]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Refactor KTLS tests to better support TLS 1.3.
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
4333b89f 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
dfccfde0 34#include <openssl/x509v3.h>
2cb4b5f6 35
20f8bc72 36#include "helpers/ssltestlib.h"
c887104f 37#include "testutil.h"
f297e4ec 38#include "testutil/output.h"
176db6dc 39#include "internal/nelem.h"
fe5d9450 40#include "internal/ktls.h"
706457b7 41#include "../ssl/ssl_local.h"
b0001d0c 42#include "filterprov.h"
2cb4b5f6 43
a763ca11
MC		 44#undef OSSL_NO_USABLE_TLS1_3
45#if defined(OPENSSL_NO_TLS1_3) \
46 || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
47/*
48 * If we don't have ec or dh then there are no built-in groups that are usable
49 * with TLSv1.3
50 */
51# define OSSL_NO_USABLE_TLS1_3
52#endif
53
0c13cdf8
MC		 54/* Defined in tls-provider.c */
55int tls_provider_init(const OSSL_CORE_HANDLE *handle,
56 const OSSL_DISPATCH *in,
57 const OSSL_DISPATCH **out,
58 void **provctx);
852c2ed2 59
b4250010 60static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 61static OSSL_PROVIDER *defctxnull = NULL;
62
a763ca11 63#ifndef OSSL_NO_USABLE_TLS1_3
8614a4eb
MC		 64
65static SSL_SESSION *clientpsk = NULL;
66static SSL_SESSION *serverpsk = NULL;
67static const char *pskid = "Identity";
68static const char *srvid;
69
70static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
71 size_t *idlen, SSL_SESSION **sess);
72static int find_session_cb(SSL *ssl, const unsigned char *identity,
73 size_t identity_len, SSL_SESSION **sess);
74
75static int use_session_cb_cnt = 0;
76static int find_session_cb_cnt = 0;
77
78static SSL_SESSION *create_a_psk(SSL *ssl);
79#endif
80
1a2a3a42 81static char *certsdir = NULL;
2cb4b5f6
MC		 82static char *cert = NULL;
83static char *privkey = NULL;
b3842539
MC		 84static char *cert2 = NULL;
85static char *privkey2 = NULL;
3105d846
MC		 86static char *cert1024 = NULL;
87static char *privkey1024 = NULL;
88static char *cert3072 = NULL;
89static char *privkey3072 = NULL;
90static char *cert4096 = NULL;
91static char *privkey4096 = NULL;
92static char *cert8192 = NULL;
93static char *privkey8192 = NULL;
76fd7a1d
MC		 94static char *srpvfile = NULL;
95static char *tmpfilename = NULL;
2cb4b5f6 96
4f6c7044
MC		 97static int is_fips = 0;
98
cffe973c 99#define LOG_BUFFER_SIZE 2048
6acdd3e5 100static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 101static size_t server_log_buffer_index = 0;
6acdd3e5 102static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 103static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 104static int error_writing_log = 0;
105
8f8c11d8 106#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 107static const unsigned char orespder[] = "Dummy OCSP Response";
108static int ocsp_server_called = 0;
109static int ocsp_client_called = 0;
110
111static int cdummyarg = 1;
112static X509 *ocspcert = NULL;
8f8c11d8 113#endif
ba881d3b 114
84d5549e 115#define NUM_EXTRA_CERTS 40
cf72c757 116#define CLIENT_VERSION_LEN 2
84d5549e 117
f1a5939f
CB		 118/*
119 * This structure is used to validate that the correct number of log messages
120 * of various types are emitted when emitting secret logs.
121 */
122struct sslapitest_log_counts {
123 unsigned int rsa_key_exchange_count;
124 unsigned int master_secret_count;
cffe973c 125 unsigned int client_early_secret_count;
f1a5939f
CB		 126 unsigned int client_handshake_secret_count;
127 unsigned int server_handshake_secret_count;
128 unsigned int client_application_secret_count;
129 unsigned int server_application_secret_count;
01a2a654 130 unsigned int early_exporter_secret_count;
6329ce8f 131 unsigned int exporter_secret_count;
f1a5939f
CB		 132};
133
16afd71c
MC		 134
135static unsigned char serverinfov1[] = {
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
139};
140
141static unsigned char serverinfov2[] = {
142 0x00, 0x00, 0x00,
143 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
144 0xff, 0xff, /* Dummy extension type */
145 0x00, 0x01, /* Extension length is 1 byte */
146 0xff /* Dummy extension data */
147};
148
104a733d
MC		 149static int hostname_cb(SSL *s, int *al, void *arg)
150{
151 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
152
153 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
154 || strcmp(hostname, "altgoodhost") == 0))
155 return SSL_TLSEXT_ERR_OK;
156
157 return SSL_TLSEXT_ERR_NOACK;
158}
159
710756a9
RS		 160static void client_keylog_callback(const SSL *ssl, const char *line)
161{
6acdd3e5
CB		 162 int line_length = strlen(line);
163
164 /* If the log doesn't fit, error out. */
710756a9
RS		 165 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
166 TEST_info("Client log too full");
6acdd3e5
CB		 167 error_writing_log = 1;
168 return;
169 }
170
171 strcat(client_log_buffer, line);
172 client_log_buffer_index += line_length;
710756a9 173 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 174}
175
710756a9
RS		 176static void server_keylog_callback(const SSL *ssl, const char *line)
177{
6acdd3e5
CB		 178 int line_length = strlen(line);
179
180 /* If the log doesn't fit, error out. */
710756a9 181 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 182 TEST_info("Server log too full");
6acdd3e5
CB		 183 error_writing_log = 1;
184 return;
185 }
186
187 strcat(server_log_buffer, line);
188 server_log_buffer_index += line_length;
710756a9 189 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 190}
191
192static int compare_hex_encoded_buffer(const char *hex_encoded,
193 size_t hex_length,
194 const uint8_t *raw,
710756a9
RS		 195 size_t raw_length)
196{
197 size_t i, j;
198 char hexed[3];
6acdd3e5 199
710756a9 200 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 201 return 1;
6acdd3e5 202
710756a9 203 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 204 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 205 if (!TEST_int_eq(hexed[0], hex_encoded[j])
206 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 207 return 1;
6acdd3e5
CB		 208 }
209
210 return 0;
211}
212
213static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 214 const SSL_SESSION *session,
710756a9
RS		 215 struct sslapitest_log_counts *expected)
216{
6acdd3e5
CB		 217 char *token = NULL;
218 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
219 size_t client_random_size = SSL3_RANDOM_SIZE;
220 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
221 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 222 unsigned int rsa_key_exchange_count = 0;
223 unsigned int master_secret_count = 0;
cffe973c 224 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 225 unsigned int client_handshake_secret_count = 0;
226 unsigned int server_handshake_secret_count = 0;
227 unsigned int client_application_secret_count = 0;
228 unsigned int server_application_secret_count = 0;
01a2a654 229 unsigned int early_exporter_secret_count = 0;
6329ce8f 230 unsigned int exporter_secret_count = 0;
6acdd3e5 231
710756a9
RS		 232 for (token = strtok(buffer, " \n"); token != NULL;
233 token = strtok(NULL, " \n")) {
6acdd3e5 234 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 235 /*
236 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 237 * hex-encoded encrypted secret, then the hex-encoded pre-master
238 * secret.
239 */
710756a9 240 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 241 return 0;
710756a9 242 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 243 return 0;
710756a9 244 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 245 return 0;
f1a5939f
CB		 246 /*
247 * We can't sensibly check the log because the premaster secret is
248 * transient, and OpenSSL doesn't keep hold of it once the master
249 * secret is generated.
250 */
251 rsa_key_exchange_count++;
6acdd3e5 252 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 253 /*
254 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 255 * client random, then the hex-encoded master secret.
256 */
257 client_random_size = SSL_get_client_random(ssl,
258 actual_client_random,
259 SSL3_RANDOM_SIZE);
710756a9 260 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 261 return 0;
6acdd3e5 262
710756a9 263 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 264 return 0;
710756a9 265 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 266 return 0;
710756a9
RS		 267 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
268 actual_client_random,
269 client_random_size)))
f1a5939f 270 return 0;
6acdd3e5 271
710756a9 272 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 273 return 0;
6acdd3e5
CB		 274 master_key_size = SSL_SESSION_get_master_key(session,
275 actual_master_key,
276 master_key_size);
710756a9 277 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 278 return 0;
710756a9
RS		 279 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
280 actual_master_key,
281 master_key_size)))
f1a5939f 282 return 0;
f1a5939f 283 master_secret_count++;
cffe973c
PW		 284 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
285 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 286 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
287 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 288 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 289 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 290 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 291 /*
292 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
293 * client random, and then the hex-encoded secret. In this case,
294 * we treat all of these secrets identically and then just
295 * distinguish between them when counting what we saw.
296 */
cffe973c
PW		 297 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
298 client_early_secret_count++;
299 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 300 client_handshake_secret_count++;
301 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
302 server_handshake_secret_count++;
303 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
304 client_application_secret_count++;
305 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
306 server_application_secret_count++;
01a2a654
PW		 307 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
308 early_exporter_secret_count++;
6329ce8f
PW		 309 else if (strcmp(token, "EXPORTER_SECRET") == 0)
310 exporter_secret_count++;
f1a5939f
CB		 311
312 client_random_size = SSL_get_client_random(ssl,
313 actual_client_random,
314 SSL3_RANDOM_SIZE);
710756a9 315 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 316 return 0;
f1a5939f 317
710756a9 318 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 319 return 0;
710756a9 320 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 321 return 0;
710756a9
RS		 322 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
323 actual_client_random,
324 client_random_size)))
f1a5939f 325 return 0;
6acdd3e5 326
710756a9 327 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 328 return 0;
6acdd3e5 329 } else {
710756a9 330 TEST_info("Unexpected token %s\n", token);
f1a5939f 331 return 0;
6acdd3e5 332 }
6acdd3e5
CB		 333 }
334
710756a9
RS		 335 /* Got what we expected? */
336 if (!TEST_size_t_eq(rsa_key_exchange_count,
337 expected->rsa_key_exchange_count)
338 || !TEST_size_t_eq(master_secret_count,
339 expected->master_secret_count)
cffe973c
PW		 340 || !TEST_size_t_eq(client_early_secret_count,
341 expected->client_early_secret_count)
710756a9
RS		 342 || !TEST_size_t_eq(client_handshake_secret_count,
343 expected->client_handshake_secret_count)
344 || !TEST_size_t_eq(server_handshake_secret_count,
345 expected->server_handshake_secret_count)
346 || !TEST_size_t_eq(client_application_secret_count,
347 expected->client_application_secret_count)
348 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 349 expected->server_application_secret_count)
01a2a654
PW		 350 || !TEST_size_t_eq(early_exporter_secret_count,
351 expected->early_exporter_secret_count)
6329ce8f
PW		 352 || !TEST_size_t_eq(exporter_secret_count,
353 expected->exporter_secret_count))
710756a9
RS		 354 return 0;
355 return 1;
6acdd3e5
CB		 356}
357
a763ca11 358#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
710756a9
RS		 359static int test_keylog(void)
360{
6acdd3e5
CB		 361 SSL_CTX *cctx = NULL, *sctx = NULL;
362 SSL *clientssl = NULL, *serverssl = NULL;
363 int testresult = 0;
6fc1e624 364 struct sslapitest_log_counts expected;
6acdd3e5
CB		 365
366 /* Clean up logging space */
6fc1e624 367 memset(&expected, 0, sizeof(expected));
710756a9
RS		 368 memset(client_log_buffer, 0, sizeof(client_log_buffer));
369 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 370 client_log_buffer_index = 0;
371 server_log_buffer_index = 0;
372 error_writing_log = 0;
373
5e30f2fd 374 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 375 TLS_client_method(),
5c587fb6 376 TLS1_VERSION, 0,
710756a9 377 &sctx, &cctx, cert, privkey)))
6acdd3e5 378 return 0;
6acdd3e5
CB		 379
380 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
381 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
382 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
383
f0deb4d3 384 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 385 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 386 goto end;
f0deb4d3 387
cf10df81
RS		 388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
389 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 390 goto end;
6acdd3e5 391 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 392 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
393 == client_keylog_callback))
6acdd3e5 394 goto end;
710756a9 395 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 396 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
397 == server_keylog_callback))
6acdd3e5 398 goto end;
6acdd3e5 399
710756a9
RS		 400 /* Now do a handshake and check that the logs have been written to. */
401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
402 &clientssl, NULL, NULL))
403 || !TEST_true(create_ssl_connection(serverssl, clientssl,
404 SSL_ERROR_NONE))
405 || !TEST_false(error_writing_log)
406 || !TEST_int_gt(client_log_buffer_index, 0)
407 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 408 goto end;
6acdd3e5 409
f1a5939f
CB		 410 /*
411 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 412 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 413 * data we expect. For both client and server, we expect to see one master
414 * secret. The client should also see a RSA key exchange.
6acdd3e5 415 */
f1a5939f
CB		 416 expected.rsa_key_exchange_count = 1;
417 expected.master_secret_count = 1;
710756a9
RS		 418 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
419 SSL_get_session(clientssl), &expected)))
6acdd3e5 420 goto end;
f1a5939f
CB		 421
422 expected.rsa_key_exchange_count = 0;
710756a9
RS		 423 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
424 SSL_get_session(serverssl), &expected)))
6acdd3e5 425 goto end;
6acdd3e5
CB		 426
427 testresult = 1;
428
429end:
430 SSL_free(serverssl);
431 SSL_free(clientssl);
432 SSL_CTX_free(sctx);
433 SSL_CTX_free(cctx);
434
435 return testresult;
436}
c423ecaa 437#endif
6acdd3e5 438
a763ca11 439#ifndef OSSL_NO_USABLE_TLS1_3
710756a9
RS		 440static int test_keylog_no_master_key(void)
441{
6acdd3e5
CB		 442 SSL_CTX *cctx = NULL, *sctx = NULL;
443 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 444 SSL_SESSION *sess = NULL;
6acdd3e5 445 int testresult = 0;
6fc1e624 446 struct sslapitest_log_counts expected;
cffe973c
PW		 447 unsigned char buf[1];
448 size_t readbytes, written;
6acdd3e5
CB		 449
450 /* Clean up logging space */
6fc1e624 451 memset(&expected, 0, sizeof(expected));
710756a9
RS		 452 memset(client_log_buffer, 0, sizeof(client_log_buffer));
453 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 454 client_log_buffer_index = 0;
455 server_log_buffer_index = 0;
456 error_writing_log = 0;
457
5e30f2fd
MC		 458 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
459 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 460 &sctx, &cctx, cert, privkey))
461 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 462 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 463 return 0;
6acdd3e5 464
cf10df81
RS		 465 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
466 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 467 goto end;
6acdd3e5
CB		 468
469 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 470 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
471 == client_keylog_callback))
6acdd3e5 472 goto end;
6acdd3e5 473
710756a9 474 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 475 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
476 == server_keylog_callback))
6acdd3e5 477 goto end;
6acdd3e5 478
710756a9
RS		 479 /* Now do a handshake and check that the logs have been written to. */
480 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
481 &clientssl, NULL, NULL))
482 || !TEST_true(create_ssl_connection(serverssl, clientssl,
483 SSL_ERROR_NONE))
484 || !TEST_false(error_writing_log))
6acdd3e5 485 goto end;
6acdd3e5 486
f1a5939f
CB		 487 /*
488 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 489 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 490 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 491 */
f1a5939f
CB		 492 expected.client_handshake_secret_count = 1;
493 expected.server_handshake_secret_count = 1;
494 expected.client_application_secret_count = 1;
495 expected.server_application_secret_count = 1;
6329ce8f 496 expected.exporter_secret_count = 1;
710756a9
RS		 497 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
498 SSL_get_session(clientssl), &expected))
499 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
500 SSL_get_session(serverssl),
501 &expected)))
6acdd3e5 502 goto end;
6acdd3e5 503
cffe973c
PW		 504 /* Terminate old session and resume with early data. */
505 sess = SSL_get1_session(clientssl);
506 SSL_shutdown(clientssl);
507 SSL_shutdown(serverssl);
508 SSL_free(serverssl);
509 SSL_free(clientssl);
510 serverssl = clientssl = NULL;
511
512 /* Reset key log */
513 memset(client_log_buffer, 0, sizeof(client_log_buffer));
514 memset(server_log_buffer, 0, sizeof(server_log_buffer));
515 client_log_buffer_index = 0;
516 server_log_buffer_index = 0;
517
518 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
519 &clientssl, NULL, NULL))
520 || !TEST_true(SSL_set_session(clientssl, sess))
521 /* Here writing 0 length early data is enough. */
522 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
523 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
524 &readbytes),
525 SSL_READ_EARLY_DATA_ERROR)
526 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
527 SSL_EARLY_DATA_ACCEPTED)
528 || !TEST_true(create_ssl_connection(serverssl, clientssl,
529 SSL_ERROR_NONE))
530 || !TEST_true(SSL_session_reused(clientssl)))
531 goto end;
532
533 /* In addition to the previous entries, expect early secrets. */
534 expected.client_early_secret_count = 1;
01a2a654 535 expected.early_exporter_secret_count = 1;
cffe973c
PW		 536 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
537 SSL_get_session(clientssl), &expected))
538 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
539 SSL_get_session(serverssl),
540 &expected)))
541 goto end;
542
6acdd3e5
CB		 543 testresult = 1;
544
545end:
cffe973c 546 SSL_SESSION_free(sess);
6acdd3e5
CB		 547 SSL_free(serverssl);
548 SSL_free(clientssl);
549 SSL_CTX_free(sctx);
550 SSL_CTX_free(cctx);
551
552 return testresult;
553}
554#endif
555
0c3eb279
DDO		 556static int verify_retry_cb(X509_STORE_CTX *ctx, void *arg)
557{
558 int res = X509_verify_cert(ctx);
559
560 if (res == 0 && X509_STORE_CTX_get_error(ctx) ==
561 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
562 return -1; /* indicate SSL_ERROR_WANT_RETRY_VERIFY */
563 return res;
564}
565
566static int test_client_cert_verify_cb(void)
567{
568 /* server key, cert, chain, and root */
569 char *skey = test_mk_file_path(certsdir, "leaf.key");
570 char *leaf = test_mk_file_path(certsdir, "leaf.pem");
571 char *int2 = test_mk_file_path(certsdir, "subinterCA.pem");
572 char *int1 = test_mk_file_path(certsdir, "interCA.pem");
573 char *root = test_mk_file_path(certsdir, "rootCA.pem");
574 X509 *crt1 = NULL, *crt2 = NULL;
575 STACK_OF(X509) *server_chain;
576 SSL_CTX *cctx = NULL, *sctx = NULL;
577 SSL *clientssl = NULL, *serverssl = NULL;
578 int testresult = 0;
579
580 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
581 TLS_client_method(), TLS1_VERSION, 0,
582 &sctx, &cctx, NULL, NULL)))
583 goto end;
584 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(sctx, leaf), 1)
585 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx, skey,
586 SSL_FILETYPE_PEM), 1)
587 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
588 goto end;
589 if (!TEST_true(SSL_CTX_load_verify_locations(cctx, root, NULL)))
590 goto end;
591 SSL_CTX_set_verify(cctx, SSL_VERIFY_PEER, NULL);
592 SSL_CTX_set_cert_verify_callback(cctx, verify_retry_cb, NULL);
593 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
594 &clientssl, NULL, NULL)))
595 goto end;
596
597 /* attempt SSL_connect() with incomplete server chain */
598 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
599 SSL_ERROR_WANT_RETRY_VERIFY)))
600 goto end;
601
602 /* application provides intermediate certs needed to verify server cert */
603 if (!TEST_ptr((crt1 = load_cert_pem(int1, libctx)))
604 || !TEST_ptr((crt2 = load_cert_pem(int2, libctx)))
605 || !TEST_ptr((server_chain = SSL_get_peer_cert_chain(clientssl))))
606 goto end;
607 /* add certs in reverse order to demonstrate real chain building */
608 if (!TEST_true(sk_X509_push(server_chain, crt1)))
609 goto end;
610 crt1 = NULL;
611 if (!TEST_true(sk_X509_push(server_chain, crt2)))
612 goto end;
613 crt2 = NULL;
614
615 /* continue SSL_connect(), must now succeed with completed server chain */
616 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
617 SSL_ERROR_NONE)))
618 goto end;
619
620 testresult = 1;
621
622end:
623 X509_free(crt1);
624 X509_free(crt2);
c38048e7
P		 625 if (clientssl != NULL) {
626 SSL_shutdown(clientssl);
627 SSL_free(clientssl);
628 }
629 if (serverssl != NULL) {
630 SSL_shutdown(serverssl);
631 SSL_free(serverssl);
632 }
0c3eb279
DDO		 633 SSL_CTX_free(sctx);
634 SSL_CTX_free(cctx);
635
636 OPENSSL_free(skey);
637 OPENSSL_free(leaf);
638 OPENSSL_free(int2);
639 OPENSSL_free(int1);
640 OPENSSL_free(root);
641
642 return testresult;
643}
644
4e4ae840
SL		 645static int test_ssl_build_cert_chain(void)
646{
647 int ret = 0;
648 SSL_CTX *ssl_ctx = NULL;
649 SSL *ssl = NULL;
650 char *skey = test_mk_file_path(certsdir, "leaf.key");
651 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
652
653 if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
654 goto end;
655 if (!TEST_ptr(ssl = SSL_new(ssl_ctx)))
656 goto end;
657 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
658 if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1)
659 || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1)
660 || !TEST_int_eq(SSL_check_private_key(ssl), 1))
661 goto end;
662 if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT
663 | SSL_BUILD_CHAIN_FLAG_CHECK)))
664 goto end;
665 ret = 1;
666end:
667 SSL_free(ssl);
668 SSL_CTX_free(ssl_ctx);
669 OPENSSL_free(leaf_chain);
670 OPENSSL_free(skey);
671 return ret;
672}
673
674static int test_ssl_ctx_build_cert_chain(void)
675{
676 int ret = 0;
677 SSL_CTX *ctx = NULL;
678 char *skey = test_mk_file_path(certsdir, "leaf.key");
679 char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem");
680
681 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
682 goto end;
683 /* leaf_chain contains leaf + subinterCA + interCA + rootCA */
684 if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1)
685 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey,
686 SSL_FILETYPE_PEM), 1)
687 || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1))
688 goto end;
689 if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT
690 | SSL_BUILD_CHAIN_FLAG_CHECK)))
691 goto end;
692 ret = 1;
693end:
694 SSL_CTX_free(ctx);
695 OPENSSL_free(leaf_chain);
696 OPENSSL_free(skey);
697 return ret;
698}
699
e9ee6536 700#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 701static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 702{
703 int *ctr = arg;
704 const unsigned char *p;
8ea404fb 705 int *exts;
2afaee51
BK		 706 /* We only configure two ciphers, but the SCSV is added automatically. */
707#ifdef OPENSSL_NO_EC
708 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
709#else
710 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
711 0x2c, 0x00, 0xff};
712#endif
8ea404fb
BK		 713 const int expected_extensions[] = {
714#ifndef OPENSSL_NO_EC
715 11, 10,
716#endif
10ed1b72 717 35, 22, 23, 13};
2afaee51
BK		 718 size_t len;
719
720 /* Make sure we can defer processing and get called back. */
721 if ((*ctr)++ == 0)
f1b97da1 722 return SSL_CLIENT_HELLO_RETRY;
2afaee51 723
a9c0d8be 724 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 725 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 726 || !TEST_size_t_eq(
727 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 728 || !TEST_int_eq(*p, 0))
f1b97da1 729 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 730 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 731 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 732 if (len != OSSL_NELEM(expected_extensions) ||
733 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 734 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 735 OPENSSL_free(exts);
f1b97da1 736 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 737 }
738 OPENSSL_free(exts);
f1b97da1 739 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 740}
741
a9c0d8be 742static int test_client_hello_cb(void)
710756a9 743{
2afaee51
BK		 744 SSL_CTX *cctx = NULL, *sctx = NULL;
745 SSL *clientssl = NULL, *serverssl = NULL;
746 int testctr = 0, testresult = 0;
747
5e30f2fd
MC		 748 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
749 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 750 &sctx, &cctx, cert, privkey)))
2afaee51 751 goto end;
a9c0d8be 752 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 753
2afaee51
BK		 754 /* The gimpy cipher list we configure can't do TLS 1.3. */
755 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 756
710756a9
RS		 757 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
758 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
759 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
760 &clientssl, NULL, NULL))
761 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 762 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 763 /*
764 * Passing a -1 literal is a hack since
765 * the real value was lost.
766 * */
a9c0d8be
DB		 767 || !TEST_int_eq(SSL_get_error(serverssl, -1),
768 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 769 || !TEST_true(create_ssl_connection(serverssl, clientssl,
770 SSL_ERROR_NONE)))
2afaee51 771 goto end;
2afaee51
BK		 772
773 testresult = 1;
774
088dfa13
TS		 775end:
776 SSL_free(serverssl);
777 SSL_free(clientssl);
778 SSL_CTX_free(sctx);
779 SSL_CTX_free(cctx);
780
781 return testresult;
782}
783
784static int test_no_ems(void)
785{
786 SSL_CTX *cctx = NULL, *sctx = NULL;
787 SSL *clientssl = NULL, *serverssl = NULL;
788 int testresult = 0;
789
5e30f2fd 790 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 791 TLS1_VERSION, TLS1_2_VERSION,
792 &sctx, &cctx, cert, privkey)) {
793 printf("Unable to create SSL_CTX pair\n");
794 goto end;
795 }
796
797 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
798
799 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
800 printf("Unable to create SSL objects\n");
801 goto end;
802 }
803
804 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
805 printf("Creating SSL connection failed\n");
806 goto end;
807 }
808
809 if (SSL_get_extms_support(serverssl)) {
810 printf("Server reports Extended Master Secret support\n");
811 goto end;
812 }
813
814 if (SSL_get_extms_support(clientssl)) {
815 printf("Client reports Extended Master Secret support\n");
816 goto end;
817 }
818 testresult = 1;
819
2afaee51
BK		 820end:
821 SSL_free(serverssl);
822 SSL_free(clientssl);
823 SSL_CTX_free(sctx);
824 SSL_CTX_free(cctx);
825
826 return testresult;
827}
828
3cd14e5e
BK		 829/*
830 * Very focused test to exercise a single case in the server-side state
831 * machine, when the ChangeCipherState message needs to actually change
832 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 833 * encryption to real encryption).
3cd14e5e
BK		 834 */
835static int test_ccs_change_cipher(void)
836{
837 SSL_CTX *cctx = NULL, *sctx = NULL;
838 SSL *clientssl = NULL, *serverssl = NULL;
839 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
840 int testresult = 0;
841 int i;
842 unsigned char buf;
843 size_t readbytes;
844
845 /*
846 * Create a conection so we can resume and potentially (but not) use
847 * a different cipher in the second connection.
848 */
5e30f2fd 849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 850 TLS_client_method(),
851 TLS1_VERSION, TLS1_2_VERSION,
852 &sctx, &cctx, cert, privkey))
853 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
854 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
855 NULL, NULL))
856 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
857 || !TEST_true(create_ssl_connection(serverssl, clientssl,
858 SSL_ERROR_NONE))
859 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
860 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
861 goto end;
862
863 shutdown_ssl_connection(serverssl, clientssl);
864 serverssl = clientssl = NULL;
865
866 /* Resume, preferring a different cipher. Our server will force the
867 * same cipher to be used as the initial handshake. */
868 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
869 NULL, NULL))
870 || !TEST_true(SSL_set_session(clientssl, sess))
871 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
872 || !TEST_true(create_ssl_connection(serverssl, clientssl,
873 SSL_ERROR_NONE))
874 || !TEST_true(SSL_session_reused(clientssl))
875 || !TEST_true(SSL_session_reused(serverssl))
876 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
877 || !TEST_ptr_eq(sesspre, sesspost)
878 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
879 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
880 goto end;
881 shutdown_ssl_connection(serverssl, clientssl);
882 serverssl = clientssl = NULL;
883
884 /*
885 * Now create a fresh connection and try to renegotiate a different
886 * cipher on it.
887 */
b3e6d666
BK		 888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
889 NULL, NULL))
3cd14e5e
BK		 890 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
891 || !TEST_true(create_ssl_connection(serverssl, clientssl,
892 SSL_ERROR_NONE))
893 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
894 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
895 || !TEST_true(SSL_renegotiate(clientssl))
896 || !TEST_true(SSL_renegotiate_pending(clientssl)))
897 goto end;
898 /* Actually drive the renegotiation. */
899 for (i = 0; i < 3; i++) {
900 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
901 if (!TEST_ulong_eq(readbytes, 0))
902 goto end;
903 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
904 SSL_ERROR_WANT_READ)) {
905 goto end;
906 }
907 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
908 if (!TEST_ulong_eq(readbytes, 0))
909 goto end;
910 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
911 SSL_ERROR_WANT_READ)) {
912 goto end;
913 }
914 }
915 /* sesspre and sesspost should be different since the cipher changed. */
916 if (!TEST_false(SSL_renegotiate_pending(clientssl))
917 || !TEST_false(SSL_session_reused(clientssl))
918 || !TEST_false(SSL_session_reused(serverssl))
919 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
920 || !TEST_ptr_ne(sesspre, sesspost)
921 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
922 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
923 goto end;
924
925 shutdown_ssl_connection(serverssl, clientssl);
926 serverssl = clientssl = NULL;
927
928 testresult = 1;
929
930end:
931 SSL_free(serverssl);
932 SSL_free(clientssl);
933 SSL_CTX_free(sctx);
934 SSL_CTX_free(cctx);
935 SSL_SESSION_free(sess);
936
937 return testresult;
938}
fb121631 939#endif
3cd14e5e 940
84d5549e 941static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 942 const SSL_METHOD *cmeth,
943 int min_version, int max_version,
944 int read_ahead)
84d5549e
MC		 945{
946 SSL_CTX *cctx = NULL, *sctx = NULL;
947 SSL *clientssl = NULL, *serverssl = NULL;
948 int testresult = 0;
949 int i;
710756a9 950 BIO *certbio = NULL;
84d5549e
MC		 951 X509 *chaincert = NULL;
952 int certlen;
953
710756a9 954 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 955 goto end;
6725682d 956
d8652be0 957 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 958 goto end;
959
960 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
961 goto end;
fa454945
MC		 962 BIO_free(certbio);
963 certbio = NULL;
84d5549e 964
5e30f2fd
MC		 965 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
966 max_version, &sctx, &cctx, cert,
967 privkey)))
84d5549e 968 goto end;
84d5549e 969
8ce390e1
MC		 970#ifdef OPENSSL_NO_DTLS1_2
971 if (smeth == DTLS_server_method()) {
972 /*
973 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
974 * level 0
975 */
976 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
977 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
978 "DEFAULT:@SECLEVEL=0")))
979 goto end;
980 }
981#endif
982
710756a9 983 if (read_ahead) {
7856332e
MC		 984 /*
985 * Test that read_ahead works correctly when dealing with large
986 * records
987 */
988 SSL_CTX_set_read_ahead(cctx, 1);
989 }
990
84d5549e
MC		 991 /*
992 * We assume the supplied certificate is big enough so that if we add
993 * NUM_EXTRA_CERTS it will make the overall message large enough. The
994 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 995 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
996 * test we need to have a message larger than that.
84d5549e
MC		 997 */
998 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 999 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
1000 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 1001 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 1002 if (!X509_up_ref(chaincert))
84d5549e 1003 goto end;
84d5549e 1004 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 1005 X509_free(chaincert);
1006 goto end;
1007 }
1008 }
1009
710756a9
RS		 1010 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1011 NULL, NULL))
1012 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1013 SSL_ERROR_NONE)))
84d5549e 1014 goto end;
84d5549e 1015
4bf08600
MC		 1016 /*
1017 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 1018 * doesn't leak.
4bf08600 1019 */
710756a9 1020 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 1021 goto end;
84d5549e 1022
4bf08600 1023 testresult = 1;
84d5549e 1024 end:
6725682d 1025 BIO_free(certbio);
84d5549e
MC		 1026 X509_free(chaincert);
1027 SSL_free(serverssl);
1028 SSL_free(clientssl);
1029 SSL_CTX_free(sctx);
1030 SSL_CTX_free(cctx);
1031
1032 return testresult;
1033}
1034
da4db160 1035#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
a763ca11 1036 !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
fe5d9450
BP		 1037/* sock must be connected */
1038static int ktls_chk_platform(int sock)
1039{
1040 if (!ktls_enable(sock))
1041 return 0;
1042 return 1;
1043}
1044
e1fdd526 1045static int ping_pong_query(SSL *clientssl, SSL *serverssl)
fe5d9450
BP		 1046{
1047 static char count = 1;
1048 unsigned char cbuf[16000] = {0};
1049 unsigned char sbuf[16000];
1050 size_t err = 0;
e1fdd526
JB		 1051 char crec_wseq_before[SEQ_NUM_SIZE];
1052 char crec_wseq_after[SEQ_NUM_SIZE];
1053 char crec_rseq_before[SEQ_NUM_SIZE];
1054 char crec_rseq_after[SEQ_NUM_SIZE];
1055 char srec_wseq_before[SEQ_NUM_SIZE];
1056 char srec_wseq_after[SEQ_NUM_SIZE];
1057 char srec_rseq_before[SEQ_NUM_SIZE];
1058 char srec_rseq_after[SEQ_NUM_SIZE];
fe5d9450
BP		 1059
1060 cbuf[0] = count++;
e1fdd526
JB		 1061 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1062 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1063 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1064 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1065
1066 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
1067 goto end;
1068
1069 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
1070 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
1071 goto end;
1072 }
1073 }
1074
1075 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
1076 goto end;
1077
1078 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
1079 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
1080 goto end;
1081 }
1082 }
1083
e1fdd526
JB		 1084 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1085 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE);
1086 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE);
1087 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE);
fe5d9450
BP		 1088
1089 /* verify the payload */
1090 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1091 goto end;
1092
e1fdd526
JB		 1093 /*
1094 * If ktls is used then kernel sequences are used instead of
1095 * OpenSSL sequences
1096 */
1097 if (!BIO_get_ktls_send(clientssl->wbio)) {
1098 if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE,
1099 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1100 goto end;
1101 } else {
e1fdd526
JB		 1102 if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE,
1103 crec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1104 goto end;
1105 }
1106
e1fdd526
JB		 1107 if (!BIO_get_ktls_send(serverssl->wbio)) {
1108 if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE,
1109 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1110 goto end;
1111 } else {
e1fdd526
JB		 1112 if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE,
1113 srec_wseq_after, SEQ_NUM_SIZE))
fe5d9450
BP		 1114 goto end;
1115 }
1116
e1fdd526
JB		 1117 if (!BIO_get_ktls_recv(clientssl->wbio)) {
1118 if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE,
1119 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1120 goto end;
1121 } else {
e1fdd526
JB		 1122 if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE,
1123 crec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1124 goto end;
1125 }
1126
e1fdd526
JB		 1127 if (!BIO_get_ktls_recv(serverssl->wbio)) {
1128 if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE,
1129 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1130 goto end;
1131 } else {
e1fdd526
JB		 1132 if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE,
1133 srec_rseq_after, SEQ_NUM_SIZE))
2fab79af
BP		 1134 goto end;
1135 }
fe5d9450
BP		 1136
1137 return 1;
1138end:
1139 return 0;
1140}
1141
a3a54179 1142static int execute_test_ktls(int cis_ktls, int sis_ktls,
e1fdd526 1143 int tls_version, const char *cipher)
fe5d9450
BP		 1144{
1145 SSL_CTX *cctx = NULL, *sctx = NULL;
1146 SSL *clientssl = NULL, *serverssl = NULL;
e1fdd526
JB		 1147 int ktls_used = 0, testresult = 0;
1148 int cfd = -1, sfd = -1;
1149 int rx_supported;
fe5d9450
BP		 1150
1151 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
1152 goto end;
1153
1154 /* Skip this test if the platform does not support ktls */
e1fdd526
JB		 1155 if (!ktls_chk_platform(cfd)) {
1156 testresult = TEST_skip("Kernel does not support KTLS");
1157 goto end;
1158 }
fe5d9450
BP		 1159
1160 /* Create a session based on SHA-256 */
5e30f2fd 1161 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 1162 TLS_client_method(),
da4db160 1163 tls_version, tls_version,
e1fdd526
JB		 1164 &sctx, &cctx, cert, privkey)))
1165 goto end;
1166
1167 if (tls_version == TLS1_3_VERSION) {
1168 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1169 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1170 goto end;
1171 } else {
1172 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1173 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1174 goto end;
1175 }
1176
1177 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1178 &clientssl, sfd, cfd)))
fe5d9450
BP		 1179 goto end;
1180
a3a54179
MC		 1181 if (cis_ktls) {
1182 if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS)))
fe5d9450
BP		 1183 goto end;
1184 }
1185
a3a54179 1186 if (sis_ktls) {
e1fdd526 1187 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
2fab79af
BP		 1188 goto end;
1189 }
1190
e1fdd526 1191 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
fe5d9450
BP		 1192 goto end;
1193
e1fdd526
JB		 1194 /*
1195 * The running kernel may not support a given cipher suite
1196 * or direction, so just check that KTLS isn't used when it
1197 * isn't enabled.
1198 */
a3a54179 1199 if (!cis_ktls) {
fe5d9450
BP		 1200 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1201 goto end;
1202 } else {
e1fdd526
JB		 1203 if (BIO_get_ktls_send(clientssl->wbio))
1204 ktls_used = 1;
fe5d9450
BP		 1205 }
1206
a3a54179 1207 if (!sis_ktls) {
fe5d9450
BP		 1208 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1209 goto end;
1210 } else {
e1fdd526
JB		 1211 if (BIO_get_ktls_send(serverssl->wbio))
1212 ktls_used = 1;
fe5d9450
BP		 1213 }
1214
a3a54179 1215#if defined(OPENSSL_NO_KTLS_RX)
e1fdd526
JB		 1216 rx_supported = 0;
1217#else
1218 rx_supported = (tls_version != TLS1_3_VERSION);
a3a54179 1219#endif
e1fdd526 1220 if (!cis_ktls || !rx_supported) {
2fab79af
BP		 1221 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1222 goto end;
1223 } else {
e1fdd526
JB		 1224 if (BIO_get_ktls_send(clientssl->rbio))
1225 ktls_used = 1;
2fab79af
BP		 1226 }
1227
e1fdd526 1228 if (!sis_ktls || !rx_supported) {
2fab79af
BP		 1229 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1230 goto end;
1231 } else {
e1fdd526
JB		 1232 if (BIO_get_ktls_send(serverssl->rbio))
1233 ktls_used = 1;
1234 }
1235
1236 if ((cis_ktls || sis_ktls) && !ktls_used) {
1237 testresult = TEST_skip("KTLS not supported for %s cipher %s",
1238 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1239 "TLS 1.2", cipher);
1240 goto end;
2fab79af
BP		 1241 }
1242
e1fdd526 1243 if (!TEST_true(ping_pong_query(clientssl, serverssl)))
fe5d9450
BP		 1244 goto end;
1245
1246 testresult = 1;
1247end:
1248 if (clientssl) {
1249 SSL_shutdown(clientssl);
1250 SSL_free(clientssl);
1251 }
1252 if (serverssl) {
1253 SSL_shutdown(serverssl);
1254 SSL_free(serverssl);
1255 }
1256 SSL_CTX_free(sctx);
1257 SSL_CTX_free(cctx);
1258 serverssl = clientssl = NULL;
e1fdd526
JB		 1259 if (cfd != -1)
1260 close(cfd);
1261 if (sfd != -1)
1262 close(sfd);
fe5d9450
BP		 1263 return testresult;
1264}
1265
7c3a7561
BP		 1266#define SENDFILE_SZ (16 * 4096)
1267#define SENDFILE_CHUNK (4 * 4096)
1268#define min(a,b) ((a) > (b) ? (b) : (a))
1269
e1fdd526 1270static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1271{
1272 SSL_CTX *cctx = NULL, *sctx = NULL;
1273 SSL *clientssl = NULL, *serverssl = NULL;
1274 unsigned char *buf, *buf_dst;
1275 BIO *out = NULL, *in = NULL;
e1fdd526 1276 int cfd = -1, sfd = -1, ffd, err;
7c3a7561
BP		 1277 ssize_t chunk_size = 0;
1278 off_t chunk_off = 0;
1279 int testresult = 0;
1280 FILE *ffdp;
1281
1282 buf = OPENSSL_zalloc(SENDFILE_SZ);
1283 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1284 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1285 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1286 goto end;
1287
1288 /* Skip this test if the platform does not support ktls */
1289 if (!ktls_chk_platform(sfd)) {
e1fdd526 1290 testresult = TEST_skip("Kernel does not support KTLS");
7c3a7561
BP		 1291 goto end;
1292 }
1293
1294 /* Create a session based on SHA-256 */
5e30f2fd 1295 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1296 TLS_client_method(),
da4db160 1297 tls_version, tls_version,
e1fdd526
JB		 1298 &sctx, &cctx, cert, privkey)))
1299 goto end;
1300
1301 if (tls_version == TLS1_3_VERSION) {
1302 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher))
1303 || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher)))
1304 goto end;
1305 } else {
1306 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
1307 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher)))
1308 goto end;
1309 }
1310
1311 if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1312 &clientssl, sfd, cfd)))
1313 goto end;
1314
1315 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
7c3a7561
BP		 1316 goto end;
1317
1318 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
e1fdd526 1319 SSL_ERROR_NONE)))
7c3a7561
BP		 1320 goto end;
1321
e1fdd526
JB		 1322 if (!BIO_get_ktls_send(serverssl->wbio)) {
1323 testresult = TEST_skip("Failed to enable KTLS for %s cipher %s",
1324 tls_version == TLS1_3_VERSION ? "TLS 1.3" :
1325 "TLS 1.2", cipher);
1326 goto end;
1327 }
1328
23e97567 1329 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ, 0)))
72c1e374
JB		 1330 goto end;
1331
7c3a7561
BP		 1332 out = BIO_new_file(tmpfilename, "wb");
1333 if (!TEST_ptr(out))
1334 goto end;
1335
1336 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1337 goto end;
1338
1339 BIO_free(out);
1340 out = NULL;
1341 in = BIO_new_file(tmpfilename, "rb");
1342 BIO_get_fp(in, &ffdp);
1343 ffd = fileno(ffdp);
1344
1345 while (chunk_off < SENDFILE_SZ) {
1346 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1347 while ((err = SSL_sendfile(serverssl,
1348 ffd,
1349 chunk_off,
1350 chunk_size,
1351 0)) != chunk_size) {
1352 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1353 goto end;
1354 }
1355 while ((err = SSL_read(clientssl,
1356 buf_dst + chunk_off,
1357 chunk_size)) != chunk_size) {
1358 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1359 goto end;
1360 }
1361
1362 /* verify the payload */
1363 if (!TEST_mem_eq(buf_dst + chunk_off,
1364 chunk_size,
1365 buf + chunk_off,
1366 chunk_size))
1367 goto end;
1368
1369 chunk_off += chunk_size;
1370 }
1371
1372 testresult = 1;
1373end:
1374 if (clientssl) {
1375 SSL_shutdown(clientssl);
1376 SSL_free(clientssl);
1377 }
1378 if (serverssl) {
1379 SSL_shutdown(serverssl);
1380 SSL_free(serverssl);
1381 }
1382 SSL_CTX_free(sctx);
1383 SSL_CTX_free(cctx);
1384 serverssl = clientssl = NULL;
1385 BIO_free(out);
1386 BIO_free(in);
e1fdd526
JB		 1387 if (cfd != -1)
1388 close(cfd);
1389 if (sfd != -1)
1390 close(sfd);
7c3a7561
BP		 1391 OPENSSL_free(buf);
1392 OPENSSL_free(buf_dst);
1393 return testresult;
1394}
1395
e1fdd526
JB		 1396static struct ktls_test_cipher {
1397 int tls_version;
1398 const char *cipher;
1399} ktls_test_ciphers[] = {
1400# if !defined(OPENSSL_NO_TLS1_2)
1401# ifdef OPENSSL_KTLS_AES_GCM_128
1402 { TLS1_2_VERSION, "AES128-GCM-SHA256" },
1403# endif
1404# ifdef OPENSSL_KTLS_AES_CCM_128
1405 { TLS1_2_VERSION, "AES128-CCM"},
1406# endif
1407# ifdef OPENSSL_KTLS_AES_GCM_256
1408 { TLS1_2_VERSION, "AES256-GCM-SHA384"},
1409# endif
1410# endif
1411# if !defined(OSSL_NO_USABLE_TLS1_3)
1412# ifdef OPENSSL_KTLS_AES_GCM_128
1413 { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" },
1414# endif
1415# ifdef OPENSSL_KTLS_AES_CCM_128
1416 { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" },
1417# endif
1418# ifdef OPENSSL_KTLS_AES_GCM_256
1419 { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" },
1420# endif
1421# endif
1422};
1423
1424#define NUM_KTLS_TEST_CIPHERS \
1425 (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0]))
1426
da4db160
VF		 1427static int test_ktls(int test)
1428{
e1fdd526 1429 struct ktls_test_cipher *cipher;
a3a54179 1430 int cis_ktls, sis_ktls;
da4db160 1431
e1fdd526
JB		 1432 OPENSSL_assert(test / 4 < NUM_KTLS_TEST_CIPHERS);
1433 cipher = &ktls_test_ciphers[test / 4];
da4db160 1434
a3a54179
MC		 1435 cis_ktls = (test & 1) != 0;
1436 sis_ktls = (test & 2) != 0;
cd03b5dc 1437
e1fdd526
JB		 1438 return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version,
1439 cipher->cipher);
2fab79af
BP		 1440}
1441
e1fdd526 1442static int test_ktls_sendfile(int tst)
fe5d9450 1443{
e1fdd526 1444 struct ktls_test_cipher *cipher;
da4db160 1445
e1fdd526
JB		 1446 OPENSSL_assert(tst < NUM_KTLS_TEST_CIPHERS);
1447 cipher = &ktls_test_ciphers[tst];
da4db160 1448
e1fdd526 1449 return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
fe5d9450 1450}
fe5d9450
BP		 1451#endif
1452
84d5549e
MC		 1453static int test_large_message_tls(void)
1454{
7856332e 1455 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1456 TLS1_VERSION, 0, 0);
7856332e
MC		 1457}
1458
1459static int test_large_message_tls_read_ahead(void)
1460{
1461 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1462 TLS1_VERSION, 0, 1);
84d5549e
MC		 1463}
1464
55386bef 1465#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1466static int test_large_message_dtls(void)
1467{
8ce390e1
MC		 1468# ifdef OPENSSL_NO_DTLS1_2
1469 /* Not supported in the FIPS provider */
1470 if (is_fips)
1471 return 1;
1472# endif
7856332e
MC		 1473 /*
1474 * read_ahead is not relevant to DTLS because DTLS always acts as if
1475 * read_ahead is set.
1476 */
84d5549e 1477 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1478 DTLS_client_method(),
5c587fb6 1479 DTLS1_VERSION, 0, 0);
84d5549e 1480}
55386bef 1481#endif
84d5549e 1482
163b8016
ME		 1483static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1484 const SSL_METHOD *cmeth,
1485 int min_version, int max_version)
1486{
1487 size_t i;
1488 SSL_CTX *cctx = NULL, *sctx = NULL;
1489 SSL *clientssl = NULL, *serverssl = NULL;
1490 int testresult = 0;
1491 SSL3_RECORD *rr;
1492 void *zbuf;
1493
1494 static unsigned char cbuf[16000];
1495 static unsigned char sbuf[16000];
1496
1497 if (!TEST_true(create_ssl_ctx_pair(libctx,
1498 smeth, cmeth,
1499 min_version, max_version,
1500 &sctx, &cctx, cert,
1501 privkey)))
1502 goto end;
1503
8ce390e1
MC		 1504#ifdef OPENSSL_NO_DTLS1_2
1505 if (smeth == DTLS_server_method()) {
1506# ifdef OPENSSL_NO_DTLS1_2
1507 /* Not supported in the FIPS provider */
1508 if (is_fips) {
1509 testresult = 1;
1510 goto end;
1511 };
1512# endif
1513 /*
1514 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
1515 * level 0
1516 */
1517 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
1518 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
1519 "DEFAULT:@SECLEVEL=0")))
1520 goto end;
1521 }
1522#endif
1523
163b8016
ME		 1524 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1525 NULL, NULL)))
1526 goto end;
1527
1528 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1529 goto end;
1530
1531 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1532 SSL_ERROR_NONE)))
1533 goto end;
1534
1535 for (i = 0; i < sizeof(cbuf); i++) {
1536 cbuf[i] = i & 0xff;
1537 }
1538
1539 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1540 goto end;
1541
1542 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1543 goto end;
1544
1545 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1546 goto end;
1547
1548 /*
1549 * Since we called SSL_peek(), we know the data in the record
1550 * layer is a plaintext record. We can gather the pointer to check
1551 * for zeroization after SSL_read().
1552 */
1553 rr = serverssl->rlayer.rrec;
1554 zbuf = &rr->data[rr->off];
1555 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1556 goto end;
1557
1558 /*
1559 * After SSL_peek() the plaintext must still be stored in the
1560 * record.
1561 */
1562 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1563 goto end;
1564
1565 memset(sbuf, 0, sizeof(sbuf));
1566 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1567 goto end;
1568
1569 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1570 goto end;
1571
1572 /* Check if rbuf is cleansed */
1573 memset(cbuf, 0, sizeof(cbuf));
1574 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1575 goto end;
1576
1577 testresult = 1;
1578 end:
1579 SSL_free(serverssl);
1580 SSL_free(clientssl);
1581 SSL_CTX_free(sctx);
1582 SSL_CTX_free(cctx);
1583
1584 return testresult;
1585}
1586
1587static int test_cleanse_plaintext(void)
1588{
1589#if !defined(OPENSSL_NO_TLS1_2)
1590 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1591 TLS_client_method(),
1592 TLS1_2_VERSION,
1593 TLS1_2_VERSION)))
1594 return 0;
1595
1596#endif
1597
a763ca11 1598#if !defined(OSSL_NO_USABLE_TLS1_3)
163b8016
ME		 1599 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1600 TLS_client_method(),
1601 TLS1_3_VERSION,
1602 TLS1_3_VERSION)))
1603 return 0;
1604#endif
1605
1606#if !defined(OPENSSL_NO_DTLS)
8ce390e1 1607
163b8016
ME		 1608 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1609 DTLS_client_method(),
1610 DTLS1_VERSION,
1611 0)))
1612 return 0;
1613#endif
1614 return 1;
1615}
1616
8f8c11d8 1617#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1618static int ocsp_server_cb(SSL *s, void *arg)
1619{
1620 int *argi = (int *)arg;
710756a9 1621 unsigned char *copy = NULL;
ba881d3b
MC		 1622 STACK_OF(OCSP_RESPID) *ids = NULL;
1623 OCSP_RESPID *id = NULL;
1624
1625 if (*argi == 2) {
1626 /* In this test we are expecting exactly 1 OCSP_RESPID */
1627 SSL_get_tlsext_status_ids(s, &ids);
1628 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1629 return SSL_TLSEXT_ERR_ALERT_FATAL;
1630
1631 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1632 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1633 return SSL_TLSEXT_ERR_ALERT_FATAL;
1634 } else if (*argi != 1) {
1635 return SSL_TLSEXT_ERR_ALERT_FATAL;
1636 }
1637
710756a9 1638 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1639 return SSL_TLSEXT_ERR_ALERT_FATAL;
1640
710756a9 1641 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1642 ocsp_server_called = 1;
ba881d3b
MC		 1643 return SSL_TLSEXT_ERR_OK;
1644}
1645
1646static int ocsp_client_cb(SSL *s, void *arg)
1647{
1648 int *argi = (int *)arg;
1649 const unsigned char *respderin;
1650 size_t len;
1651
1652 if (*argi != 1 && *argi != 2)
1653 return 0;
1654
1655 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1656 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1657 return 0;
1658
1659 ocsp_client_called = 1;
ba881d3b
MC		 1660 return 1;
1661}
1662
2cb4b5f6
MC		 1663static int test_tlsext_status_type(void)
1664{
ba881d3b
MC		 1665 SSL_CTX *cctx = NULL, *sctx = NULL;
1666 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1667 int testresult = 0;
ba881d3b
MC		 1668 STACK_OF(OCSP_RESPID) *ids = NULL;
1669 OCSP_RESPID *id = NULL;
1670 BIO *certbio = NULL;
2cb4b5f6 1671
5e30f2fd 1672 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1673 TLS1_VERSION, 0,
7d7f6834 1674 &sctx, &cctx, cert, privkey))
ba881d3b 1675 return 0;
2cb4b5f6 1676
710756a9 1677 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1678 goto end;
2cb4b5f6 1679
ba881d3b 1680 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1681
ba881d3b 1682 clientssl = SSL_new(cctx);
710756a9
RS		 1683 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1684 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1685 TLSEXT_STATUSTYPE_ocsp))
1686 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1687 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1688 goto end;
2cb4b5f6 1689
ba881d3b
MC		 1690 SSL_free(clientssl);
1691 clientssl = NULL;
2cb4b5f6 1692
710756a9
RS		 1693 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1694 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1695 goto end;
2cb4b5f6 1696
ba881d3b 1697 clientssl = SSL_new(cctx);
710756a9 1698 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1699 goto end;
ba881d3b
MC		 1700 SSL_free(clientssl);
1701 clientssl = NULL;
1702
1703 /*
1704 * Now actually do a handshake and check OCSP information is exchanged and
1705 * the callbacks get called
1706 */
ba881d3b
MC		 1707 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1708 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1709 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1710 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1711 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1712 &clientssl, NULL, NULL))
1713 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1714 SSL_ERROR_NONE))
1715 || !TEST_true(ocsp_client_called)
1716 || !TEST_true(ocsp_server_called))
ba881d3b 1717 goto end;
ba881d3b
MC		 1718 SSL_free(serverssl);
1719 SSL_free(clientssl);
1720 serverssl = NULL;
1721 clientssl = NULL;
1722
1723 /* Try again but this time force the server side callback to fail */
1724 ocsp_client_called = 0;
1725 ocsp_server_called = 0;
1726 cdummyarg = 0;
710756a9
RS		 1727 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1728 &clientssl, NULL, NULL))
1729 /* This should fail because the callback will fail */
1730 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1731 SSL_ERROR_NONE))
1732 || !TEST_false(ocsp_client_called)
1733 || !TEST_false(ocsp_server_called))
ba881d3b 1734 goto end;
ba881d3b
MC		 1735 SSL_free(serverssl);
1736 SSL_free(clientssl);
1737 serverssl = NULL;
1738 clientssl = NULL;
1739
1740 /*
1741 * This time we'll get the client to send an OCSP_RESPID that it will
1742 * accept.
1743 */
1744 ocsp_client_called = 0;
1745 ocsp_server_called = 0;
1746 cdummyarg = 2;
710756a9
RS		 1747 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1748 &clientssl, NULL, NULL)))
ba881d3b 1749 goto end;
ba881d3b
MC		 1750
1751 /*
1752 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1753 * specific one. We'll use the server cert.
ba881d3b 1754 */
710756a9
RS		 1755 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1756 || !TEST_ptr(id = OCSP_RESPID_new())
1757 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1758 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1759 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1760 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1761 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1762 goto end;
ba881d3b
MC		 1763 id = NULL;
1764 SSL_set_tlsext_status_ids(clientssl, ids);
1765 /* Control has been transferred */
1766 ids = NULL;
1767
1768 BIO_free(certbio);
1769 certbio = NULL;
1770
710756a9
RS		 1771 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1772 SSL_ERROR_NONE))
1773 || !TEST_true(ocsp_client_called)
1774 || !TEST_true(ocsp_server_called))
ba881d3b 1775 goto end;
ba881d3b 1776
2cb4b5f6
MC		 1777 testresult = 1;
1778
1779 end:
ba881d3b
MC		 1780 SSL_free(serverssl);
1781 SSL_free(clientssl);
1782 SSL_CTX_free(sctx);
1783 SSL_CTX_free(cctx);
1784 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1785 OCSP_RESPID_free(id);
1786 BIO_free(certbio);
1787 X509_free(ocspcert);
1788 ocspcert = NULL;
2cb4b5f6
MC		 1789
1790 return testresult;
1791}
8f8c11d8 1792#endif
2cb4b5f6 1793
a763ca11 1794#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1795static int new_called, remove_called, get_called;
eaa776da 1796
eaa776da
MC		 1797static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1798{
1799 new_called++;
c0537ebd
MC		 1800 /*
1801 * sess has been up-refed for us, but we don't actually need it so free it
1802 * immediately.
1803 */
1804 SSL_SESSION_free(sess);
eaa776da
MC		 1805 return 1;
1806}
1807
1808static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1809{
1810 remove_called++;
1811}
1812
7a301f08
MC		 1813static SSL_SESSION *get_sess_val = NULL;
1814
1815static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1816 int *copy)
1817{
0afca811 1818 get_called++;
7a301f08
MC		 1819 *copy = 1;
1820 return get_sess_val;
1821}
1822
7a301f08 1823static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1824 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1825{
1826 SSL_CTX *sctx = NULL, *cctx = NULL;
1827 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1828 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1829# ifndef OPENSSL_NO_TLS1_1
eaa776da 1830 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1831# endif
2cb4b5f6 1832 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1833 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1834
7e885b7b
P		 1835 new_called = remove_called = 0;
1836
36ff232c
MC		 1837 /* TLSv1.3 sends 2 NewSessionTickets */
1838 if (maxprot == TLS1_3_VERSION)
1839 numnewsesstick = 2;
1840
5e30f2fd
MC		 1841 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1842 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1843 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1844 return 0;
2cb4b5f6 1845
7a301f08
MC		 1846 /*
1847 * Only allow the max protocol version so we can force a connection failure
1848 * later
1849 */
1850 SSL_CTX_set_min_proto_version(cctx, maxprot);
1851 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1852
1853 /* Set up session cache */
7e885b7b 1854 if (use_ext_cache) {
eaa776da
MC		 1855 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1856 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1857 }
7e885b7b 1858 if (use_int_cache) {
eaa776da
MC		 1859 /* Also covers instance where both are set */
1860 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1861 } else {
1862 SSL_CTX_set_session_cache_mode(cctx,
1863 SSL_SESS_CACHE_CLIENT
1864 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1865 }
2cb4b5f6 1866
90fc2c26
NM		 1867 if (s_options) {
1868 SSL_CTX_set_options(sctx, s_options);
1869 }
1870
710756a9
RS		 1871 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1872 NULL, NULL))
1873 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1874 SSL_ERROR_NONE))
1875 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1876 goto end;
2cb4b5f6 1877
710756a9 1878 /* Should fail because it should already be in the cache */
7e885b7b 1879 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1880 goto end;
7a301f08 1881 if (use_ext_cache
36ff232c
MC		 1882 && (!TEST_int_eq(new_called, numnewsesstick)
1883
1884 || !TEST_int_eq(remove_called, 0)))
b4982125 1885 goto end;
b4982125 1886
c0537ebd
MC		 1887 new_called = remove_called = 0;
1888 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1889 &clientssl2, NULL, NULL))
1890 || !TEST_true(SSL_set_session(clientssl2, sess1))
1891 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1892 SSL_ERROR_NONE))
1893 || !TEST_true(SSL_session_reused(clientssl2)))
1894 goto end;
1895
7a301f08
MC		 1896 if (maxprot == TLS1_3_VERSION) {
1897 /*
1898 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1899 * resumed. Since we attempted a resume we should also have removed the
1900 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1901 */
1902 if (use_ext_cache
1903 && (!TEST_int_eq(new_called, 1)
4cb00457 1904 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1905 goto end;
1906 } else {
1907 /*
1908 * In TLSv1.2 we expect to have resumed so no sessions added or
1909 * removed.
1910 */
1911 if (use_ext_cache
1912 && (!TEST_int_eq(new_called, 0)
1913 || !TEST_int_eq(remove_called, 0)))
1914 goto end;
1915 }
c0537ebd
MC		 1916
1917 SSL_SESSION_free(sess1);
1918 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1919 goto end;
1920 shutdown_ssl_connection(serverssl2, clientssl2);
1921 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1922
1923 new_called = remove_called = 0;
710756a9
RS		 1924 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1925 &clientssl2, NULL, NULL))
1926 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1927 SSL_ERROR_NONE)))
2cb4b5f6 1928 goto end;
2cb4b5f6 1929
710756a9 1930 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1931 goto end;
2cb4b5f6 1932
7a301f08 1933 if (use_ext_cache
36ff232c
MC		 1934 && (!TEST_int_eq(new_called, numnewsesstick)
1935 || !TEST_int_eq(remove_called, 0)))
eaa776da 1936 goto end;
eaa776da 1937
c0537ebd 1938 new_called = remove_called = 0;
2cb4b5f6 1939 /*
710756a9
RS		 1940 * This should clear sess2 from the cache because it is a "bad" session.
1941 * See SSL_set_session() documentation.
2cb4b5f6 1942 */
710756a9 1943 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1944 goto end;
7a301f08
MC		 1945 if (use_ext_cache
1946 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1947 goto end;
710756a9 1948 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1949 goto end;
2cb4b5f6 1950
7e885b7b 1951 if (use_int_cache) {
710756a9
RS		 1952 /* Should succeeded because it should not already be in the cache */
1953 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1954 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1955 goto end;
eaa776da
MC		 1956 }
1957
c0537ebd 1958 new_called = remove_called = 0;
eaa776da 1959 /* This shouldn't be in the cache so should fail */
710756a9 1960 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1961 goto end;
2cb4b5f6 1962
7a301f08
MC		 1963 if (use_ext_cache
1964 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1965 goto end;
2cb4b5f6 1966
bf208d95 1967# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1968 new_called = remove_called = 0;
eaa776da
MC		 1969 /* Force a connection failure */
1970 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1971 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1972 &clientssl3, NULL, NULL))
1973 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1974 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1975 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1976 SSL_ERROR_NONE)))
eaa776da 1977 goto end;
b4982125 1978
eaa776da 1979 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1980 if (use_ext_cache
1981 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1982 goto end;
2cb4b5f6 1983
710756a9 1984 /* Should succeed because it should not already be in the cache */
7e885b7b 1985 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1986 goto end;
bf208d95 1987# endif
eaa776da 1988
7a301f08
MC		 1989 /* Now do some tests for server side caching */
1990 if (use_ext_cache) {
1991 SSL_CTX_sess_set_new_cb(cctx, NULL);
1992 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1993 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1994 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1995 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1996 get_sess_val = NULL;
1997 }
1998
1999 SSL_CTX_set_session_cache_mode(cctx, 0);
2000 /* Internal caching is the default on the server side */
2001 if (!use_int_cache)
2002 SSL_CTX_set_session_cache_mode(sctx,
2003 SSL_SESS_CACHE_SERVER
2004 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2005
2006 SSL_free(serverssl1);
2007 SSL_free(clientssl1);
2008 serverssl1 = clientssl1 = NULL;
2009 SSL_free(serverssl2);
2010 SSL_free(clientssl2);
2011 serverssl2 = clientssl2 = NULL;
2012 SSL_SESSION_free(sess1);
2013 sess1 = NULL;
2014 SSL_SESSION_free(sess2);
2015 sess2 = NULL;
2016
2017 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 2018 if (maxprot == TLS1_2_VERSION)
2019 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 2020 new_called = remove_called = get_called = 0;
7a301f08
MC		 2021 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
2022 NULL, NULL))
2023 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
2024 SSL_ERROR_NONE))
2025 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
2026 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
2027 goto end;
2028
ee94ec2e
MC		 2029 if (use_int_cache) {
2030 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
2031 /*
2032 * In TLSv1.3 it should not have been added to the internal cache,
2033 * except in the case where we also have an external cache (in that
2034 * case it gets added to the cache in order to generate remove
2035 * events after timeout).
2036 */
2037 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
2038 goto end;
2039 } else {
2040 /* Should fail because it should already be in the cache */
2041 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
2042 goto end;
2043 }
2044 }
7a301f08
MC		 2045
2046 if (use_ext_cache) {
2047 SSL_SESSION *tmp = sess2;
2048
36ff232c 2049 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 2050 || !TEST_int_eq(remove_called, 0)
2051 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 2052 goto end;
2053 /*
2054 * Delete the session from the internal cache to force a lookup from
2055 * the external cache. We take a copy first because
2056 * SSL_CTX_remove_session() also marks the session as non-resumable.
2057 */
ee94ec2e 2058 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 2059 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
2060 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
2061 goto end;
2062 SSL_SESSION_free(sess2);
2063 }
7a301f08
MC		 2064 sess2 = tmp;
2065 }
2066
0afca811 2067 new_called = remove_called = get_called = 0;
7a301f08
MC		 2068 get_sess_val = sess2;
2069 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
2070 &clientssl2, NULL, NULL))
2071 || !TEST_true(SSL_set_session(clientssl2, sess1))
2072 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
2073 SSL_ERROR_NONE))
2074 || !TEST_true(SSL_session_reused(clientssl2)))
2075 goto end;
2076
0afca811 2077 if (use_ext_cache) {
32305f88 2078 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 2079 goto end;
2080
2081 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 2082 if (!TEST_int_eq(new_called, 1)
2083 || !TEST_int_eq(get_called, 0))
0afca811
KY		 2084 goto end;
2085 } else {
32305f88
MC		 2086 if (!TEST_int_eq(new_called, 0)
2087 || !TEST_int_eq(get_called, 1))
0afca811
KY		 2088 goto end;
2089 }
2090 }
7a301f08 2091
2cb4b5f6 2092 testresult = 1;
eaa776da 2093
2cb4b5f6
MC		 2094 end:
2095 SSL_free(serverssl1);
2096 SSL_free(clientssl1);
2097 SSL_free(serverssl2);
2098 SSL_free(clientssl2);
bf208d95 2099# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 2100 SSL_free(serverssl3);
2101 SSL_free(clientssl3);
bf208d95 2102# endif
2cb4b5f6
MC		 2103 SSL_SESSION_free(sess1);
2104 SSL_SESSION_free(sess2);
2105 SSL_CTX_free(sctx);
2106 SSL_CTX_free(cctx);
2107
2108 return testresult;
2109}
a763ca11 2110#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 2111
7fb4c820
MC		 2112static int test_session_with_only_int_cache(void)
2113{
a763ca11 2114#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2115 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 2116 return 0;
2117#endif
2118
2119#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2120 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 2121#else
2122 return 1;
2123#endif
eaa776da
MC		 2124}
2125
7fb4c820
MC		 2126static int test_session_with_only_ext_cache(void)
2127{
a763ca11 2128#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2129 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 2130 return 0;
2131#endif
2132
2133#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2134 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 2135#else
2136 return 1;
2137#endif
eaa776da
MC		 2138}
2139
7fb4c820
MC		 2140static int test_session_with_both_cache(void)
2141{
a763ca11 2142#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26
NM		 2143 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
2144 return 0;
2145#endif
2146
2147#ifndef OPENSSL_NO_TLS1_2
2148 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
2149#else
2150 return 1;
2151#endif
2152}
2153
2154static int test_session_wo_ca_names(void)
2155{
a763ca11 2156#ifndef OSSL_NO_USABLE_TLS1_3
90fc2c26 2157 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 2158 return 0;
2159#endif
2160
2161#ifndef OPENSSL_NO_TLS1_2
90fc2c26 2162 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 2163#else
2164 return 1;
2165#endif
eaa776da
MC		 2166}
2167
90fc2c26 2168
a763ca11 2169#ifndef OSSL_NO_USABLE_TLS1_3
c22365b3
MC		 2170static SSL_SESSION *sesscache[6];
2171static int do_cache;
36ff232c
MC		 2172
2173static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
2174{
c22365b3
MC		 2175 if (do_cache) {
2176 sesscache[new_called] = sess;
2177 } else {
2178 /* We don't need the reference to the session, so free it */
2179 SSL_SESSION_free(sess);
2180 }
2181 new_called++;
2182
2183 return 1;
2184}
2185
2186static int post_handshake_verify(SSL *sssl, SSL *cssl)
2187{
2188 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
2189 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
2190 return 0;
2191
2192 /* Start handshake on the server and client */
2193 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
2194 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
2195 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
2196 || !TEST_true(create_ssl_connection(sssl, cssl,
2197 SSL_ERROR_NONE)))
2198 return 0;
36ff232c
MC		 2199
2200 return 1;
2201}
2202
fbe9dafd 2203static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2204 SSL_CTX **cctx)
2205{
2206 int sess_id_ctx = 1;
2207
5e30f2fd
MC		 2208 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2209 TLS_client_method(), TLS1_VERSION, 0,
2210 sctx, cctx, cert, privkey))
03cdf559
MC		 2211 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2212 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2213 (void *)&sess_id_ctx,
2214 sizeof(sess_id_ctx))))
2215 return 0;
2216
2217 if (stateful)
2218 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2219
2220 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2221 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2222 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2223
2224 return 1;
2225}
2226
2227static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2228{
2229 SSL *serverssl = NULL, *clientssl = NULL;
2230 int i;
2231
2232 /* Test that we can resume with all the tickets we got given */
2233 for (i = 0; i < idx * 2; i++) {
2234 new_called = 0;
2235 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2236 &clientssl, NULL, NULL))
2237 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2238 goto end;
2239
32097b33 2240 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2241
2242 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2243 SSL_ERROR_NONE)))
2244 goto end;
2245
2246 /*
2247 * Following a successful resumption we only get 1 ticket. After a
2248 * failed one we should get idx tickets.
2249 */
2250 if (succ) {
2251 if (!TEST_true(SSL_session_reused(clientssl))
2252 || !TEST_int_eq(new_called, 1))
2253 goto end;
2254 } else {
2255 if (!TEST_false(SSL_session_reused(clientssl))
2256 || !TEST_int_eq(new_called, idx))
2257 goto end;
2258 }
2259
2260 new_called = 0;
2261 /* After a post-handshake authentication we should get 1 new ticket */
2262 if (succ
2263 && (!post_handshake_verify(serverssl, clientssl)
2264 || !TEST_int_eq(new_called, 1)))
2265 goto end;
2266
2267 SSL_shutdown(clientssl);
2268 SSL_shutdown(serverssl);
2269 SSL_free(serverssl);
2270 SSL_free(clientssl);
2271 serverssl = clientssl = NULL;
2272 SSL_SESSION_free(sesscache[i]);
2273 sesscache[i] = NULL;
2274 }
2275
2276 return 1;
2277
2278 end:
2279 SSL_free(clientssl);
2280 SSL_free(serverssl);
2281 return 0;
2282}
2283
04d7814a 2284static int test_tickets(int stateful, int idx)
36ff232c
MC		 2285{
2286 SSL_CTX *sctx = NULL, *cctx = NULL;
2287 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2288 int testresult = 0;
36ff232c
MC		 2289 size_t j;
2290
2291 /* idx is the test number, but also the number of tickets we want */
2292
2293 new_called = 0;
c22365b3 2294 do_cache = 1;
36ff232c 2295
fbe9dafd 2296 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2297 goto end;
2298
03cdf559
MC		 2299 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2300 &clientssl, NULL, NULL)))
2301 goto end;
2302
2303 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2304 SSL_ERROR_NONE))
2305 /* Check we got the number of tickets we were expecting */
2306 || !TEST_int_eq(idx, new_called))
2307 goto end;
04d7814a 2308
03cdf559
MC		 2309 SSL_shutdown(clientssl);
2310 SSL_shutdown(serverssl);
2311 SSL_free(serverssl);
2312 SSL_free(clientssl);
2313 SSL_CTX_free(sctx);
2314 SSL_CTX_free(cctx);
2315 clientssl = serverssl = NULL;
2316 sctx = cctx = NULL;
2317
2318 /*
2319 * Now we try to resume with the tickets we previously created. The
2320 * resumption attempt is expected to fail (because we're now using a new
2321 * SSL_CTX). We should see idx number of tickets issued again.
2322 */
2323
2324 /* Stop caching sessions - just count them */
2325 do_cache = 0;
2326
fbe9dafd 2327 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2328 goto end;
2329
2330 if (!check_resumption(idx, sctx, cctx, 0))
2331 goto end;
2332
2333 /* Start again with caching sessions */
2334 new_called = 0;
2335 do_cache = 1;
fbe9dafd
MC		 2336 SSL_CTX_free(sctx);
2337 SSL_CTX_free(cctx);
2338 sctx = cctx = NULL;
03cdf559 2339
fbe9dafd 2340 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2341 goto end;
36ff232c
MC		 2342
2343 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2344 &clientssl, NULL, NULL)))
2345 goto end;
2346
32097b33 2347 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2348
2349 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2350 SSL_ERROR_NONE))
2351 /* Check we got the number of tickets we were expecting */
2352 || !TEST_int_eq(idx, new_called))
2353 goto end;
2354
2355 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2356 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2357 || !TEST_int_eq(idx * 2, new_called))
2358 goto end;
2359
36ff232c
MC		 2360 SSL_shutdown(clientssl);
2361 SSL_shutdown(serverssl);
2362 SSL_free(serverssl);
2363 SSL_free(clientssl);
2364 serverssl = clientssl = NULL;
2365
c22365b3
MC		 2366 /* Stop caching sessions - just count them */
2367 do_cache = 0;
2368
03cdf559
MC		 2369 /*
2370 * Check we can resume with all the tickets we created. This time around the
2371 * resumptions should all be successful.
2372 */
2373 if (!check_resumption(idx, sctx, cctx, 1))
2374 goto end;
36ff232c
MC		 2375
2376 testresult = 1;
2377
2378 end:
2379 SSL_free(serverssl);
2380 SSL_free(clientssl);
c22365b3 2381 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2382 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2383 sesscache[j] = NULL;
2384 }
36ff232c
MC		 2385 SSL_CTX_free(sctx);
2386 SSL_CTX_free(cctx);
2387
2388 return testresult;
2389}
04d7814a
MC		 2390
2391static int test_stateless_tickets(int idx)
2392{
2393 return test_tickets(0, idx);
2394}
2395
2396static int test_stateful_tickets(int idx)
2397{
2398 return test_tickets(1, idx);
2399}
8614a4eb
MC		 2400
2401static int test_psk_tickets(void)
2402{
2403 SSL_CTX *sctx = NULL, *cctx = NULL;
2404 SSL *serverssl = NULL, *clientssl = NULL;
2405 int testresult = 0;
2406 int sess_id_ctx = 1;
2407
5e30f2fd
MC		 2408 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2409 TLS_client_method(), TLS1_VERSION, 0,
2410 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2411 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2412 (void *)&sess_id_ctx,
2413 sizeof(sess_id_ctx))))
2414 goto end;
2415
2416 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2417 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2418 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2419 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2420 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2421 use_session_cb_cnt = 0;
2422 find_session_cb_cnt = 0;
2423 srvid = pskid;
2424 new_called = 0;
2425
2426 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2427 NULL, NULL)))
2428 goto end;
2429 clientpsk = serverpsk = create_a_psk(clientssl);
2430 if (!TEST_ptr(clientpsk))
2431 goto end;
2432 SSL_SESSION_up_ref(clientpsk);
2433
2434 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2435 SSL_ERROR_NONE))
2436 || !TEST_int_eq(1, find_session_cb_cnt)
2437 || !TEST_int_eq(1, use_session_cb_cnt)
2438 /* We should always get 1 ticket when using external PSK */
2439 || !TEST_int_eq(1, new_called))
2440 goto end;
2441
2442 testresult = 1;
2443
2444 end:
2445 SSL_free(serverssl);
2446 SSL_free(clientssl);
2447 SSL_CTX_free(sctx);
2448 SSL_CTX_free(cctx);
2449 SSL_SESSION_free(clientpsk);
2450 SSL_SESSION_free(serverpsk);
2451 clientpsk = serverpsk = NULL;
2452
2453 return testresult;
2454}
f0049b86
BK		 2455
2456static int test_extra_tickets(int idx)
2457{
2458 SSL_CTX *sctx = NULL, *cctx = NULL;
2459 SSL *serverssl = NULL, *clientssl = NULL;
2460 BIO *bretry = BIO_new(bio_s_always_retry());
2461 BIO *tmp = NULL;
2462 int testresult = 0;
2463 int stateful = 0;
2464 size_t nbytes;
2465 unsigned char c, buf[1];
2466
2467 new_called = 0;
2468 do_cache = 1;
2469
2470 if (idx >= 3) {
2471 idx -= 3;
2472 stateful = 1;
2473 }
2474
2475 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2476 goto end;
2477 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2478 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2479 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2480
2481 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2482 &clientssl, NULL, NULL)))
2483 goto end;
2484
2485 /*
2486 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2487 * incremented by both client and server.
2488 */
2489 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2490 SSL_ERROR_NONE))
2491 /* Check we got the number of tickets we were expecting */
2492 || !TEST_int_eq(idx * 2, new_called)
2493 || !TEST_true(SSL_new_session_ticket(serverssl))
2494 || !TEST_true(SSL_new_session_ticket(serverssl))
2495 || !TEST_int_eq(idx * 2, new_called))
2496 goto end;
2497
2498 /* Now try a (real) write to actually send the tickets */
2499 c = '1';
2500 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2501 || !TEST_size_t_eq(1, nbytes)
2502 || !TEST_int_eq(idx * 2 + 2, new_called)
2503 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2504 || !TEST_int_eq(idx * 2 + 4, new_called)
2505 || !TEST_int_eq(sizeof(buf), nbytes)
2506 || !TEST_int_eq(c, buf[0])
2507 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2508 goto end;
2509
2510 /* Try with only requesting one new ticket, too */
2511 c = '2';
2512 new_called = 0;
2513 if (!TEST_true(SSL_new_session_ticket(serverssl))
2514 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2515 || !TEST_size_t_eq(sizeof(c), nbytes)
2516 || !TEST_int_eq(1, new_called)
2517 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2518 || !TEST_int_eq(2, new_called)
2519 || !TEST_size_t_eq(sizeof(buf), nbytes)
2520 || !TEST_int_eq(c, buf[0]))
2521 goto end;
2522
2523 /* Do it again but use dummy writes to drive the ticket generation */
2524 c = '3';
2525 new_called = 0;
2526 if (!TEST_true(SSL_new_session_ticket(serverssl))
2527 || !TEST_true(SSL_new_session_ticket(serverssl))
2528 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2529 || !TEST_size_t_eq(0, nbytes)
2530 || !TEST_int_eq(2, new_called)
2531 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2532 || !TEST_int_eq(4, new_called))
2533 goto end;
2534
a0bbcb42
BK		 2535 /* Once more, but with SSL_do_handshake() to drive the ticket generation */
2536 c = '4';
2537 new_called = 0;
2538 if (!TEST_true(SSL_new_session_ticket(serverssl))
2539 || !TEST_true(SSL_new_session_ticket(serverssl))
2540 || !TEST_true(SSL_do_handshake(serverssl))
2541 || !TEST_int_eq(2, new_called)
2542 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2543 || !TEST_int_eq(4, new_called))
2544 goto end;
2545
f0049b86
BK		 2546 /*
2547 * Use the always-retry BIO to exercise the logic that forces ticket
2548 * generation to wait until a record boundary.
2549 */
a0bbcb42 2550 c = '5';
f0049b86
BK		 2551 new_called = 0;
2552 tmp = SSL_get_wbio(serverssl);
2553 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2554 tmp = NULL;
2555 goto end;
2556 }
2557 SSL_set0_wbio(serverssl, bretry);
2558 bretry = NULL;
2559 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2560 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2561 || !TEST_size_t_eq(nbytes, 0))
2562 goto end;
2563 /* Restore a BIO that will let the write succeed */
2564 SSL_set0_wbio(serverssl, tmp);
2565 tmp = NULL;
a0bbcb42
BK		 2566 /*
2567 * These calls should just queue the request and not send anything
2568 * even if we explicitly try to hit the state machine.
2569 */
f0049b86
BK		 2570 if (!TEST_true(SSL_new_session_ticket(serverssl))
2571 || !TEST_true(SSL_new_session_ticket(serverssl))
a0bbcb42
BK		 2572 || !TEST_int_eq(0, new_called)
2573 || !TEST_true(SSL_do_handshake(serverssl))
f0049b86
BK		 2574 || !TEST_int_eq(0, new_called))
2575 goto end;
2576 /* Re-do the write; still no tickets sent */
2577 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2578 || !TEST_size_t_eq(1, nbytes)
2579 || !TEST_int_eq(0, new_called)
2580 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2581 || !TEST_int_eq(0, new_called)
2582 || !TEST_int_eq(sizeof(buf), nbytes)
2583 || !TEST_int_eq(c, buf[0])
2584 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2585 goto end;
a0bbcb42
BK		 2586 /* Even trying to hit the state machine now will still not send tickets */
2587 if (!TEST_true(SSL_do_handshake(serverssl))
2588 || !TEST_int_eq(0, new_called))
2589 goto end;
f0049b86 2590 /* Now the *next* write should send the tickets */
a0bbcb42 2591 c = '6';
f0049b86
BK		 2592 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2593 || !TEST_size_t_eq(1, nbytes)
2594 || !TEST_int_eq(2, new_called)
2595 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2596 || !TEST_int_eq(4, new_called)
2597 || !TEST_int_eq(sizeof(buf), nbytes)
2598 || !TEST_int_eq(c, buf[0])
2599 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2600 goto end;
2601
2602 SSL_shutdown(clientssl);
2603 SSL_shutdown(serverssl);
2604 testresult = 1;
2605
2606 end:
2607 BIO_free(bretry);
2608 BIO_free(tmp);
2609 SSL_free(serverssl);
2610 SSL_free(clientssl);
2611 SSL_CTX_free(sctx);
2612 SSL_CTX_free(cctx);
2613 clientssl = serverssl = NULL;
2614 sctx = cctx = NULL;
2615 return testresult;
2616}
04225915 2617#endif
36ff232c 2618
7d4488bb
MC		 2619#define USE_NULL 0
2620#define USE_BIO_1 1
2621#define USE_BIO_2 2
2622#define USE_DEFAULT 3
2623
2624#define CONNTYPE_CONNECTION_SUCCESS 0
2625#define CONNTYPE_CONNECTION_FAIL 1
2626#define CONNTYPE_NO_CONNECTION 2
2627
2628#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2629#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
a763ca11 2630#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
7d4488bb
MC		 2631# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2632#else
2633# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2634#endif
2635
7d4488bb
MC		 2636#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2637 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2638 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2639
2640static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2641{
2642 switch (type) {
2643 case USE_NULL:
2644 *res = NULL;
2645 break;
2646 case USE_BIO_1:
2647 *res = bio1;
2648 break;
2649 case USE_BIO_2:
2650 *res = bio2;
2651 break;
2652 }
2653}
2654
7d4488bb
MC		 2655
2656/*
2657 * Tests calls to SSL_set_bio() under various conditions.
2658 *
2659 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2660 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2661 * then do more tests where we create a successful connection first using our
2662 * standard connection setup functions, and then call SSL_set_bio() with
2663 * various combinations of valid BIOs or NULL. We then repeat these tests
2664 * following a failed connection. In this last case we are looking to check that
2665 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2666 */
7fb4c820
MC		 2667static int test_ssl_set_bio(int idx)
2668{
7d4488bb 2669 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2670 BIO *bio1 = NULL;
2671 BIO *bio2 = NULL;
0fae8150 2672 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2673 SSL *serverssl = NULL, *clientssl = NULL;
2674 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2675 int testresult = 0;
2676
7d4488bb
MC		 2677 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2678 initrbio = idx % 3;
2679 idx /= 3;
2680 initwbio = idx % 3;
2681 idx /= 3;
2682 newrbio = idx % 3;
2683 idx /= 3;
2684 newwbio = idx % 3;
2685 conntype = CONNTYPE_NO_CONNECTION;
2686 } else {
2687 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2688 initrbio = initwbio = USE_DEFAULT;
2689 newrbio = idx % 2;
2690 idx /= 2;
2691 newwbio = idx % 2;
2692 idx /= 2;
2693 conntype = idx % 2;
2694 }
710756a9 2695
5e30f2fd
MC		 2696 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2697 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2698 &sctx, &cctx, cert, privkey)))
2699 goto end;
2700
2701 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2702 /*
2703 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2704 * because we reduced the number of tests in the definition of
2705 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2706 * mismatched protocol versions we will force a connection failure.
2707 */
2708 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2709 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2710 }
2711
2712 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2713 NULL, NULL)))
710756a9 2714 goto end;
7fb4c820 2715
710756a9
RS		 2716 if (initrbio == USE_BIO_1
2717 || initwbio == USE_BIO_1
2718 || newrbio == USE_BIO_1
7fb4c820 2719 || newwbio == USE_BIO_1) {
710756a9 2720 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2721 goto end;
7fb4c820
MC		 2722 }
2723
710756a9
RS		 2724 if (initrbio == USE_BIO_2
2725 || initwbio == USE_BIO_2
2726 || newrbio == USE_BIO_2
7fb4c820 2727 || newwbio == USE_BIO_2) {
710756a9 2728 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2729 goto end;
7fb4c820
MC		 2730 }
2731
7d4488bb
MC		 2732 if (initrbio != USE_DEFAULT) {
2733 setupbio(&irbio, bio1, bio2, initrbio);
2734 setupbio(&iwbio, bio1, bio2, initwbio);
2735 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2736
7d4488bb
MC		 2737 /*
2738 * We want to maintain our own refs to these BIO, so do an up ref for
2739 * each BIO that will have ownership transferred in the SSL_set_bio()
2740 * call
2741 */
2742 if (irbio != NULL)
2743 BIO_up_ref(irbio);
2744 if (iwbio != NULL && iwbio != irbio)
2745 BIO_up_ref(iwbio);
2746 }
7fb4c820 2747
7d4488bb
MC		 2748 if (conntype != CONNTYPE_NO_CONNECTION
2749 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2750 SSL_ERROR_NONE)
2751 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2752 goto end;
7fb4c820
MC		 2753
2754 setupbio(&nrbio, bio1, bio2, newrbio);
2755 setupbio(&nwbio, bio1, bio2, newwbio);
2756
2757 /*
2758 * We will (maybe) transfer ownership again so do more up refs.
2759 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2760 * already been set!
2761 */
710756a9
RS		 2762 if (nrbio != NULL
2763 && nrbio != irbio
2764 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2765 BIO_up_ref(nrbio);
710756a9
RS		 2766 if (nwbio != NULL
2767 && nwbio != nrbio
2768 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2769 BIO_up_ref(nwbio);
2770
7d4488bb 2771 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2772
2773 testresult = 1;
2774
2775 end:
7fb4c820
MC		 2776 BIO_free(bio1);
2777 BIO_free(bio2);
710756a9 2778
7fb4c820
MC		 2779 /*
2780 * This test is checking that the ref counting for SSL_set_bio is correct.
2781 * If we get here and we did too many frees then we will fail in the above
742ccab3 2782 * functions.
7fb4c820 2783 */
7d4488bb
MC		 2784 SSL_free(serverssl);
2785 SSL_free(clientssl);
2786 SSL_CTX_free(sctx);
2787 SSL_CTX_free(cctx);
7fb4c820
MC		 2788 return testresult;
2789}
2790
7e885b7b 2791typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2792
7e885b7b 2793static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2794{
2795 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2796 SSL_CTX *ctx;
9a716987
MC		 2797 SSL *ssl = NULL;
2798 int testresult = 0;
2799
d8652be0 2800 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2801 || !TEST_ptr(ssl = SSL_new(ctx))
2802 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2803 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2804 goto end;
9a716987
MC		 2805
2806 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2807
2808 /*
742ccab3 2809 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2810 */
2811 BIO_push(sslbio, membio1);
2812
69687aa8 2813 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2814 if (change_bio != NO_BIO_CHANGE) {
493e7898
NX		 2815 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem()))) {
2816 ssl = NULL;
9a716987 2817 goto end;
493e7898 2818 }
7e885b7b 2819 if (change_bio == CHANGE_RBIO)
65e2d672 2820 SSL_set0_rbio(ssl, membio2);
9a716987 2821 else
65e2d672 2822 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2823 }
2824 ssl = NULL;
2825
7e885b7b 2826 if (pop_ssl)
9a716987
MC		 2827 BIO_pop(sslbio);
2828 else
2829 BIO_pop(membio1);
2830
2831 testresult = 1;
2832 end:
2833 BIO_free(membio1);
2834 BIO_free(sslbio);
2835 SSL_free(ssl);
2836 SSL_CTX_free(ctx);
2837
2838 return testresult;
2839}
2840
2841static int test_ssl_bio_pop_next_bio(void)
2842{
7e885b7b 2843 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2844}
2845
2846static int test_ssl_bio_pop_ssl_bio(void)
2847{
7e885b7b 2848 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2849}
2850
2851static int test_ssl_bio_change_rbio(void)
2852{
7e885b7b 2853 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2854}
2855
2856static int test_ssl_bio_change_wbio(void)
2857{
7e885b7b 2858 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2859}
2860
a763ca11 2861#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae
MC		 2862typedef struct {
2863 /* The list of sig algs */
2864 const int *list;
2865 /* The length of the list */
2866 size_t listlen;
2867 /* A sigalgs list in string format */
2868 const char *liststr;
2869 /* Whether setting the list should succeed */
2870 int valid;
2871 /* Whether creating a connection with the list should succeed */
2872 int connsuccess;
2873} sigalgs_list;
2874
2875static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2876# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2877static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2878static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2879# endif
f1b25aae
MC		 2880static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2881static const int invalidlist2[] = {NID_sha256, NID_undef};
2882static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2883static const int invalidlist4[] = {NID_sha256};
2884static const sigalgs_list testsigalgs[] = {
2885 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2886# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2887 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2888 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2889# endif
f1b25aae 2890 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2891# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2892 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2893 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2894# endif
f1b25aae
MC		 2895 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2896 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2897 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2898 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2899 {NULL, 0, "RSA", 0, 0},
2900 {NULL, 0, "SHA256", 0, 0},
2901 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2902 {NULL, 0, "Invalid", 0, 0}
2903};
f1b25aae
MC		 2904
2905static int test_set_sigalgs(int idx)
2906{
2907 SSL_CTX *cctx = NULL, *sctx = NULL;
2908 SSL *clientssl = NULL, *serverssl = NULL;
2909 int testresult = 0;
2910 const sigalgs_list *curr;
2911 int testctx;
2912
2913 /* Should never happen */
710756a9 2914 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2915 return 0;
2916
2917 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2918 curr = testctx ? &testsigalgs[idx]
2919 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2920
5e30f2fd
MC		 2921 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2922 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2923 &sctx, &cctx, cert, privkey)))
f1b25aae 2924 return 0;
f1b25aae 2925
d2e491f2
MC		 2926 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2927
f1b25aae
MC		 2928 if (testctx) {
2929 int ret;
710756a9 2930
f1b25aae
MC		 2931 if (curr->list != NULL)
2932 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2933 else
2934 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2935
2936 if (!ret) {
2937 if (curr->valid)
710756a9 2938 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2939 else
2940 testresult = 1;
2941 goto end;
2942 }
2943 if (!curr->valid) {
710756a9 2944 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2945 goto end;
2946 }
2947 }
2948
710756a9
RS		 2949 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2950 &clientssl, NULL, NULL)))
f1b25aae 2951 goto end;
f1b25aae
MC		 2952
2953 if (!testctx) {
2954 int ret;
2955
2956 if (curr->list != NULL)
2957 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2958 else
2959 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2960 if (!ret) {
2961 if (curr->valid)
710756a9 2962 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2963 else
2964 testresult = 1;
2965 goto end;
2966 }
710756a9 2967 if (!curr->valid)
f1b25aae 2968 goto end;
f1b25aae
MC		 2969 }
2970
710756a9
RS		 2971 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2972 SSL_ERROR_NONE),
2973 curr->connsuccess))
f1b25aae 2974 goto end;
f1b25aae
MC		 2975
2976 testresult = 1;
2977
2978 end:
2979 SSL_free(serverssl);
2980 SSL_free(clientssl);
2981 SSL_CTX_free(sctx);
2982 SSL_CTX_free(cctx);
2983
2984 return testresult;
2985}
c423ecaa 2986#endif
f1b25aae 2987
a763ca11 2988#ifndef OSSL_NO_USABLE_TLS1_3
532f9578
MC		 2989static int psk_client_cb_cnt = 0;
2990static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2991
2992static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2993 size_t *idlen, SSL_SESSION **sess)
2994{
2995 switch (++use_session_cb_cnt) {
2996 case 1:
2997 /* The first call should always have a NULL md */
2998 if (md != NULL)
2999 return 0;
3000 break;
3001
3002 case 2:
3003 /* The second call should always have an md */
3004 if (md == NULL)
3005 return 0;
3006 break;
3007
3008 default:
3009 /* We should only be called a maximum of twice */
3010 return 0;
3011 }
3012
57dee9bb
MC		 3013 if (clientpsk != NULL)
3014 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 3015
57dee9bb 3016 *sess = clientpsk;
02a3ed5a
MC		 3017 *id = (const unsigned char *)pskid;
3018 *idlen = strlen(pskid);
3019
3020 return 1;
3021}
3022
c2b290c3 3023#ifndef OPENSSL_NO_PSK
532f9578
MC		 3024static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
3025 unsigned int max_id_len,
3026 unsigned char *psk,
3027 unsigned int max_psk_len)
3028{
3029 unsigned int psklen = 0;
3030
3031 psk_client_cb_cnt++;
3032
3033 if (strlen(pskid) + 1 > max_id_len)
3034 return 0;
3035
3036 /* We should only ever be called a maximum of twice per connection */
3037 if (psk_client_cb_cnt > 2)
3038 return 0;
3039
3040 if (clientpsk == NULL)
3041 return 0;
3042
3043 /* We'll reuse the PSK we set up for TLSv1.3 */
3044 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
3045 return 0;
3046 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
3047 strncpy(id, pskid, max_id_len);
3048
3049 return psklen;
3050}
c2b290c3 3051#endif /* OPENSSL_NO_PSK */
532f9578 3052
02a3ed5a
MC		 3053static int find_session_cb(SSL *ssl, const unsigned char *identity,
3054 size_t identity_len, SSL_SESSION **sess)
3055{
3056 find_session_cb_cnt++;
3057
3058 /* We should only ever be called a maximum of twice per connection */
3059 if (find_session_cb_cnt > 2)
3060 return 0;
3061
57dee9bb 3062 if (serverpsk == NULL)
02a3ed5a
MC		 3063 return 0;
3064
3065 /* Identity should match that set by the client */
3066 if (strlen(srvid) != identity_len
3067 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
3068 /* No PSK found, continue but without a PSK */
3069 *sess = NULL;
3070 return 1;
3071 }
3072
57dee9bb
MC		 3073 SSL_SESSION_up_ref(serverpsk);
3074 *sess = serverpsk;
02a3ed5a
MC		 3075
3076 return 1;
3077}
3078
c2b290c3 3079#ifndef OPENSSL_NO_PSK
532f9578
MC		 3080static unsigned int psk_server_cb(SSL *ssl, const char *identity,
3081 unsigned char *psk, unsigned int max_psk_len)
3082{
3083 unsigned int psklen = 0;
3084
3085 psk_server_cb_cnt++;
3086
3087 /* We should only ever be called a maximum of twice per connection */
3088 if (find_session_cb_cnt > 2)
3089 return 0;
3090
3091 if (serverpsk == NULL)
3092 return 0;
3093
3094 /* Identity should match that set by the client */
3095 if (strcmp(srvid, identity) != 0) {
3096 return 0;
3097 }
3098
3099 /* We'll reuse the PSK we set up for TLSv1.3 */
3100 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
3101 return 0;
3102 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
3103
3104 return psklen;
3105}
c2b290c3 3106#endif /* OPENSSL_NO_PSK */
532f9578 3107
5f982038
MC		 3108#define MSG1 "Hello"
3109#define MSG2 "World."
3110#define MSG3 "This"
3111#define MSG4 "is"
3112#define MSG5 "a"
90049cea
MC		 3113#define MSG6 "test"
3114#define MSG7 "message."
5f982038 3115
532f9578 3116#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 3117#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
3118#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
3119#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
3120#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 3121
8614a4eb
MC		 3122
3123static SSL_SESSION *create_a_psk(SSL *ssl)
3124{
3125 const SSL_CIPHER *cipher = NULL;
3126 const unsigned char key[] = {
3127 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
3128 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
3129 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
3130 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3131 0x2c, 0x2d, 0x2e, 0x2f
3132 };
3133 SSL_SESSION *sess = NULL;
3134
3135 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
3136 sess = SSL_SESSION_new();
3137 if (!TEST_ptr(sess)
3138 || !TEST_ptr(cipher)
3139 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
3140 sizeof(key)))
3141 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
3142 || !TEST_true(
3143 SSL_SESSION_set_protocol_version(sess,
3144 TLS1_3_VERSION))) {
3145 SSL_SESSION_free(sess);
3146 return NULL;
3147 }
3148 return sess;
3149}
3150
5f982038
MC		 3151/*
3152 * Helper method to setup objects for early data test. Caller frees objects on
3153 * error.
3154 */
3155static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 3156 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 3157{
5a421415 3158 if (*sctx == NULL
5e30f2fd 3159 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 3160 TLS_client_method(),
5c587fb6 3161 TLS1_VERSION, 0,
5a421415
MC		 3162 sctx, cctx, cert, privkey)))
3163 return 0;
3164
3165 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 3166 return 0;
5f982038 3167
02a3ed5a
MC		 3168 if (idx == 1) {
3169 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 3170 SSL_CTX_set_read_ahead(*cctx, 1);
3171 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 3172 } else if (idx == 2) {
3173 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
3174 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
3175 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
3176 use_session_cb_cnt = 0;
3177 find_session_cb_cnt = 0;
3178 srvid = pskid;
3cb47b4e
MC		 3179 }
3180
710756a9 3181 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 3182 NULL, NULL)))
3183 return 0;
3184
141e4709
MC		 3185 /*
3186 * For one of the run throughs (doesn't matter which one), we'll try sending
3187 * some SNI data in the initial ClientHello. This will be ignored (because
3188 * there is no SNI cb set up by the server), so it should not impact
3189 * early_data.
3190 */
3191 if (idx == 1
3192 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
3193 return 0;
3194
02a3ed5a 3195 if (idx == 2) {
8614a4eb 3196 clientpsk = create_a_psk(*clientssl);
57dee9bb 3197 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 3198 /*
3199 * We just choose an arbitrary value for max_early_data which
3200 * should be big enough for testing purposes.
3201 */
57dee9bb
MC		 3202 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
3203 0x100))
3204 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3205 SSL_SESSION_free(clientpsk);
3206 clientpsk = NULL;
02a3ed5a
MC		 3207 return 0;
3208 }
57dee9bb 3209 serverpsk = clientpsk;
02a3ed5a 3210
c20e3b28
MC		 3211 if (sess != NULL) {
3212 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
3213 SSL_SESSION_free(clientpsk);
3214 SSL_SESSION_free(serverpsk);
3215 clientpsk = serverpsk = NULL;
3216 return 0;
3217 }
57dee9bb 3218 *sess = clientpsk;
c20e3b28 3219 }
02a3ed5a
MC		 3220 return 1;
3221 }
3222
3223 if (sess == NULL)
3224 return 1;
3225
3226 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3227 SSL_ERROR_NONE)))
5f982038 3228 return 0;
5f982038
MC		 3229
3230 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3231 SSL_shutdown(*clientssl);
3232 SSL_shutdown(*serverssl);
5f982038
MC		 3233 SSL_free(*serverssl);
3234 SSL_free(*clientssl);
3235 *serverssl = *clientssl = NULL;
3236
710756a9
RS		 3237 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3238 clientssl, NULL, NULL))
3239 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3240 return 0;
5f982038
MC		 3241
3242 return 1;
3243}
3244
3cb47b4e 3245static int test_early_data_read_write(int idx)
5f982038
MC		 3246{
3247 SSL_CTX *cctx = NULL, *sctx = NULL;
3248 SSL *clientssl = NULL, *serverssl = NULL;
3249 int testresult = 0;
3250 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3251 unsigned char buf[20], data[1024];
3252 size_t readbytes, written, eoedlen, rawread, rawwritten;
3253 BIO *rbio;
5f982038 3254
710756a9
RS		 3255 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3256 &serverssl, &sess, idx)))
5f982038
MC		 3257 goto end;
3258
3259 /* Write and read some early data */
710756a9
RS		 3260 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3261 &written))
3262 || !TEST_size_t_eq(written, strlen(MSG1))
3263 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3264 sizeof(buf), &readbytes),
3265 SSL_READ_EARLY_DATA_SUCCESS)
3266 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3267 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3268 SSL_EARLY_DATA_ACCEPTED))
5f982038 3269 goto end;
5f982038
MC		 3270
3271 /*
09f28874 3272 * Server should be able to write data, and client should be able to
5f982038
MC		 3273 * read it.
3274 */
710756a9
RS		 3275 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3276 &written))
3277 || !TEST_size_t_eq(written, strlen(MSG2))
3278 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3279 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3280 goto end;
5f982038
MC		 3281
3282 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3283 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3284 &written))
3285 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3286 goto end;
5f982038 3287
09f28874 3288 /* Server should still be able read early data after writing data */
710756a9
RS		 3289 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3290 &readbytes),
3291 SSL_READ_EARLY_DATA_SUCCESS)
3292 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3293 goto end;
5f982038 3294
09f28874 3295 /* Write more data from server and read it from client */
710756a9
RS		 3296 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3297 &written))
3298 || !TEST_size_t_eq(written, strlen(MSG4))
3299 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3300 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3301 goto end;
5f982038
MC		 3302
3303 /*
3304 * If client writes normal data it should mean writing early data is no
3305 * longer possible.
3306 */
710756a9
RS		 3307 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3308 || !TEST_size_t_eq(written, strlen(MSG5))
3309 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3310 SSL_EARLY_DATA_ACCEPTED))
5f982038 3311 goto end;
5f982038 3312
9b5c865d
MC		 3313 /*
3314 * At this point the client has written EndOfEarlyData, ClientFinished and
3315 * normal (fully protected) data. We are going to cause a delay between the
3316 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3317 * in the read BIO, and then just put back the EndOfEarlyData message.
3318 */
3319 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3320 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3321 || !TEST_size_t_lt(rawread, sizeof(data))
3322 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3323 goto end;
710756a9 3324
9b5c865d
MC		 3325 /* Record length is in the 4th and 5th bytes of the record header */
3326 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3327 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3328 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3329 goto end;
9b5c865d 3330
5f982038 3331 /* Server should be told that there is no more early data */
710756a9
RS		 3332 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3333 &readbytes),
3334 SSL_READ_EARLY_DATA_FINISH)
3335 || !TEST_size_t_eq(readbytes, 0))
5f982038 3336 goto end;
5f982038 3337
9b5c865d
MC		 3338 /*
3339 * Server has not finished init yet, so should still be able to write early
3340 * data.
3341 */
710756a9
RS		 3342 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3343 &written))
3344 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3345 goto end;
9b5c865d 3346
f8a303fa 3347 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3348 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3349 &rawwritten))
3350 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3351 goto end;
f8a303fa 3352
5f982038 3353 /* Server should be able to read normal data */
710756a9
RS		 3354 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3355 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3356 goto end;
5f982038 3357
09f28874 3358 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3359 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3360 &written)))
5f982038 3361 goto end;
5f982038 3362 ERR_clear_error();
710756a9
RS		 3363 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3364 &readbytes),
3365 SSL_READ_EARLY_DATA_ERROR))
5f982038 3366 goto end;
5f982038
MC		 3367 ERR_clear_error();
3368
9b5c865d 3369 /* Client should be able to read the data sent by the server */
710756a9
RS		 3370 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3371 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3372 goto end;
710756a9 3373
f8a303fa 3374 /*
36ff232c
MC		 3375 * Make sure we process the two NewSessionTickets. These arrive
3376 * post-handshake. We attempt reads which we do not expect to return any
3377 * data.
f8a303fa 3378 */
36ff232c
MC		 3379 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3380 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3381 &readbytes)))
f8a303fa 3382 goto end;
5f982038 3383
90049cea 3384 /* Server should be able to write normal data */
710756a9
RS		 3385 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3386 || !TEST_size_t_eq(written, strlen(MSG7))
3387 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3388 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3389 goto end;
90049cea 3390
c20e3b28 3391 SSL_SESSION_free(sess);
5f982038 3392 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3393 use_session_cb_cnt = 0;
3394 find_session_cb_cnt = 0;
5f982038
MC		 3395
3396 SSL_shutdown(clientssl);
3397 SSL_shutdown(serverssl);
5f982038
MC		 3398 SSL_free(serverssl);
3399 SSL_free(clientssl);
3400 serverssl = clientssl = NULL;
710756a9
RS		 3401 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3402 &clientssl, NULL, NULL))
3403 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3404 goto end;
5f982038
MC		 3405
3406 /* Write and read some early data */
710756a9
RS		 3407 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3408 &written))
3409 || !TEST_size_t_eq(written, strlen(MSG1))
3410 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3411 &readbytes),
3412 SSL_READ_EARLY_DATA_SUCCESS)
3413 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3414 goto end;
5f982038 3415
710756a9
RS		 3416 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3417 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3418 goto end;
5f982038 3419
09f28874 3420 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3421 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3422 &written)))
5f982038 3423 goto end;
5f982038 3424 ERR_clear_error();
710756a9
RS		 3425 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3426 &readbytes),
3427 SSL_READ_EARLY_DATA_ERROR))
5f982038 3428 goto end;
5f982038
MC		 3429 ERR_clear_error();
3430
3431 /* Client and server should be able to write/read normal data */
710756a9
RS		 3432 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3433 || !TEST_size_t_eq(written, strlen(MSG5))
3434 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3435 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3436 goto end;
5f982038
MC		 3437
3438 testresult = 1;
3439
3440 end:
c20e3b28 3441 SSL_SESSION_free(sess);
57dee9bb
MC		 3442 SSL_SESSION_free(clientpsk);
3443 SSL_SESSION_free(serverpsk);
3444 clientpsk = serverpsk = NULL;
5f982038
MC		 3445 SSL_free(serverssl);
3446 SSL_free(clientssl);
3447 SSL_CTX_free(sctx);
3448 SSL_CTX_free(cctx);
5f982038
MC		 3449 return testresult;
3450}
3451
5a421415
MC		 3452static int allow_ed_cb_called = 0;
3453
3454static int allow_early_data_cb(SSL *s, void *arg)
3455{
3456 int *usecb = (int *)arg;
3457
3458 allow_ed_cb_called++;
3459
3460 if (*usecb == 1)
3461 return 0;
3462
3463 return 1;
3464}
3465
3466/*
3467 * idx == 0: Standard early_data setup
3468 * idx == 1: early_data setup using read_ahead
3469 * usecb == 0: Don't use a custom early data callback
3470 * usecb == 1: Use a custom early data callback and reject the early data
3471 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3472 * confopt == 0: Configure anti-replay directly
3473 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3474 */
3bb5e5b0 3475static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3476{
3477 SSL_CTX *cctx = NULL, *sctx = NULL;
3478 SSL *clientssl = NULL, *serverssl = NULL;
3479 int testresult = 0;
3480 SSL_SESSION *sess = NULL;
5a421415
MC		 3481 size_t readbytes, written;
3482 unsigned char buf[20];
3483
3484 allow_ed_cb_called = 0;
3485
5e30f2fd
MC		 3486 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3487 TLS_client_method(), TLS1_VERSION, 0,
3488 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3489 return 0;
3490
3491 if (usecb > 0) {
3bb5e5b0
MC		 3492 if (confopt == 0) {
3493 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3494 } else {
3495 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3496
3497 if (!TEST_ptr(confctx))
3498 goto end;
3499 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3500 | SSL_CONF_FLAG_SERVER);
3501 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3502 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3503 2)) {
3504 SSL_CONF_CTX_free(confctx);
3505 goto end;
3506 }
3507 SSL_CONF_CTX_free(confctx);
3508 }
5a421415
MC		 3509 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3510 }
78fb5374
MC		 3511
3512 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3513 &serverssl, &sess, idx)))
3514 goto end;
3515
3516 /*
3517 * The server is configured to accept early data. Create a connection to
3518 * "use up" the ticket
3519 */
3520 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3521 || !TEST_true(SSL_session_reused(clientssl)))
3522 goto end;
3523
3524 SSL_shutdown(clientssl);
3525 SSL_shutdown(serverssl);
3526 SSL_free(serverssl);
3527 SSL_free(clientssl);
3528 serverssl = clientssl = NULL;
3529
3530 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3531 &clientssl, NULL, NULL))
5a421415
MC		 3532 || !TEST_true(SSL_set_session(clientssl, sess)))
3533 goto end;
3534
3535 /* Write and read some early data */
3536 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3537 &written))
3538 || !TEST_size_t_eq(written, strlen(MSG1)))
3539 goto end;
3540
3541 if (usecb <= 1) {
3542 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3543 &readbytes),
3544 SSL_READ_EARLY_DATA_FINISH)
3545 /*
3546 * The ticket was reused, so the we should have rejected the
3547 * early data
3548 */
3549 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3550 SSL_EARLY_DATA_REJECTED))
3551 goto end;
3552 } else {
3553 /* In this case the callback decides to accept the early data */
3554 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3555 &readbytes),
3556 SSL_READ_EARLY_DATA_SUCCESS)
3557 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3558 /*
3559 * Server will have sent its flight so client can now send
3560 * end of early data and complete its half of the handshake
3561 */
3562 || !TEST_int_gt(SSL_connect(clientssl), 0)
3563 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3564 &readbytes),
3565 SSL_READ_EARLY_DATA_FINISH)
3566 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3567 SSL_EARLY_DATA_ACCEPTED))
3568 goto end;
3569 }
3570
3571 /* Complete the connection */
3572 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3573 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3574 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3575 goto end;
3576
3577 testresult = 1;
3578
3579 end:
c20e3b28 3580 SSL_SESSION_free(sess);
78fb5374
MC		 3581 SSL_SESSION_free(clientpsk);
3582 SSL_SESSION_free(serverpsk);
3583 clientpsk = serverpsk = NULL;
3584 SSL_free(serverssl);
3585 SSL_free(clientssl);
3586 SSL_CTX_free(sctx);
3587 SSL_CTX_free(cctx);
3588 return testresult;
3589}
3590
5a421415
MC		 3591static int test_early_data_replay(int idx)
3592{
3bb5e5b0 3593 int ret = 1, usecb, confopt;
5a421415 3594
3bb5e5b0
MC		 3595 for (usecb = 0; usecb < 3; usecb++) {
3596 for (confopt = 0; confopt < 2; confopt++)
3597 ret &= test_early_data_replay_int(idx, usecb, confopt);
3598 }
5a421415
MC		 3599
3600 return ret;
3601}
3602
710756a9 3603/*
6b84e6bf
MC		 3604 * Helper function to test that a server attempting to read early data can
3605 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3606 * testtype: 0 == No HRR
3607 * testtype: 1 == HRR
0efa0ba4
MC		 3608 * testtype: 2 == HRR, invalid early_data sent after HRR
3609 * testtype: 3 == recv_max_early_data set to 0
710756a9 3610 */
0d1b7789 3611static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3612{
3613 SSL_CTX *cctx = NULL, *sctx = NULL;
3614 SSL *clientssl = NULL, *serverssl = NULL;
3615 int testresult = 0;
018fcbec 3616 SSL_SESSION *sess = NULL;
5f982038
MC		 3617 unsigned char buf[20];
3618 size_t readbytes, written;
3619
710756a9
RS		 3620 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3621 &serverssl, &sess, idx)))
5f982038
MC		 3622 goto end;
3623
0efa0ba4 3624 if (testtype == 1 || testtype == 2) {
6b84e6bf 3625 /* Force an HRR to occur */
dbc6268f
MC		 3626#if defined(OPENSSL_NO_EC)
3627 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3628 goto end;
3629#else
6b84e6bf
MC		 3630 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3631 goto end;
dbc6268f 3632#endif
02a3ed5a
MC		 3633 } else if (idx == 2) {
3634 /*
3635 * We force early_data rejection by ensuring the PSK identity is
3636 * unrecognised
3637 */
3638 srvid = "Dummy Identity";
6b84e6bf
MC		 3639 } else {
3640 /*
3641 * Deliberately corrupt the creation time. We take 20 seconds off the
3642 * time. It could be any value as long as it is not within tolerance.
3643 * This should mean the ticket is rejected.
3644 */
5d99881e 3645 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3646 goto end;
3647 }
5f982038 3648
0efa0ba4 3649 if (testtype == 3
0d1b7789
MC		 3650 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3651 goto end;
3652
5f982038 3653 /* Write some early data */
710756a9
RS		 3654 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3655 &written))
3656 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3657 goto end;
5f982038 3658
0d1b7789 3659 /* Server should reject the early data */
710756a9
RS		 3660 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3661 &readbytes),
3662 SSL_READ_EARLY_DATA_FINISH)
3663 || !TEST_size_t_eq(readbytes, 0)
3664 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3665 SSL_EARLY_DATA_REJECTED))
5f982038 3666 goto end;
5f982038 3667
0efa0ba4
MC		 3668 switch (testtype) {
3669 case 0:
3670 /* Nothing to do */
3671 break;
3672
3673 case 1:
6b84e6bf
MC		 3674 /*
3675 * Finish off the handshake. We perform the same writes and reads as
3676 * further down but we expect them to fail due to the incomplete
3677 * handshake.
3678 */
3679 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3680 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3681 &readbytes)))
3682 goto end;
0efa0ba4
MC		 3683 break;
3684
3685 case 2:
3686 {
3687 BIO *wbio = SSL_get_wbio(clientssl);
3688 /* A record that will appear as bad early_data */
3689 const unsigned char bad_early_data[] = {
3690 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3691 };
3692
3693 /*
3694 * We force the client to attempt a write. This will fail because
3695 * we're still in the handshake. It will cause the second
3696 * ClientHello to be sent.
3697 */
3698 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3699 &written)))
3700 goto end;
3701
3702 /*
3703 * Inject some early_data after the second ClientHello. This should
3704 * cause the server to fail
3705 */
3706 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3707 sizeof(bad_early_data), &written)))
3708 goto end;
3709 }
3710 /* fallthrough */
3711
3712 case 3:
0d1b7789 3713 /*
0efa0ba4
MC		 3714 * This client has sent more early_data than we are willing to skip
3715 * (case 3) or sent invalid early_data (case 2) so the connection should
3716 * abort.
0d1b7789
MC		 3717 */
3718 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3719 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3720 goto end;
3721
3722 /* Connection has failed - nothing more to do */
3723 testresult = 1;
3724 goto end;
0efa0ba4
MC		 3725
3726 default:
3727 TEST_error("Invalid test type");
3728 goto end;
6b84e6bf
MC		 3729 }
3730
0d1b7789
MC		 3731 /*
3732 * Should be able to send normal data despite rejection of early data. The
3733 * early_data should be skipped.
3734 */
710756a9
RS		 3735 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3736 || !TEST_size_t_eq(written, strlen(MSG2))
3737 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3738 SSL_EARLY_DATA_REJECTED)
3739 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3740 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3741 goto end;
5f982038
MC		 3742
3743 testresult = 1;
3744
3745 end:
c20e3b28 3746 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3747 SSL_SESSION_free(serverpsk);
3748 clientpsk = serverpsk = NULL;
5f982038
MC		 3749 SSL_SESSION_free(sess);
3750 SSL_free(serverssl);
3751 SSL_free(clientssl);
3752 SSL_CTX_free(sctx);
3753 SSL_CTX_free(cctx);
5f982038
MC		 3754 return testresult;
3755}
3756
6b84e6bf
MC		 3757/*
3758 * Test that a server attempting to read early data can handle a connection
3759 * from a client where the early data is not acceptable.
3760 */
3761static int test_early_data_skip(int idx)
3762{
3763 return early_data_skip_helper(0, idx);
3764}
3765
3766/*
3767 * Test that a server attempting to read early data can handle a connection
3768 * from a client where an HRR occurs.
3769 */
3770static int test_early_data_skip_hrr(int idx)
3771{
3772 return early_data_skip_helper(1, idx);
3773}
3774
0efa0ba4
MC		 3775/*
3776 * Test that a server attempting to read early data can handle a connection
3777 * from a client where an HRR occurs and correctly fails if early_data is sent
3778 * after the HRR
3779 */
3780static int test_early_data_skip_hrr_fail(int idx)
3781{
3782 return early_data_skip_helper(2, idx);
3783}
3784
0d1b7789
MC		 3785/*
3786 * Test that a server attempting to read early data will abort if it tries to
3787 * skip over too much.
3788 */
3789static int test_early_data_skip_abort(int idx)
3790{
0efa0ba4 3791 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3792}
3793
710756a9
RS		 3794/*
3795 * Test that a server attempting to read early data can handle a connection
3796 * from a client that doesn't send any.
3797 */
3cb47b4e 3798static int test_early_data_not_sent(int idx)
5f982038
MC		 3799{
3800 SSL_CTX *cctx = NULL, *sctx = NULL;
3801 SSL *clientssl = NULL, *serverssl = NULL;
3802 int testresult = 0;
018fcbec 3803 SSL_SESSION *sess = NULL;
5f982038
MC		 3804 unsigned char buf[20];
3805 size_t readbytes, written;
3806
710756a9
RS		 3807 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3808 &serverssl, &sess, idx)))
5f982038
MC		 3809 goto end;
3810
3811 /* Write some data - should block due to handshake with server */
3812 SSL_set_connect_state(clientssl);
710756a9 3813 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3814 goto end;
5f982038
MC		 3815
3816 /* Server should detect that early data has not been sent */
710756a9
RS		 3817 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3818 &readbytes),
3819 SSL_READ_EARLY_DATA_FINISH)
3820 || !TEST_size_t_eq(readbytes, 0)
3821 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3822 SSL_EARLY_DATA_NOT_SENT)
3823 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3824 SSL_EARLY_DATA_NOT_SENT))
5f982038 3825 goto end;
5f982038
MC		 3826
3827 /* Continue writing the message we started earlier */
710756a9
RS		 3828 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3829 || !TEST_size_t_eq(written, strlen(MSG1))
3830 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3831 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3832 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3833 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3834 goto end;
5f982038 3835
710756a9
RS		 3836 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3837 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3838 goto end;
5f982038
MC		 3839
3840 testresult = 1;
3841
3842 end:
5f982038 3843 SSL_SESSION_free(sess);
c20e3b28 3844 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3845 SSL_SESSION_free(serverpsk);
3846 clientpsk = serverpsk = NULL;
5f982038
MC		 3847 SSL_free(serverssl);
3848 SSL_free(clientssl);
3849 SSL_CTX_free(sctx);
3850 SSL_CTX_free(cctx);
5f982038
MC		 3851 return testresult;
3852}
3853
976e5323
MC		 3854static const char *servalpn;
3855
c7558d5b
PY		 3856static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3857 unsigned char *outlen, const unsigned char *in,
3858 unsigned int inlen, void *arg)
976e5323 3859{
c7558d5b 3860 unsigned int protlen = 0;
976e5323
MC		 3861 const unsigned char *prot;
3862
c7558d5b
PY		 3863 for (prot = in; prot < in + inlen; prot += protlen) {
3864 protlen = *prot++;
5d99881e 3865 if (in + inlen < prot + protlen)
976e5323
MC		 3866 return SSL_TLSEXT_ERR_NOACK;
3867
3868 if (protlen == strlen(servalpn)
0bd42fde 3869 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3870 *out = prot;
3871 *outlen = protlen;
3872 return SSL_TLSEXT_ERR_OK;
3873 }
3874 }
3875
3876 return SSL_TLSEXT_ERR_NOACK;
3877}
3878
57dee9bb 3879/* Test that a PSK can be used to send early_data */
976e5323
MC		 3880static int test_early_data_psk(int idx)
3881{
3882 SSL_CTX *cctx = NULL, *sctx = NULL;
3883 SSL *clientssl = NULL, *serverssl = NULL;
3884 int testresult = 0;
3885 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3886 unsigned char alpnlist[] = {
3887 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3888 'l', 'p', 'n'
3889 };
3890#define GOODALPNLEN 9
3891#define BADALPNLEN 8
3892#define GOODALPN (alpnlist)
3893#define BADALPN (alpnlist + GOODALPNLEN)
3894 int err = 0;
976e5323
MC		 3895 unsigned char buf[20];
3896 size_t readbytes, written;
57dee9bb 3897 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3898 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3899
3900 /* We always set this up with a final parameter of "2" for PSK */
3901 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3902 &serverssl, &sess, 2)))
3903 goto end;
3904
976e5323
MC		 3905 servalpn = "goodalpn";
3906
57dee9bb
MC		 3907 /*
3908 * Note: There is no test for inconsistent SNI with late client detection.
3909 * This is because servers do not acknowledge SNI even if they are using
3910 * it in a resumption handshake - so it is not actually possible for a
3911 * client to detect a problem.
3912 */
976e5323
MC		 3913 switch (idx) {
3914 case 0:
57dee9bb 3915 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3916 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3917 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3918 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3919 goto end;
3920 break;
3921
3922 case 1:
57dee9bb 3923 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3924 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3925 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3926 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3927 GOODALPNLEN))
3928 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3929 BADALPNLEN)))
976e5323
MC		 3930 goto end;
3931 break;
3932
3933 case 2:
3934 /*
3935 * Set invalid protocol version. Technically this affects PSKs without
3936 * early_data too, but we test it here because it is similar to the
3937 * SNI/ALPN consistency tests.
3938 */
3939 err = SSL_R_BAD_PSK;
3940 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3941 goto end;
3942 break;
3943
3944 case 3:
3945 /*
49ef3d07
MC		 3946 * Set inconsistent SNI (server side). In this case the connection
3947 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3948 * is associated with each handshake - not the session. Therefore it
3949 * should not matter that we used a different server name last time.
976e5323 3950 */
281bf233
MC		 3951 SSL_SESSION_free(serverpsk);
3952 serverpsk = SSL_SESSION_dup(clientpsk);
3953 if (!TEST_ptr(serverpsk)
3954 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3955 goto end;
976e5323
MC		 3956 /* Fall through */
3957 case 4:
3958 /* Set consistent SNI */
976e5323
MC		 3959 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3960 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3961 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3962 hostname_cb)))
3963 goto end;
3964 break;
3965
3966 case 5:
3967 /*
3968 * Set inconsistent ALPN (server detected). In this case the connection
3969 * will succeed but reject early_data.
3970 */
3971 servalpn = "badalpn";
3972 edstatus = SSL_EARLY_DATA_REJECTED;
3973 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3974 /* Fall through */
3975 case 6:
976e5323 3976 /*
57dee9bb 3977 * Set consistent ALPN.
976e5323
MC		 3978 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3979 * accepts a list of protos (each one length prefixed).
3980 * SSL_set1_alpn_selected accepts a single protocol (not length
3981 * prefixed)
3982 */
57dee9bb
MC		 3983 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3984 GOODALPNLEN - 1))
3985 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3986 GOODALPNLEN)))
976e5323
MC		 3987 goto end;
3988
3989 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3990 break;
3991
57dee9bb
MC		 3992 case 7:
3993 /* Set inconsistent ALPN (late client detection) */
3994 SSL_SESSION_free(serverpsk);
3995 serverpsk = SSL_SESSION_dup(clientpsk);
3996 if (!TEST_ptr(serverpsk)
3997 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3998 BADALPN + 1,
3999 BADALPNLEN - 1))
4000 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
4001 GOODALPN + 1,
4002 GOODALPNLEN - 1))
4003 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
4004 sizeof(alpnlist))))
4005 goto end;
4006 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
4007 edstatus = SSL_EARLY_DATA_ACCEPTED;
4008 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
4009 /* SSL_connect() call should fail */
4010 connectres = -1;
4011 break;
4012
976e5323
MC		 4013 default:
4014 TEST_error("Bad test index");
4015 goto end;
4016 }
4017
4018 SSL_set_connect_state(clientssl);
4019 if (err != 0) {
4020 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4021 &written))
4022 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
4023 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
4024 goto end;
4025 } else {
4026 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 4027 &written)))
4028 goto end;
4029
4030 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4031 &readbytes), readearlyres)
976e5323
MC		 4032 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
4033 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 4034 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
4035 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 4036 goto end;
4037 }
4038
4039 testresult = 1;
4040
4041 end:
c20e3b28 4042 SSL_SESSION_free(sess);
57dee9bb
MC		 4043 SSL_SESSION_free(clientpsk);
4044 SSL_SESSION_free(serverpsk);
4045 clientpsk = serverpsk = NULL;
976e5323
MC		 4046 SSL_free(serverssl);
4047 SSL_free(clientssl);
4048 SSL_CTX_free(sctx);
4049 SSL_CTX_free(cctx);
4050 return testresult;
4051}
4052
0b2b0be9 4053/*
4054 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
4055 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
4056 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
4057 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4058 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
4059 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
4060 */
4061static int test_early_data_psk_with_all_ciphers(int idx)
4062{
4063 SSL_CTX *cctx = NULL, *sctx = NULL;
4064 SSL *clientssl = NULL, *serverssl = NULL;
4065 int testresult = 0;
4066 SSL_SESSION *sess = NULL;
4067 unsigned char buf[20];
4068 size_t readbytes, written;
4069 const SSL_CIPHER *cipher;
4070 const char *cipher_str[] = {
4071 TLS1_3_RFC_AES_128_GCM_SHA256,
4072 TLS1_3_RFC_AES_256_GCM_SHA384,
4073# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4074 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
4075# else
4076 NULL,
4077# endif
4078 TLS1_3_RFC_AES_128_CCM_SHA256,
4079 TLS1_3_RFC_AES_128_CCM_8_SHA256
4080 };
4081 const unsigned char *cipher_bytes[] = {
4082 TLS13_AES_128_GCM_SHA256_BYTES,
4083 TLS13_AES_256_GCM_SHA384_BYTES,
4084# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4085 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
4086# else
4087 NULL,
4088# endif
4089 TLS13_AES_128_CCM_SHA256_BYTES,
4090 TLS13_AES_128_CCM_8_SHA256_BYTES
4091 };
4092
4093 if (cipher_str[idx] == NULL)
4094 return 1;
4095 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
4096 if (idx == 2 && is_fips == 1)
4097 return 1;
4098
4099 /* We always set this up with a final parameter of "2" for PSK */
4100 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4101 &serverssl, &sess, 2)))
4102 goto end;
4103
4104 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
4105 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
4106 goto end;
4107
4108 /*
4109 * 'setupearly_data_test' creates only one instance of SSL_SESSION
4110 * and assigns to both client and server with incremented reference
4111 * and the same instance is updated in 'sess'.
4112 * So updating ciphersuite in 'sess' which will get reflected in
4113 * PSK handshake using psk use sess and find sess cb.
4114 */
4115 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
4116 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
4117 goto end;
4118
4119 SSL_set_connect_state(clientssl);
4120 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4121 &written)))
4122 goto end;
4123
4124 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4125 &readbytes),
4126 SSL_READ_EARLY_DATA_SUCCESS)
4127 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4128 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4129 SSL_EARLY_DATA_ACCEPTED)
4130 || !TEST_int_eq(SSL_connect(clientssl), 1)
4131 || !TEST_int_eq(SSL_accept(serverssl), 1))
4132 goto end;
4133
4134 /* Send some normal data from client to server */
4135 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4136 || !TEST_size_t_eq(written, strlen(MSG2)))
4137 goto end;
4138
4139 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4140 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
4141 goto end;
4142
4143 testresult = 1;
4144 end:
4145 SSL_SESSION_free(sess);
4146 SSL_SESSION_free(clientpsk);
4147 SSL_SESSION_free(serverpsk);
4148 clientpsk = serverpsk = NULL;
4149 if (clientssl != NULL)
4150 SSL_shutdown(clientssl);
4151 if (serverssl != NULL)
4152 SSL_shutdown(serverssl);
4153 SSL_free(serverssl);
4154 SSL_free(clientssl);
4155 SSL_CTX_free(sctx);
4156 SSL_CTX_free(cctx);
4157 return testresult;
4158}
4159
710756a9
RS		 4160/*
4161 * Test that a server that doesn't try to read early data can handle a
4162 * client sending some.
4163 */
3cb47b4e 4164static int test_early_data_not_expected(int idx)
5f982038
MC		 4165{
4166 SSL_CTX *cctx = NULL, *sctx = NULL;
4167 SSL *clientssl = NULL, *serverssl = NULL;
4168 int testresult = 0;
018fcbec 4169 SSL_SESSION *sess = NULL;
5f982038
MC		 4170 unsigned char buf[20];
4171 size_t readbytes, written;
4172
710756a9
RS		 4173 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4174 &serverssl, &sess, idx)))
5f982038
MC		 4175 goto end;
4176
4177 /* Write some early data */
710756a9
RS		 4178 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
4179 &written)))
5f982038 4180 goto end;
5f982038
MC		 4181
4182 /*
4183 * Server should skip over early data and then block waiting for client to
4184 * continue handshake
4185 */
710756a9
RS		 4186 if (!TEST_int_le(SSL_accept(serverssl), 0)
4187 || !TEST_int_gt(SSL_connect(clientssl), 0)
4188 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4189 SSL_EARLY_DATA_REJECTED)
4190 || !TEST_int_gt(SSL_accept(serverssl), 0)
4191 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4192 SSL_EARLY_DATA_REJECTED))
5f982038 4193 goto end;
5f982038
MC		 4194
4195 /* Send some normal data from client to server */
710756a9
RS		 4196 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
4197 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 4198 goto end;
5f982038 4199
710756a9
RS		 4200 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4201 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4202 goto end;
5f982038
MC		 4203
4204 testresult = 1;
4205
4206 end:
5f982038 4207 SSL_SESSION_free(sess);
c20e3b28 4208 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 4209 SSL_SESSION_free(serverpsk);
4210 clientpsk = serverpsk = NULL;
5f982038
MC		 4211 SSL_free(serverssl);
4212 SSL_free(clientssl);
4213 SSL_CTX_free(sctx);
4214 SSL_CTX_free(cctx);
5f982038
MC		 4215 return testresult;
4216}
4217
4218
4219# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4220/*
4221 * Test that a server attempting to read early data can handle a connection
4222 * from a TLSv1.2 client.
4223 */
3cb47b4e 4224static int test_early_data_tls1_2(int idx)
5f982038
MC		 4225{
4226 SSL_CTX *cctx = NULL, *sctx = NULL;
4227 SSL *clientssl = NULL, *serverssl = NULL;
4228 int testresult = 0;
4229 unsigned char buf[20];
4230 size_t readbytes, written;
4231
02a3ed5a
MC		 4232 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4233 &serverssl, NULL, idx)))
5f982038 4234 goto end;
5f982038
MC		 4235
4236 /* Write some data - should block due to handshake with server */
4237 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4238 SSL_set_connect_state(clientssl);
710756a9 4239 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4240 goto end;
5f982038
MC		 4241
4242 /*
4243 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4244 * messages from client after ServerDone. Then SSL_read_early_data should
4245 * finish and detect that early data has not been sent
5f982038 4246 */
710756a9
RS		 4247 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4248 &readbytes),
4249 SSL_READ_EARLY_DATA_ERROR))
5f982038 4250 goto end;
5f982038
MC		 4251
4252 /*
4253 * Continue writing the message we started earlier. Will still block waiting
4254 * for the CCS/Finished from server
4255 */
710756a9
RS		 4256 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4257 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4258 &readbytes),
4259 SSL_READ_EARLY_DATA_FINISH)
4260 || !TEST_size_t_eq(readbytes, 0)
4261 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4262 SSL_EARLY_DATA_NOT_SENT))
5f982038 4263 goto end;
5f982038
MC		 4264
4265 /* Continue writing the message we started earlier */
710756a9
RS		 4266 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4267 || !TEST_size_t_eq(written, strlen(MSG1))
4268 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4269 SSL_EARLY_DATA_NOT_SENT)
4270 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4271 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4272 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4273 || !TEST_size_t_eq(written, strlen(MSG2))
4274 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4275 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4276 goto end;
5f982038
MC		 4277
4278 testresult = 1;
4279
4280 end:
57dee9bb
MC		 4281 SSL_SESSION_free(clientpsk);
4282 SSL_SESSION_free(serverpsk);
4283 clientpsk = serverpsk = NULL;
5f982038
MC		 4284 SSL_free(serverssl);
4285 SSL_free(clientssl);
4286 SSL_CTX_free(sctx);
4287 SSL_CTX_free(cctx);
4288
4289 return testresult;
4290}
ca0413ae
MC		 4291# endif /* OPENSSL_NO_TLS1_2 */
4292
034cb87b
MC		 4293/*
4294 * Test configuring the TLSv1.3 ciphersuites
4295 *
4296 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4297 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4298 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4299 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4300 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4301 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4302 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4303 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4304 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4305 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4306 */
4307static int test_set_ciphersuite(int idx)
4308{
4309 SSL_CTX *cctx = NULL, *sctx = NULL;
4310 SSL *clientssl = NULL, *serverssl = NULL;
4311 int testresult = 0;
4312
5e30f2fd
MC		 4313 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4314 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4315 &sctx, &cctx, cert, privkey))
4316 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4317 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4318 goto end;
4319
4320 if (idx >=4 && idx <= 7) {
4321 /* SSL_CTX explicit cipher list */
4322 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4323 goto end;
4324 }
4325
4326 if (idx == 0 || idx == 4) {
4327 /* Default ciphersuite */
4328 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4329 "TLS_AES_128_GCM_SHA256")))
4330 goto end;
4331 } else if (idx == 1 || idx == 5) {
4332 /* Non default ciphersuite */
4333 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4334 "TLS_AES_128_CCM_SHA256")))
4335 goto end;
4336 }
4337
4338 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4339 &clientssl, NULL, NULL)))
4340 goto end;
4341
4342 if (idx == 8 || idx == 9) {
4343 /* SSL explicit cipher list */
4344 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4345 goto end;
4346 }
4347
4348 if (idx == 2 || idx == 6 || idx == 8) {
4349 /* Default ciphersuite */
4350 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4351 "TLS_AES_128_GCM_SHA256")))
4352 goto end;
4353 } else if (idx == 3 || idx == 7 || idx == 9) {
4354 /* Non default ciphersuite */
4355 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4356 "TLS_AES_128_CCM_SHA256")))
4357 goto end;
4358 }
4359
4360 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4361 goto end;
4362
4363 testresult = 1;
4364
4365 end:
4366 SSL_free(serverssl);
4367 SSL_free(clientssl);
4368 SSL_CTX_free(sctx);
4369 SSL_CTX_free(cctx);
4370
4371 return testresult;
4372}
4373
ca0413ae
MC		 4374static int test_ciphersuite_change(void)
4375{
4376 SSL_CTX *cctx = NULL, *sctx = NULL;
4377 SSL *clientssl = NULL, *serverssl = NULL;
4378 SSL_SESSION *clntsess = NULL;
4379 int testresult = 0;
4380 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4381
4382 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4383 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4384 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4385 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4386 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4387 "TLS_AES_128_GCM_SHA256:"
4388 "TLS_AES_256_GCM_SHA384:"
4389 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4390 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4391 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4392 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4393 &clientssl, NULL, NULL))
4394 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4395 SSL_ERROR_NONE)))
4396 goto end;
4397
4398 clntsess = SSL_get1_session(clientssl);
4399 /* Save for later */
4400 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4401 SSL_shutdown(clientssl);
4402 SSL_shutdown(serverssl);
4403 SSL_free(serverssl);
4404 SSL_free(clientssl);
4405 serverssl = clientssl = NULL;
4406
4407 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4408 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4409 "TLS_AES_128_CCM_SHA256"))
4410 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4411 &clientssl, NULL, NULL))
ca0413ae
MC		 4412 || !TEST_true(SSL_set_session(clientssl, clntsess))
4413 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4414 SSL_ERROR_NONE))
4415 || !TEST_true(SSL_session_reused(clientssl)))
4416 goto end;
4417
4418 SSL_SESSION_free(clntsess);
4419 clntsess = SSL_get1_session(clientssl);
4420 SSL_shutdown(clientssl);
4421 SSL_shutdown(serverssl);
4422 SSL_free(serverssl);
4423 SSL_free(clientssl);
4424 serverssl = clientssl = NULL;
4425
4426 /*
4427 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4428 * succeeds but does not resume.
ca0413ae 4429 */
f865b081 4430 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4431 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4432 NULL, NULL))
4433 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4434 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4435 SSL_ERROR_SSL))
0de6d66d 4436 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4437 goto end;
4438
4439 SSL_SESSION_free(clntsess);
4440 clntsess = NULL;
4441 SSL_shutdown(clientssl);
4442 SSL_shutdown(serverssl);
4443 SSL_free(serverssl);
4444 SSL_free(clientssl);
4445 serverssl = clientssl = NULL;
4446
4447 /* Create a session based on SHA384 */
f865b081 4448 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4449 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4450 &clientssl, NULL, NULL))
4451 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4452 SSL_ERROR_NONE)))
4453 goto end;
4454
4455 clntsess = SSL_get1_session(clientssl);
4456 SSL_shutdown(clientssl);
4457 SSL_shutdown(serverssl);
4458 SSL_free(serverssl);
4459 SSL_free(clientssl);
4460 serverssl = clientssl = NULL;
4461
f865b081
MC		 4462 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4463 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4464 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4465 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4466 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4467 NULL, NULL))
4468 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4469 /*
4470 * We use SSL_ERROR_WANT_READ below so that we can pause the
4471 * connection after the initial ClientHello has been sent to
4472 * enable us to make some session changes.
4473 */
ca0413ae
MC		 4474 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4475 SSL_ERROR_WANT_READ)))
4476 goto end;
4477
4478 /* Trick the client into thinking this session is for a different digest */
4479 clntsess->cipher = aes_128_gcm_sha256;
4480 clntsess->cipher_id = clntsess->cipher->id;
4481
4482 /*
3b0e88d3
MC		 4483 * Continue the previously started connection. Server has selected a SHA-384
4484 * ciphersuite, but client thinks the session is for SHA-256, so it should
4485 * bail out.
ca0413ae
MC		 4486 */
4487 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4488 SSL_ERROR_SSL))
4489 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4490 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4491 goto end;
4492
4493 testresult = 1;
4494
4495 end:
4496 SSL_SESSION_free(clntsess);
4497 SSL_free(serverssl);
4498 SSL_free(clientssl);
4499 SSL_CTX_free(sctx);
4500 SSL_CTX_free(cctx);
4501
4502 return testresult;
4503}
4504
8e63900a 4505/*
5bf2eade 4506 * Test TLSv1.3 Key exchange
4507 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4508 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4509 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4510 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4511 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4512 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4513 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4514 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4515 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4516 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4517 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4518 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4519 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4520 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4521 */
f89d3d69
BK		 4522# ifndef OPENSSL_NO_EC
4523static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4524 NID_secp521r1, NID_X25519, NID_X448};
4525# endif
4526# ifndef OPENSSL_NO_DH
4527static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4528 NID_ffdhe6144, NID_ffdhe8192};
4529# endif
db26ec80 4530static int test_key_exchange(int idx)
8e63900a 4531{
4532 SSL_CTX *sctx = NULL, *cctx = NULL;
4533 SSL *serverssl = NULL, *clientssl = NULL;
4534 int testresult = 0;
fb8c6db4 4535 int kexch_alg;
4536 int *kexch_groups = &kexch_alg;
4537 int kexch_groups_size = 1;
8e63900a 4538 int max_version = TLS1_3_VERSION;
becbacd7 4539 char *kexch_name0 = NULL;
8e63900a 4540
4541 switch (idx) {
5bf2eade 4542# ifndef OPENSSL_NO_EC
db26ec80 4543# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4544 case 12:
fb8c6db4 4545 max_version = TLS1_2_VERSION;
db26ec80 4546# endif
fb8c6db4 4547 /* Fall through */
4548 case 0:
4549 kexch_groups = ecdhe_kexch_groups;
4550 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
becbacd7 4551 kexch_name0 = "secp256r1";
fb8c6db4 4552 break;
5bf2eade 4553 case 1:
fb8c6db4 4554 kexch_alg = NID_X9_62_prime256v1;
becbacd7 4555 kexch_name0 = "secp256r1";
fb8c6db4 4556 break;
5bf2eade 4557 case 2:
fb8c6db4 4558 kexch_alg = NID_secp384r1;
becbacd7 4559 kexch_name0 = "secp384r1";
fb8c6db4 4560 break;
5bf2eade 4561 case 3:
fb8c6db4 4562 kexch_alg = NID_secp521r1;
becbacd7 4563 kexch_name0 = "secp521r1";
fb8c6db4 4564 break;
5bf2eade 4565 case 4:
fb8c6db4 4566 kexch_alg = NID_X25519;
becbacd7 4567 kexch_name0 = "x25519";
fb8c6db4 4568 break;
5bf2eade 4569 case 5:
fb8c6db4 4570 kexch_alg = NID_X448;
becbacd7 4571 kexch_name0 = "x448";
fb8c6db4 4572 break;
5bf2eade 4573# endif
4574# ifndef OPENSSL_NO_DH
db26ec80 4575# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4576 case 13:
dbc6268f 4577 max_version = TLS1_2_VERSION;
becbacd7 4578 kexch_name0 = "ffdhe2048";
db26ec80 4579# endif
dbc6268f 4580 /* Fall through */
5bf2eade 4581 case 6:
8e63900a 4582 kexch_groups = ffdhe_kexch_groups;
4583 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
becbacd7 4584 kexch_name0 = "ffdhe2048";
8e63900a 4585 break;
5bf2eade 4586 case 7:
fb8c6db4 4587 kexch_alg = NID_ffdhe2048;
becbacd7 4588 kexch_name0 = "ffdhe2048";
fb8c6db4 4589 break;
5bf2eade 4590 case 8:
fb8c6db4 4591 kexch_alg = NID_ffdhe3072;
becbacd7 4592 kexch_name0 = "ffdhe3072";
fb8c6db4 4593 break;
5bf2eade 4594 case 9:
fb8c6db4 4595 kexch_alg = NID_ffdhe4096;
becbacd7 4596 kexch_name0 = "ffdhe4096";
fb8c6db4 4597 break;
5bf2eade 4598 case 10:
fb8c6db4 4599 kexch_alg = NID_ffdhe6144;
becbacd7 4600 kexch_name0 = "ffdhe6144";
fb8c6db4 4601 break;
5bf2eade 4602 case 11:
fb8c6db4 4603 kexch_alg = NID_ffdhe8192;
becbacd7 4604 kexch_name0 = "ffdhe8192";
8e63900a 4605 break;
5bf2eade 4606# endif
6597d62b
MC		 4607 default:
4608 /* We're skipping this test */
4609 return 1;
8e63900a 4610 }
4611
5e30f2fd
MC		 4612 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4613 TLS_client_method(), TLS1_VERSION,
4614 max_version, &sctx, &cctx, cert,
4615 privkey)))
8e63900a 4616 goto end;
4617
5bf2eade 4618 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4619 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4620 goto end;
4621
5bf2eade 4622 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4623 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4624 goto end;
4625
5bf2eade 4626 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
75d48520
BK		 4627 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4628 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4629 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
8e63900a 4630 goto end;
4631
dbc6268f
MC		 4632 /*
4633 * Must include an EC ciphersuite so that we send supported groups in
4634 * TLSv1.2
4635 */
5bf2eade 4636# ifndef OPENSSL_NO_TLS1_2
dbc6268f 4637 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
75d48520
BK		 4638 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4639 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
8e63900a 4640 goto end;
5bf2eade 4641# endif
8e63900a 4642
4643 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4644 NULL, NULL)))
4645 goto end;
4646
4647 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4648 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4649 goto end;
4650
5bf2eade 4651 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4652 goto end;
8e63900a 4653
dbc6268f 4654 /*
5bf2eade 4655 * If Handshake succeeds the negotiated kexch alg should be the first one in
4656 * configured, except in the case of FFDHE groups (idx 13), which are
4657 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4658 */
4659 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4660 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4661 goto end;
becbacd7
MB		 4662
4663 if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]),
4664 kexch_name0))
4665 goto end;
4666
75d48520
BK		 4667 /* We don't implement RFC 7919 named groups for TLS 1.2. */
4668 if (idx != 13) {
fb8c6db4 4669 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4670 goto end;
4671 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4672 goto end;
4673 }
8e63900a 4674
4675 testresult = 1;
4676 end:
4677 SSL_free(serverssl);
4678 SSL_free(clientssl);
4679 SSL_CTX_free(sctx);
4680 SSL_CTX_free(cctx);
4681 return testresult;
4682}
4683
c9cddf05
P		 4684# if !defined(OPENSSL_NO_TLS1_2) \
4685 && !defined(OPENSSL_NO_EC) \
4686 && !defined(OPENSSL_NO_DH)
6dc56df2
BK		 4687static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti,
4688 int isecdhe, int idx)
4689{
4690 int kexch_alg;
4691 int *kexch_groups = &kexch_alg;
4692 int numec, numff;
4693
4694 numec = OSSL_NELEM(ecdhe_kexch_groups);
4695 numff = OSSL_NELEM(ffdhe_kexch_groups);
4696 if (isecdhe)
4697 kexch_alg = ecdhe_kexch_groups[idx];
4698 else
4699 kexch_alg = ffdhe_kexch_groups[idx];
4700
4701 if (clientmulti) {
4702 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, 1)))
4703 return 0;
4704 if (isecdhe) {
4705 if (!TEST_true(SSL_set1_groups(clientssl, ecdhe_kexch_groups,
4706 numec)))
4707 return 0;
4708 } else {
4709 if (!TEST_true(SSL_set1_groups(clientssl, ffdhe_kexch_groups,
4710 numff)))
4711 return 0;
4712 }
4713 } else {
4714 if (!TEST_true(SSL_set1_groups(clientssl, kexch_groups, 1)))
4715 return 0;
4716 if (isecdhe) {
4717 if (!TEST_true(SSL_set1_groups(serverssl, ecdhe_kexch_groups,
4718 numec)))
4719 return 0;
4720 } else {
4721 if (!TEST_true(SSL_set1_groups(serverssl, ffdhe_kexch_groups,
4722 numff)))
4723 return 0;
4724 }
4725 }
4726 return 1;
4727}
4728
4729/*-
4730 * Test the SSL_get_negotiated_group() API across a battery of scenarios.
4731 * Run through both the ECDHE and FFDHE group lists used in the previous
4732 * test, for both TLS 1.2 and TLS 1.3, negotiating each group in turn,
4733 * confirming the expected result; then perform a resumption handshake
4734 * while offering the same group list, and another resumption handshake
4735 * offering a different group list. The returned value should be the
4736 * negotiated group for the initial handshake; for TLS 1.3 resumption
4737 * handshakes the returned value will be negotiated on the resumption
4738 * handshake itself, but for TLS 1.2 resumption handshakes the value will
4739 * be cached in the session from the original handshake, regardless of what
4740 * was offered in the resumption ClientHello.
4741 *
4742 * Using E for the number of EC groups and F for the number of FF groups:
4743 * E tests of ECDHE with TLS 1.3, client sends only one group
4744 * F tests of FFDHE with TLS 1.3, client sends only one group
4745 * E tests of ECDHE with TLS 1.2, client sends only one group
4746 * F tests of FFDHE with TLS 1.2, client sends only one group
4747 * E tests of ECDHE with TLS 1.3, server only has one group
4748 * F tests of FFDHE with TLS 1.3, server only has one group
4749 * E tests of ECDHE with TLS 1.2, server only has one group
4750 * F tests of FFDHE with TLS 1.2, server only has one group
4751 */
4752static int test_negotiated_group(int idx)
4753{
4754 int clientmulti, istls13, isecdhe, numec, numff, numgroups;
4755 int expectednid;
4756 SSL_CTX *sctx = NULL, *cctx = NULL;
4757 SSL *serverssl = NULL, *clientssl = NULL;
4758 SSL_SESSION *origsess = NULL;
4759 int testresult = 0;
4760 int kexch_alg;
4761 int max_version = TLS1_3_VERSION;
4762
4763 numec = OSSL_NELEM(ecdhe_kexch_groups);
4764 numff = OSSL_NELEM(ffdhe_kexch_groups);
4765 numgroups = numec + numff;
4766 clientmulti = (idx < 2 * numgroups);
4767 idx = idx % (2 * numgroups);
4768 istls13 = (idx < numgroups);
4769 idx = idx % numgroups;
4770 isecdhe = (idx < numec);
4771 if (!isecdhe)
4772 idx -= numec;
4773 /* Now 'idx' is an index into ecdhe_kexch_groups or ffdhe_kexch_groups */
4774 if (isecdhe)
4775 kexch_alg = ecdhe_kexch_groups[idx];
4776 else
4777 kexch_alg = ffdhe_kexch_groups[idx];
4778 /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
4779 if (!istls13 && !isecdhe)
4780 expectednid = NID_undef;
4781 else
4782 expectednid = kexch_alg;
4783
4784 if (!istls13)
4785 max_version = TLS1_2_VERSION;
4786
4787 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4788 TLS_client_method(), TLS1_VERSION,
4789 max_version, &sctx, &cctx, cert,
4790 privkey)))
4791 goto end;
4792
4793 /*
4794 * Force (EC)DHE ciphers for TLS 1.2.
4795 * Be sure to enable auto tmp DH so that FFDHE can succeed.
4796 */
4797 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4798 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4799 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256))
4800 || !TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
4801 goto end;
4802 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4803 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
4804 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256)))
4805 goto end;
4806
4807 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4808 NULL, NULL)))
4809 goto end;
4810
4811 if (!TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti, isecdhe,
4812 idx)))
4813 goto end;
4814
4815 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4816 goto end;
4817
4818 /* Initial handshake; always the configured one */
4819 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4820 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4821 goto end;
4822
4823 if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
4824 goto end;
4825
4826 SSL_shutdown(clientssl);
4827 SSL_shutdown(serverssl);
4828 SSL_free(serverssl);
4829 SSL_free(clientssl);
4830 serverssl = clientssl = NULL;
4831
4832 /* First resumption attempt; use the same config as initial handshake */
4833 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4834 NULL, NULL))
4835 || !TEST_true(SSL_set_session(clientssl, origsess))
4836 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4837 isecdhe, idx)))
4838 goto end;
4839
4840 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4841 || !TEST_true(SSL_session_reused(clientssl)))
4842 goto end;
4843
4844 /* Still had better agree, since nothing changed... */
4845 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4846 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4847 goto end;
4848
4849 SSL_shutdown(clientssl);
4850 SSL_shutdown(serverssl);
4851 SSL_free(serverssl);
4852 SSL_free(clientssl);
4853 serverssl = clientssl = NULL;
4854
4855 /*-
4856 * Second resumption attempt
4857 * The party that picks one group changes it, which we effectuate by
4858 * changing 'idx' and updating what we expect.
4859 */
4860 if (idx == 0)
4861 idx = 1;
4862 else
4863 idx--;
4864 if (istls13) {
4865 if (isecdhe)
4866 expectednid = ecdhe_kexch_groups[idx];
4867 else
4868 expectednid = ffdhe_kexch_groups[idx];
4869 /* Verify that we are changing what we expect. */
4870 if (!TEST_int_ne(expectednid, kexch_alg))
4871 goto end;
4872 } else {
4873 /* TLS 1.2 only supports named groups for ECDHE. */
4874 if (isecdhe)
4875 expectednid = kexch_alg;
4876 else
4877 expectednid = 0;
4878 }
4879 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4880 NULL, NULL))
4881 || !TEST_true(SSL_set_session(clientssl, origsess))
4882 || !TEST_true(set_ssl_groups(serverssl, clientssl, clientmulti,
4883 isecdhe, idx)))
4884 goto end;
4885
4886 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4887 || !TEST_true(SSL_session_reused(clientssl)))
4888 goto end;
4889
4890 /* Check that we get what we expected */
4891 if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
4892 || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
4893 goto end;
4894
4895 testresult = 1;
4896 end:
4897 SSL_free(serverssl);
4898 SSL_free(clientssl);
4899 SSL_CTX_free(sctx);
4900 SSL_CTX_free(cctx);
4901 SSL_SESSION_free(origsess);
4902 return testresult;
4903}
4904# endif /* !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH) */
4905
5bf2eade 4906/*
4907 * Test TLSv1.3 Cipher Suite
4908 * Test 0 = Set TLS1.3 cipher on context
4909 * Test 1 = Set TLS1.3 cipher on SSL
4910 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4911 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4912 */
4913static int test_tls13_ciphersuite(int idx)
4914{
4915 SSL_CTX *sctx = NULL, *cctx = NULL;
4916 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4917 static const struct {
4918 const char *ciphername;
4919 int fipscapable;
4920 } t13_ciphers[] = {
4921 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4922 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4923 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4924# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4925 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4926 { TLS1_3_RFC_AES_256_GCM_SHA384
4927 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4928# endif
4f6c7044 4929 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4930 };
4931 const char *t13_cipher = NULL;
4932 const char *t12_cipher = NULL;
4933 const char *negotiated_scipher;
4934 const char *negotiated_ccipher;
4935 int set_at_ctx = 0;
4936 int set_at_ssl = 0;
4937 int testresult = 0;
4938 int max_ver;
4939 size_t i;
4940
4941 switch (idx) {
4942 case 0:
4943 set_at_ctx = 1;
4944 break;
4945 case 1:
4946 set_at_ssl = 1;
4947 break;
4948 case 2:
4949 set_at_ctx = 1;
2d900758 4950 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4951 break;
4952 case 3:
4953 set_at_ssl = 1;
2d900758 4954 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4955 break;
4956 }
4957
4958 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4959# ifdef OPENSSL_NO_TLS1_2
4960 if (max_ver == TLS1_2_VERSION)
4961 continue;
4962# endif
4963 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4964 if (is_fips && !t13_ciphers[i].fipscapable)
4965 continue;
4966 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4967 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4968 TLS_client_method(),
4969 TLS1_VERSION, max_ver,
4970 &sctx, &cctx, cert, privkey)))
4971 goto end;
4972
4973 if (set_at_ctx) {
4974 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4975 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4976 goto end;
4977 if (t12_cipher != NULL) {
4978 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4979 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4980 t12_cipher)))
4981 goto end;
4982 }
4983 }
4984
4985 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4986 &clientssl, NULL, NULL)))
4987 goto end;
4988
4989 if (set_at_ssl) {
4990 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4991 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4992 goto end;
4993 if (t12_cipher != NULL) {
4994 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4995 || !TEST_true(SSL_set_cipher_list(clientssl,
4996 t12_cipher)))
4997 goto end;
4998 }
4999 }
5000
5001 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5002 SSL_ERROR_NONE)))
5003 goto end;
5004
5005 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5006 serverssl));
5007 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
5008 clientssl));
5009 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
5010 goto end;
5011
5012 /*
5013 * TEST_strn_eq is used below because t13_cipher can contain
5014 * multiple ciphersuites
5015 */
5016 if (max_ver == TLS1_3_VERSION
5017 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
5018 strlen(negotiated_scipher)))
5019 goto end;
5020
5021# ifndef OPENSSL_NO_TLS1_2
5022 /* Below validation is not done when t12_cipher is NULL */
5023 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
5024 && !TEST_str_eq(t12_cipher, negotiated_scipher))
5025 goto end;
5026# endif
5027
5028 SSL_free(serverssl);
5029 serverssl = NULL;
5030 SSL_free(clientssl);
5031 clientssl = NULL;
5032 SSL_CTX_free(sctx);
5033 sctx = NULL;
5034 SSL_CTX_free(cctx);
5035 cctx = NULL;
5036 }
5037 }
5038
5039 testresult = 1;
5040 end:
5041 SSL_free(serverssl);
5042 SSL_free(clientssl);
5043 SSL_CTX_free(sctx);
5044 SSL_CTX_free(cctx);
5045 return testresult;
5046}
5047
0d8da779
MC		 5048/*
5049 * Test TLSv1.3 PSKs
5050 * Test 0 = Test new style callbacks
5051 * Test 1 = Test both new and old style callbacks
5052 * Test 2 = Test old style callbacks
5053 * Test 3 = Test old style callbacks with no certificate
5054 */
532f9578 5055static int test_tls13_psk(int idx)
ca8c71ba
MC		 5056{
5057 SSL_CTX *sctx = NULL, *cctx = NULL;
5058 SSL *serverssl = NULL, *clientssl = NULL;
5059 const SSL_CIPHER *cipher = NULL;
5060 const unsigned char key[] = {
5061 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
5062 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 5063 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
5064 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 5065 };
5066 int testresult = 0;
5067
5e30f2fd
MC		 5068 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5069 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 5070 &sctx, &cctx, idx == 3 ? NULL : cert,
5071 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 5072 goto end;
5073
0d8da779
MC		 5074 if (idx != 3) {
5075 /*
5076 * We use a ciphersuite with SHA256 to ease testing old style PSK
5077 * callbacks which will always default to SHA256. This should not be
5078 * necessary if we have no cert/priv key. In that case the server should
5079 * prefer SHA256 automatically.
5080 */
5081 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5082 "TLS_AES_128_GCM_SHA256")))
5083 goto end;
4f6c7044
MC		 5084 } else {
5085 /*
5086 * As noted above the server should prefer SHA256 automatically. However
5087 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
5088 * code works even if we are testing with only the FIPS provider loaded.
5089 */
5090 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
5091 "TLS_AES_256_GCM_SHA384:"
5092 "TLS_AES_128_GCM_SHA256")))
5093 goto end;
0d8da779 5094 }
532f9578
MC		 5095
5096 /*
5097 * Test 0: New style callbacks only
5098 * Test 1: New and old style callbacks (only the new ones should be used)
5099 * Test 2: Old style callbacks only
5100 */
5101 if (idx == 0 || idx == 1) {
5102 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
5103 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
5104 }
c2b290c3 5105#ifndef OPENSSL_NO_PSK
0d8da779 5106 if (idx >= 1) {
532f9578
MC		 5107 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
5108 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
5109 }
c2b290c3 5110#endif
ca8c71ba 5111 srvid = pskid;
02a3ed5a
MC		 5112 use_session_cb_cnt = 0;
5113 find_session_cb_cnt = 0;
532f9578
MC		 5114 psk_client_cb_cnt = 0;
5115 psk_server_cb_cnt = 0;
ca8c71ba 5116
0d8da779
MC		 5117 if (idx != 3) {
5118 /*
5119 * Check we can create a connection if callback decides not to send a
5120 * PSK
5121 */
5122 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5123 NULL, NULL))
5124 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5125 SSL_ERROR_NONE))
5126 || !TEST_false(SSL_session_reused(clientssl))
5127 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5128 goto end;
532f9578 5129
0d8da779
MC		 5130 if (idx == 0 || idx == 1) {
5131 if (!TEST_true(use_session_cb_cnt == 1)
5132 || !TEST_true(find_session_cb_cnt == 0)
5133 /*
5134 * If no old style callback then below should be 0
5135 * otherwise 1
5136 */
5137 || !TEST_true(psk_client_cb_cnt == idx)
5138 || !TEST_true(psk_server_cb_cnt == 0))
5139 goto end;
5140 } else {
5141 if (!TEST_true(use_session_cb_cnt == 0)
5142 || !TEST_true(find_session_cb_cnt == 0)
5143 || !TEST_true(psk_client_cb_cnt == 1)
5144 || !TEST_true(psk_server_cb_cnt == 0))
5145 goto end;
5146 }
5147
5148 shutdown_ssl_connection(serverssl, clientssl);
5149 serverssl = clientssl = NULL;
5150 use_session_cb_cnt = psk_client_cb_cnt = 0;
5151 }
ca8c71ba
MC		 5152
5153 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5154 NULL, NULL)))
5155 goto end;
5156
5157 /* Create the PSK */
532f9578 5158 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 5159 clientpsk = SSL_SESSION_new();
5160 if (!TEST_ptr(clientpsk)
ca8c71ba 5161 || !TEST_ptr(cipher)
57dee9bb
MC		 5162 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
5163 sizeof(key)))
5164 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
5165 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
5166 TLS1_3_VERSION))
5167 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 5168 goto end;
57dee9bb 5169 serverpsk = clientpsk;
ca8c71ba
MC		 5170
5171 /* Check we can create a connection and the PSK is used */
5172 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5173 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5174 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5175 goto end;
5176
532f9578
MC		 5177 if (idx == 0 || idx == 1) {
5178 if (!TEST_true(use_session_cb_cnt == 1)
5179 || !TEST_true(find_session_cb_cnt == 1)
5180 || !TEST_true(psk_client_cb_cnt == 0)
5181 || !TEST_true(psk_server_cb_cnt == 0))
5182 goto end;
5183 } else {
5184 if (!TEST_true(use_session_cb_cnt == 0)
5185 || !TEST_true(find_session_cb_cnt == 0)
5186 || !TEST_true(psk_client_cb_cnt == 1)
5187 || !TEST_true(psk_server_cb_cnt == 1))
5188 goto end;
5189 }
5190
ca8c71ba
MC		 5191 shutdown_ssl_connection(serverssl, clientssl);
5192 serverssl = clientssl = NULL;
5193 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5194 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 5195
5196 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5197 NULL, NULL)))
5198 goto end;
5199
5200 /* Force an HRR */
dbc6268f
MC		 5201#if defined(OPENSSL_NO_EC)
5202 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
5203 goto end;
5204#else
ca8c71ba
MC		 5205 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
5206 goto end;
dbc6268f 5207#endif
ca8c71ba
MC		 5208
5209 /*
5210 * Check we can create a connection, the PSK is used and the callbacks are
5211 * called twice.
5212 */
5213 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
5214 || !TEST_true(SSL_session_reused(clientssl))
532f9578 5215 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 5216 goto end;
5217
532f9578
MC		 5218 if (idx == 0 || idx == 1) {
5219 if (!TEST_true(use_session_cb_cnt == 2)
5220 || !TEST_true(find_session_cb_cnt == 2)
5221 || !TEST_true(psk_client_cb_cnt == 0)
5222 || !TEST_true(psk_server_cb_cnt == 0))
5223 goto end;
5224 } else {
5225 if (!TEST_true(use_session_cb_cnt == 0)
5226 || !TEST_true(find_session_cb_cnt == 0)
5227 || !TEST_true(psk_client_cb_cnt == 2)
5228 || !TEST_true(psk_server_cb_cnt == 2))
5229 goto end;
5230 }
5231
ca8c71ba
MC		 5232 shutdown_ssl_connection(serverssl, clientssl);
5233 serverssl = clientssl = NULL;
5234 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 5235 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 5236
0d8da779
MC		 5237 if (idx != 3) {
5238 /*
5239 * Check that if the server rejects the PSK we can still connect, but with
5240 * a full handshake
5241 */
5242 srvid = "Dummy Identity";
5243 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5244 NULL, NULL))
5245 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5246 SSL_ERROR_NONE))
5247 || !TEST_false(SSL_session_reused(clientssl))
5248 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 5249 goto end;
532f9578 5250
0d8da779
MC		 5251 if (idx == 0 || idx == 1) {
5252 if (!TEST_true(use_session_cb_cnt == 1)
5253 || !TEST_true(find_session_cb_cnt == 1)
5254 || !TEST_true(psk_client_cb_cnt == 0)
5255 /*
5256 * If no old style callback then below should be 0
5257 * otherwise 1
5258 */
5259 || !TEST_true(psk_server_cb_cnt == idx))
5260 goto end;
5261 } else {
5262 if (!TEST_true(use_session_cb_cnt == 0)
5263 || !TEST_true(find_session_cb_cnt == 0)
5264 || !TEST_true(psk_client_cb_cnt == 1)
5265 || !TEST_true(psk_server_cb_cnt == 1))
5266 goto end;
5267 }
5268
5269 shutdown_ssl_connection(serverssl, clientssl);
5270 serverssl = clientssl = NULL;
5271 }
ca8c71ba
MC		 5272 testresult = 1;
5273
5274 end:
57dee9bb
MC		 5275 SSL_SESSION_free(clientpsk);
5276 SSL_SESSION_free(serverpsk);
5277 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 5278 SSL_free(serverssl);
5279 SSL_free(clientssl);
5280 SSL_CTX_free(sctx);
5281 SSL_CTX_free(cctx);
5282 return testresult;
5283}
5284
c7b8ff25
MC		 5285static unsigned char cookie_magic_value[] = "cookie magic";
5286
5287static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
5288 unsigned int *cookie_len)
5289{
5290 /*
5291 * Not suitable as a real cookie generation function but good enough for
5292 * testing!
5293 */
97ea1e7f
MC		 5294 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
5295 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 5296
5297 return 1;
5298}
5299
5300static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
5301 unsigned int cookie_len)
5302{
97ea1e7f 5303 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 5304 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
5305 return 1;
5306
5307 return 0;
5308}
5309
3fa2812f
BS		 5310static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
5311 size_t *cookie_len)
5312{
5313 unsigned int temp;
5314 int res = generate_cookie_callback(ssl, cookie, &temp);
5315 *cookie_len = temp;
5316 return res;
5317}
5318
5319static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
5320 size_t cookie_len)
5321{
5322 return verify_cookie_callback(ssl, cookie, cookie_len);
5323}
5324
c7b8ff25
MC		 5325static int test_stateless(void)
5326{
5327 SSL_CTX *sctx = NULL, *cctx = NULL;
5328 SSL *serverssl = NULL, *clientssl = NULL;
5329 int testresult = 0;
5330
5e30f2fd
MC		 5331 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5332 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5333 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 5334 goto end;
5335
e440f513
MC		 5336 /* The arrival of CCS messages can confuse the test */
5337 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
5338
5339 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5340 NULL, NULL))
5341 /* Send the first ClientHello */
5342 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5343 SSL_ERROR_WANT_READ))
5344 /*
5345 * This should fail with a -1 return because we have no callbacks
5346 * set up
5347 */
5348 || !TEST_int_eq(SSL_stateless(serverssl), -1))
5349 goto end;
5350
5351 /* Fatal error so abandon the connection from this client */
5352 SSL_free(clientssl);
5353 clientssl = NULL;
5354
c7b8ff25 5355 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 5356 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
5357 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 5358
e440f513
MC		 5359 /*
5360 * Create a new connection from the client (we can reuse the server SSL
5361 * object).
5362 */
c7b8ff25
MC		 5363 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5364 NULL, NULL))
5365 /* Send the first ClientHello */
5366 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5367 SSL_ERROR_WANT_READ))
5368 /* This should fail because there is no cookie */
e440f513 5369 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 5370 goto end;
5371
5372 /* Abandon the connection from this client */
5373 SSL_free(clientssl);
5374 clientssl = NULL;
5375
5376 /*
5377 * Now create a connection from a new client but with the same server SSL
5378 * object
5379 */
5380 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5381 NULL, NULL))
5382 /* Send the first ClientHello */
5383 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5384 SSL_ERROR_WANT_READ))
5385 /* This should fail because there is no cookie */
e440f513 5386 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 5387 /* Send the second ClientHello */
5388 || !TEST_false(create_ssl_connection(serverssl, clientssl,
5389 SSL_ERROR_WANT_READ))
5390 /* This should succeed because a cookie is now present */
e440f513 5391 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 5392 /* Complete the connection */
5393 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5394 SSL_ERROR_NONE)))
5395 goto end;
5396
5397 shutdown_ssl_connection(serverssl, clientssl);
5398 serverssl = clientssl = NULL;
5399 testresult = 1;
5400
5401 end:
5402 SSL_free(serverssl);
5403 SSL_free(clientssl);
5404 SSL_CTX_free(sctx);
5405 SSL_CTX_free(cctx);
5406 return testresult;
5407
5408}
a763ca11 5409#endif /* OSSL_NO_USABLE_TLS1_3 */
5f982038 5410
a37008d9
MC		 5411static int clntaddoldcb = 0;
5412static int clntparseoldcb = 0;
5413static int srvaddoldcb = 0;
5414static int srvparseoldcb = 0;
5415static int clntaddnewcb = 0;
5416static int clntparsenewcb = 0;
5417static int srvaddnewcb = 0;
5418static int srvparsenewcb = 0;
bb01ef3f 5419static int snicb = 0;
a37008d9
MC		 5420
5421#define TEST_EXT_TYPE1 0xff00
5422
5423static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
5424 size_t *outlen, int *al, void *add_arg)
5425{
5426 int *server = (int *)add_arg;
5427 unsigned char *data;
5428
5429 if (SSL_is_server(s))
5430 srvaddoldcb++;
5431 else
5432 clntaddoldcb++;
5433
710756a9
RS		 5434 if (*server != SSL_is_server(s)
5435 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5436 return -1;
5437
5438 *data = 1;
5439 *out = data;
5440 *outlen = sizeof(char);
a37008d9
MC		 5441 return 1;
5442}
5443
5444static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
5445 void *add_arg)
5446{
5447 OPENSSL_free((unsigned char *)out);
5448}
5449
5450static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
5451 size_t inlen, int *al, void *parse_arg)
5452{
5453 int *server = (int *)parse_arg;
5454
5455 if (SSL_is_server(s))
5456 srvparseoldcb++;
5457 else
5458 clntparseoldcb++;
5459
710756a9
RS		 5460 if (*server != SSL_is_server(s)
5461 || inlen != sizeof(char)
5462 || *in != 1)
a37008d9
MC		 5463 return -1;
5464
5465 return 1;
5466}
5467
5468static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5469 const unsigned char **out, size_t *outlen, X509 *x,
5470 size_t chainidx, int *al, void *add_arg)
5471{
5472 int *server = (int *)add_arg;
5473 unsigned char *data;
5474
5475 if (SSL_is_server(s))
5476 srvaddnewcb++;
5477 else
5478 clntaddnewcb++;
5479
710756a9
RS		 5480 if (*server != SSL_is_server(s)
5481 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5482 return -1;
5483
5484 *data = 1;
5485 *out = data;
710756a9 5486 *outlen = sizeof(*data);
a37008d9
MC		 5487 return 1;
5488}
5489
5490static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5491 const unsigned char *out, void *add_arg)
5492{
5493 OPENSSL_free((unsigned char *)out);
5494}
5495
5496static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5497 const unsigned char *in, size_t inlen, X509 *x,
5498 size_t chainidx, int *al, void *parse_arg)
5499{
5500 int *server = (int *)parse_arg;
5501
5502 if (SSL_is_server(s))
5503 srvparsenewcb++;
5504 else
5505 clntparsenewcb++;
5506
710756a9
RS		 5507 if (*server != SSL_is_server(s)
5508 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5509 return -1;
5510
5511 return 1;
5512}
bb01ef3f
MC		 5513
5514static int sni_cb(SSL *s, int *al, void *arg)
5515{
5516 SSL_CTX *ctx = (SSL_CTX *)arg;
5517
5518 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5519 *al = SSL_AD_INTERNAL_ERROR;
5520 return SSL_TLSEXT_ERR_ALERT_FATAL;
5521 }
5522 snicb++;
5523 return SSL_TLSEXT_ERR_OK;
5524}
5525
a37008d9
MC		 5526/*
5527 * Custom call back tests.
5528 * Test 0: Old style callbacks in TLSv1.2
5529 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5530 * Test 2: New style callbacks in TLSv1.2 with SNI
5531 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5532 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5533 */
710756a9
RS		 5534static int test_custom_exts(int tst)
5535{
bb01ef3f 5536 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5537 SSL *clientssl = NULL, *serverssl = NULL;
5538 int testresult = 0;
5539 static int server = 1;
5540 static int client = 0;
5541 SSL_SESSION *sess = NULL;
5542 unsigned int context;
5543
a763ca11 5544#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
c423ecaa
MC		 5545 /* Skip tests for TLSv1.2 and below in this case */
5546 if (tst < 3)
5547 return 1;
5548#endif
5549
a37008d9
MC		 5550 /* Reset callback counters */
5551 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5552 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5553 snicb = 0;
a37008d9 5554
5e30f2fd
MC		 5555 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5556 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5557 &sctx, &cctx, cert, privkey)))
710756a9 5558 goto end;
a37008d9 5559
bb01ef3f 5560 if (tst == 2
5e30f2fd 5561 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5562 TLS1_VERSION, 0,
7d7f6834 5563 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5564 goto end;
5565
5566
5567 if (tst < 3) {
a37008d9
MC		 5568 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5569 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5570 if (sctx2 != NULL)
5571 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5572 }
5573
bb01ef3f 5574 if (tst == 4) {
710756a9
RS		 5575 context = SSL_EXT_CLIENT_HELLO
5576 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5577 | SSL_EXT_TLS1_3_SERVER_HELLO
5578 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5579 | SSL_EXT_TLS1_3_CERTIFICATE
5580 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5581 } else {
710756a9
RS		 5582 context = SSL_EXT_CLIENT_HELLO
5583 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5584 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5585 }
5586
5587 /* Create a client side custom extension */
5588 if (tst == 0) {
710756a9
RS		 5589 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5590 old_add_cb, old_free_cb,
5591 &client, old_parse_cb,
5592 &client)))
5593 goto end;
a37008d9 5594 } else {
710756a9
RS		 5595 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5596 new_add_cb, new_free_cb,
5597 &client, new_parse_cb, &client)))
5598 goto end;
a37008d9
MC		 5599 }
5600
5601 /* Should not be able to add duplicates */
710756a9
RS		 5602 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5603 old_add_cb, old_free_cb,
5604 &client, old_parse_cb,
5605 &client))
5606 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5607 context, new_add_cb,
5608 new_free_cb, &client,
5609 new_parse_cb, &client)))
5610 goto end;
a37008d9
MC		 5611
5612 /* Create a server side custom extension */
5613 if (tst == 0) {
710756a9
RS		 5614 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5615 old_add_cb, old_free_cb,
5616 &server, old_parse_cb,
5617 &server)))
5618 goto end;
a37008d9 5619 } else {
710756a9
RS		 5620 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5621 new_add_cb, new_free_cb,
5622 &server, new_parse_cb, &server)))
5623 goto end;
bb01ef3f
MC		 5624 if (sctx2 != NULL
5625 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5626 context, new_add_cb,
5627 new_free_cb, &server,
5628 new_parse_cb, &server)))
5629 goto end;
a37008d9
MC		 5630 }
5631
5632 /* Should not be able to add duplicates */
710756a9
RS		 5633 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5634 old_add_cb, old_free_cb,
5635 &server, old_parse_cb,
5636 &server))
5637 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5638 context, new_add_cb,
5639 new_free_cb, &server,
5640 new_parse_cb, &server)))
a37008d9 5641 goto end;
a37008d9 5642
bb01ef3f
MC		 5643 if (tst == 2) {
5644 /* Set up SNI */
5645 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5646 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5647 goto end;
5648 }
5649
710756a9
RS		 5650 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5651 &clientssl, NULL, NULL))
5652 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5653 SSL_ERROR_NONE)))
a37008d9 5654 goto end;
a37008d9
MC		 5655
5656 if (tst == 0) {
710756a9
RS		 5657 if (clntaddoldcb != 1
5658 || clntparseoldcb != 1
5659 || srvaddoldcb != 1
5660 || srvparseoldcb != 1)
a37008d9 5661 goto end;
bb01ef3f 5662 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5663 if (clntaddnewcb != 1
5664 || clntparsenewcb != 1
5665 || srvaddnewcb != 1
bb01ef3f
MC		 5666 || srvparsenewcb != 1
5667 || (tst != 2 && snicb != 0)
5668 || (tst == 2 && snicb != 1))
a37008d9 5669 goto end;
a37008d9 5670 } else {
36ff232c 5671 /* In this case there 2 NewSessionTicket messages created */
710756a9 5672 if (clntaddnewcb != 1
36ff232c
MC		 5673 || clntparsenewcb != 5
5674 || srvaddnewcb != 5
710756a9 5675 || srvparsenewcb != 1)
a37008d9 5676 goto end;
a37008d9
MC		 5677 }
5678
5679 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5680 SSL_shutdown(clientssl);
5681 SSL_shutdown(serverssl);
a37008d9
MC		 5682 SSL_free(serverssl);
5683 SSL_free(clientssl);
5684 serverssl = clientssl = NULL;
5685
bb01ef3f
MC		 5686 if (tst == 3) {
5687 /* We don't bother with the resumption aspects for this test */
5688 testresult = 1;
5689 goto end;
5690 }
5691
710756a9
RS		 5692 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5693 NULL, NULL))
5694 || !TEST_true(SSL_set_session(clientssl, sess))
5695 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5696 SSL_ERROR_NONE)))
a37008d9 5697 goto end;
a37008d9
MC		 5698
5699 /*
5700 * For a resumed session we expect to add the ClientHello extension. For the
5701 * old style callbacks we ignore it on the server side because they set
5702 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5703 * them.
5704 */
5705 if (tst == 0) {
710756a9
RS		 5706 if (clntaddoldcb != 2
5707 || clntparseoldcb != 1
5708 || srvaddoldcb != 1
5709 || srvparseoldcb != 1)
a37008d9 5710 goto end;
bb01ef3f 5711 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5712 if (clntaddnewcb != 2
5713 || clntparsenewcb != 2
5714 || srvaddnewcb != 2
5715 || srvparsenewcb != 2)
a37008d9 5716 goto end;
a37008d9 5717 } else {
36ff232c
MC		 5718 /*
5719 * No Certificate message extensions in the resumption handshake,
5720 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5721 */
710756a9 5722 if (clntaddnewcb != 2
36ff232c
MC		 5723 || clntparsenewcb != 8
5724 || srvaddnewcb != 8
710756a9 5725 || srvparsenewcb != 2)
a37008d9 5726 goto end;
a37008d9
MC		 5727 }
5728
5729 testresult = 1;
5730
5731end:
5732 SSL_SESSION_free(sess);
5733 SSL_free(serverssl);
5734 SSL_free(clientssl);
bb01ef3f 5735 SSL_CTX_free(sctx2);
a37008d9
MC		 5736 SSL_CTX_free(sctx);
5737 SSL_CTX_free(cctx);
a37008d9
MC		 5738 return testresult;
5739}
5740
16afd71c
MC		 5741/*
5742 * Test loading of serverinfo data in various formats. test_sslmessages actually
5743 * tests to make sure the extensions appear in the handshake
5744 */
5745static int test_serverinfo(int tst)
5746{
5747 unsigned int version;
5748 unsigned char *sibuf;
5749 size_t sibuflen;
5750 int ret, expected, testresult = 0;
5751 SSL_CTX *ctx;
5752
d8652be0 5753 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5754 if (!TEST_ptr(ctx))
5755 goto end;
5756
5757 if ((tst & 0x01) == 0x01)
5758 version = SSL_SERVERINFOV2;
5759 else
5760 version = SSL_SERVERINFOV1;
5761
5762 if ((tst & 0x02) == 0x02) {
5763 sibuf = serverinfov2;
5764 sibuflen = sizeof(serverinfov2);
5765 expected = (version == SSL_SERVERINFOV2);
5766 } else {
5767 sibuf = serverinfov1;
5768 sibuflen = sizeof(serverinfov1);
5769 expected = (version == SSL_SERVERINFOV1);
5770 }
5771
5772 if ((tst & 0x04) == 0x04) {
5773 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5774 } else {
5775 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5776
5777 /*
5778 * The version variable is irrelevant in this case - it's what is in the
5779 * buffer that matters
5780 */
5781 if ((tst & 0x02) == 0x02)
5782 expected = 0;
5783 else
5784 expected = 1;
5785 }
5786
5787 if (!TEST_true(ret == expected))
5788 goto end;
5789
5790 testresult = 1;
5791
5792 end:
5793 SSL_CTX_free(ctx);
5794
5795 return testresult;
5796}
5797
2197d1df
MC		 5798/*
5799 * Test that SSL_export_keying_material() produces expected results. There are
5800 * no test vectors so all we do is test that both sides of the communication
5801 * produce the same results for different protocol versions.
5802 */
0fb2815b
MC		 5803#define SMALL_LABEL_LEN 10
5804#define LONG_LABEL_LEN 249
2197d1df
MC		 5805static int test_export_key_mat(int tst)
5806{
a599574b 5807 int testresult = 0;
2197d1df
MC		 5808 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5809 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5810 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5811 const unsigned char context[] = "context";
5812 const unsigned char *emptycontext = NULL;
5813 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5814 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5815 size_t labellen;
a599574b
MC		 5816 const int protocols[] = {
5817 TLS1_VERSION,
5818 TLS1_1_VERSION,
5819 TLS1_2_VERSION,
0fb2815b
MC		 5820 TLS1_3_VERSION,
5821 TLS1_3_VERSION,
a599574b
MC		 5822 TLS1_3_VERSION
5823 };
2197d1df
MC		 5824
5825#ifdef OPENSSL_NO_TLS1
5826 if (tst == 0)
5827 return 1;
5828#endif
5829#ifdef OPENSSL_NO_TLS1_1
5830 if (tst == 1)
5831 return 1;
5832#endif
4f6c7044
MC		 5833 if (is_fips && (tst == 0 || tst == 1))
5834 return 1;
2197d1df
MC		 5835#ifdef OPENSSL_NO_TLS1_2
5836 if (tst == 2)
5837 return 1;
5838#endif
a763ca11 5839#ifdef OSSL_NO_USABLE_TLS1_3
0fb2815b 5840 if (tst >= 3)
2197d1df
MC		 5841 return 1;
5842#endif
5e30f2fd
MC		 5843 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5844 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5845 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5846 goto end;
5847
a599574b
MC		 5848 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5849 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5850 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5851 if ((protocols[tst] < TLS1_2_VERSION) &&
5852 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5853 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5854 goto end;
2197d1df
MC		 5855
5856 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5857 NULL)))
5858 goto end;
5859
5860 /*
5861 * Premature call of SSL_export_keying_material should just fail.
5862 */
5863 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5864 sizeof(ckeymat1), label,
5865 SMALL_LABEL_LEN + 1, context,
5866 sizeof(context) - 1, 1), 0))
5867 goto end;
5868
5869 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5870 SSL_ERROR_NONE)))
2197d1df
MC		 5871 goto end;
5872
0fb2815b
MC		 5873 if (tst == 5) {
5874 /*
5875 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5876 * go over that.
5877 */
5878 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5879 sizeof(ckeymat1), label,
5880 LONG_LABEL_LEN + 1, context,
5881 sizeof(context) - 1, 1), 0))
5882 goto end;
5883
5884 testresult = 1;
5885 goto end;
5886 } else if (tst == 4) {
5887 labellen = LONG_LABEL_LEN;
5888 } else {
5889 labellen = SMALL_LABEL_LEN;
5890 }
5891
2197d1df
MC		 5892 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5893 sizeof(ckeymat1), label,
0fb2815b 5894 labellen, context,
2197d1df
MC		 5895 sizeof(context) - 1, 1), 1)
5896 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5897 sizeof(ckeymat2), label,
0fb2815b 5898 labellen,
2197d1df
MC		 5899 emptycontext,
5900 0, 1), 1)
5901 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5902 sizeof(ckeymat3), label,
0fb2815b 5903 labellen,
2197d1df
MC		 5904 NULL, 0, 0), 1)
5905 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5906 sizeof(skeymat1), label,
0fb2815b 5907 labellen,
2197d1df
MC		 5908 context,
5909 sizeof(context) -1, 1),
5910 1)
5911 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5912 sizeof(skeymat2), label,
0fb2815b 5913 labellen,
2197d1df
MC		 5914 emptycontext,
5915 0, 1), 1)
5916 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5917 sizeof(skeymat3), label,
0fb2815b 5918 labellen,
2197d1df
MC		 5919 NULL, 0, 0), 1)
5920 /*
5921 * Check that both sides created the same key material with the
5922 * same context.
5923 */
5924 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5925 sizeof(skeymat1))
5926 /*
5927 * Check that both sides created the same key material with an
5928 * empty context.
5929 */
5930 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5931 sizeof(skeymat2))
5932 /*
5933 * Check that both sides created the same key material without a
5934 * context.
5935 */
5936 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5937 sizeof(skeymat3))
5938 /* Different contexts should produce different results */
5939 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5940 sizeof(ckeymat2)))
5941 goto end;
5942
5943 /*
5944 * Check that an empty context and no context produce different results in
5945 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5946 */
0fb2815b 5947 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5948 sizeof(ckeymat3)))
0fb2815b
MC		 5949 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5950 sizeof(ckeymat3))))
2197d1df
MC		 5951 goto end;
5952
5953 testresult = 1;
5954
5955 end:
5956 SSL_free(serverssl);
5957 SSL_free(clientssl);
5958 SSL_CTX_free(sctx2);
5959 SSL_CTX_free(sctx);
5960 SSL_CTX_free(cctx);
5961
5962 return testresult;
5963}
5964
a763ca11 5965#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80
TT		 5966/*
5967 * Test that SSL_export_keying_material_early() produces expected
5968 * results. There are no test vectors so all we do is test that both
5969 * sides of the communication produce the same results for different
5970 * protocol versions.
5971 */
5972static int test_export_key_mat_early(int idx)
5973{
5974 static const char label[] = "test label";
5975 static const unsigned char context[] = "context";
5976 int testresult = 0;
5977 SSL_CTX *cctx = NULL, *sctx = NULL;
5978 SSL *clientssl = NULL, *serverssl = NULL;
5979 SSL_SESSION *sess = NULL;
5980 const unsigned char *emptycontext = NULL;
5981 unsigned char ckeymat1[80], ckeymat2[80];
5982 unsigned char skeymat1[80], skeymat2[80];
5983 unsigned char buf[1];
5984 size_t readbytes, written;
5985
5986 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5987 &sess, idx)))
5988 goto end;
5989
5990 /* Here writing 0 length early data is enough. */
5991 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5992 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5993 &readbytes),
5994 SSL_READ_EARLY_DATA_ERROR)
5995 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5996 SSL_EARLY_DATA_ACCEPTED))
5997 goto end;
5998
5999 if (!TEST_int_eq(SSL_export_keying_material_early(
6000 clientssl, ckeymat1, sizeof(ckeymat1), label,
6001 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6002 || !TEST_int_eq(SSL_export_keying_material_early(
6003 clientssl, ckeymat2, sizeof(ckeymat2), label,
6004 sizeof(label) - 1, emptycontext, 0), 1)
6005 || !TEST_int_eq(SSL_export_keying_material_early(
6006 serverssl, skeymat1, sizeof(skeymat1), label,
6007 sizeof(label) - 1, context, sizeof(context) - 1), 1)
6008 || !TEST_int_eq(SSL_export_keying_material_early(
6009 serverssl, skeymat2, sizeof(skeymat2), label,
6010 sizeof(label) - 1, emptycontext, 0), 1)
6011 /*
6012 * Check that both sides created the same key material with the
6013 * same context.
6014 */
6015 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
6016 sizeof(skeymat1))
6017 /*
6018 * Check that both sides created the same key material with an
6019 * empty context.
6020 */
6021 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
6022 sizeof(skeymat2))
6023 /* Different contexts should produce different results */
6024 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
6025 sizeof(ckeymat2)))
6026 goto end;
6027
6028 testresult = 1;
6029
6030 end:
c20e3b28 6031 SSL_SESSION_free(sess);
b38ede80
TT		 6032 SSL_SESSION_free(clientpsk);
6033 SSL_SESSION_free(serverpsk);
34ff74eb 6034 clientpsk = serverpsk = NULL;
b38ede80
TT		 6035 SSL_free(serverssl);
6036 SSL_free(clientssl);
6037 SSL_CTX_free(sctx);
6038 SSL_CTX_free(cctx);
6039
6040 return testresult;
6041}
3409a5ff
MC		 6042
6043#define NUM_KEY_UPDATE_MESSAGES 40
6044/*
6045 * Test KeyUpdate.
6046 */
6047static int test_key_update(void)
6048{
6049 SSL_CTX *cctx = NULL, *sctx = NULL;
6050 SSL *clientssl = NULL, *serverssl = NULL;
6051 int testresult = 0, i, j;
6052 char buf[20];
6053 static char *mess = "A test message";
6054
5e30f2fd 6055 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 6056 TLS_client_method(),
6057 TLS1_3_VERSION,
6058 0,
6059 &sctx, &cctx, cert, privkey))
6060 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6061 NULL, NULL))
6062 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6063 SSL_ERROR_NONE)))
6064 goto end;
6065
6066 for (j = 0; j < 2; j++) {
6067 /* Send lots of KeyUpdate messages */
6068 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
6069 if (!TEST_true(SSL_key_update(clientssl,
6070 (j == 0)
6071 ? SSL_KEY_UPDATE_NOT_REQUESTED
6072 : SSL_KEY_UPDATE_REQUESTED))
6073 || !TEST_true(SSL_do_handshake(clientssl)))
6074 goto end;
6075 }
6076
6077 /* Check that sending and receiving app data is ok */
6078 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
6079 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
6080 strlen(mess)))
6081 goto end;
a77b4dba
MC		 6082
6083 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
6084 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
6085 strlen(mess)))
6086 goto end;
3409a5ff
MC		 6087 }
6088
6089 testresult = 1;
6090
6091 end:
6092 SSL_free(serverssl);
6093 SSL_free(clientssl);
6094 SSL_CTX_free(sctx);
6095 SSL_CTX_free(cctx);
6096
6097 return testresult;
6098}
a77b4dba
MC		 6099
6100/*
6101 * Test we can handle a KeyUpdate (update requested) message while write data
6102 * is pending.
6103 * Test 0: Client sends KeyUpdate while Server is writing
6104 * Test 1: Server sends KeyUpdate while Client is writing
6105 */
6106static int test_key_update_in_write(int tst)
6107{
6108 SSL_CTX *cctx = NULL, *sctx = NULL;
6109 SSL *clientssl = NULL, *serverssl = NULL;
6110 int testresult = 0;
6111 char buf[20];
6112 static char *mess = "A test message";
6113 BIO *bretry = BIO_new(bio_s_always_retry());
6114 BIO *tmp = NULL;
6115 SSL *peerupdate = NULL, *peerwrite = NULL;
6116
6117 if (!TEST_ptr(bretry)
5e30f2fd 6118 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 6119 TLS_client_method(),
6120 TLS1_3_VERSION,
6121 0,
6122 &sctx, &cctx, cert, privkey))
6123 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6124 NULL, NULL))
6125 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6126 SSL_ERROR_NONE)))
6127 goto end;
6128
6129 peerupdate = tst == 0 ? clientssl : serverssl;
6130 peerwrite = tst == 0 ? serverssl : clientssl;
6131
6132 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
6133 || !TEST_true(SSL_do_handshake(peerupdate)))
6134 goto end;
6135
6136 /* Swap the writing endpoint's write BIO to force a retry */
6137 tmp = SSL_get_wbio(peerwrite);
6138 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
6139 tmp = NULL;
6140 goto end;
6141 }
6142 SSL_set0_wbio(peerwrite, bretry);
6143 bretry = NULL;
6144
6145 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
6146 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
6147 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
6148 goto end;
6149
6150 /* Reinstate the original writing endpoint's write BIO */
6151 SSL_set0_wbio(peerwrite, tmp);
6152 tmp = NULL;
6153
6154 /* Now read some data - we will read the key update */
6155 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
6156 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
6157 goto end;
6158
6159 /*
6160 * Complete the write we started previously and read it from the other
6161 * endpoint
6162 */
6163 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6164 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6165 goto end;
6166
6167 /* Write more data to ensure we send the KeyUpdate message back */
6168 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
6169 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
6170 goto end;
6171
6172 testresult = 1;
6173
6174 end:
6175 SSL_free(serverssl);
6176 SSL_free(clientssl);
6177 SSL_CTX_free(sctx);
6178 SSL_CTX_free(cctx);
6179 BIO_free(bretry);
6180 BIO_free(tmp);
6181
6182 return testresult;
6183}
a763ca11 6184#endif /* OSSL_NO_USABLE_TLS1_3 */
b38ede80 6185
e11b6aa4
MC		 6186static int test_ssl_clear(int idx)
6187{
6188 SSL_CTX *cctx = NULL, *sctx = NULL;
6189 SSL *clientssl = NULL, *serverssl = NULL;
6190 int testresult = 0;
6191
6192#ifdef OPENSSL_NO_TLS1_2
6193 if (idx == 1)
6194 return 1;
6195#endif
6196
6197 /* Create an initial connection */
5e30f2fd
MC		 6198 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6199 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 6200 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 6201 || (idx == 1
6202 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
6203 TLS1_2_VERSION)))
6204 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6205 &clientssl, NULL, NULL))
6206 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6207 SSL_ERROR_NONE)))
6208 goto end;
6209
6210 SSL_shutdown(clientssl);
6211 SSL_shutdown(serverssl);
6212 SSL_free(serverssl);
6213 serverssl = NULL;
6214
6215 /* Clear clientssl - we're going to reuse the object */
6216 if (!TEST_true(SSL_clear(clientssl)))
6217 goto end;
6218
6219 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6220 NULL, NULL))
6221 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6222 SSL_ERROR_NONE))
6223 || !TEST_true(SSL_session_reused(clientssl)))
6224 goto end;
6225
6226 SSL_shutdown(clientssl);
6227 SSL_shutdown(serverssl);
6228
6229 testresult = 1;
6230
6231 end:
6232 SSL_free(serverssl);
6233 SSL_free(clientssl);
6234 SSL_CTX_free(sctx);
6235 SSL_CTX_free(cctx);
6236
6237 return testresult;
6238}
6239
cf72c757
F		 6240/* Parse CH and retrieve any MFL extension value if present */
6241static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
6242{
6243 long len;
6244 unsigned char *data;
72962d02 6245 PACKET pkt, pkt2, pkt3;
cf72c757
F		 6246 unsigned int MFL_code = 0, type = 0;
6247
6248 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
6249 goto end;
6250
72962d02
P		 6251 memset(&pkt, 0, sizeof(pkt));
6252 memset(&pkt2, 0, sizeof(pkt2));
6253 memset(&pkt3, 0, sizeof(pkt3));
6254
9ba18520
P		 6255 if (!TEST_long_gt(len, 0)
6256 || !TEST_true( PACKET_buf_init( &pkt, data, len ) )
cf72c757
F		 6257 /* Skip the record header */
6258 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
6259 /* Skip the handshake message header */
6260 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
6261 /* Skip client version and random */
6262 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
6263 + SSL3_RANDOM_SIZE))
6264 /* Skip session id */
6265 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6266 /* Skip ciphers */
6267 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
6268 /* Skip compression */
6269 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
6270 /* Extensions len */
6271 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
6272 goto end;
6273
6274 /* Loop through all extensions */
6275 while (PACKET_remaining(&pkt2)) {
6276 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
6277 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
6278 goto end;
6279
6280 if (type == TLSEXT_TYPE_max_fragment_length) {
6281 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
6282 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
6283 goto end;
6284
6285 *mfl_codemfl_code = MFL_code;
6286 return 1;
6287 }
6288 }
6289
6290 end:
6291 return 0;
6292}
6293
6294/* Maximum-Fragment-Length TLS extension mode to test */
6295static const unsigned char max_fragment_len_test[] = {
6296 TLSEXT_max_fragment_length_512,
6297 TLSEXT_max_fragment_length_1024,
6298 TLSEXT_max_fragment_length_2048,
6299 TLSEXT_max_fragment_length_4096
6300};
6301
6302static int test_max_fragment_len_ext(int idx_tst)
6303{
a763ca11 6304 SSL_CTX *ctx = NULL;
cf72c757
F		 6305 SSL *con = NULL;
6306 int testresult = 0, MFL_mode = 0;
6307 BIO *rbio, *wbio;
6308
a763ca11
MC		 6309 if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
6310 TLS1_VERSION, 0, NULL, &ctx, NULL,
6311 NULL)))
6312 return 0;
cf72c757
F		 6313
6314 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
6315 ctx, max_fragment_len_test[idx_tst])))
6316 goto end;
6317
6318 con = SSL_new(ctx);
6319 if (!TEST_ptr(con))
6320 goto end;
6321
6322 rbio = BIO_new(BIO_s_mem());
6323 wbio = BIO_new(BIO_s_mem());
6324 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
6325 BIO_free(rbio);
6326 BIO_free(wbio);
6327 goto end;
6328 }
6329
6330 SSL_set_bio(con, rbio, wbio);
cf72c757
F		 6331
6332 if (!TEST_int_le(SSL_connect(con), 0)) {
6333 /* This shouldn't succeed because we don't have a server! */
6334 goto end;
6335 }
6336
6337 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
6338 /* no MFL in client hello */
6339 goto end;
6340 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
6341 goto end;
6342
6343 testresult = 1;
6344
6345end:
6346 SSL_free(con);
6347 SSL_CTX_free(ctx);
6348
6349 return testresult;
6350}
6351
a763ca11 6352#ifndef OSSL_NO_USABLE_TLS1_3
9d75dce3
TS		 6353static int test_pha_key_update(void)
6354{
6355 SSL_CTX *cctx = NULL, *sctx = NULL;
6356 SSL *clientssl = NULL, *serverssl = NULL;
6357 int testresult = 0;
6358
5e30f2fd
MC		 6359 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6360 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 6361 &sctx, &cctx, cert, privkey)))
6362 return 0;
6363
6364 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
6365 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
6366 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
6367 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
6368 goto end;
6369
e97be718 6370 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 6371
6372 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6373 NULL, NULL)))
6374 goto end;
6375
9d75dce3
TS		 6376 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6377 SSL_ERROR_NONE)))
6378 goto end;
6379
6380 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
6381 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
6382 goto end;
6383
6384 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
6385 goto end;
6386
6387 /* Start handshake on the server */
6388 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
6389 goto end;
6390
6391 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
6392 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6393 SSL_ERROR_NONE)))
6394 goto end;
6395
6396 SSL_shutdown(clientssl);
6397 SSL_shutdown(serverssl);
6398
6399 testresult = 1;
6400
6401 end:
6402 SSL_free(serverssl);
6403 SSL_free(clientssl);
6404 SSL_CTX_free(sctx);
6405 SSL_CTX_free(cctx);
6406 return testresult;
6407}
6408#endif
6409
76fd7a1d
MC		 6410#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
6411
6412static SRP_VBASE *vbase = NULL;
6413
6414static int ssl_srp_cb(SSL *s, int *ad, void *arg)
6415{
6416 int ret = SSL3_AL_FATAL;
6417 char *username;
6418 SRP_user_pwd *user = NULL;
6419
6420 username = SSL_get_srp_username(s);
6421 if (username == NULL) {
6422 *ad = SSL_AD_INTERNAL_ERROR;
6423 goto err;
6424 }
6425
6426 user = SRP_VBASE_get1_by_user(vbase, username);
6427 if (user == NULL) {
6428 *ad = SSL_AD_INTERNAL_ERROR;
6429 goto err;
6430 }
6431
6432 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
6433 user->info) <= 0) {
6434 *ad = SSL_AD_INTERNAL_ERROR;
6435 goto err;
6436 }
6437
6438 ret = 0;
6439
6440 err:
6441 SRP_user_pwd_free(user);
6442 return ret;
6443}
6444
6445static int create_new_vfile(char *userid, char *password, const char *filename)
6446{
6447 char *gNid = NULL;
6448 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
6449 TXT_DB *db = NULL;
6450 int ret = 0;
6451 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
6452 size_t i;
6453
6454 if (!TEST_ptr(dummy) || !TEST_ptr(row))
6455 goto end;
6456
20c00d0a 6457 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 6458 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 6459 if (!TEST_ptr(gNid))
6460 goto end;
6461
6462 /*
6463 * The only way to create an empty TXT_DB is to provide a BIO with no data
6464 * in it!
6465 */
6466 db = TXT_DB_read(dummy, DB_NUMBER);
6467 if (!TEST_ptr(db))
6468 goto end;
6469
6470 out = BIO_new_file(filename, "w");
6471 if (!TEST_ptr(out))
6472 goto end;
6473
6474 row[DB_srpid] = OPENSSL_strdup(userid);
6475 row[DB_srptype] = OPENSSL_strdup("V");
6476 row[DB_srpgN] = OPENSSL_strdup(gNid);
6477
6478 if (!TEST_ptr(row[DB_srpid])
6479 || !TEST_ptr(row[DB_srptype])
6480 || !TEST_ptr(row[DB_srpgN])
6481 || !TEST_true(TXT_DB_insert(db, row)))
6482 goto end;
6483
6484 row = NULL;
6485
6486 if (!TXT_DB_write(out, db))
6487 goto end;
6488
6489 ret = 1;
6490 end:
6491 if (row != NULL) {
6492 for (i = 0; i < DB_NUMBER; i++)
6493 OPENSSL_free(row[i]);
6494 }
6495 OPENSSL_free(row);
6496 BIO_free(dummy);
6497 BIO_free(out);
6498 TXT_DB_free(db);
6499
6500 return ret;
6501}
6502
6503static int create_new_vbase(char *userid, char *password)
6504{
6505 BIGNUM *verifier = NULL, *salt = NULL;
6506 const SRP_gN *lgN = NULL;
6507 SRP_user_pwd *user_pwd = NULL;
6508 int ret = 0;
6509
6510 lgN = SRP_get_default_gN(NULL);
6511 if (!TEST_ptr(lgN))
6512 goto end;
6513
20c00d0a 6514 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6515 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6516 goto end;
6517
6518 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6519 if (!TEST_ptr(user_pwd))
6520 goto end;
6521
6522 user_pwd->N = lgN->N;
6523 user_pwd->g = lgN->g;
6524 user_pwd->id = OPENSSL_strdup(userid);
6525 if (!TEST_ptr(user_pwd->id))
6526 goto end;
6527
6528 user_pwd->v = verifier;
6529 user_pwd->s = salt;
6530 verifier = salt = NULL;
6531
6532 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6533 goto end;
6534 user_pwd = NULL;
6535
6536 ret = 1;
6537end:
6538 SRP_user_pwd_free(user_pwd);
6539 BN_free(salt);
6540 BN_free(verifier);
6541
6542 return ret;
6543}
6544
6545/*
6546 * SRP tests
6547 *
6548 * Test 0: Simple successful SRP connection, new vbase
6549 * Test 1: Connection failure due to bad password, new vbase
6550 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6551 * Test 3: Connection failure due to bad password, vbase loaded from existing
6552 * file
6553 * Test 4: Simple successful SRP connection, vbase loaded from new file
6554 * Test 5: Connection failure due to bad password, vbase loaded from new file
6555 */
6556static int test_srp(int tst)
6557{
6558 char *userid = "test", *password = "password", *tstsrpfile;
6559 SSL_CTX *cctx = NULL, *sctx = NULL;
6560 SSL *clientssl = NULL, *serverssl = NULL;
6561 int ret, testresult = 0;
6562
6563 vbase = SRP_VBASE_new(NULL);
6564 if (!TEST_ptr(vbase))
6565 goto end;
6566
6567 if (tst == 0 || tst == 1) {
6568 if (!TEST_true(create_new_vbase(userid, password)))
6569 goto end;
6570 } else {
6571 if (tst == 4 || tst == 5) {
6572 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6573 goto end;
6574 tstsrpfile = tmpfilename;
6575 } else {
6576 tstsrpfile = srpvfile;
6577 }
6578 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6579 goto end;
6580 }
6581
5e30f2fd
MC		 6582 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6583 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6584 &sctx, &cctx, cert, privkey)))
6585 goto end;
6586
6587 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6588 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6589 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6590 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6591 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6592 goto end;
6593
6594 if (tst % 2 == 1) {
6595 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6596 goto end;
6597 } else {
6598 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6599 goto end;
6600 }
6601
6602 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6603 NULL, NULL)))
6604 goto end;
6605
6606 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6607 if (ret) {
6608 if (!TEST_true(tst % 2 == 0))
6609 goto end;
6610 } else {
6611 if (!TEST_true(tst % 2 == 1))
6612 goto end;
6613 }
6614
6615 testresult = 1;
6616
6617 end:
6618 SRP_VBASE_free(vbase);
6619 vbase = NULL;
6620 SSL_free(serverssl);
6621 SSL_free(clientssl);
6622 SSL_CTX_free(sctx);
6623 SSL_CTX_free(cctx);
6624
6625 return testresult;
6626}
6627#endif
6628
5718fe45
MC		 6629static int info_cb_failed = 0;
6630static int info_cb_offset = 0;
6631static int info_cb_this_state = -1;
6632
6633static struct info_cb_states_st {
6634 int where;
6635 const char *statestr;
6636} info_cb_states[][60] = {
6637 {
6638 /* TLSv1.2 server followed by resumption */
6639 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6640 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6641 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6642 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6643 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6644 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6645 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6646 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6647 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6648 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6649 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6650 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6651 {SSL_CB_EXIT, NULL}, {0, NULL},
6652 }, {
6653 /* TLSv1.2 client followed by resumption */
6654 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6655 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6656 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6657 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6658 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6659 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6660 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6661 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6662 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6663 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6664 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6665 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6666 }, {
6667 /* TLSv1.3 server followed by resumption */
6668 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6669 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6670 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6671 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6672 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6673 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6674 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6675 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6676 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6677 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6678 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6679 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6680 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6681 }, {
6682 /* TLSv1.3 client followed by resumption */
6683 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6684 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6685 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6686 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6687 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6688 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6689 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6690 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6691 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6692 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6693 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6694 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6695 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6696 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6697 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6698 }, {
6699 /* TLSv1.3 server, early_data */
6700 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6701 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6702 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6703 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6704 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6705 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6706 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6707 {SSL_CB_EXIT, NULL}, {0, NULL},
6708 }, {
6709 /* TLSv1.3 client, early_data */
6710 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6711 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6712 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6713 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6714 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6715 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6716 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6717 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6718 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6719 }, {
6720 {0, NULL},
6721 }
6722};
6723
6724static void sslapi_info_callback(const SSL *s, int where, int ret)
6725{
6726 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6727
6728 /* We do not ever expect a connection to fail in this test */
6729 if (!TEST_false(ret == 0)) {
6730 info_cb_failed = 1;
6731 return;
6732 }
6733
6734 /*
6735 * Do some sanity checks. We never expect these things to happen in this
6736 * test
6737 */
6738 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6739 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6740 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6741 info_cb_failed = 1;
6742 return;
6743 }
6744
6745 /* Now check we're in the right state */
6746 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6747 info_cb_failed = 1;
6748 return;
6749 }
6750 if ((where & SSL_CB_LOOP) != 0
6751 && !TEST_int_eq(strcmp(SSL_state_string(s),
6752 state[info_cb_this_state].statestr), 0)) {
6753 info_cb_failed = 1;
6754 return;
6755 }
033c181b 6756
4af5836b
MC		 6757 /*
6758 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6759 */
6760 if ((where & SSL_CB_HANDSHAKE_DONE)
6761 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6762 info_cb_failed = 1;
6763 return;
6764 }
5718fe45
MC		 6765}
6766
6767/*
6768 * Test the info callback gets called when we expect it to.
6769 *
6770 * Test 0: TLSv1.2, server
6771 * Test 1: TLSv1.2, client
6772 * Test 2: TLSv1.3, server
6773 * Test 3: TLSv1.3, client
6774 * Test 4: TLSv1.3, server, early_data
6775 * Test 5: TLSv1.3, client, early_data
6776 */
6777static int test_info_callback(int tst)
6778{
6779 SSL_CTX *cctx = NULL, *sctx = NULL;
6780 SSL *clientssl = NULL, *serverssl = NULL;
6781 SSL_SESSION *clntsess = NULL;
6782 int testresult = 0;
6783 int tlsvers;
6784
6785 if (tst < 2) {
1aac20f5
MC		 6786/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6787#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6788 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6789 tlsvers = TLS1_2_VERSION;
6790#else
6791 return 1;
6792#endif
6793 } else {
a763ca11 6794#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6795 tlsvers = TLS1_3_VERSION;
6796#else
6797 return 1;
6798#endif
6799 }
6800
6801 /* Reset globals */
6802 info_cb_failed = 0;
6803 info_cb_this_state = -1;
6804 info_cb_offset = tst;
6805
a763ca11 6806#ifndef OSSL_NO_USABLE_TLS1_3
5718fe45
MC		 6807 if (tst >= 4) {
6808 SSL_SESSION *sess = NULL;
6809 size_t written, readbytes;
6810 unsigned char buf[80];
6811
6812 /* early_data tests */
6813 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6814 &serverssl, &sess, 0)))
6815 goto end;
6816
6817 /* We don't actually need this reference */
6818 SSL_SESSION_free(sess);
6819
6820 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6821 sslapi_info_callback);
6822
6823 /* Write and read some early data and then complete the connection */
6824 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6825 &written))
6826 || !TEST_size_t_eq(written, strlen(MSG1))
6827 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6828 sizeof(buf), &readbytes),
6829 SSL_READ_EARLY_DATA_SUCCESS)
6830 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6831 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6832 SSL_EARLY_DATA_ACCEPTED)
6833 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6834 SSL_ERROR_NONE))
6835 || !TEST_false(info_cb_failed))
6836 goto end;
6837
6838 testresult = 1;
6839 goto end;
6840 }
6e07834c 6841#endif
5718fe45 6842
5e30f2fd 6843 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6844 TLS_client_method(),
6845 tlsvers, tlsvers, &sctx, &cctx, cert,
6846 privkey)))
6847 goto end;
6848
33c39a06
MC		 6849 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6850 goto end;
6851
5718fe45
MC		 6852 /*
6853 * For even numbered tests we check the server callbacks. For odd numbers we
6854 * check the client.
6855 */
6856 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6857 sslapi_info_callback);
6858
6859 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6860 &clientssl, NULL, NULL))
6861 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6862 SSL_ERROR_NONE))
6863 || !TEST_false(info_cb_failed))
6864 goto end;
6865
6866
6867
6868 clntsess = SSL_get1_session(clientssl);
6869 SSL_shutdown(clientssl);
6870 SSL_shutdown(serverssl);
6871 SSL_free(serverssl);
6872 SSL_free(clientssl);
6873 serverssl = clientssl = NULL;
6874
6875 /* Now do a resumption */
6876 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6877 NULL))
6878 || !TEST_true(SSL_set_session(clientssl, clntsess))
6879 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6880 SSL_ERROR_NONE))
6881 || !TEST_true(SSL_session_reused(clientssl))
6882 || !TEST_false(info_cb_failed))
6883 goto end;
6884
6885 testresult = 1;
6886
6887 end:
6888 SSL_free(serverssl);
6889 SSL_free(clientssl);
6890 SSL_SESSION_free(clntsess);
6891 SSL_CTX_free(sctx);
6892 SSL_CTX_free(cctx);
6893 return testresult;
6894}
6895
4a432af8
MC		 6896static int test_ssl_pending(int tst)
6897{
6898 SSL_CTX *cctx = NULL, *sctx = NULL;
6899 SSL *clientssl = NULL, *serverssl = NULL;
6900 int testresult = 0;
6901 char msg[] = "A test message";
6902 char buf[5];
6903 size_t written, readbytes;
6904
6905 if (tst == 0) {
5e30f2fd 6906 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6907 TLS_client_method(),
5c587fb6 6908 TLS1_VERSION, 0,
4a432af8
MC		 6909 &sctx, &cctx, cert, privkey)))
6910 goto end;
6911 } else {
6912#ifndef OPENSSL_NO_DTLS
5e30f2fd 6913 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6914 DTLS_client_method(),
5c587fb6 6915 DTLS1_VERSION, 0,
4a432af8
MC		 6916 &sctx, &cctx, cert, privkey)))
6917 goto end;
8ce390e1
MC		 6918
6919# ifdef OPENSSL_NO_DTLS1_2
6920 /* Not supported in the FIPS provider */
6921 if (is_fips) {
6922 testresult = 1;
6923 goto end;
6924 };
6925 /*
6926 * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
6927 * level 0
6928 */
6929 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
6930 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
6931 "DEFAULT:@SECLEVEL=0")))
6932 goto end;
6933# endif
4a432af8
MC		 6934#else
6935 return 1;
6936#endif
6937 }
6938
6939 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6940 NULL, NULL))
6941 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6942 SSL_ERROR_NONE)))
6943 goto end;
6944
e8251092
MC		 6945 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6946 || !TEST_false(SSL_has_pending(clientssl))
6947 || !TEST_int_eq(SSL_pending(serverssl), 0)
6948 || !TEST_false(SSL_has_pending(serverssl))
6949 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6950 || !TEST_size_t_eq(written, sizeof(msg))
6951 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6952 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6953 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6954 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6955 goto end;
6956
6957 testresult = 1;
6958
6959 end:
6960 SSL_free(serverssl);
6961 SSL_free(clientssl);
6962 SSL_CTX_free(sctx);
6963 SSL_CTX_free(cctx);
6964
6965 return testresult;
6966}
6967
e401389a
MC		 6968static struct {
6969 unsigned int maxprot;
6970 const char *clntciphers;
6971 const char *clnttls13ciphers;
6972 const char *srvrciphers;
6973 const char *srvrtls13ciphers;
6974 const char *shared;
a96e6c34 6975 const char *fipsshared;
e401389a 6976} shared_ciphers_data[] = {
60155b9a
MC		 6977/*
6978 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6979 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6980 */
a763ca11 6981#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6982 {
6983 TLS1_2_VERSION,
6984 "AES128-SHA:AES256-SHA",
6985 NULL,
6986 "AES256-SHA:DHE-RSA-AES128-SHA",
6987 NULL,
a96e6c34 6988 "AES256-SHA",
e401389a
MC		 6989 "AES256-SHA"
6990 },
a96e6c34
MC		 6991# if !defined(OPENSSL_NO_CHACHA) \
6992 && !defined(OPENSSL_NO_POLY1305) \
6993 && !defined(OPENSSL_NO_EC)
6994 {
6995 TLS1_2_VERSION,
6996 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6997 NULL,
6998 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6999 NULL,
7000 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
7001 "AES128-SHA"
7002 },
7003# endif
e401389a
MC		 7004 {
7005 TLS1_2_VERSION,
7006 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
7007 NULL,
7008 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
7009 NULL,
a96e6c34 7010 "AES128-SHA:AES256-SHA",
e401389a
MC		 7011 "AES128-SHA:AES256-SHA"
7012 },
7013 {
7014 TLS1_2_VERSION,
7015 "AES128-SHA:AES256-SHA",
7016 NULL,
7017 "AES128-SHA:DHE-RSA-AES128-SHA",
7018 NULL,
a96e6c34 7019 "AES128-SHA",
e401389a
MC		 7020 "AES128-SHA"
7021 },
60155b9a
MC		 7022#endif
7023/*
7024 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
7025 * enabled.
7026 */
a763ca11 7027#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
60155b9a 7028 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 7029 {
7030 TLS1_3_VERSION,
7031 "AES128-SHA:AES256-SHA",
7032 NULL,
7033 "AES256-SHA:AES128-SHA256",
7034 NULL,
7035 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 7036 "TLS_AES_128_GCM_SHA256:AES256-SHA",
7037 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 7038 },
60155b9a 7039#endif
a763ca11 7040#ifndef OSSL_NO_USABLE_TLS1_3
e401389a
MC		 7041 {
7042 TLS1_3_VERSION,
7043 "AES128-SHA",
7044 "TLS_AES_256_GCM_SHA384",
7045 "AES256-SHA",
7046 "TLS_AES_256_GCM_SHA384",
a96e6c34 7047 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 7048 "TLS_AES_256_GCM_SHA384"
7049 },
7050#endif
7051};
7052
a96e6c34 7053static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 7054{
7055 SSL_CTX *cctx = NULL, *sctx = NULL;
7056 SSL *clientssl = NULL, *serverssl = NULL;
7057 int testresult = 0;
7058 char buf[1024];
b4250010 7059 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 7060
7061 if (!TEST_ptr(tmplibctx))
7062 goto end;
7063
7064 /*
7065 * Regardless of whether we're testing with the FIPS provider loaded into
7066 * libctx, we want one peer to always use the full set of ciphersuites
7067 * available. Therefore we use a separate libctx with the default provider
7068 * loaded into it. We run the same tests twice - once with the client side
7069 * having the full set of ciphersuites and once with the server side.
7070 */
7071 if (clnt) {
d8652be0 7072 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 7073 if (!TEST_ptr(cctx))
7074 goto end;
7075 } else {
d8652be0 7076 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 7077 if (!TEST_ptr(sctx))
7078 goto end;
7079 }
e401389a 7080
5e30f2fd 7081 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 7082 TLS_client_method(),
7083 TLS1_VERSION,
7084 shared_ciphers_data[tst].maxprot,
7085 &sctx, &cctx, cert, privkey)))
7086 goto end;
7087
7088 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7089 shared_ciphers_data[tst].clntciphers))
7090 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
7091 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
7092 shared_ciphers_data[tst].clnttls13ciphers)))
7093 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
7094 shared_ciphers_data[tst].srvrciphers))
7095 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
7096 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
7097 shared_ciphers_data[tst].srvrtls13ciphers))))
7098 goto end;
7099
7100
7101 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7102 NULL, NULL))
7103 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7104 SSL_ERROR_NONE)))
7105 goto end;
7106
7107 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 7108 || !TEST_int_eq(strcmp(buf,
7109 is_fips
7110 ? shared_ciphers_data[tst].fipsshared
7111 : shared_ciphers_data[tst].shared),
7112 0)) {
e401389a
MC		 7113 TEST_info("Shared ciphers are: %s\n", buf);
7114 goto end;
7115 }
7116
7117 testresult = 1;
7118
7119 end:
7120 SSL_free(serverssl);
7121 SSL_free(clientssl);
7122 SSL_CTX_free(sctx);
7123 SSL_CTX_free(cctx);
b4250010 7124 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 7125
7126 return testresult;
7127}
7128
a96e6c34
MC		 7129static int test_ssl_get_shared_ciphers(int tst)
7130{
7131 return int_test_ssl_get_shared_ciphers(tst, 0)
7132 && int_test_ssl_get_shared_ciphers(tst, 1);
7133}
7134
7135
d0191fe0 7136static const char *appdata = "Hello World";
61fb5923
MC		 7137static int gen_tick_called, dec_tick_called, tick_key_cb_called;
7138static int tick_key_renew = 0;
7139static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 7140
7141static int gen_tick_cb(SSL *s, void *arg)
7142{
7143 gen_tick_called = 1;
7144
7145 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
7146 strlen(appdata));
7147}
7148
7149static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
7150 const unsigned char *keyname,
7151 size_t keyname_length,
61fb5923
MC		 7152 SSL_TICKET_STATUS status,
7153 void *arg)
d0191fe0
MC		 7154{
7155 void *tickdata;
7156 size_t tickdlen;
7157
7158 dec_tick_called = 1;
7159
61fb5923
MC		 7160 if (status == SSL_TICKET_EMPTY)
7161 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 7162
61fb5923
MC		 7163 if (!TEST_true(status == SSL_TICKET_SUCCESS
7164 || status == SSL_TICKET_SUCCESS_RENEW))
7165 return SSL_TICKET_RETURN_ABORT;
7166
7167 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
7168 &tickdlen))
d0191fe0
MC		 7169 || !TEST_size_t_eq(tickdlen, strlen(appdata))
7170 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 7171 return SSL_TICKET_RETURN_ABORT;
d0191fe0 7172
61fb5923
MC		 7173 if (tick_key_cb_called) {
7174 /* Don't change what the ticket key callback wanted to do */
7175 switch (status) {
7176 case SSL_TICKET_NO_DECRYPT:
7177 return SSL_TICKET_RETURN_IGNORE_RENEW;
7178
7179 case SSL_TICKET_SUCCESS:
7180 return SSL_TICKET_RETURN_USE;
d0191fe0 7181
61fb5923
MC		 7182 case SSL_TICKET_SUCCESS_RENEW:
7183 return SSL_TICKET_RETURN_USE_RENEW;
7184
7185 default:
7186 return SSL_TICKET_RETURN_ABORT;
7187 }
7188 }
7189 return tick_dec_ret;
7190
7191}
d0191fe0 7192
a76ce286 7193#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 7194static int tick_key_cb(SSL *s, unsigned char key_name[16],
7195 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
7196 HMAC_CTX *hctx, int enc)
7197{
7198 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7199 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 7200 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7201 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
7202 int ret;
d0191fe0 7203
61fb5923 7204 tick_key_cb_called = 1;
d0191fe0
MC		 7205 memset(iv, 0, AES_BLOCK_SIZE);
7206 memset(key_name, 0, 16);
5e30f2fd
MC		 7207 if (aes128cbc == NULL
7208 || sha256 == NULL
7209 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
7210 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
7211 NULL))
7212 ret = -1;
7213 else
7214 ret = tick_key_renew ? 2 : 1;
d0191fe0 7215
5e30f2fd
MC		 7216 EVP_CIPHER_free(aes128cbc);
7217 EVP_MD_free(sha256);
7218
7219 return ret;
d0191fe0 7220}
a76ce286
P		 7221#endif
7222
7223static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
7224 unsigned char iv[EVP_MAX_IV_LENGTH],
7225 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
7226{
7227 const unsigned char tick_aes_key[16] = "0123456789abcdef";
7228 unsigned char tick_hmac_key[16] = "0123456789abcdef";
77e4ae58 7229 OSSL_PARAM params[2];
5e30f2fd
MC		 7230 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
7231 int ret;
a76ce286
P		 7232
7233 tick_key_cb_called = 1;
7234 memset(iv, 0, AES_BLOCK_SIZE);
7235 memset(key_name, 0, 16);
7236 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
7237 "SHA256", 0);
77e4ae58 7238 params[1] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 7239 if (aes128cbc == NULL
7240 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
77e4ae58
P		 7241 || !EVP_MAC_init(hctx, tick_hmac_key, sizeof(tick_hmac_key),
7242 params))
5e30f2fd
MC		 7243 ret = -1;
7244 else
7245 ret = tick_key_renew ? 2 : 1;
7246
7247 EVP_CIPHER_free(aes128cbc);
a76ce286 7248
5e30f2fd 7249 return ret;
a76ce286 7250}
d0191fe0
MC		 7251
7252/*
7253 * Test the various ticket callbacks
61fb5923
MC		 7254 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
7255 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
7256 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
7257 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
7258 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
7259 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
7260 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
7261 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 7262 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
7263 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
7264 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
7265 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
7266 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
7267 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
7268 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
7269 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 7270 */
7271static int test_ticket_callbacks(int tst)
7272{
7273 SSL_CTX *cctx = NULL, *sctx = NULL;
7274 SSL *clientssl = NULL, *serverssl = NULL;
7275 SSL_SESSION *clntsess = NULL;
7276 int testresult = 0;
7277
7278#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 7279 if (tst % 2 == 0)
d0191fe0
MC		 7280 return 1;
7281#endif
a763ca11 7282#ifdef OSSL_NO_USABLE_TLS1_3
ba8b48e9 7283 if (tst % 2 == 1)
d0191fe0
MC		 7284 return 1;
7285#endif
a76ce286
P		 7286#ifdef OPENSSL_NO_DEPRECATED_3_0
7287 if (tst >= 8 && tst <= 11)
7288 return 1;
7289#endif
d0191fe0 7290
61fb5923 7291 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 7292
7293 /* Which tests the ticket key callback should request renewal for */
a76ce286 7294 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 7295 tick_key_renew = 1;
d0191fe0 7296 else
61fb5923
MC		 7297 tick_key_renew = 0;
7298
7299 /* Which tests the decrypt ticket callback should request renewal for */
7300 switch (tst) {
7301 case 0:
7302 case 1:
7303 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
7304 break;
7305
7306 case 2:
7307 case 3:
7308 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
7309 break;
7310
7311 case 4:
7312 case 5:
7313 tick_dec_ret = SSL_TICKET_RETURN_USE;
7314 break;
7315
7316 case 6:
7317 case 7:
7318 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
7319 break;
7320
7321 default:
7322 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
7323 }
d0191fe0 7324
5e30f2fd 7325 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 7326 TLS_client_method(),
7327 TLS1_VERSION,
61fb5923
MC		 7328 ((tst % 2) == 0) ? TLS1_2_VERSION
7329 : TLS1_3_VERSION,
d0191fe0
MC		 7330 &sctx, &cctx, cert, privkey)))
7331 goto end;
7332
61fb5923
MC		 7333 /*
7334 * We only want sessions to resume from tickets - not the session cache. So
7335 * switch the cache off.
7336 */
7337 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
7338 goto end;
7339
d0191fe0
MC		 7340 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
7341 NULL)))
7342 goto end;
7343
a76ce286
P		 7344 if (tst >= 12) {
7345 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
7346 goto end;
7347#ifndef OPENSSL_NO_DEPRECATED_3_0
7348 } else if (tst >= 8) {
7349 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
7350 goto end;
7351#endif
7352 }
d0191fe0
MC		 7353
7354 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7355 NULL, NULL))
7356 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7357 SSL_ERROR_NONE)))
7358 goto end;
7359
61fb5923
MC		 7360 /*
7361 * The decrypt ticket key callback in TLSv1.2 should be called even though
7362 * we have no ticket yet, because it gets called with a status of
7363 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
7364 * actually send any ticket data). This does not happen in TLSv1.3 because
7365 * it is not valid to send empty ticket data in TLSv1.3.
7366 */
d0191fe0 7367 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 7368 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 7369 goto end;
7370
7371 gen_tick_called = dec_tick_called = 0;
7372
7373 clntsess = SSL_get1_session(clientssl);
7374 SSL_shutdown(clientssl);
7375 SSL_shutdown(serverssl);
7376 SSL_free(serverssl);
7377 SSL_free(clientssl);
7378 serverssl = clientssl = NULL;
7379
7380 /* Now do a resumption */
7381 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7382 NULL))
7383 || !TEST_true(SSL_set_session(clientssl, clntsess))
7384 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 7385 SSL_ERROR_NONE)))
d0191fe0
MC		 7386 goto end;
7387
61fb5923
MC		 7388 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
7389 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
7390 if (!TEST_false(SSL_session_reused(clientssl)))
7391 goto end;
7392 } else {
7393 if (!TEST_true(SSL_session_reused(clientssl)))
7394 goto end;
7395 }
7396
d0191fe0 7397 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 7398 (tick_key_renew
7399 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
7400 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
7401 ? 1 : 0)
d0191fe0
MC		 7402 || !TEST_int_eq(dec_tick_called, 1))
7403 goto end;
7404
7405 testresult = 1;
7406
7407 end:
7408 SSL_SESSION_free(clntsess);
7409 SSL_free(serverssl);
7410 SSL_free(clientssl);
7411 SSL_CTX_free(sctx);
7412 SSL_CTX_free(cctx);
7413
7414 return testresult;
7415}
7416
e638112e
DB		 7417/*
7418 * Test incorrect shutdown.
7419 * Test 0: client does not shutdown properly,
7420 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
7421 * server should get SSL_ERROR_SSL
7422 * Test 1: client does not shutdown properly,
7423 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
7424 * server should get SSL_ERROR_ZERO_RETURN
7425 */
7426static int test_incorrect_shutdown(int tst)
7427{
7428 SSL_CTX *cctx = NULL, *sctx = NULL;
7429 SSL *clientssl = NULL, *serverssl = NULL;
7430 int testresult = 0;
7431 char buf[80];
7432 BIO *c2s;
7433
7434 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7435 TLS_client_method(), 0, 0,
7436 &sctx, &cctx, cert, privkey)))
7437 goto end;
7438
7439 if (tst == 1)
7440 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
7441
7442 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7443 NULL, NULL)))
7444 goto end;
7445
7446 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
7447 SSL_ERROR_NONE)))
7448 goto end;
7449
7450 c2s = SSL_get_rbio(serverssl);
7451 BIO_set_mem_eof_return(c2s, 0);
7452
7453 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
7454 goto end;
7455
7456 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
7457 goto end;
7458 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
7459 goto end;
7460
7461 testresult = 1;
7462
7463 end:
7464 SSL_free(serverssl);
7465 SSL_free(clientssl);
7466 SSL_CTX_free(sctx);
7467 SSL_CTX_free(cctx);
7468
7469 return testresult;
7470}
7471
c748834f
MC		 7472/*
7473 * Test bi-directional shutdown.
7474 * Test 0: TLSv1.2
7475 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7476 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7477 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7478 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7479 * sends key update, client reads it
57d7b988
MC		 7480 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7481 * sends CertificateRequest, client reads and ignores it
7482 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7483 * doesn't read it
7484 */
7485static int test_shutdown(int tst)
7486{
7487 SSL_CTX *cctx = NULL, *sctx = NULL;
7488 SSL *clientssl = NULL, *serverssl = NULL;
7489 int testresult = 0;
7490 char msg[] = "A test message";
7491 char buf[80];
7492 size_t written, readbytes;
80eff008 7493 SSL_SESSION *sess;
c748834f
MC		 7494
7495#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7496 if (tst <= 1)
c748834f
MC		 7497 return 1;
7498#endif
a763ca11 7499#ifdef OSSL_NO_USABLE_TLS1_3
a97d19f7 7500 if (tst >= 2)
c748834f
MC		 7501 return 1;
7502#endif
7503
5e30f2fd 7504 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7505 TLS_client_method(),
7506 TLS1_VERSION,
7507 (tst <= 1) ? TLS1_2_VERSION
7508 : TLS1_3_VERSION,
57d7b988
MC		 7509 &sctx, &cctx, cert, privkey)))
7510 goto end;
7511
7512 if (tst == 5)
7513 SSL_CTX_set_post_handshake_auth(cctx, 1);
7514
7515 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7516 NULL, NULL)))
7517 goto end;
7518
7519 if (tst == 3) {
7520 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7521 SSL_ERROR_NONE, 1))
80eff008
KR		 7522 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7523 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7524 goto end;
7525 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7526 SSL_ERROR_NONE))
7527 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7528 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7529 goto end;
7530 }
7531
7532 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7533 goto end;
7534
7535 if (tst >= 4) {
7536 /*
7537 * Reading on the server after the client has sent close_notify should
7538 * fail and provide SSL_ERROR_ZERO_RETURN
7539 */
7540 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7541 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7542 SSL_ERROR_ZERO_RETURN)
7543 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7544 SSL_RECEIVED_SHUTDOWN)
7545 /*
7546 * Even though we're shutdown on receive we should still be
7547 * able to write.
7548 */
80eff008
KR		 7549 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7550 goto end;
57d7b988
MC		 7551 if (tst == 4
7552 && !TEST_true(SSL_key_update(serverssl,
7553 SSL_KEY_UPDATE_REQUESTED)))
7554 goto end;
7555 if (tst == 5) {
7556 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7557 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7558 goto end;
7559 }
7560 if ((tst == 4 || tst == 5)
7561 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7562 goto end;
7563 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7564 goto end;
57d7b988 7565 if (tst == 4 || tst == 5) {
80eff008 7566 /* Should still be able to read data from server */
c748834f 7567 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7568 &readbytes))
7569 || !TEST_size_t_eq(readbytes, sizeof(msg))
7570 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7571 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7572 &readbytes))
c748834f
MC		 7573 || !TEST_size_t_eq(readbytes, sizeof(msg))
7574 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7575 goto end;
7576 }
7577 }
7578
7579 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7580 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7581 goto end;
7582
7583 if (tst < 4) {
7584 /*
7585 * For these tests the client has sent close_notify but it has not yet
7586 * been received by the server. The server has not sent close_notify
7587 * yet.
7588 */
7589 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7590 /*
7591 * Writing on the server after sending close_notify shouldn't
7592 * be possible.
7593 */
7594 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7595 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7596 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7597 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7598 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7599 goto end;
57d7b988 7600 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7601 /*
7602 * In this test the client has sent close_notify and it has been
7603 * received by the server which has responded with a close_notify. The
358ffa05 7604 * client needs to read the close_notify sent by the server.
c748834f 7605 */
80eff008
KR		 7606 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7607 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7608 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7609 goto end;
358ffa05
MC		 7610 } else {
7611 /*
57d7b988 7612 * tst == 6
358ffa05
MC		 7613 *
7614 * The client has sent close_notify and is expecting a close_notify
7615 * back, but instead there is application data first. The shutdown
7616 * should fail with a fatal error.
7617 */
7618 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7619 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7620 goto end;
c748834f
MC		 7621 }
7622
7623 testresult = 1;
7624
7625 end:
7626 SSL_free(serverssl);
7627 SSL_free(clientssl);
7628 SSL_CTX_free(sctx);
7629 SSL_CTX_free(cctx);
7630
7631 return testresult;
7632}
7633
a763ca11 7634#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
cd6fe29f
MC		 7635static int cert_cb_cnt;
7636
7637static int cert_cb(SSL *s, void *arg)
7638{
7639 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7640 BIO *in = NULL;
7641 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7642 X509 *x509 = NULL, *rootx = NULL;
7643 STACK_OF(X509) *chain = NULL;
7644 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7645 int ret = 0;
cd6fe29f
MC		 7646
7647 if (cert_cb_cnt == 0) {
7648 /* Suspend the handshake */
7649 cert_cb_cnt++;
7650 return -1;
7651 } else if (cert_cb_cnt == 1) {
7652 /*
7653 * Update the SSL_CTX, set the certificate and private key and then
7654 * continue the handshake normally.
7655 */
7656 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7657 return 0;
7658
7659 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7660 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7661 SSL_FILETYPE_PEM))
7662 || !TEST_true(SSL_check_private_key(s)))
7663 return 0;
7664 cert_cb_cnt++;
7665 return 1;
7cb8fb07
BK		 7666 } else if (cert_cb_cnt == 3) {
7667 int rv;
1a2a3a42
MC		 7668
7669 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7670 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7671 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7672 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7673 goto out;
7674 chain = sk_X509_new_null();
7675 if (!TEST_ptr(chain))
7676 goto out;
7cb8fb07 7677 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7678 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7679 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7680 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7681 || !TEST_true(sk_X509_push(chain, rootx)))
7682 goto out;
7683 rootx = NULL;
7684 BIO_free(in);
7685 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7686 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7687 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7688 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7689 goto out;
7690 BIO_free(in);
7691 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7692 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7693 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7694 NULL, NULL,
7695 libctx, NULL)))
7cb8fb07 7696 goto out;
1a2a3a42 7697 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7698 /*
7699 * If the cert doesn't show as valid here (e.g., because we don't
7700 * have any shared sigalgs), then we will not set it, and there will
7701 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7702 * will cause tls_choose_sigalgs() to fail the connection.
7703 */
1a2a3a42
MC		 7704 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7705 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7706 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7707 goto out;
7708 }
1a2a3a42
MC		 7709
7710 ret = 1;
cd6fe29f
MC		 7711 }
7712
7713 /* Abort the handshake */
7cb8fb07 7714 out:
1a2a3a42
MC		 7715 OPENSSL_free(ecdsacert);
7716 OPENSSL_free(ecdsakey);
7717 OPENSSL_free(rootfile);
7cb8fb07
BK		 7718 BIO_free(in);
7719 EVP_PKEY_free(pkey);
7720 X509_free(x509);
1a2a3a42
MC		 7721 X509_free(rootx);
7722 sk_X509_pop_free(chain, X509_free);
7723 return ret;
cd6fe29f
MC		 7724}
7725
7726/*
7727 * Test the certificate callback.
7728 * Test 0: Callback fails
7729 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7730 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7731 * Test 3: Success - Call SSL_check_chain from the callback
7732 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7733 * chain
7734 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7735 */
7736static int test_cert_cb_int(int prot, int tst)
7737{
7738 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7739 SSL *clientssl = NULL, *serverssl = NULL;
7740 int testresult = 0, ret;
7741
1a2a3a42
MC		 7742#ifdef OPENSSL_NO_EC
7743 /* We use an EC cert in these tests, so we skip in a no-ec build */
7744 if (tst >= 3)
7745 return 1;
7746#endif
7747
5e30f2fd 7748 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7749 TLS_client_method(),
7750 TLS1_VERSION,
7751 prot,
7752 &sctx, &cctx, NULL, NULL)))
7753 goto end;
7754
7755 if (tst == 0)
7756 cert_cb_cnt = -1;
1a2a3a42 7757 else if (tst >= 3)
7cb8fb07 7758 cert_cb_cnt = 3;
cd6fe29f
MC		 7759 else
7760 cert_cb_cnt = 0;
1a2a3a42 7761
cd6fe29f
MC		 7762 if (tst == 2)
7763 snictx = SSL_CTX_new(TLS_server_method());
7764 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7765
7766 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7767 NULL, NULL)))
7768 goto end;
7769
1a2a3a42
MC		 7770 if (tst == 4) {
7771 /*
7772 * We cause SSL_check_chain() to fail by specifying sig_algs that
7773 * the chain doesn't meet (the root uses an RSA cert)
7774 */
7775 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7776 "ecdsa_secp256r1_sha256")))
7777 goto end;
7778 } else if (tst == 5) {
7779 /*
7780 * We cause SSL_check_chain() to fail by specifying sig_algs that
7781 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7782 */
7783 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7784 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7785 goto end;
7786 }
7787
cd6fe29f 7788 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7789 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7790 || (tst > 0
7791 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7792 goto end;
7793 }
7794
7795 testresult = 1;
7796
7797 end:
7798 SSL_free(serverssl);
7799 SSL_free(clientssl);
7800 SSL_CTX_free(sctx);
7801 SSL_CTX_free(cctx);
7802 SSL_CTX_free(snictx);
7803
7804 return testresult;
7805}
7f1d923a 7806#endif
cd6fe29f
MC		 7807
7808static int test_cert_cb(int tst)
7809{
7810 int testresult = 1;
7811
7812#ifndef OPENSSL_NO_TLS1_2
7813 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7814#endif
a763ca11 7815#ifndef OSSL_NO_USABLE_TLS1_3
cd6fe29f
MC		 7816 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7817#endif
7818
7819 return testresult;
7820}
7821
6e46c065
MC		 7822static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7823{
8c2bfd25 7824 X509 *xcert;
6e46c065
MC		 7825 EVP_PKEY *privpkey;
7826 BIO *in = NULL;
6725682d 7827 BIO *priv_in = NULL;
6e46c065 7828
8c2bfd25
TS		 7829 /* Check that SSL_get0_peer_certificate() returns something sensible */
7830 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7831 return 0;
6e46c065
MC		 7832
7833 in = BIO_new_file(cert, "r");
7834 if (!TEST_ptr(in))
7835 return 0;
7836
d8652be0 7837 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7838 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7839 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7840 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7841 NULL, NULL,
7842 libctx, NULL)))
6725682d 7843 goto err;
6e46c065
MC		 7844
7845 *x509 = xcert;
7846 *pkey = privpkey;
7847
6725682d
SL		 7848 BIO_free(in);
7849 BIO_free(priv_in);
6e46c065 7850 return 1;
6725682d
SL		 7851err:
7852 X509_free(xcert);
7853 BIO_free(in);
7854 BIO_free(priv_in);
7855 return 0;
6e46c065
MC		 7856}
7857
7858static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7859{
7860 return 1;
7861}
7862
7863static int test_client_cert_cb(int tst)
7864{
7865 SSL_CTX *cctx = NULL, *sctx = NULL;
7866 SSL *clientssl = NULL, *serverssl = NULL;
7867 int testresult = 0;
7868
7869#ifdef OPENSSL_NO_TLS1_2
7870 if (tst == 0)
7871 return 1;
7872#endif
a763ca11 7873#ifdef OSSL_NO_USABLE_TLS1_3
6e46c065
MC		 7874 if (tst == 1)
7875 return 1;
7876#endif
7877
5e30f2fd 7878 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7879 TLS_client_method(),
7880 TLS1_VERSION,
7881 tst == 0 ? TLS1_2_VERSION
7882 : TLS1_3_VERSION,
7883 &sctx, &cctx, cert, privkey)))
7884 goto end;
7885
7886 /*
7887 * Test that setting a client_cert_cb results in a client certificate being
7888 * sent.
7889 */
7890 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7891 SSL_CTX_set_verify(sctx,
7892 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7893 verify_cb);
fb8c8359
MC		 7894
7895 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7896 NULL, NULL))
7897 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7898 SSL_ERROR_NONE)))
7899 goto end;
7900
7901 testresult = 1;
7902
7903 end:
7904 SSL_free(serverssl);
7905 SSL_free(clientssl);
7906 SSL_CTX_free(sctx);
7907 SSL_CTX_free(cctx);
7908
7909 return testresult;
7910}
7911
a763ca11 7912#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
fb8c8359
MC		 7913/*
7914 * Test setting certificate authorities on both client and server.
7915 *
7916 * Test 0: SSL_CTX_set0_CA_list() only
7917 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7918 * Test 2: Only SSL_CTX_set_client_CA_list()
7919 */
7920static int test_ca_names_int(int prot, int tst)
7921{
7922 SSL_CTX *cctx = NULL, *sctx = NULL;
7923 SSL *clientssl = NULL, *serverssl = NULL;
7924 int testresult = 0;
7925 size_t i;
7926 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7927 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7928 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7929 const STACK_OF(X509_NAME) *sktmp = NULL;
7930
7931 for (i = 0; i < OSSL_NELEM(name); i++) {
7932 name[i] = X509_NAME_new();
7933 if (!TEST_ptr(name[i])
7934 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7935 MBSTRING_ASC,
7936 (unsigned char *)
7937 strnames[i],
7938 -1, -1, 0)))
7939 goto end;
7940 }
7941
5e30f2fd 7942 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7943 TLS_client_method(),
7944 TLS1_VERSION,
7945 prot,
7946 &sctx, &cctx, cert, privkey)))
7947 goto end;
7948
7949 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7950
7951 if (tst == 0 || tst == 1) {
7952 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7953 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7954 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7955 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7956 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7957 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7958 goto end;
7959
7960 SSL_CTX_set0_CA_list(sctx, sk1);
7961 SSL_CTX_set0_CA_list(cctx, sk2);
7962 sk1 = sk2 = NULL;
7963 }
7964 if (tst == 1 || tst == 2) {
7965 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7966 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7967 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7968 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7969 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7970 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7971 goto end;
7972
7973 SSL_CTX_set_client_CA_list(sctx, sk1);
7974 SSL_CTX_set_client_CA_list(cctx, sk2);
7975 sk1 = sk2 = NULL;
7976 }
7977
6e46c065
MC		 7978 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7979 NULL, NULL))
7980 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7981 SSL_ERROR_NONE)))
7982 goto end;
7983
fb8c8359
MC		 7984 /*
7985 * We only expect certificate authorities to have been sent to the server
7986 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7987 */
7988 sktmp = SSL_get0_peer_CA_list(serverssl);
7989 if (prot == TLS1_3_VERSION
7990 && (tst == 0 || tst == 1)) {
7991 if (!TEST_ptr(sktmp)
7992 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7993 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7994 name[0]), 0)
7995 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7996 name[1]), 0))
7997 goto end;
7998 } else if (!TEST_ptr_null(sktmp)) {
7999 goto end;
8000 }
8001
8002 /*
8003 * In all tests we expect certificate authorities to have been sent to the
8004 * client. However, SSL_set_client_CA_list() should override
8005 * SSL_set0_CA_list()
8006 */
8007 sktmp = SSL_get0_peer_CA_list(clientssl);
8008 if (!TEST_ptr(sktmp)
8009 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
8010 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
8011 name[tst == 0 ? 0 : 2]), 0)
8012 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
8013 name[tst == 0 ? 1 : 3]), 0))
8014 goto end;
8015
6e46c065
MC		 8016 testresult = 1;
8017
8018 end:
8019 SSL_free(serverssl);
8020 SSL_free(clientssl);
8021 SSL_CTX_free(sctx);
8022 SSL_CTX_free(cctx);
fb8c8359
MC		 8023 for (i = 0; i < OSSL_NELEM(name); i++)
8024 X509_NAME_free(name[i]);
8025 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
8026 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
8027
8028 return testresult;
8029}
8030#endif
8031
8032static int test_ca_names(int tst)
8033{
8034 int testresult = 1;
8035
8036#ifndef OPENSSL_NO_TLS1_2
8037 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
8038#endif
a763ca11 8039#ifndef OSSL_NO_USABLE_TLS1_3
fb8c8359
MC		 8040 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
8041#endif
6e46c065
MC		 8042
8043 return testresult;
8044}
8045
0d2bfe52
SL		 8046#ifndef OPENSSL_NO_TLS1_2
8047static const char *multiblock_cipherlist_data[]=
8048{
8049 "AES128-SHA",
8050 "AES128-SHA256",
8051 "AES256-SHA",
8052 "AES256-SHA256",
8053};
8054
8055/* Reduce the fragment size - so the multiblock test buffer can be small */
8056# define MULTIBLOCK_FRAGSIZE 512
8057
8058static int test_multiblock_write(int test_index)
8059{
8060 static const char *fetchable_ciphers[]=
8061 {
8062 "AES-128-CBC-HMAC-SHA1",
8063 "AES-128-CBC-HMAC-SHA256",
8064 "AES-256-CBC-HMAC-SHA1",
8065 "AES-256-CBC-HMAC-SHA256"
8066 };
8067 const char *cipherlist = multiblock_cipherlist_data[test_index];
8068 const SSL_METHOD *smeth = TLS_server_method();
8069 const SSL_METHOD *cmeth = TLS_client_method();
8070 int min_version = TLS1_VERSION;
8071 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
8072 SSL_CTX *cctx = NULL, *sctx = NULL;
8073 SSL *clientssl = NULL, *serverssl = NULL;
8074 int testresult = 0;
8075
8076 /*
8077 * Choose a buffer large enough to perform a multi-block operation
8078 * i.e: write_len >= 4 * frag_size
8079 * 9 * is chosen so that multiple multiblocks are used + some leftover.
8080 */
8081 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
8082 unsigned char buf[sizeof(msg)], *p = buf;
8083 size_t readbytes, written, len;
8084 EVP_CIPHER *ciph = NULL;
8085
8086 /*
8087 * Check if the cipher exists before attempting to use it since it only has
8088 * a hardware specific implementation.
8089 */
8090 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
8091 if (ciph == NULL) {
8092 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
8093 return 1;
8094 }
8095 EVP_CIPHER_free(ciph);
8096
8097 /* Set up a buffer with some data that will be sent to the client */
8098 RAND_bytes(msg, sizeof(msg));
8099
5e30f2fd
MC		 8100 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
8101 max_version, &sctx, &cctx, cert,
8102 privkey)))
0d2bfe52
SL		 8103 goto end;
8104
8105 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
8106 goto end;
8107
8108 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8109 NULL, NULL)))
8110 goto end;
8111
8112 /* settings to force it to use AES-CBC-HMAC_SHA */
8113 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
8114 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
8115 goto end;
8116
8117 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8118 goto end;
8119
8120 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
8121 || !TEST_size_t_eq(written, sizeof(msg)))
8122 goto end;
8123
8124 len = written;
8125 while (len > 0) {
8126 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
8127 goto end;
8128 p += readbytes;
8129 len -= readbytes;
8130 }
8131 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
8132 goto end;
8133
8134 testresult = 1;
8135end:
8136 SSL_free(serverssl);
8137 SSL_free(clientssl);
8138 SSL_CTX_free(sctx);
8139 SSL_CTX_free(cctx);
8140
8141 return testresult;
8142}
8143#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 8144
25959e04
TS		 8145static int test_session_timeout(int test)
8146{
8147 /*
8148 * Test session ordering and timeout
8149 * Can't explicitly test performance of the new code,
8150 * but can test to see if the ordering of the sessions
8151 * are correct, and they they are removed as expected
8152 */
8153 SSL_SESSION *early = NULL;
8154 SSL_SESSION *middle = NULL;
8155 SSL_SESSION *late = NULL;
8156 SSL_CTX *ctx;
8157 int testresult = 0;
8158 long now = (long)time(NULL);
8159#define TIMEOUT 10
8160
8161 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
8162 || !TEST_ptr(early = SSL_SESSION_new())
8163 || !TEST_ptr(middle = SSL_SESSION_new())
8164 || !TEST_ptr(late = SSL_SESSION_new()))
8165 goto end;
8166
8167 /* assign unique session ids */
8168 early->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8169 memset(early->session_id, 1, SSL3_SSL_SESSION_ID_LENGTH);
8170 middle->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8171 memset(middle->session_id, 2, SSL3_SSL_SESSION_ID_LENGTH);
8172 late->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
8173 memset(late->session_id, 3, SSL3_SSL_SESSION_ID_LENGTH);
8174
8175 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8176 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8177 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8178 goto end;
8179
8180 /* Make sure they are all added */
8181 if (!TEST_ptr(early->prev)
8182 || !TEST_ptr(middle->prev)
8183 || !TEST_ptr(late->prev))
8184 goto end;
8185
8186 if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
8187 || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
8188 || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
8189 goto end;
8190
8191 if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
8192 || !TEST_int_ne(SSL_SESSION_set_timeout(middle, TIMEOUT), 0)
8193 || !TEST_int_ne(SSL_SESSION_set_timeout(late, TIMEOUT), 0))
8194 goto end;
8195
8196 /* Make sure they are all still there */
8197 if (!TEST_ptr(early->prev)
8198 || !TEST_ptr(middle->prev)
8199 || !TEST_ptr(late->prev))
8200 goto end;
8201
8202 /* Make sure they are in the expected order */
8203 if (!TEST_ptr_eq(late->next, middle)
8204 || !TEST_ptr_eq(middle->next, early)
8205 || !TEST_ptr_eq(early->prev, middle)
8206 || !TEST_ptr_eq(middle->prev, late))
8207 goto end;
8208
8209 /* This should remove "early" */
8210 SSL_CTX_flush_sessions(ctx, now + TIMEOUT - 1);
8211 if (!TEST_ptr_null(early->prev)
8212 || !TEST_ptr(middle->prev)
8213 || !TEST_ptr(late->prev))
8214 goto end;
8215
8216 /* This should remove "middle" */
8217 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 1);
8218 if (!TEST_ptr_null(early->prev)
8219 || !TEST_ptr_null(middle->prev)
8220 || !TEST_ptr(late->prev))
8221 goto end;
8222
8223 /* This should remove "late" */
8224 SSL_CTX_flush_sessions(ctx, now + TIMEOUT + 11);
8225 if (!TEST_ptr_null(early->prev)
8226 || !TEST_ptr_null(middle->prev)
8227 || !TEST_ptr_null(late->prev))
8228 goto end;
8229
8230 /* Add them back in again */
8231 if (!TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8232 || !TEST_int_eq(SSL_CTX_add_session(ctx, middle), 1)
8233 || !TEST_int_eq(SSL_CTX_add_session(ctx, late), 1))
8234 goto end;
8235
8236 /* Make sure they are all added */
8237 if (!TEST_ptr(early->prev)
8238 || !TEST_ptr(middle->prev)
8239 || !TEST_ptr(late->prev))
8240 goto end;
8241
8242 /* This should remove all of them */
8243 SSL_CTX_flush_sessions(ctx, 0);
8244 if (!TEST_ptr_null(early->prev)
8245 || !TEST_ptr_null(middle->prev)
8246 || !TEST_ptr_null(late->prev))
8247 goto end;
8248
8249 (void)SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_UPDATE_TIME
8250 | SSL_CTX_get_session_cache_mode(ctx));
8251
8252 /* make sure |now| is NOT equal to the current time */
8253 now -= 10;
8254 if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
8255 || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
8256 || !TEST_long_ne(SSL_SESSION_get_time(early), now))
8257 goto end;
8258
8259 testresult = 1;
8260 end:
8261 SSL_CTX_free(ctx);
8262 SSL_SESSION_free(early);
8263 SSL_SESSION_free(middle);
8264 SSL_SESSION_free(late);
8265 return testresult;
8266}
8267
49ef3d07
MC		 8268/*
8269 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
8270 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
8271 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
8272 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
8273 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
8274 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
8275 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
8276 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
8277 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
8278 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
8279 */
8280static int test_servername(int tst)
8281{
8282 SSL_CTX *cctx = NULL, *sctx = NULL;
8283 SSL *clientssl = NULL, *serverssl = NULL;
8284 int testresult = 0;
8285 SSL_SESSION *sess = NULL;
8286 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
8287
8288#ifdef OPENSSL_NO_TLS1_2
8289 if (tst <= 4)
8290 return 1;
8291#endif
a763ca11 8292#ifdef OSSL_NO_USABLE_TLS1_3
49ef3d07
MC		 8293 if (tst >= 5)
8294 return 1;
8295#endif
8296
5e30f2fd 8297 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 8298 TLS_client_method(),
8299 TLS1_VERSION,
8300 (tst <= 4) ? TLS1_2_VERSION
8301 : TLS1_3_VERSION,
8302 &sctx, &cctx, cert, privkey))
8303 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8304 NULL, NULL)))
8305 goto end;
8306
8307 if (tst != 1 && tst != 6) {
8308 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
8309 hostname_cb)))
8310 goto end;
8311 }
8312
8313 if (tst != 3 && tst != 8) {
8314 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8315 goto end;
8316 sexpectedhost = cexpectedhost = "goodhost";
8317 }
8318
8319 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8320 goto end;
8321
8322 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
8323 cexpectedhost)
8324 || !TEST_str_eq(SSL_get_servername(serverssl,
8325 TLSEXT_NAMETYPE_host_name),
8326 sexpectedhost))
8327 goto end;
8328
8329 /* Now repeat with a resumption handshake */
8330
8331 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
8332 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
8333 || !TEST_true(SSL_SESSION_is_resumable(sess))
8334 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
8335 goto end;
8336
8337 SSL_free(clientssl);
8338 SSL_free(serverssl);
8339 clientssl = serverssl = NULL;
8340
8341 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
8342 NULL)))
8343 goto end;
8344
8345 if (!TEST_true(SSL_set_session(clientssl, sess)))
8346 goto end;
8347
8348 sexpectedhost = cexpectedhost = "goodhost";
8349 if (tst == 2 || tst == 7) {
8350 /* Set an inconsistent hostname */
8351 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
8352 goto end;
8353 /*
8354 * In TLSv1.2 we expect the hostname from the original handshake, in
8355 * TLSv1.3 we expect the hostname from this handshake
8356 */
8357 if (tst == 7)
8358 sexpectedhost = cexpectedhost = "altgoodhost";
8359
8360 if (!TEST_str_eq(SSL_get_servername(clientssl,
8361 TLSEXT_NAMETYPE_host_name),
8362 "altgoodhost"))
8363 goto end;
8364 } else if (tst == 4 || tst == 9) {
8365 /*
8366 * A TLSv1.3 session does not associate a session with a servername,
8367 * but a TLSv1.2 session does.
8368 */
8369 if (tst == 9)
8370 sexpectedhost = cexpectedhost = NULL;
8371
8372 if (!TEST_str_eq(SSL_get_servername(clientssl,
8373 TLSEXT_NAMETYPE_host_name),
8374 cexpectedhost))
8375 goto end;
8376 } else {
8377 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
8378 goto end;
8379 /*
8380 * In a TLSv1.2 resumption where the hostname was not acknowledged
8381 * we expect the hostname on the server to be empty. On the client we
8382 * return what was requested in this case.
8383 *
8384 * Similarly if the client didn't set a hostname on an original TLSv1.2
8385 * session but is now, the server hostname will be empty, but the client
8386 * is as we set it.
8387 */
8388 if (tst == 1 || tst == 3)
8389 sexpectedhost = NULL;
8390
8391 if (!TEST_str_eq(SSL_get_servername(clientssl,
8392 TLSEXT_NAMETYPE_host_name),
8393 "goodhost"))
8394 goto end;
8395 }
8396
8397 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8398 goto end;
8399
8400 if (!TEST_true(SSL_session_reused(clientssl))
8401 || !TEST_true(SSL_session_reused(serverssl))
8402 || !TEST_str_eq(SSL_get_servername(clientssl,
8403 TLSEXT_NAMETYPE_host_name),
8404 cexpectedhost)
8405 || !TEST_str_eq(SSL_get_servername(serverssl,
8406 TLSEXT_NAMETYPE_host_name),
8407 sexpectedhost))
8408 goto end;
8409
8410 testresult = 1;
8411
8412 end:
8413 SSL_SESSION_free(sess);
8414 SSL_free(serverssl);
8415 SSL_free(clientssl);
8416 SSL_CTX_free(sctx);
8417 SSL_CTX_free(cctx);
8418
8419 return testresult;
8420}
8421
b1fdbc68 8422#if !defined(OPENSSL_NO_EC) \
a763ca11 8423 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 8424/*
8425 * Test that if signature algorithms are not available, then we do not offer or
8426 * accept them.
8427 * Test 0: Two RSA sig algs available: both RSA sig algs shared
8428 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
8429 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
8430 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
8431 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
8432 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
8433 */
8434static int test_sigalgs_available(int idx)
8435{
8436 SSL_CTX *cctx = NULL, *sctx = NULL;
8437 SSL *clientssl = NULL, *serverssl = NULL;
8438 int testresult = 0;
b4250010
DMSP		 8439 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
8440 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 8441 OSSL_PROVIDER *filterprov = NULL;
8442 int sig, hash;
8443
8444 if (!TEST_ptr(tmpctx))
8445 goto end;
8446
8447 if (idx != 0 && idx != 3) {
8448 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
8449 filter_provider_init)))
8450 goto end;
8451
8452 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
8453 if (!TEST_ptr(filterprov))
8454 goto end;
8455
8456 if (idx < 3) {
8457 /*
8458 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
8459 * or accepted for the peer that uses this libctx. Note that libssl
8460 * *requires* SHA2-256 to be available so we cannot disable that. We
8461 * also need SHA1 for our certificate.
8462 */
8463 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
8464 "SHA2-256:SHA1")))
8465 goto end;
8466 } else {
8467 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
8468 "ECDSA"))
8469 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
8470 "EC:X25519:X448")))
8471 goto end;
8472 }
8473
8474 if (idx == 1 || idx == 4)
8475 clientctx = tmpctx;
8476 else
8477 serverctx = tmpctx;
8478 }
8479
d8652be0
MC		 8480 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
8481 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 8482 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
8483 goto end;
b3842539 8484
b4c4a2c6
TM		 8485 if (idx != 5) {
8486 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8487 TLS_client_method(),
8488 TLS1_VERSION,
8489 0,
8490 &sctx, &cctx, cert, privkey)))
8491 goto end;
8492 } else {
8493 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8494 TLS_client_method(),
8495 TLS1_VERSION,
8496 0,
8497 &sctx, &cctx, cert2, privkey2)))
8498 goto end;
8499 }
b3842539 8500
b1fdbc68
MC		 8501 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
8502 if (idx < 4) {
8503 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8504 "ECDHE-RSA-AES128-GCM-SHA256")))
8505 goto end;
8506 } else {
8507 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
8508 "ECDHE-ECDSA-AES128-GCM-SHA256")))
8509 goto end;
8510 }
8511
b3842539
MC		 8512 if (idx < 3) {
8513 if (!SSL_CTX_set1_sigalgs_list(cctx,
8514 "rsa_pss_rsae_sha384"
8515 ":rsa_pss_rsae_sha256")
8516 || !SSL_CTX_set1_sigalgs_list(sctx,
8517 "rsa_pss_rsae_sha384"
8518 ":rsa_pss_rsae_sha256"))
8519 goto end;
8520 } else {
8521 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
8522 || !SSL_CTX_set1_sigalgs_list(sctx,
8523 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
8524 goto end;
8525 }
8526
b4c4a2c6
TM		 8527 if (idx != 5
8528 && (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
8529 SSL_FILETYPE_PEM), 1)
b3842539
MC		 8530 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
8531 privkey2,
8532 SSL_FILETYPE_PEM), 1)
b4c4a2c6 8533 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1)))
b3842539
MC		 8534 goto end;
8535
8536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
b4c4a2c6 8537 NULL, NULL)))
b3842539
MC		 8538 goto end;
8539
8540 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8541 goto end;
8542
8543 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
8544 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
8545 NULL, NULL),
8546 (idx == 0 || idx == 3) ? 2 : 1))
8547 goto end;
8548
8549 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
8550 goto end;
8551
8552 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
8553 : NID_rsassaPss))
8554 goto end;
8555
b0001d0c 8556 testresult = filter_provider_check_clean_finish();
b3842539
MC		 8557
8558 end:
8559 SSL_free(serverssl);
8560 SSL_free(clientssl);
8561 SSL_CTX_free(sctx);
8562 SSL_CTX_free(cctx);
8563 OSSL_PROVIDER_unload(filterprov);
b4250010 8564 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 8565
8566 return testresult;
8567}
b1fdbc68
MC		 8568#endif /*
8569 * !defined(OPENSSL_NO_EC) \
a763ca11 8570 * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b1fdbc68 8571 */
b3842539 8572
0c13cdf8 8573#ifndef OPENSSL_NO_TLS1_3
a763ca11 8574/* This test can run in TLSv1.3 even if ec and dh are disabled */
c8e3a4c6 8575static int test_pluggable_group(int idx)
0c13cdf8
MC		 8576{
8577 SSL_CTX *cctx = NULL, *sctx = NULL;
8578 SSL *clientssl = NULL, *serverssl = NULL;
8579 int testresult = 0;
8580 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 8581 /* Check that we are not impacted by a provider without any groups */
8582 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 8583 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 8584
5ae54dba 8585 if (!TEST_ptr(tlsprov))
0c13cdf8
MC		 8586 goto end;
8587
5ae54dba
MC		 8588 if (legacyprov == NULL) {
8589 /*
8590 * In this case we assume we've been built with "no-legacy" and skip
8591 * this test (there is no OPENSSL_NO_LEGACY)
8592 */
8593 testresult = 1;
8594 goto end;
8595 }
8596
0c13cdf8
MC		 8597 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8598 TLS_client_method(),
8599 TLS1_3_VERSION,
8600 TLS1_3_VERSION,
8601 &sctx, &cctx, cert, privkey))
8602 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8603 NULL, NULL)))
8604 goto end;
8605
c8e3a4c6
NT		 8606 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
8607 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 8608 goto end;
8609
8610 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8611 goto end;
8612
becbacd7
MB		 8613 if (!TEST_str_eq(group_name,
8614 SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0))))
8615 goto end;
8616
0c13cdf8
MC		 8617 testresult = 1;
8618
8619 end:
8620 SSL_free(serverssl);
8621 SSL_free(clientssl);
8622 SSL_CTX_free(sctx);
8623 SSL_CTX_free(cctx);
8624 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8625 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8626
8627 return testresult;
8628}
8629#endif
b3842539 8630
49a36a52
MC		 8631#ifndef OPENSSL_NO_TLS1_2
8632static int test_ssl_dup(void)
8633{
8634 SSL_CTX *cctx = NULL, *sctx = NULL;
8635 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8636 int testresult = 0;
8637 BIO *rbio = NULL, *wbio = NULL;
8638
8639 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8640 TLS_client_method(),
8641 0,
8642 0,
8643 &sctx, &cctx, cert, privkey)))
8644 goto end;
8645
8646 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8647 NULL, NULL)))
8648 goto end;
8649
8650 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8651 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8652 goto end;
8653
8654 client2ssl = SSL_dup(clientssl);
8655 rbio = SSL_get_rbio(clientssl);
8656 if (!TEST_ptr(rbio)
8657 || !TEST_true(BIO_up_ref(rbio)))
8658 goto end;
8659 SSL_set0_rbio(client2ssl, rbio);
8660 rbio = NULL;
8661
8662 wbio = SSL_get_wbio(clientssl);
8663 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8664 goto end;
8665 SSL_set0_wbio(client2ssl, wbio);
8666 rbio = NULL;
8667
8668 if (!TEST_ptr(client2ssl)
8669 /* Handshake not started so pointers should be different */
8670 || !TEST_ptr_ne(clientssl, client2ssl))
8671 goto end;
8672
8673 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8674 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8675 goto end;
8676
8677 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8678 goto end;
8679
8680 SSL_free(clientssl);
8681 clientssl = SSL_dup(client2ssl);
8682 if (!TEST_ptr(clientssl)
8683 /* Handshake has finished so pointers should be the same */
8684 || !TEST_ptr_eq(clientssl, client2ssl))
8685 goto end;
8686
8687 testresult = 1;
8688
8689 end:
8690 SSL_free(serverssl);
8691 SSL_free(clientssl);
8692 SSL_free(client2ssl);
8693 SSL_CTX_free(sctx);
8694 SSL_CTX_free(cctx);
8695
8696 return testresult;
8697}
33c39a06
MC		 8698
8699# ifndef OPENSSL_NO_DH
8700
8701static EVP_PKEY *tmp_dh_params = NULL;
8702
8703/* Helper function for the test_set_tmp_dh() tests */
8704static EVP_PKEY *get_tmp_dh_params(void)
8705{
8706 if (tmp_dh_params == NULL) {
8707 BIGNUM *p = NULL;
8708 OSSL_PARAM_BLD *tmpl = NULL;
8709 EVP_PKEY_CTX *pctx = NULL;
8710 OSSL_PARAM *params = NULL;
8711 EVP_PKEY *dhpkey = NULL;
8712
8713 p = BN_get_rfc3526_prime_2048(NULL);
8714 if (!TEST_ptr(p))
8715 goto end;
8716
8717 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8718 if (!TEST_ptr(pctx)
2db985b7 8719 || !TEST_true(EVP_PKEY_fromdata_init(pctx)))
33c39a06
MC		 8720 goto end;
8721
8722 tmpl = OSSL_PARAM_BLD_new();
8723 if (!TEST_ptr(tmpl)
8724 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8725 OSSL_PKEY_PARAM_FFC_P,
8726 p))
8727 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8728 OSSL_PKEY_PARAM_FFC_G,
8729 2)))
8730 goto end;
8731
8732 params = OSSL_PARAM_BLD_to_param(tmpl);
8733 if (!TEST_ptr(params)
2db985b7
SL		 8734 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey,
8735 EVP_PKEY_KEY_PARAMETERS, params)))
33c39a06
MC		 8736 goto end;
8737
8738 tmp_dh_params = dhpkey;
8739 end:
8740 BN_free(p);
8741 EVP_PKEY_CTX_free(pctx);
8742 OSSL_PARAM_BLD_free(tmpl);
3f883c7c 8743 OSSL_PARAM_free(params);
33c39a06
MC		 8744 }
8745
f1619160 8746 if (tmp_dh_params != NULL && !EVP_PKEY_up_ref(tmp_dh_params))
33c39a06
MC		 8747 return NULL;
8748
8749 return tmp_dh_params;
8750}
8751
39f3427d 8752# ifndef OPENSSL_NO_DEPRECATED_3_0
33c39a06
MC		 8753/* Callback used by test_set_tmp_dh() */
8754static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8755{
8756 EVP_PKEY *dhpkey = get_tmp_dh_params();
8757 DH *ret = NULL;
8758
8759 if (!TEST_ptr(dhpkey))
8760 return NULL;
8761
7bc0fdd3
MC		 8762 /*
8763 * libssl does not free the returned DH, so we free it now knowing that even
8764 * after we free dhpkey, there will still be a reference to the owning
8765 * EVP_PKEY in tmp_dh_params, and so the DH object will live for the length
8766 * of time we need it for.
8767 */
8768 ret = EVP_PKEY_get1_DH(dhpkey);
8769 DH_free(ret);
33c39a06
MC		 8770
8771 EVP_PKEY_free(dhpkey);
8772
8773 return ret;
8774}
8775# endif
8776
8777/*
8778 * Test the various methods for setting temporary DH parameters
8779 *
8780 * Test 0: Default (no auto) setting
8781 * Test 1: Explicit SSL_CTX auto off
8782 * Test 2: Explicit SSL auto off
8783 * Test 3: Explicit SSL_CTX auto on
8784 * Test 4: Explicit SSL auto on
8785 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8786 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8787 *
8788 * The following are testing deprecated APIs, so we only run them if available
8789 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8790 * Test 8: Explicit SSL auto off, custom DH params via DH
8791 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8792 * Test 10: Explicit SSL auto off, custom DH params via callback
8793 */
8794static int test_set_tmp_dh(int idx)
8795{
8796 SSL_CTX *cctx = NULL, *sctx = NULL;
8797 SSL *clientssl = NULL, *serverssl = NULL;
8798 int testresult = 0;
8799 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8800 int expected = (idx <= 2) ? 0 : 1;
8801 EVP_PKEY *dhpkey = NULL;
8802# ifndef OPENSSL_NO_DEPRECATED_3_0
8803 DH *dh = NULL;
8804# else
8805
8806 if (idx >= 7)
8807 return 1;
8808# endif
8809
8810 if (idx >= 5 && idx <= 8) {
8811 dhpkey = get_tmp_dh_params();
8812 if (!TEST_ptr(dhpkey))
8813 goto end;
8814 }
8815# ifndef OPENSSL_NO_DEPRECATED_3_0
8816 if (idx == 7 || idx == 8) {
7bc0fdd3 8817 dh = EVP_PKEY_get1_DH(dhpkey);
33c39a06
MC		 8818 if (!TEST_ptr(dh))
8819 goto end;
8820 }
8821# endif
8822
8823 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8824 TLS_client_method(),
8825 0,
8826 0,
8827 &sctx, &cctx, cert, privkey)))
8828 goto end;
8829
8830 if ((idx & 1) == 1) {
8831 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8832 goto end;
8833 }
8834
8835 if (idx == 5) {
8836 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8837 goto end;
8838 dhpkey = NULL;
8839 }
8840# ifndef OPENSSL_NO_DEPRECATED_3_0
8841 else if (idx == 7) {
8842 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8843 goto end;
8844 } else if (idx == 9) {
8845 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8846 }
8847# endif
8848
8849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8850 NULL, NULL)))
8851 goto end;
8852
8853 if ((idx & 1) == 0 && idx != 0) {
8854 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8855 goto end;
8856 }
8857 if (idx == 6) {
8858 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8859 goto end;
8860 dhpkey = NULL;
8861 }
8862# ifndef OPENSSL_NO_DEPRECATED_3_0
8863 else if (idx == 8) {
8864 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8865 goto end;
8866 } else if (idx == 10) {
8867 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8868 }
8869# endif
8870
8871 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8872 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8873 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8874 goto end;
8875
8876 /*
8877 * If autoon then we should succeed. Otherwise we expect failure because
8878 * there are no parameters
8879 */
8880 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8881 SSL_ERROR_NONE), expected))
8882 goto end;
8883
8884 testresult = 1;
8885
8886 end:
7bc0fdd3
MC		 8887# ifndef OPENSSL_NO_DEPRECATED_3_0
8888 DH_free(dh);
8889# endif
33c39a06
MC		 8890 SSL_free(serverssl);
8891 SSL_free(clientssl);
8892 SSL_CTX_free(sctx);
8893 SSL_CTX_free(cctx);
8894 EVP_PKEY_free(dhpkey);
8895
8896 return testresult;
8897}
3105d846
MC		 8898
8899/*
8900 * Test the auto DH keys are appropriately sized
8901 */
8902static int test_dh_auto(int idx)
8903{
8904 SSL_CTX *cctx = NULL, *sctx = NULL;
8905 SSL *clientssl = NULL, *serverssl = NULL;
8906 int testresult = 0;
8907 EVP_PKEY *tmpkey = NULL;
8908 char *thiscert = NULL, *thiskey = NULL;
8909 size_t expdhsize = 0;
8910 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8911
8912 switch (idx) {
8913 case 0:
8914 /* The FIPS provider doesn't support this DH size - so we ignore it */
8915 if (is_fips)
8916 return 1;
8917 thiscert = cert1024;
8918 thiskey = privkey1024;
8919 expdhsize = 1024;
8920 break;
8921 case 1:
8922 /* 2048 bit prime */
8923 thiscert = cert;
8924 thiskey = privkey;
8925 expdhsize = 2048;
8926 break;
8927 case 2:
8928 thiscert = cert3072;
8929 thiskey = privkey3072;
8930 expdhsize = 3072;
8931 break;
8932 case 3:
8933 thiscert = cert4096;
8934 thiskey = privkey4096;
8935 expdhsize = 4096;
8936 break;
8937 case 4:
8938 thiscert = cert8192;
8939 thiskey = privkey8192;
8940 expdhsize = 8192;
8941 break;
8942 /* No certificate cases */
8943 case 5:
8944 /* The FIPS provider doesn't support this DH size - so we ignore it */
8945 if (is_fips)
8946 return 1;
8947 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8948 expdhsize = 1024;
8949 break;
8950 case 6:
8951 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8952 expdhsize = 3072;
8953 break;
8954 default:
8955 TEST_error("Invalid text index");
8956 goto end;
8957 }
8958
8959 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8960 TLS_client_method(),
8961 0,
8962 0,
8963 &sctx, &cctx, thiscert, thiskey)))
8964 goto end;
8965
8966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8967 NULL, NULL)))
8968 goto end;
8969
8970 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8971 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8972 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8973 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8974 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8975 goto end;
8976
8977 /*
8978 * Send the server's first flight. At this point the server has created the
8979 * temporary DH key but hasn't finished using it yet. Once used it is
8980 * removed, so we cannot test it.
8981 */
8982 if (!TEST_int_le(SSL_connect(clientssl), 0)
8983 || !TEST_int_le(SSL_accept(serverssl), 0))
8984 goto end;
8985
8986 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8987 goto end;
ed576acd 8988 if (!TEST_size_t_eq(EVP_PKEY_get_bits(tmpkey), expdhsize))
3105d846
MC		 8989 goto end;
8990
8991 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8992 goto end;
8993
8994 testresult = 1;
8995
8996 end:
8997 SSL_free(serverssl);
8998 SSL_free(clientssl);
8999 SSL_CTX_free(sctx);
9000 SSL_CTX_free(cctx);
9001 EVP_PKEY_free(tmpkey);
9002
9003 return testresult;
9004
9005}
33c39a06
MC		 9006# endif /* OPENSSL_NO_DH */
9007#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 9008
a763ca11 9009#ifndef OSSL_NO_USABLE_TLS1_3
6582661f
MC		 9010/*
9011 * Test that setting an SNI callback works with TLSv1.3. Specifically we check
9012 * that it works even without a certificate configured for the original
9013 * SSL_CTX
9014 */
9015static int test_sni_tls13(void)
9016{
9017 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
9018 SSL *clientssl = NULL, *serverssl = NULL;
9019 int testresult = 0;
9020
9021 /* Reset callback counter */
9022 snicb = 0;
9023
9024 /* Create an initial SSL_CTX with no certificate configured */
9025 sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9026 if (!TEST_ptr(sctx))
9027 goto end;
9028 /* Require TLSv1.3 as a minimum */
9029 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
9030 TLS_client_method(), TLS1_3_VERSION, 0,
9031 &sctx2, &cctx, cert, privkey)))
9032 goto end;
9033
9034 /* Set up SNI */
9035 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
9036 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
9037 goto end;
9038
9039 /*
9040 * Connection should still succeed because the final SSL_CTX has the right
9041 * certificates configured.
9042 */
9043 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
9044 &clientssl, NULL, NULL))
9045 || !TEST_true(create_ssl_connection(serverssl, clientssl,
9046 SSL_ERROR_NONE)))
9047 goto end;
9048
9049 /* We should have had the SNI callback called exactly once */
9050 if (!TEST_int_eq(snicb, 1))
9051 goto end;
9052
9053 testresult = 1;
9054
9055end:
9056 SSL_free(serverssl);
9057 SSL_free(clientssl);
9058 SSL_CTX_free(sctx2);
9059 SSL_CTX_free(sctx);
9060 SSL_CTX_free(cctx);
9061 return testresult;
9062}
9063#endif
feba11cf
TS		 9064/*
9065 * Test that setting an ALPN does not violate RFC
9066 */
9067static int test_set_alpn(void)
9068{
9069 SSL_CTX *ctx = NULL;
9070 SSL *ssl = NULL;
9071 int testresult = 0;
9072
9073 unsigned char bad0[] = { 0x00, 'b', 'a', 'd' };
9074 unsigned char good[] = { 0x04, 'g', 'o', 'o', 'd' };
9075 unsigned char bad1[] = { 0x01, 'b', 'a', 'd' };
9076 unsigned char bad2[] = { 0x03, 'b', 'a', 'd', 0x00};
9077 unsigned char bad3[] = { 0x03, 'b', 'a', 'd', 0x01, 'b', 'a', 'd'};
9078 unsigned char bad4[] = { 0x03, 'b', 'a', 'd', 0x06, 'b', 'a', 'd'};
9079
9080 /* Create an initial SSL_CTX with no certificate configured */
9081 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9082 if (!TEST_ptr(ctx))
9083 goto end;
9084
9085 /* the set_alpn functions return 0 (false) on success, non-zero (true) on failure */
9086 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, NULL, 2)))
9087 goto end;
9088 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, 0)))
9089 goto end;
9090 if (!TEST_false(SSL_CTX_set_alpn_protos(ctx, good, sizeof(good))))
9091 goto end;
9092 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, good, 1)))
9093 goto end;
9094 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad0, sizeof(bad0))))
9095 goto end;
9096 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad1, sizeof(bad1))))
9097 goto end;
9098 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad2, sizeof(bad2))))
9099 goto end;
9100 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad3, sizeof(bad3))))
9101 goto end;
9102 if (!TEST_true(SSL_CTX_set_alpn_protos(ctx, bad4, sizeof(bad4))))
9103 goto end;
9104
9105 ssl = SSL_new(ctx);
9106 if (!TEST_ptr(ssl))
9107 goto end;
9108
9109 if (!TEST_false(SSL_set_alpn_protos(ssl, NULL, 2)))
9110 goto end;
9111 if (!TEST_false(SSL_set_alpn_protos(ssl, good, 0)))
9112 goto end;
9113 if (!TEST_false(SSL_set_alpn_protos(ssl, good, sizeof(good))))
9114 goto end;
9115 if (!TEST_true(SSL_set_alpn_protos(ssl, good, 1)))
9116 goto end;
9117 if (!TEST_true(SSL_set_alpn_protos(ssl, bad0, sizeof(bad0))))
9118 goto end;
9119 if (!TEST_true(SSL_set_alpn_protos(ssl, bad1, sizeof(bad1))))
9120 goto end;
9121 if (!TEST_true(SSL_set_alpn_protos(ssl, bad2, sizeof(bad2))))
9122 goto end;
9123 if (!TEST_true(SSL_set_alpn_protos(ssl, bad3, sizeof(bad3))))
9124 goto end;
9125 if (!TEST_true(SSL_set_alpn_protos(ssl, bad4, sizeof(bad4))))
9126 goto end;
9127
9128 testresult = 1;
9129
9130end:
9131 SSL_free(ssl);
9132 SSL_CTX_free(ctx);
9133 return testresult;
9134}
6582661f 9135
dfccfde0
CH		 9136static int test_inherit_verify_param(void)
9137{
9138 int testresult = 0;
9139
9140 SSL_CTX *ctx = NULL;
9141 X509_VERIFY_PARAM *cp = NULL;
9142 SSL *ssl = NULL;
9143 X509_VERIFY_PARAM *sp = NULL;
9144 int hostflags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
9145
9146 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
9147 if (!TEST_ptr(ctx))
9148 goto end;
9149
9150 cp = SSL_CTX_get0_param(ctx);
9151 if (!TEST_ptr(cp))
9152 goto end;
9153 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(cp), 0))
9154 goto end;
9155
9156 X509_VERIFY_PARAM_set_hostflags(cp, hostflags);
9157
9158 ssl = SSL_new(ctx);
9159 if (!TEST_ptr(ssl))
9160 goto end;
9161
9162 sp = SSL_get0_param(ssl);
9163 if (!TEST_ptr(sp))
9164 goto end;
9165 if (!TEST_int_eq(X509_VERIFY_PARAM_get_hostflags(sp), hostflags))
9166 goto end;
9167
9168 testresult = 1;
9169
9170 end:
9171 SSL_free(ssl);
9172 SSL_CTX_free(ctx);
9173
9174 return testresult;
9175}
9176
5e30f2fd 9177OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 9178
ad887416 9179int setup_tests(void)
2cb4b5f6 9180{
5e30f2fd
MC		 9181 char *modulename;
9182 char *configfile;
9183
b4250010 9184 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 9185 if (!TEST_ptr(libctx))
9186 return 0;
9187
9188 defctxnull = OSSL_PROVIDER_load(NULL, "null");
9189
9190 /*
9191 * Verify that the default and fips providers in the default libctx are not
9192 * available
9193 */
9194 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
9195 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
9196 return 0;
9197
8d242823
MC		 9198 if (!test_skip_common_options()) {
9199 TEST_error("Error parsing test options\n");
9200 return 0;
9201 }
9202
1a2a3a42
MC		 9203 if (!TEST_ptr(certsdir = test_get_argument(0))
9204 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 9205 || !TEST_ptr(tmpfilename = test_get_argument(2))
9206 || !TEST_ptr(modulename = test_get_argument(3))
9207 || !TEST_ptr(configfile = test_get_argument(4)))
9208 return 0;
9209
b4250010 9210 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 9211 return 0;
9212
9213 /* Check we have the expected provider available */
9214 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
9215 return 0;
9216
9217 /* Check the default provider is not available */
9218 if (strcmp(modulename, "default") != 0
9219 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 9220 return 0;
2cb4b5f6 9221
4f6c7044
MC		 9222 if (strcmp(modulename, "fips") == 0)
9223 is_fips = 1;
9224
0c13cdf8
MC		 9225 /*
9226 * We add, but don't load the test "tls-provider". We'll load it when we
9227 * need it.
9228 */
9229 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
9230 tls_provider_init)))
9231 return 0;
9232
9233
f297e4ec
RS		 9234 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
9235#ifdef OPENSSL_NO_CRYPTO_MDEBUG
9236 TEST_error("not supported in this build");
9237 return 0;
9238#else
9239 int i, mcount, rcount, fcount;
9240
9241 for (i = 0; i < 4; i++)
9242 test_export_key_mat(i);
9243 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
9244 test_printf_stdout("malloc %d realloc %d free %d\n",
9245 mcount, rcount, fcount);
9246 return 1;
9247#endif
9248 }
9249
1a2a3a42
MC		 9250 cert = test_mk_file_path(certsdir, "servercert.pem");
9251 if (cert == NULL)
b3842539 9252 goto err;
1a2a3a42
MC		 9253
9254 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 9255 if (privkey == NULL)
9256 goto err;
9257
9258 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
9259 if (cert2 == NULL)
9260 goto err;
9261
9262 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
9263 if (privkey2 == NULL)
9264 goto err;
1a2a3a42 9265
3105d846
MC		 9266 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
9267 if (cert1024 == NULL)
9268 goto err;
9269
9270 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
9271 if (privkey1024 == NULL)
9272 goto err;
9273
9274 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
9275 if (cert3072 == NULL)
9276 goto err;
9277
9278 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
9279 if (privkey3072 == NULL)
9280 goto err;
9281
9282 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
9283 if (cert4096 == NULL)
9284 goto err;
9285
9286 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
9287 if (privkey4096 == NULL)
9288 goto err;
9289
9290 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
9291 if (cert8192 == NULL)
9292 goto err;
9293
9294 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
9295 if (privkey8192 == NULL)
9296 goto err;
9297
da4db160 9298#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
a763ca11 9299# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
e1fdd526
JB		 9300 ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
9301 ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
c8e3a4c6 9302# endif
fe5d9450 9303#endif
84d5549e 9304 ADD_TEST(test_large_message_tls);
7856332e 9305 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 9306#ifndef OPENSSL_NO_DTLS
84d5549e 9307 ADD_TEST(test_large_message_dtls);
55386bef 9308#endif
163b8016 9309 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 9310#ifndef OPENSSL_NO_OCSP
c887104f 9311 ADD_TEST(test_tlsext_status_type);
8f8c11d8 9312#endif
eaa776da
MC		 9313 ADD_TEST(test_session_with_only_int_cache);
9314 ADD_TEST(test_session_with_only_ext_cache);
9315 ADD_TEST(test_session_with_both_cache);
90fc2c26 9316 ADD_TEST(test_session_wo_ca_names);
a763ca11 9317#ifndef OSSL_NO_USABLE_TLS1_3
04d7814a
MC		 9318 ADD_ALL_TESTS(test_stateful_tickets, 3);
9319 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 9320 ADD_TEST(test_psk_tickets);
f0049b86 9321 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 9322#endif
7fb4c820 9323 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 9324 ADD_TEST(test_ssl_bio_pop_next_bio);
9325 ADD_TEST(test_ssl_bio_pop_ssl_bio);
9326 ADD_TEST(test_ssl_bio_change_rbio);
9327 ADD_TEST(test_ssl_bio_change_wbio);
a763ca11 9328#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
f1b25aae 9329 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 9330 ADD_TEST(test_keylog);
c423ecaa 9331#endif
a763ca11 9332#ifndef OSSL_NO_USABLE_TLS1_3
6acdd3e5
CB		 9333 ADD_TEST(test_keylog_no_master_key);
9334#endif
0c3eb279 9335 ADD_TEST(test_client_cert_verify_cb);
4e4ae840
SL		 9336 ADD_TEST(test_ssl_build_cert_chain);
9337 ADD_TEST(test_ssl_ctx_build_cert_chain);
e9ee6536 9338#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 9339 ADD_TEST(test_client_hello_cb);
088dfa13 9340 ADD_TEST(test_no_ems);
3cd14e5e 9341 ADD_TEST(test_ccs_change_cipher);
5f982038 9342#endif
a763ca11 9343#ifndef OSSL_NO_USABLE_TLS1_3
02a3ed5a 9344 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 9345 /*
9346 * We don't do replay tests for external PSK. Replay protection isn't used
9347 * in that scenario.
9348 */
9349 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 9350 ADD_ALL_TESTS(test_early_data_skip, 3);
9351 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 9352 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 9353 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 9354 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 9355 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 9356 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 9357 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 9358# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 9359 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 9360# endif
e9ee6536 9361#endif
a763ca11 9362#ifndef OSSL_NO_USABLE_TLS1_3
034cb87b 9363 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 9364 ADD_TEST(test_ciphersuite_change);
5bf2eade 9365 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
9366# ifdef OPENSSL_NO_PSK
c2b290c3 9367 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 9368# else
0d8da779 9369 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 9370# endif /* OPENSSL_NO_PSK */
9371# ifndef OPENSSL_NO_TLS1_2
9372 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 9373 ADD_ALL_TESTS(test_key_exchange, 14);
6dc56df2
BK		 9374# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
9375 ADD_ALL_TESTS(test_negotiated_group,
9376 4 * (OSSL_NELEM(ecdhe_kexch_groups)
9377 + OSSL_NELEM(ffdhe_kexch_groups)));
9378# endif
5bf2eade 9379# else
9380 /* Test with only TLSv1.3 versions */
9381 ADD_ALL_TESTS(test_key_exchange, 12);
9382# endif
bb01ef3f 9383 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 9384 ADD_TEST(test_stateless);
9d75dce3 9385 ADD_TEST(test_pha_key_update);
a273157a 9386#else
bb01ef3f 9387 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 9388#endif
16afd71c 9389 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 9390 ADD_ALL_TESTS(test_export_key_mat, 6);
a763ca11 9391#ifndef OSSL_NO_USABLE_TLS1_3
b38ede80 9392 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 9393 ADD_TEST(test_key_update);
a77b4dba 9394 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 9395#endif
e11b6aa4 9396 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 9397 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 9398#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
9399 ADD_ALL_TESTS(test_srp, 6);
9400#endif
5718fe45 9401 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 9402 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 9403 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 9404 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 9405 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 9406 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 9407 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 9408 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 9409 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 9410#ifndef OPENSSL_NO_TLS1_2
9411 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
9412#endif
49ef3d07 9413 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68 9414#if !defined(OPENSSL_NO_EC) \
a763ca11 9415 && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 9416 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 9417#endif
9418#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 9419 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 9420#endif
9421#ifndef OPENSSL_NO_TLS1_2
9422 ADD_TEST(test_ssl_dup);
33c39a06
MC		 9423# ifndef OPENSSL_NO_DH
9424 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 9425 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 9426# endif
6582661f 9427#endif
a763ca11 9428#ifndef OSSL_NO_USABLE_TLS1_3
6582661f 9429 ADD_TEST(test_sni_tls13);
b3842539 9430#endif
dfccfde0 9431 ADD_TEST(test_inherit_verify_param);
feba11cf 9432 ADD_TEST(test_set_alpn);
25959e04 9433 ADD_ALL_TESTS(test_session_timeout, 1);
ad887416 9434 return 1;
b3842539
MC		 9435
9436 err:
9437 OPENSSL_free(cert);
9438 OPENSSL_free(privkey);
9439 OPENSSL_free(cert2);
9440 OPENSSL_free(privkey2);
9441 return 0;
ad887416 9442}
2cb4b5f6 9443
ad887416
P		 9444void cleanup_tests(void)
9445{
8778f0eb 9446# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 9447 EVP_PKEY_free(tmp_dh_params);
9448#endif
1a2a3a42
MC		 9449 OPENSSL_free(cert);
9450 OPENSSL_free(privkey);
b3842539
MC		 9451 OPENSSL_free(cert2);
9452 OPENSSL_free(privkey2);
3105d846
MC		 9453 OPENSSL_free(cert1024);
9454 OPENSSL_free(privkey1024);
9455 OPENSSL_free(cert3072);
9456 OPENSSL_free(privkey3072);
9457 OPENSSL_free(cert4096);
9458 OPENSSL_free(privkey4096);
9459 OPENSSL_free(cert8192);
9460 OPENSSL_free(privkey8192);
fa454945 9461 bio_s_mempacket_test_free();
a77b4dba 9462 bio_s_always_retry_free();
5e30f2fd 9463 OSSL_PROVIDER_unload(defctxnull);
b4250010 9464 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 9465}
A mirror of the official openssl repository