]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ssl/ssl_txt: fix NULL-check
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
76fd7a1d
MC		 17#include <openssl/srp.h>
18#include <openssl/txt_db.h>
d0191fe0 19#include <openssl/aes.h>
2cb4b5f6
MC		 20
21#include "ssltestlib.h"
c887104f 22#include "testutil.h"
f297e4ec 23#include "testutil/output.h"
176db6dc 24#include "internal/nelem.h"
ca0413ae 25#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 26
27static char *cert = NULL;
28static char *privkey = NULL;
76fd7a1d
MC		 29static char *srpvfile = NULL;
30static char *tmpfilename = NULL;
2cb4b5f6 31
cffe973c 32#define LOG_BUFFER_SIZE 2048
6acdd3e5 33static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 34static size_t server_log_buffer_index = 0;
6acdd3e5 35static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 36static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 37static int error_writing_log = 0;
38
8f8c11d8 39#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 40static const unsigned char orespder[] = "Dummy OCSP Response";
41static int ocsp_server_called = 0;
42static int ocsp_client_called = 0;
43
44static int cdummyarg = 1;
45static X509 *ocspcert = NULL;
8f8c11d8 46#endif
ba881d3b 47
84d5549e 48#define NUM_EXTRA_CERTS 40
cf72c757 49#define CLIENT_VERSION_LEN 2
84d5549e 50
f1a5939f
CB		 51/*
52 * This structure is used to validate that the correct number of log messages
53 * of various types are emitted when emitting secret logs.
54 */
55struct sslapitest_log_counts {
56 unsigned int rsa_key_exchange_count;
57 unsigned int master_secret_count;
cffe973c 58 unsigned int client_early_secret_count;
f1a5939f
CB		 59 unsigned int client_handshake_secret_count;
60 unsigned int server_handshake_secret_count;
61 unsigned int client_application_secret_count;
62 unsigned int server_application_secret_count;
01a2a654 63 unsigned int early_exporter_secret_count;
6329ce8f 64 unsigned int exporter_secret_count;
f1a5939f
CB		 65};
66
16afd71c
MC		 67
68static unsigned char serverinfov1[] = {
69 0xff, 0xff, /* Dummy extension type */
70 0x00, 0x01, /* Extension length is 1 byte */
71 0xff /* Dummy extension data */
72};
73
74static unsigned char serverinfov2[] = {
75 0x00, 0x00, 0x00,
76 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
77 0xff, 0xff, /* Dummy extension type */
78 0x00, 0x01, /* Extension length is 1 byte */
79 0xff /* Dummy extension data */
80};
81
710756a9
RS		 82static void client_keylog_callback(const SSL *ssl, const char *line)
83{
6acdd3e5
CB		 84 int line_length = strlen(line);
85
86 /* If the log doesn't fit, error out. */
710756a9
RS		 87 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
88 TEST_info("Client log too full");
6acdd3e5
CB		 89 error_writing_log = 1;
90 return;
91 }
92
93 strcat(client_log_buffer, line);
94 client_log_buffer_index += line_length;
710756a9 95 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 96}
97
710756a9
RS		 98static void server_keylog_callback(const SSL *ssl, const char *line)
99{
6acdd3e5
CB		 100 int line_length = strlen(line);
101
102 /* If the log doesn't fit, error out. */
710756a9 103 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 104 TEST_info("Server log too full");
6acdd3e5
CB		 105 error_writing_log = 1;
106 return;
107 }
108
109 strcat(server_log_buffer, line);
110 server_log_buffer_index += line_length;
710756a9 111 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 112}
113
114static int compare_hex_encoded_buffer(const char *hex_encoded,
115 size_t hex_length,
116 const uint8_t *raw,
710756a9
RS		 117 size_t raw_length)
118{
119 size_t i, j;
120 char hexed[3];
6acdd3e5 121
710756a9 122 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 123 return 1;
6acdd3e5 124
710756a9 125 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 126 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 127 if (!TEST_int_eq(hexed[0], hex_encoded[j])
128 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 129 return 1;
6acdd3e5
CB		 130 }
131
132 return 0;
133}
134
135static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 136 const SSL_SESSION *session,
710756a9
RS		 137 struct sslapitest_log_counts *expected)
138{
6acdd3e5
CB		 139 char *token = NULL;
140 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
141 size_t client_random_size = SSL3_RANDOM_SIZE;
142 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
143 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 144 unsigned int rsa_key_exchange_count = 0;
145 unsigned int master_secret_count = 0;
cffe973c 146 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 147 unsigned int client_handshake_secret_count = 0;
148 unsigned int server_handshake_secret_count = 0;
149 unsigned int client_application_secret_count = 0;
150 unsigned int server_application_secret_count = 0;
01a2a654 151 unsigned int early_exporter_secret_count = 0;
6329ce8f 152 unsigned int exporter_secret_count = 0;
6acdd3e5 153
710756a9
RS		 154 for (token = strtok(buffer, " \n"); token != NULL;
155 token = strtok(NULL, " \n")) {
6acdd3e5 156 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 157 /*
158 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 159 * hex-encoded encrypted secret, then the hex-encoded pre-master
160 * secret.
161 */
710756a9 162 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 163 return 0;
710756a9 164 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 165 return 0;
710756a9 166 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 167 return 0;
f1a5939f
CB		 168 /*
169 * We can't sensibly check the log because the premaster secret is
170 * transient, and OpenSSL doesn't keep hold of it once the master
171 * secret is generated.
172 */
173 rsa_key_exchange_count++;
6acdd3e5 174 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 175 /*
176 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 177 * client random, then the hex-encoded master secret.
178 */
179 client_random_size = SSL_get_client_random(ssl,
180 actual_client_random,
181 SSL3_RANDOM_SIZE);
710756a9 182 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 183 return 0;
6acdd3e5 184
710756a9 185 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 186 return 0;
710756a9 187 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
190 actual_client_random,
191 client_random_size)))
f1a5939f 192 return 0;
6acdd3e5 193
710756a9 194 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 195 return 0;
6acdd3e5
CB		 196 master_key_size = SSL_SESSION_get_master_key(session,
197 actual_master_key,
198 master_key_size);
710756a9 199 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 200 return 0;
710756a9
RS		 201 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
202 actual_master_key,
203 master_key_size)))
f1a5939f 204 return 0;
f1a5939f 205 master_secret_count++;
cffe973c
PW		 206 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
207 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 208 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
209 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 210 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 211 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 212 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 213 /*
214 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
215 * client random, and then the hex-encoded secret. In this case,
216 * we treat all of these secrets identically and then just
217 * distinguish between them when counting what we saw.
218 */
cffe973c
PW		 219 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
220 client_early_secret_count++;
221 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 222 client_handshake_secret_count++;
223 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
224 server_handshake_secret_count++;
225 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
226 client_application_secret_count++;
227 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
228 server_application_secret_count++;
01a2a654
PW		 229 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
230 early_exporter_secret_count++;
6329ce8f
PW		 231 else if (strcmp(token, "EXPORTER_SECRET") == 0)
232 exporter_secret_count++;
f1a5939f
CB		 233
234 client_random_size = SSL_get_client_random(ssl,
235 actual_client_random,
236 SSL3_RANDOM_SIZE);
710756a9 237 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 238 return 0;
f1a5939f 239
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 243 return 0;
710756a9
RS		 244 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
245 actual_client_random,
246 client_random_size)))
f1a5939f 247 return 0;
6acdd3e5 248
710756a9 249 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 250 return 0;
f1a5939f
CB		 251
252 /*
253 * TODO(TLS1.3): test that application traffic secrets are what
254 * we expect */
6acdd3e5 255 } else {
710756a9 256 TEST_info("Unexpected token %s\n", token);
f1a5939f 257 return 0;
6acdd3e5 258 }
6acdd3e5
CB		 259 }
260
710756a9
RS		 261 /* Got what we expected? */
262 if (!TEST_size_t_eq(rsa_key_exchange_count,
263 expected->rsa_key_exchange_count)
264 || !TEST_size_t_eq(master_secret_count,
265 expected->master_secret_count)
cffe973c
PW		 266 || !TEST_size_t_eq(client_early_secret_count,
267 expected->client_early_secret_count)
710756a9
RS		 268 || !TEST_size_t_eq(client_handshake_secret_count,
269 expected->client_handshake_secret_count)
270 || !TEST_size_t_eq(server_handshake_secret_count,
271 expected->server_handshake_secret_count)
272 || !TEST_size_t_eq(client_application_secret_count,
273 expected->client_application_secret_count)
274 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 275 expected->server_application_secret_count)
01a2a654
PW		 276 || !TEST_size_t_eq(early_exporter_secret_count,
277 expected->early_exporter_secret_count)
6329ce8f
PW		 278 || !TEST_size_t_eq(exporter_secret_count,
279 expected->exporter_secret_count))
710756a9
RS		 280 return 0;
281 return 1;
6acdd3e5
CB		 282}
283
c423ecaa 284#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 285static int test_keylog(void)
286{
6acdd3e5
CB		 287 SSL_CTX *cctx = NULL, *sctx = NULL;
288 SSL *clientssl = NULL, *serverssl = NULL;
289 int testresult = 0;
f1a5939f 290 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 291
292 /* Clean up logging space */
710756a9
RS		 293 memset(client_log_buffer, 0, sizeof(client_log_buffer));
294 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 295 client_log_buffer_index = 0;
296 server_log_buffer_index = 0;
297 error_writing_log = 0;
298
710756a9
RS		 299 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
300 TLS_client_method(),
7d7f6834 301 TLS1_VERSION, TLS_MAX_VERSION,
710756a9 302 &sctx, &cctx, cert, privkey)))
6acdd3e5 303 return 0;
6acdd3e5
CB		 304
305 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
306 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
307 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
308
f0deb4d3 309 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 310 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 311 goto end;
f0deb4d3 312
cf10df81
RS		 313 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
314 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 315 goto end;
6acdd3e5 316 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 317 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
318 == client_keylog_callback))
6acdd3e5 319 goto end;
710756a9 320 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 321 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
322 == server_keylog_callback))
6acdd3e5 323 goto end;
6acdd3e5 324
710756a9
RS		 325 /* Now do a handshake and check that the logs have been written to. */
326 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
327 &clientssl, NULL, NULL))
328 || !TEST_true(create_ssl_connection(serverssl, clientssl,
329 SSL_ERROR_NONE))
330 || !TEST_false(error_writing_log)
331 || !TEST_int_gt(client_log_buffer_index, 0)
332 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 333 goto end;
6acdd3e5 334
f1a5939f
CB		 335 /*
336 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 337 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 338 * data we expect. For both client and server, we expect to see one master
339 * secret. The client should also see a RSA key exchange.
6acdd3e5 340 */
f1a5939f
CB		 341 expected.rsa_key_exchange_count = 1;
342 expected.master_secret_count = 1;
710756a9
RS		 343 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
344 SSL_get_session(clientssl), &expected)))
6acdd3e5 345 goto end;
f1a5939f
CB		 346
347 expected.rsa_key_exchange_count = 0;
710756a9
RS		 348 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
349 SSL_get_session(serverssl), &expected)))
6acdd3e5 350 goto end;
6acdd3e5
CB		 351
352 testresult = 1;
353
354end:
355 SSL_free(serverssl);
356 SSL_free(clientssl);
357 SSL_CTX_free(sctx);
358 SSL_CTX_free(cctx);
359
360 return testresult;
361}
c423ecaa 362#endif
6acdd3e5
CB		 363
364#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 365static int test_keylog_no_master_key(void)
366{
6acdd3e5
CB		 367 SSL_CTX *cctx = NULL, *sctx = NULL;
368 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 369 SSL_SESSION *sess = NULL;
6acdd3e5 370 int testresult = 0;
f1a5939f 371 struct sslapitest_log_counts expected = {0};
cffe973c
PW		 372 unsigned char buf[1];
373 size_t readbytes, written;
6acdd3e5
CB		 374
375 /* Clean up logging space */
710756a9
RS		 376 memset(client_log_buffer, 0, sizeof(client_log_buffer));
377 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 378 client_log_buffer_index = 0;
379 server_log_buffer_index = 0;
380 error_writing_log = 0;
381
7d7f6834
RL		 382 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
383 TLS1_VERSION, TLS_MAX_VERSION,
cffe973c
PW		 384 &sctx, &cctx, cert, privkey))
385 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 386 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 387 return 0;
6acdd3e5 388
cf10df81
RS		 389 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
390 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 391 goto end;
6acdd3e5
CB		 392
393 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 394 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
395 == client_keylog_callback))
6acdd3e5 396 goto end;
6acdd3e5 397
710756a9 398 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 399 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
400 == server_keylog_callback))
6acdd3e5 401 goto end;
6acdd3e5 402
710756a9
RS		 403 /* Now do a handshake and check that the logs have been written to. */
404 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
405 &clientssl, NULL, NULL))
406 || !TEST_true(create_ssl_connection(serverssl, clientssl,
407 SSL_ERROR_NONE))
408 || !TEST_false(error_writing_log))
6acdd3e5 409 goto end;
6acdd3e5 410
f1a5939f
CB		 411 /*
412 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 413 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 414 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.client_handshake_secret_count = 1;
417 expected.server_handshake_secret_count = 1;
418 expected.client_application_secret_count = 1;
419 expected.server_application_secret_count = 1;
6329ce8f 420 expected.exporter_secret_count = 1;
710756a9
RS		 421 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
422 SSL_get_session(clientssl), &expected))
423 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl),
425 &expected)))
6acdd3e5 426 goto end;
6acdd3e5 427
cffe973c
PW		 428 /* Terminate old session and resume with early data. */
429 sess = SSL_get1_session(clientssl);
430 SSL_shutdown(clientssl);
431 SSL_shutdown(serverssl);
432 SSL_free(serverssl);
433 SSL_free(clientssl);
434 serverssl = clientssl = NULL;
435
436 /* Reset key log */
437 memset(client_log_buffer, 0, sizeof(client_log_buffer));
438 memset(server_log_buffer, 0, sizeof(server_log_buffer));
439 client_log_buffer_index = 0;
440 server_log_buffer_index = 0;
441
442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
443 &clientssl, NULL, NULL))
444 || !TEST_true(SSL_set_session(clientssl, sess))
445 /* Here writing 0 length early data is enough. */
446 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
447 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
448 &readbytes),
449 SSL_READ_EARLY_DATA_ERROR)
450 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
451 SSL_EARLY_DATA_ACCEPTED)
452 || !TEST_true(create_ssl_connection(serverssl, clientssl,
453 SSL_ERROR_NONE))
454 || !TEST_true(SSL_session_reused(clientssl)))
455 goto end;
456
457 /* In addition to the previous entries, expect early secrets. */
458 expected.client_early_secret_count = 1;
01a2a654 459 expected.early_exporter_secret_count = 1;
cffe973c
PW		 460 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
461 SSL_get_session(clientssl), &expected))
462 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
463 SSL_get_session(serverssl),
464 &expected)))
465 goto end;
466
6acdd3e5
CB		 467 testresult = 1;
468
469end:
cffe973c 470 SSL_SESSION_free(sess);
6acdd3e5
CB		 471 SSL_free(serverssl);
472 SSL_free(clientssl);
473 SSL_CTX_free(sctx);
474 SSL_CTX_free(cctx);
475
476 return testresult;
477}
478#endif
479
e9ee6536 480#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 481static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 482{
483 int *ctr = arg;
484 const unsigned char *p;
8ea404fb 485 int *exts;
2afaee51
BK		 486 /* We only configure two ciphers, but the SCSV is added automatically. */
487#ifdef OPENSSL_NO_EC
488 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
489#else
490 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
491 0x2c, 0x00, 0xff};
492#endif
8ea404fb
BK		 493 const int expected_extensions[] = {
494#ifndef OPENSSL_NO_EC
495 11, 10,
496#endif
10ed1b72 497 35, 22, 23, 13};
2afaee51
BK		 498 size_t len;
499
500 /* Make sure we can defer processing and get called back. */
501 if ((*ctr)++ == 0)
f1b97da1 502 return SSL_CLIENT_HELLO_RETRY;
2afaee51 503
a9c0d8be 504 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 505 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 506 || !TEST_size_t_eq(
507 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 508 || !TEST_int_eq(*p, 0))
f1b97da1 509 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 510 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 511 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 512 if (len != OSSL_NELEM(expected_extensions) ||
513 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 514 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 515 OPENSSL_free(exts);
f1b97da1 516 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 517 }
518 OPENSSL_free(exts);
f1b97da1 519 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 520}
521
a9c0d8be 522static int test_client_hello_cb(void)
710756a9 523{
2afaee51
BK		 524 SSL_CTX *cctx = NULL, *sctx = NULL;
525 SSL *clientssl = NULL, *serverssl = NULL;
526 int testctr = 0, testresult = 0;
527
7d7f6834
RL		 528 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
529 TLS1_VERSION, TLS_MAX_VERSION,
530 &sctx, &cctx, cert, privkey)))
2afaee51 531 goto end;
a9c0d8be 532 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 533
2afaee51
BK		 534 /* The gimpy cipher list we configure can't do TLS 1.3. */
535 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 536
710756a9
RS		 537 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
538 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
539 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
540 &clientssl, NULL, NULL))
541 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 542 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 543 /*
544 * Passing a -1 literal is a hack since
545 * the real value was lost.
546 * */
a9c0d8be
DB		 547 || !TEST_int_eq(SSL_get_error(serverssl, -1),
548 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 549 || !TEST_true(create_ssl_connection(serverssl, clientssl,
550 SSL_ERROR_NONE)))
2afaee51 551 goto end;
2afaee51
BK		 552
553 testresult = 1;
554
555end:
556 SSL_free(serverssl);
557 SSL_free(clientssl);
558 SSL_CTX_free(sctx);
559 SSL_CTX_free(cctx);
560
561 return testresult;
562}
e9ee6536 563#endif
2afaee51 564
84d5549e 565static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 566 const SSL_METHOD *cmeth,
567 int min_version, int max_version,
568 int read_ahead)
84d5549e
MC		 569{
570 SSL_CTX *cctx = NULL, *sctx = NULL;
571 SSL *clientssl = NULL, *serverssl = NULL;
572 int testresult = 0;
573 int i;
710756a9 574 BIO *certbio = NULL;
84d5549e
MC		 575 X509 *chaincert = NULL;
576 int certlen;
577
710756a9 578 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 579 goto end;
84d5549e 580 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 581 BIO_free(certbio);
582 certbio = NULL;
710756a9 583 if (!TEST_ptr(chaincert))
fa454945 584 goto end;
84d5549e 585
7d7f6834
RL		 586 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
587 &sctx, &cctx, cert, privkey)))
84d5549e 588 goto end;
84d5549e 589
710756a9 590 if (read_ahead) {
7856332e
MC		 591 /*
592 * Test that read_ahead works correctly when dealing with large
593 * records
594 */
595 SSL_CTX_set_read_ahead(cctx, 1);
596 }
597
84d5549e
MC		 598 /*
599 * We assume the supplied certificate is big enough so that if we add
600 * NUM_EXTRA_CERTS it will make the overall message large enough. The
601 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 602 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
603 * test we need to have a message larger than that.
84d5549e
MC		 604 */
605 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 606 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
607 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 608 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 609 if (!X509_up_ref(chaincert))
84d5549e 610 goto end;
84d5549e 611 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 612 X509_free(chaincert);
613 goto end;
614 }
615 }
616
710756a9
RS		 617 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
618 NULL, NULL))
619 || !TEST_true(create_ssl_connection(serverssl, clientssl,
620 SSL_ERROR_NONE)))
84d5549e 621 goto end;
84d5549e 622
4bf08600
MC		 623 /*
624 * Calling SSL_clear() first is not required but this tests that SSL_clear()
625 * doesn't leak (when using enable-crypto-mdebug).
626 */
710756a9 627 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 628 goto end;
84d5549e 629
4bf08600 630 testresult = 1;
84d5549e
MC		 631 end:
632 X509_free(chaincert);
633 SSL_free(serverssl);
634 SSL_free(clientssl);
635 SSL_CTX_free(sctx);
636 SSL_CTX_free(cctx);
637
638 return testresult;
639}
640
641static int test_large_message_tls(void)
642{
7856332e 643 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 644 TLS1_VERSION, TLS_MAX_VERSION,
7856332e
MC		 645 0);
646}
647
648static int test_large_message_tls_read_ahead(void)
649{
650 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
7d7f6834 651 TLS1_VERSION, TLS_MAX_VERSION,
7856332e 652 1);
84d5549e
MC		 653}
654
55386bef 655#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 656static int test_large_message_dtls(void)
657{
7856332e
MC		 658 /*
659 * read_ahead is not relevant to DTLS because DTLS always acts as if
660 * read_ahead is set.
661 */
84d5549e 662 return execute_test_large_message(DTLS_server_method(),
7d7f6834
RL		 663 DTLS_client_method(),
664 DTLS1_VERSION, DTLS_MAX_VERSION,
665 0);
84d5549e 666}
55386bef 667#endif
84d5549e 668
8f8c11d8 669#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 670static int ocsp_server_cb(SSL *s, void *arg)
671{
672 int *argi = (int *)arg;
710756a9 673 unsigned char *copy = NULL;
ba881d3b
MC		 674 STACK_OF(OCSP_RESPID) *ids = NULL;
675 OCSP_RESPID *id = NULL;
676
677 if (*argi == 2) {
678 /* In this test we are expecting exactly 1 OCSP_RESPID */
679 SSL_get_tlsext_status_ids(s, &ids);
680 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
681 return SSL_TLSEXT_ERR_ALERT_FATAL;
682
683 id = sk_OCSP_RESPID_value(ids, 0);
684 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
685 return SSL_TLSEXT_ERR_ALERT_FATAL;
686 } else if (*argi != 1) {
687 return SSL_TLSEXT_ERR_ALERT_FATAL;
688 }
689
710756a9 690 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 691 return SSL_TLSEXT_ERR_ALERT_FATAL;
692
710756a9 693 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 694 ocsp_server_called = 1;
ba881d3b
MC		 695 return SSL_TLSEXT_ERR_OK;
696}
697
698static int ocsp_client_cb(SSL *s, void *arg)
699{
700 int *argi = (int *)arg;
701 const unsigned char *respderin;
702 size_t len;
703
704 if (*argi != 1 && *argi != 2)
705 return 0;
706
707 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 708 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 709 return 0;
710
711 ocsp_client_called = 1;
ba881d3b
MC		 712 return 1;
713}
714
2cb4b5f6
MC		 715static int test_tlsext_status_type(void)
716{
ba881d3b
MC		 717 SSL_CTX *cctx = NULL, *sctx = NULL;
718 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 719 int testresult = 0;
ba881d3b
MC		 720 STACK_OF(OCSP_RESPID) *ids = NULL;
721 OCSP_RESPID *id = NULL;
722 BIO *certbio = NULL;
2cb4b5f6 723
7d7f6834
RL		 724 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
725 TLS1_VERSION, TLS_MAX_VERSION,
726 &sctx, &cctx, cert, privkey))
ba881d3b 727 return 0;
2cb4b5f6 728
710756a9 729 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 730 goto end;
2cb4b5f6 731
ba881d3b 732 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 733
ba881d3b 734 clientssl = SSL_new(cctx);
710756a9
RS		 735 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
736 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
737 TLSEXT_STATUSTYPE_ocsp))
738 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
739 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 740 goto end;
2cb4b5f6 741
ba881d3b
MC		 742 SSL_free(clientssl);
743 clientssl = NULL;
2cb4b5f6 744
710756a9
RS		 745 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
746 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 747 goto end;
2cb4b5f6 748
ba881d3b 749 clientssl = SSL_new(cctx);
710756a9 750 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 751 goto end;
ba881d3b
MC		 752 SSL_free(clientssl);
753 clientssl = NULL;
754
755 /*
756 * Now actually do a handshake and check OCSP information is exchanged and
757 * the callbacks get called
758 */
ba881d3b
MC		 759 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
760 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
761 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
762 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 763 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
764 &clientssl, NULL, NULL))
765 || !TEST_true(create_ssl_connection(serverssl, clientssl,
766 SSL_ERROR_NONE))
767 || !TEST_true(ocsp_client_called)
768 || !TEST_true(ocsp_server_called))
ba881d3b 769 goto end;
ba881d3b
MC		 770 SSL_free(serverssl);
771 SSL_free(clientssl);
772 serverssl = NULL;
773 clientssl = NULL;
774
775 /* Try again but this time force the server side callback to fail */
776 ocsp_client_called = 0;
777 ocsp_server_called = 0;
778 cdummyarg = 0;
710756a9
RS		 779 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
780 &clientssl, NULL, NULL))
781 /* This should fail because the callback will fail */
782 || !TEST_false(create_ssl_connection(serverssl, clientssl,
783 SSL_ERROR_NONE))
784 || !TEST_false(ocsp_client_called)
785 || !TEST_false(ocsp_server_called))
ba881d3b 786 goto end;
ba881d3b
MC		 787 SSL_free(serverssl);
788 SSL_free(clientssl);
789 serverssl = NULL;
790 clientssl = NULL;
791
792 /*
793 * This time we'll get the client to send an OCSP_RESPID that it will
794 * accept.
795 */
796 ocsp_client_called = 0;
797 ocsp_server_called = 0;
798 cdummyarg = 2;
710756a9
RS		 799 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
800 &clientssl, NULL, NULL)))
ba881d3b 801 goto end;
ba881d3b
MC		 802
803 /*
804 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 805 * specific one. We'll use the server cert.
ba881d3b 806 */
710756a9
RS		 807 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
808 || !TEST_ptr(id = OCSP_RESPID_new())
809 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
810 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
811 NULL, NULL, NULL))
812 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
813 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 814 goto end;
ba881d3b
MC		 815 id = NULL;
816 SSL_set_tlsext_status_ids(clientssl, ids);
817 /* Control has been transferred */
818 ids = NULL;
819
820 BIO_free(certbio);
821 certbio = NULL;
822
710756a9
RS		 823 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
824 SSL_ERROR_NONE))
825 || !TEST_true(ocsp_client_called)
826 || !TEST_true(ocsp_server_called))
ba881d3b 827 goto end;
ba881d3b 828
2cb4b5f6
MC		 829 testresult = 1;
830
831 end:
ba881d3b
MC		 832 SSL_free(serverssl);
833 SSL_free(clientssl);
834 SSL_CTX_free(sctx);
835 SSL_CTX_free(cctx);
836 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
837 OCSP_RESPID_free(id);
838 BIO_free(certbio);
839 X509_free(ocspcert);
840 ocspcert = NULL;
2cb4b5f6
MC		 841
842 return testresult;
843}
8f8c11d8 844#endif
2cb4b5f6 845
bf208d95 846#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 847static int new_called, remove_called, get_called;
eaa776da 848
eaa776da
MC		 849static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
850{
851 new_called++;
c0537ebd
MC		 852 /*
853 * sess has been up-refed for us, but we don't actually need it so free it
854 * immediately.
855 */
856 SSL_SESSION_free(sess);
eaa776da
MC		 857 return 1;
858}
859
860static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
861{
862 remove_called++;
863}
864
7a301f08
MC		 865static SSL_SESSION *get_sess_val = NULL;
866
867static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
868 int *copy)
869{
0afca811 870 get_called++;
7a301f08
MC		 871 *copy = 1;
872 return get_sess_val;
873}
874
7a301f08
MC		 875static int execute_test_session(int maxprot, int use_int_cache,
876 int use_ext_cache)
2cb4b5f6
MC		 877{
878 SSL_CTX *sctx = NULL, *cctx = NULL;
879 SSL *serverssl1 = NULL, *clientssl1 = NULL;
880 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 881# ifndef OPENSSL_NO_TLS1_1
eaa776da 882 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 883# endif
2cb4b5f6 884 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 885 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 886
7e885b7b
P		 887 new_called = remove_called = 0;
888
36ff232c
MC		 889 /* TLSv1.3 sends 2 NewSessionTickets */
890 if (maxprot == TLS1_3_VERSION)
891 numnewsesstick = 2;
892
7d7f6834
RL		 893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
894 TLS1_VERSION, TLS_MAX_VERSION,
895 &sctx, &cctx, cert, privkey)))
2cb4b5f6 896 return 0;
2cb4b5f6 897
7a301f08
MC		 898 /*
899 * Only allow the max protocol version so we can force a connection failure
900 * later
901 */
902 SSL_CTX_set_min_proto_version(cctx, maxprot);
903 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 904
905 /* Set up session cache */
7e885b7b 906 if (use_ext_cache) {
eaa776da
MC		 907 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
908 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
909 }
7e885b7b 910 if (use_int_cache) {
eaa776da
MC		 911 /* Also covers instance where both are set */
912 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
913 } else {
914 SSL_CTX_set_session_cache_mode(cctx,
915 SSL_SESS_CACHE_CLIENT
916 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
917 }
2cb4b5f6 918
710756a9
RS		 919 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
920 NULL, NULL))
921 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
922 SSL_ERROR_NONE))
923 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
710756a9 926 /* Should fail because it should already be in the cache */
7e885b7b 927 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 928 goto end;
7a301f08 929 if (use_ext_cache
36ff232c
MC		 930 && (!TEST_int_eq(new_called, numnewsesstick)
931
932 || !TEST_int_eq(remove_called, 0)))
b4982125 933 goto end;
b4982125 934
c0537ebd
MC		 935 new_called = remove_called = 0;
936 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
937 &clientssl2, NULL, NULL))
938 || !TEST_true(SSL_set_session(clientssl2, sess1))
939 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
940 SSL_ERROR_NONE))
941 || !TEST_true(SSL_session_reused(clientssl2)))
942 goto end;
943
7a301f08
MC		 944 if (maxprot == TLS1_3_VERSION) {
945 /*
946 * In TLSv1.3 we should have created a new session even though we have
36ff232c 947 * resumed.
7a301f08
MC		 948 */
949 if (use_ext_cache
950 && (!TEST_int_eq(new_called, 1)
36ff232c 951 || !TEST_int_eq(remove_called, 0)))
7a301f08
MC		 952 goto end;
953 } else {
954 /*
955 * In TLSv1.2 we expect to have resumed so no sessions added or
956 * removed.
957 */
958 if (use_ext_cache
959 && (!TEST_int_eq(new_called, 0)
960 || !TEST_int_eq(remove_called, 0)))
961 goto end;
962 }
c0537ebd
MC		 963
964 SSL_SESSION_free(sess1);
965 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
966 goto end;
967 shutdown_ssl_connection(serverssl2, clientssl2);
968 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 969
970 new_called = remove_called = 0;
710756a9
RS		 971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
972 &clientssl2, NULL, NULL))
973 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
974 SSL_ERROR_NONE)))
2cb4b5f6 975 goto end;
2cb4b5f6 976
710756a9 977 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 978 goto end;
2cb4b5f6 979
7a301f08 980 if (use_ext_cache
36ff232c
MC		 981 && (!TEST_int_eq(new_called, numnewsesstick)
982 || !TEST_int_eq(remove_called, 0)))
eaa776da 983 goto end;
eaa776da 984
c0537ebd 985 new_called = remove_called = 0;
2cb4b5f6 986 /*
710756a9
RS		 987 * This should clear sess2 from the cache because it is a "bad" session.
988 * See SSL_set_session() documentation.
2cb4b5f6 989 */
710756a9 990 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 991 goto end;
7a301f08
MC		 992 if (use_ext_cache
993 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 994 goto end;
710756a9 995 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 996 goto end;
2cb4b5f6 997
7e885b7b 998 if (use_int_cache) {
710756a9
RS		 999 /* Should succeeded because it should not already be in the cache */
1000 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1001 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1002 goto end;
eaa776da
MC		 1003 }
1004
c0537ebd 1005 new_called = remove_called = 0;
eaa776da 1006 /* This shouldn't be in the cache so should fail */
710756a9 1007 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1008 goto end;
2cb4b5f6 1009
7a301f08
MC		 1010 if (use_ext_cache
1011 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1012 goto end;
2cb4b5f6 1013
bf208d95 1014# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1015 new_called = remove_called = 0;
eaa776da
MC		 1016 /* Force a connection failure */
1017 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1018 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1019 &clientssl3, NULL, NULL))
1020 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1021 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1022 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1023 SSL_ERROR_NONE)))
eaa776da 1024 goto end;
b4982125 1025
eaa776da 1026 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1027 if (use_ext_cache
1028 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1029 goto end;
2cb4b5f6 1030
710756a9 1031 /* Should succeed because it should not already be in the cache */
7e885b7b 1032 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1033 goto end;
bf208d95 1034# endif
eaa776da 1035
7a301f08
MC		 1036 /* Now do some tests for server side caching */
1037 if (use_ext_cache) {
1038 SSL_CTX_sess_set_new_cb(cctx, NULL);
1039 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1040 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1041 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1042 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1043 get_sess_val = NULL;
1044 }
1045
1046 SSL_CTX_set_session_cache_mode(cctx, 0);
1047 /* Internal caching is the default on the server side */
1048 if (!use_int_cache)
1049 SSL_CTX_set_session_cache_mode(sctx,
1050 SSL_SESS_CACHE_SERVER
1051 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1052
1053 SSL_free(serverssl1);
1054 SSL_free(clientssl1);
1055 serverssl1 = clientssl1 = NULL;
1056 SSL_free(serverssl2);
1057 SSL_free(clientssl2);
1058 serverssl2 = clientssl2 = NULL;
1059 SSL_SESSION_free(sess1);
1060 sess1 = NULL;
1061 SSL_SESSION_free(sess2);
1062 sess2 = NULL;
1063
1064 SSL_CTX_set_max_proto_version(sctx, maxprot);
1065 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1066 new_called = remove_called = get_called = 0;
7a301f08
MC		 1067 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1068 NULL, NULL))
1069 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1070 SSL_ERROR_NONE))
1071 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1072 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1073 goto end;
1074
ee94ec2e
MC		 1075 if (use_int_cache) {
1076 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1077 /*
1078 * In TLSv1.3 it should not have been added to the internal cache,
1079 * except in the case where we also have an external cache (in that
1080 * case it gets added to the cache in order to generate remove
1081 * events after timeout).
1082 */
1083 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1084 goto end;
1085 } else {
1086 /* Should fail because it should already be in the cache */
1087 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1088 goto end;
1089 }
1090 }
7a301f08
MC		 1091
1092 if (use_ext_cache) {
1093 SSL_SESSION *tmp = sess2;
1094
36ff232c 1095 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1096 || !TEST_int_eq(remove_called, 0)
1097 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1098 goto end;
1099 /*
1100 * Delete the session from the internal cache to force a lookup from
1101 * the external cache. We take a copy first because
1102 * SSL_CTX_remove_session() also marks the session as non-resumable.
1103 */
ee94ec2e 1104 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1105 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1106 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1107 goto end;
1108 SSL_SESSION_free(sess2);
1109 }
7a301f08
MC		 1110 sess2 = tmp;
1111 }
1112
0afca811 1113 new_called = remove_called = get_called = 0;
7a301f08
MC		 1114 get_sess_val = sess2;
1115 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1116 &clientssl2, NULL, NULL))
1117 || !TEST_true(SSL_set_session(clientssl2, sess1))
1118 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1119 SSL_ERROR_NONE))
1120 || !TEST_true(SSL_session_reused(clientssl2)))
1121 goto end;
1122
0afca811 1123 if (use_ext_cache) {
32305f88 1124 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1125 goto end;
1126
1127 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1128 if (!TEST_int_eq(new_called, 1)
1129 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1130 goto end;
1131 } else {
32305f88
MC		 1132 if (!TEST_int_eq(new_called, 0)
1133 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1134 goto end;
1135 }
1136 }
7a301f08 1137
2cb4b5f6 1138 testresult = 1;
eaa776da 1139
2cb4b5f6
MC		 1140 end:
1141 SSL_free(serverssl1);
1142 SSL_free(clientssl1);
1143 SSL_free(serverssl2);
1144 SSL_free(clientssl2);
bf208d95 1145# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1146 SSL_free(serverssl3);
1147 SSL_free(clientssl3);
bf208d95 1148# endif
2cb4b5f6
MC		 1149 SSL_SESSION_free(sess1);
1150 SSL_SESSION_free(sess2);
1151 SSL_CTX_free(sctx);
1152 SSL_CTX_free(cctx);
1153
1154 return testresult;
1155}
bf208d95 1156#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1157
7fb4c820
MC		 1158static int test_session_with_only_int_cache(void)
1159{
7a301f08
MC		 1160#ifndef OPENSSL_NO_TLS1_3
1161 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1162 return 0;
1163#endif
1164
1165#ifndef OPENSSL_NO_TLS1_2
1166 return execute_test_session(TLS1_2_VERSION, 1, 0);
1167#else
1168 return 1;
1169#endif
eaa776da
MC		 1170}
1171
7fb4c820
MC		 1172static int test_session_with_only_ext_cache(void)
1173{
7a301f08
MC		 1174#ifndef OPENSSL_NO_TLS1_3
1175 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1176 return 0;
1177#endif
1178
1179#ifndef OPENSSL_NO_TLS1_2
1180 return execute_test_session(TLS1_2_VERSION, 0, 1);
1181#else
1182 return 1;
1183#endif
eaa776da
MC		 1184}
1185
7fb4c820
MC		 1186static int test_session_with_both_cache(void)
1187{
7a301f08
MC		 1188#ifndef OPENSSL_NO_TLS1_3
1189 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1190 return 0;
1191#endif
1192
1193#ifndef OPENSSL_NO_TLS1_2
1194 return execute_test_session(TLS1_2_VERSION, 1, 1);
1195#else
1196 return 1;
1197#endif
eaa776da
MC		 1198}
1199
c22365b3
MC		 1200static SSL_SESSION *sesscache[6];
1201static int do_cache;
36ff232c
MC		 1202
1203static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1204{
c22365b3
MC		 1205 if (do_cache) {
1206 sesscache[new_called] = sess;
1207 } else {
1208 /* We don't need the reference to the session, so free it */
1209 SSL_SESSION_free(sess);
1210 }
1211 new_called++;
1212
1213 return 1;
1214}
1215
1216static int post_handshake_verify(SSL *sssl, SSL *cssl)
1217{
1218 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1219 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1220 return 0;
1221
1222 /* Start handshake on the server and client */
1223 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1224 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1225 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1226 || !TEST_true(create_ssl_connection(sssl, cssl,
1227 SSL_ERROR_NONE)))
1228 return 0;
36ff232c
MC		 1229
1230 return 1;
1231}
1232
1233static int test_tickets(int idx)
1234{
1235 SSL_CTX *sctx = NULL, *cctx = NULL;
1236 SSL *serverssl = NULL, *clientssl = NULL;
1237 int testresult = 0, i;
1238 size_t j;
1239
1240 /* idx is the test number, but also the number of tickets we want */
1241
1242 new_called = 0;
c22365b3 1243 do_cache = 1;
36ff232c
MC		 1244
1245 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1246 TLS1_VERSION, TLS_MAX_VERSION, &sctx,
1247 &cctx, cert, privkey))
1248 || !TEST_true(SSL_CTX_set_num_tickets(sctx, idx)))
1249 goto end;
1250
1251 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
1252 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1253 SSL_CTX_sess_set_new_cb(cctx, new_cachesession_cb);
1254
1255 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1256 &clientssl, NULL, NULL)))
1257 goto end;
1258
1259 SSL_force_post_handshake_auth(clientssl);
1260
1261 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1262 SSL_ERROR_NONE))
1263 /* Check we got the number of tickets we were expecting */
1264 || !TEST_int_eq(idx, new_called))
1265 goto end;
1266
1267 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 1268 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 1269 || !TEST_int_eq(idx * 2, new_called))
1270 goto end;
1271
36ff232c
MC		 1272 SSL_shutdown(clientssl);
1273 SSL_shutdown(serverssl);
1274 SSL_free(serverssl);
1275 SSL_free(clientssl);
1276 serverssl = clientssl = NULL;
1277
c22365b3
MC		 1278 /* Stop caching sessions - just count them */
1279 do_cache = 0;
1280
36ff232c 1281 /* Test that we can resume with all the tickets we got given */
c22365b3
MC		 1282 for (i = 0; i < idx * 2; i++) {
1283 new_called = 0;
36ff232c
MC		 1284 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1285 &clientssl, NULL, NULL))
c22365b3
MC		 1286 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
1287 goto end;
1288
1289 SSL_force_post_handshake_auth(clientssl);
1290
1291 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
36ff232c 1292 SSL_ERROR_NONE))
c22365b3
MC		 1293 || !TEST_true(SSL_session_reused(clientssl))
1294 /* Following a resumption we only get 1 ticket */
1295 || !TEST_int_eq(new_called, 1))
1296 goto end;
1297
1298 new_called = 0;
1299 /* After a post-handshake authentication we should get 1 new ticket */
1300 if (!post_handshake_verify(serverssl, clientssl)
1301 || !TEST_int_eq(new_called, 1))
36ff232c
MC		 1302 goto end;
1303
1304 SSL_shutdown(clientssl);
1305 SSL_shutdown(serverssl);
1306 SSL_free(serverssl);
1307 SSL_free(clientssl);
1308 serverssl = clientssl = NULL;
1309 SSL_SESSION_free(sesscache[i]);
1310 sesscache[i] = NULL;
1311 }
1312
1313 testresult = 1;
1314
1315 end:
1316 SSL_free(serverssl);
1317 SSL_free(clientssl);
c22365b3 1318 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 1319 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 1320 sesscache[j] = NULL;
1321 }
36ff232c
MC		 1322 SSL_CTX_free(sctx);
1323 SSL_CTX_free(cctx);
1324
1325 return testresult;
1326}
1327
7d4488bb
MC		 1328#define USE_NULL 0
1329#define USE_BIO_1 1
1330#define USE_BIO_2 2
1331#define USE_DEFAULT 3
1332
1333#define CONNTYPE_CONNECTION_SUCCESS 0
1334#define CONNTYPE_CONNECTION_FAIL 1
1335#define CONNTYPE_NO_CONNECTION 2
1336
1337#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1338#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
1339#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
1340# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
1341#else
1342# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
1343#endif
1344
7d4488bb
MC		 1345#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
1346 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
1347 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 1348
1349static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1350{
1351 switch (type) {
1352 case USE_NULL:
1353 *res = NULL;
1354 break;
1355 case USE_BIO_1:
1356 *res = bio1;
1357 break;
1358 case USE_BIO_2:
1359 *res = bio2;
1360 break;
1361 }
1362}
1363
7d4488bb
MC		 1364
1365/*
1366 * Tests calls to SSL_set_bio() under various conditions.
1367 *
1368 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
1369 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
1370 * then do more tests where we create a successful connection first using our
1371 * standard connection setup functions, and then call SSL_set_bio() with
1372 * various combinations of valid BIOs or NULL. We then repeat these tests
1373 * following a failed connection. In this last case we are looking to check that
1374 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
1375 */
7fb4c820
MC		 1376static int test_ssl_set_bio(int idx)
1377{
7d4488bb 1378 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 1379 BIO *bio1 = NULL;
1380 BIO *bio2 = NULL;
0fae8150 1381 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 1382 SSL *serverssl = NULL, *clientssl = NULL;
1383 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 1384 int testresult = 0;
1385
7d4488bb
MC		 1386 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
1387 initrbio = idx % 3;
1388 idx /= 3;
1389 initwbio = idx % 3;
1390 idx /= 3;
1391 newrbio = idx % 3;
1392 idx /= 3;
1393 newwbio = idx % 3;
1394 conntype = CONNTYPE_NO_CONNECTION;
1395 } else {
1396 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
1397 initrbio = initwbio = USE_DEFAULT;
1398 newrbio = idx % 2;
1399 idx /= 2;
1400 newwbio = idx % 2;
1401 idx /= 2;
1402 conntype = idx % 2;
1403 }
710756a9 1404
7d4488bb
MC		 1405 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1406 TLS1_VERSION, TLS_MAX_VERSION,
1407 &sctx, &cctx, cert, privkey)))
1408 goto end;
1409
1410 if (conntype == CONNTYPE_CONNECTION_FAIL) {
1411 /*
1412 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
1413 * because we reduced the number of tests in the definition of
1414 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
1415 * mismatched protocol versions we will force a connection failure.
1416 */
1417 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
1418 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1419 }
1420
1421 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1422 NULL, NULL)))
710756a9 1423 goto end;
7fb4c820 1424
710756a9
RS		 1425 if (initrbio == USE_BIO_1
1426 || initwbio == USE_BIO_1
1427 || newrbio == USE_BIO_1
7fb4c820 1428 || newwbio == USE_BIO_1) {
710756a9 1429 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1430 goto end;
7fb4c820
MC		 1431 }
1432
710756a9
RS		 1433 if (initrbio == USE_BIO_2
1434 || initwbio == USE_BIO_2
1435 || newrbio == USE_BIO_2
7fb4c820 1436 || newwbio == USE_BIO_2) {
710756a9 1437 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1438 goto end;
7fb4c820
MC		 1439 }
1440
7d4488bb
MC		 1441 if (initrbio != USE_DEFAULT) {
1442 setupbio(&irbio, bio1, bio2, initrbio);
1443 setupbio(&iwbio, bio1, bio2, initwbio);
1444 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 1445
7d4488bb
MC		 1446 /*
1447 * We want to maintain our own refs to these BIO, so do an up ref for
1448 * each BIO that will have ownership transferred in the SSL_set_bio()
1449 * call
1450 */
1451 if (irbio != NULL)
1452 BIO_up_ref(irbio);
1453 if (iwbio != NULL && iwbio != irbio)
1454 BIO_up_ref(iwbio);
1455 }
7fb4c820 1456
7d4488bb
MC		 1457 if (conntype != CONNTYPE_NO_CONNECTION
1458 && !TEST_true(create_ssl_connection(serverssl, clientssl,
1459 SSL_ERROR_NONE)
1460 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
1461 goto end;
7fb4c820
MC		 1462
1463 setupbio(&nrbio, bio1, bio2, newrbio);
1464 setupbio(&nwbio, bio1, bio2, newwbio);
1465
1466 /*
1467 * We will (maybe) transfer ownership again so do more up refs.
1468 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1469 * already been set!
1470 */
710756a9
RS		 1471 if (nrbio != NULL
1472 && nrbio != irbio
1473 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1474 BIO_up_ref(nrbio);
710756a9
RS		 1475 if (nwbio != NULL
1476 && nwbio != nrbio
1477 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1478 BIO_up_ref(nwbio);
1479
7d4488bb 1480 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 1481
1482 testresult = 1;
1483
1484 end:
7fb4c820
MC		 1485 BIO_free(bio1);
1486 BIO_free(bio2);
710756a9 1487
7fb4c820
MC		 1488 /*
1489 * This test is checking that the ref counting for SSL_set_bio is correct.
1490 * If we get here and we did too many frees then we will fail in the above
1491 * functions. If we haven't done enough then this will only be detected in
1492 * a crypto-mdebug build
1493 */
7d4488bb
MC		 1494 SSL_free(serverssl);
1495 SSL_free(clientssl);
1496 SSL_CTX_free(sctx);
1497 SSL_CTX_free(cctx);
7fb4c820
MC		 1498 return testresult;
1499}
1500
7e885b7b 1501typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1502
7e885b7b 1503static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1504{
1505 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1506 SSL_CTX *ctx;
9a716987
MC		 1507 SSL *ssl = NULL;
1508 int testresult = 0;
1509
710756a9
RS		 1510 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1511 || !TEST_ptr(ssl = SSL_new(ctx))
1512 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1513 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1514 goto end;
9a716987
MC		 1515
1516 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1517
1518 /*
1519 * If anything goes wrong here then we could leak memory, so this will
1520 * be caught in a crypto-mdebug build
1521 */
1522 BIO_push(sslbio, membio1);
1523
69687aa8 1524 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1525 if (change_bio != NO_BIO_CHANGE) {
710756a9 1526 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1527 goto end;
7e885b7b 1528 if (change_bio == CHANGE_RBIO)
65e2d672 1529 SSL_set0_rbio(ssl, membio2);
9a716987 1530 else
65e2d672 1531 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1532 }
1533 ssl = NULL;
1534
7e885b7b 1535 if (pop_ssl)
9a716987
MC		 1536 BIO_pop(sslbio);
1537 else
1538 BIO_pop(membio1);
1539
1540 testresult = 1;
1541 end:
1542 BIO_free(membio1);
1543 BIO_free(sslbio);
1544 SSL_free(ssl);
1545 SSL_CTX_free(ctx);
1546
1547 return testresult;
1548}
1549
1550static int test_ssl_bio_pop_next_bio(void)
1551{
7e885b7b 1552 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1553}
1554
1555static int test_ssl_bio_pop_ssl_bio(void)
1556{
7e885b7b 1557 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1558}
1559
1560static int test_ssl_bio_change_rbio(void)
1561{
7e885b7b 1562 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1563}
1564
1565static int test_ssl_bio_change_wbio(void)
1566{
7e885b7b 1567 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1568}
1569
c423ecaa 1570#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1571typedef struct {
1572 /* The list of sig algs */
1573 const int *list;
1574 /* The length of the list */
1575 size_t listlen;
1576 /* A sigalgs list in string format */
1577 const char *liststr;
1578 /* Whether setting the list should succeed */
1579 int valid;
1580 /* Whether creating a connection with the list should succeed */
1581 int connsuccess;
1582} sigalgs_list;
1583
1584static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1585# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1586static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1587static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1588# endif
f1b25aae
MC		 1589static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1590static const int invalidlist2[] = {NID_sha256, NID_undef};
1591static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1592static const int invalidlist4[] = {NID_sha256};
1593static const sigalgs_list testsigalgs[] = {
1594 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1595# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1596 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1597 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1598# endif
f1b25aae 1599 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1600# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1601 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1602 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1603# endif
f1b25aae
MC		 1604 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1605 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1606 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1607 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1608 {NULL, 0, "RSA", 0, 0},
1609 {NULL, 0, "SHA256", 0, 0},
1610 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1611 {NULL, 0, "Invalid", 0, 0}
1612};
f1b25aae
MC		 1613
1614static int test_set_sigalgs(int idx)
1615{
1616 SSL_CTX *cctx = NULL, *sctx = NULL;
1617 SSL *clientssl = NULL, *serverssl = NULL;
1618 int testresult = 0;
1619 const sigalgs_list *curr;
1620 int testctx;
1621
1622 /* Should never happen */
710756a9 1623 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1624 return 0;
1625
1626 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1627 curr = testctx ? &testsigalgs[idx]
1628 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1629
7d7f6834
RL		 1630 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1631 TLS1_VERSION, TLS_MAX_VERSION,
1632 &sctx, &cctx, cert, privkey)))
f1b25aae 1633 return 0;
f1b25aae 1634
d2e491f2
MC		 1635 /*
1636 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1637 * for TLSv1.2 for now until we add a new API.
1638 */
1639 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1640
f1b25aae
MC		 1641 if (testctx) {
1642 int ret;
710756a9 1643
f1b25aae
MC		 1644 if (curr->list != NULL)
1645 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1646 else
1647 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1648
1649 if (!ret) {
1650 if (curr->valid)
710756a9 1651 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1652 else
1653 testresult = 1;
1654 goto end;
1655 }
1656 if (!curr->valid) {
710756a9 1657 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1658 goto end;
1659 }
1660 }
1661
710756a9
RS		 1662 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1663 &clientssl, NULL, NULL)))
f1b25aae 1664 goto end;
f1b25aae
MC		 1665
1666 if (!testctx) {
1667 int ret;
1668
1669 if (curr->list != NULL)
1670 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1671 else
1672 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1673 if (!ret) {
1674 if (curr->valid)
710756a9 1675 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1676 else
1677 testresult = 1;
1678 goto end;
1679 }
710756a9 1680 if (!curr->valid)
f1b25aae 1681 goto end;
f1b25aae
MC		 1682 }
1683
710756a9
RS		 1684 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1685 SSL_ERROR_NONE),
1686 curr->connsuccess))
f1b25aae 1687 goto end;
f1b25aae
MC		 1688
1689 testresult = 1;
1690
1691 end:
1692 SSL_free(serverssl);
1693 SSL_free(clientssl);
1694 SSL_CTX_free(sctx);
1695 SSL_CTX_free(cctx);
1696
1697 return testresult;
1698}
c423ecaa 1699#endif
f1b25aae 1700
fff202e5
MC		 1701#ifndef OPENSSL_NO_TLS1_3
1702
57dee9bb
MC		 1703static SSL_SESSION *clientpsk = NULL;
1704static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1705static const char *pskid = "Identity";
1706static const char *srvid;
1707
1708static int use_session_cb_cnt = 0;
1709static int find_session_cb_cnt = 0;
532f9578
MC		 1710static int psk_client_cb_cnt = 0;
1711static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 1712
1713static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1714 size_t *idlen, SSL_SESSION **sess)
1715{
1716 switch (++use_session_cb_cnt) {
1717 case 1:
1718 /* The first call should always have a NULL md */
1719 if (md != NULL)
1720 return 0;
1721 break;
1722
1723 case 2:
1724 /* The second call should always have an md */
1725 if (md == NULL)
1726 return 0;
1727 break;
1728
1729 default:
1730 /* We should only be called a maximum of twice */
1731 return 0;
1732 }
1733
57dee9bb
MC		 1734 if (clientpsk != NULL)
1735 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1736
57dee9bb 1737 *sess = clientpsk;
02a3ed5a
MC		 1738 *id = (const unsigned char *)pskid;
1739 *idlen = strlen(pskid);
1740
1741 return 1;
1742}
1743
c2b290c3 1744#ifndef OPENSSL_NO_PSK
532f9578
MC		 1745static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
1746 unsigned int max_id_len,
1747 unsigned char *psk,
1748 unsigned int max_psk_len)
1749{
1750 unsigned int psklen = 0;
1751
1752 psk_client_cb_cnt++;
1753
1754 if (strlen(pskid) + 1 > max_id_len)
1755 return 0;
1756
1757 /* We should only ever be called a maximum of twice per connection */
1758 if (psk_client_cb_cnt > 2)
1759 return 0;
1760
1761 if (clientpsk == NULL)
1762 return 0;
1763
1764 /* We'll reuse the PSK we set up for TLSv1.3 */
1765 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
1766 return 0;
1767 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
1768 strncpy(id, pskid, max_id_len);
1769
1770 return psklen;
1771}
c2b290c3 1772#endif /* OPENSSL_NO_PSK */
532f9578 1773
02a3ed5a
MC		 1774static int find_session_cb(SSL *ssl, const unsigned char *identity,
1775 size_t identity_len, SSL_SESSION **sess)
1776{
1777 find_session_cb_cnt++;
1778
1779 /* We should only ever be called a maximum of twice per connection */
1780 if (find_session_cb_cnt > 2)
1781 return 0;
1782
57dee9bb 1783 if (serverpsk == NULL)
02a3ed5a
MC		 1784 return 0;
1785
1786 /* Identity should match that set by the client */
1787 if (strlen(srvid) != identity_len
1788 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1789 /* No PSK found, continue but without a PSK */
1790 *sess = NULL;
1791 return 1;
1792 }
1793
57dee9bb
MC		 1794 SSL_SESSION_up_ref(serverpsk);
1795 *sess = serverpsk;
02a3ed5a
MC		 1796
1797 return 1;
1798}
1799
c2b290c3 1800#ifndef OPENSSL_NO_PSK
532f9578
MC		 1801static unsigned int psk_server_cb(SSL *ssl, const char *identity,
1802 unsigned char *psk, unsigned int max_psk_len)
1803{
1804 unsigned int psklen = 0;
1805
1806 psk_server_cb_cnt++;
1807
1808 /* We should only ever be called a maximum of twice per connection */
1809 if (find_session_cb_cnt > 2)
1810 return 0;
1811
1812 if (serverpsk == NULL)
1813 return 0;
1814
1815 /* Identity should match that set by the client */
1816 if (strcmp(srvid, identity) != 0) {
1817 return 0;
1818 }
1819
1820 /* We'll reuse the PSK we set up for TLSv1.3 */
1821 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
1822 return 0;
1823 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
1824
1825 return psklen;
1826}
c2b290c3 1827#endif /* OPENSSL_NO_PSK */
532f9578 1828
5f982038
MC		 1829#define MSG1 "Hello"
1830#define MSG2 "World."
1831#define MSG3 "This"
1832#define MSG4 "is"
1833#define MSG5 "a"
90049cea
MC		 1834#define MSG6 "test"
1835#define MSG7 "message."
5f982038 1836
02a3ed5a 1837#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
532f9578 1838#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
02a3ed5a 1839
5f982038
MC		 1840/*
1841 * Helper method to setup objects for early data test. Caller frees objects on
1842 * error.
1843 */
1844static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1845 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1846{
7d7f6834
RL		 1847 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
1848 TLS1_VERSION, TLS_MAX_VERSION,
1849 sctx, cctx, cert, privkey))
c39e4048 1850 || !TEST_true(SSL_CTX_set_max_early_data(*sctx,
c39e4048 1851 SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 1852 return 0;
5f982038 1853
02a3ed5a
MC		 1854 if (idx == 1) {
1855 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1856 SSL_CTX_set_read_ahead(*cctx, 1);
1857 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1858 } else if (idx == 2) {
1859 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1860 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1861 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1862 use_session_cb_cnt = 0;
1863 find_session_cb_cnt = 0;
1864 srvid = pskid;
3cb47b4e
MC		 1865 }
1866
710756a9 1867 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1868 NULL, NULL)))
1869 return 0;
1870
141e4709
MC		 1871 /*
1872 * For one of the run throughs (doesn't matter which one), we'll try sending
1873 * some SNI data in the initial ClientHello. This will be ignored (because
1874 * there is no SNI cb set up by the server), so it should not impact
1875 * early_data.
1876 */
1877 if (idx == 1
1878 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1879 return 0;
1880
02a3ed5a
MC		 1881 if (idx == 2) {
1882 /* Create the PSK */
1883 const SSL_CIPHER *cipher = NULL;
1884 const unsigned char key[] = {
1885 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1886 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1887 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1888 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1889 0x2c, 0x2d, 0x2e, 0x2f
1890 };
1891
1892 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1893 clientpsk = SSL_SESSION_new();
1894 if (!TEST_ptr(clientpsk)
02a3ed5a 1895 || !TEST_ptr(cipher)
57dee9bb 1896 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1897 sizeof(key)))
57dee9bb 1898 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1899 || !TEST_true(
57dee9bb 1900 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1901 TLS1_3_VERSION))
1902 /*
1903 * We just choose an arbitrary value for max_early_data which
1904 * should be big enough for testing purposes.
1905 */
57dee9bb
MC		 1906 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1907 0x100))
1908 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1909 SSL_SESSION_free(clientpsk);
1910 clientpsk = NULL;
02a3ed5a
MC		 1911 return 0;
1912 }
57dee9bb 1913 serverpsk = clientpsk;
02a3ed5a 1914
c20e3b28
MC		 1915 if (sess != NULL) {
1916 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1917 SSL_SESSION_free(clientpsk);
1918 SSL_SESSION_free(serverpsk);
1919 clientpsk = serverpsk = NULL;
1920 return 0;
1921 }
57dee9bb 1922 *sess = clientpsk;
c20e3b28 1923 }
02a3ed5a
MC		 1924 return 1;
1925 }
1926
1927 if (sess == NULL)
1928 return 1;
1929
1930 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1931 SSL_ERROR_NONE)))
5f982038 1932 return 0;
5f982038
MC		 1933
1934 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1935 SSL_shutdown(*clientssl);
1936 SSL_shutdown(*serverssl);
5f982038
MC		 1937 SSL_free(*serverssl);
1938 SSL_free(*clientssl);
1939 *serverssl = *clientssl = NULL;
1940
710756a9
RS		 1941 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1942 clientssl, NULL, NULL))
1943 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1944 return 0;
5f982038
MC		 1945
1946 return 1;
1947}
1948
3cb47b4e 1949static int test_early_data_read_write(int idx)
5f982038
MC		 1950{
1951 SSL_CTX *cctx = NULL, *sctx = NULL;
1952 SSL *clientssl = NULL, *serverssl = NULL;
1953 int testresult = 0;
1954 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1955 unsigned char buf[20], data[1024];
1956 size_t readbytes, written, eoedlen, rawread, rawwritten;
1957 BIO *rbio;
5f982038 1958
710756a9
RS		 1959 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1960 &serverssl, &sess, idx)))
5f982038
MC		 1961 goto end;
1962
1963 /* Write and read some early data */
710756a9
RS		 1964 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1965 &written))
1966 || !TEST_size_t_eq(written, strlen(MSG1))
1967 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1968 sizeof(buf), &readbytes),
1969 SSL_READ_EARLY_DATA_SUCCESS)
1970 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1971 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1972 SSL_EARLY_DATA_ACCEPTED))
5f982038 1973 goto end;
5f982038
MC		 1974
1975 /*
09f28874 1976 * Server should be able to write data, and client should be able to
5f982038
MC		 1977 * read it.
1978 */
710756a9
RS		 1979 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1980 &written))
1981 || !TEST_size_t_eq(written, strlen(MSG2))
1982 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1983 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1984 goto end;
5f982038
MC		 1985
1986 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1987 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1988 &written))
1989 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1990 goto end;
5f982038 1991
09f28874 1992 /* Server should still be able read early data after writing data */
710756a9
RS		 1993 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1994 &readbytes),
1995 SSL_READ_EARLY_DATA_SUCCESS)
1996 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 1997 goto end;
5f982038 1998
09f28874 1999 /* Write more data from server and read it from client */
710756a9
RS		 2000 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
2001 &written))
2002 || !TEST_size_t_eq(written, strlen(MSG4))
2003 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2004 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 2005 goto end;
5f982038
MC		 2006
2007 /*
2008 * If client writes normal data it should mean writing early data is no
2009 * longer possible.
2010 */
710756a9
RS		 2011 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2012 || !TEST_size_t_eq(written, strlen(MSG5))
2013 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2014 SSL_EARLY_DATA_ACCEPTED))
5f982038 2015 goto end;
5f982038 2016
9b5c865d
MC		 2017 /*
2018 * At this point the client has written EndOfEarlyData, ClientFinished and
2019 * normal (fully protected) data. We are going to cause a delay between the
2020 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
2021 * in the read BIO, and then just put back the EndOfEarlyData message.
2022 */
2023 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 2024 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
2025 || !TEST_size_t_lt(rawread, sizeof(data))
2026 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 2027 goto end;
710756a9 2028
9b5c865d
MC		 2029 /* Record length is in the 4th and 5th bytes of the record header */
2030 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 2031 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
2032 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 2033 goto end;
9b5c865d 2034
5f982038 2035 /* Server should be told that there is no more early data */
710756a9
RS		 2036 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2037 &readbytes),
2038 SSL_READ_EARLY_DATA_FINISH)
2039 || !TEST_size_t_eq(readbytes, 0))
5f982038 2040 goto end;
5f982038 2041
9b5c865d
MC		 2042 /*
2043 * Server has not finished init yet, so should still be able to write early
2044 * data.
2045 */
710756a9
RS		 2046 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
2047 &written))
2048 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 2049 goto end;
9b5c865d 2050
f8a303fa 2051 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 2052 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
2053 &rawwritten))
2054 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 2055 goto end;
f8a303fa 2056
5f982038 2057 /* Server should be able to read normal data */
710756a9
RS		 2058 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2059 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2060 goto end;
5f982038 2061
09f28874 2062 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2063 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2064 &written)))
5f982038 2065 goto end;
5f982038 2066 ERR_clear_error();
710756a9
RS		 2067 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2068 &readbytes),
2069 SSL_READ_EARLY_DATA_ERROR))
5f982038 2070 goto end;
5f982038
MC		 2071 ERR_clear_error();
2072
9b5c865d 2073 /* Client should be able to read the data sent by the server */
710756a9
RS		 2074 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2075 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 2076 goto end;
710756a9 2077
f8a303fa 2078 /*
36ff232c
MC		 2079 * Make sure we process the two NewSessionTickets. These arrive
2080 * post-handshake. We attempt reads which we do not expect to return any
2081 * data.
f8a303fa 2082 */
36ff232c
MC		 2083 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2084 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
2085 &readbytes)))
f8a303fa 2086 goto end;
5f982038 2087
90049cea 2088 /* Server should be able to write normal data */
710756a9
RS		 2089 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
2090 || !TEST_size_t_eq(written, strlen(MSG7))
2091 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2092 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 2093 goto end;
90049cea 2094
c20e3b28 2095 SSL_SESSION_free(sess);
5f982038 2096 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 2097 use_session_cb_cnt = 0;
2098 find_session_cb_cnt = 0;
5f982038
MC		 2099
2100 SSL_shutdown(clientssl);
2101 SSL_shutdown(serverssl);
5f982038
MC		 2102 SSL_free(serverssl);
2103 SSL_free(clientssl);
2104 serverssl = clientssl = NULL;
710756a9
RS		 2105 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2106 &clientssl, NULL, NULL))
2107 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 2108 goto end;
5f982038
MC		 2109
2110 /* Write and read some early data */
710756a9
RS		 2111 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2112 &written))
2113 || !TEST_size_t_eq(written, strlen(MSG1))
2114 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2115 &readbytes),
2116 SSL_READ_EARLY_DATA_SUCCESS)
2117 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 2118 goto end;
5f982038 2119
710756a9
RS		 2120 if (!TEST_int_gt(SSL_connect(clientssl), 0)
2121 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 2122 goto end;
5f982038 2123
09f28874 2124 /* Client and server should not be able to write/read early data now */
710756a9
RS		 2125 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
2126 &written)))
5f982038 2127 goto end;
5f982038 2128 ERR_clear_error();
710756a9
RS		 2129 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2130 &readbytes),
2131 SSL_READ_EARLY_DATA_ERROR))
5f982038 2132 goto end;
5f982038
MC		 2133 ERR_clear_error();
2134
2135 /* Client and server should be able to write/read normal data */
710756a9
RS		 2136 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
2137 || !TEST_size_t_eq(written, strlen(MSG5))
2138 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2139 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 2140 goto end;
5f982038
MC		 2141
2142 testresult = 1;
2143
2144 end:
c20e3b28 2145 SSL_SESSION_free(sess);
57dee9bb
MC		 2146 SSL_SESSION_free(clientpsk);
2147 SSL_SESSION_free(serverpsk);
2148 clientpsk = serverpsk = NULL;
5f982038
MC		 2149 SSL_free(serverssl);
2150 SSL_free(clientssl);
2151 SSL_CTX_free(sctx);
2152 SSL_CTX_free(cctx);
5f982038
MC		 2153 return testresult;
2154}
2155
78fb5374
MC		 2156static int test_early_data_replay(int idx)
2157{
2158 SSL_CTX *cctx = NULL, *sctx = NULL;
2159 SSL *clientssl = NULL, *serverssl = NULL;
2160 int testresult = 0;
2161 SSL_SESSION *sess = NULL;
2162
2163 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2164 &serverssl, &sess, idx)))
2165 goto end;
2166
2167 /*
2168 * The server is configured to accept early data. Create a connection to
2169 * "use up" the ticket
2170 */
2171 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2172 || !TEST_true(SSL_session_reused(clientssl)))
2173 goto end;
2174
2175 SSL_shutdown(clientssl);
2176 SSL_shutdown(serverssl);
2177 SSL_free(serverssl);
2178 SSL_free(clientssl);
2179 serverssl = clientssl = NULL;
2180
2181 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2182 &clientssl, NULL, NULL))
2183 || !TEST_true(SSL_set_session(clientssl, sess))
2184 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2185 SSL_ERROR_NONE))
2186 /*
2187 * This time we should not have resumed the session because we
2188 * already used it once.
2189 */
2190 || !TEST_false(SSL_session_reused(clientssl)))
2191 goto end;
2192
2193 testresult = 1;
2194
2195 end:
c20e3b28 2196 SSL_SESSION_free(sess);
78fb5374
MC		 2197 SSL_SESSION_free(clientpsk);
2198 SSL_SESSION_free(serverpsk);
2199 clientpsk = serverpsk = NULL;
2200 SSL_free(serverssl);
2201 SSL_free(clientssl);
2202 SSL_CTX_free(sctx);
2203 SSL_CTX_free(cctx);
2204 return testresult;
2205}
2206
710756a9 2207/*
6b84e6bf
MC		 2208 * Helper function to test that a server attempting to read early data can
2209 * handle a connection from a client where the early data should be skipped.
710756a9 2210 */
6b84e6bf 2211static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 2212{
2213 SSL_CTX *cctx = NULL, *sctx = NULL;
2214 SSL *clientssl = NULL, *serverssl = NULL;
2215 int testresult = 0;
018fcbec 2216 SSL_SESSION *sess = NULL;
5f982038
MC		 2217 unsigned char buf[20];
2218 size_t readbytes, written;
2219
710756a9
RS		 2220 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2221 &serverssl, &sess, idx)))
5f982038
MC		 2222 goto end;
2223
6b84e6bf
MC		 2224 if (hrr) {
2225 /* Force an HRR to occur */
2226 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2227 goto end;
02a3ed5a
MC		 2228 } else if (idx == 2) {
2229 /*
2230 * We force early_data rejection by ensuring the PSK identity is
2231 * unrecognised
2232 */
2233 srvid = "Dummy Identity";
6b84e6bf
MC		 2234 } else {
2235 /*
2236 * Deliberately corrupt the creation time. We take 20 seconds off the
2237 * time. It could be any value as long as it is not within tolerance.
2238 * This should mean the ticket is rejected.
2239 */
5d99881e 2240 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 2241 goto end;
2242 }
5f982038
MC		 2243
2244 /* Write some early data */
710756a9
RS		 2245 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2246 &written))
2247 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 2248 goto end;
5f982038
MC		 2249
2250 /* Server should reject the early data and skip over it */
710756a9
RS		 2251 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2252 &readbytes),
2253 SSL_READ_EARLY_DATA_FINISH)
2254 || !TEST_size_t_eq(readbytes, 0)
2255 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2256 SSL_EARLY_DATA_REJECTED))
5f982038 2257 goto end;
5f982038 2258
6b84e6bf
MC		 2259 if (hrr) {
2260 /*
2261 * Finish off the handshake. We perform the same writes and reads as
2262 * further down but we expect them to fail due to the incomplete
2263 * handshake.
2264 */
2265 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2266 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
2267 &readbytes)))
2268 goto end;
2269 }
2270
710756a9
RS		 2271 /* Should be able to send normal data despite rejection of early data */
2272 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2273 || !TEST_size_t_eq(written, strlen(MSG2))
2274 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2275 SSL_EARLY_DATA_REJECTED)
2276 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2277 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2278 goto end;
5f982038
MC		 2279
2280 testresult = 1;
2281
2282 end:
c20e3b28 2283 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2284 SSL_SESSION_free(serverpsk);
2285 clientpsk = serverpsk = NULL;
5f982038
MC		 2286 SSL_SESSION_free(sess);
2287 SSL_free(serverssl);
2288 SSL_free(clientssl);
2289 SSL_CTX_free(sctx);
2290 SSL_CTX_free(cctx);
5f982038
MC		 2291 return testresult;
2292}
2293
6b84e6bf
MC		 2294/*
2295 * Test that a server attempting to read early data can handle a connection
2296 * from a client where the early data is not acceptable.
2297 */
2298static int test_early_data_skip(int idx)
2299{
2300 return early_data_skip_helper(0, idx);
2301}
2302
2303/*
2304 * Test that a server attempting to read early data can handle a connection
2305 * from a client where an HRR occurs.
2306 */
2307static int test_early_data_skip_hrr(int idx)
2308{
2309 return early_data_skip_helper(1, idx);
2310}
2311
710756a9
RS		 2312/*
2313 * Test that a server attempting to read early data can handle a connection
2314 * from a client that doesn't send any.
2315 */
3cb47b4e 2316static int test_early_data_not_sent(int idx)
5f982038
MC		 2317{
2318 SSL_CTX *cctx = NULL, *sctx = NULL;
2319 SSL *clientssl = NULL, *serverssl = NULL;
2320 int testresult = 0;
018fcbec 2321 SSL_SESSION *sess = NULL;
5f982038
MC		 2322 unsigned char buf[20];
2323 size_t readbytes, written;
2324
710756a9
RS		 2325 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2326 &serverssl, &sess, idx)))
5f982038
MC		 2327 goto end;
2328
2329 /* Write some data - should block due to handshake with server */
2330 SSL_set_connect_state(clientssl);
710756a9 2331 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2332 goto end;
5f982038
MC		 2333
2334 /* Server should detect that early data has not been sent */
710756a9
RS		 2335 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2336 &readbytes),
2337 SSL_READ_EARLY_DATA_FINISH)
2338 || !TEST_size_t_eq(readbytes, 0)
2339 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2340 SSL_EARLY_DATA_NOT_SENT)
2341 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2342 SSL_EARLY_DATA_NOT_SENT))
5f982038 2343 goto end;
5f982038
MC		 2344
2345 /* Continue writing the message we started earlier */
710756a9
RS		 2346 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2347 || !TEST_size_t_eq(written, strlen(MSG1))
2348 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2349 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2350 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
2351 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2352 goto end;
5f982038 2353
3cb47b4e
MC		 2354 /*
2355 * Should block due to the NewSessionTicket arrival unless we're using
c0638ade 2356 * read_ahead, or PSKs
3cb47b4e 2357 */
c0638ade 2358 if (idx != 1 && idx != 2) {
710756a9 2359 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
3cb47b4e 2360 goto end;
5f982038
MC		 2361 }
2362
710756a9
RS		 2363 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
2364 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2365 goto end;
5f982038
MC		 2366
2367 testresult = 1;
2368
2369 end:
5f982038 2370 SSL_SESSION_free(sess);
c20e3b28 2371 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2372 SSL_SESSION_free(serverpsk);
2373 clientpsk = serverpsk = NULL;
5f982038
MC		 2374 SSL_free(serverssl);
2375 SSL_free(clientssl);
2376 SSL_CTX_free(sctx);
2377 SSL_CTX_free(cctx);
5f982038
MC		 2378 return testresult;
2379}
2380
976e5323
MC		 2381static int hostname_cb(SSL *s, int *al, void *arg)
2382{
2383 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2384
281bf233 2385 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 2386 return SSL_TLSEXT_ERR_OK;
2387
2388 return SSL_TLSEXT_ERR_NOACK;
2389}
2390
2391static const char *servalpn;
2392
c7558d5b
PY		 2393static int alpn_select_cb(SSL *ssl, const unsigned char **out,
2394 unsigned char *outlen, const unsigned char *in,
2395 unsigned int inlen, void *arg)
976e5323 2396{
c7558d5b 2397 unsigned int protlen = 0;
976e5323
MC		 2398 const unsigned char *prot;
2399
c7558d5b
PY		 2400 for (prot = in; prot < in + inlen; prot += protlen) {
2401 protlen = *prot++;
5d99881e 2402 if (in + inlen < prot + protlen)
976e5323
MC		 2403 return SSL_TLSEXT_ERR_NOACK;
2404
2405 if (protlen == strlen(servalpn)
0bd42fde 2406 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 2407 *out = prot;
2408 *outlen = protlen;
2409 return SSL_TLSEXT_ERR_OK;
2410 }
2411 }
2412
2413 return SSL_TLSEXT_ERR_NOACK;
2414}
2415
57dee9bb 2416/* Test that a PSK can be used to send early_data */
976e5323
MC		 2417static int test_early_data_psk(int idx)
2418{
2419 SSL_CTX *cctx = NULL, *sctx = NULL;
2420 SSL *clientssl = NULL, *serverssl = NULL;
2421 int testresult = 0;
2422 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2423 unsigned char alpnlist[] = {
2424 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2425 'l', 'p', 'n'
2426 };
2427#define GOODALPNLEN 9
2428#define BADALPNLEN 8
2429#define GOODALPN (alpnlist)
2430#define BADALPN (alpnlist + GOODALPNLEN)
2431 int err = 0;
976e5323
MC		 2432 unsigned char buf[20];
2433 size_t readbytes, written;
57dee9bb 2434 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2435 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2436
2437 /* We always set this up with a final parameter of "2" for PSK */
2438 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2439 &serverssl, &sess, 2)))
2440 goto end;
2441
976e5323
MC		 2442 servalpn = "goodalpn";
2443
57dee9bb
MC		 2444 /*
2445 * Note: There is no test for inconsistent SNI with late client detection.
2446 * This is because servers do not acknowledge SNI even if they are using
2447 * it in a resumption handshake - so it is not actually possible for a
2448 * client to detect a problem.
2449 */
976e5323
MC		 2450 switch (idx) {
2451 case 0:
57dee9bb 2452 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2453 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2454 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2455 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2456 goto end;
2457 break;
2458
2459 case 1:
57dee9bb 2460 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2461 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2462 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2463 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2464 GOODALPNLEN))
2465 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2466 BADALPNLEN)))
976e5323
MC		 2467 goto end;
2468 break;
2469
2470 case 2:
2471 /*
2472 * Set invalid protocol version. Technically this affects PSKs without
2473 * early_data too, but we test it here because it is similar to the
2474 * SNI/ALPN consistency tests.
2475 */
2476 err = SSL_R_BAD_PSK;
2477 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2478 goto end;
2479 break;
2480
2481 case 3:
2482 /*
2483 * Set inconsistent SNI (server detected). In this case the connection
2484 * will succeed but reject early_data.
2485 */
281bf233
MC		 2486 SSL_SESSION_free(serverpsk);
2487 serverpsk = SSL_SESSION_dup(clientpsk);
2488 if (!TEST_ptr(serverpsk)
2489 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2490 goto end;
976e5323
MC		 2491 edstatus = SSL_EARLY_DATA_REJECTED;
2492 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2493 /* Fall through */
2494 case 4:
2495 /* Set consistent SNI */
976e5323
MC		 2496 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2497 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2498 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2499 hostname_cb)))
2500 goto end;
2501 break;
2502
2503 case 5:
2504 /*
2505 * Set inconsistent ALPN (server detected). In this case the connection
2506 * will succeed but reject early_data.
2507 */
2508 servalpn = "badalpn";
2509 edstatus = SSL_EARLY_DATA_REJECTED;
2510 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2511 /* Fall through */
2512 case 6:
976e5323 2513 /*
57dee9bb 2514 * Set consistent ALPN.
976e5323
MC		 2515 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2516 * accepts a list of protos (each one length prefixed).
2517 * SSL_set1_alpn_selected accepts a single protocol (not length
2518 * prefixed)
2519 */
57dee9bb
MC		 2520 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2521 GOODALPNLEN - 1))
2522 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2523 GOODALPNLEN)))
976e5323
MC		 2524 goto end;
2525
2526 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2527 break;
2528
57dee9bb
MC		 2529 case 7:
2530 /* Set inconsistent ALPN (late client detection) */
2531 SSL_SESSION_free(serverpsk);
2532 serverpsk = SSL_SESSION_dup(clientpsk);
2533 if (!TEST_ptr(serverpsk)
2534 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2535 BADALPN + 1,
2536 BADALPNLEN - 1))
2537 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2538 GOODALPN + 1,
2539 GOODALPNLEN - 1))
2540 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2541 sizeof(alpnlist))))
2542 goto end;
2543 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2544 edstatus = SSL_EARLY_DATA_ACCEPTED;
2545 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2546 /* SSL_connect() call should fail */
2547 connectres = -1;
2548 break;
2549
976e5323
MC		 2550 default:
2551 TEST_error("Bad test index");
2552 goto end;
2553 }
2554
2555 SSL_set_connect_state(clientssl);
2556 if (err != 0) {
2557 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2558 &written))
2559 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2560 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2561 goto end;
2562 } else {
2563 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2564 &written)))
2565 goto end;
2566
2567 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2568 &readbytes), readearlyres)
976e5323
MC		 2569 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2570 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2571 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2572 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2573 goto end;
2574 }
2575
2576 testresult = 1;
2577
2578 end:
c20e3b28 2579 SSL_SESSION_free(sess);
57dee9bb
MC		 2580 SSL_SESSION_free(clientpsk);
2581 SSL_SESSION_free(serverpsk);
2582 clientpsk = serverpsk = NULL;
976e5323
MC		 2583 SSL_free(serverssl);
2584 SSL_free(clientssl);
2585 SSL_CTX_free(sctx);
2586 SSL_CTX_free(cctx);
2587 return testresult;
2588}
2589
710756a9
RS		 2590/*
2591 * Test that a server that doesn't try to read early data can handle a
2592 * client sending some.
2593 */
3cb47b4e 2594static int test_early_data_not_expected(int idx)
5f982038
MC		 2595{
2596 SSL_CTX *cctx = NULL, *sctx = NULL;
2597 SSL *clientssl = NULL, *serverssl = NULL;
2598 int testresult = 0;
018fcbec 2599 SSL_SESSION *sess = NULL;
5f982038
MC		 2600 unsigned char buf[20];
2601 size_t readbytes, written;
2602
710756a9
RS		 2603 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2604 &serverssl, &sess, idx)))
5f982038
MC		 2605 goto end;
2606
2607 /* Write some early data */
710756a9
RS		 2608 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2609 &written)))
5f982038 2610 goto end;
5f982038
MC		 2611
2612 /*
2613 * Server should skip over early data and then block waiting for client to
2614 * continue handshake
2615 */
710756a9
RS		 2616 if (!TEST_int_le(SSL_accept(serverssl), 0)
2617 || !TEST_int_gt(SSL_connect(clientssl), 0)
2618 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2619 SSL_EARLY_DATA_REJECTED)
2620 || !TEST_int_gt(SSL_accept(serverssl), 0)
2621 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2622 SSL_EARLY_DATA_REJECTED))
5f982038 2623 goto end;
5f982038
MC		 2624
2625 /* Send some normal data from client to server */
710756a9
RS		 2626 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2627 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2628 goto end;
5f982038 2629
710756a9
RS		 2630 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2631 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2632 goto end;
5f982038
MC		 2633
2634 testresult = 1;
2635
2636 end:
5f982038 2637 SSL_SESSION_free(sess);
c20e3b28 2638 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 2639 SSL_SESSION_free(serverpsk);
2640 clientpsk = serverpsk = NULL;
5f982038
MC		 2641 SSL_free(serverssl);
2642 SSL_free(clientssl);
2643 SSL_CTX_free(sctx);
2644 SSL_CTX_free(cctx);
5f982038
MC		 2645 return testresult;
2646}
2647
2648
2649# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2650/*
2651 * Test that a server attempting to read early data can handle a connection
2652 * from a TLSv1.2 client.
2653 */
3cb47b4e 2654static int test_early_data_tls1_2(int idx)
5f982038
MC		 2655{
2656 SSL_CTX *cctx = NULL, *sctx = NULL;
2657 SSL *clientssl = NULL, *serverssl = NULL;
2658 int testresult = 0;
2659 unsigned char buf[20];
2660 size_t readbytes, written;
2661
02a3ed5a
MC		 2662 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2663 &serverssl, NULL, idx)))
5f982038 2664 goto end;
5f982038
MC		 2665
2666 /* Write some data - should block due to handshake with server */
2667 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2668 SSL_set_connect_state(clientssl);
710756a9 2669 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2670 goto end;
5f982038
MC		 2671
2672 /*
2673 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2674 * messages from client after ServerDone. Then SSL_read_early_data should
2675 * finish and detect that early data has not been sent
5f982038 2676 */
710756a9
RS		 2677 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2678 &readbytes),
2679 SSL_READ_EARLY_DATA_ERROR))
5f982038 2680 goto end;
5f982038
MC		 2681
2682 /*
2683 * Continue writing the message we started earlier. Will still block waiting
2684 * for the CCS/Finished from server
2685 */
710756a9
RS		 2686 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2687 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2688 &readbytes),
2689 SSL_READ_EARLY_DATA_FINISH)
2690 || !TEST_size_t_eq(readbytes, 0)
2691 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2692 SSL_EARLY_DATA_NOT_SENT))
5f982038 2693 goto end;
5f982038
MC		 2694
2695 /* Continue writing the message we started earlier */
710756a9
RS		 2696 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2697 || !TEST_size_t_eq(written, strlen(MSG1))
2698 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2699 SSL_EARLY_DATA_NOT_SENT)
2700 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2701 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2702 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2703 || !TEST_size_t_eq(written, strlen(MSG2))
2704 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2705 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2706 goto end;
5f982038
MC		 2707
2708 testresult = 1;
2709
2710 end:
57dee9bb
MC		 2711 SSL_SESSION_free(clientpsk);
2712 SSL_SESSION_free(serverpsk);
2713 clientpsk = serverpsk = NULL;
5f982038
MC		 2714 SSL_free(serverssl);
2715 SSL_free(clientssl);
2716 SSL_CTX_free(sctx);
2717 SSL_CTX_free(cctx);
2718
2719 return testresult;
2720}
ca0413ae
MC		 2721# endif /* OPENSSL_NO_TLS1_2 */
2722
034cb87b
MC		 2723/*
2724 * Test configuring the TLSv1.3 ciphersuites
2725 *
2726 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
2727 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
2728 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
2729 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
2730 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2731 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
2732 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
2733 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
2734 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
2735 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
2736 */
2737static int test_set_ciphersuite(int idx)
2738{
2739 SSL_CTX *cctx = NULL, *sctx = NULL;
2740 SSL *clientssl = NULL, *serverssl = NULL;
2741 int testresult = 0;
2742
2743 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2744 TLS1_VERSION, TLS_MAX_VERSION,
2745 &sctx, &cctx, cert, privkey))
2746 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2747 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
2748 goto end;
2749
2750 if (idx >=4 && idx <= 7) {
2751 /* SSL_CTX explicit cipher list */
2752 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
2753 goto end;
2754 }
2755
2756 if (idx == 0 || idx == 4) {
2757 /* Default ciphersuite */
2758 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2759 "TLS_AES_128_GCM_SHA256")))
2760 goto end;
2761 } else if (idx == 1 || idx == 5) {
2762 /* Non default ciphersuite */
2763 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2764 "TLS_AES_128_CCM_SHA256")))
2765 goto end;
2766 }
2767
2768 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2769 &clientssl, NULL, NULL)))
2770 goto end;
2771
2772 if (idx == 8 || idx == 9) {
2773 /* SSL explicit cipher list */
2774 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
2775 goto end;
2776 }
2777
2778 if (idx == 2 || idx == 6 || idx == 8) {
2779 /* Default ciphersuite */
2780 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2781 "TLS_AES_128_GCM_SHA256")))
2782 goto end;
2783 } else if (idx == 3 || idx == 7 || idx == 9) {
2784 /* Non default ciphersuite */
2785 if (!TEST_true(SSL_set_ciphersuites(clientssl,
2786 "TLS_AES_128_CCM_SHA256")))
2787 goto end;
2788 }
2789
2790 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
2791 goto end;
2792
2793 testresult = 1;
2794
2795 end:
2796 SSL_free(serverssl);
2797 SSL_free(clientssl);
2798 SSL_CTX_free(sctx);
2799 SSL_CTX_free(cctx);
2800
2801 return testresult;
2802}
2803
ca0413ae
MC		 2804static int test_ciphersuite_change(void)
2805{
2806 SSL_CTX *cctx = NULL, *sctx = NULL;
2807 SSL *clientssl = NULL, *serverssl = NULL;
2808 SSL_SESSION *clntsess = NULL;
2809 int testresult = 0;
2810 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2811
2812 /* Create a session based on SHA-256 */
7d7f6834
RL		 2813 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2814 TLS1_VERSION, TLS_MAX_VERSION,
2815 &sctx, &cctx, cert, privkey))
f865b081
MC		 2816 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
2817 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 2818 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2819 &clientssl, NULL, NULL))
2820 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2821 SSL_ERROR_NONE)))
2822 goto end;
2823
2824 clntsess = SSL_get1_session(clientssl);
2825 /* Save for later */
2826 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2827 SSL_shutdown(clientssl);
2828 SSL_shutdown(serverssl);
2829 SSL_free(serverssl);
2830 SSL_free(clientssl);
2831 serverssl = clientssl = NULL;
2832
71cff963 2833# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae 2834 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081
MC		 2835 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2836 "TLS_CHACHA20_POLY1305_SHA256"))
ca0413ae
MC		 2837 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2838 NULL, NULL))
2839 || !TEST_true(SSL_set_session(clientssl, clntsess))
2840 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2841 SSL_ERROR_NONE))
2842 || !TEST_true(SSL_session_reused(clientssl)))
2843 goto end;
2844
2845 SSL_SESSION_free(clntsess);
2846 clntsess = SSL_get1_session(clientssl);
2847 SSL_shutdown(clientssl);
2848 SSL_shutdown(serverssl);
2849 SSL_free(serverssl);
2850 SSL_free(clientssl);
2851 serverssl = clientssl = NULL;
71cff963 2852# endif
ca0413ae
MC		 2853
2854 /*
2855 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2856 * succeeds but does not resume.
ca0413ae 2857 */
f865b081 2858 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2859 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2860 NULL, NULL))
2861 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2862 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2863 SSL_ERROR_SSL))
0de6d66d 2864 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2865 goto end;
2866
2867 SSL_SESSION_free(clntsess);
2868 clntsess = NULL;
2869 SSL_shutdown(clientssl);
2870 SSL_shutdown(serverssl);
2871 SSL_free(serverssl);
2872 SSL_free(clientssl);
2873 serverssl = clientssl = NULL;
2874
2875 /* Create a session based on SHA384 */
f865b081 2876 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2877 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2878 &clientssl, NULL, NULL))
2879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2880 SSL_ERROR_NONE)))
2881 goto end;
2882
2883 clntsess = SSL_get1_session(clientssl);
2884 SSL_shutdown(clientssl);
2885 SSL_shutdown(serverssl);
2886 SSL_free(serverssl);
2887 SSL_free(clientssl);
2888 serverssl = clientssl = NULL;
2889
f865b081
MC		 2890 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2891 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
2892 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
2893 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 2894 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2895 NULL, NULL))
2896 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2897 /*
2898 * We use SSL_ERROR_WANT_READ below so that we can pause the
2899 * connection after the initial ClientHello has been sent to
2900 * enable us to make some session changes.
2901 */
ca0413ae
MC		 2902 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2903 SSL_ERROR_WANT_READ)))
2904 goto end;
2905
2906 /* Trick the client into thinking this session is for a different digest */
2907 clntsess->cipher = aes_128_gcm_sha256;
2908 clntsess->cipher_id = clntsess->cipher->id;
2909
2910 /*
3b0e88d3
MC		 2911 * Continue the previously started connection. Server has selected a SHA-384
2912 * ciphersuite, but client thinks the session is for SHA-256, so it should
2913 * bail out.
ca0413ae
MC		 2914 */
2915 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2916 SSL_ERROR_SSL))
2917 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2918 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2919 goto end;
2920
2921 testresult = 1;
2922
2923 end:
2924 SSL_SESSION_free(clntsess);
2925 SSL_free(serverssl);
2926 SSL_free(clientssl);
2927 SSL_CTX_free(sctx);
2928 SSL_CTX_free(cctx);
2929
2930 return testresult;
2931}
2932
0d8da779
MC		 2933/*
2934 * Test TLSv1.3 PSKs
2935 * Test 0 = Test new style callbacks
2936 * Test 1 = Test both new and old style callbacks
2937 * Test 2 = Test old style callbacks
2938 * Test 3 = Test old style callbacks with no certificate
2939 */
532f9578 2940static int test_tls13_psk(int idx)
ca8c71ba
MC		 2941{
2942 SSL_CTX *sctx = NULL, *cctx = NULL;
2943 SSL *serverssl = NULL, *clientssl = NULL;
2944 const SSL_CIPHER *cipher = NULL;
2945 const unsigned char key[] = {
2946 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2947 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2948 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2949 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2950 };
2951 int testresult = 0;
2952
7d7f6834
RL		 2953 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
2954 TLS1_VERSION, TLS_MAX_VERSION,
0d8da779
MC		 2955 &sctx, &cctx, idx == 3 ? NULL : cert,
2956 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 2957 goto end;
2958
0d8da779
MC		 2959 if (idx != 3) {
2960 /*
2961 * We use a ciphersuite with SHA256 to ease testing old style PSK
2962 * callbacks which will always default to SHA256. This should not be
2963 * necessary if we have no cert/priv key. In that case the server should
2964 * prefer SHA256 automatically.
2965 */
2966 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
2967 "TLS_AES_128_GCM_SHA256")))
2968 goto end;
2969 }
532f9578
MC		 2970
2971 /*
2972 * Test 0: New style callbacks only
2973 * Test 1: New and old style callbacks (only the new ones should be used)
2974 * Test 2: Old style callbacks only
2975 */
2976 if (idx == 0 || idx == 1) {
2977 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2978 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2979 }
c2b290c3 2980#ifndef OPENSSL_NO_PSK
0d8da779 2981 if (idx >= 1) {
532f9578
MC		 2982 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
2983 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
2984 }
c2b290c3 2985#endif
ca8c71ba 2986 srvid = pskid;
02a3ed5a
MC		 2987 use_session_cb_cnt = 0;
2988 find_session_cb_cnt = 0;
532f9578
MC		 2989 psk_client_cb_cnt = 0;
2990 psk_server_cb_cnt = 0;
ca8c71ba 2991
0d8da779
MC		 2992 if (idx != 3) {
2993 /*
2994 * Check we can create a connection if callback decides not to send a
2995 * PSK
2996 */
2997 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2998 NULL, NULL))
2999 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3000 SSL_ERROR_NONE))
3001 || !TEST_false(SSL_session_reused(clientssl))
3002 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3003 goto end;
532f9578 3004
0d8da779
MC		 3005 if (idx == 0 || idx == 1) {
3006 if (!TEST_true(use_session_cb_cnt == 1)
3007 || !TEST_true(find_session_cb_cnt == 0)
3008 /*
3009 * If no old style callback then below should be 0
3010 * otherwise 1
3011 */
3012 || !TEST_true(psk_client_cb_cnt == idx)
3013 || !TEST_true(psk_server_cb_cnt == 0))
3014 goto end;
3015 } else {
3016 if (!TEST_true(use_session_cb_cnt == 0)
3017 || !TEST_true(find_session_cb_cnt == 0)
3018 || !TEST_true(psk_client_cb_cnt == 1)
3019 || !TEST_true(psk_server_cb_cnt == 0))
3020 goto end;
3021 }
3022
3023 shutdown_ssl_connection(serverssl, clientssl);
3024 serverssl = clientssl = NULL;
3025 use_session_cb_cnt = psk_client_cb_cnt = 0;
3026 }
ca8c71ba
MC		 3027
3028 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3029 NULL, NULL)))
3030 goto end;
3031
3032 /* Create the PSK */
532f9578 3033 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 3034 clientpsk = SSL_SESSION_new();
3035 if (!TEST_ptr(clientpsk)
ca8c71ba 3036 || !TEST_ptr(cipher)
57dee9bb
MC		 3037 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
3038 sizeof(key)))
3039 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
3040 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
3041 TLS1_3_VERSION))
3042 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 3043 goto end;
57dee9bb 3044 serverpsk = clientpsk;
ca8c71ba
MC		 3045
3046 /* Check we can create a connection and the PSK is used */
3047 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3048 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3049 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3050 goto end;
3051
532f9578
MC		 3052 if (idx == 0 || idx == 1) {
3053 if (!TEST_true(use_session_cb_cnt == 1)
3054 || !TEST_true(find_session_cb_cnt == 1)
3055 || !TEST_true(psk_client_cb_cnt == 0)
3056 || !TEST_true(psk_server_cb_cnt == 0))
3057 goto end;
3058 } else {
3059 if (!TEST_true(use_session_cb_cnt == 0)
3060 || !TEST_true(find_session_cb_cnt == 0)
3061 || !TEST_true(psk_client_cb_cnt == 1)
3062 || !TEST_true(psk_server_cb_cnt == 1))
3063 goto end;
3064 }
3065
ca8c71ba
MC		 3066 shutdown_ssl_connection(serverssl, clientssl);
3067 serverssl = clientssl = NULL;
3068 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3069 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 3070
3071 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3072 NULL, NULL)))
3073 goto end;
3074
3075 /* Force an HRR */
3076 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3077 goto end;
3078
3079 /*
3080 * Check we can create a connection, the PSK is used and the callbacks are
3081 * called twice.
3082 */
3083 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3084 || !TEST_true(SSL_session_reused(clientssl))
532f9578 3085 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 3086 goto end;
3087
532f9578
MC		 3088 if (idx == 0 || idx == 1) {
3089 if (!TEST_true(use_session_cb_cnt == 2)
3090 || !TEST_true(find_session_cb_cnt == 2)
3091 || !TEST_true(psk_client_cb_cnt == 0)
3092 || !TEST_true(psk_server_cb_cnt == 0))
3093 goto end;
3094 } else {
3095 if (!TEST_true(use_session_cb_cnt == 0)
3096 || !TEST_true(find_session_cb_cnt == 0)
3097 || !TEST_true(psk_client_cb_cnt == 2)
3098 || !TEST_true(psk_server_cb_cnt == 2))
3099 goto end;
3100 }
3101
ca8c71ba
MC		 3102 shutdown_ssl_connection(serverssl, clientssl);
3103 serverssl = clientssl = NULL;
3104 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 3105 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 3106
0d8da779
MC		 3107 if (idx != 3) {
3108 /*
3109 * Check that if the server rejects the PSK we can still connect, but with
3110 * a full handshake
3111 */
3112 srvid = "Dummy Identity";
3113 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3114 NULL, NULL))
3115 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3116 SSL_ERROR_NONE))
3117 || !TEST_false(SSL_session_reused(clientssl))
3118 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 3119 goto end;
532f9578 3120
0d8da779
MC		 3121 if (idx == 0 || idx == 1) {
3122 if (!TEST_true(use_session_cb_cnt == 1)
3123 || !TEST_true(find_session_cb_cnt == 1)
3124 || !TEST_true(psk_client_cb_cnt == 0)
3125 /*
3126 * If no old style callback then below should be 0
3127 * otherwise 1
3128 */
3129 || !TEST_true(psk_server_cb_cnt == idx))
3130 goto end;
3131 } else {
3132 if (!TEST_true(use_session_cb_cnt == 0)
3133 || !TEST_true(find_session_cb_cnt == 0)
3134 || !TEST_true(psk_client_cb_cnt == 1)
3135 || !TEST_true(psk_server_cb_cnt == 1))
3136 goto end;
3137 }
3138
3139 shutdown_ssl_connection(serverssl, clientssl);
3140 serverssl = clientssl = NULL;
3141 }
ca8c71ba
MC		 3142 testresult = 1;
3143
3144 end:
57dee9bb
MC		 3145 SSL_SESSION_free(clientpsk);
3146 SSL_SESSION_free(serverpsk);
3147 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 3148 SSL_free(serverssl);
3149 SSL_free(clientssl);
3150 SSL_CTX_free(sctx);
3151 SSL_CTX_free(cctx);
3152 return testresult;
3153}
3154
c7b8ff25
MC		 3155static unsigned char cookie_magic_value[] = "cookie magic";
3156
3157static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
3158 unsigned int *cookie_len)
3159{
3160 /*
3161 * Not suitable as a real cookie generation function but good enough for
3162 * testing!
3163 */
97ea1e7f
MC		 3164 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
3165 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 3166
3167 return 1;
3168}
3169
3170static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
3171 unsigned int cookie_len)
3172{
97ea1e7f 3173 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 3174 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
3175 return 1;
3176
3177 return 0;
3178}
3179
3fa2812f
BS		 3180static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
3181 size_t *cookie_len)
3182{
3183 unsigned int temp;
3184 int res = generate_cookie_callback(ssl, cookie, &temp);
3185 *cookie_len = temp;
3186 return res;
3187}
3188
3189static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
3190 size_t cookie_len)
3191{
3192 return verify_cookie_callback(ssl, cookie, cookie_len);
3193}
3194
c7b8ff25
MC		 3195static int test_stateless(void)
3196{
3197 SSL_CTX *sctx = NULL, *cctx = NULL;
3198 SSL *serverssl = NULL, *clientssl = NULL;
3199 int testresult = 0;
3200
7d7f6834
RL		 3201 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3202 TLS1_VERSION, TLS_MAX_VERSION,
3203 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 3204 goto end;
3205
e440f513
MC		 3206 /* The arrival of CCS messages can confuse the test */
3207 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
3208
3209 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3210 NULL, NULL))
3211 /* Send the first ClientHello */
3212 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3213 SSL_ERROR_WANT_READ))
3214 /*
3215 * This should fail with a -1 return because we have no callbacks
3216 * set up
3217 */
3218 || !TEST_int_eq(SSL_stateless(serverssl), -1))
3219 goto end;
3220
3221 /* Fatal error so abandon the connection from this client */
3222 SSL_free(clientssl);
3223 clientssl = NULL;
3224
c7b8ff25 3225 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 3226 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
3227 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 3228
e440f513
MC		 3229 /*
3230 * Create a new connection from the client (we can reuse the server SSL
3231 * object).
3232 */
c7b8ff25
MC		 3233 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3234 NULL, NULL))
3235 /* Send the first ClientHello */
3236 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3237 SSL_ERROR_WANT_READ))
3238 /* This should fail because there is no cookie */
e440f513 3239 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 3240 goto end;
3241
3242 /* Abandon the connection from this client */
3243 SSL_free(clientssl);
3244 clientssl = NULL;
3245
3246 /*
3247 * Now create a connection from a new client but with the same server SSL
3248 * object
3249 */
3250 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3251 NULL, NULL))
3252 /* Send the first ClientHello */
3253 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3254 SSL_ERROR_WANT_READ))
3255 /* This should fail because there is no cookie */
e440f513 3256 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 3257 /* Send the second ClientHello */
3258 || !TEST_false(create_ssl_connection(serverssl, clientssl,
3259 SSL_ERROR_WANT_READ))
3260 /* This should succeed because a cookie is now present */
e440f513 3261 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 3262 /* Complete the connection */
3263 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3264 SSL_ERROR_NONE)))
3265 goto end;
3266
3267 shutdown_ssl_connection(serverssl, clientssl);
3268 serverssl = clientssl = NULL;
3269 testresult = 1;
3270
3271 end:
3272 SSL_free(serverssl);
3273 SSL_free(clientssl);
3274 SSL_CTX_free(sctx);
3275 SSL_CTX_free(cctx);
3276 return testresult;
3277
3278}
ca0413ae 3279#endif /* OPENSSL_NO_TLS1_3 */
5f982038 3280
a37008d9
MC		 3281static int clntaddoldcb = 0;
3282static int clntparseoldcb = 0;
3283static int srvaddoldcb = 0;
3284static int srvparseoldcb = 0;
3285static int clntaddnewcb = 0;
3286static int clntparsenewcb = 0;
3287static int srvaddnewcb = 0;
3288static int srvparsenewcb = 0;
bb01ef3f 3289static int snicb = 0;
a37008d9
MC		 3290
3291#define TEST_EXT_TYPE1 0xff00
3292
3293static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
3294 size_t *outlen, int *al, void *add_arg)
3295{
3296 int *server = (int *)add_arg;
3297 unsigned char *data;
3298
3299 if (SSL_is_server(s))
3300 srvaddoldcb++;
3301 else
3302 clntaddoldcb++;
3303
710756a9
RS		 3304 if (*server != SSL_is_server(s)
3305 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3306 return -1;
3307
3308 *data = 1;
3309 *out = data;
3310 *outlen = sizeof(char);
a37008d9
MC		 3311 return 1;
3312}
3313
3314static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
3315 void *add_arg)
3316{
3317 OPENSSL_free((unsigned char *)out);
3318}
3319
3320static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
3321 size_t inlen, int *al, void *parse_arg)
3322{
3323 int *server = (int *)parse_arg;
3324
3325 if (SSL_is_server(s))
3326 srvparseoldcb++;
3327 else
3328 clntparseoldcb++;
3329
710756a9
RS		 3330 if (*server != SSL_is_server(s)
3331 || inlen != sizeof(char)
3332 || *in != 1)
a37008d9
MC		 3333 return -1;
3334
3335 return 1;
3336}
3337
3338static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
3339 const unsigned char **out, size_t *outlen, X509 *x,
3340 size_t chainidx, int *al, void *add_arg)
3341{
3342 int *server = (int *)add_arg;
3343 unsigned char *data;
3344
3345 if (SSL_is_server(s))
3346 srvaddnewcb++;
3347 else
3348 clntaddnewcb++;
3349
710756a9
RS		 3350 if (*server != SSL_is_server(s)
3351 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 3352 return -1;
3353
3354 *data = 1;
3355 *out = data;
710756a9 3356 *outlen = sizeof(*data);
a37008d9
MC		 3357 return 1;
3358}
3359
3360static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
3361 const unsigned char *out, void *add_arg)
3362{
3363 OPENSSL_free((unsigned char *)out);
3364}
3365
3366static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
3367 const unsigned char *in, size_t inlen, X509 *x,
3368 size_t chainidx, int *al, void *parse_arg)
3369{
3370 int *server = (int *)parse_arg;
3371
3372 if (SSL_is_server(s))
3373 srvparsenewcb++;
3374 else
3375 clntparsenewcb++;
3376
710756a9
RS		 3377 if (*server != SSL_is_server(s)
3378 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 3379 return -1;
3380
3381 return 1;
3382}
bb01ef3f
MC		 3383
3384static int sni_cb(SSL *s, int *al, void *arg)
3385{
3386 SSL_CTX *ctx = (SSL_CTX *)arg;
3387
3388 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
3389 *al = SSL_AD_INTERNAL_ERROR;
3390 return SSL_TLSEXT_ERR_ALERT_FATAL;
3391 }
3392 snicb++;
3393 return SSL_TLSEXT_ERR_OK;
3394}
3395
a37008d9
MC		 3396/*
3397 * Custom call back tests.
3398 * Test 0: Old style callbacks in TLSv1.2
3399 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 3400 * Test 2: New style callbacks in TLSv1.2 with SNI
3401 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
3402 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 3403 */
710756a9
RS		 3404static int test_custom_exts(int tst)
3405{
bb01ef3f 3406 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 3407 SSL *clientssl = NULL, *serverssl = NULL;
3408 int testresult = 0;
3409 static int server = 1;
3410 static int client = 0;
3411 SSL_SESSION *sess = NULL;
3412 unsigned int context;
3413
c423ecaa
MC		 3414#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
3415 /* Skip tests for TLSv1.2 and below in this case */
3416 if (tst < 3)
3417 return 1;
3418#endif
3419
a37008d9
MC		 3420 /* Reset callback counters */
3421 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
3422 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 3423 snicb = 0;
a37008d9 3424
7d7f6834
RL		 3425 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3426 TLS1_VERSION, TLS_MAX_VERSION,
3427 &sctx, &cctx, cert, privkey)))
710756a9 3428 goto end;
a37008d9 3429
bb01ef3f 3430 if (tst == 2
7d7f6834
RL		 3431 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
3432 TLS1_VERSION, TLS_MAX_VERSION,
3433 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 3434 goto end;
3435
3436
3437 if (tst < 3) {
a37008d9
MC		 3438 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
3439 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 3440 if (sctx2 != NULL)
3441 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 3442 }
3443
bb01ef3f 3444 if (tst == 4) {
710756a9
RS		 3445 context = SSL_EXT_CLIENT_HELLO
3446 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3447 | SSL_EXT_TLS1_3_SERVER_HELLO
3448 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
3449 | SSL_EXT_TLS1_3_CERTIFICATE
3450 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
3451 } else {
710756a9
RS		 3452 context = SSL_EXT_CLIENT_HELLO
3453 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 3454 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
3455 }
3456
3457 /* Create a client side custom extension */
3458 if (tst == 0) {
710756a9
RS		 3459 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3460 old_add_cb, old_free_cb,
3461 &client, old_parse_cb,
3462 &client)))
3463 goto end;
a37008d9 3464 } else {
710756a9
RS		 3465 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
3466 new_add_cb, new_free_cb,
3467 &client, new_parse_cb, &client)))
3468 goto end;
a37008d9
MC		 3469 }
3470
3471 /* Should not be able to add duplicates */
710756a9
RS		 3472 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
3473 old_add_cb, old_free_cb,
3474 &client, old_parse_cb,
3475 &client))
3476 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
3477 context, new_add_cb,
3478 new_free_cb, &client,
3479 new_parse_cb, &client)))
3480 goto end;
a37008d9
MC		 3481
3482 /* Create a server side custom extension */
3483 if (tst == 0) {
710756a9
RS		 3484 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3485 old_add_cb, old_free_cb,
3486 &server, old_parse_cb,
3487 &server)))
3488 goto end;
a37008d9 3489 } else {
710756a9
RS		 3490 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
3491 new_add_cb, new_free_cb,
3492 &server, new_parse_cb, &server)))
3493 goto end;
bb01ef3f
MC		 3494 if (sctx2 != NULL
3495 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
3496 context, new_add_cb,
3497 new_free_cb, &server,
3498 new_parse_cb, &server)))
3499 goto end;
a37008d9
MC		 3500 }
3501
3502 /* Should not be able to add duplicates */
710756a9
RS		 3503 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
3504 old_add_cb, old_free_cb,
3505 &server, old_parse_cb,
3506 &server))
3507 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
3508 context, new_add_cb,
3509 new_free_cb, &server,
3510 new_parse_cb, &server)))
a37008d9 3511 goto end;
a37008d9 3512
bb01ef3f
MC		 3513 if (tst == 2) {
3514 /* Set up SNI */
3515 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
3516 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
3517 goto end;
3518 }
3519
710756a9
RS		 3520 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3521 &clientssl, NULL, NULL))
3522 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3523 SSL_ERROR_NONE)))
a37008d9 3524 goto end;
a37008d9
MC		 3525
3526 if (tst == 0) {
710756a9
RS		 3527 if (clntaddoldcb != 1
3528 || clntparseoldcb != 1
3529 || srvaddoldcb != 1
3530 || srvparseoldcb != 1)
a37008d9 3531 goto end;
bb01ef3f 3532 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3533 if (clntaddnewcb != 1
3534 || clntparsenewcb != 1
3535 || srvaddnewcb != 1
bb01ef3f
MC		 3536 || srvparsenewcb != 1
3537 || (tst != 2 && snicb != 0)
3538 || (tst == 2 && snicb != 1))
a37008d9 3539 goto end;
a37008d9 3540 } else {
36ff232c 3541 /* In this case there 2 NewSessionTicket messages created */
710756a9 3542 if (clntaddnewcb != 1
36ff232c
MC		 3543 || clntparsenewcb != 5
3544 || srvaddnewcb != 5
710756a9 3545 || srvparsenewcb != 1)
a37008d9 3546 goto end;
a37008d9
MC		 3547 }
3548
3549 sess = SSL_get1_session(clientssl);
a37008d9
MC		 3550 SSL_shutdown(clientssl);
3551 SSL_shutdown(serverssl);
a37008d9
MC		 3552 SSL_free(serverssl);
3553 SSL_free(clientssl);
3554 serverssl = clientssl = NULL;
3555
bb01ef3f
MC		 3556 if (tst == 3) {
3557 /* We don't bother with the resumption aspects for this test */
3558 testresult = 1;
3559 goto end;
3560 }
3561
710756a9
RS		 3562 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3563 NULL, NULL))
3564 || !TEST_true(SSL_set_session(clientssl, sess))
3565 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3566 SSL_ERROR_NONE)))
a37008d9 3567 goto end;
a37008d9
MC		 3568
3569 /*
3570 * For a resumed session we expect to add the ClientHello extension. For the
3571 * old style callbacks we ignore it on the server side because they set
3572 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
3573 * them.
3574 */
3575 if (tst == 0) {
710756a9
RS		 3576 if (clntaddoldcb != 2
3577 || clntparseoldcb != 1
3578 || srvaddoldcb != 1
3579 || srvparseoldcb != 1)
a37008d9 3580 goto end;
bb01ef3f 3581 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 3582 if (clntaddnewcb != 2
3583 || clntparsenewcb != 2
3584 || srvaddnewcb != 2
3585 || srvparsenewcb != 2)
a37008d9 3586 goto end;
a37008d9 3587 } else {
36ff232c
MC		 3588 /*
3589 * No Certificate message extensions in the resumption handshake,
3590 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
3591 */
710756a9 3592 if (clntaddnewcb != 2
36ff232c
MC		 3593 || clntparsenewcb != 8
3594 || srvaddnewcb != 8
710756a9 3595 || srvparsenewcb != 2)
a37008d9 3596 goto end;
a37008d9
MC		 3597 }
3598
3599 testresult = 1;
3600
3601end:
3602 SSL_SESSION_free(sess);
3603 SSL_free(serverssl);
3604 SSL_free(clientssl);
bb01ef3f 3605 SSL_CTX_free(sctx2);
a37008d9
MC		 3606 SSL_CTX_free(sctx);
3607 SSL_CTX_free(cctx);
a37008d9
MC		 3608 return testresult;
3609}
3610
16afd71c
MC		 3611/*
3612 * Test loading of serverinfo data in various formats. test_sslmessages actually
3613 * tests to make sure the extensions appear in the handshake
3614 */
3615static int test_serverinfo(int tst)
3616{
3617 unsigned int version;
3618 unsigned char *sibuf;
3619 size_t sibuflen;
3620 int ret, expected, testresult = 0;
3621 SSL_CTX *ctx;
3622
3623 ctx = SSL_CTX_new(TLS_method());
3624 if (!TEST_ptr(ctx))
3625 goto end;
3626
3627 if ((tst & 0x01) == 0x01)
3628 version = SSL_SERVERINFOV2;
3629 else
3630 version = SSL_SERVERINFOV1;
3631
3632 if ((tst & 0x02) == 0x02) {
3633 sibuf = serverinfov2;
3634 sibuflen = sizeof(serverinfov2);
3635 expected = (version == SSL_SERVERINFOV2);
3636 } else {
3637 sibuf = serverinfov1;
3638 sibuflen = sizeof(serverinfov1);
3639 expected = (version == SSL_SERVERINFOV1);
3640 }
3641
3642 if ((tst & 0x04) == 0x04) {
3643 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3644 } else {
3645 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3646
3647 /*
3648 * The version variable is irrelevant in this case - it's what is in the
3649 * buffer that matters
3650 */
3651 if ((tst & 0x02) == 0x02)
3652 expected = 0;
3653 else
3654 expected = 1;
3655 }
3656
3657 if (!TEST_true(ret == expected))
3658 goto end;
3659
3660 testresult = 1;
3661
3662 end:
3663 SSL_CTX_free(ctx);
3664
3665 return testresult;
3666}
3667
2197d1df
MC		 3668/*
3669 * Test that SSL_export_keying_material() produces expected results. There are
3670 * no test vectors so all we do is test that both sides of the communication
3671 * produce the same results for different protocol versions.
3672 */
3673static int test_export_key_mat(int tst)
3674{
a599574b 3675 int testresult = 0;
2197d1df
MC		 3676 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3677 SSL *clientssl = NULL, *serverssl = NULL;
3678 const char label[] = "test label";
3679 const unsigned char context[] = "context";
3680 const unsigned char *emptycontext = NULL;
3681 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3682 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3683 const int protocols[] = {
3684 TLS1_VERSION,
3685 TLS1_1_VERSION,
3686 TLS1_2_VERSION,
3687 TLS1_3_VERSION
3688 };
2197d1df
MC		 3689
3690#ifdef OPENSSL_NO_TLS1
3691 if (tst == 0)
3692 return 1;
3693#endif
3694#ifdef OPENSSL_NO_TLS1_1
3695 if (tst == 1)
3696 return 1;
3697#endif
3698#ifdef OPENSSL_NO_TLS1_2
3699 if (tst == 2)
3700 return 1;
3701#endif
3702#ifdef OPENSSL_NO_TLS1_3
3703 if (tst == 3)
3704 return 1;
3705#endif
7d7f6834
RL		 3706 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3707 TLS1_VERSION, TLS_MAX_VERSION,
3708 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 3709 goto end;
3710
a599574b
MC		 3711 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3712 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3713 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3714
3715 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3716 NULL))
3717 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3718 SSL_ERROR_NONE)))
3719 goto end;
3720
3721 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3722 sizeof(ckeymat1), label,
3723 sizeof(label) - 1, context,
3724 sizeof(context) - 1, 1), 1)
3725 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3726 sizeof(ckeymat2), label,
3727 sizeof(label) - 1,
3728 emptycontext,
3729 0, 1), 1)
3730 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3731 sizeof(ckeymat3), label,
3732 sizeof(label) - 1,
3733 NULL, 0, 0), 1)
3734 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3735 sizeof(skeymat1), label,
3736 sizeof(label) - 1,
3737 context,
3738 sizeof(context) -1, 1),
3739 1)
3740 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3741 sizeof(skeymat2), label,
3742 sizeof(label) - 1,
3743 emptycontext,
3744 0, 1), 1)
3745 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3746 sizeof(skeymat3), label,
3747 sizeof(label) - 1,
3748 NULL, 0, 0), 1)
3749 /*
3750 * Check that both sides created the same key material with the
3751 * same context.
3752 */
3753 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3754 sizeof(skeymat1))
3755 /*
3756 * Check that both sides created the same key material with an
3757 * empty context.
3758 */
3759 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3760 sizeof(skeymat2))
3761 /*
3762 * Check that both sides created the same key material without a
3763 * context.
3764 */
3765 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3766 sizeof(skeymat3))
3767 /* Different contexts should produce different results */
3768 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3769 sizeof(ckeymat2)))
3770 goto end;
3771
3772 /*
3773 * Check that an empty context and no context produce different results in
3774 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3775 */
3776 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3777 sizeof(ckeymat3)))
3778 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3779 sizeof(ckeymat3))))
3780 goto end;
3781
3782 testresult = 1;
3783
3784 end:
3785 SSL_free(serverssl);
3786 SSL_free(clientssl);
3787 SSL_CTX_free(sctx2);
3788 SSL_CTX_free(sctx);
3789 SSL_CTX_free(cctx);
3790
3791 return testresult;
3792}
3793
b38ede80
TT		 3794#ifndef OPENSSL_NO_TLS1_3
3795/*
3796 * Test that SSL_export_keying_material_early() produces expected
3797 * results. There are no test vectors so all we do is test that both
3798 * sides of the communication produce the same results for different
3799 * protocol versions.
3800 */
3801static int test_export_key_mat_early(int idx)
3802{
3803 static const char label[] = "test label";
3804 static const unsigned char context[] = "context";
3805 int testresult = 0;
3806 SSL_CTX *cctx = NULL, *sctx = NULL;
3807 SSL *clientssl = NULL, *serverssl = NULL;
3808 SSL_SESSION *sess = NULL;
3809 const unsigned char *emptycontext = NULL;
3810 unsigned char ckeymat1[80], ckeymat2[80];
3811 unsigned char skeymat1[80], skeymat2[80];
3812 unsigned char buf[1];
3813 size_t readbytes, written;
3814
3815 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
3816 &sess, idx)))
3817 goto end;
3818
3819 /* Here writing 0 length early data is enough. */
3820 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
3821 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3822 &readbytes),
3823 SSL_READ_EARLY_DATA_ERROR)
3824 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3825 SSL_EARLY_DATA_ACCEPTED))
3826 goto end;
3827
3828 if (!TEST_int_eq(SSL_export_keying_material_early(
3829 clientssl, ckeymat1, sizeof(ckeymat1), label,
3830 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3831 || !TEST_int_eq(SSL_export_keying_material_early(
3832 clientssl, ckeymat2, sizeof(ckeymat2), label,
3833 sizeof(label) - 1, emptycontext, 0), 1)
3834 || !TEST_int_eq(SSL_export_keying_material_early(
3835 serverssl, skeymat1, sizeof(skeymat1), label,
3836 sizeof(label) - 1, context, sizeof(context) - 1), 1)
3837 || !TEST_int_eq(SSL_export_keying_material_early(
3838 serverssl, skeymat2, sizeof(skeymat2), label,
3839 sizeof(label) - 1, emptycontext, 0), 1)
3840 /*
3841 * Check that both sides created the same key material with the
3842 * same context.
3843 */
3844 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3845 sizeof(skeymat1))
3846 /*
3847 * Check that both sides created the same key material with an
3848 * empty context.
3849 */
3850 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3851 sizeof(skeymat2))
3852 /* Different contexts should produce different results */
3853 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3854 sizeof(ckeymat2)))
3855 goto end;
3856
3857 testresult = 1;
3858
3859 end:
c20e3b28 3860 SSL_SESSION_free(sess);
b38ede80
TT		 3861 SSL_SESSION_free(clientpsk);
3862 SSL_SESSION_free(serverpsk);
34ff74eb 3863 clientpsk = serverpsk = NULL;
b38ede80
TT		 3864 SSL_free(serverssl);
3865 SSL_free(clientssl);
3866 SSL_CTX_free(sctx);
3867 SSL_CTX_free(cctx);
3868
3869 return testresult;
3870}
3871#endif /* OPENSSL_NO_TLS1_3 */
3872
e11b6aa4
MC		 3873static int test_ssl_clear(int idx)
3874{
3875 SSL_CTX *cctx = NULL, *sctx = NULL;
3876 SSL *clientssl = NULL, *serverssl = NULL;
3877 int testresult = 0;
3878
3879#ifdef OPENSSL_NO_TLS1_2
3880 if (idx == 1)
3881 return 1;
3882#endif
3883
3884 /* Create an initial connection */
7d7f6834
RL		 3885 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
3886 TLS1_VERSION, TLS_MAX_VERSION,
3887 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 3888 || (idx == 1
3889 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3890 TLS1_2_VERSION)))
3891 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3892 &clientssl, NULL, NULL))
3893 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3894 SSL_ERROR_NONE)))
3895 goto end;
3896
3897 SSL_shutdown(clientssl);
3898 SSL_shutdown(serverssl);
3899 SSL_free(serverssl);
3900 serverssl = NULL;
3901
3902 /* Clear clientssl - we're going to reuse the object */
3903 if (!TEST_true(SSL_clear(clientssl)))
3904 goto end;
3905
3906 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3907 NULL, NULL))
3908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3909 SSL_ERROR_NONE))
3910 || !TEST_true(SSL_session_reused(clientssl)))
3911 goto end;
3912
3913 SSL_shutdown(clientssl);
3914 SSL_shutdown(serverssl);
3915
3916 testresult = 1;
3917
3918 end:
3919 SSL_free(serverssl);
3920 SSL_free(clientssl);
3921 SSL_CTX_free(sctx);
3922 SSL_CTX_free(cctx);
3923
3924 return testresult;
3925}
3926
cf72c757
F		 3927/* Parse CH and retrieve any MFL extension value if present */
3928static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3929{
3930 long len;
3931 unsigned char *data;
3932 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3933 unsigned int MFL_code = 0, type = 0;
3934
3935 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3936 goto end;
3937
3938 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3939 /* Skip the record header */
3940 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3941 /* Skip the handshake message header */
3942 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3943 /* Skip client version and random */
3944 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3945 + SSL3_RANDOM_SIZE))
3946 /* Skip session id */
3947 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3948 /* Skip ciphers */
3949 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3950 /* Skip compression */
3951 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3952 /* Extensions len */
3953 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3954 goto end;
3955
3956 /* Loop through all extensions */
3957 while (PACKET_remaining(&pkt2)) {
3958 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3959 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3960 goto end;
3961
3962 if (type == TLSEXT_TYPE_max_fragment_length) {
3963 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3964 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3965 goto end;
3966
3967 *mfl_codemfl_code = MFL_code;
3968 return 1;
3969 }
3970 }
3971
3972 end:
3973 return 0;
3974}
3975
3976/* Maximum-Fragment-Length TLS extension mode to test */
3977static const unsigned char max_fragment_len_test[] = {
3978 TLSEXT_max_fragment_length_512,
3979 TLSEXT_max_fragment_length_1024,
3980 TLSEXT_max_fragment_length_2048,
3981 TLSEXT_max_fragment_length_4096
3982};
3983
3984static int test_max_fragment_len_ext(int idx_tst)
3985{
3986 SSL_CTX *ctx;
3987 SSL *con = NULL;
3988 int testresult = 0, MFL_mode = 0;
3989 BIO *rbio, *wbio;
3990
3991 ctx = SSL_CTX_new(TLS_method());
3992 if (!TEST_ptr(ctx))
3993 goto end;
3994
3995 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3996 ctx, max_fragment_len_test[idx_tst])))
3997 goto end;
3998
3999 con = SSL_new(ctx);
4000 if (!TEST_ptr(con))
4001 goto end;
4002
4003 rbio = BIO_new(BIO_s_mem());
4004 wbio = BIO_new(BIO_s_mem());
4005 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
4006 BIO_free(rbio);
4007 BIO_free(wbio);
4008 goto end;
4009 }
4010
4011 SSL_set_bio(con, rbio, wbio);
4012 SSL_set_connect_state(con);
4013
4014 if (!TEST_int_le(SSL_connect(con), 0)) {
4015 /* This shouldn't succeed because we don't have a server! */
4016 goto end;
4017 }
4018
4019 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
4020 /* no MFL in client hello */
4021 goto end;
4022 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
4023 goto end;
4024
4025 testresult = 1;
4026
4027end:
4028 SSL_free(con);
4029 SSL_CTX_free(ctx);
4030
4031 return testresult;
4032}
4033
9d75dce3
TS		 4034#ifndef OPENSSL_NO_TLS1_3
4035static int test_pha_key_update(void)
4036{
4037 SSL_CTX *cctx = NULL, *sctx = NULL;
4038 SSL *clientssl = NULL, *serverssl = NULL;
4039 int testresult = 0;
4040
7d7f6834
RL		 4041 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4042 TLS1_VERSION, TLS_MAX_VERSION,
9d75dce3
TS		 4043 &sctx, &cctx, cert, privkey)))
4044 return 0;
4045
4046 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
4047 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
4048 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
4049 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
4050 goto end;
4051
4052
4053 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4054 NULL, NULL)))
4055 goto end;
4056
4057 SSL_force_post_handshake_auth(clientssl);
4058
4059 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4060 SSL_ERROR_NONE)))
4061 goto end;
4062
4063 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
4064 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
4065 goto end;
4066
4067 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
4068 goto end;
4069
4070 /* Start handshake on the server */
4071 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
4072 goto end;
4073
4074 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
4075 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4076 SSL_ERROR_NONE)))
4077 goto end;
4078
4079 SSL_shutdown(clientssl);
4080 SSL_shutdown(serverssl);
4081
4082 testresult = 1;
4083
4084 end:
4085 SSL_free(serverssl);
4086 SSL_free(clientssl);
4087 SSL_CTX_free(sctx);
4088 SSL_CTX_free(cctx);
4089 return testresult;
4090}
4091#endif
4092
76fd7a1d
MC		 4093#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
4094
4095static SRP_VBASE *vbase = NULL;
4096
4097static int ssl_srp_cb(SSL *s, int *ad, void *arg)
4098{
4099 int ret = SSL3_AL_FATAL;
4100 char *username;
4101 SRP_user_pwd *user = NULL;
4102
4103 username = SSL_get_srp_username(s);
4104 if (username == NULL) {
4105 *ad = SSL_AD_INTERNAL_ERROR;
4106 goto err;
4107 }
4108
4109 user = SRP_VBASE_get1_by_user(vbase, username);
4110 if (user == NULL) {
4111 *ad = SSL_AD_INTERNAL_ERROR;
4112 goto err;
4113 }
4114
4115 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
4116 user->info) <= 0) {
4117 *ad = SSL_AD_INTERNAL_ERROR;
4118 goto err;
4119 }
4120
4121 ret = 0;
4122
4123 err:
4124 SRP_user_pwd_free(user);
4125 return ret;
4126}
4127
4128static int create_new_vfile(char *userid, char *password, const char *filename)
4129{
4130 char *gNid = NULL;
4131 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
4132 TXT_DB *db = NULL;
4133 int ret = 0;
4134 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
4135 size_t i;
4136
4137 if (!TEST_ptr(dummy) || !TEST_ptr(row))
4138 goto end;
4139
4140 gNid = SRP_create_verifier(userid, password, &row[DB_srpsalt],
4141 &row[DB_srpverifier], NULL, NULL);
4142 if (!TEST_ptr(gNid))
4143 goto end;
4144
4145 /*
4146 * The only way to create an empty TXT_DB is to provide a BIO with no data
4147 * in it!
4148 */
4149 db = TXT_DB_read(dummy, DB_NUMBER);
4150 if (!TEST_ptr(db))
4151 goto end;
4152
4153 out = BIO_new_file(filename, "w");
4154 if (!TEST_ptr(out))
4155 goto end;
4156
4157 row[DB_srpid] = OPENSSL_strdup(userid);
4158 row[DB_srptype] = OPENSSL_strdup("V");
4159 row[DB_srpgN] = OPENSSL_strdup(gNid);
4160
4161 if (!TEST_ptr(row[DB_srpid])
4162 || !TEST_ptr(row[DB_srptype])
4163 || !TEST_ptr(row[DB_srpgN])
4164 || !TEST_true(TXT_DB_insert(db, row)))
4165 goto end;
4166
4167 row = NULL;
4168
4169 if (!TXT_DB_write(out, db))
4170 goto end;
4171
4172 ret = 1;
4173 end:
4174 if (row != NULL) {
4175 for (i = 0; i < DB_NUMBER; i++)
4176 OPENSSL_free(row[i]);
4177 }
4178 OPENSSL_free(row);
4179 BIO_free(dummy);
4180 BIO_free(out);
4181 TXT_DB_free(db);
4182
4183 return ret;
4184}
4185
4186static int create_new_vbase(char *userid, char *password)
4187{
4188 BIGNUM *verifier = NULL, *salt = NULL;
4189 const SRP_gN *lgN = NULL;
4190 SRP_user_pwd *user_pwd = NULL;
4191 int ret = 0;
4192
4193 lgN = SRP_get_default_gN(NULL);
4194 if (!TEST_ptr(lgN))
4195 goto end;
4196
4197 if (!TEST_true(SRP_create_verifier_BN(userid, password, &salt, &verifier,
4198 lgN->N, lgN->g)))
4199 goto end;
4200
4201 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
4202 if (!TEST_ptr(user_pwd))
4203 goto end;
4204
4205 user_pwd->N = lgN->N;
4206 user_pwd->g = lgN->g;
4207 user_pwd->id = OPENSSL_strdup(userid);
4208 if (!TEST_ptr(user_pwd->id))
4209 goto end;
4210
4211 user_pwd->v = verifier;
4212 user_pwd->s = salt;
4213 verifier = salt = NULL;
4214
4215 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
4216 goto end;
4217 user_pwd = NULL;
4218
4219 ret = 1;
4220end:
4221 SRP_user_pwd_free(user_pwd);
4222 BN_free(salt);
4223 BN_free(verifier);
4224
4225 return ret;
4226}
4227
4228/*
4229 * SRP tests
4230 *
4231 * Test 0: Simple successful SRP connection, new vbase
4232 * Test 1: Connection failure due to bad password, new vbase
4233 * Test 2: Simple successful SRP connection, vbase loaded from existing file
4234 * Test 3: Connection failure due to bad password, vbase loaded from existing
4235 * file
4236 * Test 4: Simple successful SRP connection, vbase loaded from new file
4237 * Test 5: Connection failure due to bad password, vbase loaded from new file
4238 */
4239static int test_srp(int tst)
4240{
4241 char *userid = "test", *password = "password", *tstsrpfile;
4242 SSL_CTX *cctx = NULL, *sctx = NULL;
4243 SSL *clientssl = NULL, *serverssl = NULL;
4244 int ret, testresult = 0;
4245
4246 vbase = SRP_VBASE_new(NULL);
4247 if (!TEST_ptr(vbase))
4248 goto end;
4249
4250 if (tst == 0 || tst == 1) {
4251 if (!TEST_true(create_new_vbase(userid, password)))
4252 goto end;
4253 } else {
4254 if (tst == 4 || tst == 5) {
4255 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
4256 goto end;
4257 tstsrpfile = tmpfilename;
4258 } else {
4259 tstsrpfile = srpvfile;
4260 }
4261 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
4262 goto end;
4263 }
4264
4265 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
4266 TLS1_VERSION, TLS_MAX_VERSION,
4267 &sctx, &cctx, cert, privkey)))
4268 goto end;
4269
4270 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
4271 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
4272 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
4273 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
4274 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
4275 goto end;
4276
4277 if (tst % 2 == 1) {
4278 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
4279 goto end;
4280 } else {
4281 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
4282 goto end;
4283 }
4284
4285 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4286 NULL, NULL)))
4287 goto end;
4288
4289 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
4290 if (ret) {
4291 if (!TEST_true(tst % 2 == 0))
4292 goto end;
4293 } else {
4294 if (!TEST_true(tst % 2 == 1))
4295 goto end;
4296 }
4297
4298 testresult = 1;
4299
4300 end:
4301 SRP_VBASE_free(vbase);
4302 vbase = NULL;
4303 SSL_free(serverssl);
4304 SSL_free(clientssl);
4305 SSL_CTX_free(sctx);
4306 SSL_CTX_free(cctx);
4307
4308 return testresult;
4309}
4310#endif
4311
5718fe45
MC		 4312static int info_cb_failed = 0;
4313static int info_cb_offset = 0;
4314static int info_cb_this_state = -1;
4315
4316static struct info_cb_states_st {
4317 int where;
4318 const char *statestr;
4319} info_cb_states[][60] = {
4320 {
4321 /* TLSv1.2 server followed by resumption */
4322 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4323 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4324 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
4325 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
4326 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
4327 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4328 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4329 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4330 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4331 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4332 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
4333 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4334 {SSL_CB_EXIT, NULL}, {0, NULL},
4335 }, {
4336 /* TLSv1.2 client followed by resumption */
4337 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4338 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4339 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
4340 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
4341 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
4342 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4343 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
4344 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4345 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4346 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
4347 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4348 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4349 }, {
4350 /* TLSv1.3 server followed by resumption */
4351 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4352 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4353 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
4354 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
4355 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4356 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4357 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
5718fe45 4358 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"},
36ff232c
MC		 4359 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4360 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4361 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
4362 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"},
4363 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL},
4364 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4365 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4366 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4367 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 4368 }, {
4369 /* TLSv1.3 client followed by resumption */
4370 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4371 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
4372 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
4373 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
4374 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4375 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4376 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4377 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
36ff232c
MC		 4378 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4379 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4380 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 4381 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4382 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
4383 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4384 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
4385 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4386 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "},
4387 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4388 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4389 }, {
4390 /* TLSv1.3 server, early_data */
4391 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4392 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
4393 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
4394 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4395 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4396 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4397 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4398 {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4399 {SSL_CB_EXIT, NULL}, {0, NULL},
4400 }, {
4401 /* TLSv1.3 client, early_data */
4402 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
4403 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
4404 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4405 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
4406 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
4407 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
4408 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4409 {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
4410 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
4411 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
4412 }, {
4413 {0, NULL},
4414 }
4415};
4416
4417static void sslapi_info_callback(const SSL *s, int where, int ret)
4418{
4419 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
4420
4421 /* We do not ever expect a connection to fail in this test */
4422 if (!TEST_false(ret == 0)) {
4423 info_cb_failed = 1;
4424 return;
4425 }
4426
4427 /*
4428 * Do some sanity checks. We never expect these things to happen in this
4429 * test
4430 */
4431 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
4432 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
4433 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
4434 info_cb_failed = 1;
4435 return;
4436 }
4437
4438 /* Now check we're in the right state */
4439 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
4440 info_cb_failed = 1;
4441 return;
4442 }
4443 if ((where & SSL_CB_LOOP) != 0
4444 && !TEST_int_eq(strcmp(SSL_state_string(s),
4445 state[info_cb_this_state].statestr), 0)) {
4446 info_cb_failed = 1;
4447 return;
4448 }
033c181b
MC		 4449
4450 /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */
4451 if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) {
4452 info_cb_failed = 1;
4453 return;
4454 }
5718fe45
MC		 4455}
4456
4457/*
4458 * Test the info callback gets called when we expect it to.
4459 *
4460 * Test 0: TLSv1.2, server
4461 * Test 1: TLSv1.2, client
4462 * Test 2: TLSv1.3, server
4463 * Test 3: TLSv1.3, client
4464 * Test 4: TLSv1.3, server, early_data
4465 * Test 5: TLSv1.3, client, early_data
4466 */
4467static int test_info_callback(int tst)
4468{
4469 SSL_CTX *cctx = NULL, *sctx = NULL;
4470 SSL *clientssl = NULL, *serverssl = NULL;
4471 SSL_SESSION *clntsess = NULL;
4472 int testresult = 0;
4473 int tlsvers;
4474
4475 if (tst < 2) {
4476#ifndef OPENSSL_NO_TLS1_2
4477 tlsvers = TLS1_2_VERSION;
4478#else
4479 return 1;
4480#endif
4481 } else {
4482#ifndef OPENSSL_NO_TLS1_3
4483 tlsvers = TLS1_3_VERSION;
4484#else
4485 return 1;
4486#endif
4487 }
4488
4489 /* Reset globals */
4490 info_cb_failed = 0;
4491 info_cb_this_state = -1;
4492 info_cb_offset = tst;
4493
6e07834c 4494#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 4495 if (tst >= 4) {
4496 SSL_SESSION *sess = NULL;
4497 size_t written, readbytes;
4498 unsigned char buf[80];
4499
4500 /* early_data tests */
4501 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4502 &serverssl, &sess, 0)))
4503 goto end;
4504
4505 /* We don't actually need this reference */
4506 SSL_SESSION_free(sess);
4507
4508 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
4509 sslapi_info_callback);
4510
4511 /* Write and read some early data and then complete the connection */
4512 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4513 &written))
4514 || !TEST_size_t_eq(written, strlen(MSG1))
4515 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
4516 sizeof(buf), &readbytes),
4517 SSL_READ_EARLY_DATA_SUCCESS)
4518 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
4519 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4520 SSL_EARLY_DATA_ACCEPTED)
4521 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4522 SSL_ERROR_NONE))
4523 || !TEST_false(info_cb_failed))
4524 goto end;
4525
4526 testresult = 1;
4527 goto end;
4528 }
6e07834c 4529#endif
5718fe45
MC		 4530
4531 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4532 TLS_client_method(),
4533 tlsvers, tlsvers, &sctx, &cctx, cert,
4534 privkey)))
4535 goto end;
4536
4537 /*
4538 * For even numbered tests we check the server callbacks. For odd numbers we
4539 * check the client.
4540 */
4541 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
4542 sslapi_info_callback);
4543
4544 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4545 &clientssl, NULL, NULL))
4546 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4547 SSL_ERROR_NONE))
4548 || !TEST_false(info_cb_failed))
4549 goto end;
4550
4551
4552
4553 clntsess = SSL_get1_session(clientssl);
4554 SSL_shutdown(clientssl);
4555 SSL_shutdown(serverssl);
4556 SSL_free(serverssl);
4557 SSL_free(clientssl);
4558 serverssl = clientssl = NULL;
4559
4560 /* Now do a resumption */
4561 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4562 NULL))
4563 || !TEST_true(SSL_set_session(clientssl, clntsess))
4564 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4565 SSL_ERROR_NONE))
4566 || !TEST_true(SSL_session_reused(clientssl))
4567 || !TEST_false(info_cb_failed))
4568 goto end;
4569
4570 testresult = 1;
4571
4572 end:
4573 SSL_free(serverssl);
4574 SSL_free(clientssl);
4575 SSL_SESSION_free(clntsess);
4576 SSL_CTX_free(sctx);
4577 SSL_CTX_free(cctx);
4578 return testresult;
4579}
4580
4a432af8
MC		 4581static int test_ssl_pending(int tst)
4582{
4583 SSL_CTX *cctx = NULL, *sctx = NULL;
4584 SSL *clientssl = NULL, *serverssl = NULL;
4585 int testresult = 0;
4586 char msg[] = "A test message";
4587 char buf[5];
4588 size_t written, readbytes;
4589
4590 if (tst == 0) {
4591 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4592 TLS_client_method(),
4593 TLS1_VERSION, TLS_MAX_VERSION,
4594 &sctx, &cctx, cert, privkey)))
4595 goto end;
4596 } else {
4597#ifndef OPENSSL_NO_DTLS
4598 if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
4599 DTLS_client_method(),
4600 DTLS1_VERSION, DTLS_MAX_VERSION,
4601 &sctx, &cctx, cert, privkey)))
4602 goto end;
4603#else
4604 return 1;
4605#endif
4606 }
4607
4608 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4609 NULL, NULL))
4610 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4611 SSL_ERROR_NONE)))
4612 goto end;
4613
e8251092
MC		 4614 if (!TEST_int_eq(SSL_pending(clientssl), 0)
4615 || !TEST_false(SSL_has_pending(clientssl))
4616 || !TEST_int_eq(SSL_pending(serverssl), 0)
4617 || !TEST_false(SSL_has_pending(serverssl))
4618 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 4619 || !TEST_size_t_eq(written, sizeof(msg))
4620 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
4621 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 4622 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
4623 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 4624 goto end;
4625
4626 testresult = 1;
4627
4628 end:
4629 SSL_free(serverssl);
4630 SSL_free(clientssl);
4631 SSL_CTX_free(sctx);
4632 SSL_CTX_free(cctx);
4633
4634 return testresult;
4635}
4636
e401389a
MC		 4637static struct {
4638 unsigned int maxprot;
4639 const char *clntciphers;
4640 const char *clnttls13ciphers;
4641 const char *srvrciphers;
4642 const char *srvrtls13ciphers;
4643 const char *shared;
4644} shared_ciphers_data[] = {
60155b9a
MC		 4645/*
4646 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
4647 * TLSv1.3 is enabled but TLSv1.2 is disabled.
4648 */
4649#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 4650 {
4651 TLS1_2_VERSION,
4652 "AES128-SHA:AES256-SHA",
4653 NULL,
4654 "AES256-SHA:DHE-RSA-AES128-SHA",
4655 NULL,
4656 "AES256-SHA"
4657 },
4658 {
4659 TLS1_2_VERSION,
4660 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
4661 NULL,
4662 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
4663 NULL,
4664 "AES128-SHA:AES256-SHA"
4665 },
4666 {
4667 TLS1_2_VERSION,
4668 "AES128-SHA:AES256-SHA",
4669 NULL,
4670 "AES128-SHA:DHE-RSA-AES128-SHA",
4671 NULL,
4672 "AES128-SHA"
4673 },
60155b9a
MC		 4674#endif
4675/*
4676 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
4677 * enabled.
4678 */
4679#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
4680 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 4681 {
4682 TLS1_3_VERSION,
4683 "AES128-SHA:AES256-SHA",
4684 NULL,
4685 "AES256-SHA:AES128-SHA256",
4686 NULL,
4687 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
4688 "TLS_AES_128_GCM_SHA256:AES256-SHA"
4689 },
60155b9a
MC		 4690#endif
4691#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 4692 {
4693 TLS1_3_VERSION,
4694 "AES128-SHA",
4695 "TLS_AES_256_GCM_SHA384",
4696 "AES256-SHA",
4697 "TLS_AES_256_GCM_SHA384",
4698 "TLS_AES_256_GCM_SHA384"
4699 },
4700#endif
4701};
4702
4703static int test_ssl_get_shared_ciphers(int tst)
4704{
4705 SSL_CTX *cctx = NULL, *sctx = NULL;
4706 SSL *clientssl = NULL, *serverssl = NULL;
4707 int testresult = 0;
4708 char buf[1024];
4709
4710 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4711 TLS_client_method(),
4712 TLS1_VERSION,
4713 shared_ciphers_data[tst].maxprot,
4714 &sctx, &cctx, cert, privkey)))
4715 goto end;
4716
4717 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4718 shared_ciphers_data[tst].clntciphers))
4719 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
4720 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4721 shared_ciphers_data[tst].clnttls13ciphers)))
4722 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
4723 shared_ciphers_data[tst].srvrciphers))
4724 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
4725 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4726 shared_ciphers_data[tst].srvrtls13ciphers))))
4727 goto end;
4728
4729
4730 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4731 NULL, NULL))
4732 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4733 SSL_ERROR_NONE)))
4734 goto end;
4735
4736 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
4737 || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
4738 TEST_info("Shared ciphers are: %s\n", buf);
4739 goto end;
4740 }
4741
4742 testresult = 1;
4743
4744 end:
4745 SSL_free(serverssl);
4746 SSL_free(clientssl);
4747 SSL_CTX_free(sctx);
4748 SSL_CTX_free(cctx);
4749
4750 return testresult;
4751}
4752
d0191fe0 4753static const char *appdata = "Hello World";
61fb5923
MC		 4754static int gen_tick_called, dec_tick_called, tick_key_cb_called;
4755static int tick_key_renew = 0;
4756static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 4757
4758static int gen_tick_cb(SSL *s, void *arg)
4759{
4760 gen_tick_called = 1;
4761
4762 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
4763 strlen(appdata));
4764}
4765
4766static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
4767 const unsigned char *keyname,
4768 size_t keyname_length,
61fb5923
MC		 4769 SSL_TICKET_STATUS status,
4770 void *arg)
d0191fe0
MC		 4771{
4772 void *tickdata;
4773 size_t tickdlen;
4774
4775 dec_tick_called = 1;
4776
61fb5923
MC		 4777 if (status == SSL_TICKET_EMPTY)
4778 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 4779
61fb5923
MC		 4780 if (!TEST_true(status == SSL_TICKET_SUCCESS
4781 || status == SSL_TICKET_SUCCESS_RENEW))
4782 return SSL_TICKET_RETURN_ABORT;
4783
4784 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
4785 &tickdlen))
d0191fe0
MC		 4786 || !TEST_size_t_eq(tickdlen, strlen(appdata))
4787 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 4788 return SSL_TICKET_RETURN_ABORT;
d0191fe0 4789
61fb5923
MC		 4790 if (tick_key_cb_called) {
4791 /* Don't change what the ticket key callback wanted to do */
4792 switch (status) {
4793 case SSL_TICKET_NO_DECRYPT:
4794 return SSL_TICKET_RETURN_IGNORE_RENEW;
4795
4796 case SSL_TICKET_SUCCESS:
4797 return SSL_TICKET_RETURN_USE;
d0191fe0 4798
61fb5923
MC		 4799 case SSL_TICKET_SUCCESS_RENEW:
4800 return SSL_TICKET_RETURN_USE_RENEW;
4801
4802 default:
4803 return SSL_TICKET_RETURN_ABORT;
4804 }
4805 }
4806 return tick_dec_ret;
4807
4808}
d0191fe0
MC		 4809
4810static int tick_key_cb(SSL *s, unsigned char key_name[16],
4811 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
4812 HMAC_CTX *hctx, int enc)
4813{
4814 const unsigned char tick_aes_key[16] = "0123456789abcdef";
4815 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
4816
61fb5923 4817 tick_key_cb_called = 1;
d0191fe0
MC		 4818 memset(iv, 0, AES_BLOCK_SIZE);
4819 memset(key_name, 0, 16);
4820 if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
4821 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
4822 EVP_sha256(), NULL))
4823 return -1;
4824
61fb5923 4825 return tick_key_renew ? 2 : 1;
d0191fe0
MC		 4826}
4827
4828/*
4829 * Test the various ticket callbacks
61fb5923
MC		 4830 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
4831 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
4832 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
4833 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
4834 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
4835 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
4836 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
4837 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
4838 * Test 8: TLSv1.2, ticket key callback, ticket, no renewal
4839 * Test 9: TLSv1.3, ticket key callback, ticket, no renewal
4840 * Test 10: TLSv1.2, ticket key callback, ticket, renewal
4841 * Test 11: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 4842 */
4843static int test_ticket_callbacks(int tst)
4844{
4845 SSL_CTX *cctx = NULL, *sctx = NULL;
4846 SSL *clientssl = NULL, *serverssl = NULL;
4847 SSL_SESSION *clntsess = NULL;
4848 int testresult = 0;
4849
4850#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 4851 if (tst % 2 == 0)
d0191fe0
MC		 4852 return 1;
4853#endif
4854#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 4855 if (tst % 2 == 1)
d0191fe0
MC		 4856 return 1;
4857#endif
4858
61fb5923 4859 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 4860
4861 /* Which tests the ticket key callback should request renewal for */
61fb5923
MC		 4862 if (tst == 10 || tst == 11)
4863 tick_key_renew = 1;
d0191fe0 4864 else
61fb5923
MC		 4865 tick_key_renew = 0;
4866
4867 /* Which tests the decrypt ticket callback should request renewal for */
4868 switch (tst) {
4869 case 0:
4870 case 1:
4871 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
4872 break;
4873
4874 case 2:
4875 case 3:
4876 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
4877 break;
4878
4879 case 4:
4880 case 5:
4881 tick_dec_ret = SSL_TICKET_RETURN_USE;
4882 break;
4883
4884 case 6:
4885 case 7:
4886 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
4887 break;
4888
4889 default:
4890 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
4891 }
d0191fe0
MC		 4892
4893 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
4894 TLS_client_method(),
4895 TLS1_VERSION,
61fb5923
MC		 4896 ((tst % 2) == 0) ? TLS1_2_VERSION
4897 : TLS1_3_VERSION,
d0191fe0
MC		 4898 &sctx, &cctx, cert, privkey)))
4899 goto end;
4900
61fb5923
MC		 4901 /*
4902 * We only want sessions to resume from tickets - not the session cache. So
4903 * switch the cache off.
4904 */
4905 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
4906 goto end;
4907
d0191fe0
MC		 4908 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
4909 NULL)))
4910 goto end;
4911
61fb5923 4912 if (tst >= 8
d0191fe0
MC		 4913 && !TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
4914 goto end;
4915
4916 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4917 NULL, NULL))
4918 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4919 SSL_ERROR_NONE)))
4920 goto end;
4921
61fb5923
MC		 4922 /*
4923 * The decrypt ticket key callback in TLSv1.2 should be called even though
4924 * we have no ticket yet, because it gets called with a status of
4925 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
4926 * actually send any ticket data). This does not happen in TLSv1.3 because
4927 * it is not valid to send empty ticket data in TLSv1.3.
4928 */
d0191fe0 4929 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 4930 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 4931 goto end;
4932
4933 gen_tick_called = dec_tick_called = 0;
4934
4935 clntsess = SSL_get1_session(clientssl);
4936 SSL_shutdown(clientssl);
4937 SSL_shutdown(serverssl);
4938 SSL_free(serverssl);
4939 SSL_free(clientssl);
4940 serverssl = clientssl = NULL;
4941
4942 /* Now do a resumption */
4943 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
4944 NULL))
4945 || !TEST_true(SSL_set_session(clientssl, clntsess))
4946 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 4947 SSL_ERROR_NONE)))
d0191fe0
MC		 4948 goto end;
4949
61fb5923
MC		 4950 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
4951 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
4952 if (!TEST_false(SSL_session_reused(clientssl)))
4953 goto end;
4954 } else {
4955 if (!TEST_true(SSL_session_reused(clientssl)))
4956 goto end;
4957 }
4958
d0191fe0 4959 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 4960 (tick_key_renew
4961 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
4962 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
4963 ? 1 : 0)
d0191fe0
MC		 4964 || !TEST_int_eq(dec_tick_called, 1))
4965 goto end;
4966
4967 testresult = 1;
4968
4969 end:
4970 SSL_SESSION_free(clntsess);
4971 SSL_free(serverssl);
4972 SSL_free(clientssl);
4973 SSL_CTX_free(sctx);
4974 SSL_CTX_free(cctx);
4975
4976 return testresult;
4977}
4978
ad887416 4979int setup_tests(void)
2cb4b5f6 4980{
ad887416 4981 if (!TEST_ptr(cert = test_get_argument(0))
76fd7a1d
MC		 4982 || !TEST_ptr(privkey = test_get_argument(1))
4983 || !TEST_ptr(srpvfile = test_get_argument(2))
4984 || !TEST_ptr(tmpfilename = test_get_argument(3)))
710756a9 4985 return 0;
2cb4b5f6 4986
f297e4ec
RS		 4987 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
4988#ifdef OPENSSL_NO_CRYPTO_MDEBUG
4989 TEST_error("not supported in this build");
4990 return 0;
4991#else
4992 int i, mcount, rcount, fcount;
4993
4994 for (i = 0; i < 4; i++)
4995 test_export_key_mat(i);
4996 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
4997 test_printf_stdout("malloc %d realloc %d free %d\n",
4998 mcount, rcount, fcount);
4999 return 1;
5000#endif
5001 }
5002
84d5549e 5003 ADD_TEST(test_large_message_tls);
7856332e 5004 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 5005#ifndef OPENSSL_NO_DTLS
84d5549e 5006 ADD_TEST(test_large_message_dtls);
55386bef 5007#endif
8f8c11d8 5008#ifndef OPENSSL_NO_OCSP
c887104f 5009 ADD_TEST(test_tlsext_status_type);
8f8c11d8 5010#endif
eaa776da
MC		 5011 ADD_TEST(test_session_with_only_int_cache);
5012 ADD_TEST(test_session_with_only_ext_cache);
5013 ADD_TEST(test_session_with_both_cache);
36ff232c
MC		 5014#ifndef OPENSSL_NO_TLS1_3
5015 ADD_ALL_TESTS(test_tickets, 3);
5016#endif
7fb4c820 5017 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 5018 ADD_TEST(test_ssl_bio_pop_next_bio);
5019 ADD_TEST(test_ssl_bio_pop_ssl_bio);
5020 ADD_TEST(test_ssl_bio_change_rbio);
5021 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 5022#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 5023 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 5024 ADD_TEST(test_keylog);
c423ecaa 5025#endif
6acdd3e5
CB		 5026#ifndef OPENSSL_NO_TLS1_3
5027 ADD_TEST(test_keylog_no_master_key);
5028#endif
e9ee6536 5029#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 5030 ADD_TEST(test_client_hello_cb);
5f982038
MC		 5031#endif
5032#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 5033 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 5034 /*
5035 * We don't do replay tests for external PSK. Replay protection isn't used
5036 * in that scenario.
5037 */
5038 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 5039 ADD_ALL_TESTS(test_early_data_skip, 3);
5040 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
5041 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 5042 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 5043 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 5044# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 5045 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 5046# endif
e9ee6536 5047#endif
a273157a 5048#ifndef OPENSSL_NO_TLS1_3
034cb87b 5049 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 5050 ADD_TEST(test_ciphersuite_change);
c2b290c3
MC		 5051#ifdef OPENSSL_NO_PSK
5052 ADD_ALL_TESTS(test_tls13_psk, 1);
5053#else
0d8da779 5054 ADD_ALL_TESTS(test_tls13_psk, 4);
c2b290c3 5055#endif /* OPENSSL_NO_PSK */
bb01ef3f 5056 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 5057 ADD_TEST(test_stateless);
9d75dce3 5058 ADD_TEST(test_pha_key_update);
a273157a 5059#else
bb01ef3f 5060 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 5061#endif
16afd71c 5062 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 5063 ADD_ALL_TESTS(test_export_key_mat, 4);
b38ede80
TT		 5064#ifndef OPENSSL_NO_TLS1_3
5065 ADD_ALL_TESTS(test_export_key_mat_early, 3);
5066#endif
e11b6aa4 5067 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 5068 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 5069#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5070 ADD_ALL_TESTS(test_srp, 6);
5071#endif
5718fe45 5072 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 5073 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 5074 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
61fb5923 5075 ADD_ALL_TESTS(test_ticket_callbacks, 12);
ad887416
P		 5076 return 1;
5077}
2cb4b5f6 5078
ad887416
P		 5079void cleanup_tests(void)
5080{
fa454945 5081 bio_s_mempacket_test_free();
2cb4b5f6 5082}
A mirror of the official openssl repository