]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Extend the multi_resume test for simultaneous resumptions
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
da1c088f 2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
92d7120c 35#include <openssl/dh.h>
b718f6fc 36#include <openssl/engine.h>
2cb4b5f6 37
20f8bc72 38#include "helpers/ssltestlib.h"
c887104f 39#include "testutil.h"
f297e4ec 40#include "testutil/output.h"
176db6dc 41#include "internal/nelem.h"
2b4cea1e 42#include "internal/tlsgroups.h"
fe5d9450 43#include "internal/ktls.h"
706457b7 44#include "../ssl/ssl_local.h"
0755722c 45#include "../ssl/record/methods/recmethod_local.h"
b0001d0c 46#include "filterprov.h"
2cb4b5f6 47
a763ca11
MC		 48#undef OSSL_NO_USABLE_TLS1_3
49#if defined(OPENSSL_NO_TLS1_3) \
50 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
51/*
52 * If we don't have ec or dh then there are no built-in groups that are usable
53 * with TLSv1.3
54 */
55# define OSSL_NO_USABLE_TLS1_3
56#endif
57
0c13cdf8
MC		 58/* Defined in tls-provider.c */
59int tls_provider_init(const OSSL_CORE_HANDLE *handle,
60 const OSSL_DISPATCH *in,
61 const OSSL_DISPATCH **out,
62 void **provctx);
852c2ed2 63
b4250010 64static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 65static OSSL_PROVIDER *defctxnull = NULL;
66
a763ca11 67#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 68
69static SSL_SESSION *clientpsk = NULL;
70static SSL_SESSION *serverpsk = NULL;
71static const char *pskid = "Identity";
72static const char *srvid;
73
74static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
75 size_t *idlen, SSL_SESSION **sess);
76static int find_session_cb(SSL *ssl, const unsigned char *identity,
77 size_t identity_len, SSL_SESSION **sess);
78
79static int use_session_cb_cnt = 0;
80static int find_session_cb_cnt = 0;
8614a4eb
MC		 81#endif
82
1a2a3a42 83static char *certsdir = NULL;
2cb4b5f6
MC		 84static char *cert = NULL;
85static char *privkey = NULL;
b3842539
MC		 86static char *cert2 = NULL;
87static char *privkey2 = NULL;
3105d846
MC		 88static char *cert1024 = NULL;
89static char *privkey1024 = NULL;
90static char *cert3072 = NULL;
91static char *privkey3072 = NULL;
92static char *cert4096 = NULL;
93static char *privkey4096 = NULL;
94static char *cert8192 = NULL;
95static char *privkey8192 = NULL;
76fd7a1d
MC		 96static char *srpvfile = NULL;
97static char *tmpfilename = NULL;
b2b8d188 98static char *dhfile = NULL;
2cb4b5f6 99
4f6c7044 100static int is_fips = 0;
50ea5cdc 101static int fips_ems_check = 0;
4f6c7044 102
cffe973c 103#define LOG_BUFFER_SIZE 2048
6acdd3e5 104static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 105static size_t server_log_buffer_index = 0;
6acdd3e5 106static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 107static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 108static int error_writing_log = 0;
109
8f8c11d8 110#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 111static const unsigned char orespder[] = "Dummy OCSP Response";
112static int ocsp_server_called = 0;
113static int ocsp_client_called = 0;
114
115static int cdummyarg = 1;
116static X509 *ocspcert = NULL;
8f8c11d8 117#endif
ba881d3b 118
cf72c757 119#define CLIENT_VERSION_LEN 2
84d5549e 120
f1a5939f
CB		 121/*
122 * This structure is used to validate that the correct number of log messages
123 * of various types are emitted when emitting secret logs.
124 */
125struct sslapitest_log_counts {
126 unsigned int rsa_key_exchange_count;
127 unsigned int master_secret_count;
cffe973c 128 unsigned int client_early_secret_count;
f1a5939f
CB		 129 unsigned int client_handshake_secret_count;
130 unsigned int server_handshake_secret_count;
131 unsigned int client_application_secret_count;
132 unsigned int server_application_secret_count;
01a2a654 133 unsigned int early_exporter_secret_count;
6329ce8f 134 unsigned int exporter_secret_count;
f1a5939f
CB		 135};
136
16afd71c 137
104a733d
MC		 138static int hostname_cb(SSL *s, int *al, void *arg)
139{
140 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
141
142 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
143 || strcmp(hostname, "altgoodhost") == 0))
144 return SSL_TLSEXT_ERR_OK;
145
146 return SSL_TLSEXT_ERR_NOACK;
147}
148
710756a9
RS		 149static void client_keylog_callback(const SSL *ssl, const char *line)
150{
6acdd3e5
CB		 151 int line_length = strlen(line);
152
153 /* If the log doesn't fit, error out. */
710756a9
RS		 154 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
155 TEST_info("Client log too full");
6acdd3e5
CB		 156 error_writing_log = 1;
157 return;
158 }
159
160 strcat(client_log_buffer, line);
161 client_log_buffer_index += line_length;
710756a9 162 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 163}
164
710756a9
RS		 165static void server_keylog_callback(const SSL *ssl, const char *line)
166{
6acdd3e5
CB		 167 int line_length = strlen(line);
168
169 /* If the log doesn't fit, error out. */
710756a9 170 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 171 TEST_info("Server log too full");
6acdd3e5
CB		 172 error_writing_log = 1;
173 return;
174 }
175
176 strcat(server_log_buffer, line);
177 server_log_buffer_index += line_length;
710756a9 178 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 179}
180
181static int compare_hex_encoded_buffer(const char *hex_encoded,
182 size_t hex_length,
183 const uint8_t *raw,
710756a9
RS		 184 size_t raw_length)
185{
186 size_t i, j;
187 char hexed[3];
6acdd3e5 188
710756a9 189 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 190 return 1;
6acdd3e5 191
710756a9 192 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 193 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 194 if (!TEST_int_eq(hexed[0], hex_encoded[j])
195 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 196 return 1;
6acdd3e5
CB		 197 }
198
199 return 0;
200}
201
202static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 203 const SSL_SESSION *session,
710756a9
RS		 204 struct sslapitest_log_counts *expected)
205{
6acdd3e5
CB		 206 char *token = NULL;
207 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
208 size_t client_random_size = SSL3_RANDOM_SIZE;
209 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
210 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 211 unsigned int rsa_key_exchange_count = 0;
212 unsigned int master_secret_count = 0;
cffe973c 213 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 214 unsigned int client_handshake_secret_count = 0;
215 unsigned int server_handshake_secret_count = 0;
216 unsigned int client_application_secret_count = 0;
217 unsigned int server_application_secret_count = 0;
01a2a654 218 unsigned int early_exporter_secret_count = 0;
6329ce8f 219 unsigned int exporter_secret_count = 0;
6acdd3e5 220
710756a9
RS		 221 for (token = strtok(buffer, " \n"); token != NULL;
222 token = strtok(NULL, " \n")) {
6acdd3e5 223 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 224 /*
225 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 226 * hex-encoded encrypted secret, then the hex-encoded pre-master
227 * secret.
228 */
710756a9 229 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 230 return 0;
710756a9 231 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 232 return 0;
710756a9 233 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 234 return 0;
f1a5939f
CB		 235 /*
236 * We can't sensibly check the log because the premaster secret is
237 * transient, and OpenSSL doesn't keep hold of it once the master
238 * secret is generated.
239 */
240 rsa_key_exchange_count++;
6acdd3e5 241 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 242 /*
243 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 244 * client random, then the hex-encoded master secret.
245 */
246 client_random_size = SSL_get_client_random(ssl,
247 actual_client_random,
248 SSL3_RANDOM_SIZE);
710756a9 249 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 250 return 0;
6acdd3e5 251
710756a9 252 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 253 return 0;
710756a9 254 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 255 return 0;
710756a9
RS		 256 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
257 actual_client_random,
258 client_random_size)))
f1a5939f 259 return 0;
6acdd3e5 260
710756a9 261 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 262 return 0;
6acdd3e5
CB		 263 master_key_size = SSL_SESSION_get_master_key(session,
264 actual_master_key,
265 master_key_size);
710756a9 266 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 267 return 0;
710756a9
RS		 268 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
269 actual_master_key,
270 master_key_size)))
f1a5939f 271 return 0;
f1a5939f 272 master_secret_count++;
cffe973c
PW		 273 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
274 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 275 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
276 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 277 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 278 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 279 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 280 /*
281 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
282 * client random, and then the hex-encoded secret. In this case,
283 * we treat all of these secrets identically and then just
284 * distinguish between them when counting what we saw.
285 */
cffe973c
PW		 286 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
287 client_early_secret_count++;
288 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 289 client_handshake_secret_count++;
290 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
291 server_handshake_secret_count++;
292 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
293 client_application_secret_count++;
294 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
295 server_application_secret_count++;
01a2a654
PW		 296 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
297 early_exporter_secret_count++;
6329ce8f
PW		 298 else if (strcmp(token, "EXPORTER_SECRET") == 0)
299 exporter_secret_count++;
f1a5939f
CB		 300
301 client_random_size = SSL_get_client_random(ssl,
302 actual_client_random,
303 SSL3_RANDOM_SIZE);
710756a9 304 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 305 return 0;
f1a5939f 306
710756a9 307 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 308 return 0;
710756a9 309 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 310 return 0;
710756a9
RS		 311 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
312 actual_client_random,
313 client_random_size)))
f1a5939f 314 return 0;
6acdd3e5 315
710756a9 316 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 317 return 0;
6acdd3e5 318 } else {
710756a9 319 TEST_info("Unexpected token %s\n", token);
f1a5939f 320 return 0;
6acdd3e5 321 }
6acdd3e5
CB		 322 }
323
710756a9
RS		 324 /* Got what we expected? */
325 if (!TEST_size_t_eq(rsa_key_exchange_count,
326 expected->rsa_key_exchange_count)
327 || !TEST_size_t_eq(master_secret_count,
328 expected->master_secret_count)
cffe973c
PW		 329 || !TEST_size_t_eq(client_early_secret_count,
330 expected->client_early_secret_count)
710756a9
RS		 331 || !TEST_size_t_eq(client_handshake_secret_count,
332 expected->client_handshake_secret_count)
333 || !TEST_size_t_eq(server_handshake_secret_count,
334 expected->server_handshake_secret_count)
335 || !TEST_size_t_eq(client_application_secret_count,
336 expected->client_application_secret_count)
337 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 338 expected->server_application_secret_count)
01a2a654
PW		 339 || !TEST_size_t_eq(early_exporter_secret_count,
340 expected->early_exporter_secret_count)
6329ce8f
PW		 341 || !TEST_size_t_eq(exporter_secret_count,
342 expected->exporter_secret_count))
710756a9
RS		 343 return 0;
344 return 1;
6acdd3e5
CB		 345}
346
a763ca11 347#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 348static int test_keylog(void)
349{
6acdd3e5
CB		 350 SSL_CTX *cctx = NULL, *sctx = NULL;
351 SSL *clientssl = NULL, *serverssl = NULL;
352 int testresult = 0;
6fc1e624 353 struct sslapitest_log_counts expected;
6acdd3e5
CB		 354
355 /* Clean up logging space */
6fc1e624 356 memset(&expected, 0, sizeof(expected));
710756a9
RS		 357 memset(client_log_buffer, 0, sizeof(client_log_buffer));
358 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 359 client_log_buffer_index = 0;
360 server_log_buffer_index = 0;
361 error_writing_log = 0;
362
5e30f2fd 363 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 364 TLS_client_method(),
5c587fb6 365 TLS1_VERSION, 0,
710756a9 366 &sctx, &cctx, cert, privkey)))
6acdd3e5 367 return 0;
6acdd3e5
CB		 368
369 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
370 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
371 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
372
f0deb4d3 373 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 374 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 375 goto end;
f0deb4d3 376
cf10df81
RS		 377 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
378 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 379 goto end;
6acdd3e5 380 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 381 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
382 == client_keylog_callback))
6acdd3e5 383 goto end;
710756a9 384 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 385 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
386 == server_keylog_callback))
6acdd3e5 387 goto end;
6acdd3e5 388
710756a9
RS		 389 /* Now do a handshake and check that the logs have been written to. */
390 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
391 &clientssl, NULL, NULL))
392 || !TEST_true(create_ssl_connection(serverssl, clientssl,
393 SSL_ERROR_NONE))
394 || !TEST_false(error_writing_log)
395 || !TEST_int_gt(client_log_buffer_index, 0)
396 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 397 goto end;
6acdd3e5 398
f1a5939f
CB		 399 /*
400 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 401 * do that by using strtok and confirming that we have more or less the
f1a5939f 402 * data we expect. For both client and server, we expect to see one master
a63fa5f7 403 * secret. The client should also see an RSA key exchange.
6acdd3e5 404 */
f1a5939f
CB		 405 expected.rsa_key_exchange_count = 1;
406 expected.master_secret_count = 1;
710756a9
RS		 407 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
408 SSL_get_session(clientssl), &expected)))
6acdd3e5 409 goto end;
f1a5939f
CB		 410
411 expected.rsa_key_exchange_count = 0;
710756a9
RS		 412 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
413 SSL_get_session(serverssl), &expected)))
6acdd3e5 414 goto end;
6acdd3e5
CB		 415
416 testresult = 1;
417
418end:
419 SSL_free(serverssl);
420 SSL_free(clientssl);
421 SSL_CTX_free(sctx);
422 SSL_CTX_free(cctx);
423
424 return testresult;
425}
c423ecaa 426#endif
6acdd3e5 427
a763ca11 428#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 429static int test_keylog_no_master_key(void)
430{
6acdd3e5
CB		 431 SSL_CTX *cctx = NULL, *sctx = NULL;
432 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 433 SSL_SESSION *sess = NULL;
6acdd3e5 434 int testresult = 0;
6fc1e624 435 struct sslapitest_log_counts expected;
cffe973c
PW		 436 unsigned char buf[1];
437 size_t readbytes, written;
6acdd3e5
CB		 438
439 /* Clean up logging space */
6fc1e624 440 memset(&expected, 0, sizeof(expected));
710756a9
RS		 441 memset(client_log_buffer, 0, sizeof(client_log_buffer));
442 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 443 client_log_buffer_index = 0;
444 server_log_buffer_index = 0;
445 error_writing_log = 0;
446
5e30f2fd
MC		 447 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
448 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 449 &sctx, &cctx, cert, privkey))
450 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 451 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 452 return 0;
6acdd3e5 453
cf10df81
RS		 454 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
455 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 456 goto end;
6acdd3e5
CB		 457
458 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 459 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
460 == client_keylog_callback))
6acdd3e5 461 goto end;
6acdd3e5 462
710756a9 463 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 464 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
465 == server_keylog_callback))
6acdd3e5 466 goto end;
6acdd3e5 467
710756a9
RS		 468 /* Now do a handshake and check that the logs have been written to. */
469 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
470 &clientssl, NULL, NULL))
471 || !TEST_true(create_ssl_connection(serverssl, clientssl,
472 SSL_ERROR_NONE))
473 || !TEST_false(error_writing_log))
6acdd3e5 474 goto end;
6acdd3e5 475
f1a5939f
CB		 476 /*
477 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 478 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 479 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 480 */
f1a5939f
CB		 481 expected.client_handshake_secret_count = 1;
482 expected.server_handshake_secret_count = 1;
483 expected.client_application_secret_count = 1;
484 expected.server_application_secret_count = 1;
6329ce8f 485 expected.exporter_secret_count = 1;
710756a9
RS		 486 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
487 SSL_get_session(clientssl), &expected))
488 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
489 SSL_get_session(serverssl),
490 &expected)))
6acdd3e5 491 goto end;
6acdd3e5 492
cffe973c
PW		 493 /* Terminate old session and resume with early data. */
494 sess = SSL_get1_session(clientssl);
495 SSL_shutdown(clientssl);
496 SSL_shutdown(serverssl);
497 SSL_free(serverssl);
498 SSL_free(clientssl);
499 serverssl = clientssl = NULL;
500
501 /* Reset key log */
502 memset(client_log_buffer, 0, sizeof(client_log_buffer));
503 memset(server_log_buffer, 0, sizeof(server_log_buffer));
504 client_log_buffer_index = 0;
505 server_log_buffer_index = 0;
506
507 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
508 &clientssl, NULL, NULL))
509 || !TEST_true(SSL_set_session(clientssl, sess))
510 /* Here writing 0 length early data is enough. */
511 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
512 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
513 &readbytes),
514 SSL_READ_EARLY_DATA_ERROR)
515 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
516 SSL_EARLY_DATA_ACCEPTED)
517 || !TEST_true(create_ssl_connection(serverssl, clientssl,
518 SSL_ERROR_NONE))
519 || !TEST_true(SSL_session_reused(clientssl)))
520 goto end;
521
522 /* In addition to the previous entries, expect early secrets. */
523 expected.client_early_secret_count = 1;
01a2a654 524 expected.early_exporter_secret_count = 1;
cffe973c
PW		 525 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
526 SSL_get_session(clientssl), &expected))
527 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
528 SSL_get_session(serverssl),
529 &expected)))
530 goto end;
531
6acdd3e5
CB		 532 testresult = 1;
533
534end:
cffe973c 535 SSL_SESSION_free(sess);
6acdd3e5
CB		 536 SSL_free(serverssl);
537 SSL_free(clientssl);
538 SSL_CTX_free(sctx);
539 SSL_CTX_free(cctx);
540
541 return testresult;
542}
543#endif
544
0c3eb279
DDO		 545static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
546{
547 int res = X509_verify_cert(ctx);
dfb39f73
TM		 548 int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
549 SSL *ssl;
550
551 /* this should not happen but check anyway */
552 if (idx < 0
553 || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL)
554 return 0;
0c3eb279
DDO		 555
556 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
557 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
dfb39f73
TM		 558 /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
559 return SSL_set_retry_verify(ssl);
560
0c3eb279
DDO		 561 return res;
562}
563
564static int test_client_cert_verify_cb(void)
565{
566 /* server key, cert, chain, and root */
567 char *skey = test_mk_file_path(certsdir, "leaf.key");
568 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
569 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
570 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
571 char *root = test_mk_file_path(certsdir, "rootCA.pem");
572 X509 *crt1 = NULL, *crt2 = NULL;
573 STACK_OF(X509) *server_chain;
574 SSL_CTX *cctx = NULL, *sctx = NULL;
575 SSL *clientssl = NULL, *serverssl = NULL;
576 int testresult = 0;
577
578 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
579 TLS_client_method(), TLS1_VERSION, 0,
580 &sctx, &cctx, NULL, NULL)))
581 goto end;
582 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
583 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
584 SSL_FILETYPE_PEM), 1)
585 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
586 goto end;
587 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
588 goto end;
589 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
590 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
592 &clientssl, NULL, NULL)))
593 goto end;
594
595 /* attempt SSL_connect() with incomplete server chain */
596 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
597 SSL_ERROR_WANT_RETRY_VERIFY)))
598 goto end;
599
600 /* application provides intermediate certs needed to verify server cert */
601 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
602 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
603 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
604 goto end;
605 /* add certs in reverse order to demonstrate real chain building */
606 if (!TEST_true(sk_X509_push(server_chain, crt1)))
607 goto end;
608 crt1 = NULL;
609 if (!TEST_true(sk_X509_push(server_chain, crt2)))
610 goto end;
611 crt2 = NULL;
612
613 /* continue SSL_connect(), must now succeed with completed server chain */
614 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
615 SSL_ERROR_NONE)))
616 goto end;
617
618 testresult = 1;
619
620end:
621 X509_free(crt1);
622 X509_free(crt2);
c38048e7
P		 623 if (clientssl != NULL) {
624 SSL_shutdown(clientssl);
625 SSL_free(clientssl);
626 }
627 if (serverssl != NULL) {
628 SSL_shutdown(serverssl);
629 SSL_free(serverssl);
630 }
0c3eb279
DDO		 631 SSL_CTX_free(sctx);
632 SSL_CTX_free(cctx);
633
634 OPENSSL_free(skey);
635 OPENSSL_free(leaf);
636 OPENSSL_free(int2);
637 OPENSSL_free(int1);
638 OPENSSL_free(root);
639
640 return testresult;
641}
642
4e4ae840
SL		 643static int test_ssl_build_cert_chain(void)
644{
645 int ret = 0;
646 SSL_CTX *ssl_ctx = NULL;
647 SSL *ssl = NULL;
648 char *skey = test_mk_file_path(certsdir, "leaf.key");
649 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
650
651 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
652 goto end;
653 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
654 goto end;
655 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
656 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
657 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
658 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
659 goto end;
660 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
661 | SSL_BUILD_CHAIN_FLAG_CHECK)))
662 goto end;
663 ret = 1;
664end:
665 SSL_free(ssl);
666 SSL_CTX_free(ssl_ctx);
667 OPENSSL_free(leaf_chain);
668 OPENSSL_free(skey);
669 return ret;
670}
671
c7debe81
TM		 672static int get_password_cb(char *buf, int size, int rw_flag, void *userdata)
673{
674 static const char pass[] = "testpass";
675
676 if (!TEST_int_eq(size, PEM_BUFSIZE))
677 return -1;
678
679 memcpy(buf, pass, sizeof(pass) - 1);
680 return sizeof(pass) - 1;
681}
682
4e4ae840
SL		 683static int test_ssl_ctx_build_cert_chain(void)
684{
685 int ret = 0;
686 SSL_CTX *ctx = NULL;
c7debe81 687 char *skey = test_mk_file_path(certsdir, "leaf-encrypted.key");
4e4ae840
SL		 688 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
689
690 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
691 goto end;
c7debe81 692 SSL_CTX_set_default_passwd_cb(ctx, get_password_cb);
4e4ae840
SL		 693 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
694 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
695 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
696 SSL_FILETYPE_PEM), 1)
697 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
698 goto end;
699 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
700 | SSL_BUILD_CHAIN_FLAG_CHECK)))
701 goto end;
702 ret = 1;
703end:
704 SSL_CTX_free(ctx);
705 OPENSSL_free(leaf_chain);
706 OPENSSL_free(skey);
707 return ret;
708}
709
e9ee6536 710#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 711static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 712{
713 int *ctr = arg;
714 const unsigned char *p;
8ea404fb 715 int *exts;
2afaee51
BK		 716 /* We only configure two ciphers, but the SCSV is added automatically. */
717#ifdef OPENSSL_NO_EC
718 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
719#else
720 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
721 0x2c, 0x00, 0xff};
722#endif
8ea404fb
BK		 723 const int expected_extensions[] = {
724#ifndef OPENSSL_NO_EC
725 11, 10,
726#endif
10ed1b72 727 35, 22, 23, 13};
2afaee51
BK		 728 size_t len;
729
730 /* Make sure we can defer processing and get called back. */
731 if ((*ctr)++ == 0)
f1b97da1 732 return SSL_CLIENT_HELLO_RETRY;
2afaee51 733
a9c0d8be 734 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 735 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 736 || !TEST_size_t_eq(
737 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 738 || !TEST_int_eq(*p, 0))
f1b97da1 739 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 740 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 741 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 742 if (len != OSSL_NELEM(expected_extensions) ||
743 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 744 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 745 OPENSSL_free(exts);
f1b97da1 746 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 747 }
748 OPENSSL_free(exts);
f1b97da1 749 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 750}
751
a9c0d8be 752static int test_client_hello_cb(void)
710756a9 753{
2afaee51
BK		 754 SSL_CTX *cctx = NULL, *sctx = NULL;
755 SSL *clientssl = NULL, *serverssl = NULL;
756 int testctr = 0, testresult = 0;
757
5e30f2fd
MC		 758 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
759 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 760 &sctx, &cctx, cert, privkey)))
2afaee51 761 goto end;
a9c0d8be 762 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 763
2afaee51
BK		 764 /* The gimpy cipher list we configure can't do TLS 1.3. */
765 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 766
710756a9
RS		 767 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
768 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
769 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
770 &clientssl, NULL, NULL))
771 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 772 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 773 /*
774 * Passing a -1 literal is a hack since
775 * the real value was lost.
776 * */
a9c0d8be
DB		 777 || !TEST_int_eq(SSL_get_error(serverssl, -1),
778 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 779 || !TEST_true(create_ssl_connection(serverssl, clientssl,
780 SSL_ERROR_NONE)))
2afaee51 781 goto end;
2afaee51
BK		 782
783 testresult = 1;
784
088dfa13
TS		 785end:
786 SSL_free(serverssl);
787 SSL_free(clientssl);
788 SSL_CTX_free(sctx);
789 SSL_CTX_free(cctx);
790
791 return testresult;
792}
793
794static int test_no_ems(void)
795{
796 SSL_CTX *cctx = NULL, *sctx = NULL;
797 SSL *clientssl = NULL, *serverssl = NULL;
50ea5cdc 798 int testresult = 0, status;
088dfa13 799
5e30f2fd 800 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 801 TLS1_VERSION, TLS1_2_VERSION,
802 &sctx, &cctx, cert, privkey)) {
803 printf("Unable to create SSL_CTX pair\n");
804 goto end;
805 }
806
807 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
808
809 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
810 printf("Unable to create SSL objects\n");
811 goto end;
812 }
813
50ea5cdc 814 status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
815 if (fips_ems_check) {
816 if (status == 1) {
eb4129e1 817 printf("When FIPS uses the EMS check a connection that doesn't use EMS should fail\n");
50ea5cdc 818 goto end;
819 }
820 } else {
821 if (!status) {
822 printf("Creating SSL connection failed\n");
823 goto end;
824 }
825 if (SSL_get_extms_support(serverssl)) {
826 printf("Server reports Extended Master Secret support\n");
827 goto end;
828 }
829 if (SSL_get_extms_support(clientssl)) {
830 printf("Client reports Extended Master Secret support\n");
831 goto end;
832 }
088dfa13
TS		 833 }
834 testresult = 1;
835
2afaee51
BK		 836end:
837 SSL_free(serverssl);
838 SSL_free(clientssl);
839 SSL_CTX_free(sctx);
840 SSL_CTX_free(cctx);
841
842 return testresult;
843}
844
3cd14e5e
BK		 845/*
846 * Very focused test to exercise a single case in the server-side state
847 * machine, when the ChangeCipherState message needs to actually change
848 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 849 * encryption to real encryption).
3cd14e5e
BK		 850 */
851static int test_ccs_change_cipher(void)
852{
853 SSL_CTX *cctx = NULL, *sctx = NULL;
854 SSL *clientssl = NULL, *serverssl = NULL;
855 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
856 int testresult = 0;
857 int i;
858 unsigned char buf;
859 size_t readbytes;
860
861 /*
e304aa87 862 * Create a connection so we can resume and potentially (but not) use
3cd14e5e
BK		 863 * a different cipher in the second connection.
864 */
5e30f2fd 865 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 866 TLS_client_method(),
867 TLS1_VERSION, TLS1_2_VERSION,
868 &sctx, &cctx, cert, privkey))
869 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
870 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
871 NULL, NULL))
872 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
873 || !TEST_true(create_ssl_connection(serverssl, clientssl,
874 SSL_ERROR_NONE))
875 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
876 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
877 goto end;
878
879 shutdown_ssl_connection(serverssl, clientssl);
880 serverssl = clientssl = NULL;
881
882 /* Resume, preferring a different cipher. Our server will force the
883 * same cipher to be used as the initial handshake. */
884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
885 NULL, NULL))
886 || !TEST_true(SSL_set_session(clientssl, sess))
887 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
888 || !TEST_true(create_ssl_connection(serverssl, clientssl,
889 SSL_ERROR_NONE))
890 || !TEST_true(SSL_session_reused(clientssl))
891 || !TEST_true(SSL_session_reused(serverssl))
892 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
893 || !TEST_ptr_eq(sesspre, sesspost)
894 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
895 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
896 goto end;
897 shutdown_ssl_connection(serverssl, clientssl);
898 serverssl = clientssl = NULL;
899
900 /*
901 * Now create a fresh connection and try to renegotiate a different
902 * cipher on it.
903 */
b3e6d666
BK		 904 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
905 NULL, NULL))
3cd14e5e
BK		 906 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
907 || !TEST_true(create_ssl_connection(serverssl, clientssl,
908 SSL_ERROR_NONE))
909 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
910 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
911 || !TEST_true(SSL_renegotiate(clientssl))
912 || !TEST_true(SSL_renegotiate_pending(clientssl)))
913 goto end;
914 /* Actually drive the renegotiation. */
915 for (i = 0; i < 3; i++) {
916 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
917 if (!TEST_ulong_eq(readbytes, 0))
918 goto end;
919 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
920 SSL_ERROR_WANT_READ)) {
921 goto end;
922 }
923 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
924 if (!TEST_ulong_eq(readbytes, 0))
925 goto end;
926 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
927 SSL_ERROR_WANT_READ)) {
928 goto end;
929 }
930 }
931 /* sesspre and sesspost should be different since the cipher changed. */
932 if (!TEST_false(SSL_renegotiate_pending(clientssl))
933 || !TEST_false(SSL_session_reused(clientssl))
934 || !TEST_false(SSL_session_reused(serverssl))
935 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
936 || !TEST_ptr_ne(sesspre, sesspost)
937 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
938 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
939 goto end;
940
941 shutdown_ssl_connection(serverssl, clientssl);
942 serverssl = clientssl = NULL;
943
944 testresult = 1;
945
946end:
947 SSL_free(serverssl);
948 SSL_free(clientssl);
949 SSL_CTX_free(sctx);
950 SSL_CTX_free(cctx);
951 SSL_SESSION_free(sess);
952
953 return testresult;
954}
fb121631 955#endif
3cd14e5e 956
149c4f98
MC		 957static int execute_test_large_message(const SSL_METHOD *smeth,
958 const SSL_METHOD *cmeth,
959 int min_version, int max_version,
960 int read_ahead)
961{
962 SSL_CTX *cctx = NULL, *sctx = NULL;
963 SSL *clientssl = NULL, *serverssl = NULL;
964 int testresult = 0;
965
5e30f2fd
MC		 966 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
967 max_version, &sctx, &cctx, cert,
968 privkey)))
84d5549e 969 goto end;
84d5549e 970
8ce390e1
MC		 971#ifdef OPENSSL_NO_DTLS1_2
972 if (smeth == DTLS_server_method()) {
973 /*
974 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
975 * level 0
976 */
977 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
978 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
979 "DEFAULT:@SECLEVEL=0")))
980 goto end;
981 }
982#endif
983
710756a9 984 if (read_ahead) {
7856332e
MC		 985 /*
986 * Test that read_ahead works correctly when dealing with large
987 * records
988 */
989 SSL_CTX_set_read_ahead(cctx, 1);
990 }
991
3860ef2a 992 if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98 993 goto end;
84d5549e 994
710756a9
RS		 995 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
996 NULL, NULL))
997 || !TEST_true(create_ssl_connection(serverssl, clientssl,
998 SSL_ERROR_NONE)))
84d5549e 999 goto end;
84d5549e 1000
4bf08600
MC		 1001 /*
1002 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1003 * doesn't leak.
4bf08600 1004 */
710756a9 1005 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1006 goto end;
84d5549e 1007
4bf08600 1008 testresult = 1;
84d5549e 1009 end:
84d5549e
MC		 1010 SSL_free(serverssl);
1011 SSL_free(clientssl);
1012 SSL_CTX_free(sctx);
1013 SSL_CTX_free(cctx);
1014
1015 return testresult;
1016}
1017
da4db160 1018#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1019 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1020/* sock must be connected */
1021static int ktls_chk_platform(int sock)
1022{
1023 if (!ktls_enable(sock))
1024 return 0;
1025 return 1;
1026}
1027
e1fdd526 1028static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1029{
1030 static char count = 1;
1031 unsigned char cbuf[16000] = {0};
1032 unsigned char sbuf[16000];
1033 size_t err = 0;
e1fdd526
JB		 1034 char crec_wseq_before[SEQ_NUM_SIZE];
1035 char crec_wseq_after[SEQ_NUM_SIZE];
1036 char crec_rseq_before[SEQ_NUM_SIZE];
1037 char crec_rseq_after[SEQ_NUM_SIZE];
1038 char srec_wseq_before[SEQ_NUM_SIZE];
1039 char srec_wseq_after[SEQ_NUM_SIZE];
1040 char srec_rseq_before[SEQ_NUM_SIZE];
1041 char srec_rseq_after[SEQ_NUM_SIZE];
38b051a1
TM		 1042 SSL_CONNECTION *clientsc, *serversc;
1043
1044 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1045 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1046 goto end;
fe5d9450
BP		 1047
1048 cbuf[0] = count++;
2c50d7fb
MC		 1049 memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1050 memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1051 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1052 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1053
1054 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1055 goto end;
1056
1057 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1058 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1059 goto end;
1060 }
1061 }
1062
1063 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1064 goto end;
1065
1066 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1067 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1068 goto end;
1069 }
1070 }
1071
2c50d7fb
MC		 1072 memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
1073 memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1074 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
cffafb5f 1075 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1076
1077 /* verify the payload */
1078 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1079 goto end;
1080
e1fdd526
JB		 1081 /*
1082 * If ktls is used then kernel sequences are used instead of
1083 * OpenSSL sequences
1084 */
38b051a1 1085 if (!BIO_get_ktls_send(clientsc->wbio)) {
e1fdd526
JB		 1086 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1087 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1088 goto end;
1089 } else {
e1fdd526
JB		 1090 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1091 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1092 goto end;
1093 }
1094
38b051a1 1095 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1096 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1097 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1098 goto end;
1099 } else {
e1fdd526
JB		 1100 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1101 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1102 goto end;
1103 }
1104
38b051a1 1105 if (!BIO_get_ktls_recv(clientsc->wbio)) {
e1fdd526
JB		 1106 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1107 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1108 goto end;
1109 } else {
e1fdd526
JB		 1110 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1111 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1112 goto end;
1113 }
1114
38b051a1 1115 if (!BIO_get_ktls_recv(serversc->wbio)) {
e1fdd526
JB		 1116 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1117 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1118 goto end;
1119 } else {
e1fdd526
JB		 1120 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1121 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1122 goto end;
1123 }
fe5d9450
BP		 1124
1125 return 1;
1126end:
1127 return 0;
1128}
1129
a3a54179 1130static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1131 int tls_version, const char *cipher)
fe5d9450
BP		 1132{
1133 SSL_CTX *cctx = NULL, *sctx = NULL;
1134 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1135 int ktls_used = 0, testresult = 0;
1136 int cfd = -1, sfd = -1;
1137 int rx_supported;
38b051a1 1138 SSL_CONNECTION *clientsc, *serversc;
563f4be8
MC		 1139 unsigned char *buf = NULL;
1140 const size_t bufsz = SSL3_RT_MAX_PLAIN_LENGTH + 16;
1141 int ret;
1142 size_t offset = 0, i;
fe5d9450 1143
0c593328 1144 if (!TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
fe5d9450
BP		 1145 goto end;
1146
1147 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1148 if (!ktls_chk_platform(cfd)) {
1149 testresult = TEST_skip("Kernel does not support KTLS");
1150 goto end;
1151 }
fe5d9450 1152
a5d8a2f8
DB		 1153 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1154 testresult = TEST_skip("CHACHA is not supported in FIPS");
1155 goto end;
1156 }
1157
fe5d9450 1158 /* Create a session based on SHA-256 */
5e30f2fd 1159 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1160 TLS_client_method(),
da4db160 1161 tls_version, tls_version,
e1fdd526
JB		 1162 &sctx, &cctx, cert, privkey)))
1163 goto end;
1164
1165 if (tls_version == TLS1_3_VERSION) {
1166 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1167 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1168 goto end;
1169 } else {
1170 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1171 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1172 goto end;
1173 }
1174
1175 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1176 &clientssl, sfd, cfd)))
fe5d9450
BP		 1177 goto end;
1178
38b051a1
TM		 1179 if (!TEST_ptr(clientsc = SSL_CONNECTION_FROM_SSL_ONLY(clientssl))
1180 || !TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1181 goto end;
1182
a3a54179
MC		 1183 if (cis_ktls) {
1184 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1185 goto end;
1186 }
1187
a3a54179 1188 if (sis_ktls) {
e1fdd526 1189 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1190 goto end;
1191 }
1192
e1fdd526 1193 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1194 goto end;
1195
e1fdd526
JB		 1196 /*
1197 * The running kernel may not support a given cipher suite
1198 * or direction, so just check that KTLS isn't used when it
1199 * isn't enabled.
1200 */
a3a54179 1201 if (!cis_ktls) {
38b051a1 1202 if (!TEST_false(BIO_get_ktls_send(clientsc->wbio)))
fe5d9450
BP		 1203 goto end;
1204 } else {
38b051a1 1205 if (BIO_get_ktls_send(clientsc->wbio))
e1fdd526 1206 ktls_used = 1;
fe5d9450
BP		 1207 }
1208
a3a54179 1209 if (!sis_ktls) {
38b051a1 1210 if (!TEST_false(BIO_get_ktls_send(serversc->wbio)))
fe5d9450
BP		 1211 goto end;
1212 } else {
38b051a1 1213 if (BIO_get_ktls_send(serversc->wbio))
e1fdd526 1214 ktls_used = 1;
fe5d9450
BP		 1215 }
1216
a3a54179 1217#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1218 rx_supported = 0;
1219#else
7c78932b 1220 rx_supported = 1;
a3a54179 1221#endif
e1fdd526 1222 if (!cis_ktls || !rx_supported) {
38b051a1 1223 if (!TEST_false(BIO_get_ktls_recv(clientsc->rbio)))
2fab79af
BP		 1224 goto end;
1225 } else {
38b051a1 1226 if (BIO_get_ktls_send(clientsc->rbio))
e1fdd526 1227 ktls_used = 1;
2fab79af
BP		 1228 }
1229
e1fdd526 1230 if (!sis_ktls || !rx_supported) {
38b051a1 1231 if (!TEST_false(BIO_get_ktls_recv(serversc->rbio)))
2fab79af
BP		 1232 goto end;
1233 } else {
38b051a1 1234 if (BIO_get_ktls_send(serversc->rbio))
e1fdd526
JB		 1235 ktls_used = 1;
1236 }
1237
1238 if ((cis_ktls || sis_ktls) && !ktls_used) {
1239 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1240 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1241 "TLS 1.2", cipher);
1242 goto end;
2fab79af
BP		 1243 }
1244
e1fdd526 1245 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1246 goto end;
1247
563f4be8
MC		 1248 buf = OPENSSL_zalloc(bufsz);
1249 if (!TEST_ptr(buf))
1250 goto end;
1251
1252 /*
1253 * Write some data that exceeds the maximum record length. KTLS may choose
1254 * to coalesce this data into a single buffer when we read it again.
1255 */
1256 while ((ret = SSL_write(clientssl, buf, bufsz)) != (int)bufsz) {
1257 if (!TEST_true(SSL_get_error(clientssl, ret) == SSL_ERROR_WANT_WRITE))
1258 goto end;
1259 }
1260
1261 /* Now check that we can read all the data we wrote */
1262 do {
1263 ret = SSL_read(serverssl, buf + offset, bufsz - offset);
1264 if (ret <= 0) {
1265 if (!TEST_true(SSL_get_error(serverssl, ret) == SSL_ERROR_WANT_READ))
1266 goto end;
1267 } else {
1268 offset += ret;
1269 }
1270 } while (offset < bufsz);
1271
1272 if (!TEST_true(offset == bufsz))
1273 goto end;
1274 for (i = 0; i < bufsz; i++)
1275 if (!TEST_true(buf[i] == 0))
1276 goto end;
1277
fe5d9450
BP		 1278 testresult = 1;
1279end:
563f4be8 1280 OPENSSL_free(buf);
fe5d9450
BP		 1281 if (clientssl) {
1282 SSL_shutdown(clientssl);
1283 SSL_free(clientssl);
1284 }
1285 if (serverssl) {
1286 SSL_shutdown(serverssl);
1287 SSL_free(serverssl);
1288 }
1289 SSL_CTX_free(sctx);
1290 SSL_CTX_free(cctx);
1291 serverssl = clientssl = NULL;
e1fdd526
JB		 1292 if (cfd != -1)
1293 close(cfd);
1294 if (sfd != -1)
1295 close(sfd);
fe5d9450
BP		 1296 return testresult;
1297}
1298
7c3a7561
BP		 1299#define SENDFILE_SZ (16 * 4096)
1300#define SENDFILE_CHUNK (4 * 4096)
1301#define min(a,b) ((a) > (b) ? (b) : (a))
1302
cd715b7e
MM		 1303static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
1304 int zerocopy)
7c3a7561
BP		 1305{
1306 SSL_CTX *cctx = NULL, *sctx = NULL;
1307 SSL *clientssl = NULL, *serverssl = NULL;
1308 unsigned char *buf, *buf_dst;
1309 BIO *out = NULL, *in = NULL;
e1fdd526 1310 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1311 ssize_t chunk_size = 0;
1312 off_t chunk_off = 0;
1313 int testresult = 0;
1314 FILE *ffdp;
38b051a1 1315 SSL_CONNECTION *serversc;
7c3a7561
BP		 1316
1317 buf = OPENSSL_zalloc(SENDFILE_SZ);
1318 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1319 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
0c593328 1320 || !TEST_true(create_test_sockets(&cfd, &sfd, SOCK_STREAM, NULL)))
7c3a7561
BP		 1321 goto end;
1322
1323 /* Skip this test if the platform does not support ktls */
1324 if (!ktls_chk_platform(sfd)) {
e1fdd526 1325 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1326 goto end;
1327 }
1328
a5d8a2f8
DB		 1329 if (is_fips && strstr(cipher, "CHACHA") != NULL) {
1330 testresult = TEST_skip("CHACHA is not supported in FIPS");
1331 goto end;
1332 }
1333
7c3a7561 1334 /* Create a session based on SHA-256 */
5e30f2fd 1335 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1336 TLS_client_method(),
da4db160 1337 tls_version, tls_version,
e1fdd526
JB		 1338 &sctx, &cctx, cert, privkey)))
1339 goto end;
1340
1341 if (tls_version == TLS1_3_VERSION) {
1342 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1343 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1344 goto end;
1345 } else {
1346 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1347 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1348 goto end;
1349 }
1350
1351 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1352 &clientssl, sfd, cfd)))
1353 goto end;
1354
38b051a1
TM		 1355 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1356 goto end;
1357
e1fdd526 1358 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1359 goto end;
1360
cd715b7e
MM		 1361 if (zerocopy) {
1362 if (!TEST_true(SSL_set_options(serverssl,
1363 SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
1364 goto end;
1365 }
1366
7c3a7561 1367 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1368 SSL_ERROR_NONE)))
7c3a7561
BP		 1369 goto end;
1370
38b051a1 1371 if (!BIO_get_ktls_send(serversc->wbio)) {
e1fdd526
JB		 1372 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1373 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1374 "TLS 1.2", cipher);
1375 goto end;
1376 }
1377
c9007bda 1378 if (!TEST_int_gt(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0), 0))
72c1e374
JB		 1379 goto end;
1380
7c3a7561
BP		 1381 out = BIO_new_file(tmpfilename, "wb");
1382 if (!TEST_ptr(out))
1383 goto end;
1384
1385 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1386 goto end;
1387
1388 BIO_free(out);
1389 out = NULL;
1390 in = BIO_new_file(tmpfilename, "rb");
1391 BIO_get_fp(in, &ffdp);
1392 ffd = fileno(ffdp);
1393
1394 while (chunk_off < SENDFILE_SZ) {
1395 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1396 while ((err = SSL_sendfile(serverssl,
1397 ffd,
1398 chunk_off,
1399 chunk_size,
1400 0)) != chunk_size) {
1401 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1402 goto end;
1403 }
1404 while ((err = SSL_read(clientssl,
1405 buf_dst + chunk_off,
1406 chunk_size)) != chunk_size) {
1407 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1408 goto end;
1409 }
1410
1411 /* verify the payload */
1412 if (!TEST_mem_eq(buf_dst + chunk_off,
1413 chunk_size,
1414 buf + chunk_off,
1415 chunk_size))
1416 goto end;
1417
1418 chunk_off += chunk_size;
1419 }
1420
1421 testresult = 1;
1422end:
1423 if (clientssl) {
1424 SSL_shutdown(clientssl);
1425 SSL_free(clientssl);
1426 }
1427 if (serverssl) {
1428 SSL_shutdown(serverssl);
1429 SSL_free(serverssl);
1430 }
1431 SSL_CTX_free(sctx);
1432 SSL_CTX_free(cctx);
1433 serverssl = clientssl = NULL;
1434 BIO_free(out);
1435 BIO_free(in);
e1fdd526
JB		 1436 if (cfd != -1)
1437 close(cfd);
1438 if (sfd != -1)
1439 close(sfd);
7c3a7561
BP		 1440 OPENSSL_free(buf);
1441 OPENSSL_free(buf_dst);
1442 return testresult;
1443}
1444
e1fdd526
JB		 1445static struct ktls_test_cipher {
1446 int tls_version;
1447 const char *cipher;
1448} ktls_test_ciphers[] = {
1449# if !defined(OPENSSL_NO_TLS1_2)
1450# ifdef OPENSSL_KTLS_AES_GCM_128
1451 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1452# endif
1453# ifdef OPENSSL_KTLS_AES_CCM_128
1454 { TLS1_2_VERSION, "AES128-CCM"},
1455# endif
1456# ifdef OPENSSL_KTLS_AES_GCM_256
1457 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1458# endif
11bac1b4 1459# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
2dded44a 1460# ifndef OPENSSL_NO_EC
11bac1b4 1461 { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"},
2dded44a 1462# endif
11bac1b4 1463# endif
e1fdd526
JB		 1464# endif
1465# if !defined(OSSL_NO_USABLE_TLS1_3)
1466# ifdef OPENSSL_KTLS_AES_GCM_128
1467 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1468# endif
1469# ifdef OPENSSL_KTLS_AES_CCM_128
1470 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1471# endif
1472# ifdef OPENSSL_KTLS_AES_GCM_256
1473 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1474# endif
11bac1b4
JB		 1475# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
1476 { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" },
1477# endif
e1fdd526
JB		 1478# endif
1479};
1480
1481#define NUM_KTLS_TEST_CIPHERS \
1482 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1483
da4db160
VF		 1484static int test_ktls(int test)
1485{
e1fdd526 1486 struct ktls_test_cipher *cipher;
a3a54179 1487 int cis_ktls, sis_ktls;
da4db160 1488
2cff17fd 1489 OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1490 cipher = &ktls_test_ciphers[test / 4];
da4db160 1491
a3a54179
MC		 1492 cis_ktls = (test & 1) != 0;
1493 sis_ktls = (test & 2) != 0;
cd03b5dc 1494
e1fdd526
JB		 1495 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1496 cipher->cipher);
2fab79af
BP		 1497}
1498
cd715b7e 1499static int test_ktls_sendfile(int test)
fe5d9450 1500{
e1fdd526 1501 struct ktls_test_cipher *cipher;
cd715b7e 1502 int tst = test >> 1;
da4db160 1503
2cff17fd 1504 OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
e1fdd526 1505 cipher = &ktls_test_ciphers[tst];
da4db160 1506
cd715b7e
MM		 1507 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
1508 test & 1);
fe5d9450 1509}
fe5d9450
BP		 1510#endif
1511
84d5549e
MC		 1512static int test_large_message_tls(void)
1513{
7856332e 1514 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1515 TLS1_VERSION, 0, 0);
7856332e
MC		 1516}
1517
1518static int test_large_message_tls_read_ahead(void)
1519{
1520 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1521 TLS1_VERSION, 0, 1);
84d5549e
MC		 1522}
1523
55386bef 1524#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1525static int test_large_message_dtls(void)
1526{
8ce390e1
MC		 1527# ifdef OPENSSL_NO_DTLS1_2
1528 /* Not supported in the FIPS provider */
1529 if (is_fips)
1530 return 1;
1531# endif
7856332e
MC		 1532 /*
1533 * read_ahead is not relevant to DTLS because DTLS always acts as if
1534 * read_ahead is set.
1535 */
84d5549e 1536 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1537 DTLS_client_method(),
5c587fb6 1538 DTLS1_VERSION, 0, 0);
84d5549e 1539}
55386bef 1540#endif
84d5549e 1541
3ff0a48a
MC		 1542/*
1543 * Test we can successfully send the maximum amount of application data. We
1544 * test each protocol version individually, each with and without EtM enabled.
1545 * TLSv1.3 doesn't use EtM so technically it is redundant to test both but it is
1546 * simpler this way. We also test all combinations with and without the
1547 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option which affects the size of the
1548 * underlying buffer.
1549 */
1550static int test_large_app_data(int tst)
1551{
1552 SSL_CTX *cctx = NULL, *sctx = NULL;
1553 SSL *clientssl = NULL, *serverssl = NULL;
1554 int testresult = 0, prot;
1555 unsigned char *msg, *buf = NULL;
1556 size_t written, readbytes;
2fda45d5
MC		 1557 const SSL_METHOD *smeth = TLS_server_method();
1558 const SSL_METHOD *cmeth = TLS_client_method();
3ff0a48a
MC		 1559
1560 switch (tst >> 2) {
1561 case 0:
1562#ifndef OSSL_NO_USABLE_TLS1_3
1563 prot = TLS1_3_VERSION;
1564 break;
1565#else
1566 return 1;
1567#endif
1568
1569 case 1:
1570#ifndef OPENSSL_NO_TLS1_2
1571 prot = TLS1_2_VERSION;
1572 break;
1573#else
1574 return 1;
1575#endif
1576
1577 case 2:
1578#ifndef OPENSSL_NO_TLS1_1
1579 prot = TLS1_1_VERSION;
1580 break;
1581#else
1582 return 1;
1583#endif
1584
1585 case 3:
1586#ifndef OPENSSL_NO_TLS1
1587 prot = TLS1_VERSION;
1588 break;
1589#else
1590 return 1;
1591#endif
1592
1593 case 4:
1594#ifndef OPENSSL_NO_SSL3
1595 prot = SSL3_VERSION;
1596 break;
1597#else
1598 return 1;
1599#endif
1600
2fda45d5
MC		 1601 case 5:
1602#ifndef OPENSSL_NO_DTLS1_2
1603 prot = DTLS1_2_VERSION;
1604 smeth = DTLS_server_method();
1605 cmeth = DTLS_client_method();
1606 break;
1607#else
1608 return 1;
1609#endif
1610
1611 case 6:
1612#ifndef OPENSSL_NO_DTLS1
1613 prot = DTLS1_VERSION;
1614 smeth = DTLS_server_method();
1615 cmeth = DTLS_client_method();
1616 break;
1617#else
1618 return 1;
1619#endif
1620
3ff0a48a
MC		 1621 default:
1622 /* Shouldn't happen */
1623 return 0;
1624 }
1625
2fda45d5 1626 if ((prot < TLS1_2_VERSION || prot == DTLS1_VERSION) && is_fips)
3ff0a48a
MC		 1627 return 1;
1628
1629 /* Maximal sized message of zeros */
1630 msg = OPENSSL_zalloc(SSL3_RT_MAX_PLAIN_LENGTH);
1631 if (!TEST_ptr(msg))
1632 goto end;
1633
1634 buf = OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH + 1);
1635 if (!TEST_ptr(buf))
1636 goto end;
1637 /* Set whole buffer to all bits set */
1638 memset(buf, 0xff, SSL3_RT_MAX_PLAIN_LENGTH + 1);
1639
2fda45d5 1640 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, prot, prot,
3ff0a48a
MC		 1641 &sctx, &cctx, cert, privkey)))
1642 goto end;
1643
2fda45d5 1644 if (prot < TLS1_2_VERSION || prot == DTLS1_VERSION) {
3ff0a48a
MC		 1645 /* Older protocol versions need SECLEVEL=0 due to SHA1 usage */
1646 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0"))
1647 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
1648 "DEFAULT:@SECLEVEL=0")))
1649 goto end;
1650 }
1651
1652 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1653 &clientssl, NULL, NULL)))
1654 goto end;
1655
1656 if ((tst & 1) != 0) {
1657 /* Setting this option gives us a minimally sized underlying buffer */
1658 if (!TEST_true(SSL_set_options(serverssl,
1659 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1660 || !TEST_true(SSL_set_options(clientssl,
1661 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
1662 goto end;
1663 }
1664
1665 if ((tst & 2) != 0) {
1666 /*
1667 * Setting this option means the MAC is added before encryption
1668 * giving us a larger record for the encryption process
1669 */
1670 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC))
1671 || !TEST_true(SSL_set_options(clientssl,
1672 SSL_OP_NO_ENCRYPT_THEN_MAC)))
1673 goto end;
1674 }
1675
1676 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
1677 goto end;
1678
1679 if (!TEST_true(SSL_write_ex(clientssl, msg, SSL3_RT_MAX_PLAIN_LENGTH,
1680 &written))
1681 || !TEST_size_t_eq(written, SSL3_RT_MAX_PLAIN_LENGTH))
1682 goto end;
1683
1684 /* We provide a buffer slightly larger than what we are actually expecting */
1685 if (!TEST_true(SSL_read_ex(serverssl, buf, SSL3_RT_MAX_PLAIN_LENGTH + 1,
1686 &readbytes)))
1687 goto end;
1688
1689 if (!TEST_mem_eq(msg, written, buf, readbytes))
1690 goto end;
1691
1692 testresult = 1;
1693end:
1694 OPENSSL_free(msg);
1695 OPENSSL_free(buf);
1696 SSL_free(serverssl);
1697 SSL_free(clientssl);
1698 SSL_CTX_free(sctx);
1699 SSL_CTX_free(cctx);
1700 return testresult;
1701}
1702
fb32f6ea
MC		 1703#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) \
1704 || !defined(OPENSSL_NO_DTLS)
163b8016
ME		 1705static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1706 const SSL_METHOD *cmeth,
1707 int min_version, int max_version)
1708{
1709 size_t i;
1710 SSL_CTX *cctx = NULL, *sctx = NULL;
1711 SSL *clientssl = NULL, *serverssl = NULL;
1712 int testresult = 0;
2eb91b0e 1713 const unsigned char *zbuf;
38b051a1 1714 SSL_CONNECTION *serversc;
eddb067e 1715 TLS_RECORD *rr;
163b8016
ME		 1716
1717 static unsigned char cbuf[16000];
1718 static unsigned char sbuf[16000];
1719
1720 if (!TEST_true(create_ssl_ctx_pair(libctx,
1721 smeth, cmeth,
1722 min_version, max_version,
1723 &sctx, &cctx, cert,
1724 privkey)))
1725 goto end;
1726
8ce390e1 1727# ifdef OPENSSL_NO_DTLS1_2
fb32f6ea 1728 if (smeth == DTLS_server_method()) {
8ce390e1
MC		 1729 /* Not supported in the FIPS provider */
1730 if (is_fips) {
1731 testresult = 1;
1732 goto end;
1733 };
8ce390e1
MC		 1734 /*
1735 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1736 * level 0
1737 */
1738 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1739 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1740 "DEFAULT:@SECLEVEL=0")))
1741 goto end;
1742 }
fb32f6ea 1743# endif
8ce390e1 1744
163b8016
ME		 1745 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1746 NULL, NULL)))
1747 goto end;
1748
1749 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1750 goto end;
1751
1752 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1753 SSL_ERROR_NONE)))
1754 goto end;
1755
1756 for (i = 0; i < sizeof(cbuf); i++) {
1757 cbuf[i] = i & 0xff;
1758 }
1759
1760 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1761 goto end;
1762
1763 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1764 goto end;
1765
1766 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1767 goto end;
1768
1769 /*
1770 * Since we called SSL_peek(), we know the data in the record
1771 * layer is a plaintext record. We can gather the pointer to check
1772 * for zeroization after SSL_read().
1773 */
38b051a1
TM		 1774 if (!TEST_ptr(serversc = SSL_CONNECTION_FROM_SSL_ONLY(serverssl)))
1775 goto end;
eddb067e 1776 rr = serversc->rlayer.tlsrecs;
4030869d 1777
eddb067e
MC		 1778 zbuf = &rr->data[rr->off];
1779 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1780 goto end;
163b8016
ME		 1781
1782 /*
1783 * After SSL_peek() the plaintext must still be stored in the
1784 * record.
1785 */
1786 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1787 goto end;
1788
1789 memset(sbuf, 0, sizeof(sbuf));
1790 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1791 goto end;
1792
1793 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1794 goto end;
1795
1796 /* Check if rbuf is cleansed */
1797 memset(cbuf, 0, sizeof(cbuf));
1798 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1799 goto end;
1800
1801 testresult = 1;
1802 end:
1803 SSL_free(serverssl);
1804 SSL_free(clientssl);
1805 SSL_CTX_free(sctx);
1806 SSL_CTX_free(cctx);
1807
1808 return testresult;
1809}
fb32f6ea
MC		 1810#endif /*
1811 * !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
1812 * || !defined(OPENSSL_NO_DTLS)
1813 */
163b8016
ME		 1814
1815static int test_cleanse_plaintext(void)
1816{
1817#if !defined(OPENSSL_NO_TLS1_2)
1818 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1819 TLS_client_method(),
1820 TLS1_2_VERSION,
1821 TLS1_2_VERSION)))
1822 return 0;
1823
1824#endif
1825
a763ca11 1826#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1827 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1828 TLS_client_method(),
1829 TLS1_3_VERSION,
1830 TLS1_3_VERSION)))
1831 return 0;
1832#endif
1833
1834#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1835
163b8016
ME		 1836 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1837 DTLS_client_method(),
1838 DTLS1_VERSION,
1839 0)))
1840 return 0;
1841#endif
1842 return 1;
1843}
1844
8f8c11d8 1845#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1846static int ocsp_server_cb(SSL *s, void *arg)
1847{
1848 int *argi = (int *)arg;
710756a9 1849 unsigned char *copy = NULL;
ba881d3b
MC		 1850 STACK_OF(OCSP_RESPID) *ids = NULL;
1851 OCSP_RESPID *id = NULL;
1852
1853 if (*argi == 2) {
1854 /* In this test we are expecting exactly 1 OCSP_RESPID */
1855 SSL_get_tlsext_status_ids(s, &ids);
1856 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1857 return SSL_TLSEXT_ERR_ALERT_FATAL;
1858
1859 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1860 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1861 return SSL_TLSEXT_ERR_ALERT_FATAL;
1862 } else if (*argi != 1) {
1863 return SSL_TLSEXT_ERR_ALERT_FATAL;
1864 }
1865
710756a9 1866 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1867 return SSL_TLSEXT_ERR_ALERT_FATAL;
1868
711d5a2f
P		 1869 if (!TEST_true(SSL_set_tlsext_status_ocsp_resp(s, copy,
1870 sizeof(orespder)))) {
1871 OPENSSL_free(copy);
1872 return SSL_TLSEXT_ERR_ALERT_FATAL;
1873 }
ba881d3b 1874 ocsp_server_called = 1;
ba881d3b
MC		 1875 return SSL_TLSEXT_ERR_OK;
1876}
1877
1878static int ocsp_client_cb(SSL *s, void *arg)
1879{
1880 int *argi = (int *)arg;
1881 const unsigned char *respderin;
1882 size_t len;
1883
1884 if (*argi != 1 && *argi != 2)
1885 return 0;
1886
1887 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1888 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1889 return 0;
1890
1891 ocsp_client_called = 1;
ba881d3b
MC		 1892 return 1;
1893}
1894
2cb4b5f6
MC		 1895static int test_tlsext_status_type(void)
1896{
ba881d3b
MC		 1897 SSL_CTX *cctx = NULL, *sctx = NULL;
1898 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1899 int testresult = 0;
ba881d3b
MC		 1900 STACK_OF(OCSP_RESPID) *ids = NULL;
1901 OCSP_RESPID *id = NULL;
1902 BIO *certbio = NULL;
2cb4b5f6 1903
5e30f2fd 1904 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1905 TLS1_VERSION, 0,
7d7f6834 1906 &sctx, &cctx, cert, privkey))
ba881d3b 1907 return 0;
2cb4b5f6 1908
710756a9 1909 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1910 goto end;
2cb4b5f6 1911
ba881d3b 1912 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1913
ba881d3b 1914 clientssl = SSL_new(cctx);
710756a9
RS		 1915 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1916 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1917 TLSEXT_STATUSTYPE_ocsp))
1918 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1919 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1920 goto end;
2cb4b5f6 1921
ba881d3b
MC		 1922 SSL_free(clientssl);
1923 clientssl = NULL;
2cb4b5f6 1924
710756a9
RS		 1925 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1926 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1927 goto end;
2cb4b5f6 1928
ba881d3b 1929 clientssl = SSL_new(cctx);
710756a9 1930 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1931 goto end;
ba881d3b
MC		 1932 SSL_free(clientssl);
1933 clientssl = NULL;
1934
1935 /*
1936 * Now actually do a handshake and check OCSP information is exchanged and
1937 * the callbacks get called
1938 */
ba881d3b
MC		 1939 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1940 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1941 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1942 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1944 &clientssl, NULL, NULL))
1945 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1946 SSL_ERROR_NONE))
1947 || !TEST_true(ocsp_client_called)
1948 || !TEST_true(ocsp_server_called))
ba881d3b 1949 goto end;
ba881d3b
MC		 1950 SSL_free(serverssl);
1951 SSL_free(clientssl);
1952 serverssl = NULL;
1953 clientssl = NULL;
1954
1955 /* Try again but this time force the server side callback to fail */
1956 ocsp_client_called = 0;
1957 ocsp_server_called = 0;
1958 cdummyarg = 0;
710756a9
RS		 1959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1960 &clientssl, NULL, NULL))
1961 /* This should fail because the callback will fail */
1962 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1963 SSL_ERROR_NONE))
1964 || !TEST_false(ocsp_client_called)
1965 || !TEST_false(ocsp_server_called))
ba881d3b 1966 goto end;
ba881d3b
MC		 1967 SSL_free(serverssl);
1968 SSL_free(clientssl);
1969 serverssl = NULL;
1970 clientssl = NULL;
1971
1972 /*
1973 * This time we'll get the client to send an OCSP_RESPID that it will
1974 * accept.
1975 */
1976 ocsp_client_called = 0;
1977 ocsp_server_called = 0;
1978 cdummyarg = 2;
710756a9
RS		 1979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1980 &clientssl, NULL, NULL)))
ba881d3b 1981 goto end;
ba881d3b
MC		 1982
1983 /*
1984 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1985 * specific one. We'll use the server cert.
ba881d3b 1986 */
710756a9
RS		 1987 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1988 || !TEST_ptr(id = OCSP_RESPID_new())
1989 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1990 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1991 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1992 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1993 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1994 goto end;
ba881d3b
MC		 1995 id = NULL;
1996 SSL_set_tlsext_status_ids(clientssl, ids);
1997 /* Control has been transferred */
1998 ids = NULL;
1999
2000 BIO_free(certbio);
2001 certbio = NULL;
2002
710756a9
RS		 2003 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2004 SSL_ERROR_NONE))
2005 || !TEST_true(ocsp_client_called)
2006 || !TEST_true(ocsp_server_called))
ba881d3b 2007 goto end;
ba881d3b 2008
2cb4b5f6
MC		 2009 testresult = 1;
2010
2011 end:
ba881d3b
MC		 2012 SSL_free(serverssl);
2013 SSL_free(clientssl);
2014 SSL_CTX_free(sctx);
2015 SSL_CTX_free(cctx);
2016 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
2017 OCSP_RESPID_free(id);
2018 BIO_free(certbio);
2019 X509_free(ocspcert);
2020 ocspcert = NULL;
2cb4b5f6
MC		 2021
2022 return testresult;
2023}
8f8c11d8 2024#endif
2cb4b5f6 2025
a763ca11 2026#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 2027static int new_called, remove_called, get_called;
eaa776da 2028
eaa776da
MC		 2029static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
2030{
2031 new_called++;
c0537ebd
MC		 2032 /*
2033 * sess has been up-refed for us, but we don't actually need it so free it
2034 * immediately.
2035 */
2036 SSL_SESSION_free(sess);
eaa776da
MC		 2037 return 1;
2038}
2039
2040static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
2041{
2042 remove_called++;
2043}
2044
7a301f08
MC		 2045static SSL_SESSION *get_sess_val = NULL;
2046
2047static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
2048 int *copy)
2049{
0afca811 2050 get_called++;
7a301f08
MC		 2051 *copy = 1;
2052 return get_sess_val;
2053}
2054
7a301f08 2055static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 2056 int use_ext_cache, long s_options)
2cb4b5f6
MC		 2057{
2058 SSL_CTX *sctx = NULL, *cctx = NULL;
2059 SSL *serverssl1 = NULL, *clientssl1 = NULL;
2060 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 2061# ifndef OPENSSL_NO_TLS1_1
eaa776da 2062 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 2063# endif
2cb4b5f6 2064 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 2065 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 2066
7e885b7b
P		 2067 new_called = remove_called = 0;
2068
36ff232c
MC		 2069 /* TLSv1.3 sends 2 NewSessionTickets */
2070 if (maxprot == TLS1_3_VERSION)
2071 numnewsesstick = 2;
2072
5e30f2fd
MC		 2073 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2074 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2075 &sctx, &cctx, cert, privkey)))
2cb4b5f6 2076 return 0;
2cb4b5f6 2077
7a301f08
MC		 2078 /*
2079 * Only allow the max protocol version so we can force a connection failure
2080 * later
2081 */
2082 SSL_CTX_set_min_proto_version(cctx, maxprot);
2083 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 2084
2085 /* Set up session cache */
7e885b7b 2086 if (use_ext_cache) {
eaa776da
MC		 2087 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2088 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
2089 }
7e885b7b 2090 if (use_int_cache) {
eaa776da
MC		 2091 /* Also covers instance where both are set */
2092 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
2093 } else {
2094 SSL_CTX_set_session_cache_mode(cctx,
2095 SSL_SESS_CACHE_CLIENT
2096 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2097 }
2cb4b5f6 2098
90fc2c26
NM		 2099 if (s_options) {
2100 SSL_CTX_set_options(sctx, s_options);
2101 }
2102
710756a9
RS		 2103 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2104 NULL, NULL))
2105 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2106 SSL_ERROR_NONE))
2107 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 2108 goto end;
2cb4b5f6 2109
710756a9 2110 /* Should fail because it should already be in the cache */
7e885b7b 2111 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 2112 goto end;
7a301f08 2113 if (use_ext_cache
36ff232c
MC		 2114 && (!TEST_int_eq(new_called, numnewsesstick)
2115
2116 || !TEST_int_eq(remove_called, 0)))
b4982125 2117 goto end;
b4982125 2118
c0537ebd
MC		 2119 new_called = remove_called = 0;
2120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2121 &clientssl2, NULL, NULL))
2122 || !TEST_true(SSL_set_session(clientssl2, sess1))
2123 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2124 SSL_ERROR_NONE))
2125 || !TEST_true(SSL_session_reused(clientssl2)))
2126 goto end;
2127
7a301f08
MC		 2128 if (maxprot == TLS1_3_VERSION) {
2129 /*
2130 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 2131 * resumed. Since we attempted a resume we should also have removed the
2132 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 2133 */
2134 if (use_ext_cache
2135 && (!TEST_int_eq(new_called, 1)
4cb00457 2136 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 2137 goto end;
2138 } else {
2139 /*
2140 * In TLSv1.2 we expect to have resumed so no sessions added or
2141 * removed.
2142 */
2143 if (use_ext_cache
2144 && (!TEST_int_eq(new_called, 0)
2145 || !TEST_int_eq(remove_called, 0)))
2146 goto end;
2147 }
c0537ebd
MC		 2148
2149 SSL_SESSION_free(sess1);
2150 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
2151 goto end;
2152 shutdown_ssl_connection(serverssl2, clientssl2);
2153 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 2154
2155 new_called = remove_called = 0;
710756a9
RS		 2156 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2157 &clientssl2, NULL, NULL))
2158 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2159 SSL_ERROR_NONE)))
2cb4b5f6 2160 goto end;
2cb4b5f6 2161
710756a9 2162 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 2163 goto end;
2cb4b5f6 2164
7a301f08 2165 if (use_ext_cache
36ff232c
MC		 2166 && (!TEST_int_eq(new_called, numnewsesstick)
2167 || !TEST_int_eq(remove_called, 0)))
eaa776da 2168 goto end;
eaa776da 2169
c0537ebd 2170 new_called = remove_called = 0;
2cb4b5f6 2171 /*
710756a9
RS		 2172 * This should clear sess2 from the cache because it is a "bad" session.
2173 * See SSL_set_session() documentation.
2cb4b5f6 2174 */
710756a9 2175 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 2176 goto end;
7a301f08
MC		 2177 if (use_ext_cache
2178 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 2179 goto end;
710756a9 2180 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 2181 goto end;
2cb4b5f6 2182
7e885b7b 2183 if (use_int_cache) {
710756a9
RS		 2184 /* Should succeeded because it should not already be in the cache */
2185 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
2186 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 2187 goto end;
eaa776da
MC		 2188 }
2189
c0537ebd 2190 new_called = remove_called = 0;
eaa776da 2191 /* This shouldn't be in the cache so should fail */
710756a9 2192 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 2193 goto end;
2cb4b5f6 2194
7a301f08
MC		 2195 if (use_ext_cache
2196 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2197 goto end;
2cb4b5f6 2198
bf208d95 2199# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 2200 new_called = remove_called = 0;
eaa776da
MC		 2201 /* Force a connection failure */
2202 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 2203 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
2204 &clientssl3, NULL, NULL))
2205 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 2206 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 2207 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
2208 SSL_ERROR_NONE)))
eaa776da 2209 goto end;
b4982125 2210
eaa776da 2211 /* We should have automatically removed the session from the cache */
7a301f08
MC		 2212 if (use_ext_cache
2213 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 2214 goto end;
2cb4b5f6 2215
710756a9 2216 /* Should succeed because it should not already be in the cache */
7e885b7b 2217 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 2218 goto end;
bf208d95 2219# endif
eaa776da 2220
7a301f08
MC		 2221 /* Now do some tests for server side caching */
2222 if (use_ext_cache) {
2223 SSL_CTX_sess_set_new_cb(cctx, NULL);
2224 SSL_CTX_sess_set_remove_cb(cctx, NULL);
2225 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2226 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
2227 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
2228 get_sess_val = NULL;
2229 }
2230
2231 SSL_CTX_set_session_cache_mode(cctx, 0);
2232 /* Internal caching is the default on the server side */
2233 if (!use_int_cache)
2234 SSL_CTX_set_session_cache_mode(sctx,
2235 SSL_SESS_CACHE_SERVER
2236 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2237
2238 SSL_free(serverssl1);
2239 SSL_free(clientssl1);
2240 serverssl1 = clientssl1 = NULL;
2241 SSL_free(serverssl2);
2242 SSL_free(clientssl2);
2243 serverssl2 = clientssl2 = NULL;
2244 SSL_SESSION_free(sess1);
2245 sess1 = NULL;
2246 SSL_SESSION_free(sess2);
2247 sess2 = NULL;
2248
2249 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2250 if (maxprot == TLS1_2_VERSION)
2251 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2252 new_called = remove_called = get_called = 0;
7a301f08
MC		 2253 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2254 NULL, NULL))
2255 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2256 SSL_ERROR_NONE))
2257 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2258 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2259 goto end;
2260
ee94ec2e
MC		 2261 if (use_int_cache) {
2262 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2263 /*
2264 * In TLSv1.3 it should not have been added to the internal cache,
2265 * except in the case where we also have an external cache (in that
2266 * case it gets added to the cache in order to generate remove
2267 * events after timeout).
2268 */
2269 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2270 goto end;
2271 } else {
2272 /* Should fail because it should already be in the cache */
2273 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2274 goto end;
2275 }
2276 }
7a301f08
MC		 2277
2278 if (use_ext_cache) {
2279 SSL_SESSION *tmp = sess2;
2280
36ff232c 2281 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2282 || !TEST_int_eq(remove_called, 0)
2283 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2284 goto end;
2285 /*
2286 * Delete the session from the internal cache to force a lookup from
2287 * the external cache. We take a copy first because
2288 * SSL_CTX_remove_session() also marks the session as non-resumable.
2289 */
ee94ec2e 2290 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6 2291 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
9fdf9a44
WL		 2292 || !TEST_true(sess2->owner != NULL)
2293 || !TEST_true(tmp->owner == NULL)
2294 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
3cb6a4d6
BK		 2295 goto end;
2296 SSL_SESSION_free(sess2);
2297 }
7a301f08
MC		 2298 sess2 = tmp;
2299 }
2300
0afca811 2301 new_called = remove_called = get_called = 0;
7a301f08
MC		 2302 get_sess_val = sess2;
2303 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2304 &clientssl2, NULL, NULL))
2305 || !TEST_true(SSL_set_session(clientssl2, sess1))
2306 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2307 SSL_ERROR_NONE))
2308 || !TEST_true(SSL_session_reused(clientssl2)))
2309 goto end;
2310
0afca811 2311 if (use_ext_cache) {
32305f88 2312 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2313 goto end;
2314
2315 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2316 if (!TEST_int_eq(new_called, 1)
2317 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2318 goto end;
2319 } else {
32305f88
MC		 2320 if (!TEST_int_eq(new_called, 0)
2321 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2322 goto end;
2323 }
2324 }
4842a27b
TS		 2325 /*
2326 * Make a small cache, force out all other sessions but
2327 * sess2, try to add sess1, which should succeed. Then
2328 * make sure it's there by checking the owners. Despite
2329 * the timeouts, sess1 should have kicked out sess2
2330 */
2331
2332 /* Make sess1 expire before sess2 */
2333 if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
2334 || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
2335 || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
2336 || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
2337 goto end;
2338
2339 if (!TEST_long_ne(SSL_CTX_sess_set_cache_size(sctx, 1), 0))
2340 goto end;
2341
2342 /* Don't care about results - cache should only be sess2 at end */
2343 SSL_CTX_add_session(sctx, sess1);
2344 SSL_CTX_add_session(sctx, sess2);
2345
2346 /* Now add sess1, and make sure it remains, despite timeout */
2347 if (!TEST_true(SSL_CTX_add_session(sctx, sess1))
2348 || !TEST_ptr(sess1->owner)
2349 || !TEST_ptr_null(sess2->owner))
2350 goto end;
7a301f08 2351
2cb4b5f6 2352 testresult = 1;
eaa776da 2353
2cb4b5f6
MC		 2354 end:
2355 SSL_free(serverssl1);
2356 SSL_free(clientssl1);
2357 SSL_free(serverssl2);
2358 SSL_free(clientssl2);
bf208d95 2359# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2360 SSL_free(serverssl3);
2361 SSL_free(clientssl3);
bf208d95 2362# endif
2cb4b5f6
MC		 2363 SSL_SESSION_free(sess1);
2364 SSL_SESSION_free(sess2);
2365 SSL_CTX_free(sctx);
2366 SSL_CTX_free(cctx);
2367
2368 return testresult;
2369}
a763ca11 2370#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2371
7fb4c820
MC		 2372static int test_session_with_only_int_cache(void)
2373{
a763ca11 2374#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2375 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2376 return 0;
2377#endif
2378
2379#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2380 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2381#else
2382 return 1;
2383#endif
eaa776da
MC		 2384}
2385
7fb4c820
MC		 2386static int test_session_with_only_ext_cache(void)
2387{
a763ca11 2388#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2389 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2390 return 0;
2391#endif
2392
2393#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2394 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2395#else
2396 return 1;
2397#endif
eaa776da
MC		 2398}
2399
7fb4c820
MC		 2400static int test_session_with_both_cache(void)
2401{
a763ca11 2402#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2403 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2404 return 0;
2405#endif
2406
2407#ifndef OPENSSL_NO_TLS1_2
2408 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2409#else
2410 return 1;
2411#endif
2412}
2413
2414static int test_session_wo_ca_names(void)
2415{
a763ca11 2416#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2417 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2418 return 0;
2419#endif
2420
2421#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2422 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2423#else
2424 return 1;
2425#endif
eaa776da
MC		 2426}
2427
90fc2c26 2428
a763ca11 2429#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2430static SSL_SESSION *sesscache[6];
2431static int do_cache;
36ff232c
MC		 2432
2433static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2434{
c22365b3
MC		 2435 if (do_cache) {
2436 sesscache[new_called] = sess;
2437 } else {
2438 /* We don't need the reference to the session, so free it */
2439 SSL_SESSION_free(sess);
2440 }
2441 new_called++;
2442
2443 return 1;
2444}
2445
2446static int post_handshake_verify(SSL *sssl, SSL *cssl)
2447{
2448 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2449 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2450 return 0;
2451
2452 /* Start handshake on the server and client */
2453 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2454 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2455 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2456 || !TEST_true(create_ssl_connection(sssl, cssl,
2457 SSL_ERROR_NONE)))
2458 return 0;
36ff232c
MC		 2459
2460 return 1;
2461}
2462
fbe9dafd 2463static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2464 SSL_CTX **cctx)
2465{
2466 int sess_id_ctx = 1;
2467
5e30f2fd
MC		 2468 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2469 TLS_client_method(), TLS1_VERSION, 0,
2470 sctx, cctx, cert, privkey))
03cdf559
MC		 2471 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2472 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2473 (void *)&sess_id_ctx,
2474 sizeof(sess_id_ctx))))
2475 return 0;
2476
2477 if (stateful)
2478 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2479
2480 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2481 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2482 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2483
2484 return 1;
2485}
2486
2487static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2488{
2489 SSL *serverssl = NULL, *clientssl = NULL;
2490 int i;
2491
2492 /* Test that we can resume with all the tickets we got given */
2493 for (i = 0; i < idx * 2; i++) {
2494 new_called = 0;
2495 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2496 &clientssl, NULL, NULL))
2497 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2498 goto end;
2499
32097b33 2500 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2501
2502 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2503 SSL_ERROR_NONE)))
2504 goto end;
2505
2506 /*
2507 * Following a successful resumption we only get 1 ticket. After a
2508 * failed one we should get idx tickets.
2509 */
2510 if (succ) {
2511 if (!TEST_true(SSL_session_reused(clientssl))
2512 || !TEST_int_eq(new_called, 1))
2513 goto end;
2514 } else {
2515 if (!TEST_false(SSL_session_reused(clientssl))
2516 || !TEST_int_eq(new_called, idx))
2517 goto end;
2518 }
2519
2520 new_called = 0;
2521 /* After a post-handshake authentication we should get 1 new ticket */
2522 if (succ
2523 && (!post_handshake_verify(serverssl, clientssl)
2524 || !TEST_int_eq(new_called, 1)))
2525 goto end;
2526
2527 SSL_shutdown(clientssl);
2528 SSL_shutdown(serverssl);
2529 SSL_free(serverssl);
2530 SSL_free(clientssl);
2531 serverssl = clientssl = NULL;
2532 SSL_SESSION_free(sesscache[i]);
2533 sesscache[i] = NULL;
2534 }
2535
2536 return 1;
2537
2538 end:
2539 SSL_free(clientssl);
2540 SSL_free(serverssl);
2541 return 0;
2542}
2543
04d7814a 2544static int test_tickets(int stateful, int idx)
36ff232c
MC		 2545{
2546 SSL_CTX *sctx = NULL, *cctx = NULL;
2547 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2548 int testresult = 0;
36ff232c
MC		 2549 size_t j;
2550
2551 /* idx is the test number, but also the number of tickets we want */
2552
2553 new_called = 0;
c22365b3 2554 do_cache = 1;
36ff232c 2555
fbe9dafd 2556 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2557 goto end;
2558
03cdf559
MC		 2559 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2560 &clientssl, NULL, NULL)))
2561 goto end;
2562
2563 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2564 SSL_ERROR_NONE))
2565 /* Check we got the number of tickets we were expecting */
2566 || !TEST_int_eq(idx, new_called))
2567 goto end;
04d7814a 2568
03cdf559
MC		 2569 SSL_shutdown(clientssl);
2570 SSL_shutdown(serverssl);
2571 SSL_free(serverssl);
2572 SSL_free(clientssl);
2573 SSL_CTX_free(sctx);
2574 SSL_CTX_free(cctx);
2575 clientssl = serverssl = NULL;
2576 sctx = cctx = NULL;
2577
2578 /*
2579 * Now we try to resume with the tickets we previously created. The
2580 * resumption attempt is expected to fail (because we're now using a new
2581 * SSL_CTX). We should see idx number of tickets issued again.
2582 */
2583
2584 /* Stop caching sessions - just count them */
2585 do_cache = 0;
2586
fbe9dafd 2587 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2588 goto end;
2589
2590 if (!check_resumption(idx, sctx, cctx, 0))
2591 goto end;
2592
2593 /* Start again with caching sessions */
2594 new_called = 0;
2595 do_cache = 1;
fbe9dafd
MC		 2596 SSL_CTX_free(sctx);
2597 SSL_CTX_free(cctx);
2598 sctx = cctx = NULL;
03cdf559 2599
fbe9dafd 2600 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2601 goto end;
36ff232c
MC		 2602
2603 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2604 &clientssl, NULL, NULL)))
2605 goto end;
2606
32097b33 2607 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2608
2609 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2610 SSL_ERROR_NONE))
2611 /* Check we got the number of tickets we were expecting */
2612 || !TEST_int_eq(idx, new_called))
2613 goto end;
2614
2615 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2616 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2617 || !TEST_int_eq(idx * 2, new_called))
2618 goto end;
2619
36ff232c
MC		 2620 SSL_shutdown(clientssl);
2621 SSL_shutdown(serverssl);
2622 SSL_free(serverssl);
2623 SSL_free(clientssl);
2624 serverssl = clientssl = NULL;
2625
c22365b3
MC		 2626 /* Stop caching sessions - just count them */
2627 do_cache = 0;
2628
03cdf559
MC		 2629 /*
2630 * Check we can resume with all the tickets we created. This time around the
2631 * resumptions should all be successful.
2632 */
2633 if (!check_resumption(idx, sctx, cctx, 1))
2634 goto end;
36ff232c
MC		 2635
2636 testresult = 1;
2637
2638 end:
2639 SSL_free(serverssl);
2640 SSL_free(clientssl);
c22365b3 2641 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2642 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2643 sesscache[j] = NULL;
2644 }
36ff232c
MC		 2645 SSL_CTX_free(sctx);
2646 SSL_CTX_free(cctx);
2647
2648 return testresult;
2649}
04d7814a
MC		 2650
2651static int test_stateless_tickets(int idx)
2652{
2653 return test_tickets(0, idx);
2654}
2655
2656static int test_stateful_tickets(int idx)
2657{
2658 return test_tickets(1, idx);
2659}
8614a4eb
MC		 2660
2661static int test_psk_tickets(void)
2662{
2663 SSL_CTX *sctx = NULL, *cctx = NULL;
2664 SSL *serverssl = NULL, *clientssl = NULL;
2665 int testresult = 0;
2666 int sess_id_ctx = 1;
2667
5e30f2fd
MC		 2668 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2669 TLS_client_method(), TLS1_VERSION, 0,
2670 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2671 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2672 (void *)&sess_id_ctx,
2673 sizeof(sess_id_ctx))))
2674 goto end;
2675
2676 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2677 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2678 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2679 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2680 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2681 use_session_cb_cnt = 0;
2682 find_session_cb_cnt = 0;
2683 srvid = pskid;
2684 new_called = 0;
2685
2686 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2687 NULL, NULL)))
2688 goto end;
10836921 2689 clientpsk = serverpsk = create_a_psk(clientssl, SHA384_DIGEST_LENGTH);
8614a4eb
MC		 2690 if (!TEST_ptr(clientpsk))
2691 goto end;
2692 SSL_SESSION_up_ref(clientpsk);
2693
2694 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2695 SSL_ERROR_NONE))
2696 || !TEST_int_eq(1, find_session_cb_cnt)
2697 || !TEST_int_eq(1, use_session_cb_cnt)
2698 /* We should always get 1 ticket when using external PSK */
2699 || !TEST_int_eq(1, new_called))
2700 goto end;
2701
2702 testresult = 1;
2703
2704 end:
2705 SSL_free(serverssl);
2706 SSL_free(clientssl);
2707 SSL_CTX_free(sctx);
2708 SSL_CTX_free(cctx);
2709 SSL_SESSION_free(clientpsk);
2710 SSL_SESSION_free(serverpsk);
2711 clientpsk = serverpsk = NULL;
2712
2713 return testresult;
2714}
f0049b86
BK		 2715
2716static int test_extra_tickets(int idx)
2717{
2718 SSL_CTX *sctx = NULL, *cctx = NULL;
2719 SSL *serverssl = NULL, *clientssl = NULL;
2720 BIO *bretry = BIO_new(bio_s_always_retry());
2721 BIO *tmp = NULL;
2722 int testresult = 0;
2723 int stateful = 0;
2724 size_t nbytes;
2725 unsigned char c, buf[1];
2726
2727 new_called = 0;
2728 do_cache = 1;
2729
2730 if (idx >= 3) {
2731 idx -= 3;
2732 stateful = 1;
2733 }
2734
2735 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2736 goto end;
2737 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2738 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2739 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2740
2741 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2742 &clientssl, NULL, NULL)))
2743 goto end;
2744
2745 /*
2746 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2747 * incremented by both client and server.
2748 */
2749 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2750 SSL_ERROR_NONE))
2751 /* Check we got the number of tickets we were expecting */
2752 || !TEST_int_eq(idx * 2, new_called)
2753 || !TEST_true(SSL_new_session_ticket(serverssl))
2754 || !TEST_true(SSL_new_session_ticket(serverssl))
2755 || !TEST_int_eq(idx * 2, new_called))
2756 goto end;
2757
2758 /* Now try a (real) write to actually send the tickets */
2759 c = '1';
2760 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2761 || !TEST_size_t_eq(1, nbytes)
2762 || !TEST_int_eq(idx * 2 + 2, new_called)
2763 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2764 || !TEST_int_eq(idx * 2 + 4, new_called)
2765 || !TEST_int_eq(sizeof(buf), nbytes)
2766 || !TEST_int_eq(c, buf[0])
2767 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2768 goto end;
2769
2770 /* Try with only requesting one new ticket, too */
2771 c = '2';
2772 new_called = 0;
2773 if (!TEST_true(SSL_new_session_ticket(serverssl))
2774 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2775 || !TEST_size_t_eq(sizeof(c), nbytes)
2776 || !TEST_int_eq(1, new_called)
2777 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2778 || !TEST_int_eq(2, new_called)
2779 || !TEST_size_t_eq(sizeof(buf), nbytes)
2780 || !TEST_int_eq(c, buf[0]))
2781 goto end;
2782
2783 /* Do it again but use dummy writes to drive the ticket generation */
2784 c = '3';
2785 new_called = 0;
2786 if (!TEST_true(SSL_new_session_ticket(serverssl))
2787 || !TEST_true(SSL_new_session_ticket(serverssl))
2788 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2789 || !TEST_size_t_eq(0, nbytes)
2790 || !TEST_int_eq(2, new_called)
2791 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2792 || !TEST_int_eq(4, new_called))
2793 goto end;
2794
a0bbcb42
BK		 2795 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2796 c = '4';
2797 new_called = 0;
2798 if (!TEST_true(SSL_new_session_ticket(serverssl))
2799 || !TEST_true(SSL_new_session_ticket(serverssl))
2800 || !TEST_true(SSL_do_handshake(serverssl))
2801 || !TEST_int_eq(2, new_called)
2802 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2803 || !TEST_int_eq(4, new_called))
2804 goto end;
2805
f0049b86
BK		 2806 /*
2807 * Use the always-retry BIO to exercise the logic that forces ticket
2808 * generation to wait until a record boundary.
2809 */
a0bbcb42 2810 c = '5';
f0049b86
BK		 2811 new_called = 0;
2812 tmp = SSL_get_wbio(serverssl);
2813 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2814 tmp = NULL;
2815 goto end;
2816 }
2817 SSL_set0_wbio(serverssl, bretry);
2818 bretry = NULL;
2819 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2820 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2821 || !TEST_size_t_eq(nbytes, 0))
2822 goto end;
2823 /* Restore a BIO that will let the write succeed */
2824 SSL_set0_wbio(serverssl, tmp);
2825 tmp = NULL;
a0bbcb42
BK		 2826 /*
2827 * These calls should just queue the request and not send anything
2828 * even if we explicitly try to hit the state machine.
2829 */
f0049b86
BK		 2830 if (!TEST_true(SSL_new_session_ticket(serverssl))
2831 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2832 || !TEST_int_eq(0, new_called)
2833 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2834 || !TEST_int_eq(0, new_called))
2835 goto end;
2836 /* Re-do the write; still no tickets sent */
2837 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2838 || !TEST_size_t_eq(1, nbytes)
2839 || !TEST_int_eq(0, new_called)
2840 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2841 || !TEST_int_eq(0, new_called)
2842 || !TEST_int_eq(sizeof(buf), nbytes)
2843 || !TEST_int_eq(c, buf[0])
2844 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2845 goto end;
a0bbcb42
BK		 2846 /* Even trying to hit the state machine now will still not send tickets */
2847 if (!TEST_true(SSL_do_handshake(serverssl))
2848 || !TEST_int_eq(0, new_called))
2849 goto end;
f0049b86 2850 /* Now the *next* write should send the tickets */
a0bbcb42 2851 c = '6';
f0049b86
BK		 2852 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2853 || !TEST_size_t_eq(1, nbytes)
2854 || !TEST_int_eq(2, new_called)
2855 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2856 || !TEST_int_eq(4, new_called)
2857 || !TEST_int_eq(sizeof(buf), nbytes)
2858 || !TEST_int_eq(c, buf[0])
2859 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2860 goto end;
2861
2862 SSL_shutdown(clientssl);
2863 SSL_shutdown(serverssl);
2864 testresult = 1;
2865
2866 end:
2867 BIO_free(bretry);
2868 BIO_free(tmp);
2869 SSL_free(serverssl);
2870 SSL_free(clientssl);
2871 SSL_CTX_free(sctx);
2872 SSL_CTX_free(cctx);
2873 clientssl = serverssl = NULL;
2874 sctx = cctx = NULL;
2875 return testresult;
2876}
04225915 2877#endif
36ff232c 2878
7d4488bb
MC		 2879#define USE_NULL 0
2880#define USE_BIO_1 1
2881#define USE_BIO_2 2
2882#define USE_DEFAULT 3
2883
2884#define CONNTYPE_CONNECTION_SUCCESS 0
2885#define CONNTYPE_CONNECTION_FAIL 1
2886#define CONNTYPE_NO_CONNECTION 2
2887
2888#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2889#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2890#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2891# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2892#else
2893# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2894#endif
2895
7d4488bb
MC		 2896#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2897 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2898 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2899
2900static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2901{
2902 switch (type) {
2903 case USE_NULL:
2904 *res = NULL;
2905 break;
2906 case USE_BIO_1:
2907 *res = bio1;
2908 break;
2909 case USE_BIO_2:
2910 *res = bio2;
2911 break;
2912 }
2913}
2914
7d4488bb
MC		 2915
2916/*
2917 * Tests calls to SSL_set_bio() under various conditions.
2918 *
2919 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2920 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2921 * then do more tests where we create a successful connection first using our
2922 * standard connection setup functions, and then call SSL_set_bio() with
2923 * various combinations of valid BIOs or NULL. We then repeat these tests
2924 * following a failed connection. In this last case we are looking to check that
2925 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2926 */
7fb4c820
MC		 2927static int test_ssl_set_bio(int idx)
2928{
7d4488bb 2929 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2930 BIO *bio1 = NULL;
2931 BIO *bio2 = NULL;
0fae8150 2932 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2933 SSL *serverssl = NULL, *clientssl = NULL;
2934 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2935 int testresult = 0;
2936
7d4488bb
MC		 2937 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2938 initrbio = idx % 3;
2939 idx /= 3;
2940 initwbio = idx % 3;
2941 idx /= 3;
2942 newrbio = idx % 3;
2943 idx /= 3;
2944 newwbio = idx % 3;
2945 conntype = CONNTYPE_NO_CONNECTION;
2946 } else {
2947 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2948 initrbio = initwbio = USE_DEFAULT;
2949 newrbio = idx % 2;
2950 idx /= 2;
2951 newwbio = idx % 2;
2952 idx /= 2;
2953 conntype = idx % 2;
2954 }
710756a9 2955
5e30f2fd
MC		 2956 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2957 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2958 &sctx, &cctx, cert, privkey)))
2959 goto end;
2960
2961 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2962 /*
2963 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2964 * because we reduced the number of tests in the definition of
2965 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2966 * mismatched protocol versions we will force a connection failure.
2967 */
2968 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2969 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2970 }
2971
2972 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2973 NULL, NULL)))
710756a9 2974 goto end;
7fb4c820 2975
710756a9
RS		 2976 if (initrbio == USE_BIO_1
2977 || initwbio == USE_BIO_1
2978 || newrbio == USE_BIO_1
7fb4c820 2979 || newwbio == USE_BIO_1) {
710756a9 2980 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2981 goto end;
7fb4c820
MC		 2982 }
2983
710756a9
RS		 2984 if (initrbio == USE_BIO_2
2985 || initwbio == USE_BIO_2
2986 || newrbio == USE_BIO_2
7fb4c820 2987 || newwbio == USE_BIO_2) {
710756a9 2988 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2989 goto end;
7fb4c820
MC		 2990 }
2991
7d4488bb
MC		 2992 if (initrbio != USE_DEFAULT) {
2993 setupbio(&irbio, bio1, bio2, initrbio);
2994 setupbio(&iwbio, bio1, bio2, initwbio);
2995 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2996
7d4488bb
MC		 2997 /*
2998 * We want to maintain our own refs to these BIO, so do an up ref for
2999 * each BIO that will have ownership transferred in the SSL_set_bio()
3000 * call
3001 */
3002 if (irbio != NULL)
3003 BIO_up_ref(irbio);
3004 if (iwbio != NULL && iwbio != irbio)
3005 BIO_up_ref(iwbio);
3006 }
7fb4c820 3007
7d4488bb
MC		 3008 if (conntype != CONNTYPE_NO_CONNECTION
3009 && !TEST_true(create_ssl_connection(serverssl, clientssl,
3010 SSL_ERROR_NONE)
3011 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
3012 goto end;
7fb4c820
MC		 3013
3014 setupbio(&nrbio, bio1, bio2, newrbio);
3015 setupbio(&nwbio, bio1, bio2, newwbio);
3016
3017 /*
3018 * We will (maybe) transfer ownership again so do more up refs.
3019 * SSL_set_bio() has some really complicated ownership rules where BIOs have
3020 * already been set!
3021 */
710756a9
RS		 3022 if (nrbio != NULL
3023 && nrbio != irbio
3024 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 3025 BIO_up_ref(nrbio);
710756a9
RS		 3026 if (nwbio != NULL
3027 && nwbio != nrbio
3028 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 3029 BIO_up_ref(nwbio);
3030
7d4488bb 3031 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 3032
3033 testresult = 1;
3034
3035 end:
7fb4c820
MC		 3036 BIO_free(bio1);
3037 BIO_free(bio2);
710756a9 3038
7fb4c820
MC		 3039 /*
3040 * This test is checking that the ref counting for SSL_set_bio is correct.
3041 * If we get here and we did too many frees then we will fail in the above
742ccab3 3042 * functions.
7fb4c820 3043 */
7d4488bb
MC		 3044 SSL_free(serverssl);
3045 SSL_free(clientssl);
3046 SSL_CTX_free(sctx);
3047 SSL_CTX_free(cctx);
7fb4c820
MC		 3048 return testresult;
3049}
3050
7e885b7b 3051typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 3052
7e885b7b 3053static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 3054{
3055 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 3056 SSL_CTX *ctx;
9a716987
MC		 3057 SSL *ssl = NULL;
3058 int testresult = 0;
3059
d8652be0 3060 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 3061 || !TEST_ptr(ssl = SSL_new(ctx))
3062 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
3063 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 3064 goto end;
9a716987
MC		 3065
3066 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
3067
3068 /*
742ccab3 3069 * If anything goes wrong here then we could leak memory.
9a716987
MC		 3070 */
3071 BIO_push(sslbio, membio1);
3072
69687aa8 3073 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 3074 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 3075 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
3076 ssl = NULL;
9a716987 3077 goto end;
493e7898 3078 }
7e885b7b 3079 if (change_bio == CHANGE_RBIO)
65e2d672 3080 SSL_set0_rbio(ssl, membio2);
9a716987 3081 else
65e2d672 3082 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 3083 }
3084 ssl = NULL;
3085
7e885b7b 3086 if (pop_ssl)
9a716987
MC		 3087 BIO_pop(sslbio);
3088 else
3089 BIO_pop(membio1);
3090
3091 testresult = 1;
3092 end:
3093 BIO_free(membio1);
3094 BIO_free(sslbio);
3095 SSL_free(ssl);
3096 SSL_CTX_free(ctx);
3097
3098 return testresult;
3099}
3100
3101static int test_ssl_bio_pop_next_bio(void)
3102{
7e885b7b 3103 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 3104}
3105
3106static int test_ssl_bio_pop_ssl_bio(void)
3107{
7e885b7b 3108 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 3109}
3110
3111static int test_ssl_bio_change_rbio(void)
3112{
7e885b7b 3113 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 3114}
3115
3116static int test_ssl_bio_change_wbio(void)
3117{
7e885b7b 3118 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 3119}
3120
a763ca11 3121#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 3122typedef struct {
3123 /* The list of sig algs */
3124 const int *list;
3125 /* The length of the list */
3126 size_t listlen;
3127 /* A sigalgs list in string format */
3128 const char *liststr;
3129 /* Whether setting the list should succeed */
3130 int valid;
3131 /* Whether creating a connection with the list should succeed */
3132 int connsuccess;
3133} sigalgs_list;
3134
3135static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 3136# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3137static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
3138static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 3139# endif
f1b25aae
MC		 3140static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
3141static const int invalidlist2[] = {NID_sha256, NID_undef};
3142static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
3143static const int invalidlist4[] = {NID_sha256};
3144static const sigalgs_list testsigalgs[] = {
3145 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 3146# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3147 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
3148 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 3149# endif
f1b25aae 3150 {NULL, 0, "RSA+SHA256", 1, 1},
2b4cea1e 3151 {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
c423ecaa 3152# ifndef OPENSSL_NO_EC
f1b25aae
MC		 3153 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
3154 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 3155# endif
f1b25aae
MC		 3156 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
3157 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
3158 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
3159 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
3160 {NULL, 0, "RSA", 0, 0},
3161 {NULL, 0, "SHA256", 0, 0},
3162 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 3163 {NULL, 0, "Invalid", 0, 0}
3164};
f1b25aae
MC		 3165
3166static int test_set_sigalgs(int idx)
3167{
3168 SSL_CTX *cctx = NULL, *sctx = NULL;
3169 SSL *clientssl = NULL, *serverssl = NULL;
3170 int testresult = 0;
3171 const sigalgs_list *curr;
3172 int testctx;
3173
3174 /* Should never happen */
710756a9 3175 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 3176 return 0;
3177
3178 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
3179 curr = testctx ? &testsigalgs[idx]
3180 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
3181
5e30f2fd
MC		 3182 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3183 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 3184 &sctx, &cctx, cert, privkey)))
f1b25aae 3185 return 0;
f1b25aae 3186
d2e491f2
MC		 3187 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
3188
f1b25aae
MC		 3189 if (testctx) {
3190 int ret;
710756a9 3191
f1b25aae
MC		 3192 if (curr->list != NULL)
3193 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
3194 else
3195 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
3196
3197 if (!ret) {
3198 if (curr->valid)
710756a9 3199 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3200 else
3201 testresult = 1;
3202 goto end;
3203 }
3204 if (!curr->valid) {
710756a9 3205 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 3206 goto end;
3207 }
3208 }
3209
710756a9
RS		 3210 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3211 &clientssl, NULL, NULL)))
f1b25aae 3212 goto end;
f1b25aae
MC		 3213
3214 if (!testctx) {
3215 int ret;
3216
3217 if (curr->list != NULL)
3218 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
3219 else
3220 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
3221 if (!ret) {
3222 if (curr->valid)
710756a9 3223 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 3224 else
3225 testresult = 1;
3226 goto end;
3227 }
710756a9 3228 if (!curr->valid)
f1b25aae 3229 goto end;
f1b25aae
MC		 3230 }
3231
710756a9
RS		 3232 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
3233 SSL_ERROR_NONE),
3234 curr->connsuccess))
f1b25aae 3235 goto end;
f1b25aae
MC		 3236
3237 testresult = 1;
3238
3239 end:
3240 SSL_free(serverssl);
3241 SSL_free(clientssl);
3242 SSL_CTX_free(sctx);
3243 SSL_CTX_free(cctx);
3244
3245 return testresult;
3246}
c423ecaa 3247#endif
f1b25aae 3248
a763ca11 3249#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 3250static int psk_client_cb_cnt = 0;
3251static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 3252
3253static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
3254 size_t *idlen, SSL_SESSION **sess)
3255{
3256 switch (++use_session_cb_cnt) {
3257 case 1:
3258 /* The first call should always have a NULL md */
3259 if (md != NULL)
3260 return 0;
3261 break;
3262
3263 case 2:
3264 /* The second call should always have an md */
3265 if (md == NULL)
3266 return 0;
3267 break;
3268
3269 default:
3270 /* We should only be called a maximum of twice */
3271 return 0;
3272 }
3273
57dee9bb
MC		 3274 if (clientpsk != NULL)
3275 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3276
57dee9bb 3277 *sess = clientpsk;
02a3ed5a
MC		 3278 *id = (const unsigned char *)pskid;
3279 *idlen = strlen(pskid);
3280
3281 return 1;
3282}
3283
c2b290c3 3284#ifndef OPENSSL_NO_PSK
532f9578
MC		 3285static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3286 unsigned int max_id_len,
3287 unsigned char *psk,
3288 unsigned int max_psk_len)
3289{
3290 unsigned int psklen = 0;
3291
3292 psk_client_cb_cnt++;
3293
3294 if (strlen(pskid) + 1 > max_id_len)
3295 return 0;
3296
3297 /* We should only ever be called a maximum of twice per connection */
3298 if (psk_client_cb_cnt > 2)
3299 return 0;
3300
3301 if (clientpsk == NULL)
3302 return 0;
3303
3304 /* We'll reuse the PSK we set up for TLSv1.3 */
3305 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3306 return 0;
3307 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3308 strncpy(id, pskid, max_id_len);
3309
3310 return psklen;
3311}
c2b290c3 3312#endif /* OPENSSL_NO_PSK */
532f9578 3313
02a3ed5a
MC		 3314static int find_session_cb(SSL *ssl, const unsigned char *identity,
3315 size_t identity_len, SSL_SESSION **sess)
3316{
3317 find_session_cb_cnt++;
3318
3319 /* We should only ever be called a maximum of twice per connection */
3320 if (find_session_cb_cnt > 2)
3321 return 0;
3322
57dee9bb 3323 if (serverpsk == NULL)
02a3ed5a
MC		 3324 return 0;
3325
3326 /* Identity should match that set by the client */
3327 if (strlen(srvid) != identity_len
3328 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3329 /* No PSK found, continue but without a PSK */
3330 *sess = NULL;
3331 return 1;
3332 }
3333
57dee9bb
MC		 3334 SSL_SESSION_up_ref(serverpsk);
3335 *sess = serverpsk;
02a3ed5a
MC		 3336
3337 return 1;
3338}
3339
c2b290c3 3340#ifndef OPENSSL_NO_PSK
532f9578
MC		 3341static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3342 unsigned char *psk, unsigned int max_psk_len)
3343{
3344 unsigned int psklen = 0;
3345
3346 psk_server_cb_cnt++;
3347
3348 /* We should only ever be called a maximum of twice per connection */
3349 if (find_session_cb_cnt > 2)
3350 return 0;
3351
3352 if (serverpsk == NULL)
3353 return 0;
3354
3355 /* Identity should match that set by the client */
3356 if (strcmp(srvid, identity) != 0) {
3357 return 0;
3358 }
3359
3360 /* We'll reuse the PSK we set up for TLSv1.3 */
3361 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3362 return 0;
3363 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3364
3365 return psklen;
3366}
c2b290c3 3367#endif /* OPENSSL_NO_PSK */
532f9578 3368
5f982038
MC		 3369#define MSG1 "Hello"
3370#define MSG2 "World."
3371#define MSG3 "This"
3372#define MSG4 "is"
3373#define MSG5 "a"
90049cea
MC		 3374#define MSG6 "test"
3375#define MSG7 "message."
5f982038 3376
2be5065b
MC		 3377static int artificial_ticket_time = 0;
3378
3379static int ed_gen_cb(SSL *s, void *arg)
3380{
3381 SSL_SESSION *sess = SSL_get0_session(s);
3382
3383 if (sess == NULL)
3384 return 0;
3385
3386 /*
3387 * Artificially give the ticket some age. Just do it for the number of
3388 * tickets we've been told to do.
3389 */
3390 if (artificial_ticket_time == 0)
3391 return 1;
3392 artificial_ticket_time--;
3393
ffc853bc 3394 if (SSL_SESSION_set_time_ex(sess, SSL_SESSION_get_time_ex(sess) - 10) == 0)
2be5065b
MC		 3395 return 0;
3396
3397 return 1;
3398}
3399
5f982038
MC		 3400/*
3401 * Helper method to setup objects for early data test. Caller frees objects on
3402 * error.
3403 */
3404static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
10836921
MC		 3405 SSL **serverssl, SSL_SESSION **sess, int idx,
3406 size_t mdsize)
5f982038 3407{
2be5065b
MC		 3408 int artificial = (artificial_ticket_time > 0);
3409
5a421415 3410 if (*sctx == NULL
5e30f2fd 3411 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3412 TLS_client_method(),
5c587fb6 3413 TLS1_VERSION, 0,
5a421415
MC		 3414 sctx, cctx, cert, privkey)))
3415 return 0;
3416
2be5065b
MC		 3417 if (artificial)
3418 SSL_CTX_set_session_ticket_cb(*sctx, ed_gen_cb, NULL, NULL);
3419
5a421415 3420 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3421 return 0;
5f982038 3422
02a3ed5a
MC		 3423 if (idx == 1) {
3424 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3425 SSL_CTX_set_read_ahead(*cctx, 1);
3426 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3427 } else if (idx == 2) {
3428 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3429 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3430 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3431 use_session_cb_cnt = 0;
3432 find_session_cb_cnt = 0;
3433 srvid = pskid;
3cb47b4e
MC		 3434 }
3435
710756a9 3436 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3437 NULL, NULL)))
3438 return 0;
3439
141e4709
MC		 3440 /*
3441 * For one of the run throughs (doesn't matter which one), we'll try sending
3442 * some SNI data in the initial ClientHello. This will be ignored (because
3443 * there is no SNI cb set up by the server), so it should not impact
3444 * early_data.
3445 */
3446 if (idx == 1
3447 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3448 return 0;
3449
02a3ed5a 3450 if (idx == 2) {
10836921 3451 clientpsk = create_a_psk(*clientssl, mdsize);
57dee9bb 3452 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3453 /*
3454 * We just choose an arbitrary value for max_early_data which
3455 * should be big enough for testing purposes.
3456 */
57dee9bb
MC		 3457 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3458 0x100))
3459 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3460 SSL_SESSION_free(clientpsk);
3461 clientpsk = NULL;
02a3ed5a
MC		 3462 return 0;
3463 }
57dee9bb 3464 serverpsk = clientpsk;
02a3ed5a 3465
c20e3b28
MC		 3466 if (sess != NULL) {
3467 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3468 SSL_SESSION_free(clientpsk);
3469 SSL_SESSION_free(serverpsk);
3470 clientpsk = serverpsk = NULL;
3471 return 0;
3472 }
57dee9bb 3473 *sess = clientpsk;
c20e3b28 3474 }
02a3ed5a
MC		 3475 return 1;
3476 }
3477
3478 if (sess == NULL)
3479 return 1;
3480
3481 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3482 SSL_ERROR_NONE)))
5f982038 3483 return 0;
5f982038
MC		 3484
3485 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3486 SSL_shutdown(*clientssl);
3487 SSL_shutdown(*serverssl);
5f982038
MC		 3488 SSL_free(*serverssl);
3489 SSL_free(*clientssl);
3490 *serverssl = *clientssl = NULL;
3491
2be5065b
MC		 3492 /*
3493 * Artificially give the ticket some age to match the artificial age we
3494 * gave it on the server side
3495 */
3496 if (artificial
ffc853bc
IH		 3497 && !TEST_time_t_gt(SSL_SESSION_set_time_ex(*sess,
3498 SSL_SESSION_get_time_ex(*sess) - 10), 0))
2be5065b
MC		 3499 return 0;
3500
710756a9
RS		 3501 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3502 clientssl, NULL, NULL))
3503 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3504 return 0;
5f982038
MC		 3505
3506 return 1;
3507}
3508
3cb47b4e 3509static int test_early_data_read_write(int idx)
5f982038
MC		 3510{
3511 SSL_CTX *cctx = NULL, *sctx = NULL;
3512 SSL *clientssl = NULL, *serverssl = NULL;
3513 int testresult = 0;
3514 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3515 unsigned char buf[20], data[1024];
3516 size_t readbytes, written, eoedlen, rawread, rawwritten;
3517 BIO *rbio;
5f982038 3518
2be5065b
MC		 3519 /* Artificially give the next 2 tickets some age for non PSK sessions */
3520 if (idx != 2)
3521 artificial_ticket_time = 2;
710756a9 3522 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3523 &serverssl, &sess, idx,
3524 SHA384_DIGEST_LENGTH))) {
2be5065b 3525 artificial_ticket_time = 0;
5f982038 3526 goto end;
2be5065b
MC		 3527 }
3528 artificial_ticket_time = 0;
5f982038
MC		 3529
3530 /* Write and read some early data */
710756a9
RS		 3531 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3532 &written))
3533 || !TEST_size_t_eq(written, strlen(MSG1))
3534 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3535 sizeof(buf), &readbytes),
3536 SSL_READ_EARLY_DATA_SUCCESS)
3537 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3538 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3539 SSL_EARLY_DATA_ACCEPTED))
5f982038 3540 goto end;
5f982038
MC		 3541
3542 /*
09f28874 3543 * Server should be able to write data, and client should be able to
5f982038
MC		 3544 * read it.
3545 */
710756a9
RS		 3546 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3547 &written))
3548 || !TEST_size_t_eq(written, strlen(MSG2))
3549 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3550 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3551 goto end;
5f982038
MC		 3552
3553 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3554 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3555 &written))
3556 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3557 goto end;
5f982038 3558
09f28874 3559 /* Server should still be able read early data after writing data */
710756a9
RS		 3560 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3561 &readbytes),
3562 SSL_READ_EARLY_DATA_SUCCESS)
3563 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3564 goto end;
5f982038 3565
09f28874 3566 /* Write more data from server and read it from client */
710756a9
RS		 3567 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3568 &written))
3569 || !TEST_size_t_eq(written, strlen(MSG4))
3570 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3571 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3572 goto end;
5f982038
MC		 3573
3574 /*
3575 * If client writes normal data it should mean writing early data is no
3576 * longer possible.
3577 */
710756a9
RS		 3578 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3579 || !TEST_size_t_eq(written, strlen(MSG5))
3580 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3581 SSL_EARLY_DATA_ACCEPTED))
5f982038 3582 goto end;
5f982038 3583
9b5c865d
MC		 3584 /*
3585 * At this point the client has written EndOfEarlyData, ClientFinished and
3586 * normal (fully protected) data. We are going to cause a delay between the
3587 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3588 * in the read BIO, and then just put back the EndOfEarlyData message.
3589 */
3590 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3591 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3592 || !TEST_size_t_lt(rawread, sizeof(data))
3593 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3594 goto end;
710756a9 3595
9b5c865d
MC		 3596 /* Record length is in the 4th and 5th bytes of the record header */
3597 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3598 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3599 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3600 goto end;
9b5c865d 3601
5f982038 3602 /* Server should be told that there is no more early data */
710756a9
RS		 3603 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3604 &readbytes),
3605 SSL_READ_EARLY_DATA_FINISH)
3606 || !TEST_size_t_eq(readbytes, 0))
5f982038 3607 goto end;
5f982038 3608
9b5c865d
MC		 3609 /*
3610 * Server has not finished init yet, so should still be able to write early
3611 * data.
3612 */
710756a9
RS		 3613 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3614 &written))
3615 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3616 goto end;
9b5c865d 3617
f8a303fa 3618 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3619 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3620 &rawwritten))
3621 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3622 goto end;
f8a303fa 3623
5f982038 3624 /* Server should be able to read normal data */
710756a9
RS		 3625 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3626 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3627 goto end;
5f982038 3628
09f28874 3629 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3630 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3631 &written)))
5f982038 3632 goto end;
5f982038 3633 ERR_clear_error();
710756a9
RS		 3634 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3635 &readbytes),
3636 SSL_READ_EARLY_DATA_ERROR))
5f982038 3637 goto end;
5f982038
MC		 3638 ERR_clear_error();
3639
9b5c865d 3640 /* Client should be able to read the data sent by the server */
710756a9
RS		 3641 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3642 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3643 goto end;
710756a9 3644
f8a303fa 3645 /*
36ff232c
MC		 3646 * Make sure we process the two NewSessionTickets. These arrive
3647 * post-handshake. We attempt reads which we do not expect to return any
3648 * data.
f8a303fa 3649 */
36ff232c
MC		 3650 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3651 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3652 &readbytes)))
f8a303fa 3653 goto end;
5f982038 3654
90049cea 3655 /* Server should be able to write normal data */
710756a9
RS		 3656 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3657 || !TEST_size_t_eq(written, strlen(MSG7))
3658 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3659 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3660 goto end;
90049cea 3661
c20e3b28 3662 SSL_SESSION_free(sess);
5f982038 3663 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3664 use_session_cb_cnt = 0;
3665 find_session_cb_cnt = 0;
5f982038
MC		 3666
3667 SSL_shutdown(clientssl);
3668 SSL_shutdown(serverssl);
5f982038
MC		 3669 SSL_free(serverssl);
3670 SSL_free(clientssl);
3671 serverssl = clientssl = NULL;
710756a9
RS		 3672 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3673 &clientssl, NULL, NULL))
3674 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3675 goto end;
5f982038
MC		 3676
3677 /* Write and read some early data */
710756a9
RS		 3678 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3679 &written))
3680 || !TEST_size_t_eq(written, strlen(MSG1))
3681 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3682 &readbytes),
3683 SSL_READ_EARLY_DATA_SUCCESS)
3684 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3685 goto end;
5f982038 3686
710756a9
RS		 3687 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3688 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3689 goto end;
5f982038 3690
09f28874 3691 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3692 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3693 &written)))
5f982038 3694 goto end;
5f982038 3695 ERR_clear_error();
710756a9
RS		 3696 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3697 &readbytes),
3698 SSL_READ_EARLY_DATA_ERROR))
5f982038 3699 goto end;
5f982038
MC		 3700 ERR_clear_error();
3701
3702 /* Client and server should be able to write/read normal data */
710756a9
RS		 3703 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3704 || !TEST_size_t_eq(written, strlen(MSG5))
3705 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3706 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3707 goto end;
5f982038
MC		 3708
3709 testresult = 1;
3710
3711 end:
c20e3b28 3712 SSL_SESSION_free(sess);
57dee9bb
MC		 3713 SSL_SESSION_free(clientpsk);
3714 SSL_SESSION_free(serverpsk);
3715 clientpsk = serverpsk = NULL;
5f982038
MC		 3716 SSL_free(serverssl);
3717 SSL_free(clientssl);
3718 SSL_CTX_free(sctx);
3719 SSL_CTX_free(cctx);
5f982038
MC		 3720 return testresult;
3721}
3722
5a421415
MC		 3723static int allow_ed_cb_called = 0;
3724
3725static int allow_early_data_cb(SSL *s, void *arg)
3726{
3727 int *usecb = (int *)arg;
3728
3729 allow_ed_cb_called++;
3730
3731 if (*usecb == 1)
3732 return 0;
3733
3734 return 1;
3735}
3736
3737/*
3738 * idx == 0: Standard early_data setup
3739 * idx == 1: early_data setup using read_ahead
3740 * usecb == 0: Don't use a custom early data callback
3741 * usecb == 1: Use a custom early data callback and reject the early data
3742 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3743 * confopt == 0: Configure anti-replay directly
3744 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3745 */
3bb5e5b0 3746static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3747{
3748 SSL_CTX *cctx = NULL, *sctx = NULL;
3749 SSL *clientssl = NULL, *serverssl = NULL;
3750 int testresult = 0;
3751 SSL_SESSION *sess = NULL;
5a421415
MC		 3752 size_t readbytes, written;
3753 unsigned char buf[20];
3754
3755 allow_ed_cb_called = 0;
3756
5e30f2fd
MC		 3757 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3758 TLS_client_method(), TLS1_VERSION, 0,
3759 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3760 return 0;
3761
3762 if (usecb > 0) {
3bb5e5b0
MC		 3763 if (confopt == 0) {
3764 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3765 } else {
3766 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3767
3768 if (!TEST_ptr(confctx))
3769 goto end;
3770 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3771 | SSL_CONF_FLAG_SERVER);
3772 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3773 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3774 2)) {
3775 SSL_CONF_CTX_free(confctx);
3776 goto end;
3777 }
3778 SSL_CONF_CTX_free(confctx);
3779 }
5a421415
MC		 3780 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3781 }
78fb5374
MC		 3782
3783 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3784 &serverssl, &sess, idx,
3785 SHA384_DIGEST_LENGTH)))
78fb5374
MC		 3786 goto end;
3787
3788 /*
3789 * The server is configured to accept early data. Create a connection to
3790 * "use up" the ticket
3791 */
3792 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3793 || !TEST_true(SSL_session_reused(clientssl)))
3794 goto end;
3795
3796 SSL_shutdown(clientssl);
3797 SSL_shutdown(serverssl);
3798 SSL_free(serverssl);
3799 SSL_free(clientssl);
3800 serverssl = clientssl = NULL;
3801
3802 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3803 &clientssl, NULL, NULL))
5a421415
MC		 3804 || !TEST_true(SSL_set_session(clientssl, sess)))
3805 goto end;
3806
3807 /* Write and read some early data */
3808 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3809 &written))
3810 || !TEST_size_t_eq(written, strlen(MSG1)))
3811 goto end;
3812
3813 if (usecb <= 1) {
3814 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3815 &readbytes),
3816 SSL_READ_EARLY_DATA_FINISH)
3817 /*
3818 * The ticket was reused, so the we should have rejected the
3819 * early data
3820 */
3821 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3822 SSL_EARLY_DATA_REJECTED))
3823 goto end;
3824 } else {
3825 /* In this case the callback decides to accept the early data */
3826 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3827 &readbytes),
3828 SSL_READ_EARLY_DATA_SUCCESS)
3829 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3830 /*
3831 * Server will have sent its flight so client can now send
3832 * end of early data and complete its half of the handshake
3833 */
3834 || !TEST_int_gt(SSL_connect(clientssl), 0)
3835 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3836 &readbytes),
3837 SSL_READ_EARLY_DATA_FINISH)
3838 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3839 SSL_EARLY_DATA_ACCEPTED))
3840 goto end;
3841 }
3842
3843 /* Complete the connection */
3844 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3845 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3846 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3847 goto end;
3848
3849 testresult = 1;
3850
3851 end:
c20e3b28 3852 SSL_SESSION_free(sess);
78fb5374
MC		 3853 SSL_SESSION_free(clientpsk);
3854 SSL_SESSION_free(serverpsk);
3855 clientpsk = serverpsk = NULL;
3856 SSL_free(serverssl);
3857 SSL_free(clientssl);
3858 SSL_CTX_free(sctx);
3859 SSL_CTX_free(cctx);
3860 return testresult;
3861}
3862
5a421415
MC		 3863static int test_early_data_replay(int idx)
3864{
3bb5e5b0 3865 int ret = 1, usecb, confopt;
5a421415 3866
3bb5e5b0
MC		 3867 for (usecb = 0; usecb < 3; usecb++) {
3868 for (confopt = 0; confopt < 2; confopt++)
3869 ret &= test_early_data_replay_int(idx, usecb, confopt);
3870 }
5a421415
MC		 3871
3872 return ret;
3873}
3874
10836921
MC		 3875static const char *ciphersuites[] = {
3876 "TLS_AES_128_CCM_8_SHA256",
3877 "TLS_AES_128_GCM_SHA256",
3878 "TLS_AES_256_GCM_SHA384",
3879 "TLS_AES_128_CCM_SHA256",
3880#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3881 "TLS_CHACHA20_POLY1305_SHA256"
3882#endif
3883};
3884
710756a9 3885/*
6b84e6bf
MC		 3886 * Helper function to test that a server attempting to read early data can
3887 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3888 * testtype: 0 == No HRR
3889 * testtype: 1 == HRR
0efa0ba4
MC		 3890 * testtype: 2 == HRR, invalid early_data sent after HRR
3891 * testtype: 3 == recv_max_early_data set to 0
710756a9 3892 */
10836921 3893static int early_data_skip_helper(int testtype, int cipher, int idx)
5f982038
MC		 3894{
3895 SSL_CTX *cctx = NULL, *sctx = NULL;
3896 SSL *clientssl = NULL, *serverssl = NULL;
3897 int testresult = 0;
018fcbec 3898 SSL_SESSION *sess = NULL;
5f982038
MC		 3899 unsigned char buf[20];
3900 size_t readbytes, written;
3901
10836921
MC		 3902 if (is_fips && cipher == 4)
3903 return 1;
3904
3905 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3906 TLS_client_method(),
3907 TLS1_VERSION, 0,
3908 &sctx, &cctx, cert, privkey)))
3909 goto end;
3910
3911 if (cipher == 0) {
3912 SSL_CTX_set_security_level(sctx, 0);
3913 SSL_CTX_set_security_level(cctx, 0);
3914 }
3915
3916 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, ciphersuites[cipher]))
3917 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, ciphersuites[cipher])))
3918 goto end;
3919
710756a9 3920 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 3921 &serverssl, &sess, idx,
3922 cipher == 2 ? SHA384_DIGEST_LENGTH
3923 : SHA256_DIGEST_LENGTH)))
5f982038
MC		 3924 goto end;
3925
0efa0ba4 3926 if (testtype == 1 || testtype == 2) {
6b84e6bf 3927 /* Force an HRR to occur */
dbc6268f
MC		 3928#if defined(OPENSSL_NO_EC)
3929 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3930 goto end;
3931#else
4032cd9a 3932 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
6b84e6bf 3933 goto end;
dbc6268f 3934#endif
02a3ed5a
MC		 3935 } else if (idx == 2) {
3936 /*
3937 * We force early_data rejection by ensuring the PSK identity is
3938 * unrecognised
3939 */
3940 srvid = "Dummy Identity";
6b84e6bf
MC		 3941 } else {
3942 /*
3943 * Deliberately corrupt the creation time. We take 20 seconds off the
3944 * time. It could be any value as long as it is not within tolerance.
3945 * This should mean the ticket is rejected.
3946 */
5d99881e 3947 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3948 goto end;
3949 }
5f982038 3950
0efa0ba4 3951 if (testtype == 3
0d1b7789
MC		 3952 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3953 goto end;
3954
5f982038 3955 /* Write some early data */
710756a9
RS		 3956 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3957 &written))
3958 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3959 goto end;
5f982038 3960
0d1b7789 3961 /* Server should reject the early data */
710756a9
RS		 3962 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3963 &readbytes),
3964 SSL_READ_EARLY_DATA_FINISH)
3965 || !TEST_size_t_eq(readbytes, 0)
3966 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3967 SSL_EARLY_DATA_REJECTED))
5f982038 3968 goto end;
5f982038 3969
0efa0ba4
MC		 3970 switch (testtype) {
3971 case 0:
3972 /* Nothing to do */
3973 break;
3974
3975 case 1:
6b84e6bf
MC		 3976 /*
3977 * Finish off the handshake. We perform the same writes and reads as
3978 * further down but we expect them to fail due to the incomplete
3979 * handshake.
3980 */
3981 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3982 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3983 &readbytes)))
3984 goto end;
0efa0ba4
MC		 3985 break;
3986
3987 case 2:
3988 {
3989 BIO *wbio = SSL_get_wbio(clientssl);
3990 /* A record that will appear as bad early_data */
3991 const unsigned char bad_early_data[] = {
3992 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3993 };
3994
3995 /*
3996 * We force the client to attempt a write. This will fail because
3997 * we're still in the handshake. It will cause the second
3998 * ClientHello to be sent.
3999 */
4000 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
4001 &written)))
4002 goto end;
4003
4004 /*
4005 * Inject some early_data after the second ClientHello. This should
4006 * cause the server to fail
4007 */
4008 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
4009 sizeof(bad_early_data), &written)))
4010 goto end;
4011 }
4012 /* fallthrough */
4013
4014 case 3:
0d1b7789 4015 /*
0efa0ba4
MC		 4016 * This client has sent more early_data than we are willing to skip
4017 * (case 3) or sent invalid early_data (case 2) so the connection should
4018 * abort.
0d1b7789
MC		 4019 */
4020 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4021 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
4022 goto end;
4023
4024 /* Connection has failed - nothing more to do */
4025 testresult = 1;
4026 goto end;
0efa0ba4
MC		 4027
4028 default:
4029 TEST_error("Invalid test type");
4030 goto end;
6b84e6bf
MC		 4031 }
4032
10836921 4033 ERR_clear_error();
0d1b7789
MC		 4034 /*
4035 * Should be able to send normal data despite rejection of early data. The
4036 * early_data should be skipped.
4037 */
710756a9
RS		 4038 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4039 || !TEST_size_t_eq(written, strlen(MSG2))
4040 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4041 SSL_EARLY_DATA_REJECTED)
4042 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4043 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4044 goto end;
5f982038 4045
10836921
MC		 4046 /*
4047 * Failure to decrypt early data records should not leave spurious errors
4048 * on the error stack
4049 */
4050 if (!TEST_long_eq(ERR_peek_error(), 0))
4051 goto end;
4052
5f982038
MC		 4053 testresult = 1;
4054
4055 end:
c20e3b28 4056 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4057 SSL_SESSION_free(serverpsk);
4058 clientpsk = serverpsk = NULL;
5f982038
MC		 4059 SSL_SESSION_free(sess);
4060 SSL_free(serverssl);
4061 SSL_free(clientssl);
4062 SSL_CTX_free(sctx);
4063 SSL_CTX_free(cctx);
5f982038
MC		 4064 return testresult;
4065}
4066
6b84e6bf
MC		 4067/*
4068 * Test that a server attempting to read early data can handle a connection
4069 * from a client where the early data is not acceptable.
4070 */
4071static int test_early_data_skip(int idx)
4072{
10836921
MC		 4073 return early_data_skip_helper(0,
4074 idx % OSSL_NELEM(ciphersuites),
4075 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4076}
4077
4078/*
4079 * Test that a server attempting to read early data can handle a connection
4080 * from a client where an HRR occurs.
4081 */
4082static int test_early_data_skip_hrr(int idx)
4083{
10836921
MC		 4084 return early_data_skip_helper(1,
4085 idx % OSSL_NELEM(ciphersuites),
4086 idx / OSSL_NELEM(ciphersuites));
6b84e6bf
MC		 4087}
4088
0efa0ba4
MC		 4089/*
4090 * Test that a server attempting to read early data can handle a connection
4091 * from a client where an HRR occurs and correctly fails if early_data is sent
4092 * after the HRR
4093 */
4094static int test_early_data_skip_hrr_fail(int idx)
4095{
10836921
MC		 4096 return early_data_skip_helper(2,
4097 idx % OSSL_NELEM(ciphersuites),
4098 idx / OSSL_NELEM(ciphersuites));
0efa0ba4
MC		 4099}
4100
0d1b7789
MC		 4101/*
4102 * Test that a server attempting to read early data will abort if it tries to
4103 * skip over too much.
4104 */
4105static int test_early_data_skip_abort(int idx)
4106{
10836921
MC		 4107 return early_data_skip_helper(3,
4108 idx % OSSL_NELEM(ciphersuites),
4109 idx / OSSL_NELEM(ciphersuites));
0d1b7789
MC		 4110}
4111
710756a9
RS		 4112/*
4113 * Test that a server attempting to read early data can handle a connection
4114 * from a client that doesn't send any.
4115 */
3cb47b4e 4116static int test_early_data_not_sent(int idx)
5f982038
MC		 4117{
4118 SSL_CTX *cctx = NULL, *sctx = NULL;
4119 SSL *clientssl = NULL, *serverssl = NULL;
4120 int testresult = 0;
018fcbec 4121 SSL_SESSION *sess = NULL;
5f982038
MC		 4122 unsigned char buf[20];
4123 size_t readbytes, written;
4124
710756a9 4125 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4126 &serverssl, &sess, idx,
4127 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4128 goto end;
4129
4130 /* Write some data - should block due to handshake with server */
4131 SSL_set_connect_state(clientssl);
710756a9 4132 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4133 goto end;
5f982038
MC		 4134
4135 /* Server should detect that early data has not been sent */
710756a9
RS		 4136 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4137 &readbytes),
4138 SSL_READ_EARLY_DATA_FINISH)
4139 || !TEST_size_t_eq(readbytes, 0)
4140 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4141 SSL_EARLY_DATA_NOT_SENT)
4142 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4143 SSL_EARLY_DATA_NOT_SENT))
5f982038 4144 goto end;
5f982038
MC		 4145
4146 /* Continue writing the message we started earlier */
710756a9
RS		 4147 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4148 || !TEST_size_t_eq(written, strlen(MSG1))
4149 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4150 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4151 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
4152 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4153 goto end;
5f982038 4154
710756a9
RS		 4155 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4156 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4157 goto end;
5f982038
MC		 4158
4159 testresult = 1;
4160
4161 end:
5f982038 4162 SSL_SESSION_free(sess);
c20e3b28 4163 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4164 SSL_SESSION_free(serverpsk);
4165 clientpsk = serverpsk = NULL;
5f982038
MC		 4166 SSL_free(serverssl);
4167 SSL_free(clientssl);
4168 SSL_CTX_free(sctx);
4169 SSL_CTX_free(cctx);
5f982038
MC		 4170 return testresult;
4171}
4172
976e5323
MC		 4173static const char *servalpn;
4174
c7558d5b
PY		 4175static int alpn_select_cb(SSL *ssl, const unsigned char **out,
4176 unsigned char *outlen, const unsigned char *in,
4177 unsigned int inlen, void *arg)
976e5323 4178{
c7558d5b 4179 unsigned int protlen = 0;
976e5323
MC		 4180 const unsigned char *prot;
4181
c7558d5b
PY		 4182 for (prot = in; prot < in + inlen; prot += protlen) {
4183 protlen = *prot++;
5d99881e 4184 if (in + inlen < prot + protlen)
976e5323
MC		 4185 return SSL_TLSEXT_ERR_NOACK;
4186
4187 if (protlen == strlen(servalpn)
0bd42fde 4188 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 4189 *out = prot;
4190 *outlen = protlen;
4191 return SSL_TLSEXT_ERR_OK;
4192 }
4193 }
4194
4195 return SSL_TLSEXT_ERR_NOACK;
4196}
4197
57dee9bb 4198/* Test that a PSK can be used to send early_data */
976e5323
MC		 4199static int test_early_data_psk(int idx)
4200{
4201 SSL_CTX *cctx = NULL, *sctx = NULL;
4202 SSL *clientssl = NULL, *serverssl = NULL;
4203 int testresult = 0;
4204 SSL_SESSION *sess = NULL;
57dee9bb
MC		 4205 unsigned char alpnlist[] = {
4206 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
4207 'l', 'p', 'n'
4208 };
4209#define GOODALPNLEN 9
4210#define BADALPNLEN 8
4211#define GOODALPN (alpnlist)
4212#define BADALPN (alpnlist + GOODALPNLEN)
4213 int err = 0;
976e5323
MC		 4214 unsigned char buf[20];
4215 size_t readbytes, written;
57dee9bb 4216 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 4217 int edstatus = SSL_EARLY_DATA_ACCEPTED;
4218
4219 /* We always set this up with a final parameter of "2" for PSK */
4220 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4221 &serverssl, &sess, 2,
4222 SHA384_DIGEST_LENGTH)))
976e5323
MC		 4223 goto end;
4224
976e5323
MC		 4225 servalpn = "goodalpn";
4226
57dee9bb
MC		 4227 /*
4228 * Note: There is no test for inconsistent SNI with late client detection.
4229 * This is because servers do not acknowledge SNI even if they are using
4230 * it in a resumption handshake - so it is not actually possible for a
4231 * client to detect a problem.
4232 */
976e5323
MC		 4233 switch (idx) {
4234 case 0:
57dee9bb 4235 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 4236 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
4237 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4238 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
4239 goto end;
4240 break;
4241
4242 case 1:
57dee9bb 4243 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 4244 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
4245 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 4246 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
4247 GOODALPNLEN))
4248 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
4249 BADALPNLEN)))
976e5323
MC		 4250 goto end;
4251 break;
4252
4253 case 2:
4254 /*
4255 * Set invalid protocol version. Technically this affects PSKs without
4256 * early_data too, but we test it here because it is similar to the
4257 * SNI/ALPN consistency tests.
4258 */
4259 err = SSL_R_BAD_PSK;
4260 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
4261 goto end;
4262 break;
4263
4264 case 3:
4265 /*
49ef3d07
MC		 4266 * Set inconsistent SNI (server side). In this case the connection
4267 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
4268 * is associated with each handshake - not the session. Therefore it
4269 * should not matter that we used a different server name last time.
976e5323 4270 */
281bf233
MC		 4271 SSL_SESSION_free(serverpsk);
4272 serverpsk = SSL_SESSION_dup(clientpsk);
4273 if (!TEST_ptr(serverpsk)
4274 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
4275 goto end;
976e5323
MC		 4276 /* Fall through */
4277 case 4:
4278 /* Set consistent SNI */
976e5323
MC		 4279 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
4280 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
4281 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
4282 hostname_cb)))
4283 goto end;
4284 break;
4285
4286 case 5:
4287 /*
4288 * Set inconsistent ALPN (server detected). In this case the connection
4289 * will succeed but reject early_data.
4290 */
4291 servalpn = "badalpn";
4292 edstatus = SSL_EARLY_DATA_REJECTED;
4293 readearlyres = SSL_READ_EARLY_DATA_FINISH;
4294 /* Fall through */
4295 case 6:
976e5323 4296 /*
57dee9bb 4297 * Set consistent ALPN.
976e5323
MC		 4298 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
4299 * accepts a list of protos (each one length prefixed).
4300 * SSL_set1_alpn_selected accepts a single protocol (not length
4301 * prefixed)
4302 */
57dee9bb
MC		 4303 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
4304 GOODALPNLEN - 1))
4305 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
4306 GOODALPNLEN)))
976e5323
MC		 4307 goto end;
4308
4309 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4310 break;
4311
57dee9bb
MC		 4312 case 7:
4313 /* Set inconsistent ALPN (late client detection) */
4314 SSL_SESSION_free(serverpsk);
4315 serverpsk = SSL_SESSION_dup(clientpsk);
4316 if (!TEST_ptr(serverpsk)
4317 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
4318 BADALPN + 1,
4319 BADALPNLEN - 1))
4320 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4321 GOODALPN + 1,
4322 GOODALPNLEN - 1))
4323 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4324 sizeof(alpnlist))))
4325 goto end;
4326 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4327 edstatus = SSL_EARLY_DATA_ACCEPTED;
4328 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4329 /* SSL_connect() call should fail */
4330 connectres = -1;
4331 break;
4332
976e5323
MC		 4333 default:
4334 TEST_error("Bad test index");
4335 goto end;
4336 }
4337
4338 SSL_set_connect_state(clientssl);
4339 if (err != 0) {
4340 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4341 &written))
4342 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4343 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4344 goto end;
4345 } else {
4346 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4347 &written)))
4348 goto end;
4349
4350 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4351 &readbytes), readearlyres)
976e5323
MC		 4352 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4353 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4354 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4355 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4356 goto end;
4357 }
4358
4359 testresult = 1;
4360
4361 end:
c20e3b28 4362 SSL_SESSION_free(sess);
57dee9bb
MC		 4363 SSL_SESSION_free(clientpsk);
4364 SSL_SESSION_free(serverpsk);
4365 clientpsk = serverpsk = NULL;
976e5323
MC		 4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4368 SSL_CTX_free(sctx);
4369 SSL_CTX_free(cctx);
4370 return testresult;
4371}
4372
0b2b0be9 4373/*
4374 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4375 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4376 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4377 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4378 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4379 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4380 */
4381static int test_early_data_psk_with_all_ciphers(int idx)
4382{
4383 SSL_CTX *cctx = NULL, *sctx = NULL;
4384 SSL *clientssl = NULL, *serverssl = NULL;
4385 int testresult = 0;
4386 SSL_SESSION *sess = NULL;
4387 unsigned char buf[20];
4388 size_t readbytes, written;
4389 const SSL_CIPHER *cipher;
4390 const char *cipher_str[] = {
4391 TLS1_3_RFC_AES_128_GCM_SHA256,
4392 TLS1_3_RFC_AES_256_GCM_SHA384,
4393# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4394 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4395# else
4396 NULL,
4397# endif
4398 TLS1_3_RFC_AES_128_CCM_SHA256,
4399 TLS1_3_RFC_AES_128_CCM_8_SHA256
4400 };
4401 const unsigned char *cipher_bytes[] = {
4402 TLS13_AES_128_GCM_SHA256_BYTES,
4403 TLS13_AES_256_GCM_SHA384_BYTES,
4404# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4405 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4406# else
4407 NULL,
4408# endif
4409 TLS13_AES_128_CCM_SHA256_BYTES,
4410 TLS13_AES_128_CCM_8_SHA256_BYTES
4411 };
4412
4413 if (cipher_str[idx] == NULL)
4414 return 1;
4415 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4416 if (idx == 2 && is_fips == 1)
4417 return 1;
4418
4419 /* We always set this up with a final parameter of "2" for PSK */
4420 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4421 &serverssl, &sess, 2,
4422 SHA384_DIGEST_LENGTH)))
0b2b0be9 4423 goto end;
4424
e0710222
P		 4425 if (idx == 4) {
4426 /* CCM8 ciphers are considered low security due to their short tag */
4427 SSL_set_security_level(clientssl, 0);
4428 SSL_set_security_level(serverssl, 0);
4429 }
4430
0b2b0be9 4431 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4432 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4433 goto end;
4434
4435 /*
4436 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4437 * and assigns to both client and server with incremented reference
4438 * and the same instance is updated in 'sess'.
4439 * So updating ciphersuite in 'sess' which will get reflected in
4440 * PSK handshake using psk use sess and find sess cb.
4441 */
4442 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4443 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4444 goto end;
4445
4446 SSL_set_connect_state(clientssl);
4447 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4448 &written)))
4449 goto end;
4450
4451 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4452 &readbytes),
4453 SSL_READ_EARLY_DATA_SUCCESS)
4454 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4455 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4456 SSL_EARLY_DATA_ACCEPTED)
4457 || !TEST_int_eq(SSL_connect(clientssl), 1)
4458 || !TEST_int_eq(SSL_accept(serverssl), 1))
4459 goto end;
4460
4461 /* Send some normal data from client to server */
4462 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4463 || !TEST_size_t_eq(written, strlen(MSG2)))
4464 goto end;
4465
4466 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4467 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4468 goto end;
4469
4470 testresult = 1;
4471 end:
4472 SSL_SESSION_free(sess);
4473 SSL_SESSION_free(clientpsk);
4474 SSL_SESSION_free(serverpsk);
4475 clientpsk = serverpsk = NULL;
4476 if (clientssl != NULL)
4477 SSL_shutdown(clientssl);
4478 if (serverssl != NULL)
4479 SSL_shutdown(serverssl);
4480 SSL_free(serverssl);
4481 SSL_free(clientssl);
4482 SSL_CTX_free(sctx);
4483 SSL_CTX_free(cctx);
4484 return testresult;
4485}
4486
710756a9
RS		 4487/*
4488 * Test that a server that doesn't try to read early data can handle a
4489 * client sending some.
4490 */
3cb47b4e 4491static int test_early_data_not_expected(int idx)
5f982038
MC		 4492{
4493 SSL_CTX *cctx = NULL, *sctx = NULL;
4494 SSL *clientssl = NULL, *serverssl = NULL;
4495 int testresult = 0;
018fcbec 4496 SSL_SESSION *sess = NULL;
5f982038
MC		 4497 unsigned char buf[20];
4498 size_t readbytes, written;
4499
710756a9 4500 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4501 &serverssl, &sess, idx,
4502 SHA384_DIGEST_LENGTH)))
5f982038
MC		 4503 goto end;
4504
4505 /* Write some early data */
710756a9
RS		 4506 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4507 &written)))
5f982038 4508 goto end;
5f982038
MC		 4509
4510 /*
4511 * Server should skip over early data and then block waiting for client to
4512 * continue handshake
4513 */
710756a9
RS		 4514 if (!TEST_int_le(SSL_accept(serverssl), 0)
4515 || !TEST_int_gt(SSL_connect(clientssl), 0)
4516 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4517 SSL_EARLY_DATA_REJECTED)
4518 || !TEST_int_gt(SSL_accept(serverssl), 0)
4519 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4520 SSL_EARLY_DATA_REJECTED))
5f982038 4521 goto end;
5f982038
MC		 4522
4523 /* Send some normal data from client to server */
710756a9
RS		 4524 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4525 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4526 goto end;
5f982038 4527
710756a9
RS		 4528 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4529 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4530 goto end;
5f982038
MC		 4531
4532 testresult = 1;
4533
4534 end:
5f982038 4535 SSL_SESSION_free(sess);
c20e3b28 4536 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4537 SSL_SESSION_free(serverpsk);
4538 clientpsk = serverpsk = NULL;
5f982038
MC		 4539 SSL_free(serverssl);
4540 SSL_free(clientssl);
4541 SSL_CTX_free(sctx);
4542 SSL_CTX_free(cctx);
5f982038
MC		 4543 return testresult;
4544}
4545
4546
4547# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4548/*
4549 * Test that a server attempting to read early data can handle a connection
4550 * from a TLSv1.2 client.
4551 */
3cb47b4e 4552static int test_early_data_tls1_2(int idx)
5f982038
MC		 4553{
4554 SSL_CTX *cctx = NULL, *sctx = NULL;
4555 SSL *clientssl = NULL, *serverssl = NULL;
4556 int testresult = 0;
4557 unsigned char buf[20];
4558 size_t readbytes, written;
4559
02a3ed5a 4560 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 4561 &serverssl, NULL, idx,
4562 SHA384_DIGEST_LENGTH)))
5f982038 4563 goto end;
5f982038
MC		 4564
4565 /* Write some data - should block due to handshake with server */
4566 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4567 SSL_set_connect_state(clientssl);
710756a9 4568 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4569 goto end;
5f982038
MC		 4570
4571 /*
4572 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4573 * messages from client after ServerDone. Then SSL_read_early_data should
4574 * finish and detect that early data has not been sent
5f982038 4575 */
710756a9
RS		 4576 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4577 &readbytes),
4578 SSL_READ_EARLY_DATA_ERROR))
5f982038 4579 goto end;
5f982038
MC		 4580
4581 /*
4582 * Continue writing the message we started earlier. Will still block waiting
4583 * for the CCS/Finished from server
4584 */
710756a9
RS		 4585 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4586 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4587 &readbytes),
4588 SSL_READ_EARLY_DATA_FINISH)
4589 || !TEST_size_t_eq(readbytes, 0)
4590 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4591 SSL_EARLY_DATA_NOT_SENT))
5f982038 4592 goto end;
5f982038
MC		 4593
4594 /* Continue writing the message we started earlier */
710756a9
RS		 4595 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4596 || !TEST_size_t_eq(written, strlen(MSG1))
4597 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4598 SSL_EARLY_DATA_NOT_SENT)
4599 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4600 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4601 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4602 || !TEST_size_t_eq(written, strlen(MSG2))
4603 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4604 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4605 goto end;
5f982038
MC		 4606
4607 testresult = 1;
4608
4609 end:
57dee9bb
MC		 4610 SSL_SESSION_free(clientpsk);
4611 SSL_SESSION_free(serverpsk);
4612 clientpsk = serverpsk = NULL;
5f982038
MC		 4613 SSL_free(serverssl);
4614 SSL_free(clientssl);
4615 SSL_CTX_free(sctx);
4616 SSL_CTX_free(cctx);
4617
4618 return testresult;
4619}
ca0413ae
MC		 4620# endif /* OPENSSL_NO_TLS1_2 */
4621
034cb87b
MC		 4622/*
4623 * Test configuring the TLSv1.3 ciphersuites
4624 *
4625 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4626 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4627 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4628 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4629 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4630 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4631 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4632 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4633 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4634 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4635 */
4636static int test_set_ciphersuite(int idx)
4637{
4638 SSL_CTX *cctx = NULL, *sctx = NULL;
4639 SSL *clientssl = NULL, *serverssl = NULL;
4640 int testresult = 0;
4641
5e30f2fd
MC		 4642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4643 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4644 &sctx, &cctx, cert, privkey))
4645 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4646 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4647 goto end;
4648
4649 if (idx >=4 && idx <= 7) {
4650 /* SSL_CTX explicit cipher list */
4651 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4652 goto end;
4653 }
4654
4655 if (idx == 0 || idx == 4) {
4656 /* Default ciphersuite */
4657 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4658 "TLS_AES_128_GCM_SHA256")))
4659 goto end;
4660 } else if (idx == 1 || idx == 5) {
4661 /* Non default ciphersuite */
4662 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4663 "TLS_AES_128_CCM_SHA256")))
4664 goto end;
4665 }
4666
4667 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4668 &clientssl, NULL, NULL)))
4669 goto end;
4670
4671 if (idx == 8 || idx == 9) {
4672 /* SSL explicit cipher list */
4673 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4674 goto end;
4675 }
4676
4677 if (idx == 2 || idx == 6 || idx == 8) {
4678 /* Default ciphersuite */
4679 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4680 "TLS_AES_128_GCM_SHA256")))
4681 goto end;
4682 } else if (idx == 3 || idx == 7 || idx == 9) {
4683 /* Non default ciphersuite */
4684 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4685 "TLS_AES_128_CCM_SHA256")))
4686 goto end;
4687 }
4688
4689 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4690 goto end;
4691
4692 testresult = 1;
4693
4694 end:
4695 SSL_free(serverssl);
4696 SSL_free(clientssl);
4697 SSL_CTX_free(sctx);
4698 SSL_CTX_free(cctx);
4699
4700 return testresult;
4701}
4702
ca0413ae
MC		 4703static int test_ciphersuite_change(void)
4704{
4705 SSL_CTX *cctx = NULL, *sctx = NULL;
4706 SSL *clientssl = NULL, *serverssl = NULL;
4707 SSL_SESSION *clntsess = NULL;
4708 int testresult = 0;
4709 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4710
4711 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4712 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4713 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4714 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4715 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4716 "TLS_AES_128_GCM_SHA256:"
4717 "TLS_AES_256_GCM_SHA384:"
4718 "TLS_AES_128_CCM_SHA256"))
f865b081 4719 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
e0710222
P		 4720 "TLS_AES_128_GCM_SHA256")))
4721 goto end;
4722
4723 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4724 NULL, NULL))
ca0413ae
MC		 4725 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4726 SSL_ERROR_NONE)))
4727 goto end;
4728
4729 clntsess = SSL_get1_session(clientssl);
4730 /* Save for later */
4731 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4732 SSL_shutdown(clientssl);
4733 SSL_shutdown(serverssl);
4734 SSL_free(serverssl);
4735 SSL_free(clientssl);
4736 serverssl = clientssl = NULL;
4737
4738 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4739 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4740 "TLS_AES_128_CCM_SHA256"))
4741 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4742 &clientssl, NULL, NULL))
ca0413ae
MC		 4743 || !TEST_true(SSL_set_session(clientssl, clntsess))
4744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4745 SSL_ERROR_NONE))
4746 || !TEST_true(SSL_session_reused(clientssl)))
4747 goto end;
4748
4749 SSL_SESSION_free(clntsess);
4750 clntsess = SSL_get1_session(clientssl);
4751 SSL_shutdown(clientssl);
4752 SSL_shutdown(serverssl);
4753 SSL_free(serverssl);
4754 SSL_free(clientssl);
4755 serverssl = clientssl = NULL;
4756
4757 /*
4758 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4759 * succeeds but does not resume.
ca0413ae 4760 */
f865b081 4761 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4762 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4763 NULL, NULL))
4764 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4766 SSL_ERROR_SSL))
0de6d66d 4767 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4768 goto end;
4769
4770 SSL_SESSION_free(clntsess);
4771 clntsess = NULL;
4772 SSL_shutdown(clientssl);
4773 SSL_shutdown(serverssl);
4774 SSL_free(serverssl);
4775 SSL_free(clientssl);
4776 serverssl = clientssl = NULL;
4777
4778 /* Create a session based on SHA384 */
f865b081 4779 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4780 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4781 &clientssl, NULL, NULL))
4782 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4783 SSL_ERROR_NONE)))
4784 goto end;
4785
4786 clntsess = SSL_get1_session(clientssl);
4787 SSL_shutdown(clientssl);
4788 SSL_shutdown(serverssl);
4789 SSL_free(serverssl);
4790 SSL_free(clientssl);
4791 serverssl = clientssl = NULL;
4792
f865b081
MC		 4793 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4794 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4795 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4796 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4797 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4798 NULL, NULL))
4799 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4800 /*
4801 * We use SSL_ERROR_WANT_READ below so that we can pause the
4802 * connection after the initial ClientHello has been sent to
4803 * enable us to make some session changes.
4804 */
ca0413ae
MC		 4805 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4806 SSL_ERROR_WANT_READ)))
4807 goto end;
4808
4809 /* Trick the client into thinking this session is for a different digest */
4810 clntsess->cipher = aes_128_gcm_sha256;
4811 clntsess->cipher_id = clntsess->cipher->id;
4812
4813 /*
3b0e88d3
MC		 4814 * Continue the previously started connection. Server has selected a SHA-384
4815 * ciphersuite, but client thinks the session is for SHA-256, so it should
4816 * bail out.
ca0413ae
MC		 4817 */
4818 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4819 SSL_ERROR_SSL))
4820 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4821 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4822 goto end;
4823
4824 testresult = 1;
4825
4826 end:
4827 SSL_SESSION_free(clntsess);
4828 SSL_free(serverssl);
4829 SSL_free(clientssl);
4830 SSL_CTX_free(sctx);
4831 SSL_CTX_free(cctx);
4832
4833 return testresult;
4834}
4835
8e63900a 4836/*
5bf2eade 4837 * Test TLSv1.3 Key exchange
4838 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4839 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4840 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4841 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4842 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4843 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4844 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4845 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4846 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4847 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4848 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4849 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4850 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4851 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4852 */
f89d3d69
BK		 4853# ifndef OPENSSL_NO_EC
4854static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4032cd9a
YL		 4855 NID_secp521r1,
4856# ifndef OPENSSL_NO_ECX
4857 NID_X25519, NID_X448
4858# endif
4859 };
f89d3d69
BK		 4860# endif
4861# ifndef OPENSSL_NO_DH
4862static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4863 NID_ffdhe6144, NID_ffdhe8192};
4864# endif
db26ec80 4865static int test_key_exchange(int idx)
8e63900a 4866{
4867 SSL_CTX *sctx = NULL, *cctx = NULL;
4868 SSL *serverssl = NULL, *clientssl = NULL;
4869 int testresult = 0;
fb8c6db4 4870 int kexch_alg;
4871 int *kexch_groups = &kexch_alg;
4872 int kexch_groups_size = 1;
8e63900a 4873 int max_version = TLS1_3_VERSION;
becbacd7 4874 char *kexch_name0 = NULL;
8e63900a 4875
4876 switch (idx) {
5bf2eade 4877# ifndef OPENSSL_NO_EC
db26ec80 4878# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4879 case 12:
fb8c6db4 4880 max_version = TLS1_2_VERSION;
db26ec80 4881# endif
fb8c6db4 4882 /* Fall through */
4883 case 0:
4884 kexch_groups = ecdhe_kexch_groups;
4885 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4886 kexch_name0 = "secp256r1";
fb8c6db4 4887 break;
5bf2eade 4888 case 1:
fb8c6db4 4889 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4890 kexch_name0 = "secp256r1";
fb8c6db4 4891 break;
5bf2eade 4892 case 2:
fb8c6db4 4893 kexch_alg = NID_secp384r1;
becbacd7 4894 kexch_name0 = "secp384r1";
fb8c6db4 4895 break;
5bf2eade 4896 case 3:
fb8c6db4 4897 kexch_alg = NID_secp521r1;
becbacd7 4898 kexch_name0 = "secp521r1";
fb8c6db4 4899 break;
4032cd9a 4900# ifndef OPENSSL_NO_ECX
5bf2eade 4901 case 4:
fb8c6db4 4902 kexch_alg = NID_X25519;
becbacd7 4903 kexch_name0 = "x25519";
fb8c6db4 4904 break;
5bf2eade 4905 case 5:
fb8c6db4 4906 kexch_alg = NID_X448;
becbacd7 4907 kexch_name0 = "x448";
fb8c6db4 4908 break;
4032cd9a 4909# endif
5bf2eade 4910# endif
4911# ifndef OPENSSL_NO_DH
db26ec80 4912# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4913 case 13:
dbc6268f 4914 max_version = TLS1_2_VERSION;
becbacd7 4915 kexch_name0 = "ffdhe2048";
db26ec80 4916# endif
dbc6268f 4917 /* Fall through */
5bf2eade 4918 case 6:
8e63900a 4919 kexch_groups = ffdhe_kexch_groups;
4920 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4921 kexch_name0 = "ffdhe2048";
8e63900a 4922 break;
5bf2eade 4923 case 7:
fb8c6db4 4924 kexch_alg = NID_ffdhe2048;
becbacd7 4925 kexch_name0 = "ffdhe2048";
fb8c6db4 4926 break;
5bf2eade 4927 case 8:
fb8c6db4 4928 kexch_alg = NID_ffdhe3072;
becbacd7 4929 kexch_name0 = "ffdhe3072";
fb8c6db4 4930 break;
5bf2eade 4931 case 9:
fb8c6db4 4932 kexch_alg = NID_ffdhe4096;
becbacd7 4933 kexch_name0 = "ffdhe4096";
fb8c6db4 4934 break;
5bf2eade 4935 case 10:
fb8c6db4 4936 kexch_alg = NID_ffdhe6144;
becbacd7 4937 kexch_name0 = "ffdhe6144";
fb8c6db4 4938 break;
5bf2eade 4939 case 11:
fb8c6db4 4940 kexch_alg = NID_ffdhe8192;
becbacd7 4941 kexch_name0 = "ffdhe8192";
8e63900a 4942 break;
5bf2eade 4943# endif
6597d62b
MC		 4944 default:
4945 /* We're skipping this test */
4946 return 1;
8e63900a 4947 }
4948
5e30f2fd
MC		 4949 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4950 TLS_client_method(), TLS1_VERSION,
4951 max_version, &sctx, &cctx, cert,
4952 privkey)))
8e63900a 4953 goto end;
4954
5bf2eade 4955 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4956 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4957 goto end;
4958
5bf2eade 4959 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4960 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4961 goto end;
4962
5bf2eade 4963 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4964 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4965 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4966 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4967 goto end;
4968
dbc6268f
MC		 4969 /*
4970 * Must include an EC ciphersuite so that we send supported groups in
4971 * TLSv1.2
4972 */
5bf2eade 4973# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4974 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4975 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4976 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4977 goto end;
5bf2eade 4978# endif
8e63900a 4979
4980 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4981 NULL, NULL)))
4982 goto end;
4983
4984 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4985 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4986 goto end;
4987
5bf2eade 4988 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4989 goto end;
8e63900a 4990
dbc6268f 4991 /*
5bf2eade 4992 * If Handshake succeeds the negotiated kexch alg should be the first one in
4993 * configured, except in the case of FFDHE groups (idx 13), which are
4994 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4995 */
4996 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4997 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4998 goto end;
becbacd7
MB		 4999
5000 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
5001 kexch_name0))
5002 goto end;
5003
75d48520
BK		 5004 /* We don't implement RFC 7919 named groups for TLS 1.2. */
5005 if (idx != 13) {
68668243
AB		 5006 if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
5007 || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
5008 goto end;
fb8c6db4 5009 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
5010 goto end;
5011 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
5012 goto end;
5013 }
8e63900a 5014
5015 testresult = 1;
5016 end:
5017 SSL_free(serverssl);
5018 SSL_free(clientssl);
5019 SSL_CTX_free(sctx);
5020 SSL_CTX_free(cctx);
5021 return testresult;
5022}
5023
c9cddf05
P		 5024# if !defined(OPENSSL_NO_TLS1_2) \
5025 && !defined(OPENSSL_NO_EC) \
5026 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 5027static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
5028 int isecdhe, int idx)
5029{
5030 int kexch_alg;
5031 int *kexch_groups = &kexch_alg;
5032 int numec, numff;
5033
5034 numec = OSSL_NELEM(ecdhe_kexch_groups);
5035 numff = OSSL_NELEM(ffdhe_kexch_groups);
5036 if (isecdhe)
5037 kexch_alg = ecdhe_kexch_groups[idx];
5038 else
5039 kexch_alg = ffdhe_kexch_groups[idx];
5040
5041 if (clientmulti) {
5042 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
5043 return 0;
5044 if (isecdhe) {
5045 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
5046 numec)))
5047 return 0;
5048 } else {
5049 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
5050 numff)))
5051 return 0;
5052 }
5053 } else {
5054 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
5055 return 0;
5056 if (isecdhe) {
5057 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
5058 numec)))
5059 return 0;
5060 } else {
5061 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
5062 numff)))
5063 return 0;
5064 }
5065 }
5066 return 1;
5067}
5068
5069/*-
5070 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
5071 * Run through both the ECDHE and FFDHE group lists used in the previous
5072 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
5073 * confirming the expected result; then perform a resumption handshake
5074 * while offering the same group list, and another resumption handshake
5075 * offering a different group list. The returned value should be the
5076 * negotiated group for the initial handshake; for TLS 1.3 resumption
5077 * handshakes the returned value will be negotiated on the resumption
5078 * handshake itself, but for TLS 1.2 resumption handshakes the value will
5079 * be cached in the session from the original handshake, regardless of what
5080 * was offered in the resumption ClientHello.
5081 *
5082 * Using E for the number of EC groups and F for the number of FF groups:
6dc56df2
BK		 5083 * E tests of ECDHE with TLS 1.3, server only has one group
5084 * F tests of FFDHE with TLS 1.3, server only has one group
5085 * E tests of ECDHE with TLS 1.2, server only has one group
5086 * F tests of FFDHE with TLS 1.2, server only has one group
3bd5319b
BK		 5087 * E tests of ECDHE with TLS 1.3, client sends only one group
5088 * F tests of FFDHE with TLS 1.3, client sends only one group
5089 * E tests of ECDHE with TLS 1.2, client sends only one group
5090 * F tests of FFDHE with TLS 1.2, client sends only one group
6dc56df2
BK		 5091 */
5092static int test_negotiated_group(int idx)
5093{
5094 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
5095 int expectednid;
5096 SSL_CTX *sctx = NULL, *cctx = NULL;
5097 SSL *serverssl = NULL, *clientssl = NULL;
5098 SSL_SESSION *origsess = NULL;
5099 int testresult = 0;
5100 int kexch_alg;
5101 int max_version = TLS1_3_VERSION;
5102
5103 numec = OSSL_NELEM(ecdhe_kexch_groups);
5104 numff = OSSL_NELEM(ffdhe_kexch_groups);
5105 numgroups = numec + numff;
5106 clientmulti = (idx < 2 * numgroups);
5107 idx = idx % (2 * numgroups);
5108 istls13 = (idx < numgroups);
5109 idx = idx % numgroups;
5110 isecdhe = (idx < numec);
5111 if (!isecdhe)
5112 idx -= numec;
5113 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
5114 if (isecdhe)
5115 kexch_alg = ecdhe_kexch_groups[idx];
5116 else
5117 kexch_alg = ffdhe_kexch_groups[idx];
5118 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
5119 if (!istls13 && !isecdhe)
5120 expectednid = NID_undef;
5121 else
5122 expectednid = kexch_alg;
5123
5124 if (!istls13)
5125 max_version = TLS1_2_VERSION;
5126
5127 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5128 TLS_client_method(), TLS1_VERSION,
5129 max_version, &sctx, &cctx, cert,
5130 privkey)))
5131 goto end;
5132
5133 /*
5134 * Force (EC)DHE ciphers for TLS 1.2.
5135 * Be sure to enable auto tmp DH so that FFDHE can succeed.
5136 */
5137 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
5138 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5139 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
5140 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
5141 goto end;
5142 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
5143 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
5144 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
5145 goto end;
5146
5147 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5148 NULL, NULL)))
5149 goto end;
5150
5151 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
5152 idx)))
5153 goto end;
5154
5155 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
5156 goto end;
5157
5158 /* Initial handshake; always the configured one */
5159 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5160 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5161 goto end;
5162
5163 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
5164 goto end;
5165
5166 SSL_shutdown(clientssl);
5167 SSL_shutdown(serverssl);
5168 SSL_free(serverssl);
5169 SSL_free(clientssl);
5170 serverssl = clientssl = NULL;
5171
5172 /* First resumption attempt; use the same config as initial handshake */
5173 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5174 NULL, NULL))
5175 || !TEST_true(SSL_set_session(clientssl, origsess))
5176 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5177 isecdhe, idx)))
5178 goto end;
5179
5180 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5181 || !TEST_true(SSL_session_reused(clientssl)))
5182 goto end;
5183
5184 /* Still had better agree, since nothing changed... */
5185 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5186 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5187 goto end;
5188
5189 SSL_shutdown(clientssl);
5190 SSL_shutdown(serverssl);
5191 SSL_free(serverssl);
5192 SSL_free(clientssl);
5193 serverssl = clientssl = NULL;
5194
5195 /*-
5196 * Second resumption attempt
5197 * The party that picks one group changes it, which we effectuate by
5198 * changing 'idx' and updating what we expect.
5199 */
5200 if (idx == 0)
5201 idx = 1;
5202 else
5203 idx--;
5204 if (istls13) {
5205 if (isecdhe)
5206 expectednid = ecdhe_kexch_groups[idx];
5207 else
5208 expectednid = ffdhe_kexch_groups[idx];
5209 /* Verify that we are changing what we expect. */
5210 if (!TEST_int_ne(expectednid, kexch_alg))
5211 goto end;
5212 } else {
5213 /* TLS 1.2 only supports named groups for ECDHE. */
5214 if (isecdhe)
5215 expectednid = kexch_alg;
5216 else
5217 expectednid = 0;
5218 }
5219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5220 NULL, NULL))
5221 || !TEST_true(SSL_set_session(clientssl, origsess))
5222 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
5223 isecdhe, idx)))
5224 goto end;
5225
5226 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5227 || !TEST_true(SSL_session_reused(clientssl)))
5228 goto end;
5229
5230 /* Check that we get what we expected */
5231 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
5232 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
5233 goto end;
5234
5235 testresult = 1;
5236 end:
5237 SSL_free(serverssl);
5238 SSL_free(clientssl);
5239 SSL_CTX_free(sctx);
5240 SSL_CTX_free(cctx);
5241 SSL_SESSION_free(origsess);
5242 return testresult;
5243}
5244# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
5245
5bf2eade 5246/*
5247 * Test TLSv1.3 Cipher Suite
5248 * Test 0 = Set TLS1.3 cipher on context
5249 * Test 1 = Set TLS1.3 cipher on SSL
5250 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
5251 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
5252 */
5253static int test_tls13_ciphersuite(int idx)
5254{
5255 SSL_CTX *sctx = NULL, *cctx = NULL;
5256 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 5257 static const struct {
5258 const char *ciphername;
5259 int fipscapable;
e0710222 5260 int low_security;
4f6c7044 5261 } t13_ciphers[] = {
e0710222
P		 5262 { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 },
5263 { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 },
5264 { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 },
5bf2eade 5265# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e0710222 5266 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
4f6c7044 5267 { TLS1_3_RFC_AES_256_GCM_SHA384
e0710222 5268 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 },
5bf2eade 5269# endif
e0710222
P		 5270 /* CCM8 ciphers are considered low security due to their short tag */
5271 { TLS1_3_RFC_AES_128_CCM_8_SHA256
5272 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }
5bf2eade 5273 };
5274 const char *t13_cipher = NULL;
5275 const char *t12_cipher = NULL;
5276 const char *negotiated_scipher;
5277 const char *negotiated_ccipher;
5278 int set_at_ctx = 0;
5279 int set_at_ssl = 0;
5280 int testresult = 0;
5281 int max_ver;
5282 size_t i;
5283
5284 switch (idx) {
5285 case 0:
5286 set_at_ctx = 1;
5287 break;
5288 case 1:
5289 set_at_ssl = 1;
5290 break;
5291 case 2:
5292 set_at_ctx = 1;
2d900758 5293 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5294 break;
5295 case 3:
5296 set_at_ssl = 1;
2d900758 5297 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 5298 break;
5299 }
5300
5301 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
5302# ifdef OPENSSL_NO_TLS1_2
5303 if (max_ver == TLS1_2_VERSION)
5304 continue;
5305# endif
5306 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 5307 if (is_fips && !t13_ciphers[i].fipscapable)
5308 continue;
5309 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 5310 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 5311 TLS_client_method(),
5312 TLS1_VERSION, max_ver,
5313 &sctx, &cctx, cert, privkey)))
5314 goto end;
5315
e0710222
P		 5316 if (t13_ciphers[i].low_security) {
5317 SSL_CTX_set_security_level(sctx, 0);
5318 SSL_CTX_set_security_level(cctx, 0);
5319 }
5320
5bf2eade 5321 if (set_at_ctx) {
5322 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
5323 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
5324 goto end;
5325 if (t12_cipher != NULL) {
5326 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
5327 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
5328 t12_cipher)))
5329 goto end;
5330 }
5331 }
5332
5333 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5334 &clientssl, NULL, NULL)))
5335 goto end;
5336
5337 if (set_at_ssl) {
5338 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
5339 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
5340 goto end;
5341 if (t12_cipher != NULL) {
5342 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
5343 || !TEST_true(SSL_set_cipher_list(clientssl,
5344 t12_cipher)))
5345 goto end;
5346 }
5347 }
5348
5349 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5350 SSL_ERROR_NONE)))
5351 goto end;
5352
5353 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5354 serverssl));
5355 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5356 clientssl));
5357 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5358 goto end;
5359
5360 /*
5361 * TEST_strn_eq is used below because t13_cipher can contain
5362 * multiple ciphersuites
5363 */
5364 if (max_ver == TLS1_3_VERSION
5365 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5366 strlen(negotiated_scipher)))
5367 goto end;
5368
5369# ifndef OPENSSL_NO_TLS1_2
5370 /* Below validation is not done when t12_cipher is NULL */
5371 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5372 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5373 goto end;
5374# endif
5375
5376 SSL_free(serverssl);
5377 serverssl = NULL;
5378 SSL_free(clientssl);
5379 clientssl = NULL;
5380 SSL_CTX_free(sctx);
5381 sctx = NULL;
5382 SSL_CTX_free(cctx);
5383 cctx = NULL;
5384 }
5385 }
5386
5387 testresult = 1;
5388 end:
5389 SSL_free(serverssl);
5390 SSL_free(clientssl);
5391 SSL_CTX_free(sctx);
5392 SSL_CTX_free(cctx);
5393 return testresult;
5394}
5395
0d8da779
MC		 5396/*
5397 * Test TLSv1.3 PSKs
5398 * Test 0 = Test new style callbacks
5399 * Test 1 = Test both new and old style callbacks
5400 * Test 2 = Test old style callbacks
5401 * Test 3 = Test old style callbacks with no certificate
5402 */
532f9578 5403static int test_tls13_psk(int idx)
ca8c71ba
MC		 5404{
5405 SSL_CTX *sctx = NULL, *cctx = NULL;
5406 SSL *serverssl = NULL, *clientssl = NULL;
5407 const SSL_CIPHER *cipher = NULL;
5408 const unsigned char key[] = {
5409 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5410 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5411 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5412 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5413 };
5414 int testresult = 0;
5415
5e30f2fd
MC		 5416 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5417 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5418 &sctx, &cctx, idx == 3 ? NULL : cert,
5419 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5420 goto end;
5421
0d8da779
MC		 5422 if (idx != 3) {
5423 /*
5424 * We use a ciphersuite with SHA256 to ease testing old style PSK
5425 * callbacks which will always default to SHA256. This should not be
5426 * necessary if we have no cert/priv key. In that case the server should
5427 * prefer SHA256 automatically.
5428 */
5429 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5430 "TLS_AES_128_GCM_SHA256")))
5431 goto end;
4f6c7044
MC		 5432 } else {
5433 /*
5434 * As noted above the server should prefer SHA256 automatically. However
5435 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5436 * code works even if we are testing with only the FIPS provider loaded.
5437 */
5438 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5439 "TLS_AES_256_GCM_SHA384:"
5440 "TLS_AES_128_GCM_SHA256")))
5441 goto end;
0d8da779 5442 }
532f9578
MC		 5443
5444 /*
5445 * Test 0: New style callbacks only
5446 * Test 1: New and old style callbacks (only the new ones should be used)
5447 * Test 2: Old style callbacks only
5448 */
5449 if (idx == 0 || idx == 1) {
5450 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5451 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5452 }
c2b290c3 5453#ifndef OPENSSL_NO_PSK
0d8da779 5454 if (idx >= 1) {
532f9578
MC		 5455 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5456 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5457 }
c2b290c3 5458#endif
ca8c71ba 5459 srvid = pskid;
02a3ed5a
MC		 5460 use_session_cb_cnt = 0;
5461 find_session_cb_cnt = 0;
532f9578
MC		 5462 psk_client_cb_cnt = 0;
5463 psk_server_cb_cnt = 0;
ca8c71ba 5464
0d8da779
MC		 5465 if (idx != 3) {
5466 /*
5467 * Check we can create a connection if callback decides not to send a
5468 * PSK
5469 */
5470 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5471 NULL, NULL))
5472 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5473 SSL_ERROR_NONE))
5474 || !TEST_false(SSL_session_reused(clientssl))
5475 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5476 goto end;
532f9578 5477
0d8da779
MC		 5478 if (idx == 0 || idx == 1) {
5479 if (!TEST_true(use_session_cb_cnt == 1)
5480 || !TEST_true(find_session_cb_cnt == 0)
5481 /*
5482 * If no old style callback then below should be 0
5483 * otherwise 1
5484 */
5485 || !TEST_true(psk_client_cb_cnt == idx)
5486 || !TEST_true(psk_server_cb_cnt == 0))
5487 goto end;
5488 } else {
5489 if (!TEST_true(use_session_cb_cnt == 0)
5490 || !TEST_true(find_session_cb_cnt == 0)
5491 || !TEST_true(psk_client_cb_cnt == 1)
5492 || !TEST_true(psk_server_cb_cnt == 0))
5493 goto end;
5494 }
5495
5496 shutdown_ssl_connection(serverssl, clientssl);
5497 serverssl = clientssl = NULL;
5498 use_session_cb_cnt = psk_client_cb_cnt = 0;
5499 }
ca8c71ba
MC		 5500
5501 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5502 NULL, NULL)))
5503 goto end;
5504
5505 /* Create the PSK */
532f9578 5506 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5507 clientpsk = SSL_SESSION_new();
5508 if (!TEST_ptr(clientpsk)
ca8c71ba 5509 || !TEST_ptr(cipher)
57dee9bb
MC		 5510 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5511 sizeof(key)))
5512 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5513 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5514 TLS1_3_VERSION))
5515 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5516 goto end;
57dee9bb 5517 serverpsk = clientpsk;
ca8c71ba
MC		 5518
5519 /* Check we can create a connection and the PSK is used */
5520 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5521 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5522 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5523 goto end;
5524
532f9578
MC		 5525 if (idx == 0 || idx == 1) {
5526 if (!TEST_true(use_session_cb_cnt == 1)
5527 || !TEST_true(find_session_cb_cnt == 1)
5528 || !TEST_true(psk_client_cb_cnt == 0)
5529 || !TEST_true(psk_server_cb_cnt == 0))
5530 goto end;
5531 } else {
5532 if (!TEST_true(use_session_cb_cnt == 0)
5533 || !TEST_true(find_session_cb_cnt == 0)
5534 || !TEST_true(psk_client_cb_cnt == 1)
5535 || !TEST_true(psk_server_cb_cnt == 1))
5536 goto end;
5537 }
5538
ca8c71ba
MC		 5539 shutdown_ssl_connection(serverssl, clientssl);
5540 serverssl = clientssl = NULL;
5541 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5542 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5543
5544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5545 NULL, NULL)))
5546 goto end;
5547
5548 /* Force an HRR */
dbc6268f
MC		 5549#if defined(OPENSSL_NO_EC)
5550 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5551 goto end;
5552#else
4032cd9a 5553 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
ca8c71ba 5554 goto end;
dbc6268f 5555#endif
ca8c71ba
MC		 5556
5557 /*
5558 * Check we can create a connection, the PSK is used and the callbacks are
5559 * called twice.
5560 */
5561 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5562 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5563 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5564 goto end;
5565
532f9578
MC		 5566 if (idx == 0 || idx == 1) {
5567 if (!TEST_true(use_session_cb_cnt == 2)
5568 || !TEST_true(find_session_cb_cnt == 2)
5569 || !TEST_true(psk_client_cb_cnt == 0)
5570 || !TEST_true(psk_server_cb_cnt == 0))
5571 goto end;
5572 } else {
5573 if (!TEST_true(use_session_cb_cnt == 0)
5574 || !TEST_true(find_session_cb_cnt == 0)
5575 || !TEST_true(psk_client_cb_cnt == 2)
5576 || !TEST_true(psk_server_cb_cnt == 2))
5577 goto end;
5578 }
5579
ca8c71ba
MC		 5580 shutdown_ssl_connection(serverssl, clientssl);
5581 serverssl = clientssl = NULL;
5582 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5583 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5584
0d8da779
MC		 5585 if (idx != 3) {
5586 /*
5587 * Check that if the server rejects the PSK we can still connect, but with
5588 * a full handshake
5589 */
5590 srvid = "Dummy Identity";
5591 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5592 NULL, NULL))
5593 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5594 SSL_ERROR_NONE))
5595 || !TEST_false(SSL_session_reused(clientssl))
5596 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5597 goto end;
532f9578 5598
0d8da779
MC		 5599 if (idx == 0 || idx == 1) {
5600 if (!TEST_true(use_session_cb_cnt == 1)
5601 || !TEST_true(find_session_cb_cnt == 1)
5602 || !TEST_true(psk_client_cb_cnt == 0)
5603 /*
5604 * If no old style callback then below should be 0
5605 * otherwise 1
5606 */
5607 || !TEST_true(psk_server_cb_cnt == idx))
5608 goto end;
5609 } else {
5610 if (!TEST_true(use_session_cb_cnt == 0)
5611 || !TEST_true(find_session_cb_cnt == 0)
5612 || !TEST_true(psk_client_cb_cnt == 1)
5613 || !TEST_true(psk_server_cb_cnt == 1))
5614 goto end;
5615 }
5616
5617 shutdown_ssl_connection(serverssl, clientssl);
5618 serverssl = clientssl = NULL;
5619 }
ca8c71ba
MC		 5620 testresult = 1;
5621
5622 end:
57dee9bb
MC		 5623 SSL_SESSION_free(clientpsk);
5624 SSL_SESSION_free(serverpsk);
5625 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5626 SSL_free(serverssl);
5627 SSL_free(clientssl);
5628 SSL_CTX_free(sctx);
5629 SSL_CTX_free(cctx);
5630 return testresult;
5631}
5632
71583393
MM		 5633#ifndef OSSL_NO_USABLE_TLS1_3
5634/*
5635 * Test TLS1.3 connection establishment succeeds with various configurations of
5636 * the options `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX`.
164a541b 5637 * The verification of whether the right KEX mode is chosen is not covered by
71583393
MM		 5638 * this test but by `test_tls13kexmodes`.
5639 *
5640 * Tests (idx & 1): Server has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5641 * Tests (idx & 2): Server has `SSL_OP_PREFER_NO_DHE_KEX` set.
5642 * Tests (idx & 4): Client has `SSL_OP_ALLOW_NO_DHE_KEX` set.
5643 */
5644static int test_tls13_no_dhe_kex(const int idx)
5645{
5646 SSL_CTX *sctx = NULL, *cctx = NULL;
5647 SSL *serverssl = NULL, *clientssl = NULL;
5648 int testresult = 0;
5649 size_t j;
5650 SSL_SESSION *saved_session;
5651
5652 int server_allow_no_dhe = (idx & 1) != 0;
5653 int server_prefer_no_dhe = (idx & 2) != 0;
5654 int client_allow_no_dhe = (idx & 4) != 0;
5655
5656 uint64_t server_options = 0
5657 | (server_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0)
5658 | (server_prefer_no_dhe ? SSL_OP_PREFER_NO_DHE_KEX : 0);
5659
5660 uint64_t client_options = 0
5661 | (client_allow_no_dhe ? SSL_OP_ALLOW_NO_DHE_KEX : 0);
5662
5663 new_called = 0;
5664 do_cache = 1;
5665
5666 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5667 TLS_client_method(), TLS1_3_VERSION, 0,
5668 &sctx, &cctx, cert, privkey)))
5669 goto end;
5670
5671 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
5672 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
5673
5674 SSL_CTX_set_options(sctx, server_options);
5675 SSL_CTX_set_options(cctx, client_options);
5676
5677 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
5678
5679 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5680 &clientssl, NULL, NULL)))
5681 goto end;
5682
5683 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5684 SSL_ERROR_NONE))
5685 /* Check we got the number of tickets we were expecting */
5686 || !TEST_int_eq(2, new_called))
5687 goto end;
5688
5689 /* We'll reuse the last ticket. */
5690 saved_session = sesscache[new_called - 1];
5691
5692 SSL_shutdown(clientssl);
5693 SSL_shutdown(serverssl);
5694 SSL_free(serverssl);
5695 SSL_free(clientssl);
5696 SSL_CTX_free(cctx);
5697 clientssl = serverssl = NULL;
5698 cctx = NULL;
5699
5700 /*
5701 * Now we resume with the last ticket we created.
5702 */
5703
5704 /* The server context already exists, so we only create the client. */
5705 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5706 TLS_client_method(), TLS1_3_VERSION, 0,
5707 NULL, &cctx, cert, privkey)))
5708 goto end;
5709
5710 SSL_CTX_set_options(cctx, client_options);
5711
5712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5713 &clientssl, NULL, NULL))
5714 || !TEST_true(SSL_set_session(clientssl, saved_session)))
5715 goto end;
5716
5717 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5718 SSL_ERROR_NONE)))
5719 goto end;
5720
5721 /*
5722 * Make sure, the session was resumed.
5723 */
5724 if (!TEST_true(SSL_session_reused(clientssl)))
5725 goto end;
5726
5727 SSL_shutdown(clientssl);
5728 SSL_shutdown(serverssl);
5729
5730 testresult = 1;
5731
5732 end:
5733 SSL_free(serverssl);
5734 SSL_free(clientssl);
5735 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
5736 SSL_SESSION_free(sesscache[j]);
5737 sesscache[j] = NULL;
5738 }
5739 SSL_CTX_free(sctx);
5740 SSL_CTX_free(cctx);
5741
5742 return testresult;
5743}
5744#endif /* OSSL_NO_USABLE_TLS1_3 */
5745
c7b8ff25
MC		 5746static unsigned char cookie_magic_value[] = "cookie magic";
5747
5748static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5749 unsigned int *cookie_len)
5750{
5751 /*
5752 * Not suitable as a real cookie generation function but good enough for
5753 * testing!
5754 */
97ea1e7f
MC		 5755 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5756 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5757
5758 return 1;
5759}
5760
5761static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5762 unsigned int cookie_len)
5763{
97ea1e7f 5764 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5765 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5766 return 1;
5767
5768 return 0;
5769}
5770
3fa2812f
BS		 5771static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5772 size_t *cookie_len)
5773{
5774 unsigned int temp;
5775 int res = generate_cookie_callback(ssl, cookie, &temp);
5776 *cookie_len = temp;
5777 return res;
5778}
5779
5780static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5781 size_t cookie_len)
5782{
5783 return verify_cookie_callback(ssl, cookie, cookie_len);
5784}
5785
c7b8ff25
MC		 5786static int test_stateless(void)
5787{
5788 SSL_CTX *sctx = NULL, *cctx = NULL;
5789 SSL *serverssl = NULL, *clientssl = NULL;
5790 int testresult = 0;
5791
5e30f2fd
MC		 5792 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5793 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5794 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5795 goto end;
5796
e440f513
MC		 5797 /* The arrival of CCS messages can confuse the test */
5798 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5799
5800 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5801 NULL, NULL))
5802 /* Send the first ClientHello */
5803 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5804 SSL_ERROR_WANT_READ))
5805 /*
5806 * This should fail with a -1 return because we have no callbacks
5807 * set up
5808 */
5809 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5810 goto end;
5811
5812 /* Fatal error so abandon the connection from this client */
5813 SSL_free(clientssl);
5814 clientssl = NULL;
5815
c7b8ff25 5816 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5817 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5818 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5819
e440f513
MC		 5820 /*
5821 * Create a new connection from the client (we can reuse the server SSL
5822 * object).
5823 */
c7b8ff25
MC		 5824 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5825 NULL, NULL))
5826 /* Send the first ClientHello */
5827 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5828 SSL_ERROR_WANT_READ))
5829 /* This should fail because there is no cookie */
e440f513 5830 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5831 goto end;
5832
5833 /* Abandon the connection from this client */
5834 SSL_free(clientssl);
5835 clientssl = NULL;
5836
5837 /*
5838 * Now create a connection from a new client but with the same server SSL
5839 * object
5840 */
5841 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5842 NULL, NULL))
5843 /* Send the first ClientHello */
5844 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5845 SSL_ERROR_WANT_READ))
5846 /* This should fail because there is no cookie */
e440f513 5847 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5848 /* Send the second ClientHello */
5849 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5850 SSL_ERROR_WANT_READ))
5851 /* This should succeed because a cookie is now present */
e440f513 5852 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5853 /* Complete the connection */
5854 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5855 SSL_ERROR_NONE)))
5856 goto end;
5857
5858 shutdown_ssl_connection(serverssl, clientssl);
5859 serverssl = clientssl = NULL;
5860 testresult = 1;
5861
5862 end:
5863 SSL_free(serverssl);
5864 SSL_free(clientssl);
5865 SSL_CTX_free(sctx);
5866 SSL_CTX_free(cctx);
5867 return testresult;
5868
5869}
a763ca11 5870#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5871
a37008d9
MC		 5872static int clntaddoldcb = 0;
5873static int clntparseoldcb = 0;
5874static int srvaddoldcb = 0;
5875static int srvparseoldcb = 0;
5876static int clntaddnewcb = 0;
5877static int clntparsenewcb = 0;
5878static int srvaddnewcb = 0;
5879static int srvparsenewcb = 0;
bb01ef3f 5880static int snicb = 0;
a37008d9
MC		 5881
5882#define TEST_EXT_TYPE1 0xff00
5883
5884static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5885 size_t *outlen, int *al, void *add_arg)
5886{
5887 int *server = (int *)add_arg;
5888 unsigned char *data;
5889
5890 if (SSL_is_server(s))
5891 srvaddoldcb++;
5892 else
5893 clntaddoldcb++;
5894
710756a9
RS		 5895 if (*server != SSL_is_server(s)
5896 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5897 return -1;
5898
5899 *data = 1;
5900 *out = data;
5901 *outlen = sizeof(char);
a37008d9
MC		 5902 return 1;
5903}
5904
5905static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5906 void *add_arg)
5907{
5908 OPENSSL_free((unsigned char *)out);
5909}
5910
5911static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5912 size_t inlen, int *al, void *parse_arg)
5913{
5914 int *server = (int *)parse_arg;
5915
5916 if (SSL_is_server(s))
5917 srvparseoldcb++;
5918 else
5919 clntparseoldcb++;
5920
710756a9
RS		 5921 if (*server != SSL_is_server(s)
5922 || inlen != sizeof(char)
5923 || *in != 1)
a37008d9
MC		 5924 return -1;
5925
5926 return 1;
5927}
5928
5929static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5930 const unsigned char **out, size_t *outlen, X509 *x,
5931 size_t chainidx, int *al, void *add_arg)
5932{
5933 int *server = (int *)add_arg;
5934 unsigned char *data;
5935
5936 if (SSL_is_server(s))
5937 srvaddnewcb++;
5938 else
5939 clntaddnewcb++;
5940
710756a9
RS		 5941 if (*server != SSL_is_server(s)
5942 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5943 return -1;
5944
5945 *data = 1;
5946 *out = data;
710756a9 5947 *outlen = sizeof(*data);
a37008d9
MC		 5948 return 1;
5949}
5950
5951static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5952 const unsigned char *out, void *add_arg)
5953{
5954 OPENSSL_free((unsigned char *)out);
5955}
5956
5957static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5958 const unsigned char *in, size_t inlen, X509 *x,
5959 size_t chainidx, int *al, void *parse_arg)
5960{
5961 int *server = (int *)parse_arg;
5962
5963 if (SSL_is_server(s))
5964 srvparsenewcb++;
5965 else
5966 clntparsenewcb++;
5967
710756a9
RS		 5968 if (*server != SSL_is_server(s)
5969 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5970 return -1;
5971
5972 return 1;
5973}
bb01ef3f
MC		 5974
5975static int sni_cb(SSL *s, int *al, void *arg)
5976{
5977 SSL_CTX *ctx = (SSL_CTX *)arg;
5978
5979 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5980 *al = SSL_AD_INTERNAL_ERROR;
5981 return SSL_TLSEXT_ERR_ALERT_FATAL;
5982 }
5983 snicb++;
5984 return SSL_TLSEXT_ERR_OK;
5985}
5986
0db3a990
MC		 5987static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
5988{
5989 return 1;
5990}
5991
a37008d9
MC		 5992/*
5993 * Custom call back tests.
5994 * Test 0: Old style callbacks in TLSv1.2
5995 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5996 * Test 2: New style callbacks in TLSv1.2 with SNI
5997 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5998 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
0db3a990 5999 * Test 5: New style callbacks in TLSv1.3. Extensions in CR + Client Cert
a37008d9 6000 */
710756a9
RS		 6001static int test_custom_exts(int tst)
6002{
bb01ef3f 6003 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 6004 SSL *clientssl = NULL, *serverssl = NULL;
6005 int testresult = 0;
6006 static int server = 1;
6007 static int client = 0;
6008 SSL_SESSION *sess = NULL;
6009 unsigned int context;
6010
a763ca11 6011#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 6012 /* Skip tests for TLSv1.2 and below in this case */
6013 if (tst < 3)
6014 return 1;
6015#endif
6016
a37008d9
MC		 6017 /* Reset callback counters */
6018 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
6019 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 6020 snicb = 0;
a37008d9 6021
5e30f2fd
MC		 6022 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6023 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6024 &sctx, &cctx, cert, privkey)))
710756a9 6025 goto end;
a37008d9 6026
bb01ef3f 6027 if (tst == 2
5e30f2fd 6028 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 6029 TLS1_VERSION, 0,
7d7f6834 6030 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 6031 goto end;
6032
6033
6034 if (tst < 3) {
a37008d9
MC		 6035 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
6036 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 6037 if (sctx2 != NULL)
6038 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 6039 }
6040
0db3a990
MC		 6041 if (tst == 5) {
6042 context = SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
6043 | SSL_EXT_TLS1_3_CERTIFICATE;
6044 SSL_CTX_set_verify(sctx,
6045 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
6046 verify_cb);
6047 if (!TEST_int_eq(SSL_CTX_use_certificate_file(cctx, cert,
6048 SSL_FILETYPE_PEM), 1)
6049 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(cctx, privkey,
6050 SSL_FILETYPE_PEM), 1)
6051 || !TEST_int_eq(SSL_CTX_check_private_key(cctx), 1))
6052 goto end;
6053 } else if (tst == 4) {
710756a9
RS		 6054 context = SSL_EXT_CLIENT_HELLO
6055 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6056 | SSL_EXT_TLS1_3_SERVER_HELLO
6057 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
6058 | SSL_EXT_TLS1_3_CERTIFICATE
6059 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
6060 } else {
710756a9
RS		 6061 context = SSL_EXT_CLIENT_HELLO
6062 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 6063 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
6064 }
6065
6066 /* Create a client side custom extension */
6067 if (tst == 0) {
710756a9
RS		 6068 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6069 old_add_cb, old_free_cb,
6070 &client, old_parse_cb,
6071 &client)))
6072 goto end;
a37008d9 6073 } else {
710756a9
RS		 6074 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
6075 new_add_cb, new_free_cb,
6076 &client, new_parse_cb, &client)))
6077 goto end;
a37008d9
MC		 6078 }
6079
6080 /* Should not be able to add duplicates */
710756a9
RS		 6081 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
6082 old_add_cb, old_free_cb,
6083 &client, old_parse_cb,
6084 &client))
6085 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
6086 context, new_add_cb,
6087 new_free_cb, &client,
6088 new_parse_cb, &client)))
6089 goto end;
a37008d9
MC		 6090
6091 /* Create a server side custom extension */
6092 if (tst == 0) {
710756a9
RS		 6093 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6094 old_add_cb, old_free_cb,
6095 &server, old_parse_cb,
6096 &server)))
6097 goto end;
a37008d9 6098 } else {
710756a9
RS		 6099 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
6100 new_add_cb, new_free_cb,
6101 &server, new_parse_cb, &server)))
6102 goto end;
bb01ef3f
MC		 6103 if (sctx2 != NULL
6104 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
6105 context, new_add_cb,
6106 new_free_cb, &server,
6107 new_parse_cb, &server)))
6108 goto end;
a37008d9
MC		 6109 }
6110
6111 /* Should not be able to add duplicates */
710756a9
RS		 6112 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
6113 old_add_cb, old_free_cb,
6114 &server, old_parse_cb,
6115 &server))
6116 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
6117 context, new_add_cb,
6118 new_free_cb, &server,
6119 new_parse_cb, &server)))
a37008d9 6120 goto end;
a37008d9 6121
bb01ef3f
MC		 6122 if (tst == 2) {
6123 /* Set up SNI */
6124 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
6125 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
6126 goto end;
6127 }
6128
710756a9
RS		 6129 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6130 &clientssl, NULL, NULL))
6131 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6132 SSL_ERROR_NONE)))
a37008d9 6133 goto end;
a37008d9
MC		 6134
6135 if (tst == 0) {
710756a9
RS		 6136 if (clntaddoldcb != 1
6137 || clntparseoldcb != 1
6138 || srvaddoldcb != 1
6139 || srvparseoldcb != 1)
a37008d9 6140 goto end;
bb01ef3f 6141 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6142 if (clntaddnewcb != 1
6143 || clntparsenewcb != 1
6144 || srvaddnewcb != 1
bb01ef3f
MC		 6145 || srvparsenewcb != 1
6146 || (tst != 2 && snicb != 0)
6147 || (tst == 2 && snicb != 1))
a37008d9 6148 goto end;
0db3a990
MC		 6149 } else if (tst == 5) {
6150 if (clntaddnewcb != 1
6151 || clntparsenewcb != 1
6152 || srvaddnewcb != 1
6153 || srvparsenewcb != 1)
6154 goto end;
a37008d9 6155 } else {
36ff232c 6156 /* In this case there 2 NewSessionTicket messages created */
710756a9 6157 if (clntaddnewcb != 1
36ff232c
MC		 6158 || clntparsenewcb != 5
6159 || srvaddnewcb != 5
710756a9 6160 || srvparsenewcb != 1)
a37008d9 6161 goto end;
a37008d9
MC		 6162 }
6163
6164 sess = SSL_get1_session(clientssl);
a37008d9
MC		 6165 SSL_shutdown(clientssl);
6166 SSL_shutdown(serverssl);
a37008d9
MC		 6167 SSL_free(serverssl);
6168 SSL_free(clientssl);
6169 serverssl = clientssl = NULL;
6170
0db3a990
MC		 6171 if (tst == 3 || tst == 5) {
6172 /* We don't bother with the resumption aspects for these tests */
bb01ef3f
MC		 6173 testresult = 1;
6174 goto end;
6175 }
6176
710756a9
RS		 6177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6178 NULL, NULL))
6179 || !TEST_true(SSL_set_session(clientssl, sess))
6180 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6181 SSL_ERROR_NONE)))
a37008d9 6182 goto end;
a37008d9
MC		 6183
6184 /*
6185 * For a resumed session we expect to add the ClientHello extension. For the
6186 * old style callbacks we ignore it on the server side because they set
6187 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
6188 * them.
6189 */
6190 if (tst == 0) {
710756a9
RS		 6191 if (clntaddoldcb != 2
6192 || clntparseoldcb != 1
6193 || srvaddoldcb != 1
6194 || srvparseoldcb != 1)
a37008d9 6195 goto end;
bb01ef3f 6196 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 6197 if (clntaddnewcb != 2
6198 || clntparsenewcb != 2
6199 || srvaddnewcb != 2
6200 || srvparsenewcb != 2)
a37008d9 6201 goto end;
a37008d9 6202 } else {
36ff232c
MC		 6203 /*
6204 * No Certificate message extensions in the resumption handshake,
6205 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
6206 */
710756a9 6207 if (clntaddnewcb != 2
36ff232c
MC		 6208 || clntparsenewcb != 8
6209 || srvaddnewcb != 8
710756a9 6210 || srvparsenewcb != 2)
a37008d9 6211 goto end;
a37008d9
MC		 6212 }
6213
6214 testresult = 1;
6215
6216end:
6217 SSL_SESSION_free(sess);
6218 SSL_free(serverssl);
6219 SSL_free(clientssl);
bb01ef3f 6220 SSL_CTX_free(sctx2);
a37008d9
MC		 6221 SSL_CTX_free(sctx);
6222 SSL_CTX_free(cctx);
a37008d9
MC		 6223 return testresult;
6224}
6225
555dd939 6226#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
16afd71c 6227
555dd939
DF		 6228#define SYNTHV1CONTEXT (SSL_EXT_TLS1_2_AND_BELOW_ONLY \
6229 | SSL_EXT_CLIENT_HELLO \
6230 | SSL_EXT_TLS1_2_SERVER_HELLO \
6231 | SSL_EXT_IGNORE_ON_RESUMPTION)
16afd71c 6232
555dd939
DF		 6233#define TLS13CONTEXT (SSL_EXT_TLS1_3_CERTIFICATE \
6234 | SSL_EXT_TLS1_2_SERVER_HELLO \
6235 | SSL_EXT_CLIENT_HELLO)
16afd71c 6236
555dd939
DF		 6237#define SERVERINFO_CUSTOM \
6238 0x00, (char)TLSEXT_TYPE_signed_certificate_timestamp, \
6239 0x00, 0x03, \
6240 0x04, 0x05, 0x06 \
6241
6242static const unsigned char serverinfo_custom_tls13[] = {
6243 0x00, 0x00, (TLS13CONTEXT >> 8) & 0xff, TLS13CONTEXT & 0xff,
6244 SERVERINFO_CUSTOM
6245};
6246static const unsigned char serverinfo_custom_v2[] = {
6247 0x00, 0x00, (SYNTHV1CONTEXT >> 8) & 0xff, SYNTHV1CONTEXT & 0xff,
6248 SERVERINFO_CUSTOM
6249};
6250static const unsigned char serverinfo_custom_v1[] = {
6251 SERVERINFO_CUSTOM
6252};
6253static const size_t serverinfo_custom_tls13_len = sizeof(serverinfo_custom_tls13);
6254static const size_t serverinfo_custom_v2_len = sizeof(serverinfo_custom_v2);
6255static const size_t serverinfo_custom_v1_len = sizeof(serverinfo_custom_v1);
6256
6257static int serverinfo_custom_parse_cb(SSL *s, unsigned int ext_type,
6258 unsigned int context,
6259 const unsigned char *in,
6260 size_t inlen, X509 *x,
6261 size_t chainidx, int *al,
6262 void *parse_arg)
6263{
6264 const size_t len = serverinfo_custom_v1_len;
6265 const unsigned char *si = &serverinfo_custom_v1[len - 3];
6266 int *p_cb_result = (int*)parse_arg;
6267 *p_cb_result = TEST_mem_eq(in, inlen, si, 3);
6268 return 1;
6269}
6270
6271static int test_serverinfo_custom(const int idx)
6272{
6273 SSL_CTX *sctx = NULL, *cctx = NULL;
6274 SSL *clientssl = NULL, *serverssl = NULL;
6275 int testresult = 0;
6276 int cb_result = 0;
6277
6278 /*
6279 * Following variables are set in the switch statement
6280 * according to the test iteration.
6281 * Default values do not make much sense: test would fail with them.
6282 */
6283 int serverinfo_version = 0;
6284 int protocol_version = 0;
6285 unsigned int extension_context = 0;
6286 const unsigned char *si = NULL;
6287 size_t si_len = 0;
6288
6289 const int call_use_serverinfo_ex = idx > 0;
6290 switch (idx) {
6291 case 0: /* FALLTHROUGH */
6292 case 1:
6293 serverinfo_version = SSL_SERVERINFOV1;
6294 protocol_version = TLS1_2_VERSION;
6295 extension_context = SYNTHV1CONTEXT;
6296 si = serverinfo_custom_v1;
6297 si_len = serverinfo_custom_v1_len;
6298 break;
6299 case 2:
6300 serverinfo_version = SSL_SERVERINFOV2;
6301 protocol_version = TLS1_2_VERSION;
6302 extension_context = SYNTHV1CONTEXT;
6303 si = serverinfo_custom_v2;
6304 si_len = serverinfo_custom_v2_len;
6305 break;
6306 case 3:
6307 serverinfo_version = SSL_SERVERINFOV2;
6308 protocol_version = TLS1_3_VERSION;
6309 extension_context = TLS13CONTEXT;
6310 si = serverinfo_custom_tls13;
6311 si_len = serverinfo_custom_tls13_len;
6312 break;
16afd71c
MC		 6313 }
6314
555dd939
DF		 6315 if (!TEST_true(create_ssl_ctx_pair(libctx,
6316 TLS_method(),
6317 TLS_method(),
6318 protocol_version,
6319 protocol_version,
6320 &sctx, &cctx, cert, privkey)))
6321 goto end;
16afd71c 6322
555dd939
DF		 6323 if (call_use_serverinfo_ex) {
6324 if (!TEST_true(SSL_CTX_use_serverinfo_ex(sctx, serverinfo_version,
6325 si, si_len)))
6326 goto end;
6327 } else {
6328 if (!TEST_true(SSL_CTX_use_serverinfo(sctx, si, si_len)))
6329 goto end;
16afd71c
MC		 6330 }
6331
555dd939
DF		 6332 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TLSEXT_TYPE_signed_certificate_timestamp,
6333 extension_context,
6334 NULL, NULL, NULL,
6335 serverinfo_custom_parse_cb,
6336 &cb_result))
6337 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6338 NULL, NULL))
6339 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6340 SSL_ERROR_NONE))
6341 || !TEST_int_eq(SSL_do_handshake(clientssl), 1))
6342 goto end;
6343
6344 if (!TEST_true(cb_result))
16afd71c
MC		 6345 goto end;
6346
6347 testresult = 1;
6348
6349 end:
555dd939
DF		 6350 SSL_free(serverssl);
6351 SSL_free(clientssl);
6352 SSL_CTX_free(sctx);
6353 SSL_CTX_free(cctx);
16afd71c
MC		 6354
6355 return testresult;
6356}
555dd939 6357#endif
16afd71c 6358
2197d1df
MC		 6359/*
6360 * Test that SSL_export_keying_material() produces expected results. There are
6361 * no test vectors so all we do is test that both sides of the communication
6362 * produce the same results for different protocol versions.
6363 */
0fb2815b
MC		 6364#define SMALL_LABEL_LEN 10
6365#define LONG_LABEL_LEN 249
2197d1df
MC		 6366static int test_export_key_mat(int tst)
6367{
a599574b 6368 int testresult = 0;
2197d1df
MC		 6369 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
6370 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 6371 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 6372 const unsigned char context[] = "context";
6373 const unsigned char *emptycontext = NULL;
ef9d8f2f 6374 unsigned char longcontext[1280];
5df160f1 6375 int test_longcontext = fips_provider_version_ge(libctx, 3, 3, 0);
ef9d8f2f
DU		 6376 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80], ckeymat4[80];
6377 unsigned char skeymat1[80], skeymat2[80], skeymat3[80], skeymat4[80];
0fb2815b 6378 size_t labellen;
a599574b
MC		 6379 const int protocols[] = {
6380 TLS1_VERSION,
6381 TLS1_1_VERSION,
6382 TLS1_2_VERSION,
0fb2815b
MC		 6383 TLS1_3_VERSION,
6384 TLS1_3_VERSION,
a599574b
MC		 6385 TLS1_3_VERSION
6386 };
2197d1df
MC		 6387
6388#ifdef OPENSSL_NO_TLS1
6389 if (tst == 0)
6390 return 1;
6391#endif
6392#ifdef OPENSSL_NO_TLS1_1
6393 if (tst == 1)
6394 return 1;
6395#endif
4f6c7044
MC		 6396 if (is_fips && (tst == 0 || tst == 1))
6397 return 1;
2197d1df
MC		 6398#ifdef OPENSSL_NO_TLS1_2
6399 if (tst == 2)
6400 return 1;
6401#endif
a763ca11 6402#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 6403 if (tst >= 3)
2197d1df
MC		 6404 return 1;
6405#endif
5e30f2fd
MC		 6406 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6407 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6408 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 6409 goto end;
6410
a599574b
MC		 6411 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
6412 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
6413 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 6414 if ((protocols[tst] < TLS1_2_VERSION) &&
6415 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
6416 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
6417 goto end;
2197d1df
MC		 6418
6419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 6420 NULL)))
6421 goto end;
6422
6423 /*
6424 * Premature call of SSL_export_keying_material should just fail.
6425 */
6426 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6427 sizeof(ckeymat1), label,
6428 SMALL_LABEL_LEN + 1, context,
6429 sizeof(context) - 1, 1), 0))
6430 goto end;
6431
6432 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6433 SSL_ERROR_NONE)))
2197d1df
MC		 6434 goto end;
6435
0fb2815b
MC		 6436 if (tst == 5) {
6437 /*
6438 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
6439 * go over that.
6440 */
6441 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
6442 sizeof(ckeymat1), label,
6443 LONG_LABEL_LEN + 1, context,
6444 sizeof(context) - 1, 1), 0))
6445 goto end;
6446
6447 testresult = 1;
6448 goto end;
6449 } else if (tst == 4) {
6450 labellen = LONG_LABEL_LEN;
6451 } else {
6452 labellen = SMALL_LABEL_LEN;
6453 }
6454
ef9d8f2f
DU		 6455 memset(longcontext, 1, sizeof(longcontext));
6456
2197d1df
MC		 6457 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
6458 sizeof(ckeymat1), label,
0fb2815b 6459 labellen, context,
2197d1df
MC		 6460 sizeof(context) - 1, 1), 1)
6461 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
6462 sizeof(ckeymat2), label,
0fb2815b 6463 labellen,
2197d1df
MC		 6464 emptycontext,
6465 0, 1), 1)
6466 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
6467 sizeof(ckeymat3), label,
0fb2815b 6468 labellen,
2197d1df 6469 NULL, 0, 0), 1)
5df160f1
TM		 6470 || (test_longcontext
6471 && !TEST_int_eq(SSL_export_keying_material(clientssl,
6472 ckeymat4,
6473 sizeof(ckeymat4), label,
6474 labellen,
6475 longcontext,
6476 sizeof(longcontext), 1),
6477 1))
2197d1df
MC		 6478 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
6479 sizeof(skeymat1), label,
0fb2815b 6480 labellen,
2197d1df
MC		 6481 context,
6482 sizeof(context) -1, 1),
6483 1)
6484 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
6485 sizeof(skeymat2), label,
0fb2815b 6486 labellen,
2197d1df
MC		 6487 emptycontext,
6488 0, 1), 1)
6489 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
6490 sizeof(skeymat3), label,
0fb2815b 6491 labellen,
2197d1df 6492 NULL, 0, 0), 1)
5df160f1
TM		 6493 || (test_longcontext
6494 && !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat4,
6495 sizeof(skeymat4), label,
6496 labellen,
6497 longcontext,
6498 sizeof(longcontext), 1),
6499 1))
2197d1df
MC		 6500 /*
6501 * Check that both sides created the same key material with the
6502 * same context.
6503 */
6504 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6505 sizeof(skeymat1))
6506 /*
6507 * Check that both sides created the same key material with an
6508 * empty context.
6509 */
6510 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6511 sizeof(skeymat2))
6512 /*
6513 * Check that both sides created the same key material without a
6514 * context.
6515 */
6516 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
6517 sizeof(skeymat3))
ef9d8f2f
DU		 6518 /*
6519 * Check that both sides created the same key material with a
6520 * long context.
6521 */
5df160f1
TM		 6522 || (test_longcontext
6523 && !TEST_mem_eq(ckeymat4, sizeof(ckeymat4), skeymat4,
6524 sizeof(skeymat4)))
2197d1df
MC		 6525 /* Different contexts should produce different results */
6526 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6527 sizeof(ckeymat2)))
6528 goto end;
6529
6530 /*
6531 * Check that an empty context and no context produce different results in
6532 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
6533 */
0fb2815b 6534 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 6535 sizeof(ckeymat3)))
0fb2815b
MC		 6536 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
6537 sizeof(ckeymat3))))
2197d1df
MC		 6538 goto end;
6539
6540 testresult = 1;
6541
6542 end:
6543 SSL_free(serverssl);
6544 SSL_free(clientssl);
6545 SSL_CTX_free(sctx2);
6546 SSL_CTX_free(sctx);
6547 SSL_CTX_free(cctx);
6548
6549 return testresult;
6550}
6551
a763ca11 6552#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 6553/*
6554 * Test that SSL_export_keying_material_early() produces expected
6555 * results. There are no test vectors so all we do is test that both
6556 * sides of the communication produce the same results for different
6557 * protocol versions.
6558 */
6559static int test_export_key_mat_early(int idx)
6560{
6561 static const char label[] = "test label";
6562 static const unsigned char context[] = "context";
6563 int testresult = 0;
6564 SSL_CTX *cctx = NULL, *sctx = NULL;
6565 SSL *clientssl = NULL, *serverssl = NULL;
6566 SSL_SESSION *sess = NULL;
6567 const unsigned char *emptycontext = NULL;
6568 unsigned char ckeymat1[80], ckeymat2[80];
6569 unsigned char skeymat1[80], skeymat2[80];
6570 unsigned char buf[1];
6571 size_t readbytes, written;
6572
6573 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
10836921 6574 &sess, idx, SHA384_DIGEST_LENGTH)))
b38ede80
TT		 6575 goto end;
6576
6577 /* Here writing 0 length early data is enough. */
6578 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
6579 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
6580 &readbytes),
6581 SSL_READ_EARLY_DATA_ERROR)
6582 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6583 SSL_EARLY_DATA_ACCEPTED))
6584 goto end;
6585
6586 if (!TEST_int_eq(SSL_export_keying_material_early(
6587 clientssl, ckeymat1, sizeof(ckeymat1), label,
6588 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6589 || !TEST_int_eq(SSL_export_keying_material_early(
6590 clientssl, ckeymat2, sizeof(ckeymat2), label,
6591 sizeof(label) - 1, emptycontext, 0), 1)
6592 || !TEST_int_eq(SSL_export_keying_material_early(
6593 serverssl, skeymat1, sizeof(skeymat1), label,
6594 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6595 || !TEST_int_eq(SSL_export_keying_material_early(
6596 serverssl, skeymat2, sizeof(skeymat2), label,
6597 sizeof(label) - 1, emptycontext, 0), 1)
6598 /*
6599 * Check that both sides created the same key material with the
6600 * same context.
6601 */
6602 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6603 sizeof(skeymat1))
6604 /*
6605 * Check that both sides created the same key material with an
6606 * empty context.
6607 */
6608 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6609 sizeof(skeymat2))
6610 /* Different contexts should produce different results */
6611 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6612 sizeof(ckeymat2)))
6613 goto end;
6614
6615 testresult = 1;
6616
6617 end:
c20e3b28 6618 SSL_SESSION_free(sess);
b38ede80
TT		 6619 SSL_SESSION_free(clientpsk);
6620 SSL_SESSION_free(serverpsk);
34ff74eb 6621 clientpsk = serverpsk = NULL;
b38ede80
TT		 6622 SSL_free(serverssl);
6623 SSL_free(clientssl);
6624 SSL_CTX_free(sctx);
6625 SSL_CTX_free(cctx);
6626
6627 return testresult;
6628}
3409a5ff
MC		 6629
6630#define NUM_KEY_UPDATE_MESSAGES 40
6631/*
6632 * Test KeyUpdate.
6633 */
6634static int test_key_update(void)
6635{
6636 SSL_CTX *cctx = NULL, *sctx = NULL;
6637 SSL *clientssl = NULL, *serverssl = NULL;
6638 int testresult = 0, i, j;
6639 char buf[20];
6640 static char *mess = "A test message";
6641
5e30f2fd 6642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6643 TLS_client_method(),
6644 TLS1_3_VERSION,
6645 0,
6646 &sctx, &cctx, cert, privkey))
6647 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6648 NULL, NULL))
6649 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6650 SSL_ERROR_NONE)))
6651 goto end;
6652
6653 for (j = 0; j < 2; j++) {
6654 /* Send lots of KeyUpdate messages */
6655 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6656 if (!TEST_true(SSL_key_update(clientssl,
6657 (j == 0)
6658 ? SSL_KEY_UPDATE_NOT_REQUESTED
6659 : SSL_KEY_UPDATE_REQUESTED))
6660 || !TEST_true(SSL_do_handshake(clientssl)))
6661 goto end;
6662 }
6663
6664 /* Check that sending and receiving app data is ok */
6665 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6666 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6667 strlen(mess)))
6668 goto end;
a77b4dba
MC		 6669
6670 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6671 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6672 strlen(mess)))
6673 goto end;
3409a5ff
MC		 6674 }
6675
6676 testresult = 1;
6677
6678 end:
6679 SSL_free(serverssl);
6680 SSL_free(clientssl);
6681 SSL_CTX_free(sctx);
6682 SSL_CTX_free(cctx);
6683
6684 return testresult;
6685}
a77b4dba
MC		 6686
6687/*
0c48fda8 6688 * Test we can handle a KeyUpdate (update requested) message while
6689 * write data is pending in peer.
a77b4dba
MC		 6690 * Test 0: Client sends KeyUpdate while Server is writing
6691 * Test 1: Server sends KeyUpdate while Client is writing
6692 */
0c48fda8 6693static int test_key_update_peer_in_write(int tst)
a77b4dba
MC		 6694{
6695 SSL_CTX *cctx = NULL, *sctx = NULL;
6696 SSL *clientssl = NULL, *serverssl = NULL;
6697 int testresult = 0;
6698 char buf[20];
6699 static char *mess = "A test message";
6700 BIO *bretry = BIO_new(bio_s_always_retry());
6701 BIO *tmp = NULL;
6702 SSL *peerupdate = NULL, *peerwrite = NULL;
6703
6704 if (!TEST_ptr(bretry)
5e30f2fd 6705 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6706 TLS_client_method(),
6707 TLS1_3_VERSION,
6708 0,
6709 &sctx, &cctx, cert, privkey))
6710 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6711 NULL, NULL))
6712 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6713 SSL_ERROR_NONE)))
6714 goto end;
6715
6716 peerupdate = tst == 0 ? clientssl : serverssl;
6717 peerwrite = tst == 0 ? serverssl : clientssl;
6718
6719 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
0c48fda8 6720 || !TEST_int_eq(SSL_do_handshake(peerupdate), 1))
a77b4dba
MC		 6721 goto end;
6722
6723 /* Swap the writing endpoint's write BIO to force a retry */
6724 tmp = SSL_get_wbio(peerwrite);
6725 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6726 tmp = NULL;
6727 goto end;
6728 }
6729 SSL_set0_wbio(peerwrite, bretry);
6730 bretry = NULL;
6731
6732 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6733 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
7e1b0dc1
HL		 6734 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)
6735 || !TEST_true(SSL_want_write(peerwrite))
6736 || !TEST_true(SSL_net_write_desired(peerwrite)))
a77b4dba
MC		 6737 goto end;
6738
6739 /* Reinstate the original writing endpoint's write BIO */
6740 SSL_set0_wbio(peerwrite, tmp);
6741 tmp = NULL;
6742
6743 /* Now read some data - we will read the key update */
6744 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
7e1b0dc1
HL		 6745 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)
6746 || !TEST_true(SSL_want_read(peerwrite))
6747 || !TEST_true(SSL_net_read_desired(peerwrite)))
a77b4dba
MC		 6748 goto end;
6749
6750 /*
6751 * Complete the write we started previously and read it from the other
6752 * endpoint
6753 */
6754 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6755 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6756 goto end;
6757
6758 /* Write more data to ensure we send the KeyUpdate message back */
6759 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6760 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6761 goto end;
6762
7e1b0dc1
HL		 6763 if (!TEST_false(SSL_net_read_desired(peerwrite))
6764 || !TEST_false(SSL_net_write_desired(peerwrite))
6765 || !TEST_int_eq(SSL_want(peerwrite), SSL_NOTHING))
6766 goto end;
6767
a77b4dba
MC		 6768 testresult = 1;
6769
6770 end:
6771 SSL_free(serverssl);
6772 SSL_free(clientssl);
6773 SSL_CTX_free(sctx);
6774 SSL_CTX_free(cctx);
6775 BIO_free(bretry);
6776 BIO_free(tmp);
6777
6778 return testresult;
6779}
0c48fda8 6780
6781/*
6782 * Test we can handle a KeyUpdate (update requested) message while
6783 * peer read data is pending after peer accepted keyupdate(the msg header
6784 * had been read 5 bytes).
6785 * Test 0: Client sends KeyUpdate while Server is reading
6786 * Test 1: Server sends KeyUpdate while Client is reading
6787 */
6788static int test_key_update_peer_in_read(int tst)
6789{
6790 SSL_CTX *cctx = NULL, *sctx = NULL;
6791 SSL *clientssl = NULL, *serverssl = NULL;
6792 int testresult = 0;
6793 char prbuf[515], lwbuf[515] = {0};
6794 static char *mess = "A test message";
6795 BIO *lbio = NULL, *pbio = NULL;
6796 SSL *local = NULL, *peer = NULL;
6797
6798 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6799 TLS_client_method(),
6800 TLS1_3_VERSION,
6801 0,
6802 &sctx, &cctx, cert, privkey))
6803 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6804 NULL, NULL))
6805 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6806 SSL_ERROR_NONE)))
6807 goto end;
6808
6809 local = tst == 0 ? clientssl : serverssl;
6810 peer = tst == 0 ? serverssl : clientssl;
6811
6812 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6813 goto end;
6814
6815 SSL_set_bio(local, lbio, lbio);
6816 SSL_set_bio(peer, pbio, pbio);
6817
6818 /*
6819 * we first write keyupdate msg then appdata in local
6820 * write data in local will fail with SSL_ERROR_WANT_WRITE,because
6821 * lwbuf app data msg size + key updata msg size > 512(the size of
6822 * the bio pair buffer)
6823 */
6824 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6825 || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1)
6826 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6827 goto end;
6828
6829 /*
6830 * first read keyupdate msg in peer in peer
6831 * then read appdata that we know will fail with SSL_ERROR_WANT_READ
6832 */
6833 if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1)
6834 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ))
6835 goto end;
6836
6837 /* Now write some data in peer - we will write the key update */
6838 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)))
6839 goto end;
6840
6841 /*
6842 * write data in local previously that we will complete
6843 * read data in peer previously that we will complete
6844 */
6845 if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf))
6846 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf)))
6847 goto end;
6848
6849 /* check that sending and receiving appdata ok */
6850 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6851 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
6852 goto end;
6853
6854 testresult = 1;
6855
6856 end:
6857 SSL_free(serverssl);
6858 SSL_free(clientssl);
6859 SSL_CTX_free(sctx);
6860 SSL_CTX_free(cctx);
6861
6862 return testresult;
6863}
6864
6865/*
6866 * Test we can't send a KeyUpdate (update requested) message while
6867 * local write data is pending.
6868 * Test 0: Client sends KeyUpdate while Client is writing
6869 * Test 1: Server sends KeyUpdate while Server is writing
6870 */
6871static int test_key_update_local_in_write(int tst)
6872{
6873 SSL_CTX *cctx = NULL, *sctx = NULL;
6874 SSL *clientssl = NULL, *serverssl = NULL;
6875 int testresult = 0;
6876 char buf[20];
6877 static char *mess = "A test message";
6878 BIO *bretry = BIO_new(bio_s_always_retry());
6879 BIO *tmp = NULL;
6880 SSL *local = NULL, *peer = NULL;
6881
6882 if (!TEST_ptr(bretry)
6883 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6884 TLS_client_method(),
6885 TLS1_3_VERSION,
6886 0,
6887 &sctx, &cctx, cert, privkey))
6888 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6889 NULL, NULL))
6890 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6891 SSL_ERROR_NONE)))
6892 goto end;
6893
6894 local = tst == 0 ? clientssl : serverssl;
6895 peer = tst == 0 ? serverssl : clientssl;
6896
6897 /* Swap the writing endpoint's write BIO to force a retry */
6898 tmp = SSL_get_wbio(local);
6899 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6900 tmp = NULL;
6901 goto end;
6902 }
6903 SSL_set0_wbio(local, bretry);
6904 bretry = NULL;
6905
6906 /* write data in local will fail with SSL_ERROR_WANT_WRITE */
6907 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1)
6908 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE))
6909 goto end;
6910
6911 /* Reinstate the original writing endpoint's write BIO */
6912 SSL_set0_wbio(local, tmp);
6913 tmp = NULL;
6914
6915 /* SSL_key_update will fail, because writing in local*/
6916 if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6917 || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY))
6918 goto end;
6919
6920 ERR_clear_error();
6921 /* write data in local previously that we will complete */
6922 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)))
6923 goto end;
6924
6925 /* SSL_key_update will succeed because there is no pending write data */
6926 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
6927 || !TEST_int_eq(SSL_do_handshake(local), 1))
6928 goto end;
6929
6930 /*
6931 * we write some appdata in local
6932 * read data in peer - we will read the keyupdate msg
6933 */
6934 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
6935 || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess)))
6936 goto end;
6937
6938 /* Write more peer more data to ensure we send the keyupdate message back */
6939 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
6940 || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess)))
6941 goto end;
6942
6943 testresult = 1;
6944
6945 end:
6946 SSL_free(serverssl);
6947 SSL_free(clientssl);
6948 SSL_CTX_free(sctx);
6949 SSL_CTX_free(cctx);
6950 BIO_free(bretry);
6951 BIO_free(tmp);
6952
6953 return testresult;
6954}
6955
6956/*
6957 * Test we can handle a KeyUpdate (update requested) message while
6958 * local read data is pending(the msg header had been read 5 bytes).
6959 * Test 0: Client sends KeyUpdate while Client is reading
6960 * Test 1: Server sends KeyUpdate while Server is reading
6961 */
6962static int test_key_update_local_in_read(int tst)
6963{
6964 SSL_CTX *cctx = NULL, *sctx = NULL;
6965 SSL *clientssl = NULL, *serverssl = NULL;
6966 int testresult = 0;
6967 char lrbuf[515], pwbuf[515] = {0}, prbuf[20];
6968 static char *mess = "A test message";
6969 BIO *lbio = NULL, *pbio = NULL;
6970 SSL *local = NULL, *peer = NULL;
6971
6972 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6973 TLS_client_method(),
6974 TLS1_3_VERSION,
6975 0,
6976 &sctx, &cctx, cert, privkey))
6977 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6978 NULL, NULL))
6979 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6980 SSL_ERROR_NONE)))
6981 goto end;
6982
6983 local = tst == 0 ? clientssl : serverssl;
6984 peer = tst == 0 ? serverssl : clientssl;
6985
6986 if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1))
6987 goto end;
6988
6989 SSL_set_bio(local, lbio, lbio);
6990 SSL_set_bio(peer, pbio, pbio);
6991
6992 /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */
6993 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1)
6994 || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE))
6995 goto end;
6996
6997 /* read appdata in local will fail with SSL_ERROR_WANT_READ */
6998 if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1)
6999 || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ))
7000 goto end;
7001
7002 /* SSL_do_handshake will send keyupdate msg */
7003 if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED))
7004 || !TEST_int_eq(SSL_do_handshake(local), 1))
7005 goto end;
7006
7007 /*
7008 * write data in peer previously that we will complete
7009 * read data in local previously that we will complete
7010 */
7011 if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf))
7012 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf)))
7013 goto end;
7014
7015 /*
7016 * write data in local
7017 * read data in peer - we will read the key update
7018 */
7019 if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))
7020 || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess)))
7021 goto end;
7022
7023 /* Write more peer data to ensure we send the keyupdate message back */
7024 if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))
7025 || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess)))
7026 goto end;
7027
7028 testresult = 1;
7029
7030 end:
7031 SSL_free(serverssl);
7032 SSL_free(clientssl);
7033 SSL_CTX_free(sctx);
7034 SSL_CTX_free(cctx);
7035
7036 return testresult;
7037}
a763ca11 7038#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 7039
5de8c49d
MC		 7040/*
7041 * Test clearing a connection via SSL_clear(), or resetting it via
7042 * SSL_set_connect_state()/SSL_set_accept_state()
7043 * Test 0: SSL_set_connect_state, TLSv1.3
7044 * Test 1: SSL_set_connect_state, TLSv1.2
7045 * Test 2: SSL_set_accept_state, TLSv1.3
7046 * Test 3: SSL_set_accept_state, TLSv1.2
7047 * Test 4: SSL_clear (client), TLSv1.3
7048 * Test 5: SSL_clear (client), TLSv1.2
7049 * Test 6: SSL_clear (server), TLSv1.3
7050 * Test 7: SSL_clear (server), TLSv1.2
7051 */
e11b6aa4
MC		 7052static int test_ssl_clear(int idx)
7053{
7054 SSL_CTX *cctx = NULL, *sctx = NULL;
7055 SSL *clientssl = NULL, *serverssl = NULL;
5de8c49d 7056 SSL *writer, *reader;
e11b6aa4 7057 int testresult = 0;
5de8c49d
MC		 7058 int tls12test, servertest, cleartest;
7059 size_t written, readbytes;
7060 const char *msg = "Hello World";
7061 unsigned char buf[5];
7062
7063 tls12test = idx & 1;
7064 idx >>= 1;
7065 servertest = idx & 1;
7066 idx >>= 1;
7067 cleartest = idx & 1;
e11b6aa4
MC		 7068
7069#ifdef OPENSSL_NO_TLS1_2
5de8c49d
MC		 7070 if (tls12test == 1)
7071 return TEST_skip("No TLSv1.2 in this build");
e11b6aa4
MC		 7072#endif
7073
7074 /* Create an initial connection */
5e30f2fd
MC		 7075 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7076 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 7077 &sctx, &cctx, cert, privkey))
5de8c49d 7078 || (tls12test
e11b6aa4
MC		 7079 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
7080 TLS1_2_VERSION)))
7081 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7082 &clientssl, NULL, NULL))
7083 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7084 SSL_ERROR_NONE)))
7085 goto end;
7086
5de8c49d
MC		 7087 if (servertest) {
7088 writer = clientssl;
7089 reader = serverssl;
7090 } else {
7091 writer = serverssl;
7092 reader = clientssl;
7093 }
7094
7095 /* Write some data */
7096 if (!TEST_true(SSL_write_ex(writer, msg, strlen(msg), &written))
7097 || written != strlen(msg))
7098 goto end;
7099
7100 /*
7101 * Read a partial record. The remaining buffered data should be cleared by
7102 * the subsequent clear/reset
7103 */
7104 if (!TEST_true(SSL_read_ex(reader, buf, sizeof(buf), &readbytes))
7105 || readbytes != sizeof(buf))
7106 goto end;
7107
e11b6aa4
MC		 7108 SSL_shutdown(clientssl);
7109 SSL_shutdown(serverssl);
e11b6aa4 7110
5de8c49d
MC		 7111 /* Reset/clear one SSL object in order to reuse it. We free the other one */
7112 if (servertest) {
7113 if (cleartest) {
7114 if (!TEST_true(SSL_clear(serverssl)))
7115 goto end;
7116 } else {
7117 SSL_set_accept_state(serverssl);
7118 }
7119 /*
7120 * A peculiarity of SSL_clear() is that it does not clear the session.
7121 * This is intended behaviour so that a client can create a new
7122 * connection and reuse the session. But this doesn't make much sense
7123 * on the server side - and causes incorrect behaviour due to the
7124 * handshake failing (even though the documentation does say SSL_clear()
7125 * is supposed to work on the server side). We clear the session
7126 * explicitly - although note that the documentation for
7127 * SSL_set_session() says that its only useful for clients!
7128 */
7129 if (!TEST_true(SSL_set_session(serverssl, NULL)))
7130 goto end;
7131 SSL_free(clientssl);
7132 clientssl = NULL;
7133 } else {
7134 if (cleartest) {
7135 if (!TEST_true(SSL_clear(clientssl)))
7136 goto end;
7137 } else {
7138 SSL_set_connect_state(clientssl);
7139 }
7140 SSL_free(serverssl);
7141 serverssl = NULL;
7142 }
e11b6aa4
MC		 7143
7144 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7145 NULL, NULL))
7146 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7147 SSL_ERROR_NONE))
5de8c49d 7148 || !TEST_true(servertest || SSL_session_reused(clientssl)))
e11b6aa4
MC		 7149 goto end;
7150
7151 SSL_shutdown(clientssl);
7152 SSL_shutdown(serverssl);
7153
7154 testresult = 1;
7155
7156 end:
7157 SSL_free(serverssl);
7158 SSL_free(clientssl);
7159 SSL_CTX_free(sctx);
7160 SSL_CTX_free(cctx);
7161
7162 return testresult;
7163}
7164
cf72c757
F		 7165/* Parse CH and retrieve any MFL extension value if present */
7166static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
7167{
7168 long len;
7169 unsigned char *data;
72962d02 7170 PACKET pkt, pkt2, pkt3;
cf72c757
F		 7171 unsigned int MFL_code = 0, type = 0;
7172
1287dabd 7173 if (!TEST_uint_gt(len = BIO_get_mem_data(bio, (char **) &data), 0))
cf72c757
F		 7174 goto end;
7175
72962d02
P		 7176 memset(&pkt, 0, sizeof(pkt));
7177 memset(&pkt2, 0, sizeof(pkt2));
7178 memset(&pkt3, 0, sizeof(pkt3));
7179
9ba18520 7180 if (!TEST_long_gt(len, 0)
1287dabd 7181 || !TEST_true(PACKET_buf_init(&pkt, data, len))
cf72c757
F		 7182 /* Skip the record header */
7183 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
7184 /* Skip the handshake message header */
7185 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
7186 /* Skip client version and random */
7187 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
7188 + SSL3_RANDOM_SIZE))
7189 /* Skip session id */
7190 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7191 /* Skip ciphers */
7192 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
7193 /* Skip compression */
7194 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
7195 /* Extensions len */
7196 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
7197 goto end;
7198
7199 /* Loop through all extensions */
7200 while (PACKET_remaining(&pkt2)) {
7201 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
7202 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
7203 goto end;
7204
7205 if (type == TLSEXT_TYPE_max_fragment_length) {
7206 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
7207 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
7208 goto end;
7209
7210 *mfl_codemfl_code = MFL_code;
7211 return 1;
7212 }
7213 }
7214
7215 end:
7216 return 0;
7217}
7218
7219/* Maximum-Fragment-Length TLS extension mode to test */
7220static const unsigned char max_fragment_len_test[] = {
7221 TLSEXT_max_fragment_length_512,
7222 TLSEXT_max_fragment_length_1024,
7223 TLSEXT_max_fragment_length_2048,
7224 TLSEXT_max_fragment_length_4096
7225};
7226
7227static int test_max_fragment_len_ext(int idx_tst)
7228{
a763ca11 7229 SSL_CTX *ctx = NULL;
cf72c757
F		 7230 SSL *con = NULL;
7231 int testresult = 0, MFL_mode = 0;
7232 BIO *rbio, *wbio;
7233
a763ca11
MC		 7234 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
7235 TLS1_VERSION, 0, NULL, &ctx, NULL,
7236 NULL)))
7237 return 0;
cf72c757
F		 7238
7239 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
7240 ctx, max_fragment_len_test[idx_tst])))
7241 goto end;
7242
7243 con = SSL_new(ctx);
7244 if (!TEST_ptr(con))
7245 goto end;
7246
7247 rbio = BIO_new(BIO_s_mem());
7248 wbio = BIO_new(BIO_s_mem());
7249 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
7250 BIO_free(rbio);
7251 BIO_free(wbio);
7252 goto end;
7253 }
7254
7255 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 7256
7257 if (!TEST_int_le(SSL_connect(con), 0)) {
7258 /* This shouldn't succeed because we don't have a server! */
7259 goto end;
7260 }
7261
7262 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
7263 /* no MFL in client hello */
7264 goto end;
7265 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
7266 goto end;
7267
7268 testresult = 1;
7269
7270end:
7271 SSL_free(con);
7272 SSL_CTX_free(ctx);
7273
7274 return testresult;
7275}
7276
a763ca11 7277#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 7278static int test_pha_key_update(void)
7279{
7280 SSL_CTX *cctx = NULL, *sctx = NULL;
7281 SSL *clientssl = NULL, *serverssl = NULL;
7282 int testresult = 0;
7283
5e30f2fd
MC		 7284 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7285 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 7286 &sctx, &cctx, cert, privkey)))
7287 return 0;
7288
7289 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
7290 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
7291 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
7292 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
7293 goto end;
7294
e97be718 7295 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 7296
7297 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7298 NULL, NULL)))
7299 goto end;
7300
9d75dce3
TS		 7301 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7302 SSL_ERROR_NONE)))
7303 goto end;
7304
7305 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7306 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7307 goto end;
7308
7309 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
7310 goto end;
7311
7312 /* Start handshake on the server */
7313 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
7314 goto end;
7315
7316 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
7317 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7318 SSL_ERROR_NONE)))
7319 goto end;
7320
7321 SSL_shutdown(clientssl);
7322 SSL_shutdown(serverssl);
7323
7324 testresult = 1;
7325
7326 end:
7327 SSL_free(serverssl);
7328 SSL_free(clientssl);
7329 SSL_CTX_free(sctx);
7330 SSL_CTX_free(cctx);
7331 return testresult;
7332}
7333#endif
7334
76fd7a1d
MC		 7335#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
7336
7337static SRP_VBASE *vbase = NULL;
7338
7339static int ssl_srp_cb(SSL *s, int *ad, void *arg)
7340{
7341 int ret = SSL3_AL_FATAL;
7342 char *username;
7343 SRP_user_pwd *user = NULL;
7344
7345 username = SSL_get_srp_username(s);
7346 if (username == NULL) {
7347 *ad = SSL_AD_INTERNAL_ERROR;
7348 goto err;
7349 }
7350
7351 user = SRP_VBASE_get1_by_user(vbase, username);
7352 if (user == NULL) {
7353 *ad = SSL_AD_INTERNAL_ERROR;
7354 goto err;
7355 }
7356
7357 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
7358 user->info) <= 0) {
7359 *ad = SSL_AD_INTERNAL_ERROR;
7360 goto err;
7361 }
7362
7363 ret = 0;
7364
7365 err:
7366 SRP_user_pwd_free(user);
7367 return ret;
7368}
7369
7370static int create_new_vfile(char *userid, char *password, const char *filename)
7371{
7372 char *gNid = NULL;
7373 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
7374 TXT_DB *db = NULL;
7375 int ret = 0;
7376 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
7377 size_t i;
7378
7379 if (!TEST_ptr(dummy) || !TEST_ptr(row))
7380 goto end;
7381
20c00d0a 7382 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 7383 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 7384 if (!TEST_ptr(gNid))
7385 goto end;
7386
7387 /*
7388 * The only way to create an empty TXT_DB is to provide a BIO with no data
7389 * in it!
7390 */
7391 db = TXT_DB_read(dummy, DB_NUMBER);
7392 if (!TEST_ptr(db))
7393 goto end;
7394
7395 out = BIO_new_file(filename, "w");
7396 if (!TEST_ptr(out))
7397 goto end;
7398
7399 row[DB_srpid] = OPENSSL_strdup(userid);
7400 row[DB_srptype] = OPENSSL_strdup("V");
7401 row[DB_srpgN] = OPENSSL_strdup(gNid);
7402
7403 if (!TEST_ptr(row[DB_srpid])
7404 || !TEST_ptr(row[DB_srptype])
7405 || !TEST_ptr(row[DB_srpgN])
7406 || !TEST_true(TXT_DB_insert(db, row)))
7407 goto end;
7408
7409 row = NULL;
7410
aba9943f 7411 if (TXT_DB_write(out, db) <= 0)
76fd7a1d
MC		 7412 goto end;
7413
7414 ret = 1;
7415 end:
7416 if (row != NULL) {
7417 for (i = 0; i < DB_NUMBER; i++)
7418 OPENSSL_free(row[i]);
7419 }
7420 OPENSSL_free(row);
7421 BIO_free(dummy);
7422 BIO_free(out);
7423 TXT_DB_free(db);
7424
7425 return ret;
7426}
7427
7428static int create_new_vbase(char *userid, char *password)
7429{
7430 BIGNUM *verifier = NULL, *salt = NULL;
7431 const SRP_gN *lgN = NULL;
7432 SRP_user_pwd *user_pwd = NULL;
7433 int ret = 0;
7434
7435 lgN = SRP_get_default_gN(NULL);
7436 if (!TEST_ptr(lgN))
7437 goto end;
7438
20c00d0a 7439 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 7440 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 7441 goto end;
7442
7443 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
7444 if (!TEST_ptr(user_pwd))
7445 goto end;
7446
7447 user_pwd->N = lgN->N;
7448 user_pwd->g = lgN->g;
7449 user_pwd->id = OPENSSL_strdup(userid);
7450 if (!TEST_ptr(user_pwd->id))
7451 goto end;
7452
7453 user_pwd->v = verifier;
7454 user_pwd->s = salt;
7455 verifier = salt = NULL;
7456
7457 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
7458 goto end;
7459 user_pwd = NULL;
7460
7461 ret = 1;
7462end:
7463 SRP_user_pwd_free(user_pwd);
7464 BN_free(salt);
7465 BN_free(verifier);
7466
7467 return ret;
7468}
7469
7470/*
7471 * SRP tests
7472 *
7473 * Test 0: Simple successful SRP connection, new vbase
7474 * Test 1: Connection failure due to bad password, new vbase
7475 * Test 2: Simple successful SRP connection, vbase loaded from existing file
7476 * Test 3: Connection failure due to bad password, vbase loaded from existing
7477 * file
7478 * Test 4: Simple successful SRP connection, vbase loaded from new file
7479 * Test 5: Connection failure due to bad password, vbase loaded from new file
7480 */
7481static int test_srp(int tst)
7482{
7483 char *userid = "test", *password = "password", *tstsrpfile;
7484 SSL_CTX *cctx = NULL, *sctx = NULL;
7485 SSL *clientssl = NULL, *serverssl = NULL;
7486 int ret, testresult = 0;
7487
7488 vbase = SRP_VBASE_new(NULL);
7489 if (!TEST_ptr(vbase))
7490 goto end;
7491
7492 if (tst == 0 || tst == 1) {
7493 if (!TEST_true(create_new_vbase(userid, password)))
7494 goto end;
7495 } else {
7496 if (tst == 4 || tst == 5) {
7497 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
7498 goto end;
7499 tstsrpfile = tmpfilename;
7500 } else {
7501 tstsrpfile = srpvfile;
7502 }
7503 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
7504 goto end;
7505 }
7506
5e30f2fd
MC		 7507 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7508 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 7509 &sctx, &cctx, cert, privkey)))
7510 goto end;
7511
7512 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
7513 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
7514 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
7515 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
7516 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
7517 goto end;
7518
7519 if (tst % 2 == 1) {
7520 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
7521 goto end;
7522 } else {
7523 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
7524 goto end;
7525 }
7526
7527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7528 NULL, NULL)))
7529 goto end;
7530
7531 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
7532 if (ret) {
7533 if (!TEST_true(tst % 2 == 0))
7534 goto end;
7535 } else {
7536 if (!TEST_true(tst % 2 == 1))
7537 goto end;
7538 }
7539
7540 testresult = 1;
7541
7542 end:
7543 SRP_VBASE_free(vbase);
7544 vbase = NULL;
7545 SSL_free(serverssl);
7546 SSL_free(clientssl);
7547 SSL_CTX_free(sctx);
7548 SSL_CTX_free(cctx);
7549
7550 return testresult;
7551}
7552#endif
7553
5718fe45
MC		 7554static int info_cb_failed = 0;
7555static int info_cb_offset = 0;
7556static int info_cb_this_state = -1;
7557
7558static struct info_cb_states_st {
7559 int where;
7560 const char *statestr;
7561} info_cb_states[][60] = {
7562 {
7563 /* TLSv1.2 server followed by resumption */
e0f69c35
TS		 7564 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7565 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7566 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
7567 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
7568 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
7569 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7570 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7571 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7572 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"},
5718fe45
MC		 7573 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7574 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
7575 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7576 {SSL_CB_EXIT, NULL}, {0, NULL},
7577 }, {
7578 /* TLSv1.2 client followed by resumption */
e0f69c35 7579 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7580 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7581 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
7582 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
7583 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
7584 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7585 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35 7586 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7587 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7588 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
7589 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7590 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
7591 }, {
7592 /* TLSv1.3 server followed by resumption */
e0f69c35
TS		 7593 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7594 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45 7595 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
e0f69c35 7596 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
5718fe45 7597 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 7598 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7599 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
e0f69c35
TS		 7600 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7601 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4af5836b
MC		 7602 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7603 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7604 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7605 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7606 }, {
7607 /* TLSv1.3 client followed by resumption */
e0f69c35 7608 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7609 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7610 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
7611 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7612 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35
TS		 7613 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7614 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7615 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45 7616 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
e0f69c35 7617 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 7618 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7619 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7620 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
e0f69c35 7621 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
4af5836b 7622 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7623 }, {
7624 /* TLSv1.3 server, early_data */
e0f69c35
TS		 7625 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7626 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
5718fe45
MC		 7627 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7628 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7629 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7630 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 7631 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 7632 {SSL_CB_EXIT, NULL}, {0, NULL},
7633 }, {
7634 /* TLSv1.3 client, early_data */
e0f69c35 7635 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
5718fe45
MC		 7636 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
7637 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7638 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
7639 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7640 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
7641 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
e0f69c35 7642 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
4af5836b 7643 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
b67cb09f
TS		 7644 }, {
7645 /* TLSv1.3 server, certificate compression, followed by resumption */
7646 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7647 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7648 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSCC"},
7649 {SSL_CB_LOOP, "TWSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
7650 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
7651 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
7652 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
7653 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7654 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
7655 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
7656 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
7657 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7658 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
7659 }, {
7660 /* TLSv1.3 client, certificate compression, followed by resumption */
7661 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT"},
7662 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
7663 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSCC"},
7664 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
7665 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
7666 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"},
7667 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK"},
7668 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
7669 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
7670 {SSL_CB_LOOP, "PINIT"}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
7671 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
7672 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
7673 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
7674 {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "SSLOK"}, {SSL_CB_LOOP, "TRST"},
7675 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 7676 }, {
7677 {0, NULL},
7678 }
7679};
7680
7681static void sslapi_info_callback(const SSL *s, int where, int ret)
7682{
7683 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
7684
7685 /* We do not ever expect a connection to fail in this test */
7686 if (!TEST_false(ret == 0)) {
7687 info_cb_failed = 1;
7688 return;
7689 }
7690
7691 /*
7692 * Do some sanity checks. We never expect these things to happen in this
7693 * test
7694 */
7695 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
7696 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
7697 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
7698 info_cb_failed = 1;
7699 return;
7700 }
7701
7702 /* Now check we're in the right state */
7703 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
7704 info_cb_failed = 1;
7705 return;
7706 }
7707 if ((where & SSL_CB_LOOP) != 0
7708 && !TEST_int_eq(strcmp(SSL_state_string(s),
7709 state[info_cb_this_state].statestr), 0)) {
7710 info_cb_failed = 1;
7711 return;
7712 }
033c181b 7713
4af5836b
MC		 7714 /*
7715 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
7716 */
7717 if ((where & SSL_CB_HANDSHAKE_DONE)
7718 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 7719 info_cb_failed = 1;
7720 return;
7721 }
5718fe45
MC		 7722}
7723
7724/*
7725 * Test the info callback gets called when we expect it to.
7726 *
7727 * Test 0: TLSv1.2, server
7728 * Test 1: TLSv1.2, client
7729 * Test 2: TLSv1.3, server
7730 * Test 3: TLSv1.3, client
7731 * Test 4: TLSv1.3, server, early_data
7732 * Test 5: TLSv1.3, client, early_data
b67cb09f
TS		 7733 * Test 6: TLSv1.3, server, compressed certificate
7734 * Test 7: TLSv1.3, client, compressed certificate
5718fe45
MC		 7735 */
7736static int test_info_callback(int tst)
7737{
7738 SSL_CTX *cctx = NULL, *sctx = NULL;
7739 SSL *clientssl = NULL, *serverssl = NULL;
7740 SSL_SESSION *clntsess = NULL;
7741 int testresult = 0;
7742 int tlsvers;
7743
7744 if (tst < 2) {
1aac20f5
MC		 7745/* We need either ECDHE or DHE for the TLSv1.2 test to work */
7746#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
7747 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 7748 tlsvers = TLS1_2_VERSION;
7749#else
7750 return 1;
7751#endif
7752 } else {
a763ca11 7753#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 7754 tlsvers = TLS1_3_VERSION;
7755#else
7756 return 1;
7757#endif
7758 }
7759
7760 /* Reset globals */
7761 info_cb_failed = 0;
7762 info_cb_this_state = -1;
7763 info_cb_offset = tst;
7764
a763ca11 7765#ifndef OSSL_NO_USABLE_TLS1_3
b67cb09f 7766 if (tst >= 4 && tst < 6) {
5718fe45
MC		 7767 SSL_SESSION *sess = NULL;
7768 size_t written, readbytes;
7769 unsigned char buf[80];
7770
7771 /* early_data tests */
7772 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
10836921
MC		 7773 &serverssl, &sess, 0,
7774 SHA384_DIGEST_LENGTH)))
5718fe45
MC		 7775 goto end;
7776
7777 /* We don't actually need this reference */
7778 SSL_SESSION_free(sess);
7779
7780 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
7781 sslapi_info_callback);
7782
7783 /* Write and read some early data and then complete the connection */
7784 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
7785 &written))
7786 || !TEST_size_t_eq(written, strlen(MSG1))
7787 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
7788 sizeof(buf), &readbytes),
7789 SSL_READ_EARLY_DATA_SUCCESS)
7790 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
7791 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
7792 SSL_EARLY_DATA_ACCEPTED)
7793 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7794 SSL_ERROR_NONE))
7795 || !TEST_false(info_cb_failed))
7796 goto end;
7797
7798 testresult = 1;
7799 goto end;
7800 }
6e07834c 7801#endif
5718fe45 7802
5e30f2fd 7803 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 7804 TLS_client_method(),
7805 tlsvers, tlsvers, &sctx, &cctx, cert,
7806 privkey)))
7807 goto end;
7808
33c39a06
MC		 7809 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
7810 goto end;
7811
5718fe45
MC		 7812 /*
7813 * For even numbered tests we check the server callbacks. For odd numbers we
7814 * check the client.
7815 */
7816 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
7817 sslapi_info_callback);
b67cb09f
TS		 7818 if (tst >= 6) {
7819 if (!SSL_CTX_compress_certs(sctx, 0))
7820 goto end;
7821 }
5718fe45
MC		 7822
7823 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
7824 &clientssl, NULL, NULL))
7825 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7826 SSL_ERROR_NONE))
7827 || !TEST_false(info_cb_failed))
7828 goto end;
7829
7830
7831
7832 clntsess = SSL_get1_session(clientssl);
7833 SSL_shutdown(clientssl);
7834 SSL_shutdown(serverssl);
7835 SSL_free(serverssl);
7836 SSL_free(clientssl);
7837 serverssl = clientssl = NULL;
7838
7839 /* Now do a resumption */
7840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7841 NULL))
7842 || !TEST_true(SSL_set_session(clientssl, clntsess))
7843 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7844 SSL_ERROR_NONE))
7845 || !TEST_true(SSL_session_reused(clientssl))
7846 || !TEST_false(info_cb_failed))
7847 goto end;
7848
7849 testresult = 1;
7850
7851 end:
7852 SSL_free(serverssl);
7853 SSL_free(clientssl);
7854 SSL_SESSION_free(clntsess);
7855 SSL_CTX_free(sctx);
7856 SSL_CTX_free(cctx);
7857 return testresult;
7858}
7859
4a432af8
MC		 7860static int test_ssl_pending(int tst)
7861{
7862 SSL_CTX *cctx = NULL, *sctx = NULL;
7863 SSL *clientssl = NULL, *serverssl = NULL;
7864 int testresult = 0;
7865 char msg[] = "A test message";
7866 char buf[5];
7867 size_t written, readbytes;
7868
7869 if (tst == 0) {
5e30f2fd 7870 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 7871 TLS_client_method(),
5c587fb6 7872 TLS1_VERSION, 0,
4a432af8
MC		 7873 &sctx, &cctx, cert, privkey)))
7874 goto end;
7875 } else {
7876#ifndef OPENSSL_NO_DTLS
5e30f2fd 7877 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 7878 DTLS_client_method(),
5c587fb6 7879 DTLS1_VERSION, 0,
4a432af8
MC		 7880 &sctx, &cctx, cert, privkey)))
7881 goto end;
8ce390e1
MC		 7882
7883# ifdef OPENSSL_NO_DTLS1_2
7884 /* Not supported in the FIPS provider */
7885 if (is_fips) {
7886 testresult = 1;
7887 goto end;
7888 };
7889 /*
7890 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
7891 * level 0
7892 */
7893 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
7894 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
7895 "DEFAULT:@SECLEVEL=0")))
7896 goto end;
7897# endif
4a432af8
MC		 7898#else
7899 return 1;
7900#endif
7901 }
7902
7903 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7904 NULL, NULL))
7905 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7906 SSL_ERROR_NONE)))
7907 goto end;
7908
e8251092
MC		 7909 if (!TEST_int_eq(SSL_pending(clientssl), 0)
7910 || !TEST_false(SSL_has_pending(clientssl))
7911 || !TEST_int_eq(SSL_pending(serverssl), 0)
7912 || !TEST_false(SSL_has_pending(serverssl))
7913 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 7914 || !TEST_size_t_eq(written, sizeof(msg))
7915 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
7916 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 7917 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
7918 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 7919 goto end;
7920
7921 testresult = 1;
7922
7923 end:
7924 SSL_free(serverssl);
7925 SSL_free(clientssl);
7926 SSL_CTX_free(sctx);
7927 SSL_CTX_free(cctx);
7928
7929 return testresult;
7930}
7931
e401389a
MC		 7932static struct {
7933 unsigned int maxprot;
7934 const char *clntciphers;
7935 const char *clnttls13ciphers;
7936 const char *srvrciphers;
7937 const char *srvrtls13ciphers;
7938 const char *shared;
a96e6c34 7939 const char *fipsshared;
e401389a 7940} shared_ciphers_data[] = {
60155b9a
MC		 7941/*
7942 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
7943 * TLSv1.3 is enabled but TLSv1.2 is disabled.
7944 */
a763ca11 7945#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 7946 {
7947 TLS1_2_VERSION,
7948 "AES128-SHA:AES256-SHA",
7949 NULL,
7950 "AES256-SHA:DHE-RSA-AES128-SHA",
7951 NULL,
a96e6c34 7952 "AES256-SHA",
e401389a
MC		 7953 "AES256-SHA"
7954 },
a96e6c34
MC		 7955# if !defined(OPENSSL_NO_CHACHA) \
7956 && !defined(OPENSSL_NO_POLY1305) \
7957 && !defined(OPENSSL_NO_EC)
7958 {
7959 TLS1_2_VERSION,
7960 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7961 NULL,
7962 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7963 NULL,
7964 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7965 "AES128-SHA"
7966 },
7967# endif
e401389a
MC		 7968 {
7969 TLS1_2_VERSION,
7970 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7971 NULL,
7972 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7973 NULL,
a96e6c34 7974 "AES128-SHA:AES256-SHA",
e401389a
MC		 7975 "AES128-SHA:AES256-SHA"
7976 },
7977 {
7978 TLS1_2_VERSION,
7979 "AES128-SHA:AES256-SHA",
7980 NULL,
7981 "AES128-SHA:DHE-RSA-AES128-SHA",
7982 NULL,
a96e6c34 7983 "AES128-SHA",
e401389a
MC		 7984 "AES128-SHA"
7985 },
60155b9a
MC		 7986#endif
7987/*
7988 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7989 * enabled.
7990 */
a763ca11 7991#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7992 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7993 {
7994 TLS1_3_VERSION,
7995 "AES128-SHA:AES256-SHA",
7996 NULL,
7997 "AES256-SHA:AES128-SHA256",
7998 NULL,
7999 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 8000 "TLS_AES_128_GCM_SHA256:AES256-SHA",
8001 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 8002 },
60155b9a 8003#endif
a763ca11 8004#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 8005 {
8006 TLS1_3_VERSION,
8007 "AES128-SHA",
8008 "TLS_AES_256_GCM_SHA384",
8009 "AES256-SHA",
8010 "TLS_AES_256_GCM_SHA384",
a96e6c34 8011 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 8012 "TLS_AES_256_GCM_SHA384"
8013 },
8014#endif
8015};
8016
a96e6c34 8017static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 8018{
8019 SSL_CTX *cctx = NULL, *sctx = NULL;
8020 SSL *clientssl = NULL, *serverssl = NULL;
8021 int testresult = 0;
8022 char buf[1024];
b4250010 8023 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 8024
8025 if (!TEST_ptr(tmplibctx))
8026 goto end;
8027
8028 /*
8029 * Regardless of whether we're testing with the FIPS provider loaded into
8030 * libctx, we want one peer to always use the full set of ciphersuites
8031 * available. Therefore we use a separate libctx with the default provider
8032 * loaded into it. We run the same tests twice - once with the client side
8033 * having the full set of ciphersuites and once with the server side.
8034 */
8035 if (clnt) {
d8652be0 8036 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 8037 if (!TEST_ptr(cctx))
8038 goto end;
8039 } else {
d8652be0 8040 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 8041 if (!TEST_ptr(sctx))
8042 goto end;
8043 }
e401389a 8044
5e30f2fd 8045 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 8046 TLS_client_method(),
8047 TLS1_VERSION,
8048 shared_ciphers_data[tst].maxprot,
8049 &sctx, &cctx, cert, privkey)))
8050 goto end;
8051
8052 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8053 shared_ciphers_data[tst].clntciphers))
8054 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
8055 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
8056 shared_ciphers_data[tst].clnttls13ciphers)))
8057 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
8058 shared_ciphers_data[tst].srvrciphers))
8059 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
8060 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
8061 shared_ciphers_data[tst].srvrtls13ciphers))))
8062 goto end;
8063
8064
8065 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8066 NULL, NULL))
8067 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8068 SSL_ERROR_NONE)))
8069 goto end;
8070
8071 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 8072 || !TEST_int_eq(strcmp(buf,
8073 is_fips
8074 ? shared_ciphers_data[tst].fipsshared
8075 : shared_ciphers_data[tst].shared),
8076 0)) {
e401389a
MC		 8077 TEST_info("Shared ciphers are: %s\n", buf);
8078 goto end;
8079 }
8080
8081 testresult = 1;
8082
8083 end:
8084 SSL_free(serverssl);
8085 SSL_free(clientssl);
8086 SSL_CTX_free(sctx);
8087 SSL_CTX_free(cctx);
b4250010 8088 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 8089
8090 return testresult;
8091}
8092
a96e6c34
MC		 8093static int test_ssl_get_shared_ciphers(int tst)
8094{
8095 return int_test_ssl_get_shared_ciphers(tst, 0)
8096 && int_test_ssl_get_shared_ciphers(tst, 1);
8097}
8098
8099
d0191fe0 8100static const char *appdata = "Hello World";
61fb5923
MC		 8101static int gen_tick_called, dec_tick_called, tick_key_cb_called;
8102static int tick_key_renew = 0;
8103static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 8104
8105static int gen_tick_cb(SSL *s, void *arg)
8106{
8107 gen_tick_called = 1;
8108
8109 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
8110 strlen(appdata));
8111}
8112
8113static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
8114 const unsigned char *keyname,
8115 size_t keyname_length,
61fb5923
MC		 8116 SSL_TICKET_STATUS status,
8117 void *arg)
d0191fe0
MC		 8118{
8119 void *tickdata;
8120 size_t tickdlen;
8121
8122 dec_tick_called = 1;
8123
61fb5923
MC		 8124 if (status == SSL_TICKET_EMPTY)
8125 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 8126
61fb5923
MC		 8127 if (!TEST_true(status == SSL_TICKET_SUCCESS
8128 || status == SSL_TICKET_SUCCESS_RENEW))
8129 return SSL_TICKET_RETURN_ABORT;
8130
8131 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
8132 &tickdlen))
d0191fe0
MC		 8133 || !TEST_size_t_eq(tickdlen, strlen(appdata))
8134 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 8135 return SSL_TICKET_RETURN_ABORT;
d0191fe0 8136
61fb5923
MC		 8137 if (tick_key_cb_called) {
8138 /* Don't change what the ticket key callback wanted to do */
8139 switch (status) {
8140 case SSL_TICKET_NO_DECRYPT:
8141 return SSL_TICKET_RETURN_IGNORE_RENEW;
8142
8143 case SSL_TICKET_SUCCESS:
8144 return SSL_TICKET_RETURN_USE;
d0191fe0 8145
61fb5923
MC		 8146 case SSL_TICKET_SUCCESS_RENEW:
8147 return SSL_TICKET_RETURN_USE_RENEW;
8148
8149 default:
8150 return SSL_TICKET_RETURN_ABORT;
8151 }
8152 }
8153 return tick_dec_ret;
8154
8155}
d0191fe0 8156
a76ce286 8157#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 8158static int tick_key_cb(SSL *s, unsigned char key_name[16],
8159 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
8160 HMAC_CTX *hctx, int enc)
8161{
8162 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8163 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
3b7a3241
MC		 8164 EVP_CIPHER *aes128cbc;
8165 EVP_MD *sha256;
5e30f2fd 8166 int ret;
d0191fe0 8167
61fb5923 8168 tick_key_cb_called = 1;
3b7a3241
MC		 8169
8170 if (tick_key_renew == -1)
8171 return 0;
8172
8173 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8174 if (!TEST_ptr(aes128cbc))
8175 return 0;
8176 sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
8177 if (!TEST_ptr(sha256)) {
8178 EVP_CIPHER_free(aes128cbc);
8179 return 0;
8180 }
8181
d0191fe0
MC		 8182 memset(iv, 0, AES_BLOCK_SIZE);
8183 memset(key_name, 0, 16);
5e30f2fd
MC		 8184 if (aes128cbc == NULL
8185 || sha256 == NULL
8186 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
8187 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
8188 NULL))
8189 ret = -1;
8190 else
8191 ret = tick_key_renew ? 2 : 1;
d0191fe0 8192
5e30f2fd
MC		 8193 EVP_CIPHER_free(aes128cbc);
8194 EVP_MD_free(sha256);
8195
8196 return ret;
d0191fe0 8197}
a76ce286
P		 8198#endif
8199
8200static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
8201 unsigned char iv[EVP_MAX_IV_LENGTH],
8202 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
8203{
8204 const unsigned char tick_aes_key[16] = "0123456789abcdef";
8205 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 8206 OSSL_PARAM params[2];
3b7a3241 8207 EVP_CIPHER *aes128cbc;
5e30f2fd 8208 int ret;
a76ce286
P		 8209
8210 tick_key_cb_called = 1;
3b7a3241
MC		 8211
8212 if (tick_key_renew == -1)
8213 return 0;
8214
8215 aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
8216 if (!TEST_ptr(aes128cbc))
8217 return 0;
8218
a76ce286
P		 8219 memset(iv, 0, AES_BLOCK_SIZE);
8220 memset(key_name, 0, 16);
8221 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
8222 "SHA256", 0);
77e4ae58 8223 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 8224 if (aes128cbc == NULL
8225 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 8226 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
8227 params))
5e30f2fd
MC		 8228 ret = -1;
8229 else
8230 ret = tick_key_renew ? 2 : 1;
8231
8232 EVP_CIPHER_free(aes128cbc);
a76ce286 8233
5e30f2fd 8234 return ret;
a76ce286 8235}
d0191fe0
MC		 8236
8237/*
8238 * Test the various ticket callbacks
61fb5923
MC		 8239 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
8240 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
8241 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
8242 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
8243 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
8244 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
8245 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
8246 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 8247 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
8248 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
8249 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
8250 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
3b7a3241
MC		 8251 * Test 12: TLSv1.2, old ticket key callback, no ticket
8252 * Test 13: TLSv1.3, old ticket key callback, no ticket
8253 * Test 14: TLSv1.2, ticket key callback, ticket, no renewal
8254 * Test 15: TLSv1.3, ticket key callback, ticket, no renewal
8255 * Test 16: TLSv1.2, ticket key callback, ticket, renewal
8256 * Test 17: TLSv1.3, ticket key callback, ticket, renewal
8257 * Test 18: TLSv1.2, ticket key callback, no ticket
8258 * Test 19: TLSv1.3, ticket key callback, no ticket
d0191fe0
MC		 8259 */
8260static int test_ticket_callbacks(int tst)
8261{
8262 SSL_CTX *cctx = NULL, *sctx = NULL;
8263 SSL *clientssl = NULL, *serverssl = NULL;
8264 SSL_SESSION *clntsess = NULL;
8265 int testresult = 0;
8266
8267#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 8268 if (tst % 2 == 0)
d0191fe0
MC		 8269 return 1;
8270#endif
a763ca11 8271#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 8272 if (tst % 2 == 1)
d0191fe0
MC		 8273 return 1;
8274#endif
a76ce286 8275#ifdef OPENSSL_NO_DEPRECATED_3_0
3b7a3241 8276 if (tst >= 8 && tst <= 13)
a76ce286
P		 8277 return 1;
8278#endif
d0191fe0 8279
61fb5923 8280 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 8281
8282 /* Which tests the ticket key callback should request renewal for */
3c95ef22 8283
3b7a3241 8284 if (tst == 10 || tst == 11 || tst == 16 || tst == 17)
61fb5923 8285 tick_key_renew = 1;
3b7a3241
MC		 8286 else if (tst == 12 || tst == 13 || tst == 18 || tst == 19)
8287 tick_key_renew = -1; /* abort sending the ticket/0-length ticket */
d0191fe0 8288 else
61fb5923
MC		 8289 tick_key_renew = 0;
8290
8291 /* Which tests the decrypt ticket callback should request renewal for */
8292 switch (tst) {
8293 case 0:
8294 case 1:
8295 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
8296 break;
8297
8298 case 2:
8299 case 3:
8300 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
8301 break;
8302
8303 case 4:
8304 case 5:
8305 tick_dec_ret = SSL_TICKET_RETURN_USE;
8306 break;
8307
8308 case 6:
8309 case 7:
8310 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
8311 break;
8312
8313 default:
8314 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
8315 }
d0191fe0 8316
5e30f2fd 8317 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 8318 TLS_client_method(),
8319 TLS1_VERSION,
61fb5923
MC		 8320 ((tst % 2) == 0) ? TLS1_2_VERSION
8321 : TLS1_3_VERSION,
d0191fe0
MC		 8322 &sctx, &cctx, cert, privkey)))
8323 goto end;
8324
61fb5923
MC		 8325 /*
8326 * We only want sessions to resume from tickets - not the session cache. So
8327 * switch the cache off.
8328 */
8329 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
8330 goto end;
8331
d0191fe0
MC		 8332 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
8333 NULL)))
8334 goto end;
8335
3b7a3241 8336 if (tst >= 14) {
a76ce286
P		 8337 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
8338 goto end;
8339#ifndef OPENSSL_NO_DEPRECATED_3_0
8340 } else if (tst >= 8) {
8341 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
8342 goto end;
8343#endif
8344 }
d0191fe0
MC		 8345
8346 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8347 NULL, NULL))
8348 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8349 SSL_ERROR_NONE)))
8350 goto end;
8351
61fb5923
MC		 8352 /*
8353 * The decrypt ticket key callback in TLSv1.2 should be called even though
8354 * we have no ticket yet, because it gets called with a status of
8355 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
8356 * actually send any ticket data). This does not happen in TLSv1.3 because
8357 * it is not valid to send empty ticket data in TLSv1.3.
8358 */
d0191fe0 8359 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 8360 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 8361 goto end;
8362
8363 gen_tick_called = dec_tick_called = 0;
8364
8365 clntsess = SSL_get1_session(clientssl);
8366 SSL_shutdown(clientssl);
8367 SSL_shutdown(serverssl);
8368 SSL_free(serverssl);
8369 SSL_free(clientssl);
8370 serverssl = clientssl = NULL;
8371
8372 /* Now do a resumption */
8373 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8374 NULL))
8375 || !TEST_true(SSL_set_session(clientssl, clntsess))
8376 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 8377 SSL_ERROR_NONE)))
d0191fe0
MC		 8378 goto end;
8379
61fb5923 8380 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
3b7a3241
MC		 8381 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8382 || tick_key_renew == -1) {
61fb5923
MC		 8383 if (!TEST_false(SSL_session_reused(clientssl)))
8384 goto end;
8385 } else {
8386 if (!TEST_true(SSL_session_reused(clientssl)))
8387 goto end;
8388 }
8389
d0191fe0 8390 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 8391 (tick_key_renew
8392 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
8393 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
8394 ? 1 : 0)
3b7a3241
MC		 8395 /* There is no ticket to decrypt in tests 13 and 19 */
8396 || !TEST_int_eq(dec_tick_called, (tst == 13 || tst == 19) ? 0 : 1))
d0191fe0
MC		 8397 goto end;
8398
8399 testresult = 1;
8400
8401 end:
8402 SSL_SESSION_free(clntsess);
8403 SSL_free(serverssl);
8404 SSL_free(clientssl);
8405 SSL_CTX_free(sctx);
8406 SSL_CTX_free(cctx);
8407
8408 return testresult;
8409}
8410
e638112e
DB		 8411/*
8412 * Test incorrect shutdown.
8413 * Test 0: client does not shutdown properly,
8414 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
8415 * server should get SSL_ERROR_SSL
8416 * Test 1: client does not shutdown properly,
8417 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
8418 * server should get SSL_ERROR_ZERO_RETURN
8419 */
8420static int test_incorrect_shutdown(int tst)
8421{
8422 SSL_CTX *cctx = NULL, *sctx = NULL;
8423 SSL *clientssl = NULL, *serverssl = NULL;
8424 int testresult = 0;
8425 char buf[80];
8426 BIO *c2s;
8427
8428 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8429 TLS_client_method(), 0, 0,
8430 &sctx, &cctx, cert, privkey)))
8431 goto end;
8432
8433 if (tst == 1)
8434 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
8435
8436 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8437 NULL, NULL)))
8438 goto end;
8439
8440 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
8441 SSL_ERROR_NONE)))
8442 goto end;
8443
8444 c2s = SSL_get_rbio(serverssl);
8445 BIO_set_mem_eof_return(c2s, 0);
8446
8447 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
8448 goto end;
8449
8450 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
8451 goto end;
8452 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
8453 goto end;
8454
8455 testresult = 1;
8456
8457 end:
8458 SSL_free(serverssl);
8459 SSL_free(clientssl);
8460 SSL_CTX_free(sctx);
8461 SSL_CTX_free(cctx);
8462
8463 return testresult;
8464}
8465
c748834f
MC		 8466/*
8467 * Test bi-directional shutdown.
8468 * Test 0: TLSv1.2
8469 * Test 1: TLSv1.2, server continues to read/write after client shutdown
8470 * Test 2: TLSv1.3, no pending NewSessionTicket messages
8471 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 8472 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
8473 * sends key update, client reads it
57d7b988
MC		 8474 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
8475 * sends CertificateRequest, client reads and ignores it
8476 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 8477 * doesn't read it
8478 */
8479static int test_shutdown(int tst)
8480{
8481 SSL_CTX *cctx = NULL, *sctx = NULL;
8482 SSL *clientssl = NULL, *serverssl = NULL;
8483 int testresult = 0;
8484 char msg[] = "A test message";
8485 char buf[80];
8486 size_t written, readbytes;
80eff008 8487 SSL_SESSION *sess;
c748834f
MC		 8488
8489#ifdef OPENSSL_NO_TLS1_2
a97d19f7 8490 if (tst <= 1)
c748834f
MC		 8491 return 1;
8492#endif
a763ca11 8493#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 8494 if (tst >= 2)
c748834f
MC		 8495 return 1;
8496#endif
8497
5e30f2fd 8498 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 8499 TLS_client_method(),
8500 TLS1_VERSION,
8501 (tst <= 1) ? TLS1_2_VERSION
8502 : TLS1_3_VERSION,
57d7b988
MC		 8503 &sctx, &cctx, cert, privkey)))
8504 goto end;
8505
8506 if (tst == 5)
8507 SSL_CTX_set_post_handshake_auth(cctx, 1);
8508
8509 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 8510 NULL, NULL)))
8511 goto end;
8512
8513 if (tst == 3) {
8514 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
26dad42e 8515 SSL_ERROR_NONE, 1, 0))
80eff008
KR		 8516 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8517 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 8518 goto end;
8519 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 8520 SSL_ERROR_NONE))
8521 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8522 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 8523 goto end;
8524 }
8525
8526 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8527 goto end;
8528
8529 if (tst >= 4) {
8530 /*
8531 * Reading on the server after the client has sent close_notify should
8532 * fail and provide SSL_ERROR_ZERO_RETURN
8533 */
8534 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
8535 || !TEST_int_eq(SSL_get_error(serverssl, 0),
8536 SSL_ERROR_ZERO_RETURN)
8537 || !TEST_int_eq(SSL_get_shutdown(serverssl),
8538 SSL_RECEIVED_SHUTDOWN)
8539 /*
8540 * Even though we're shutdown on receive we should still be
8541 * able to write.
8542 */
80eff008
KR		 8543 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
8544 goto end;
57d7b988
MC		 8545 if (tst == 4
8546 && !TEST_true(SSL_key_update(serverssl,
8547 SSL_KEY_UPDATE_REQUESTED)))
8548 goto end;
8549 if (tst == 5) {
8550 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
8551 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
8552 goto end;
8553 }
8554 if ((tst == 4 || tst == 5)
8555 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 8556 goto end;
8557 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 8558 goto end;
57d7b988 8559 if (tst == 4 || tst == 5) {
80eff008 8560 /* Should still be able to read data from server */
c748834f 8561 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 8562 &readbytes))
8563 || !TEST_size_t_eq(readbytes, sizeof(msg))
8564 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
8565 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
8566 &readbytes))
c748834f
MC		 8567 || !TEST_size_t_eq(readbytes, sizeof(msg))
8568 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
8569 goto end;
8570 }
8571 }
8572
8573 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 8574 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 8575 goto end;
8576
8577 if (tst < 4) {
8578 /*
8579 * For these tests the client has sent close_notify but it has not yet
8580 * been received by the server. The server has not sent close_notify
8581 * yet.
8582 */
8583 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 8584 /*
8585 * Writing on the server after sending close_notify shouldn't
8586 * be possible.
8587 */
8588 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 8589 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 8590 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8591 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 8592 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
8593 goto end;
57d7b988 8594 } else if (tst == 4 || tst == 5) {
c748834f
MC		 8595 /*
8596 * In this test the client has sent close_notify and it has been
8597 * received by the server which has responded with a close_notify. The
358ffa05 8598 * client needs to read the close_notify sent by the server.
c748834f 8599 */
80eff008
KR		 8600 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
8601 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
8602 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 8603 goto end;
358ffa05
MC		 8604 } else {
8605 /*
57d7b988 8606 * tst == 6
358ffa05
MC		 8607 *
8608 * The client has sent close_notify and is expecting a close_notify
8609 * back, but instead there is application data first. The shutdown
8610 * should fail with a fatal error.
8611 */
8612 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
8613 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
8614 goto end;
c748834f
MC		 8615 }
8616
8617 testresult = 1;
8618
8619 end:
8620 SSL_free(serverssl);
8621 SSL_free(clientssl);
8622 SSL_CTX_free(sctx);
8623 SSL_CTX_free(cctx);
8624
8625 return testresult;
8626}
8627
cbf965b4
MC		 8628/*
8629 * Test that sending close_notify alerts works correctly in the case of a
8630 * retryable write failure.
8631 */
8632static int test_async_shutdown(void)
8633{
8634 SSL_CTX *cctx = NULL, *sctx = NULL;
8635 SSL *clientssl = NULL, *serverssl = NULL;
8636 int testresult = 0;
8637 BIO *bretry = BIO_new(bio_s_always_retry()), *tmp = NULL;
8638
8639 if (!TEST_ptr(bretry))
8640 goto end;
8641
8642 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8643 TLS_client_method(),
8644 0, 0,
8645 &sctx, &cctx, cert, privkey)))
8646 goto end;
8647
8648 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8649 NULL)))
8650 goto end;
8651
8652 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8653 goto end;
8654
8655 /* Close write side of clientssl */
8656 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
8657 goto end;
8658
8659 tmp = SSL_get_wbio(serverssl);
8660 if (!TEST_true(BIO_up_ref(tmp))) {
8661 tmp = NULL;
8662 goto end;
8663 }
8664 SSL_set0_wbio(serverssl, bretry);
8665 bretry = NULL;
8666
8667 /* First server shutdown should fail because of a retrable write failure */
8668 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8669 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8670 goto end;
8671
8672 /* Second server shutdown should fail for the same reason */
8673 if (!TEST_int_eq(SSL_shutdown(serverssl), -1)
8674 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
8675 goto end;
8676
8677 SSL_set0_wbio(serverssl, tmp);
8678 tmp = NULL;
8679
8680 /* Third server shutdown should send close_notify */
8681 if (!TEST_int_eq(SSL_shutdown(serverssl), 0))
8682 goto end;
8683
8684 /* Fourth server shutdown should read close_notify from client and finish */
8685 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
8686 goto end;
8687
8688 /* Client should also successfully fully shutdown */
8689 if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
8690 goto end;
8691
8692 testresult = 1;
8693 end:
8694 SSL_free(serverssl);
8695 SSL_free(clientssl);
8696 SSL_CTX_free(sctx);
8697 SSL_CTX_free(cctx);
8698 BIO_free(bretry);
8699 BIO_free(tmp);
8700
8701 return testresult;
8702}
8703
a763ca11 8704#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 8705static int cert_cb_cnt;
8706
8707static int cert_cb(SSL *s, void *arg)
8708{
8709 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 8710 BIO *in = NULL;
8711 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 8712 X509 *x509 = NULL, *rootx = NULL;
8713 STACK_OF(X509) *chain = NULL;
8714 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
8715 int ret = 0;
cd6fe29f
MC		 8716
8717 if (cert_cb_cnt == 0) {
8718 /* Suspend the handshake */
8719 cert_cb_cnt++;
8720 return -1;
8721 } else if (cert_cb_cnt == 1) {
8722 /*
8723 * Update the SSL_CTX, set the certificate and private key and then
8724 * continue the handshake normally.
8725 */
8726 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
8727 return 0;
8728
8729 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
8730 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
8731 SSL_FILETYPE_PEM))
8732 || !TEST_true(SSL_check_private_key(s)))
8733 return 0;
8734 cert_cb_cnt++;
8735 return 1;
7cb8fb07
BK		 8736 } else if (cert_cb_cnt == 3) {
8737 int rv;
1a2a3a42
MC		 8738
8739 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
8740 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8741 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8742 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
8743 goto out;
8744 chain = sk_X509_new_null();
8745 if (!TEST_ptr(chain))
8746 goto out;
7cb8fb07 8747 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8748 || !TEST_int_gt(BIO_read_filename(in, rootfile), 0)
d8652be0 8749 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 8750 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 8751 || !TEST_true(sk_X509_push(chain, rootx)))
8752 goto out;
8753 rootx = NULL;
8754 BIO_free(in);
8755 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8756 || !TEST_int_gt(BIO_read_filename(in, ecdsacert), 0)
d8652be0 8757 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 8758 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 8759 goto out;
8760 BIO_free(in);
8761 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
e3f03624 8762 || !TEST_int_gt(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 8763 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
8764 NULL, NULL,
8765 libctx, NULL)))
7cb8fb07 8766 goto out;
1a2a3a42 8767 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 8768 /*
8769 * If the cert doesn't show as valid here (e.g., because we don't
8770 * have any shared sigalgs), then we will not set it, and there will
8771 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
8772 * will cause tls_choose_sigalgs() to fail the connection.
8773 */
1a2a3a42
MC		 8774 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
8775 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 8776 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
8777 goto out;
8778 }
1a2a3a42
MC		 8779
8780 ret = 1;
cd6fe29f
MC		 8781 }
8782
8783 /* Abort the handshake */
7cb8fb07 8784 out:
1a2a3a42
MC		 8785 OPENSSL_free(ecdsacert);
8786 OPENSSL_free(ecdsakey);
8787 OPENSSL_free(rootfile);
7cb8fb07
BK		 8788 BIO_free(in);
8789 EVP_PKEY_free(pkey);
8790 X509_free(x509);
1a2a3a42 8791 X509_free(rootx);
79b2a2f2 8792 OSSL_STACK_OF_X509_free(chain);
1a2a3a42 8793 return ret;
cd6fe29f
MC		 8794}
8795
8796/*
8797 * Test the certificate callback.
8798 * Test 0: Callback fails
8799 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
8800 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 8801 * Test 3: Success - Call SSL_check_chain from the callback
8802 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
8803 * chain
8804 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 8805 */
8806static int test_cert_cb_int(int prot, int tst)
8807{
8808 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
8809 SSL *clientssl = NULL, *serverssl = NULL;
8810 int testresult = 0, ret;
8811
1a2a3a42
MC		 8812#ifdef OPENSSL_NO_EC
8813 /* We use an EC cert in these tests, so we skip in a no-ec build */
8814 if (tst >= 3)
8815 return 1;
8816#endif
8817
5e30f2fd 8818 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 8819 TLS_client_method(),
8820 TLS1_VERSION,
8821 prot,
8822 &sctx, &cctx, NULL, NULL)))
8823 goto end;
8824
8825 if (tst == 0)
8826 cert_cb_cnt = -1;
1a2a3a42 8827 else if (tst >= 3)
7cb8fb07 8828 cert_cb_cnt = 3;
cd6fe29f
MC		 8829 else
8830 cert_cb_cnt = 0;
1a2a3a42 8831
b0317df2 8832 if (tst == 2) {
7e1eda48 8833 snictx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
b0317df2
JJ		 8834 if (!TEST_ptr(snictx))
8835 goto end;
8836 }
8837
cd6fe29f
MC		 8838 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
8839
8840 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8841 NULL, NULL)))
8842 goto end;
8843
1a2a3a42
MC		 8844 if (tst == 4) {
8845 /*
8846 * We cause SSL_check_chain() to fail by specifying sig_algs that
8847 * the chain doesn't meet (the root uses an RSA cert)
8848 */
8849 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8850 "ecdsa_secp256r1_sha256")))
8851 goto end;
8852 } else if (tst == 5) {
8853 /*
8854 * We cause SSL_check_chain() to fail by specifying sig_algs that
8855 * the ee cert doesn't meet (the ee uses an ECDSA cert)
8856 */
8857 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
8858 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
8859 goto end;
8860 }
8861
cd6fe29f 8862 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 8863 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 8864 || (tst > 0
8865 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 8866 goto end;
8867 }
8868
8869 testresult = 1;
8870
8871 end:
8872 SSL_free(serverssl);
8873 SSL_free(clientssl);
8874 SSL_CTX_free(sctx);
8875 SSL_CTX_free(cctx);
8876 SSL_CTX_free(snictx);
8877
8878 return testresult;
8879}
7f1d923a 8880#endif
cd6fe29f
MC		 8881
8882static int test_cert_cb(int tst)
8883{
8884 int testresult = 1;
8885
8886#ifndef OPENSSL_NO_TLS1_2
8887 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
8888#endif
a763ca11 8889#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 8890 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
8891#endif
8892
8893 return testresult;
8894}
8895
6e46c065
MC		 8896static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
8897{
8c2bfd25 8898 X509 *xcert;
6e46c065
MC		 8899 EVP_PKEY *privpkey;
8900 BIO *in = NULL;
6725682d 8901 BIO *priv_in = NULL;
6e46c065 8902
8c2bfd25
TS		 8903 /* Check that SSL_get0_peer_certificate() returns something sensible */
8904 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 8905 return 0;
6e46c065
MC		 8906
8907 in = BIO_new_file(cert, "r");
8908 if (!TEST_ptr(in))
8909 return 0;
8910
d8652be0 8911 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 8912 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
8913 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 8914 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
8915 NULL, NULL,
8916 libctx, NULL)))
6725682d 8917 goto err;
6e46c065
MC		 8918
8919 *x509 = xcert;
8920 *pkey = privpkey;
8921
6725682d
SL		 8922 BIO_free(in);
8923 BIO_free(priv_in);
6e46c065 8924 return 1;
6725682d
SL		 8925err:
8926 X509_free(xcert);
8927 BIO_free(in);
8928 BIO_free(priv_in);
8929 return 0;
6e46c065
MC		 8930}
8931
6e46c065
MC		 8932static int test_client_cert_cb(int tst)
8933{
8934 SSL_CTX *cctx = NULL, *sctx = NULL;
8935 SSL *clientssl = NULL, *serverssl = NULL;
8936 int testresult = 0;
8937
8938#ifdef OPENSSL_NO_TLS1_2
8939 if (tst == 0)
8940 return 1;
8941#endif
a763ca11 8942#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 8943 if (tst == 1)
8944 return 1;
8945#endif
8946
5e30f2fd 8947 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 8948 TLS_client_method(),
8949 TLS1_VERSION,
8950 tst == 0 ? TLS1_2_VERSION
8951 : TLS1_3_VERSION,
8952 &sctx, &cctx, cert, privkey)))
8953 goto end;
8954
8955 /*
8956 * Test that setting a client_cert_cb results in a client certificate being
8957 * sent.
8958 */
8959 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
8960 SSL_CTX_set_verify(sctx,
8961 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
8962 verify_cb);
fb8c8359
MC		 8963
8964 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8965 NULL, NULL))
8966 || !TEST_true(create_ssl_connection(serverssl, clientssl,
8967 SSL_ERROR_NONE)))
8968 goto end;
8969
8970 testresult = 1;
8971
8972 end:
8973 SSL_free(serverssl);
8974 SSL_free(clientssl);
8975 SSL_CTX_free(sctx);
8976 SSL_CTX_free(cctx);
8977
8978 return testresult;
8979}
8980
a763ca11 8981#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 8982/*
8983 * Test setting certificate authorities on both client and server.
8984 *
8985 * Test 0: SSL_CTX_set0_CA_list() only
8986 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
8987 * Test 2: Only SSL_CTX_set_client_CA_list()
8988 */
8989static int test_ca_names_int(int prot, int tst)
8990{
8991 SSL_CTX *cctx = NULL, *sctx = NULL;
8992 SSL *clientssl = NULL, *serverssl = NULL;
8993 int testresult = 0;
8994 size_t i;
8995 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
8996 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
8997 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
8998 const STACK_OF(X509_NAME) *sktmp = NULL;
8999
9000 for (i = 0; i < OSSL_NELEM(name); i++) {
9001 name[i] = X509_NAME_new();
9002 if (!TEST_ptr(name[i])
9003 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
9004 MBSTRING_ASC,
9005 (unsigned char *)
9006 strnames[i],
9007 -1, -1, 0)))
9008 goto end;
9009 }
9010
5e30f2fd 9011 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 9012 TLS_client_method(),
9013 TLS1_VERSION,
9014 prot,
9015 &sctx, &cctx, cert, privkey)))
9016 goto end;
9017
9018 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
9019
9020 if (tst == 0 || tst == 1) {
9021 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9022 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
9023 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
9024 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9025 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
9026 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
9027 goto end;
9028
9029 SSL_CTX_set0_CA_list(sctx, sk1);
9030 SSL_CTX_set0_CA_list(cctx, sk2);
9031 sk1 = sk2 = NULL;
9032 }
9033 if (tst == 1 || tst == 2) {
9034 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
9035 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
9036 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
9037 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
9038 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
9039 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
9040 goto end;
9041
9042 SSL_CTX_set_client_CA_list(sctx, sk1);
9043 SSL_CTX_set_client_CA_list(cctx, sk2);
9044 sk1 = sk2 = NULL;
9045 }
9046
6e46c065
MC		 9047 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9048 NULL, NULL))
9049 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9050 SSL_ERROR_NONE)))
9051 goto end;
9052
fb8c8359
MC		 9053 /*
9054 * We only expect certificate authorities to have been sent to the server
9055 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
9056 */
9057 sktmp = SSL_get0_peer_CA_list(serverssl);
9058 if (prot == TLS1_3_VERSION
9059 && (tst == 0 || tst == 1)) {
9060 if (!TEST_ptr(sktmp)
9061 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9062 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9063 name[0]), 0)
9064 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9065 name[1]), 0))
9066 goto end;
9067 } else if (!TEST_ptr_null(sktmp)) {
9068 goto end;
9069 }
9070
9071 /*
9072 * In all tests we expect certificate authorities to have been sent to the
9073 * client. However, SSL_set_client_CA_list() should override
9074 * SSL_set0_CA_list()
9075 */
9076 sktmp = SSL_get0_peer_CA_list(clientssl);
9077 if (!TEST_ptr(sktmp)
9078 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
9079 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
9080 name[tst == 0 ? 0 : 2]), 0)
9081 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
9082 name[tst == 0 ? 1 : 3]), 0))
9083 goto end;
9084
6e46c065
MC		 9085 testresult = 1;
9086
9087 end:
9088 SSL_free(serverssl);
9089 SSL_free(clientssl);
9090 SSL_CTX_free(sctx);
9091 SSL_CTX_free(cctx);
fb8c8359
MC		 9092 for (i = 0; i < OSSL_NELEM(name); i++)
9093 X509_NAME_free(name[i]);
9094 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
9095 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
9096
9097 return testresult;
9098}
9099#endif
9100
9101static int test_ca_names(int tst)
9102{
9103 int testresult = 1;
9104
9105#ifndef OPENSSL_NO_TLS1_2
9106 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
9107#endif
a763ca11 9108#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 9109 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
9110#endif
6e46c065
MC		 9111
9112 return testresult;
9113}
9114
0d2bfe52
SL		 9115#ifndef OPENSSL_NO_TLS1_2
9116static const char *multiblock_cipherlist_data[]=
9117{
9118 "AES128-SHA",
9119 "AES128-SHA256",
9120 "AES256-SHA",
9121 "AES256-SHA256",
9122};
9123
9124/* Reduce the fragment size - so the multiblock test buffer can be small */
9125# define MULTIBLOCK_FRAGSIZE 512
9126
9127static int test_multiblock_write(int test_index)
9128{
9129 static const char *fetchable_ciphers[]=
9130 {
9131 "AES-128-CBC-HMAC-SHA1",
9132 "AES-128-CBC-HMAC-SHA256",
9133 "AES-256-CBC-HMAC-SHA1",
9134 "AES-256-CBC-HMAC-SHA256"
9135 };
9136 const char *cipherlist = multiblock_cipherlist_data[test_index];
9137 const SSL_METHOD *smeth = TLS_server_method();
9138 const SSL_METHOD *cmeth = TLS_client_method();
9139 int min_version = TLS1_VERSION;
9140 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
9141 SSL_CTX *cctx = NULL, *sctx = NULL;
9142 SSL *clientssl = NULL, *serverssl = NULL;
9143 int testresult = 0;
9144
9145 /*
9146 * Choose a buffer large enough to perform a multi-block operation
9147 * i.e: write_len >= 4 * frag_size
9148 * 9 * is chosen so that multiple multiblocks are used + some leftover.
9149 */
9150 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
9151 unsigned char buf[sizeof(msg)], *p = buf;
9152 size_t readbytes, written, len;
9153 EVP_CIPHER *ciph = NULL;
9154
9155 /*
9156 * Check if the cipher exists before attempting to use it since it only has
9157 * a hardware specific implementation.
9158 */
7c82a7a8 9159 ciph = EVP_CIPHER_fetch(libctx, fetchable_ciphers[test_index], "");
0d2bfe52
SL		 9160 if (ciph == NULL) {
9161 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
9162 return 1;
9163 }
9164 EVP_CIPHER_free(ciph);
9165
9166 /* Set up a buffer with some data that will be sent to the client */
9167 RAND_bytes(msg, sizeof(msg));
9168
5e30f2fd
MC		 9169 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
9170 max_version, &sctx, &cctx, cert,
9171 privkey)))
0d2bfe52
SL		 9172 goto end;
9173
9174 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
9175 goto end;
9176
9177 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9178 NULL, NULL)))
9179 goto end;
9180
9181 /* settings to force it to use AES-CBC-HMAC_SHA */
9182 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
9183 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
9184 goto end;
9185
9186 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9187 goto end;
9188
9189 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
9190 || !TEST_size_t_eq(written, sizeof(msg)))
9191 goto end;
9192
9193 len = written;
9194 while (len > 0) {
9195 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
9196 goto end;
9197 p += readbytes;
9198 len -= readbytes;
9199 }
9200 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
9201 goto end;
9202
9203 testresult = 1;
9204end:
9205 SSL_free(serverssl);
9206 SSL_free(clientssl);
9207 SSL_CTX_free(sctx);
9208 SSL_CTX_free(cctx);
9209
9210 return testresult;
9211}
9212#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 9213
25959e04
TS		 9214static int test_session_timeout(int test)
9215{
9216 /*
9217 * Test session ordering and timeout
9218 * Can't explicitly test performance of the new code,
9219 * but can test to see if the ordering of the sessions
ad31628c 9220 * are correct, and they are removed as expected
25959e04
TS		 9221 */
9222 SSL_SESSION *early = NULL;
9223 SSL_SESSION *middle = NULL;
9224 SSL_SESSION *late = NULL;
9225 SSL_CTX *ctx;
9226 int testresult = 0;
9227 long now = (long)time(NULL);
9228#define TIMEOUT 10
9229
9230 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
9231 || !TEST_ptr(early = SSL_SESSION_new())
9232 || !TEST_ptr(middle = SSL_SESSION_new())
9233 || !TEST_ptr(late = SSL_SESSION_new()))
9234 goto end;
9235
9236 /* assign unique session ids */
9237 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9238 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
9239 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9240 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
9241 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
9242 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
9243
9244 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9245 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9246 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9247 goto end;
9248
9249 /* Make sure they are all added */
9250 if (!TEST_ptr(early->prev)
9251 || !TEST_ptr(middle->prev)
9252 || !TEST_ptr(late->prev))
9253 goto end;
9254
9255 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
9256 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
9257 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
9258 goto end;
9259
9260 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
9261 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
9262 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
9263 goto end;
9264
9265 /* Make sure they are all still there */
9266 if (!TEST_ptr(early->prev)
9267 || !TEST_ptr(middle->prev)
9268 || !TEST_ptr(late->prev))
9269 goto end;
9270
9271 /* Make sure they are in the expected order */
9272 if (!TEST_ptr_eq(late->next, middle)
9273 || !TEST_ptr_eq(middle->next, early)
9274 || !TEST_ptr_eq(early->prev, middle)
9275 || !TEST_ptr_eq(middle->prev, late))
9276 goto end;
9277
9278 /* This should remove "early" */
9279 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
9280 if (!TEST_ptr_null(early->prev)
9281 || !TEST_ptr(middle->prev)
9282 || !TEST_ptr(late->prev))
9283 goto end;
9284
9285 /* This should remove "middle" */
9286 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
9287 if (!TEST_ptr_null(early->prev)
9288 || !TEST_ptr_null(middle->prev)
9289 || !TEST_ptr(late->prev))
9290 goto end;
9291
9292 /* This should remove "late" */
9293 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
9294 if (!TEST_ptr_null(early->prev)
9295 || !TEST_ptr_null(middle->prev)
9296 || !TEST_ptr_null(late->prev))
9297 goto end;
9298
9299 /* Add them back in again */
9300 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9301 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
9302 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
9303 goto end;
9304
9305 /* Make sure they are all added */
9306 if (!TEST_ptr(early->prev)
9307 || !TEST_ptr(middle->prev)
9308 || !TEST_ptr(late->prev))
9309 goto end;
9310
9311 /* This should remove all of them */
9312 SSL_CTX_flush_sessions(ctx, 0);
9313 if (!TEST_ptr_null(early->prev)
9314 || !TEST_ptr_null(middle->prev)
9315 || !TEST_ptr_null(late->prev))
9316 goto end;
9317
9318 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
9319 | SSL_CTX_get_session_cache_mode(ctx));
9320
9321 /* make sure |now| is NOT equal to the current time */
9322 now -= 10;
9323 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
9324 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
9325 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
9326 goto end;
9327
9328 testresult = 1;
9329 end:
9330 SSL_CTX_free(ctx);
9331 SSL_SESSION_free(early);
9332 SSL_SESSION_free(middle);
9333 SSL_SESSION_free(late);
9334 return testresult;
9335}
9336
49ef3d07
MC		 9337/*
9338 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
9339 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
9340 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
9341 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
9342 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
9343 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
9344 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
9345 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
9346 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
9347 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
9348 */
9349static int test_servername(int tst)
9350{
9351 SSL_CTX *cctx = NULL, *sctx = NULL;
9352 SSL *clientssl = NULL, *serverssl = NULL;
9353 int testresult = 0;
9354 SSL_SESSION *sess = NULL;
9355 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
9356
9357#ifdef OPENSSL_NO_TLS1_2
9358 if (tst <= 4)
9359 return 1;
9360#endif
a763ca11 9361#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 9362 if (tst >= 5)
9363 return 1;
9364#endif
9365
5e30f2fd 9366 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 9367 TLS_client_method(),
9368 TLS1_VERSION,
9369 (tst <= 4) ? TLS1_2_VERSION
9370 : TLS1_3_VERSION,
9371 &sctx, &cctx, cert, privkey))
9372 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9373 NULL, NULL)))
9374 goto end;
9375
9376 if (tst != 1 && tst != 6) {
9377 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
9378 hostname_cb)))
9379 goto end;
9380 }
9381
9382 if (tst != 3 && tst != 8) {
9383 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9384 goto end;
9385 sexpectedhost = cexpectedhost = "goodhost";
9386 }
9387
9388 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9389 goto end;
9390
9391 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
9392 cexpectedhost)
9393 || !TEST_str_eq(SSL_get_servername(serverssl,
9394 TLSEXT_NAMETYPE_host_name),
9395 sexpectedhost))
9396 goto end;
9397
9398 /* Now repeat with a resumption handshake */
9399
9400 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
9401 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
9402 || !TEST_true(SSL_SESSION_is_resumable(sess))
9403 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
9404 goto end;
9405
9406 SSL_free(clientssl);
9407 SSL_free(serverssl);
9408 clientssl = serverssl = NULL;
9409
9410 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
9411 NULL)))
9412 goto end;
9413
9414 if (!TEST_true(SSL_set_session(clientssl, sess)))
9415 goto end;
9416
9417 sexpectedhost = cexpectedhost = "goodhost";
9418 if (tst == 2 || tst == 7) {
9419 /* Set an inconsistent hostname */
9420 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
9421 goto end;
9422 /*
9423 * In TLSv1.2 we expect the hostname from the original handshake, in
9424 * TLSv1.3 we expect the hostname from this handshake
9425 */
9426 if (tst == 7)
9427 sexpectedhost = cexpectedhost = "altgoodhost";
9428
9429 if (!TEST_str_eq(SSL_get_servername(clientssl,
9430 TLSEXT_NAMETYPE_host_name),
9431 "altgoodhost"))
9432 goto end;
9433 } else if (tst == 4 || tst == 9) {
9434 /*
9435 * A TLSv1.3 session does not associate a session with a servername,
9436 * but a TLSv1.2 session does.
9437 */
9438 if (tst == 9)
9439 sexpectedhost = cexpectedhost = NULL;
9440
9441 if (!TEST_str_eq(SSL_get_servername(clientssl,
9442 TLSEXT_NAMETYPE_host_name),
9443 cexpectedhost))
9444 goto end;
9445 } else {
9446 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
9447 goto end;
9448 /*
9449 * In a TLSv1.2 resumption where the hostname was not acknowledged
9450 * we expect the hostname on the server to be empty. On the client we
9451 * return what was requested in this case.
9452 *
9453 * Similarly if the client didn't set a hostname on an original TLSv1.2
9454 * session but is now, the server hostname will be empty, but the client
9455 * is as we set it.
9456 */
9457 if (tst == 1 || tst == 3)
9458 sexpectedhost = NULL;
9459
9460 if (!TEST_str_eq(SSL_get_servername(clientssl,
9461 TLSEXT_NAMETYPE_host_name),
9462 "goodhost"))
9463 goto end;
9464 }
9465
9466 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9467 goto end;
9468
9469 if (!TEST_true(SSL_session_reused(clientssl))
9470 || !TEST_true(SSL_session_reused(serverssl))
9471 || !TEST_str_eq(SSL_get_servername(clientssl,
9472 TLSEXT_NAMETYPE_host_name),
9473 cexpectedhost)
9474 || !TEST_str_eq(SSL_get_servername(serverssl,
9475 TLSEXT_NAMETYPE_host_name),
9476 sexpectedhost))
9477 goto end;
9478
9479 testresult = 1;
9480
9481 end:
9482 SSL_SESSION_free(sess);
9483 SSL_free(serverssl);
9484 SSL_free(clientssl);
9485 SSL_CTX_free(sctx);
9486 SSL_CTX_free(cctx);
9487
9488 return testresult;
9489}
9490
2b4cea1e
TM		 9491static int test_unknown_sigalgs_groups(void)
9492{
9493 int ret = 0;
9494 SSL_CTX *ctx = NULL;
9495
9496 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
9497 goto end;
9498
9499 if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
9500 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9501 0))
9502 goto end;
9503 if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
9504 || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9505 || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9506 goto end;
9507
9508 if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
9509 "RSA+SHA256:?nonexistent:?RSA+SHA512"),
9510 0))
9511 goto end;
9512 if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
9513 || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
9514 || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
9515 goto end;
9516
9517 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9518 "nonexistent"),
9519 0))
9520 goto end;
9521
9522 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9523 "?nonexistent1:?nonexistent2:?nonexistent3"),
9524 0))
9525 goto end;
9526
9527#ifndef OPENSSL_NO_EC
9528 if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
9529 "P-256:nonexistent"),
9530 0))
9531 goto end;
9532
9533 if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
9534 "P-384:?nonexistent:?P-521"),
9535 0))
9536 goto end;
9537 if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
9538 || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
9539 || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
9540 goto end;
9541#endif
9542
9543 ret = 1;
9544 end:
9545 SSL_CTX_free(ctx);
9546 return ret;
9547}
9548
b1fdbc68 9549#if !defined(OPENSSL_NO_EC) \
a763ca11 9550 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 9551/*
9552 * Test that if signature algorithms are not available, then we do not offer or
9553 * accept them.
9554 * Test 0: Two RSA sig algs available: both RSA sig algs shared
9555 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
9556 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
9557 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
9558 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
9559 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
9560 */
9561static int test_sigalgs_available(int idx)
9562{
9563 SSL_CTX *cctx = NULL, *sctx = NULL;
9564 SSL *clientssl = NULL, *serverssl = NULL;
9565 int testresult = 0;
b4250010
DMSP		 9566 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
9567 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 9568 OSSL_PROVIDER *filterprov = NULL;
9569 int sig, hash;
9570
9571 if (!TEST_ptr(tmpctx))
9572 goto end;
9573
9574 if (idx != 0 && idx != 3) {
9575 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
9576 filter_provider_init)))
9577 goto end;
9578
9579 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
9580 if (!TEST_ptr(filterprov))
9581 goto end;
9582
9583 if (idx < 3) {
9584 /*
9585 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
9586 * or accepted for the peer that uses this libctx. Note that libssl
9587 * *requires* SHA2-256 to be available so we cannot disable that. We
9588 * also need SHA1 for our certificate.
9589 */
9590 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
9591 "SHA2-256:SHA1")))
9592 goto end;
9593 } else {
9594 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
9595 "ECDSA"))
4032cd9a
YL		 9596# ifdef OPENSSL_NO_ECX
9597 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
9598# else
b3842539 9599 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
4032cd9a
YL		 9600 "EC:X25519:X448"))
9601# endif
9602 )
b3842539
MC		 9603 goto end;
9604 }
9605
9606 if (idx == 1 || idx == 4)
9607 clientctx = tmpctx;
9608 else
9609 serverctx = tmpctx;
9610 }
9611
d8652be0
MC		 9612 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
9613 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 9614 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
9615 goto end;
b3842539 9616
b4c4a2c6
TM		 9617 if (idx != 5) {
9618 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9619 TLS_client_method(),
9620 TLS1_VERSION,
9621 0,
9622 &sctx, &cctx, cert, privkey)))
9623 goto end;
9624 } else {
9625 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9626 TLS_client_method(),
9627 TLS1_VERSION,
9628 0,
9629 &sctx, &cctx, cert2, privkey2)))
9630 goto end;
9631 }
b3842539 9632
b1fdbc68
MC		 9633 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
9634 if (idx < 4) {
9635 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9636 "ECDHE-RSA-AES128-GCM-SHA256")))
9637 goto end;
9638 } else {
9639 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
9640 "ECDHE-ECDSA-AES128-GCM-SHA256")))
9641 goto end;
9642 }
9643
b3842539
MC		 9644 if (idx < 3) {
9645 if (!SSL_CTX_set1_sigalgs_list(cctx,
9646 "rsa_pss_rsae_sha384"
9647 ":rsa_pss_rsae_sha256")
9648 || !SSL_CTX_set1_sigalgs_list(sctx,
9649 "rsa_pss_rsae_sha384"
9650 ":rsa_pss_rsae_sha256"))
9651 goto end;
9652 } else {
9653 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
9654 || !SSL_CTX_set1_sigalgs_list(sctx,
9655 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
9656 goto end;
9657 }
9658
b4c4a2c6
TM		 9659 if (idx != 5
9660 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
9661 SSL_FILETYPE_PEM), 1)
b3842539
MC		 9662 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
9663 privkey2,
9664 SSL_FILETYPE_PEM), 1)
b4c4a2c6 9665 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 9666 goto end;
9667
9668 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 9669 NULL, NULL)))
b3842539
MC		 9670 goto end;
9671
9672 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9673 goto end;
9674
9675 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
9676 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
9677 NULL, NULL),
9678 (idx == 0 || idx == 3) ? 2 : 1))
9679 goto end;
9680
9681 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
9682 goto end;
9683
9684 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
9685 : NID_rsassaPss))
9686 goto end;
9687
b0001d0c 9688 testresult = filter_provider_check_clean_finish();
b3842539
MC		 9689
9690 end:
9691 SSL_free(serverssl);
9692 SSL_free(clientssl);
9693 SSL_CTX_free(sctx);
9694 SSL_CTX_free(cctx);
9695 OSSL_PROVIDER_unload(filterprov);
b4250010 9696 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 9697
9698 return testresult;
9699}
b1fdbc68
MC		 9700#endif /*
9701 * !defined(OPENSSL_NO_EC) \
a763ca11 9702 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 9703 */
b3842539 9704
0c13cdf8 9705#ifndef OPENSSL_NO_TLS1_3
a763ca11 9706/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 9707static int test_pluggable_group(int idx)
0c13cdf8
MC		 9708{
9709 SSL_CTX *cctx = NULL, *sctx = NULL;
9710 SSL *clientssl = NULL, *serverssl = NULL;
9711 int testresult = 0;
9712 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 9713 /* Check that we are not impacted by a provider without any groups */
9714 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
f4ed6eed 9715 const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
0c13cdf8 9716
5ae54dba 9717 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 9718 goto end;
9719
9720 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9721 TLS_client_method(),
9722 TLS1_3_VERSION,
9723 TLS1_3_VERSION,
9724 &sctx, &cctx, cert, privkey))
9725 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9726 NULL, NULL)))
9727 goto end;
9728
f4ed6eed
MB		 9729 /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
9730 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
9731 /* removing a single algorithm from the list makes the test pass */
c8e3a4c6 9732 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 9733 goto end;
9734
9735 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9736 goto end;
9737
becbacd7
MB		 9738 if (!TEST_str_eq(group_name,
9739 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
9740 goto end;
9741
68668243
AB		 9742 if (!TEST_str_eq(group_name, SSL_get0_group_name(serverssl))
9743 || !TEST_str_eq(group_name, SSL_get0_group_name(clientssl)))
9744 goto end;
9745
0c13cdf8
MC		 9746 testresult = 1;
9747
9748 end:
9749 SSL_free(serverssl);
9750 SSL_free(clientssl);
9751 SSL_CTX_free(sctx);
9752 SSL_CTX_free(cctx);
9753 OSSL_PROVIDER_unload(tlsprov);
146aebc6 9754 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 9755
9756 return testresult;
9757}
ee58915c
MB		 9758
9759/*
9760 * This function triggers encode, decode and sign functions
9761 * of the artificial "xorhmacsig" algorithm implemented in tls-provider
9762 * creating private key and certificate files for use in TLS testing.
9763 */
9764static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
9765{
bbaeadb0 9766 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx,
ee58915c
MB		 9767 (idx == 0) ? "xorhmacsig" : "xorhmacsha2sig", NULL);
9768 EVP_PKEY *pkey = NULL;
9769 X509 *x509 = X509_new();
9770 X509_NAME *name = NULL;
9771 BIO *keybio = NULL, *certbio = NULL;
9772 int ret = 1;
9773
9774 if (!TEST_ptr(evpctx)
9775 || !TEST_true(EVP_PKEY_keygen_init(evpctx))
9776 || !TEST_true(EVP_PKEY_generate(evpctx, &pkey))
9777 || !TEST_ptr(pkey)
9778 || !TEST_ptr(x509)
9779 || !TEST_true(ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
9780 || !TEST_true(X509_gmtime_adj(X509_getm_notBefore(x509), 0))
9781 || !TEST_true(X509_gmtime_adj(X509_getm_notAfter(x509), 31536000L))
9782 || !TEST_true(X509_set_pubkey(x509, pkey))
9783 || !TEST_ptr(name = X509_get_subject_name(x509))
9784 || !TEST_true(X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
9785 (unsigned char *)"CH", -1, -1, 0))
9786 || !TEST_true(X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
9787 (unsigned char *)"test.org", -1, -1, 0))
9788 || !TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
9789 (unsigned char *)"localhost", -1, -1, 0))
9790 || !TEST_true(X509_set_issuer_name(x509, name))
9791 || !TEST_true(X509_sign(x509, pkey, EVP_sha1()))
9792 || !TEST_ptr(keybio = BIO_new_file(privkeyfilename, "wb"))
9793 || !TEST_true(PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL))
9794 || !TEST_ptr(certbio = BIO_new_file(certfilename, "wb"))
9795 || !TEST_true(PEM_write_bio_X509(certbio, x509)))
9796 ret = 0;
9797
9798 EVP_PKEY_free(pkey);
9799 X509_free(x509);
9800 EVP_PKEY_CTX_free(evpctx);
9801 BIO_free(keybio);
9802 BIO_free(certbio);
9803 return ret;
9804}
9805
9806/*
9807 * Test that signature algorithms loaded via the provider interface can
9808 * correctly establish a TLS (1.3) connection.
9809 * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
9810 * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
3c95ef22
TS		 9811 * Test 2: Test 0 using RPK
9812 * Test 3: Test 1 using RPK
ee58915c
MB		 9813 */
9814static int test_pluggable_signature(int idx)
9815{
3c95ef22 9816 static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
ee58915c
MB		 9817 SSL_CTX *cctx = NULL, *sctx = NULL;
9818 SSL *clientssl = NULL, *serverssl = NULL;
9819 int testresult = 0;
9820 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
9821 OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
9822 char *certfilename = "tls-prov-cert.pem";
9823 char *privkeyfilename = "tls-prov-key.pem";
3c95ef22
TS		 9824 int sigidx = idx % 2;
9825 int rpkidx = idx / 2;
ee58915c
MB		 9826
9827 /* create key and certificate for the different algorithm types */
9828 if (!TEST_ptr(tlsprov)
3c95ef22 9829 || !TEST_true(create_cert_key(sigidx, certfilename, privkeyfilename)))
ee58915c
MB		 9830 goto end;
9831
9832 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9833 TLS_client_method(),
9834 TLS1_3_VERSION,
9835 TLS1_3_VERSION,
9836 &sctx, &cctx, certfilename, privkeyfilename))
9837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9838 NULL, NULL)))
9839 goto end;
9840
3c95ef22
TS		 9841 /* Enable RPK for server cert */
9842 if (rpkidx) {
9843 if (!TEST_true(SSL_set1_server_cert_type(serverssl, cert_type_rpk, sizeof(cert_type_rpk)))
9844 || !TEST_true(SSL_set1_server_cert_type(clientssl, cert_type_rpk, sizeof(cert_type_rpk))))
9845 goto end;
9846 }
9847
ee58915c
MB		 9848 /* This is necessary to pass minimal setup w/o other groups configured */
9849 if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup"))
9850 || !TEST_true(SSL_set1_groups_list(clientssl, "xorgroup")))
9851 goto end;
9852
9853 /*
9854 * If this connection gets established, it must have been completed
9855 * via the tls-provider-implemented "hmacsig" algorithm, testing
9856 * both sign and verify functions during handshake.
9857 */
9858 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
9859 goto end;
9860
3c95ef22
TS		 9861 /* If using RPK, make sure we got one */
9862 if (rpkidx && !TEST_long_eq(SSL_get_verify_result(clientssl), X509_V_ERR_RPK_UNTRUSTED))
9863 goto end;
9864
ee58915c
MB		 9865 testresult = 1;
9866
9867 end:
9868 SSL_free(serverssl);
9869 SSL_free(clientssl);
9870 SSL_CTX_free(sctx);
9871 SSL_CTX_free(cctx);
9872 OSSL_PROVIDER_unload(tlsprov);
9873 OSSL_PROVIDER_unload(defaultprov);
9874
9875 return testresult;
9876}
0c13cdf8 9877#endif
b3842539 9878
49a36a52
MC		 9879#ifndef OPENSSL_NO_TLS1_2
9880static int test_ssl_dup(void)
9881{
9882 SSL_CTX *cctx = NULL, *sctx = NULL;
9883 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
9884 int testresult = 0;
9885 BIO *rbio = NULL, *wbio = NULL;
9886
9887 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9888 TLS_client_method(),
9889 0,
9890 0,
9891 &sctx, &cctx, cert, privkey)))
9892 goto end;
9893
9894 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
9895 NULL, NULL)))
9896 goto end;
9897
9898 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
9899 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
9900 goto end;
9901
9902 client2ssl = SSL_dup(clientssl);
9903 rbio = SSL_get_rbio(clientssl);
9904 if (!TEST_ptr(rbio)
9905 || !TEST_true(BIO_up_ref(rbio)))
9906 goto end;
9907 SSL_set0_rbio(client2ssl, rbio);
9908 rbio = NULL;
9909
9910 wbio = SSL_get_wbio(clientssl);
9911 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
9912 goto end;
9913 SSL_set0_wbio(client2ssl, wbio);
9914 rbio = NULL;
9915
9916 if (!TEST_ptr(client2ssl)
9917 /* Handshake not started so pointers should be different */
9918 || !TEST_ptr_ne(clientssl, client2ssl))
9919 goto end;
9920
9921 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
9922 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
9923 goto end;
9924
9925 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
9926 goto end;
9927
9928 SSL_free(clientssl);
9929 clientssl = SSL_dup(client2ssl);
9930 if (!TEST_ptr(clientssl)
9931 /* Handshake has finished so pointers should be the same */
9932 || !TEST_ptr_eq(clientssl, client2ssl))
9933 goto end;
9934
9935 testresult = 1;
9936
9937 end:
9938 SSL_free(serverssl);
9939 SSL_free(clientssl);
9940 SSL_free(client2ssl);
9941 SSL_CTX_free(sctx);
9942 SSL_CTX_free(cctx);
9943
9944 return testresult;
9945}
33c39a06
MC		 9946
9947# ifndef OPENSSL_NO_DH
9948
9949static EVP_PKEY *tmp_dh_params = NULL;
9950
9951/* Helper function for the test_set_tmp_dh() tests */
9952static EVP_PKEY *get_tmp_dh_params(void)
9953{
9954 if (tmp_dh_params == NULL) {
9955 BIGNUM *p = NULL;
9956 OSSL_PARAM_BLD *tmpl = NULL;
9957 EVP_PKEY_CTX *pctx = NULL;
9958 OSSL_PARAM *params = NULL;
9959 EVP_PKEY *dhpkey = NULL;
9960
9961 p = BN_get_rfc3526_prime_2048(NULL);
9962 if (!TEST_ptr(p))
9963 goto end;
9964
9965 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
9966 if (!TEST_ptr(pctx)
884400d7 9967 || !TEST_int_eq(EVP_PKEY_fromdata_init(pctx), 1))
33c39a06
MC		 9968 goto end;
9969
9970 tmpl = OSSL_PARAM_BLD_new();
9971 if (!TEST_ptr(tmpl)
9972 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
9973 OSSL_PKEY_PARAM_FFC_P,
9974 p))
9975 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
9976 OSSL_PKEY_PARAM_FFC_G,
9977 2)))
9978 goto end;
9979
9980 params = OSSL_PARAM_BLD_to_param(tmpl);
9981 if (!TEST_ptr(params)
884400d7 9982 || !TEST_int_eq(EVP_PKEY_fromdata(pctx, &dhpkey,
9983 EVP_PKEY_KEY_PARAMETERS,
9984 params), 1))
33c39a06
MC		 9985 goto end;
9986
9987 tmp_dh_params = dhpkey;
9988 end:
9989 BN_free(p);
9990 EVP_PKEY_CTX_free(pctx);
9991 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 9992 OSSL_PARAM_free(params);
33c39a06
MC		 9993 }
9994
f1619160 9995 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 9996 return NULL;
9997
9998 return tmp_dh_params;
9999}
10000
39f3427d 10001# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 10002/* Callback used by test_set_tmp_dh() */
10003static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
10004{
10005 EVP_PKEY *dhpkey = get_tmp_dh_params();
10006 DH *ret = NULL;
10007
10008 if (!TEST_ptr(dhpkey))
10009 return NULL;
10010
7bc0fdd3
MC		 10011 /*
10012 * libssl does not free the returned DH, so we free it now knowing that even
10013 * after we free dhpkey, there will still be a reference to the owning
10014 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
10015 * of time we need it for.
10016 */
10017 ret = EVP_PKEY_get1_DH(dhpkey);
10018 DH_free(ret);
33c39a06
MC		 10019
10020 EVP_PKEY_free(dhpkey);
10021
10022 return ret;
10023}
10024# endif
10025
10026/*
10027 * Test the various methods for setting temporary DH parameters
10028 *
10029 * Test 0: Default (no auto) setting
10030 * Test 1: Explicit SSL_CTX auto off
10031 * Test 2: Explicit SSL auto off
10032 * Test 3: Explicit SSL_CTX auto on
10033 * Test 4: Explicit SSL auto on
10034 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
10035 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
10036 *
10037 * The following are testing deprecated APIs, so we only run them if available
10038 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
10039 * Test 8: Explicit SSL auto off, custom DH params via DH
10040 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
10041 * Test 10: Explicit SSL auto off, custom DH params via callback
10042 */
10043static int test_set_tmp_dh(int idx)
10044{
10045 SSL_CTX *cctx = NULL, *sctx = NULL;
10046 SSL *clientssl = NULL, *serverssl = NULL;
10047 int testresult = 0;
10048 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
10049 int expected = (idx <= 2) ? 0 : 1;
10050 EVP_PKEY *dhpkey = NULL;
10051# ifndef OPENSSL_NO_DEPRECATED_3_0
10052 DH *dh = NULL;
10053# else
10054
10055 if (idx >= 7)
10056 return 1;
10057# endif
10058
10059 if (idx >= 5 && idx <= 8) {
10060 dhpkey = get_tmp_dh_params();
10061 if (!TEST_ptr(dhpkey))
10062 goto end;
10063 }
10064# ifndef OPENSSL_NO_DEPRECATED_3_0
10065 if (idx == 7 || idx == 8) {
7bc0fdd3 10066 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 10067 if (!TEST_ptr(dh))
10068 goto end;
10069 }
10070# endif
10071
10072 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10073 TLS_client_method(),
10074 0,
10075 0,
10076 &sctx, &cctx, cert, privkey)))
10077 goto end;
10078
10079 if ((idx & 1) == 1) {
10080 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
10081 goto end;
10082 }
10083
10084 if (idx == 5) {
10085 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
10086 goto end;
10087 dhpkey = NULL;
10088 }
10089# ifndef OPENSSL_NO_DEPRECATED_3_0
10090 else if (idx == 7) {
10091 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
10092 goto end;
10093 } else if (idx == 9) {
10094 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
10095 }
10096# endif
10097
10098 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10099 NULL, NULL)))
10100 goto end;
10101
10102 if ((idx & 1) == 0 && idx != 0) {
10103 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
10104 goto end;
10105 }
10106 if (idx == 6) {
10107 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
10108 goto end;
10109 dhpkey = NULL;
10110 }
10111# ifndef OPENSSL_NO_DEPRECATED_3_0
10112 else if (idx == 8) {
10113 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
10114 goto end;
10115 } else if (idx == 10) {
10116 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
10117 }
10118# endif
10119
10120 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10121 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10122 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
10123 goto end;
10124
10125 /*
10126 * If autoon then we should succeed. Otherwise we expect failure because
10127 * there are no parameters
10128 */
10129 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
10130 SSL_ERROR_NONE), expected))
10131 goto end;
10132
10133 testresult = 1;
10134
10135 end:
7bc0fdd3
MC		 10136# ifndef OPENSSL_NO_DEPRECATED_3_0
10137 DH_free(dh);
10138# endif
33c39a06
MC		 10139 SSL_free(serverssl);
10140 SSL_free(clientssl);
10141 SSL_CTX_free(sctx);
10142 SSL_CTX_free(cctx);
10143 EVP_PKEY_free(dhpkey);
10144
10145 return testresult;
10146}
3105d846
MC		 10147
10148/*
10149 * Test the auto DH keys are appropriately sized
10150 */
10151static int test_dh_auto(int idx)
10152{
61cab650
MC		 10153 SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
10154 SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
3105d846
MC		 10155 SSL *clientssl = NULL, *serverssl = NULL;
10156 int testresult = 0;
10157 EVP_PKEY *tmpkey = NULL;
10158 char *thiscert = NULL, *thiskey = NULL;
10159 size_t expdhsize = 0;
10160 const char *ciphersuite = "DHE-RSA-AES128-SHA";
10161
61cab650
MC		 10162 if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
10163 goto end;
10164
3105d846
MC		 10165 switch (idx) {
10166 case 0:
10167 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10168 if (is_fips) {
10169 testresult = 1;
10170 goto end;
10171 }
3105d846
MC		 10172 thiscert = cert1024;
10173 thiskey = privkey1024;
10174 expdhsize = 1024;
61cab650
MC		 10175 SSL_CTX_set_security_level(sctx, 1);
10176 SSL_CTX_set_security_level(cctx, 1);
3105d846
MC		 10177 break;
10178 case 1:
10179 /* 2048 bit prime */
10180 thiscert = cert;
10181 thiskey = privkey;
10182 expdhsize = 2048;
10183 break;
10184 case 2:
10185 thiscert = cert3072;
10186 thiskey = privkey3072;
10187 expdhsize = 3072;
10188 break;
10189 case 3:
10190 thiscert = cert4096;
10191 thiskey = privkey4096;
10192 expdhsize = 4096;
10193 break;
10194 case 4:
10195 thiscert = cert8192;
10196 thiskey = privkey8192;
10197 expdhsize = 8192;
10198 break;
10199 /* No certificate cases */
10200 case 5:
10201 /* The FIPS provider doesn't support this DH size - so we ignore it */
61cab650
MC		 10202 if (is_fips) {
10203 testresult = 1;
10204 goto end;
10205 }
3105d846
MC		 10206 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
10207 expdhsize = 1024;
10208 break;
10209 case 6:
10210 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
10211 expdhsize = 3072;
10212 break;
10213 default:
10214 TEST_error("Invalid text index");
10215 goto end;
10216 }
10217
61cab650
MC		 10218 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
10219 NULL,
3105d846
MC		 10220 0,
10221 0,
10222 &sctx, &cctx, thiscert, thiskey)))
10223 goto end;
10224
10225 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
10226 NULL, NULL)))
10227 goto end;
10228
10229 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
10230 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
10231 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
10232 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
10233 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
10234 goto end;
10235
10236 /*
10237 * Send the server's first flight. At this point the server has created the
10238 * temporary DH key but hasn't finished using it yet. Once used it is
10239 * removed, so we cannot test it.
10240 */
10241 if (!TEST_int_le(SSL_connect(clientssl), 0)
10242 || !TEST_int_le(SSL_accept(serverssl), 0))
10243 goto end;
10244
10245 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
10246 goto end;
ed576acd 10247 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 10248 goto end;
10249
10250 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10251 goto end;
10252
10253 testresult = 1;
10254
10255 end:
10256 SSL_free(serverssl);
10257 SSL_free(clientssl);
10258 SSL_CTX_free(sctx);
10259 SSL_CTX_free(cctx);
10260 EVP_PKEY_free(tmpkey);
10261
10262 return testresult;
10263
10264}
33c39a06
MC		 10265# endif /* OPENSSL_NO_DH */
10266#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 10267
a763ca11 10268#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 10269/*
10270 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
10271 * that it works even without a certificate configured for the original
10272 * SSL_CTX
10273 */
10274static int test_sni_tls13(void)
10275{
10276 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
10277 SSL *clientssl = NULL, *serverssl = NULL;
10278 int testresult = 0;
10279
10280 /* Reset callback counter */
10281 snicb = 0;
10282
10283 /* Create an initial SSL_CTX with no certificate configured */
10284 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10285 if (!TEST_ptr(sctx))
10286 goto end;
10287 /* Require TLSv1.3 as a minimum */
10288 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10289 TLS_client_method(), TLS1_3_VERSION, 0,
10290 &sctx2, &cctx, cert, privkey)))
10291 goto end;
10292
10293 /* Set up SNI */
10294 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
10295 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
10296 goto end;
10297
10298 /*
10299 * Connection should still succeed because the final SSL_CTX has the right
10300 * certificates configured.
10301 */
10302 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10303 &clientssl, NULL, NULL))
10304 || !TEST_true(create_ssl_connection(serverssl, clientssl,
10305 SSL_ERROR_NONE)))
10306 goto end;
10307
10308 /* We should have had the SNI callback called exactly once */
10309 if (!TEST_int_eq(snicb, 1))
10310 goto end;
10311
10312 testresult = 1;
10313
10314end:
10315 SSL_free(serverssl);
10316 SSL_free(clientssl);
10317 SSL_CTX_free(sctx2);
10318 SSL_CTX_free(sctx);
10319 SSL_CTX_free(cctx);
10320 return testresult;
10321}
0089cc7f
TS		 10322
10323/*
10324 * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
10325 * 0 = TLSv1.2
10326 * 1 = TLSv1.3
10327 */
10328static int test_ticket_lifetime(int idx)
10329{
10330 SSL_CTX *cctx = NULL, *sctx = NULL;
10331 SSL *clientssl = NULL, *serverssl = NULL;
10332 int testresult = 0;
10333 int version = TLS1_3_VERSION;
10334
10335#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
10336#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
10337
10338 if (idx == 0) {
40fb5a4c
TS		 10339#ifdef OPENSSL_NO_TLS1_2
10340 return TEST_skip("TLS 1.2 is disabled.");
10341#else
0089cc7f 10342 version = TLS1_2_VERSION;
40fb5a4c 10343#endif
0089cc7f
TS		 10344 }
10345
10346 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10347 TLS_client_method(), version, version,
10348 &sctx, &cctx, cert, privkey)))
10349 goto end;
10350
10351 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10352 &clientssl, NULL, NULL)))
10353 goto end;
10354
10355 /*
10356 * Set the timeout to be more than 1 week
10357 * make sure the returned value is the default
10358 */
10359 if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC),
10360 SSL_get_default_timeout(serverssl)))
10361 goto end;
10362
10363 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10364 goto end;
10365
10366 if (idx == 0) {
10367 /* TLSv1.2 uses the set value */
10368 if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC))
10369 goto end;
10370 } else {
10371 /* TLSv1.3 uses the limited value */
10372 if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC))
10373 goto end;
10374 }
10375 testresult = 1;
10376
10377end:
10378 SSL_free(serverssl);
10379 SSL_free(clientssl);
10380 SSL_CTX_free(sctx);
10381 SSL_CTX_free(cctx);
10382 return testresult;
10383}
6582661f 10384#endif
feba11cf
TS		 10385/*
10386 * Test that setting an ALPN does not violate RFC
10387 */
10388static int test_set_alpn(void)
10389{
10390 SSL_CTX *ctx = NULL;
10391 SSL *ssl = NULL;
10392 int testresult = 0;
10393
10394 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
10395 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
10396 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
10397 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
10398 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
10399 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
10400
10401 /* Create an initial SSL_CTX with no certificate configured */
10402 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10403 if (!TEST_ptr(ctx))
10404 goto end;
10405
10406 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
10407 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
10408 goto end;
10409 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
10410 goto end;
10411 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
10412 goto end;
10413 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
10414 goto end;
10415 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
10416 goto end;
10417 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
10418 goto end;
10419 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
10420 goto end;
10421 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
10422 goto end;
10423 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
10424 goto end;
10425
10426 ssl = SSL_new(ctx);
10427 if (!TEST_ptr(ssl))
10428 goto end;
10429
10430 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
10431 goto end;
10432 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
10433 goto end;
10434 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
10435 goto end;
10436 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
10437 goto end;
10438 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
10439 goto end;
10440 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
10441 goto end;
10442 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
10443 goto end;
10444 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
10445 goto end;
10446 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
10447 goto end;
10448
10449 testresult = 1;
10450
10451end:
10452 SSL_free(ssl);
10453 SSL_CTX_free(ctx);
10454 return testresult;
10455}
6582661f 10456
948cf521
HL		 10457/*
10458 * Test SSL_CTX_set1_verify/chain_cert_store and SSL_CTX_get_verify/chain_cert_store.
10459 */
10460static int test_set_verify_cert_store_ssl_ctx(void)
10461{
10462 SSL_CTX *ctx = NULL;
10463 int testresult = 0;
10464 X509_STORE *store = NULL, *new_store = NULL,
10465 *cstore = NULL, *new_cstore = NULL;
10466
10467 /* Create an initial SSL_CTX. */
10468 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10469 if (!TEST_ptr(ctx))
10470 goto end;
10471
10472 /* Retrieve verify store pointer. */
10473 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10474 goto end;
10475
10476 /* Retrieve chain store pointer. */
10477 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10478 goto end;
10479
10480 /* We haven't set any yet, so this should be NULL. */
10481 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10482 goto end;
10483
10484 /* Create stores. We use separate stores so pointers are different. */
10485 new_store = X509_STORE_new();
10486 if (!TEST_ptr(new_store))
10487 goto end;
10488
10489 new_cstore = X509_STORE_new();
10490 if (!TEST_ptr(new_cstore))
10491 goto end;
10492
10493 /* Set stores. */
10494 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, new_store)))
10495 goto end;
10496
10497 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, new_cstore)))
10498 goto end;
10499
10500 /* Should be able to retrieve the same pointer. */
10501 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10502 goto end;
10503
10504 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10505 goto end;
10506
10507 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10508 goto end;
10509
10510 /* Should be able to unset again. */
10511 if (!TEST_true(SSL_CTX_set1_verify_cert_store(ctx, NULL)))
10512 goto end;
10513
10514 if (!TEST_true(SSL_CTX_set1_chain_cert_store(ctx, NULL)))
10515 goto end;
10516
10517 /* Should now be NULL. */
10518 if (!TEST_true(SSL_CTX_get0_verify_cert_store(ctx, &store)))
10519 goto end;
10520
10521 if (!TEST_true(SSL_CTX_get0_chain_cert_store(ctx, &cstore)))
10522 goto end;
10523
10524 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10525 goto end;
10526
10527 testresult = 1;
10528
10529end:
10530 X509_STORE_free(new_store);
10531 X509_STORE_free(new_cstore);
10532 SSL_CTX_free(ctx);
10533 return testresult;
10534}
10535
10536/*
10537 * Test SSL_set1_verify/chain_cert_store and SSL_get_verify/chain_cert_store.
10538 */
10539static int test_set_verify_cert_store_ssl(void)
10540{
10541 SSL_CTX *ctx = NULL;
10542 SSL *ssl = NULL;
10543 int testresult = 0;
10544 X509_STORE *store = NULL, *new_store = NULL,
10545 *cstore = NULL, *new_cstore = NULL;
10546
10547 /* Create an initial SSL_CTX. */
10548 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10549 if (!TEST_ptr(ctx))
10550 goto end;
10551
10552 /* Create an SSL object. */
10553 ssl = SSL_new(ctx);
10554 if (!TEST_ptr(ssl))
10555 goto end;
10556
10557 /* Retrieve verify store pointer. */
10558 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10559 goto end;
10560
10561 /* Retrieve chain store pointer. */
10562 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10563 goto end;
10564
10565 /* We haven't set any yet, so this should be NULL. */
10566 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10567 goto end;
10568
10569 /* Create stores. We use separate stores so pointers are different. */
10570 new_store = X509_STORE_new();
10571 if (!TEST_ptr(new_store))
10572 goto end;
10573
10574 new_cstore = X509_STORE_new();
10575 if (!TEST_ptr(new_cstore))
10576 goto end;
10577
10578 /* Set stores. */
10579 if (!TEST_true(SSL_set1_verify_cert_store(ssl, new_store)))
10580 goto end;
10581
10582 if (!TEST_true(SSL_set1_chain_cert_store(ssl, new_cstore)))
10583 goto end;
10584
10585 /* Should be able to retrieve the same pointer. */
10586 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10587 goto end;
10588
10589 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10590 goto end;
10591
10592 if (!TEST_ptr_eq(store, new_store) || !TEST_ptr_eq(cstore, new_cstore))
10593 goto end;
10594
10595 /* Should be able to unset again. */
10596 if (!TEST_true(SSL_set1_verify_cert_store(ssl, NULL)))
10597 goto end;
10598
10599 if (!TEST_true(SSL_set1_chain_cert_store(ssl, NULL)))
10600 goto end;
10601
10602 /* Should now be NULL. */
10603 if (!TEST_true(SSL_get0_verify_cert_store(ssl, &store)))
10604 goto end;
10605
10606 if (!TEST_true(SSL_get0_chain_cert_store(ssl, &cstore)))
10607 goto end;
10608
10609 if (!TEST_ptr_null(store) || !TEST_ptr_null(cstore))
10610 goto end;
10611
10612 testresult = 1;
10613
10614end:
10615 X509_STORE_free(new_store);
10616 X509_STORE_free(new_cstore);
10617 SSL_free(ssl);
10618 SSL_CTX_free(ctx);
10619 return testresult;
10620}
10621
10622
dfccfde0
CH		 10623static int test_inherit_verify_param(void)
10624{
10625 int testresult = 0;
10626
10627 SSL_CTX *ctx = NULL;
10628 X509_VERIFY_PARAM *cp = NULL;
10629 SSL *ssl = NULL;
10630 X509_VERIFY_PARAM *sp = NULL;
10631 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
10632
10633 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
10634 if (!TEST_ptr(ctx))
10635 goto end;
10636
10637 cp = SSL_CTX_get0_param(ctx);
10638 if (!TEST_ptr(cp))
10639 goto end;
10640 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
10641 goto end;
10642
10643 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
10644
10645 ssl = SSL_new(ctx);
10646 if (!TEST_ptr(ssl))
10647 goto end;
10648
10649 sp = SSL_get0_param(ssl);
10650 if (!TEST_ptr(sp))
10651 goto end;
10652 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
10653 goto end;
10654
10655 testresult = 1;
10656
10657 end:
10658 SSL_free(ssl);
10659 SSL_CTX_free(ctx);
10660
10661 return testresult;
10662}
10663
b2b8d188
DF		 10664static int test_load_dhfile(void)
10665{
10666#ifndef OPENSSL_NO_DH
10667 int testresult = 0;
10668
10669 SSL_CTX *ctx = NULL;
10670 SSL_CONF_CTX *cctx = NULL;
10671
10672 if (dhfile == NULL)
10673 return 1;
10674
10675 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()))
10676 || !TEST_ptr(cctx = SSL_CONF_CTX_new()))
10677 goto end;
10678
10679 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
10680 SSL_CONF_CTX_set_flags(cctx,
10681 SSL_CONF_FLAG_CERTIFICATE
10682 | SSL_CONF_FLAG_SERVER
10683 | SSL_CONF_FLAG_FILE);
10684
10685 if (!TEST_int_eq(SSL_CONF_cmd(cctx, "DHParameters", dhfile), 2))
10686 goto end;
10687
10688 testresult = 1;
10689end:
10690 SSL_CONF_CTX_free(cctx);
10691 SSL_CTX_free(ctx);
10692
10693 return testresult;
10694#else
10695 return TEST_skip("DH not supported by this build");
10696#endif
10697}
10698
f7565348
MC		 10699#ifndef OSSL_NO_USABLE_TLS1_3
10700/* Test that read_ahead works across a key change */
10701static int test_read_ahead_key_change(void)
10702{
10703 SSL_CTX *cctx = NULL, *sctx = NULL;
10704 SSL *clientssl = NULL, *serverssl = NULL;
10705 int testresult = 0;
10706 char *msg = "Hello World";
10707 size_t written, readbytes;
10708 char buf[80];
10709 int i;
10710
10711 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10712 TLS_client_method(), TLS1_3_VERSION, 0,
10713 &sctx, &cctx, cert, privkey)))
10714 goto end;
10715
10716 SSL_CTX_set_read_ahead(sctx, 1);
10717
10718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10719 &clientssl, NULL, NULL)))
10720 goto end;
10721
10722 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10723 goto end;
10724
10725 /* Write some data, send a key update, write more data */
10726 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10727 || !TEST_size_t_eq(written, strlen(msg)))
10728 goto end;
10729
10730 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
10731 goto end;
10732
10733 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10734 || !TEST_size_t_eq(written, strlen(msg)))
10735 goto end;
10736
10737 /*
10738 * Since read_ahead is on the first read below should read the record with
10739 * the first app data, the second record with the key update message, and
10740 * the third record with the app data all in one go. We should be able to
10741 * still process the read_ahead data correctly even though it crosses
10742 * epochs
10743 */
10744 for (i = 0; i < 2; i++) {
10745 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10746 &readbytes)))
10747 goto end;
10748
10749 buf[readbytes] = '\0';
10750 if (!TEST_str_eq(buf, msg))
10751 goto end;
10752 }
10753
10754 testresult = 1;
10755
10756end:
10757 SSL_free(serverssl);
10758 SSL_free(clientssl);
10759 SSL_CTX_free(sctx);
10760 SSL_CTX_free(cctx);
10761 return testresult;
10762}
f3f8e53c
MC		 10763
10764static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg)
10765{
10766 int *called = arg;
10767
10768 switch ((*called)++) {
10769 case 0:
10770 /* Add some padding to first record */
10771 return 512;
10772 case 1:
10773 /* Maximally pad the second record */
10774 return SSL3_RT_MAX_PLAIN_LENGTH - len;
10775 case 2:
10776 /*
10777 * Exceeding the maximum padding should be fine. It should just pad to
10778 * the maximum anyway
10779 */
10780 return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len;
10781 case 3:
10782 /*
10783 * Very large padding should also be ok. Should just pad to the maximum
10784 * allowed
10785 */
10786 return SIZE_MAX;
10787 default:
10788 return 0;
10789 }
10790}
10791
10792/*
10793 * Test that setting record padding in TLSv1.3 works as expected
10794 * Test 0: Record padding callback on the SSL_CTX
10795 * Test 1: Record padding callback on the SSL
10796 * Test 2: Record block padding on the SSL_CTX
10797 * Test 3: Record block padding on the SSL
10798 */
10799static int test_tls13_record_padding(int idx)
10800{
10801 SSL_CTX *cctx = NULL, *sctx = NULL;
10802 SSL *clientssl = NULL, *serverssl = NULL;
10803 int testresult = 0;
10804 char *msg = "Hello World";
10805 size_t written, readbytes;
10806 char buf[80];
10807 int i;
10808 int called = 0;
10809
10810 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10811 TLS_client_method(), TLS1_3_VERSION, 0,
10812 &sctx, &cctx, cert, privkey)))
10813 goto end;
10814
10815 if (idx == 0) {
10816 SSL_CTX_set_record_padding_callback(cctx, record_pad_cb);
10817 SSL_CTX_set_record_padding_callback_arg(cctx, &called);
10818 if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called))
10819 goto end;
10820 } else if (idx == 2) {
10821 /* Exceeding the max plain length should fail */
10822 if (!TEST_false(SSL_CTX_set_block_padding(cctx,
10823 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10824 goto end;
10825 if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512)))
10826 goto end;
10827 }
10828
10829 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10830 &clientssl, NULL, NULL)))
10831 goto end;
10832
10833 if (idx == 1) {
10834 SSL_set_record_padding_callback(clientssl, record_pad_cb);
10835 SSL_set_record_padding_callback_arg(clientssl, &called);
10836 if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called))
10837 goto end;
10838 } else if (idx == 3) {
10839 /* Exceeding the max plain length should fail */
10840 if (!TEST_false(SSL_set_block_padding(clientssl,
10841 SSL3_RT_MAX_PLAIN_LENGTH + 1)))
10842 goto end;
10843 if (!TEST_true(SSL_set_block_padding(clientssl, 512)))
10844 goto end;
10845 }
10846
10847 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
10848 goto end;
10849
10850 called = 0;
10851 /*
10852 * Write some data, then check we can read it. Do this four times to check
10853 * we can continue to write and read padded data after the initial record
10854 * padding has been added. We don't actually check that the padding has
10855 * been applied to the record - just that we can continue to communicate
10856 * normally and that the callback has been called (if appropriate).
10857 */
10858 for (i = 0; i < 4; i++) {
10859 if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written))
10860 || !TEST_size_t_eq(written, strlen(msg)))
10861 goto end;
10862
10863 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1,
10864 &readbytes))
10865 || !TEST_size_t_eq(written, readbytes))
10866 goto end;
10867
10868 buf[readbytes] = '\0';
10869 if (!TEST_str_eq(buf, msg))
10870 goto end;
10871 }
10872
10873 if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4))
10874 goto end;
10875
10876 testresult = 1;
10877end:
10878 SSL_free(serverssl);
10879 SSL_free(clientssl);
10880 SSL_CTX_free(sctx);
10881 SSL_CTX_free(cctx);
10882 return testresult;
10883}
f7565348
MC		 10884#endif /* OSSL_NO_USABLE_TLS1_3 */
10885
b718f6fc 10886#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f
MC		 10887
10888static ENGINE *load_dasync(void)
10889{
10890 ENGINE *e;
10891
10892 if (!TEST_ptr(e = ENGINE_by_id("dasync")))
10893 return NULL;
10894
10895 if (!TEST_true(ENGINE_init(e))) {
10896 ENGINE_free(e);
10897 return NULL;
10898 }
10899
10900 if (!TEST_true(ENGINE_register_ciphers(e))) {
10901 ENGINE_free(e);
10902 return NULL;
10903 }
10904
10905 return e;
10906}
10907
b718f6fc
MC		 10908/*
10909 * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
10910 * support this yet. The only pipeline capable cipher that we have is in the
10911 * dasync engine (providers don't support this yet), so we have to use
10912 * deprecated APIs for this test.
10913 *
10914 * Test 0: Client has pipelining enabled, server does not
10915 * Test 1: Server has pipelining enabled, client does not
10916 * Test 2: Client has pipelining enabled, server does not: not enough data to
10917 * fill all the pipelines
10918 * Test 3: Client has pipelining enabled, server does not: not enough data to
10919 * fill all the pipelines by more than a full pipeline's worth
10920 * Test 4: Client has pipelining enabled, server does not: more data than all
10921 * the available pipelines can take
10922 * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
7765d25f
MC		 10923 * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
10924 * is created)
b718f6fc
MC		 10925 */
10926static int test_pipelining(int idx)
10927{
10928 SSL_CTX *cctx = NULL, *sctx = NULL;
10929 SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb;
10930 int testresult = 0, numreads;
10931 /* A 55 byte message */
10932 unsigned char *msg = (unsigned char *)
10933 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123";
10934 size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
10935 size_t expectedreads;
10936 unsigned char *buf = NULL;
7765d25f 10937 ENGINE *e = NULL;
b718f6fc 10938
7765d25f
MC		 10939 if (idx != 6) {
10940 e = load_dasync();
10941 if (e == NULL)
10942 return 0;
b718f6fc
MC		 10943 }
10944
b718f6fc
MC		 10945 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
10946 TLS_client_method(), 0,
10947 TLS1_2_VERSION, &sctx, &cctx, cert,
10948 privkey)))
10949 goto end;
10950
7765d25f
MC		 10951 if (idx == 6) {
10952 e = load_dasync();
10953 if (e == NULL)
10954 goto end;
10955 /* Now act like test 0 */
10956 idx = 0;
10957 }
10958
b718f6fc
MC		 10959 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
10960 &clientssl, NULL, NULL)))
10961 goto end;
10962
10963 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA")))
10964 goto end;
10965
10966 /* peera is always configured for pipelining, while peerb is not. */
10967 if (idx == 1) {
10968 peera = serverssl;
10969 peerb = clientssl;
10970
10971 } else {
10972 peera = clientssl;
10973 peerb = serverssl;
10974 }
10975
10976 if (idx == 5) {
10977 numpipes = 2;
10978 /* Maximum allowed fragment size */
10979 fragsize = SSL3_RT_MAX_PLAIN_LENGTH;
10980 msglen = fragsize * numpipes;
10981 msg = OPENSSL_malloc(msglen);
10982 if (!TEST_ptr(msg))
10983 goto end;
10984 if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0))
10985 goto end;
10986 } else if (idx == 4) {
10987 msglen = 55;
10988 } else {
10989 msglen = 50;
10990 }
10991 if (idx == 2)
10992 msglen -= 2; /* Send 2 less bytes */
10993 else if (idx == 3)
10994 msglen -= 12; /* Send 12 less bytes */
10995
10996 buf = OPENSSL_malloc(msglen);
10997 if (!TEST_ptr(buf))
10998 goto end;
10999
11000 if (idx == 5) {
11001 /*
11002 * Test that setting a split send fragment longer than the maximum
11003 * allowed fails
11004 */
11005 if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1)))
11006 goto end;
11007 }
11008
11009 /*
11010 * In the normal case. We have 5 pipelines with 10 bytes per pipeline
11011 * (50 bytes in total). This is a ridiculously small number of bytes -
11012 * but sufficient for our purposes
11013 */
11014 if (!TEST_true(SSL_set_max_pipelines(peera, numpipes))
11015 || !TEST_true(SSL_set_split_send_fragment(peera, fragsize)))
11016 goto end;
11017
11018 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11019 goto end;
11020
11021 /* Write some data from peera to peerb */
11022 if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written))
11023 || !TEST_size_t_eq(written, msglen))
11024 goto end;
11025
11026 /*
11027 * If the pipelining code worked, then we expect all |numpipes| pipelines to
11028 * have been used - except in test 3 where only |numpipes - 1| pipelines
11029 * will be used. This will result in |numpipes| records (|numpipes - 1| for
11030 * test 3) having been sent to peerb. Since peerb is not using read_ahead we
11031 * expect this to be read in |numpipes| or |numpipes - 1| separate
11032 * SSL_read_ex calls. In the case of test 4, there is then one additional
11033 * read for left over data that couldn't fit in the previous pipelines
11034 */
11035 for (offset = 0, numreads = 0;
11036 offset < msglen;
11037 offset += readbytes, numreads++) {
11038 if (!TEST_true(SSL_read_ex(peerb, buf + offset,
11039 msglen - offset, &readbytes)))
11040 goto end;
11041 }
11042
11043 expectedreads = idx == 4 ? numpipes + 1
11044 : (idx == 3 ? numpipes - 1 : numpipes);
11045 if (!TEST_mem_eq(msg, msglen, buf, offset)
11046 || !TEST_int_eq(numreads, expectedreads))
11047 goto end;
11048
11049 /*
11050 * Write some data from peerb to peera. We do this in up to |numpipes + 1|
11051 * chunks to exercise the read pipelining code on peera.
11052 */
11053 for (offset = 0; offset < msglen; offset += fragsize) {
11054 size_t sendlen = msglen - offset;
11055
11056 if (sendlen > fragsize)
11057 sendlen = fragsize;
11058 if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written))
11059 || !TEST_size_t_eq(written, sendlen))
11060 goto end;
11061 }
11062
11063 /*
11064 * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1|
11065 * separate chunks (depending on which test we are running). If the
11066 * pipelining is working then we expect peera to read up to numpipes chunks
11067 * and process them in parallel, giving back the complete result in a single
11068 * call to SSL_read_ex
11069 */
11070 if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes))
11071 || !TEST_size_t_le(readbytes, msglen))
11072 goto end;
11073
11074 if (idx == 4) {
11075 size_t readbytes2;
11076
11077 if (!TEST_true(SSL_read_ex(peera, buf + readbytes,
11078 msglen - readbytes, &readbytes2)))
11079 goto end;
11080 readbytes += readbytes2;
11081 if (!TEST_size_t_le(readbytes, msglen))
11082 goto end;
11083 }
11084
11085 if (!TEST_mem_eq(msg, msglen, buf, readbytes))
11086 goto end;
11087
11088 testresult = 1;
11089end:
11090 SSL_free(serverssl);
11091 SSL_free(clientssl);
11092 SSL_CTX_free(sctx);
11093 SSL_CTX_free(cctx);
7765d25f
MC		 11094 if (e != NULL) {
11095 ENGINE_unregister_ciphers(e);
11096 ENGINE_finish(e);
11097 ENGINE_free(e);
11098 }
b718f6fc 11099 OPENSSL_free(buf);
06a0d403 11100 if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
b718f6fc
MC		 11101 OPENSSL_free(msg);
11102 return testresult;
11103}
11104#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */
11105
843f6e27
MC		 11106static int check_version_string(SSL *s, int version)
11107{
11108 const char *verstr = NULL;
11109
11110 switch (version) {
11111 case SSL3_VERSION:
11112 verstr = "SSLv3";
11113 break;
11114 case TLS1_VERSION:
11115 verstr = "TLSv1";
11116 break;
11117 case TLS1_1_VERSION:
11118 verstr = "TLSv1.1";
11119 break;
11120 case TLS1_2_VERSION:
11121 verstr = "TLSv1.2";
11122 break;
11123 case TLS1_3_VERSION:
11124 verstr = "TLSv1.3";
11125 break;
11126 case DTLS1_VERSION:
11127 verstr = "DTLSv1";
11128 break;
11129 case DTLS1_2_VERSION:
11130 verstr = "DTLSv1.2";
11131 }
11132
11133 return TEST_str_eq(verstr, SSL_get_version(s));
11134}
11135
11136/*
11137 * Test that SSL_version, SSL_get_version, SSL_is_quic, SSL_is_tls and
11138 * SSL_is_dtls return the expected results for a (D)TLS connection. Compare with
11139 * test_version() in quicapitest.c which does the same thing for QUIC
11140 * connections.
11141 */
11142static int test_version(int idx)
11143{
11144 SSL_CTX *cctx = NULL, *sctx = NULL;
11145 SSL *clientssl = NULL, *serverssl = NULL;
11146 int testresult = 0, version;
11147 const SSL_METHOD *servmeth = TLS_server_method();
11148 const SSL_METHOD *clientmeth = TLS_client_method();
11149
11150 switch (idx) {
11151#if !defined(OPENSSL_NO_SSL3)
11152 case 0:
11153 version = SSL3_VERSION;
11154 break;
11155#endif
11156#if !defined(OPENSSL_NO_TLS1)
11157 case 1:
11158 version = TLS1_VERSION;
11159 break;
11160#endif
11161#if !defined(OPENSSL_NO_TLS1_2)
11162 case 2:
11163 version = TLS1_2_VERSION;
11164 break;
11165#endif
11166#if !defined(OSSL_NO_USABLE_TLS1_3)
11167 case 3:
11168 version = TLS1_3_VERSION;
11169 break;
11170#endif
11171#if !defined(OPENSSL_NO_DTLS1)
11172 case 4:
11173 version = DTLS1_VERSION;
11174 break;
11175#endif
11176#if !defined(OPENSSL_NO_DTLS1_2)
11177 case 5:
11178 version = DTLS1_2_VERSION;
11179 break;
11180#endif
11181 /*
11182 * NB we do not support QUIC in this test. That is covered by quicapitest.c
11183 * We also don't support DTLS1_BAD_VER since we have no server support for
11184 * that.
11185 */
11186 default:
11187 TEST_skip("Unsupported protocol version");
11188 return 1;
11189 }
11190
11191 if (is_fips
11192 && (version == SSL3_VERSION
11193 || version == TLS1_VERSION
11194 || version == DTLS1_VERSION)) {
11195 TEST_skip("Protocol version not supported with FIPS");
11196 return 1;
11197 }
11198
11199#if !defined(OPENSSL_NO_DTLS)
11200 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11201 servmeth = DTLS_server_method();
11202 clientmeth = DTLS_client_method();
11203 }
11204#endif
11205
11206 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, version,
11207 version, &sctx, &cctx, cert, privkey)))
11208 goto end;
11209
11210 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
11211 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
11212 "DEFAULT:@SECLEVEL=0")))
11213 goto end;
11214
11215 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11216 &clientssl, NULL, NULL)))
11217 goto end;
11218
11219 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11220 goto end;
11221
11222 if (!TEST_int_eq(SSL_version(serverssl), version)
11223 || !TEST_int_eq(SSL_version(clientssl), version)
11224 || !TEST_true(check_version_string(serverssl, version))
11225 || !TEST_true(check_version_string(clientssl, version)))
11226 goto end;
11227
11228 if (version == DTLS1_VERSION || version == DTLS1_2_VERSION) {
11229 if (!TEST_true(SSL_is_dtls(serverssl))
11230 || !TEST_true(SSL_is_dtls(clientssl))
11231 || !TEST_false(SSL_is_tls(serverssl))
11232 || !TEST_false(SSL_is_tls(clientssl))
11233 || !TEST_false(SSL_is_quic(serverssl))
11234 || !TEST_false(SSL_is_quic(clientssl)))
11235 goto end;
11236 } else {
11237 if (!TEST_true(SSL_is_tls(serverssl))
11238 || !TEST_true(SSL_is_tls(clientssl))
11239 || !TEST_false(SSL_is_dtls(serverssl))
11240 || !TEST_false(SSL_is_dtls(clientssl))
11241 || !TEST_false(SSL_is_quic(serverssl))
11242 || !TEST_false(SSL_is_quic(clientssl)))
11243 goto end;
11244 }
11245
11246 testresult = 1;
11247end:
11248 SSL_free(serverssl);
11249 SSL_free(clientssl);
11250 SSL_CTX_free(sctx);
11251 SSL_CTX_free(cctx);
11252 return testresult;
11253}
11254
79ee0172
MC		 11255/*
11256 * Test that the SSL_rstate_string*() APIs return sane results
11257 */
11258static int test_rstate_string(void)
11259{
11260 SSL_CTX *cctx = NULL, *sctx = NULL;
11261 SSL *clientssl = NULL, *serverssl = NULL;
11262 int testresult = 0, version;
11263 const SSL_METHOD *servmeth = TLS_server_method();
11264 const SSL_METHOD *clientmeth = TLS_client_method();
11265 size_t written, readbytes;
11266 unsigned char buf[2];
11267 unsigned char dummyheader[SSL3_RT_HEADER_LENGTH] = {
11268 SSL3_RT_APPLICATION_DATA,
11269 TLS1_2_VERSION_MAJOR,
11270 0, /* To be filled in later */
11271 0,
11272 1
11273 };
11274
11275 if (!TEST_true(create_ssl_ctx_pair(libctx, servmeth, clientmeth, 0,
11276 0, &sctx, &cctx, cert, privkey)))
11277 goto end;
11278
11279 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11280 &clientssl, NULL, NULL)))
11281 goto end;
11282
11283 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11284 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11285 goto end;
11286
11287 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11288 goto end;
11289
11290 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RH")
11291 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read header"))
11292 goto end;
11293
11294 /* Fill in the correct version for the record header */
11295 version = SSL_version(serverssl);
11296 if (version == TLS1_3_VERSION)
11297 version = TLS1_2_VERSION;
11298 dummyheader[2] = version & 0xff;
11299
11300 /*
11301 * Send a dummy header. If we continued to read the body as well this
11302 * would fail with a bad record mac, but we're not going to go that far.
11303 */
11304 if (!TEST_true(BIO_write_ex(SSL_get_rbio(serverssl), dummyheader,
11305 sizeof(dummyheader), &written))
11306 || !TEST_size_t_eq(written, SSL3_RT_HEADER_LENGTH))
11307 goto end;
11308
11309 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes)))
11310 goto end;
11311
11312 if (!TEST_str_eq(SSL_rstate_string(serverssl), "RB")
11313 || !TEST_str_eq(SSL_rstate_string_long(serverssl), "read body"))
11314 goto end;
11315
11316 testresult = 1;
11317end:
11318 SSL_free(serverssl);
11319 SSL_free(clientssl);
11320 SSL_CTX_free(sctx);
11321 SSL_CTX_free(cctx);
11322 return testresult;
11323}
11324
149c4f98
MC		 11325/*
11326 * Force a write retry during handshaking. We test various combinations of
11327 * scenarios. We test a large certificate message which will fill the buffering
11328 * BIO used in the handshake. We try with client auth on and off. Finally we
11329 * also try a BIO that indicates retry via a 0 return. BIO_write() is documented
11330 * to indicate retry via -1 - but sometimes BIOs don't do that.
11331 *
11332 * Test 0: Standard certificate message
11333 * Test 1: Large certificate message
11334 * Test 2: Standard cert, verify peer
11335 * Test 3: Large cert, verify peer
11336 * Test 4: Standard cert, BIO returns 0 on retry
11337 * Test 5: Large cert, BIO returns 0 on retry
11338 * Test 6: Standard cert, verify peer, BIO returns 0 on retry
11339 * Test 7: Large cert, verify peer, BIO returns 0 on retry
11340 * Test 8-15: Repeat of above with TLSv1.2
11341 */
11342static int test_handshake_retry(int idx)
11343{
11344 SSL_CTX *cctx = NULL, *sctx = NULL;
11345 SSL *clientssl = NULL, *serverssl = NULL;
11346 int testresult = 0;
11347 BIO *tmp = NULL, *bretry = BIO_new(bio_s_always_retry());
11348 int maxversion = 0;
11349
11350 if (!TEST_ptr(bretry))
11351 goto end;
11352
11353#ifndef OPENSSL_NO_TLS1_2
11354 if ((idx & 8) == 8)
11355 maxversion = TLS1_2_VERSION;
11356#else
11357 if ((idx & 8) == 8)
11358 return TEST_skip("No TLSv1.2");
11359#endif
11360
11361 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11362 TLS_client_method(), 0, maxversion,
11363 &sctx, &cctx, cert, privkey)))
11364 goto end;
11365
11366 /*
11367 * Add a large amount of data to fill the buffering BIO used by the SSL
11368 * object
11369 */
3860ef2a 11370 if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
149c4f98
MC		 11371 goto end;
11372
11373 /*
11374 * We don't actually configure a client cert, but neither do we fail if one
11375 * isn't present.
11376 */
11377 if ((idx & 2) == 2)
11378 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
11379
11380 if ((idx & 4) == 4)
11381 set_always_retry_err_val(0);
11382
11383 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
11384 &clientssl, NULL, NULL)))
11385 goto end;
11386
11387 tmp = SSL_get_wbio(serverssl);
11388 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
11389 tmp = NULL;
11390 goto end;
11391 }
11392 SSL_set0_wbio(serverssl, bretry);
11393 bretry = NULL;
11394
11395 if (!TEST_int_eq(SSL_connect(clientssl), -1))
11396 goto end;
11397
11398 if (!TEST_int_eq(SSL_accept(serverssl), -1)
11399 || !TEST_int_eq(SSL_get_error(serverssl, -1), SSL_ERROR_WANT_WRITE))
11400 goto end;
11401
11402 /* Restore a BIO that will let the write succeed */
11403 SSL_set0_wbio(serverssl, tmp);
11404 tmp = NULL;
11405
11406 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11407 goto end;
11408
11409 testresult = 1;
11410end:
11411 SSL_free(serverssl);
11412 SSL_free(clientssl);
11413 SSL_CTX_free(sctx);
11414 SSL_CTX_free(cctx);
11415 BIO_free(bretry);
11416 BIO_free(tmp);
11417 set_always_retry_err_val(-1);
11418 return testresult;
11419}
11420
dbbdb940
MC		 11421/*
11422 * Test that receiving retries when writing application data works as expected
11423 */
11424static int test_data_retry(void)
11425{
11426 SSL_CTX *cctx = NULL, *sctx = NULL;
11427 SSL *clientssl = NULL, *serverssl = NULL;
11428 int testresult = 0;
11429 unsigned char inbuf[1200], outbuf[1200];
11430 size_t i;
11431 BIO *tmp = NULL;
11432 BIO *bretry = BIO_new(bio_s_maybe_retry());
11433 size_t written, readbytes, totread = 0;
11434
11435 if (!TEST_ptr(bretry))
11436 goto end;
11437
11438 for (i = 0; i < sizeof(inbuf); i++)
74efc547 11439 inbuf[i] = (unsigned char)(0xff & i);
dbbdb940
MC		 11440 memset(outbuf, 0, sizeof(outbuf));
11441
11442 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11443 TLS_client_method(), 0, 0, &sctx, &cctx,
11444 cert, privkey)))
11445 goto end;
11446
11447 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
11448 NULL)))
11449 goto end;
11450
11451 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11452 goto end;
11453
11454 /* Smallest possible max send fragment is 512 */
11455 if (!TEST_true(SSL_set_max_send_fragment(clientssl, 512)))
11456 goto end;
11457
11458 tmp = SSL_get_wbio(clientssl);
11459 if (!TEST_ptr(tmp))
11460 goto end;
11461 if (!TEST_true(BIO_up_ref(tmp)))
11462 goto end;
11463 BIO_push(bretry, tmp);
11464 tmp = NULL;
11465 SSL_set0_wbio(clientssl, bretry);
11466 if (!BIO_up_ref(bretry)) {
11467 bretry = NULL;
11468 goto end;
11469 }
11470
11471 for (i = 0; i < 3; i++) {
11472 /* We expect this call to make no progress and indicate retry */
11473 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11474 goto end;
11475 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11476 goto end;
11477
164a541b 11478 /* Allow one write to progress, but the next one to signal retry */
dbbdb940
MC		 11479 if (!TEST_true(BIO_ctrl(bretry, MAYBE_RETRY_CTRL_SET_RETRY_AFTER_CNT, 1,
11480 NULL)))
11481 goto end;
11482
11483 if (i == 2)
11484 break;
11485
11486 /*
11487 * This call will hopefully make progress but will still indicate retry
11488 * because there is more data than will fit into a single record.
11489 */
11490 if (!TEST_false(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11491 goto end;
11492 if (!TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_WANT_WRITE))
11493 goto end;
11494 }
11495
11496 /* The final call should write the last chunk of data and succeed */
11497 if (!TEST_true(SSL_write_ex(clientssl, inbuf, sizeof(inbuf), &written)))
11498 goto end;
11499 /* Read all the data available */
11500 while (SSL_read_ex(serverssl, outbuf + totread, sizeof(outbuf) - totread,
11501 &readbytes))
11502 totread += readbytes;
11503 if (!TEST_mem_eq(inbuf, sizeof(inbuf), outbuf, totread))
11504 goto end;
11505
11506 testresult = 1;
11507end:
11508 SSL_free(serverssl);
11509 SSL_free(clientssl);
11510 SSL_CTX_free(sctx);
11511 SSL_CTX_free(cctx);
11512 BIO_free_all(bretry);
11513 BIO_free(tmp);
11514 return testresult;
11515}
11516
cfeaf33a
MC		 11517struct resume_servername_cb_data {
11518 int i;
11519 SSL_CTX *cctx;
11520 SSL_CTX *sctx;
11521 SSL_SESSION *sess;
11522 int recurse;
11523};
11524
11525/*
11526 * Servername callback. We use it here to run another complete handshake using
11527 * the same session - and mark the session as not_resuamble at the end
11528 */
11529static int resume_servername_cb(SSL *s, int *ad, void *arg)
11530{
11531 struct resume_servername_cb_data *cbdata = arg;
11532 SSL *serverssl = NULL, *clientssl = NULL;
11533 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
11534
11535 if (cbdata->recurse)
11536 return SSL_TLSEXT_ERR_ALERT_FATAL;
11537
11538 if ((cbdata->i % 3) != 1)
11539 return SSL_TLSEXT_ERR_OK;
11540
11541 cbdata->recurse = 1;
11542
11543 if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
11544 &clientssl, NULL, NULL))
11545 || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
11546 goto end;
11547
11548 ERR_set_mark();
11549 /*
11550 * We expect this to fail - because the servername cb will fail. This will
11551 * mark the session as not_resumable.
11552 */
11553 if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
11554 ERR_clear_last_mark();
11555 goto end;
11556 }
11557 ERR_pop_to_mark();
11558
11559 ret = SSL_TLSEXT_ERR_OK;
11560 end:
11561 SSL_free(serverssl);
11562 SSL_free(clientssl);
11563 cbdata->recurse = 0;
11564 return ret;
11565}
0447cd69
MC		 11566/*
11567 * Test multiple resumptions and cache size handling
11568 * Test 0: TLSv1.3 (max_early_data set)
11569 * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
11570 * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
cfeaf33a
MC		 11571 * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
11572 * Test 4: TLSv1.2
0447cd69
MC		 11573 */
11574static int test_multi_resume(int idx)
11575{
11576 SSL_CTX *sctx = NULL, *cctx = NULL;
11577 SSL *serverssl = NULL, *clientssl = NULL;
11578 SSL_SESSION *sess = NULL;
11579 int max_version = TLS1_3_VERSION;
11580 int i, testresult = 0;
cfeaf33a 11581 struct resume_servername_cb_data cbdata;
0447cd69 11582
cfeaf33a
MC		 11583#if defined(OPENSSL_NO_TLS1_2)
11584 if (idx == 4)
11585 return TEST_skip("TLSv1.2 is disabled in this build");
11586#else
11587 if (idx == 4)
0447cd69 11588 max_version = TLS1_2_VERSION;
cfeaf33a
MC		 11589#endif
11590#if defined(OSSL_NO_USABLE_TLS1_3)
11591 if (idx != 4)
11592 return TEST_skip("No usable TLSv1.3 in this build");
11593#endif
0447cd69
MC		 11594
11595 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
11596 TLS_client_method(), TLS1_VERSION,
11597 max_version, &sctx, &cctx, cert,
11598 privkey)))
11599 goto end;
11600
11601 /*
11602 * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
11603 * replay protection), or if SSL_OP_NO_TICKET is in use
11604 */
11605 if (idx == 0 || idx == 2) {
11606 if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
11607 goto end;
11608 }
cfeaf33a 11609 if (idx == 1 || idx == 2 || idx == 3)
0447cd69
MC		 11610 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
11611
11612 SSL_CTX_sess_set_cache_size(sctx, 5);
11613
cfeaf33a
MC		 11614 if (idx == 3) {
11615 SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
11616 SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
11617 cbdata.cctx = cctx;
11618 cbdata.sctx = sctx;
11619 cbdata.recurse = 0;
11620 }
11621
0447cd69
MC		 11622 for (i = 0; i < 30; i++) {
11623 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
11624 NULL, NULL))
11625 || !TEST_true(SSL_set_session(clientssl, sess)))
11626 goto end;
11627
cfeaf33a
MC		 11628 /*
11629 * Check simultaneous resumes. We pause the connection part way through
11630 * the handshake by (mis)using the servername_cb. The pause occurs after
11631 * session resumption has already occurred, but before any session
11632 * tickets have been issued. While paused we run another complete
11633 * handshake resuming the same session.
11634 */
11635 if (idx == 3) {
11636 cbdata.i = i;
11637 cbdata.sess = sess;
11638 }
11639
0447cd69
MC		 11640 /*
11641 * Recreate a bug where dynamically changing the max_early_data value
11642 * can cause sessions in the session cache which cannot be deleted.
11643 */
11644 if ((idx == 0 || idx == 2) && (i % 3) == 2)
11645 SSL_set_max_early_data(serverssl, 0);
11646
11647 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
11648 goto end;
11649
11650 if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
11651 if (!TEST_false(SSL_session_reused(clientssl)))
11652 goto end;
11653 } else {
11654 if (!TEST_true(SSL_session_reused(clientssl)))
11655 goto end;
11656 }
11657 SSL_SESSION_free(sess);
11658
11659 /* Do a full handshake, followed by two resumptions */
11660 if ((i % 3) == 2) {
11661 sess = NULL;
11662 } else {
11663 if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
11664 goto end;
11665 }
11666
11667 SSL_shutdown(clientssl);
11668 SSL_shutdown(serverssl);
11669 SSL_free(serverssl);
11670 SSL_free(clientssl);
11671 serverssl = clientssl = NULL;
11672 }
11673
11674 /* We should never exceed the session cache size limit */
11675 if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
11676 goto end;
11677
11678 testresult = 1;
11679 end:
11680 SSL_free(serverssl);
11681 SSL_free(clientssl);
11682 SSL_CTX_free(sctx);
11683 SSL_CTX_free(cctx);
11684 SSL_SESSION_free(sess);
11685 return testresult;
11686}
11687
b2b8d188 11688OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
a43ce58f 11689
ad887416 11690int setup_tests(void)
2cb4b5f6 11691{
5e30f2fd
MC		 11692 char *modulename;
11693 char *configfile;
11694
b4250010 11695 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 11696 if (!TEST_ptr(libctx))
11697 return 0;
11698
11699 defctxnull = OSSL_PROVIDER_load(NULL, "null");
11700
11701 /*
11702 * Verify that the default and fips providers in the default libctx are not
11703 * available
11704 */
11705 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
11706 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
11707 return 0;
11708
8d242823
MC		 11709 if (!test_skip_common_options()) {
11710 TEST_error("Error parsing test options\n");
11711 return 0;
11712 }
11713
1a2a3a42
MC		 11714 if (!TEST_ptr(certsdir = test_get_argument(0))
11715 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 11716 || !TEST_ptr(tmpfilename = test_get_argument(2))
11717 || !TEST_ptr(modulename = test_get_argument(3))
b2b8d188
DF		 11718 || !TEST_ptr(configfile = test_get_argument(4))
11719 || !TEST_ptr(dhfile = test_get_argument(5)))
5e30f2fd
MC		 11720 return 0;
11721
b4250010 11722 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 11723 return 0;
11724
11725 /* Check we have the expected provider available */
11726 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
11727 return 0;
11728
11729 /* Check the default provider is not available */
11730 if (strcmp(modulename, "default") != 0
11731 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 11732 return 0;
2cb4b5f6 11733
50ea5cdc 11734 if (strcmp(modulename, "fips") == 0) {
11735 OSSL_PROVIDER *prov = NULL;
11736 OSSL_PARAM params[2];
11737
4f6c7044
MC		 11738 is_fips = 1;
11739
50ea5cdc 11740 prov = OSSL_PROVIDER_load(libctx, "fips");
11741 if (prov != NULL) {
11742 /* Query the fips provider to check if the check ems option is enabled */
11743 params[0] =
11744 OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
11745 &fips_ems_check);
11746 params[1] = OSSL_PARAM_construct_end();
11747 OSSL_PROVIDER_get_params(prov, params);
11748 OSSL_PROVIDER_unload(prov);
11749 }
11750 }
11751
0c13cdf8
MC		 11752 /*
11753 * We add, but don't load the test "tls-provider". We'll load it when we
11754 * need it.
11755 */
11756 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
11757 tls_provider_init)))
11758 return 0;
11759
11760
f297e4ec
RS		 11761 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
11762#ifdef OPENSSL_NO_CRYPTO_MDEBUG
11763 TEST_error("not supported in this build");
11764 return 0;
11765#else
11766 int i, mcount, rcount, fcount;
11767
11768 for (i = 0; i < 4; i++)
11769 test_export_key_mat(i);
11770 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
11771 test_printf_stdout("malloc %d realloc %d free %d\n",
11772 mcount, rcount, fcount);
11773 return 1;
11774#endif
11775 }
11776
1a2a3a42
MC		 11777 cert = test_mk_file_path(certsdir, "servercert.pem");
11778 if (cert == NULL)
b3842539 11779 goto err;
1a2a3a42
MC		 11780
11781 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 11782 if (privkey == NULL)
11783 goto err;
11784
11785 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
11786 if (cert2 == NULL)
11787 goto err;
11788
11789 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
11790 if (privkey2 == NULL)
11791 goto err;
1a2a3a42 11792
3105d846
MC		 11793 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
11794 if (cert1024 == NULL)
11795 goto err;
11796
11797 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
11798 if (privkey1024 == NULL)
11799 goto err;
11800
11801 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
11802 if (cert3072 == NULL)
11803 goto err;
11804
11805 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
11806 if (privkey3072 == NULL)
11807 goto err;
11808
11809 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
11810 if (cert4096 == NULL)
11811 goto err;
11812
11813 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
11814 if (privkey4096 == NULL)
11815 goto err;
11816
11817 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
11818 if (cert8192 == NULL)
11819 goto err;
11820
11821 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
11822 if (privkey8192 == NULL)
11823 goto err;
11824
50ea5cdc 11825 if (fips_ems_check) {
11826#ifndef OPENSSL_NO_TLS1_2
11827 ADD_TEST(test_no_ems);
11828#endif
11829 return 1;
11830 }
da4db160 11831#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 11832# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526 11833 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
cd715b7e 11834 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
c8e3a4c6 11835# endif
fe5d9450 11836#endif
84d5549e 11837 ADD_TEST(test_large_message_tls);
7856332e 11838 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 11839#ifndef OPENSSL_NO_DTLS
84d5549e 11840 ADD_TEST(test_large_message_dtls);
55386bef 11841#endif
2fda45d5 11842 ADD_ALL_TESTS(test_large_app_data, 28);
163b8016 11843 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 11844#ifndef OPENSSL_NO_OCSP
c887104f 11845 ADD_TEST(test_tlsext_status_type);
8f8c11d8 11846#endif
eaa776da
MC		 11847 ADD_TEST(test_session_with_only_int_cache);
11848 ADD_TEST(test_session_with_only_ext_cache);
11849 ADD_TEST(test_session_with_both_cache);
90fc2c26 11850 ADD_TEST(test_session_wo_ca_names);
a763ca11 11851#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 11852 ADD_ALL_TESTS(test_stateful_tickets, 3);
11853 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 11854 ADD_TEST(test_psk_tickets);
f0049b86 11855 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 11856#endif
7fb4c820 11857 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 11858 ADD_TEST(test_ssl_bio_pop_next_bio);
11859 ADD_TEST(test_ssl_bio_pop_ssl_bio);
11860 ADD_TEST(test_ssl_bio_change_rbio);
11861 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 11862#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 11863 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 11864 ADD_TEST(test_keylog);
c423ecaa 11865#endif
a763ca11 11866#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 11867 ADD_TEST(test_keylog_no_master_key);
11868#endif
0c3eb279 11869 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 11870 ADD_TEST(test_ssl_build_cert_chain);
11871 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 11872#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 11873 ADD_TEST(test_client_hello_cb);
088dfa13 11874 ADD_TEST(test_no_ems);
3cd14e5e 11875 ADD_TEST(test_ccs_change_cipher);
5f982038 11876#endif
a763ca11 11877#ifndef OSSL_NO_USABLE_TLS1_3
10836921 11878 ADD_ALL_TESTS(test_early_data_read_write, 6);
78fb5374
MC		 11879 /*
11880 * We don't do replay tests for external PSK. Replay protection isn't used
11881 * in that scenario.
11882 */
11883 ADD_ALL_TESTS(test_early_data_replay, 2);
10836921
MC		 11884 ADD_ALL_TESTS(test_early_data_skip, OSSL_NELEM(ciphersuites) * 3);
11885 ADD_ALL_TESTS(test_early_data_skip_hrr, OSSL_NELEM(ciphersuites) * 3);
11886 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, OSSL_NELEM(ciphersuites) * 3);
11887 ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3);
02a3ed5a 11888 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 11889 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 11890 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 11891 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 11892# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 11893 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 11894# endif
e9ee6536 11895#endif
a763ca11 11896#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 11897 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 11898 ADD_TEST(test_ciphersuite_change);
5bf2eade 11899 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
11900# ifdef OPENSSL_NO_PSK
c2b290c3 11901 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 11902# else
0d8da779 11903 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 11904# endif /* OPENSSL_NO_PSK */
71583393
MM		 11905#ifndef OSSL_NO_USABLE_TLS1_3
11906 ADD_ALL_TESTS(test_tls13_no_dhe_kex, 8);
11907#endif /* OSSL_NO_USABLE_TLS1_3 */
5bf2eade 11908# ifndef OPENSSL_NO_TLS1_2
11909 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 11910 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 11911# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
11912 ADD_ALL_TESTS(test_negotiated_group,
11913 4 * (OSSL_NELEM(ecdhe_kexch_groups)
11914 + OSSL_NELEM(ffdhe_kexch_groups)));
11915# endif
5bf2eade 11916# else
11917 /* Test with only TLSv1.3 versions */
11918 ADD_ALL_TESTS(test_key_exchange, 12);
11919# endif
0db3a990 11920 ADD_ALL_TESTS(test_custom_exts, 6);
c7b8ff25 11921 ADD_TEST(test_stateless);
9d75dce3 11922 ADD_TEST(test_pha_key_update);
a273157a 11923#else
bb01ef3f 11924 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 11925#endif
0fb2815b 11926 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 11927#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 11928 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 11929 ADD_TEST(test_key_update);
0c48fda8 11930 ADD_ALL_TESTS(test_key_update_peer_in_write, 2);
11931 ADD_ALL_TESTS(test_key_update_peer_in_read, 2);
11932 ADD_ALL_TESTS(test_key_update_local_in_write, 2);
11933 ADD_ALL_TESTS(test_key_update_local_in_read, 2);
b38ede80 11934#endif
5de8c49d 11935 ADD_ALL_TESTS(test_ssl_clear, 8);
cf72c757 11936 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 11937#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
11938 ADD_ALL_TESTS(test_srp, 6);
11939#endif
b67cb09f
TS		 11940#if !defined(OPENSSL_NO_COMP_ALG)
11941 /* Add compression case */
11942 ADD_ALL_TESTS(test_info_callback, 8);
11943#else
5718fe45 11944 ADD_ALL_TESTS(test_info_callback, 6);
b67cb09f 11945#endif
4a432af8 11946 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 11947 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
3b7a3241 11948 ADD_ALL_TESTS(test_ticket_callbacks, 20);
57d7b988 11949 ADD_ALL_TESTS(test_shutdown, 7);
cbf965b4 11950 ADD_TEST(test_async_shutdown);
e638112e 11951 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 11952 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 11953 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 11954 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 11955#ifndef OPENSSL_NO_TLS1_2
11956 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
11957#endif
49ef3d07 11958 ADD_ALL_TESTS(test_servername, 10);
2b4cea1e 11959 ADD_TEST(test_unknown_sigalgs_groups);
b1fdbc68 11960#if !defined(OPENSSL_NO_EC) \
a763ca11 11961 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 11962 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 11963#endif
11964#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 11965 ADD_ALL_TESTS(test_pluggable_group, 2);
3c95ef22 11966 ADD_ALL_TESTS(test_pluggable_signature, 4);
49a36a52
MC		 11967#endif
11968#ifndef OPENSSL_NO_TLS1_2
11969 ADD_TEST(test_ssl_dup);
33c39a06
MC		 11970# ifndef OPENSSL_NO_DH
11971 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 11972 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 11973# endif
6582661f 11974#endif
a763ca11 11975#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 11976 ADD_TEST(test_sni_tls13);
0089cc7f 11977 ADD_ALL_TESTS(test_ticket_lifetime, 2);
b3842539 11978#endif
dfccfde0 11979 ADD_TEST(test_inherit_verify_param);
feba11cf 11980 ADD_TEST(test_set_alpn);
948cf521
HL		 11981 ADD_TEST(test_set_verify_cert_store_ssl_ctx);
11982 ADD_TEST(test_set_verify_cert_store_ssl);
25959e04 11983 ADD_ALL_TESTS(test_session_timeout, 1);
b2b8d188 11984 ADD_TEST(test_load_dhfile);
f7565348
MC		 11985#ifndef OSSL_NO_USABLE_TLS1_3
11986 ADD_TEST(test_read_ahead_key_change);
f3f8e53c 11987 ADD_ALL_TESTS(test_tls13_record_padding, 4);
555dd939
DF		 11988#endif
11989#if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
11990 ADD_ALL_TESTS(test_serverinfo_custom, 4);
b718f6fc
MC		 11991#endif
11992#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
7765d25f 11993 ADD_ALL_TESTS(test_pipelining, 7);
f7565348 11994#endif
843f6e27 11995 ADD_ALL_TESTS(test_version, 6);
79ee0172 11996 ADD_TEST(test_rstate_string);
149c4f98 11997 ADD_ALL_TESTS(test_handshake_retry, 16);
dbbdb940 11998 ADD_TEST(test_data_retry);
cfeaf33a 11999 ADD_ALL_TESTS(test_multi_resume, 5);
ad887416 12000 return 1;
b3842539
MC		 12001
12002 err:
12003 OPENSSL_free(cert);
12004 OPENSSL_free(privkey);
12005 OPENSSL_free(cert2);
12006 OPENSSL_free(privkey2);
12007 return 0;
ad887416 12008}
2cb4b5f6 12009
ad887416
P		 12010void cleanup_tests(void)
12011{
8778f0eb 12012# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 12013 EVP_PKEY_free(tmp_dh_params);
12014#endif
1a2a3a42
MC		 12015 OPENSSL_free(cert);
12016 OPENSSL_free(privkey);
b3842539
MC		 12017 OPENSSL_free(cert2);
12018 OPENSSL_free(privkey2);
3105d846
MC		 12019 OPENSSL_free(cert1024);
12020 OPENSSL_free(privkey1024);
12021 OPENSSL_free(cert3072);
12022 OPENSSL_free(privkey3072);
12023 OPENSSL_free(cert4096);
12024 OPENSSL_free(privkey4096);
12025 OPENSSL_free(cert8192);
12026 OPENSSL_free(privkey8192);
fa454945 12027 bio_s_mempacket_test_free();
a77b4dba 12028 bio_s_always_retry_free();
dbbdb940 12029 bio_s_maybe_retry_free();
5e30f2fd 12030 OSSL_PROVIDER_unload(defctxnull);
b4250010 12031 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 12032}
A mirror of the official openssl repository