
710756a9
RS		 2170/*
2171 * Test that a server that doesn't try to read early data can handle a
2172 * client sending some.
2173 */
3cb47b4e 2174static int test_early_data_not_expected(int idx)
5f982038
MC		 2175{
2176 SSL_CTX *cctx = NULL, *sctx = NULL;
2177 SSL *clientssl = NULL, *serverssl = NULL;
2178 int testresult = 0;
018fcbec 2179 SSL_SESSION *sess = NULL;
5f982038
MC		 2180 unsigned char buf[20];
2181 size_t readbytes, written;
2182
710756a9
RS		 2183 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2184 &serverssl, &sess, idx)))
5f982038
MC		 2185 goto end;
2186
2187 /* Write some early data */
710756a9
RS		 2188 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2189 &written)))
5f982038 2190 goto end;
5f982038
MC		 2191
2192 /*
2193 * Server should skip over early data and then block waiting for client to
2194 * continue handshake
2195 */
710756a9
RS		 2196 if (!TEST_int_le(SSL_accept(serverssl), 0)
2197 || !TEST_int_gt(SSL_connect(clientssl), 0)
2198 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2199 SSL_EARLY_DATA_REJECTED)
2200 || !TEST_int_gt(SSL_accept(serverssl), 0)
2201 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2202 SSL_EARLY_DATA_REJECTED))
5f982038 2203 goto end;
5f982038
MC		 2204
2205 /* Send some normal data from client to server */
710756a9
RS		 2206 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2207 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2208 goto end;
5f982038 2209
710756a9
RS		 2210 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2211 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2212 goto end;
5f982038
MC		 2213
2214 testresult = 1;
2215
2216 end:
57dee9bb 2217 /* If using PSK then clientpsk and sess are the same */
5f982038 2218 SSL_SESSION_free(sess);
57dee9bb
MC		 2219 SSL_SESSION_free(serverpsk);
2220 clientpsk = serverpsk = NULL;
5f982038
MC		 2221 SSL_free(serverssl);
2222 SSL_free(clientssl);
2223 SSL_CTX_free(sctx);
2224 SSL_CTX_free(cctx);
5f982038
MC		 2225 return testresult;
2226}
2227
2228
2229# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2230/*
2231 * Test that a server attempting to read early data can handle a connection
2232 * from a TLSv1.2 client.
2233 */
3cb47b4e 2234static int test_early_data_tls1_2(int idx)
5f982038
MC		 2235{
2236 SSL_CTX *cctx = NULL, *sctx = NULL;
2237 SSL *clientssl = NULL, *serverssl = NULL;
2238 int testresult = 0;
2239 unsigned char buf[20];
2240 size_t readbytes, written;
2241
02a3ed5a
MC		 2242 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2243 &serverssl, NULL, idx)))
5f982038 2244 goto end;
5f982038
MC		 2245
2246 /* Write some data - should block due to handshake with server */
2247 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2248 SSL_set_connect_state(clientssl);
710756a9 2249 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2250 goto end;
5f982038
MC		 2251
2252 /*
2253 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2254 * messages from client after ServerDone. Then SSL_read_early_data should
2255 * finish and detect that early data has not been sent
5f982038 2256 */
710756a9
RS		 2257 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2258 &readbytes),
2259 SSL_READ_EARLY_DATA_ERROR))
5f982038 2260 goto end;
5f982038
MC		 2261
2262 /*
2263 * Continue writing the message we started earlier. Will still block waiting
2264 * for the CCS/Finished from server
2265 */
710756a9
RS		 2266 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2267 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2268 &readbytes),
2269 SSL_READ_EARLY_DATA_FINISH)
2270 || !TEST_size_t_eq(readbytes, 0)
2271 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2272 SSL_EARLY_DATA_NOT_SENT))
5f982038 2273 goto end;
5f982038
MC		 2274
2275 /* Continue writing the message we started earlier */
710756a9
RS		 2276 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2277 || !TEST_size_t_eq(written, strlen(MSG1))
2278 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2279 SSL_EARLY_DATA_NOT_SENT)
2280 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2281 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2282 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2283 || !TEST_size_t_eq(written, strlen(MSG2))
2284 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2285 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2286 goto end;
5f982038
MC		 2287
2288 testresult = 1;
2289
2290 end:
57dee9bb
MC		 2291 /* If using PSK then clientpsk and sess are the same */
2292 SSL_SESSION_free(clientpsk);
2293 SSL_SESSION_free(serverpsk);
2294 clientpsk = serverpsk = NULL;
5f982038
MC		 2295 SSL_free(serverssl);
2296 SSL_free(clientssl);
2297 SSL_CTX_free(sctx);
2298 SSL_CTX_free(cctx);
2299
2300 return testresult;
2301}
ca0413ae
MC		 2302# endif /* OPENSSL_NO_TLS1_2 */
2303
2304static int test_ciphersuite_change(void)
2305{
2306 SSL_CTX *cctx = NULL, *sctx = NULL;
2307 SSL *clientssl = NULL, *serverssl = NULL;
2308 SSL_SESSION *clntsess = NULL;
2309 int testresult = 0;
2310 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2311
2312 /* Create a session based on SHA-256 */
2313 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2314 TLS_client_method(), &sctx,
2315 &cctx, cert, privkey))
2316 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2317 "TLS13-AES-128-GCM-SHA256"))
2318 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2319 &clientssl, NULL, NULL))
2320 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2321 SSL_ERROR_NONE)))
2322 goto end;
2323
2324 clntsess = SSL_get1_session(clientssl);
2325 /* Save for later */
2326 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2327 SSL_shutdown(clientssl);
2328 SSL_shutdown(serverssl);
2329 SSL_free(serverssl);
2330 SSL_free(clientssl);
2331 serverssl = clientssl = NULL;
2332
2333 /* Check we can resume a session with a different SHA-256 ciphersuite */
2334 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2335 "TLS13-CHACHA20-POLY1305-SHA256"))
2336 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2337 NULL, NULL))
2338 || !TEST_true(SSL_set_session(clientssl, clntsess))
2339 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2340 SSL_ERROR_NONE))
2341 || !TEST_true(SSL_session_reused(clientssl)))
2342 goto end;
2343
2344 SSL_SESSION_free(clntsess);
2345 clntsess = SSL_get1_session(clientssl);
2346 SSL_shutdown(clientssl);
2347 SSL_shutdown(serverssl);
2348 SSL_free(serverssl);
2349 SSL_free(clientssl);
2350 serverssl = clientssl = NULL;
2351
2352 /*
2353 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2354 * succeeds but does not resume.
ca0413ae
MC		 2355 */
2356 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2357 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2358 NULL, NULL))
2359 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2360 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2361 SSL_ERROR_SSL))
0de6d66d 2362 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2363 goto end;
2364
2365 SSL_SESSION_free(clntsess);
2366 clntsess = NULL;
2367 SSL_shutdown(clientssl);
2368 SSL_shutdown(serverssl);
2369 SSL_free(serverssl);
2370 SSL_free(clientssl);
2371 serverssl = clientssl = NULL;
2372
2373 /* Create a session based on SHA384 */
2374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2375 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2376 &clientssl, NULL, NULL))
2377 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2378 SSL_ERROR_NONE)))
2379 goto end;
2380
2381 clntsess = SSL_get1_session(clientssl);
2382 SSL_shutdown(clientssl);
2383 SSL_shutdown(serverssl);
2384 SSL_free(serverssl);
2385 SSL_free(clientssl);
2386 serverssl = clientssl = NULL;
2387
2388 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2389 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
0de6d66d
MC		 2390 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2391 "TLS13-AES-256-GCM-SHA384"))
ca0413ae
MC		 2392 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2393 NULL, NULL))
2394 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2395 /*
2396 * We use SSL_ERROR_WANT_READ below so that we can pause the
2397 * connection after the initial ClientHello has been sent to
2398 * enable us to make some session changes.
2399 */
ca0413ae
MC		 2400 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2401 SSL_ERROR_WANT_READ)))
2402 goto end;
2403
2404 /* Trick the client into thinking this session is for a different digest */
2405 clntsess->cipher = aes_128_gcm_sha256;
2406 clntsess->cipher_id = clntsess->cipher->id;
2407
2408 /*
3b0e88d3
MC		 2409 * Continue the previously started connection. Server has selected a SHA-384
2410 * ciphersuite, but client thinks the session is for SHA-256, so it should
2411 * bail out.
ca0413ae
MC		 2412 */
2413 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2414 SSL_ERROR_SSL))
2415 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2416 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2417 goto end;
2418
2419 testresult = 1;
2420
2421 end:
2422 SSL_SESSION_free(clntsess);
2423 SSL_free(serverssl);
2424 SSL_free(clientssl);
2425 SSL_CTX_free(sctx);
2426 SSL_CTX_free(cctx);
2427
2428 return testresult;
2429}
2430
ca8c71ba
MC		 2431static int test_tls13_psk(void)
2432{
2433 SSL_CTX *sctx = NULL, *cctx = NULL;
2434 SSL *serverssl = NULL, *clientssl = NULL;
2435 const SSL_CIPHER *cipher = NULL;
2436 const unsigned char key[] = {
2437 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2438 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2439 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2440 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2441 };
2442 int testresult = 0;
2443
2444 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2445 TLS_client_method(), &sctx,
2446 &cctx, cert, privkey)))
2447 goto end;
2448
2449 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2450 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2451 srvid = pskid;
02a3ed5a
MC		 2452 use_session_cb_cnt = 0;
2453 find_session_cb_cnt = 0;
ca8c71ba
MC		 2454
2455 /* Check we can create a connection if callback decides not to send a PSK */
2456 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2457 NULL, NULL))
2458 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2459 SSL_ERROR_NONE))
2460 || !TEST_false(SSL_session_reused(clientssl))
2461 || !TEST_false(SSL_session_reused(serverssl))
2462 || !TEST_true(use_session_cb_cnt == 1)
2463 || !TEST_true(find_session_cb_cnt == 0))
2464 goto end;
2465
2466 shutdown_ssl_connection(serverssl, clientssl);
2467 serverssl = clientssl = NULL;
2468 use_session_cb_cnt = 0;
2469
2470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2471 NULL, NULL)))
2472 goto end;
2473
2474 /* Create the PSK */
2475 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 2476 clientpsk = SSL_SESSION_new();
2477 if (!TEST_ptr(clientpsk)
ca8c71ba 2478 || !TEST_ptr(cipher)
57dee9bb
MC		 2479 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2480 sizeof(key)))
2481 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2482 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2483 TLS1_3_VERSION))
2484 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 2485 goto end;
57dee9bb 2486 serverpsk = clientpsk;
ca8c71ba
MC		 2487
2488 /* Check we can create a connection and the PSK is used */
2489 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2490 || !TEST_true(SSL_session_reused(clientssl))
2491 || !TEST_true(SSL_session_reused(serverssl))
2492 || !TEST_true(use_session_cb_cnt == 1)
2493 || !TEST_true(find_session_cb_cnt == 1))
2494 goto end;
2495
2496 shutdown_ssl_connection(serverssl, clientssl);
2497 serverssl = clientssl = NULL;
2498 use_session_cb_cnt = find_session_cb_cnt = 0;
2499
2500 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2501 NULL, NULL)))
2502 goto end;
2503
2504 /* Force an HRR */
2505 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2506 goto end;
2507
2508 /*
2509 * Check we can create a connection, the PSK is used and the callbacks are
2510 * called twice.
2511 */
2512 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2513 || !TEST_true(SSL_session_reused(clientssl))
2514 || !TEST_true(SSL_session_reused(serverssl))
2515 || !TEST_true(use_session_cb_cnt == 2)
2516 || !TEST_true(find_session_cb_cnt == 2))
2517 goto end;
2518
2519 shutdown_ssl_connection(serverssl, clientssl);
2520 serverssl = clientssl = NULL;
2521 use_session_cb_cnt = find_session_cb_cnt = 0;
2522
2523 /*
2524 * Check that if the server rejects the PSK we can still connect, but with
2525 * a full handshake
2526 */
2527 srvid = "Dummy Identity";
2528 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2529 NULL, NULL))
2530 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2531 SSL_ERROR_NONE))
2532 || !TEST_false(SSL_session_reused(clientssl))
2533 || !TEST_false(SSL_session_reused(serverssl))
2534 || !TEST_true(use_session_cb_cnt == 1)
2535 || !TEST_true(find_session_cb_cnt == 1))
2536 goto end;
2537
2538 shutdown_ssl_connection(serverssl, clientssl);
2539 serverssl = clientssl = NULL;
2540 testresult = 1;
2541
2542 end:
57dee9bb
MC		 2543 SSL_SESSION_free(clientpsk);
2544 SSL_SESSION_free(serverpsk);
2545 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 2546 SSL_free(serverssl);
2547 SSL_free(clientssl);
2548 SSL_CTX_free(sctx);
2549 SSL_CTX_free(cctx);
2550 return testresult;
2551}
2552
ca0413ae 2553#endif /* OPENSSL_NO_TLS1_3 */
5f982038 2554
a37008d9
MC		 2555static int clntaddoldcb = 0;
2556static int clntparseoldcb = 0;
2557static int srvaddoldcb = 0;
2558static int srvparseoldcb = 0;
2559static int clntaddnewcb = 0;
2560static int clntparsenewcb = 0;
2561static int srvaddnewcb = 0;
2562static int srvparsenewcb = 0;
bb01ef3f 2563static int snicb = 0;
a37008d9
MC		 2564
2565#define TEST_EXT_TYPE1 0xff00
2566
2567static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2568 size_t *outlen, int *al, void *add_arg)
2569{
2570 int *server = (int *)add_arg;
2571 unsigned char *data;
2572
2573 if (SSL_is_server(s))
2574 srvaddoldcb++;
2575 else
2576 clntaddoldcb++;
2577
710756a9
RS		 2578 if (*server != SSL_is_server(s)
2579 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2580 return -1;
2581
2582 *data = 1;
2583 *out = data;
2584 *outlen = sizeof(char);
a37008d9
MC		 2585 return 1;
2586}
2587
2588static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2589 void *add_arg)
2590{
2591 OPENSSL_free((unsigned char *)out);
2592}
2593
2594static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2595 size_t inlen, int *al, void *parse_arg)
2596{
2597 int *server = (int *)parse_arg;
2598
2599 if (SSL_is_server(s))
2600 srvparseoldcb++;
2601 else
2602 clntparseoldcb++;
2603
710756a9
RS		 2604 if (*server != SSL_is_server(s)
2605 || inlen != sizeof(char)
2606 || *in != 1)
a37008d9
MC		 2607 return -1;
2608
2609 return 1;
2610}
2611
2612static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2613 const unsigned char **out, size_t *outlen, X509 *x,
2614 size_t chainidx, int *al, void *add_arg)
2615{
2616 int *server = (int *)add_arg;
2617 unsigned char *data;
2618
2619 if (SSL_is_server(s))
2620 srvaddnewcb++;
2621 else
2622 clntaddnewcb++;
2623
710756a9
RS		 2624 if (*server != SSL_is_server(s)
2625 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2626 return -1;
2627
2628 *data = 1;
2629 *out = data;
710756a9 2630 *outlen = sizeof(*data);
a37008d9
MC		 2631 return 1;
2632}
2633
2634static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2635 const unsigned char *out, void *add_arg)
2636{
2637 OPENSSL_free((unsigned char *)out);
2638}
2639
2640static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2641 const unsigned char *in, size_t inlen, X509 *x,
2642 size_t chainidx, int *al, void *parse_arg)
2643{
2644 int *server = (int *)parse_arg;
2645
2646 if (SSL_is_server(s))
2647 srvparsenewcb++;
2648 else
2649 clntparsenewcb++;
2650
710756a9
RS		 2651 if (*server != SSL_is_server(s)
2652 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 2653 return -1;
2654
2655 return 1;
2656}
bb01ef3f
MC		 2657
2658static int sni_cb(SSL *s, int *al, void *arg)
2659{
2660 SSL_CTX *ctx = (SSL_CTX *)arg;
2661
2662 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2663 *al = SSL_AD_INTERNAL_ERROR;
2664 return SSL_TLSEXT_ERR_ALERT_FATAL;
2665 }
2666 snicb++;
2667 return SSL_TLSEXT_ERR_OK;
2668}
2669
a37008d9
MC		 2670/*
2671 * Custom call back tests.
2672 * Test 0: Old style callbacks in TLSv1.2
2673 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 2674 * Test 2: New style callbacks in TLSv1.2 with SNI
2675 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2676 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 2677 */
710756a9
RS		 2678static int test_custom_exts(int tst)
2679{
bb01ef3f 2680 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 2681 SSL *clientssl = NULL, *serverssl = NULL;
2682 int testresult = 0;
2683 static int server = 1;
2684 static int client = 0;
2685 SSL_SESSION *sess = NULL;
2686 unsigned int context;
2687
2688 /* Reset callback counters */
2689 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2690 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 2691 snicb = 0;
a37008d9 2692
710756a9
RS		 2693 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2694 TLS_client_method(), &sctx,
2695 &cctx, cert, privkey)))
2696 goto end;
a37008d9 2697
bb01ef3f
MC		 2698 if (tst == 2
2699 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2700 NULL, cert, privkey)))
2701 goto end;
2702
2703
2704 if (tst < 3) {
a37008d9
MC		 2705 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2706 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 2707 if (sctx2 != NULL)
2708 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 2709 }
2710
bb01ef3f 2711 if (tst == 4) {
710756a9
RS		 2712 context = SSL_EXT_CLIENT_HELLO
2713 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 2714 | SSL_EXT_TLS1_3_SERVER_HELLO
2715 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2716 | SSL_EXT_TLS1_3_CERTIFICATE
2717 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2718 } else {
710756a9
RS		 2719 context = SSL_EXT_CLIENT_HELLO
2720 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 2721 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2722 }
2723
2724 /* Create a client side custom extension */
2725 if (tst == 0) {
710756a9
RS		 2726 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2727 old_add_cb, old_free_cb,
2728 &client, old_parse_cb,
2729 &client)))
2730 goto end;
a37008d9 2731 } else {
710756a9
RS		 2732 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2733 new_add_cb, new_free_cb,
2734 &client, new_parse_cb, &client)))
2735 goto end;
a37008d9
MC		 2736 }
2737
2738 /* Should not be able to add duplicates */
710756a9
RS		 2739 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2740 old_add_cb, old_free_cb,
2741 &client, old_parse_cb,
2742 &client))
2743 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2744 context, new_add_cb,
2745 new_free_cb, &client,
2746 new_parse_cb, &client)))
2747 goto end;
a37008d9
MC		 2748
2749 /* Create a server side custom extension */
2750 if (tst == 0) {
710756a9
RS		 2751 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2752 old_add_cb, old_free_cb,
2753 &server, old_parse_cb,
2754 &server)))
2755 goto end;
a37008d9 2756 } else {
710756a9
RS		 2757 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2758 new_add_cb, new_free_cb,
2759 &server, new_parse_cb, &server)))
2760 goto end;
bb01ef3f
MC		 2761 if (sctx2 != NULL
2762 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2763 context, new_add_cb,
2764 new_free_cb, &server,
2765 new_parse_cb, &server)))
2766 goto end;
a37008d9
MC		 2767 }
2768
2769 /* Should not be able to add duplicates */
710756a9
RS		 2770 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2771 old_add_cb, old_free_cb,
2772 &server, old_parse_cb,
2773 &server))
2774 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2775 context, new_add_cb,
2776 new_free_cb, &server,
2777 new_parse_cb, &server)))
a37008d9 2778 goto end;
a37008d9 2779
bb01ef3f
MC		 2780 if (tst == 2) {
2781 /* Set up SNI */
2782 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2783 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2784 goto end;
2785 }
2786
710756a9
RS		 2787 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2788 &clientssl, NULL, NULL))
2789 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2790 SSL_ERROR_NONE)))
a37008d9 2791 goto end;
a37008d9
MC		 2792
2793 if (tst == 0) {
710756a9
RS		 2794 if (clntaddoldcb != 1
2795 || clntparseoldcb != 1
2796 || srvaddoldcb != 1
2797 || srvparseoldcb != 1)
a37008d9 2798 goto end;
bb01ef3f 2799 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 2800 if (clntaddnewcb != 1
2801 || clntparsenewcb != 1
2802 || srvaddnewcb != 1
bb01ef3f
MC		 2803 || srvparsenewcb != 1
2804 || (tst != 2 && snicb != 0)
2805 || (tst == 2 && snicb != 1))
a37008d9 2806 goto end;
a37008d9 2807 } else {
710756a9
RS		 2808 if (clntaddnewcb != 1
2809 || clntparsenewcb != 4
2810 || srvaddnewcb != 4
2811 || srvparsenewcb != 1)
a37008d9 2812 goto end;
a37008d9
MC		 2813 }
2814
2815 sess = SSL_get1_session(clientssl);
a37008d9
MC		 2816 SSL_shutdown(clientssl);
2817 SSL_shutdown(serverssl);
a37008d9
MC		 2818 SSL_free(serverssl);
2819 SSL_free(clientssl);
2820 serverssl = clientssl = NULL;
2821
bb01ef3f
MC		 2822 if (tst == 3) {
2823 /* We don't bother with the resumption aspects for this test */
2824 testresult = 1;
2825 goto end;
2826 }
2827
710756a9
RS		 2828 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2829 NULL, NULL))
2830 || !TEST_true(SSL_set_session(clientssl, sess))
2831 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2832 SSL_ERROR_NONE)))
a37008d9 2833 goto end;
a37008d9
MC		 2834
2835 /*
2836 * For a resumed session we expect to add the ClientHello extension. For the
2837 * old style callbacks we ignore it on the server side because they set
2838 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2839 * them.
2840 */
2841 if (tst == 0) {
710756a9
RS		 2842 if (clntaddoldcb != 2
2843 || clntparseoldcb != 1
2844 || srvaddoldcb != 1
2845 || srvparseoldcb != 1)
a37008d9 2846 goto end;
bb01ef3f 2847 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 2848 if (clntaddnewcb != 2
2849 || clntparsenewcb != 2
2850 || srvaddnewcb != 2
2851 || srvparsenewcb != 2)
a37008d9 2852 goto end;
a37008d9
MC		 2853 } else {
2854 /* No Certificate message extensions in the resumption handshake */
710756a9
RS		 2855 if (clntaddnewcb != 2
2856 || clntparsenewcb != 7
2857 || srvaddnewcb != 7
2858 || srvparsenewcb != 2)
a37008d9 2859 goto end;
a37008d9
MC		 2860 }
2861
2862 testresult = 1;
2863
2864end:
2865 SSL_SESSION_free(sess);
2866 SSL_free(serverssl);
2867 SSL_free(clientssl);
bb01ef3f 2868 SSL_CTX_free(sctx2);
a37008d9
MC		 2869 SSL_CTX_free(sctx);
2870 SSL_CTX_free(cctx);
a37008d9
MC		 2871 return testresult;
2872}
2873
16afd71c
MC		 2874/*
2875 * Test loading of serverinfo data in various formats. test_sslmessages actually
2876 * tests to make sure the extensions appear in the handshake
2877 */
2878static int test_serverinfo(int tst)
2879{
2880 unsigned int version;
2881 unsigned char *sibuf;
2882 size_t sibuflen;
2883 int ret, expected, testresult = 0;
2884 SSL_CTX *ctx;
2885
2886 ctx = SSL_CTX_new(TLS_method());
2887 if (!TEST_ptr(ctx))
2888 goto end;
2889
2890 if ((tst & 0x01) == 0x01)
2891 version = SSL_SERVERINFOV2;
2892 else
2893 version = SSL_SERVERINFOV1;
2894
2895 if ((tst & 0x02) == 0x02) {
2896 sibuf = serverinfov2;
2897 sibuflen = sizeof(serverinfov2);
2898 expected = (version == SSL_SERVERINFOV2);
2899 } else {
2900 sibuf = serverinfov1;
2901 sibuflen = sizeof(serverinfov1);
2902 expected = (version == SSL_SERVERINFOV1);
2903 }
2904
2905 if ((tst & 0x04) == 0x04) {
2906 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
2907 } else {
2908 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
2909
2910 /*
2911 * The version variable is irrelevant in this case - it's what is in the
2912 * buffer that matters
2913 */
2914 if ((tst & 0x02) == 0x02)
2915 expected = 0;
2916 else
2917 expected = 1;
2918 }
2919
2920 if (!TEST_true(ret == expected))
2921 goto end;
2922
2923 testresult = 1;
2924
2925 end:
2926 SSL_CTX_free(ctx);
2927
2928 return testresult;
2929}
2930
2197d1df
MC		 2931/*
2932 * Test that SSL_export_keying_material() produces expected results. There are
2933 * no test vectors so all we do is test that both sides of the communication
2934 * produce the same results for different protocol versions.
2935 */
2936static int test_export_key_mat(int tst)
2937{
a599574b 2938 int testresult = 0;
2197d1df
MC		 2939 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
2940 SSL *clientssl = NULL, *serverssl = NULL;
2941 const char label[] = "test label";
2942 const unsigned char context[] = "context";
2943 const unsigned char *emptycontext = NULL;
2944 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
2945 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 2946 const int protocols[] = {
2947 TLS1_VERSION,
2948 TLS1_1_VERSION,
2949 TLS1_2_VERSION,
2950 TLS1_3_VERSION
2951 };
2197d1df
MC		 2952
2953#ifdef OPENSSL_NO_TLS1
2954 if (tst == 0)
2955 return 1;
2956#endif
2957#ifdef OPENSSL_NO_TLS1_1
2958 if (tst == 1)
2959 return 1;
2960#endif
2961#ifdef OPENSSL_NO_TLS1_2
2962 if (tst == 2)
2963 return 1;
2964#endif
2965#ifdef OPENSSL_NO_TLS1_3
2966 if (tst == 3)
2967 return 1;
2968#endif
2969 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2970 TLS_client_method(), &sctx,
2971 &cctx, cert, privkey)))
2972 goto end;
2973
a599574b
MC		 2974 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
2975 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
2976 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 2977
2978 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
2979 NULL))
2980 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2981 SSL_ERROR_NONE)))
2982 goto end;
2983
2984 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
2985 sizeof(ckeymat1), label,
2986 sizeof(label) - 1, context,
2987 sizeof(context) - 1, 1), 1)
2988 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
2989 sizeof(ckeymat2), label,
2990 sizeof(label) - 1,
2991 emptycontext,
2992 0, 1), 1)
2993 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
2994 sizeof(ckeymat3), label,
2995 sizeof(label) - 1,
2996 NULL, 0, 0), 1)
2997 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
2998 sizeof(skeymat1), label,
2999 sizeof(label) - 1,
3000 context,
3001 sizeof(context) -1, 1),
3002 1)
3003 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3004 sizeof(skeymat2), label,
3005 sizeof(label) - 1,
3006 emptycontext,
3007 0, 1), 1)
3008 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3009 sizeof(skeymat3), label,
3010 sizeof(label) - 1,
3011 NULL, 0, 0), 1)
3012 /*
3013 * Check that both sides created the same key material with the
3014 * same context.
3015 */
3016 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3017 sizeof(skeymat1))
3018 /*
3019 * Check that both sides created the same key material with an
3020 * empty context.
3021 */
3022 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3023 sizeof(skeymat2))
3024 /*
3025 * Check that both sides created the same key material without a
3026 * context.
3027 */
3028 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3029 sizeof(skeymat3))
3030 /* Different contexts should produce different results */
3031 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3032 sizeof(ckeymat2)))
3033 goto end;
3034
3035 /*
3036 * Check that an empty context and no context produce different results in
3037 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3038 */
3039 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3040 sizeof(ckeymat3)))
3041 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3042 sizeof(ckeymat3))))
3043 goto end;
3044
3045 testresult = 1;
3046
3047 end:
3048 SSL_free(serverssl);
3049 SSL_free(clientssl);
3050 SSL_CTX_free(sctx2);
3051 SSL_CTX_free(sctx);
3052 SSL_CTX_free(cctx);
3053
3054 return testresult;
3055}
3056
e11b6aa4
MC		 3057static int test_ssl_clear(int idx)
3058{
3059 SSL_CTX *cctx = NULL, *sctx = NULL;
3060 SSL *clientssl = NULL, *serverssl = NULL;
3061 int testresult = 0;
3062
3063#ifdef OPENSSL_NO_TLS1_2
3064 if (idx == 1)
3065 return 1;
3066#endif
3067
3068 /* Create an initial connection */
3069 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3070 TLS_client_method(), &sctx,
3071 &cctx, cert, privkey))
3072 || (idx == 1
3073 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3074 TLS1_2_VERSION)))
3075 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3076 &clientssl, NULL, NULL))
3077 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3078 SSL_ERROR_NONE)))
3079 goto end;
3080
3081 SSL_shutdown(clientssl);
3082 SSL_shutdown(serverssl);
3083 SSL_free(serverssl);
3084 serverssl = NULL;
3085
3086 /* Clear clientssl - we're going to reuse the object */
3087 if (!TEST_true(SSL_clear(clientssl)))
3088 goto end;
3089
3090 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3091 NULL, NULL))
3092 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3093 SSL_ERROR_NONE))
3094 || !TEST_true(SSL_session_reused(clientssl)))
3095 goto end;
3096
3097 SSL_shutdown(clientssl);
3098 SSL_shutdown(serverssl);
3099
3100 testresult = 1;
3101
3102 end:
3103 SSL_free(serverssl);
3104 SSL_free(clientssl);
3105 SSL_CTX_free(sctx);
3106 SSL_CTX_free(cctx);
3107
3108 return testresult;
3109}
3110
ad887416 3111int setup_tests(void)
2cb4b5f6 3112{
ad887416
P		 3113 if (!TEST_ptr(cert = test_get_argument(0))
3114 || !TEST_ptr(privkey = test_get_argument(1)))
710756a9 3115 return 0;
2cb4b5f6 3116
84d5549e 3117 ADD_TEST(test_large_message_tls);
7856332e 3118 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 3119#ifndef OPENSSL_NO_DTLS
84d5549e 3120 ADD_TEST(test_large_message_dtls);
55386bef 3121#endif
8f8c11d8 3122#ifndef OPENSSL_NO_OCSP
c887104f 3123 ADD_TEST(test_tlsext_status_type);
8f8c11d8 3124#endif
eaa776da
MC		 3125 ADD_TEST(test_session_with_only_int_cache);
3126 ADD_TEST(test_session_with_only_ext_cache);
3127 ADD_TEST(test_session_with_both_cache);
7fb4c820 3128 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 3129 ADD_TEST(test_ssl_bio_pop_next_bio);
3130 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3131 ADD_TEST(test_ssl_bio_change_rbio);
3132 ADD_TEST(test_ssl_bio_change_wbio);
f1b25aae 3133 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5
CB		 3134 ADD_TEST(test_keylog);
3135#ifndef OPENSSL_NO_TLS1_3
3136 ADD_TEST(test_keylog_no_master_key);
3137#endif
e9ee6536 3138#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 3139 ADD_TEST(test_client_hello_cb);
5f982038
MC		 3140#endif
3141#ifndef OPENSSL_NO_TLS1_3
02a3ed5a
MC		 3142 ADD_ALL_TESTS(test_early_data_read_write, 3);
3143 ADD_ALL_TESTS(test_early_data_skip, 3);
3144 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3145 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 3146 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 3147 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 3148# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 3149 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 3150# endif
e9ee6536 3151#endif
a273157a 3152#ifndef OPENSSL_NO_TLS1_3
ca0413ae 3153 ADD_TEST(test_ciphersuite_change);
ca8c71ba 3154 ADD_TEST(test_tls13_psk);
bb01ef3f 3155 ADD_ALL_TESTS(test_custom_exts, 5);
a273157a 3156#else
bb01ef3f 3157 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 3158#endif
16afd71c 3159 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 3160 ADD_ALL_TESTS(test_export_key_mat, 4);
e11b6aa4 3161 ADD_ALL_TESTS(test_ssl_clear, 2);
ad887416
P		 3162 return 1;
3163}
2cb4b5f6 3164
ad887416
P		 3165void cleanup_tests(void)
3166{
fa454945 3167 bio_s_mempacket_test_free();
2cb4b5f6 3168}
A mirror of the official openssl repository