]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make it possible to give --libdir an absolute path
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
6738bf14 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ba881d3b
MC		 10#include <string.h>
11
2cb4b5f6
MC		 12#include <openssl/opensslconf.h>
13#include <openssl/bio.h>
14#include <openssl/crypto.h>
15#include <openssl/ssl.h>
ba881d3b 16#include <openssl/ocsp.h>
2cb4b5f6
MC		 17
18#include "ssltestlib.h"
c887104f 19#include "testutil.h"
176db6dc 20#include "internal/nelem.h"
ca0413ae 21#include "../ssl/ssl_locl.h"
2cb4b5f6
MC		 22
23static char *cert = NULL;
24static char *privkey = NULL;
25
6acdd3e5
CB		 26#define LOG_BUFFER_SIZE 1024
27static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 28static size_t server_log_buffer_index = 0;
6acdd3e5 29static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 30static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 31static int error_writing_log = 0;
32
8f8c11d8 33#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 34static const unsigned char orespder[] = "Dummy OCSP Response";
35static int ocsp_server_called = 0;
36static int ocsp_client_called = 0;
37
38static int cdummyarg = 1;
39static X509 *ocspcert = NULL;
8f8c11d8 40#endif
ba881d3b 41
84d5549e 42#define NUM_EXTRA_CERTS 40
cf72c757 43#define CLIENT_VERSION_LEN 2
84d5549e 44
f1a5939f
CB		 45/*
46 * This structure is used to validate that the correct number of log messages
47 * of various types are emitted when emitting secret logs.
48 */
49struct sslapitest_log_counts {
50 unsigned int rsa_key_exchange_count;
51 unsigned int master_secret_count;
52 unsigned int client_handshake_secret_count;
53 unsigned int server_handshake_secret_count;
54 unsigned int client_application_secret_count;
55 unsigned int server_application_secret_count;
56};
57
16afd71c
MC		 58
59static unsigned char serverinfov1[] = {
60 0xff, 0xff, /* Dummy extension type */
61 0x00, 0x01, /* Extension length is 1 byte */
62 0xff /* Dummy extension data */
63};
64
65static unsigned char serverinfov2[] = {
66 0x00, 0x00, 0x00,
67 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
68 0xff, 0xff, /* Dummy extension type */
69 0x00, 0x01, /* Extension length is 1 byte */
70 0xff /* Dummy extension data */
71};
72
710756a9
RS		 73static void client_keylog_callback(const SSL *ssl, const char *line)
74{
6acdd3e5
CB		 75 int line_length = strlen(line);
76
77 /* If the log doesn't fit, error out. */
710756a9
RS		 78 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
79 TEST_info("Client log too full");
6acdd3e5
CB		 80 error_writing_log = 1;
81 return;
82 }
83
84 strcat(client_log_buffer, line);
85 client_log_buffer_index += line_length;
710756a9 86 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 87}
88
710756a9
RS		 89static void server_keylog_callback(const SSL *ssl, const char *line)
90{
6acdd3e5
CB		 91 int line_length = strlen(line);
92
93 /* If the log doesn't fit, error out. */
710756a9 94 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 95 TEST_info("Server log too full");
6acdd3e5
CB		 96 error_writing_log = 1;
97 return;
98 }
99
100 strcat(server_log_buffer, line);
101 server_log_buffer_index += line_length;
710756a9 102 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 103}
104
105static int compare_hex_encoded_buffer(const char *hex_encoded,
106 size_t hex_length,
107 const uint8_t *raw,
710756a9
RS		 108 size_t raw_length)
109{
110 size_t i, j;
111 char hexed[3];
6acdd3e5 112
710756a9 113 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 114 return 1;
6acdd3e5 115
710756a9 116 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 117 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 118 if (!TEST_int_eq(hexed[0], hex_encoded[j])
119 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 120 return 1;
6acdd3e5
CB		 121 }
122
123 return 0;
124}
125
126static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 127 const SSL_SESSION *session,
710756a9
RS		 128 struct sslapitest_log_counts *expected)
129{
6acdd3e5
CB		 130 char *token = NULL;
131 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
132 size_t client_random_size = SSL3_RANDOM_SIZE;
133 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
134 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 135 unsigned int rsa_key_exchange_count = 0;
136 unsigned int master_secret_count = 0;
137 unsigned int client_handshake_secret_count = 0;
138 unsigned int server_handshake_secret_count = 0;
139 unsigned int client_application_secret_count = 0;
140 unsigned int server_application_secret_count = 0;
6acdd3e5 141
710756a9
RS		 142 for (token = strtok(buffer, " \n"); token != NULL;
143 token = strtok(NULL, " \n")) {
6acdd3e5 144 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 145 /*
146 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 147 * hex-encoded encrypted secret, then the hex-encoded pre-master
148 * secret.
149 */
710756a9 150 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 151 return 0;
710756a9 152 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 153 return 0;
710756a9 154 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 155 return 0;
f1a5939f
CB		 156 /*
157 * We can't sensibly check the log because the premaster secret is
158 * transient, and OpenSSL doesn't keep hold of it once the master
159 * secret is generated.
160 */
161 rsa_key_exchange_count++;
6acdd3e5 162 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 163 /*
164 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 165 * client random, then the hex-encoded master secret.
166 */
167 client_random_size = SSL_get_client_random(ssl,
168 actual_client_random,
169 SSL3_RANDOM_SIZE);
710756a9 170 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 171 return 0;
6acdd3e5 172
710756a9 173 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 174 return 0;
710756a9 175 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 176 return 0;
710756a9
RS		 177 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
178 actual_client_random,
179 client_random_size)))
f1a5939f 180 return 0;
6acdd3e5 181
710756a9 182 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 183 return 0;
6acdd3e5
CB		 184 master_key_size = SSL_SESSION_get_master_key(session,
185 actual_master_key,
186 master_key_size);
710756a9 187 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 188 return 0;
710756a9
RS		 189 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
190 actual_master_key,
191 master_key_size)))
f1a5939f 192 return 0;
f1a5939f 193 master_secret_count++;
710756a9
RS		 194 } else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
195 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
196 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
197 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0) {
f1a5939f
CB		 198 /*
199 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
200 * client random, and then the hex-encoded secret. In this case,
201 * we treat all of these secrets identically and then just
202 * distinguish between them when counting what we saw.
203 */
204 if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
205 client_handshake_secret_count++;
206 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
207 server_handshake_secret_count++;
208 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
209 client_application_secret_count++;
210 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
211 server_application_secret_count++;
212
213 client_random_size = SSL_get_client_random(ssl,
214 actual_client_random,
215 SSL3_RANDOM_SIZE);
710756a9 216 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 217 return 0;
f1a5939f 218
710756a9 219 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 220 return 0;
710756a9 221 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 222 return 0;
710756a9
RS		 223 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
224 actual_client_random,
225 client_random_size)))
f1a5939f 226 return 0;
6acdd3e5 227
710756a9 228 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 229 return 0;
f1a5939f
CB		 230
231 /*
232 * TODO(TLS1.3): test that application traffic secrets are what
233 * we expect */
6acdd3e5 234 } else {
710756a9 235 TEST_info("Unexpected token %s\n", token);
f1a5939f 236 return 0;
6acdd3e5 237 }
6acdd3e5
CB		 238 }
239
710756a9
RS		 240 /* Got what we expected? */
241 if (!TEST_size_t_eq(rsa_key_exchange_count,
242 expected->rsa_key_exchange_count)
243 || !TEST_size_t_eq(master_secret_count,
244 expected->master_secret_count)
245 || !TEST_size_t_eq(client_handshake_secret_count,
246 expected->client_handshake_secret_count)
247 || !TEST_size_t_eq(server_handshake_secret_count,
248 expected->server_handshake_secret_count)
249 || !TEST_size_t_eq(client_application_secret_count,
250 expected->client_application_secret_count)
251 || !TEST_size_t_eq(server_application_secret_count,
252 expected->server_application_secret_count))
253 return 0;
254 return 1;
6acdd3e5
CB		 255}
256
c423ecaa 257#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 258static int test_keylog(void)
259{
6acdd3e5
CB		 260 SSL_CTX *cctx = NULL, *sctx = NULL;
261 SSL *clientssl = NULL, *serverssl = NULL;
262 int testresult = 0;
f1a5939f 263 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 264
265 /* Clean up logging space */
710756a9
RS		 266 memset(client_log_buffer, 0, sizeof(client_log_buffer));
267 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 268 client_log_buffer_index = 0;
269 server_log_buffer_index = 0;
270 error_writing_log = 0;
271
710756a9
RS		 272 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
273 TLS_client_method(),
274 &sctx, &cctx, cert, privkey)))
6acdd3e5 275 return 0;
6acdd3e5
CB		 276
277 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
278 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
279 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
280
f0deb4d3 281 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 282 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 283 goto end;
f0deb4d3 284
cf10df81
RS		 285 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
286 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 287 goto end;
6acdd3e5 288 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 289 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
290 == client_keylog_callback))
6acdd3e5 291 goto end;
710756a9 292 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 293 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
294 == server_keylog_callback))
6acdd3e5 295 goto end;
6acdd3e5 296
710756a9
RS		 297 /* Now do a handshake and check that the logs have been written to. */
298 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
299 &clientssl, NULL, NULL))
300 || !TEST_true(create_ssl_connection(serverssl, clientssl,
301 SSL_ERROR_NONE))
302 || !TEST_false(error_writing_log)
303 || !TEST_int_gt(client_log_buffer_index, 0)
304 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 305 goto end;
6acdd3e5 306
f1a5939f
CB		 307 /*
308 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 309 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 310 * data we expect. For both client and server, we expect to see one master
311 * secret. The client should also see a RSA key exchange.
6acdd3e5 312 */
f1a5939f
CB		 313 expected.rsa_key_exchange_count = 1;
314 expected.master_secret_count = 1;
710756a9
RS		 315 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
316 SSL_get_session(clientssl), &expected)))
6acdd3e5 317 goto end;
f1a5939f
CB		 318
319 expected.rsa_key_exchange_count = 0;
710756a9
RS		 320 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
321 SSL_get_session(serverssl), &expected)))
6acdd3e5 322 goto end;
6acdd3e5
CB		 323
324 testresult = 1;
325
326end:
327 SSL_free(serverssl);
328 SSL_free(clientssl);
329 SSL_CTX_free(sctx);
330 SSL_CTX_free(cctx);
331
332 return testresult;
333}
c423ecaa 334#endif
6acdd3e5
CB		 335
336#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 337static int test_keylog_no_master_key(void)
338{
6acdd3e5
CB		 339 SSL_CTX *cctx = NULL, *sctx = NULL;
340 SSL *clientssl = NULL, *serverssl = NULL;
341 int testresult = 0;
f1a5939f 342 struct sslapitest_log_counts expected = {0};
6acdd3e5
CB		 343
344 /* Clean up logging space */
710756a9
RS		 345 memset(client_log_buffer, 0, sizeof(client_log_buffer));
346 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 347 client_log_buffer_index = 0;
348 server_log_buffer_index = 0;
349 error_writing_log = 0;
350
710756a9
RS		 351 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
352 TLS_client_method(), &sctx,
353 &cctx, cert, privkey)))
6acdd3e5 354 return 0;
6acdd3e5 355
cf10df81
RS		 356 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
357 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 358 goto end;
6acdd3e5
CB		 359
360 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 361 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
362 == client_keylog_callback))
6acdd3e5 363 goto end;
6acdd3e5 364
710756a9 365 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 366 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
367 == server_keylog_callback))
6acdd3e5 368 goto end;
6acdd3e5 369
710756a9
RS		 370 /* Now do a handshake and check that the logs have been written to. */
371 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
372 &clientssl, NULL, NULL))
373 || !TEST_true(create_ssl_connection(serverssl, clientssl,
374 SSL_ERROR_NONE))
375 || !TEST_false(error_writing_log))
6acdd3e5 376 goto end;
6acdd3e5 377
f1a5939f
CB		 378 /*
379 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 380 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 381 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 382 */
f1a5939f
CB		 383 expected.client_handshake_secret_count = 1;
384 expected.server_handshake_secret_count = 1;
385 expected.client_application_secret_count = 1;
386 expected.server_application_secret_count = 1;
710756a9
RS		 387 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
388 SSL_get_session(clientssl), &expected))
389 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
390 SSL_get_session(serverssl),
391 &expected)))
6acdd3e5 392 goto end;
6acdd3e5
CB		 393
394 testresult = 1;
395
396end:
397 SSL_free(serverssl);
398 SSL_free(clientssl);
399 SSL_CTX_free(sctx);
400 SSL_CTX_free(cctx);
401
402 return testresult;
403}
404#endif
405
e9ee6536 406#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 407static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 408{
409 int *ctr = arg;
410 const unsigned char *p;
8ea404fb 411 int *exts;
2afaee51
BK		 412 /* We only configure two ciphers, but the SCSV is added automatically. */
413#ifdef OPENSSL_NO_EC
414 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
415#else
416 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
417 0x2c, 0x00, 0xff};
418#endif
8ea404fb
BK		 419 const int expected_extensions[] = {
420#ifndef OPENSSL_NO_EC
421 11, 10,
422#endif
10ed1b72 423 35, 22, 23, 13};
2afaee51
BK		 424 size_t len;
425
426 /* Make sure we can defer processing and get called back. */
427 if ((*ctr)++ == 0)
f1b97da1 428 return SSL_CLIENT_HELLO_RETRY;
2afaee51 429
a9c0d8be 430 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 431 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 432 || !TEST_size_t_eq(
433 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 434 || !TEST_int_eq(*p, 0))
f1b97da1 435 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 436 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 437 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 438 if (len != OSSL_NELEM(expected_extensions) ||
439 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 440 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 441 OPENSSL_free(exts);
f1b97da1 442 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 443 }
444 OPENSSL_free(exts);
f1b97da1 445 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 446}
447
a9c0d8be 448static int test_client_hello_cb(void)
710756a9 449{
2afaee51
BK		 450 SSL_CTX *cctx = NULL, *sctx = NULL;
451 SSL *clientssl = NULL, *serverssl = NULL;
452 int testctr = 0, testresult = 0;
453
710756a9
RS		 454 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
455 TLS_client_method(), &sctx,
456 &cctx, cert, privkey)))
2afaee51 457 goto end;
a9c0d8be 458 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 459
2afaee51
BK		 460 /* The gimpy cipher list we configure can't do TLS 1.3. */
461 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 462
710756a9
RS		 463 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
464 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
465 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
466 &clientssl, NULL, NULL))
467 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 468 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 469 /*
470 * Passing a -1 literal is a hack since
471 * the real value was lost.
472 * */
a9c0d8be
DB		 473 || !TEST_int_eq(SSL_get_error(serverssl, -1),
474 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 475 || !TEST_true(create_ssl_connection(serverssl, clientssl,
476 SSL_ERROR_NONE)))
2afaee51 477 goto end;
2afaee51
BK		 478
479 testresult = 1;
480
481end:
482 SSL_free(serverssl);
483 SSL_free(clientssl);
484 SSL_CTX_free(sctx);
485 SSL_CTX_free(cctx);
486
487 return testresult;
488}
e9ee6536 489#endif
2afaee51 490
84d5549e 491static int execute_test_large_message(const SSL_METHOD *smeth,
7856332e 492 const SSL_METHOD *cmeth, int read_ahead)
84d5549e
MC		 493{
494 SSL_CTX *cctx = NULL, *sctx = NULL;
495 SSL *clientssl = NULL, *serverssl = NULL;
496 int testresult = 0;
497 int i;
710756a9 498 BIO *certbio = NULL;
84d5549e
MC		 499 X509 *chaincert = NULL;
500 int certlen;
501
710756a9 502 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 503 goto end;
84d5549e 504 chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
fa454945
MC		 505 BIO_free(certbio);
506 certbio = NULL;
710756a9 507 if (!TEST_ptr(chaincert))
fa454945 508 goto end;
84d5549e 509
710756a9
RS		 510 if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
511 &cctx, cert, privkey)))
84d5549e 512 goto end;
84d5549e 513
710756a9 514 if (read_ahead) {
7856332e
MC		 515 /*
516 * Test that read_ahead works correctly when dealing with large
517 * records
518 */
519 SSL_CTX_set_read_ahead(cctx, 1);
520 }
521
84d5549e
MC		 522 /*
523 * We assume the supplied certificate is big enough so that if we add
524 * NUM_EXTRA_CERTS it will make the overall message large enough. The
525 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 526 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
527 * test we need to have a message larger than that.
84d5549e
MC		 528 */
529 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 530 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
531 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 532 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 533 if (!X509_up_ref(chaincert))
84d5549e 534 goto end;
84d5549e 535 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 536 X509_free(chaincert);
537 goto end;
538 }
539 }
540
710756a9
RS		 541 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
542 NULL, NULL))
543 || !TEST_true(create_ssl_connection(serverssl, clientssl,
544 SSL_ERROR_NONE)))
84d5549e 545 goto end;
84d5549e 546
4bf08600
MC		 547 /*
548 * Calling SSL_clear() first is not required but this tests that SSL_clear()
549 * doesn't leak (when using enable-crypto-mdebug).
550 */
710756a9 551 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 552 goto end;
84d5549e 553
4bf08600 554 testresult = 1;
84d5549e
MC		 555 end:
556 X509_free(chaincert);
557 SSL_free(serverssl);
558 SSL_free(clientssl);
559 SSL_CTX_free(sctx);
560 SSL_CTX_free(cctx);
561
562 return testresult;
563}
564
565static int test_large_message_tls(void)
566{
7856332e
MC		 567 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
568 0);
569}
570
571static int test_large_message_tls_read_ahead(void)
572{
573 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
574 1);
84d5549e
MC		 575}
576
55386bef 577#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 578static int test_large_message_dtls(void)
579{
7856332e
MC		 580 /*
581 * read_ahead is not relevant to DTLS because DTLS always acts as if
582 * read_ahead is set.
583 */
84d5549e 584 return execute_test_large_message(DTLS_server_method(),
7856332e 585 DTLS_client_method(), 0);
84d5549e 586}
55386bef 587#endif
84d5549e 588
8f8c11d8 589#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 590static int ocsp_server_cb(SSL *s, void *arg)
591{
592 int *argi = (int *)arg;
710756a9 593 unsigned char *copy = NULL;
ba881d3b
MC		 594 STACK_OF(OCSP_RESPID) *ids = NULL;
595 OCSP_RESPID *id = NULL;
596
597 if (*argi == 2) {
598 /* In this test we are expecting exactly 1 OCSP_RESPID */
599 SSL_get_tlsext_status_ids(s, &ids);
600 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
601 return SSL_TLSEXT_ERR_ALERT_FATAL;
602
603 id = sk_OCSP_RESPID_value(ids, 0);
604 if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
605 return SSL_TLSEXT_ERR_ALERT_FATAL;
606 } else if (*argi != 1) {
607 return SSL_TLSEXT_ERR_ALERT_FATAL;
608 }
609
710756a9 610 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 611 return SSL_TLSEXT_ERR_ALERT_FATAL;
612
710756a9 613 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 614 ocsp_server_called = 1;
ba881d3b
MC		 615 return SSL_TLSEXT_ERR_OK;
616}
617
618static int ocsp_client_cb(SSL *s, void *arg)
619{
620 int *argi = (int *)arg;
621 const unsigned char *respderin;
622 size_t len;
623
624 if (*argi != 1 && *argi != 2)
625 return 0;
626
627 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 628 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 629 return 0;
630
631 ocsp_client_called = 1;
ba881d3b
MC		 632 return 1;
633}
634
2cb4b5f6
MC		 635static int test_tlsext_status_type(void)
636{
ba881d3b
MC		 637 SSL_CTX *cctx = NULL, *sctx = NULL;
638 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 639 int testresult = 0;
ba881d3b
MC		 640 STACK_OF(OCSP_RESPID) *ids = NULL;
641 OCSP_RESPID *id = NULL;
642 BIO *certbio = NULL;
2cb4b5f6 643
ba881d3b 644 if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
710756a9 645 &cctx, cert, privkey))
ba881d3b 646 return 0;
2cb4b5f6 647
710756a9 648 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 649 goto end;
2cb4b5f6 650
ba881d3b 651 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 652
ba881d3b 653 clientssl = SSL_new(cctx);
710756a9
RS		 654 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
655 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
656 TLSEXT_STATUSTYPE_ocsp))
657 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
658 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 659 goto end;
2cb4b5f6 660
ba881d3b
MC		 661 SSL_free(clientssl);
662 clientssl = NULL;
2cb4b5f6 663
710756a9
RS		 664 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
665 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 666 goto end;
2cb4b5f6 667
ba881d3b 668 clientssl = SSL_new(cctx);
710756a9 669 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 670 goto end;
ba881d3b
MC		 671 SSL_free(clientssl);
672 clientssl = NULL;
673
674 /*
675 * Now actually do a handshake and check OCSP information is exchanged and
676 * the callbacks get called
677 */
ba881d3b
MC		 678 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
679 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
680 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
681 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 682 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
683 &clientssl, NULL, NULL))
684 || !TEST_true(create_ssl_connection(serverssl, clientssl,
685 SSL_ERROR_NONE))
686 || !TEST_true(ocsp_client_called)
687 || !TEST_true(ocsp_server_called))
ba881d3b 688 goto end;
ba881d3b
MC		 689 SSL_free(serverssl);
690 SSL_free(clientssl);
691 serverssl = NULL;
692 clientssl = NULL;
693
694 /* Try again but this time force the server side callback to fail */
695 ocsp_client_called = 0;
696 ocsp_server_called = 0;
697 cdummyarg = 0;
710756a9
RS		 698 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
699 &clientssl, NULL, NULL))
700 /* This should fail because the callback will fail */
701 || !TEST_false(create_ssl_connection(serverssl, clientssl,
702 SSL_ERROR_NONE))
703 || !TEST_false(ocsp_client_called)
704 || !TEST_false(ocsp_server_called))
ba881d3b 705 goto end;
ba881d3b
MC		 706 SSL_free(serverssl);
707 SSL_free(clientssl);
708 serverssl = NULL;
709 clientssl = NULL;
710
711 /*
712 * This time we'll get the client to send an OCSP_RESPID that it will
713 * accept.
714 */
715 ocsp_client_called = 0;
716 ocsp_server_called = 0;
717 cdummyarg = 2;
710756a9
RS		 718 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
719 &clientssl, NULL, NULL)))
ba881d3b 720 goto end;
ba881d3b
MC		 721
722 /*
723 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 724 * specific one. We'll use the server cert.
ba881d3b 725 */
710756a9
RS		 726 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
727 || !TEST_ptr(id = OCSP_RESPID_new())
728 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
729 || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
730 NULL, NULL, NULL))
731 || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
732 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 733 goto end;
ba881d3b
MC		 734 id = NULL;
735 SSL_set_tlsext_status_ids(clientssl, ids);
736 /* Control has been transferred */
737 ids = NULL;
738
739 BIO_free(certbio);
740 certbio = NULL;
741
710756a9
RS		 742 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
743 SSL_ERROR_NONE))
744 || !TEST_true(ocsp_client_called)
745 || !TEST_true(ocsp_server_called))
ba881d3b 746 goto end;
ba881d3b 747
2cb4b5f6
MC		 748 testresult = 1;
749
750 end:
ba881d3b
MC		 751 SSL_free(serverssl);
752 SSL_free(clientssl);
753 SSL_CTX_free(sctx);
754 SSL_CTX_free(cctx);
755 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
756 OCSP_RESPID_free(id);
757 BIO_free(certbio);
758 X509_free(ocspcert);
759 ocspcert = NULL;
2cb4b5f6
MC		 760
761 return testresult;
762}
8f8c11d8 763#endif
2cb4b5f6 764
bf208d95 765#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 766static int new_called, remove_called, get_called;
eaa776da 767
eaa776da
MC		 768static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
769{
770 new_called++;
c0537ebd
MC		 771 /*
772 * sess has been up-refed for us, but we don't actually need it so free it
773 * immediately.
774 */
775 SSL_SESSION_free(sess);
eaa776da
MC		 776 return 1;
777}
778
779static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
780{
781 remove_called++;
782}
783
7a301f08
MC		 784static SSL_SESSION *get_sess_val = NULL;
785
786static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
787 int *copy)
788{
0afca811 789 get_called++;
7a301f08
MC		 790 *copy = 1;
791 return get_sess_val;
792}
793
7a301f08
MC		 794static int execute_test_session(int maxprot, int use_int_cache,
795 int use_ext_cache)
2cb4b5f6
MC		 796{
797 SSL_CTX *sctx = NULL, *cctx = NULL;
798 SSL *serverssl1 = NULL, *clientssl1 = NULL;
799 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 800# ifndef OPENSSL_NO_TLS1_1
eaa776da 801 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 802# endif
2cb4b5f6
MC		 803 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
804 int testresult = 0;
805
7e885b7b
P		 806 new_called = remove_called = 0;
807
710756a9
RS		 808 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
809 TLS_client_method(), &sctx,
810 &cctx, cert, privkey)))
2cb4b5f6 811 return 0;
2cb4b5f6 812
7a301f08
MC		 813 /*
814 * Only allow the max protocol version so we can force a connection failure
815 * later
816 */
817 SSL_CTX_set_min_proto_version(cctx, maxprot);
818 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 819
820 /* Set up session cache */
7e885b7b 821 if (use_ext_cache) {
eaa776da
MC		 822 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
823 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
824 }
7e885b7b 825 if (use_int_cache) {
eaa776da
MC		 826 /* Also covers instance where both are set */
827 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
828 } else {
829 SSL_CTX_set_session_cache_mode(cctx,
830 SSL_SESS_CACHE_CLIENT
831 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
832 }
2cb4b5f6 833
710756a9
RS		 834 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
835 NULL, NULL))
836 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
837 SSL_ERROR_NONE))
838 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 839 goto end;
2cb4b5f6 840
710756a9 841 /* Should fail because it should already be in the cache */
7e885b7b 842 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 843 goto end;
7a301f08
MC		 844 if (use_ext_cache
845 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
b4982125 846 goto end;
b4982125 847
c0537ebd
MC		 848 new_called = remove_called = 0;
849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
850 &clientssl2, NULL, NULL))
851 || !TEST_true(SSL_set_session(clientssl2, sess1))
852 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
853 SSL_ERROR_NONE))
854 || !TEST_true(SSL_session_reused(clientssl2)))
855 goto end;
856
7a301f08
MC		 857 if (maxprot == TLS1_3_VERSION) {
858 /*
859 * In TLSv1.3 we should have created a new session even though we have
860 * resumed. The original session should also have been removed.
861 */
862 if (use_ext_cache
863 && (!TEST_int_eq(new_called, 1)
864 || !TEST_int_eq(remove_called, 1)))
865 goto end;
866 } else {
867 /*
868 * In TLSv1.2 we expect to have resumed so no sessions added or
869 * removed.
870 */
871 if (use_ext_cache
872 && (!TEST_int_eq(new_called, 0)
873 || !TEST_int_eq(remove_called, 0)))
874 goto end;
875 }
c0537ebd
MC		 876
877 SSL_SESSION_free(sess1);
878 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
879 goto end;
880 shutdown_ssl_connection(serverssl2, clientssl2);
881 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 882
883 new_called = remove_called = 0;
710756a9
RS		 884 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
885 &clientssl2, NULL, NULL))
886 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
887 SSL_ERROR_NONE)))
2cb4b5f6 888 goto end;
2cb4b5f6 889
710756a9 890 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 891 goto end;
2cb4b5f6 892
7a301f08
MC		 893 if (use_ext_cache
894 && (!TEST_int_eq(new_called, 1) || !TEST_int_eq(remove_called, 0)))
eaa776da 895 goto end;
eaa776da 896
c0537ebd 897 new_called = remove_called = 0;
2cb4b5f6 898 /*
710756a9
RS		 899 * This should clear sess2 from the cache because it is a "bad" session.
900 * See SSL_set_session() documentation.
2cb4b5f6 901 */
710756a9 902 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 903 goto end;
7a301f08
MC		 904 if (use_ext_cache
905 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 906 goto end;
710756a9 907 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 908 goto end;
2cb4b5f6 909
7e885b7b 910 if (use_int_cache) {
710756a9
RS		 911 /* Should succeeded because it should not already be in the cache */
912 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
913 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 914 goto end;
eaa776da
MC		 915 }
916
c0537ebd 917 new_called = remove_called = 0;
eaa776da 918 /* This shouldn't be in the cache so should fail */
710756a9 919 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 920 goto end;
2cb4b5f6 921
7a301f08
MC		 922 if (use_ext_cache
923 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 924 goto end;
2cb4b5f6 925
bf208d95 926# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 927 new_called = remove_called = 0;
eaa776da
MC		 928 /* Force a connection failure */
929 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 930 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
931 &clientssl3, NULL, NULL))
932 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 933 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 934 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
935 SSL_ERROR_NONE)))
eaa776da 936 goto end;
b4982125 937
eaa776da 938 /* We should have automatically removed the session from the cache */
7a301f08
MC		 939 if (use_ext_cache
940 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 941 goto end;
2cb4b5f6 942
710756a9 943 /* Should succeed because it should not already be in the cache */
7e885b7b 944 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 945 goto end;
bf208d95 946# endif
eaa776da 947
7a301f08
MC		 948 /* Now do some tests for server side caching */
949 if (use_ext_cache) {
950 SSL_CTX_sess_set_new_cb(cctx, NULL);
951 SSL_CTX_sess_set_remove_cb(cctx, NULL);
952 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
953 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
954 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
955 get_sess_val = NULL;
956 }
957
958 SSL_CTX_set_session_cache_mode(cctx, 0);
959 /* Internal caching is the default on the server side */
960 if (!use_int_cache)
961 SSL_CTX_set_session_cache_mode(sctx,
962 SSL_SESS_CACHE_SERVER
963 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
964
965 SSL_free(serverssl1);
966 SSL_free(clientssl1);
967 serverssl1 = clientssl1 = NULL;
968 SSL_free(serverssl2);
969 SSL_free(clientssl2);
970 serverssl2 = clientssl2 = NULL;
971 SSL_SESSION_free(sess1);
972 sess1 = NULL;
973 SSL_SESSION_free(sess2);
974 sess2 = NULL;
975
976 SSL_CTX_set_max_proto_version(sctx, maxprot);
977 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 978 new_called = remove_called = get_called = 0;
7a301f08
MC		 979 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
980 NULL, NULL))
981 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
982 SSL_ERROR_NONE))
983 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
984 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
985 goto end;
986
987 /* Should fail because it should already be in the cache */
988 if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
989 goto end;
990
991 if (use_ext_cache) {
992 SSL_SESSION *tmp = sess2;
993
0afca811
KY		 994 if (!TEST_int_eq(new_called, 1)
995 || !TEST_int_eq(remove_called, 0)
996 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 997 goto end;
998 /*
999 * Delete the session from the internal cache to force a lookup from
1000 * the external cache. We take a copy first because
1001 * SSL_CTX_remove_session() also marks the session as non-resumable.
1002 */
3cb6a4d6
BK		 1003 if (use_int_cache) {
1004 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1005 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1006 goto end;
1007 SSL_SESSION_free(sess2);
1008 }
7a301f08
MC		 1009 sess2 = tmp;
1010 }
1011
0afca811 1012 new_called = remove_called = get_called = 0;
7a301f08
MC		 1013 get_sess_val = sess2;
1014 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1015 &clientssl2, NULL, NULL))
1016 || !TEST_true(SSL_set_session(clientssl2, sess1))
1017 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1018 SSL_ERROR_NONE))
1019 || !TEST_true(SSL_session_reused(clientssl2)))
1020 goto end;
1021
0afca811
KY		 1022 if (use_ext_cache) {
1023 if (!TEST_int_eq(new_called, 0)
1024 || !TEST_int_eq(remove_called, 0))
1025 goto end;
1026
1027 if (maxprot == TLS1_3_VERSION) {
1028 if (!TEST_int_eq(get_called, 0))
1029 goto end;
1030 } else {
1031 if (!TEST_int_eq(get_called, 1))
1032 goto end;
1033 }
1034 }
7a301f08 1035
2cb4b5f6 1036 testresult = 1;
eaa776da 1037
2cb4b5f6
MC		 1038 end:
1039 SSL_free(serverssl1);
1040 SSL_free(clientssl1);
1041 SSL_free(serverssl2);
1042 SSL_free(clientssl2);
bf208d95 1043# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1044 SSL_free(serverssl3);
1045 SSL_free(clientssl3);
bf208d95 1046# endif
2cb4b5f6
MC		 1047 SSL_SESSION_free(sess1);
1048 SSL_SESSION_free(sess2);
1049 SSL_CTX_free(sctx);
1050 SSL_CTX_free(cctx);
1051
1052 return testresult;
1053}
bf208d95 1054#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1055
7fb4c820
MC		 1056static int test_session_with_only_int_cache(void)
1057{
7a301f08
MC		 1058#ifndef OPENSSL_NO_TLS1_3
1059 if (!execute_test_session(TLS1_3_VERSION, 1, 0))
1060 return 0;
1061#endif
1062
1063#ifndef OPENSSL_NO_TLS1_2
1064 return execute_test_session(TLS1_2_VERSION, 1, 0);
1065#else
1066 return 1;
1067#endif
eaa776da
MC		 1068}
1069
7fb4c820
MC		 1070static int test_session_with_only_ext_cache(void)
1071{
7a301f08
MC		 1072#ifndef OPENSSL_NO_TLS1_3
1073 if (!execute_test_session(TLS1_3_VERSION, 0, 1))
1074 return 0;
1075#endif
1076
1077#ifndef OPENSSL_NO_TLS1_2
1078 return execute_test_session(TLS1_2_VERSION, 0, 1);
1079#else
1080 return 1;
1081#endif
eaa776da
MC		 1082}
1083
7fb4c820
MC		 1084static int test_session_with_both_cache(void)
1085{
7a301f08
MC		 1086#ifndef OPENSSL_NO_TLS1_3
1087 if (!execute_test_session(TLS1_3_VERSION, 1, 1))
1088 return 0;
1089#endif
1090
1091#ifndef OPENSSL_NO_TLS1_2
1092 return execute_test_session(TLS1_2_VERSION, 1, 1);
1093#else
1094 return 1;
1095#endif
eaa776da
MC		 1096}
1097
7fb4c820
MC		 1098#define USE_NULL 0
1099#define USE_BIO_1 1
1100#define USE_BIO_2 2
1101
1102#define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
1103
1104static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
1105{
1106 switch (type) {
1107 case USE_NULL:
1108 *res = NULL;
1109 break;
1110 case USE_BIO_1:
1111 *res = bio1;
1112 break;
1113 case USE_BIO_2:
1114 *res = bio2;
1115 break;
1116 }
1117}
1118
1119static int test_ssl_set_bio(int idx)
1120{
710756a9 1121 SSL_CTX *ctx;
7fb4c820
MC		 1122 BIO *bio1 = NULL;
1123 BIO *bio2 = NULL;
0fae8150 1124 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7fb4c820
MC		 1125 SSL *ssl = NULL;
1126 int initrbio, initwbio, newrbio, newwbio;
1127 int testresult = 0;
1128
7fb4c820
MC		 1129 initrbio = idx % 3;
1130 idx /= 3;
1131 initwbio = idx % 3;
1132 idx /= 3;
1133 newrbio = idx % 3;
1134 idx /= 3;
1135 newwbio = idx;
710756a9
RS		 1136 if (!TEST_int_le(newwbio, 2))
1137 return 0;
1138
1139 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1140 || !TEST_ptr(ssl = SSL_new(ctx)))
1141 goto end;
7fb4c820 1142
710756a9
RS		 1143 if (initrbio == USE_BIO_1
1144 || initwbio == USE_BIO_1
1145 || newrbio == USE_BIO_1
7fb4c820 1146 || newwbio == USE_BIO_1) {
710756a9 1147 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 1148 goto end;
7fb4c820
MC		 1149 }
1150
710756a9
RS		 1151 if (initrbio == USE_BIO_2
1152 || initwbio == USE_BIO_2
1153 || newrbio == USE_BIO_2
7fb4c820 1154 || newwbio == USE_BIO_2) {
710756a9 1155 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 1156 goto end;
7fb4c820
MC		 1157 }
1158
1159 setupbio(&irbio, bio1, bio2, initrbio);
1160 setupbio(&iwbio, bio1, bio2, initwbio);
1161
1162 /*
1163 * We want to maintain our own refs to these BIO, so do an up ref for each
69687aa8 1164 * BIO that will have ownership transferred in the SSL_set_bio() call
7fb4c820
MC		 1165 */
1166 if (irbio != NULL)
1167 BIO_up_ref(irbio);
1168 if (iwbio != NULL && iwbio != irbio)
1169 BIO_up_ref(iwbio);
1170
1171 SSL_set_bio(ssl, irbio, iwbio);
1172
1173 setupbio(&nrbio, bio1, bio2, newrbio);
1174 setupbio(&nwbio, bio1, bio2, newwbio);
1175
1176 /*
1177 * We will (maybe) transfer ownership again so do more up refs.
1178 * SSL_set_bio() has some really complicated ownership rules where BIOs have
1179 * already been set!
1180 */
710756a9
RS		 1181 if (nrbio != NULL
1182 && nrbio != irbio
1183 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 1184 BIO_up_ref(nrbio);
710756a9
RS		 1185 if (nwbio != NULL
1186 && nwbio != nrbio
1187 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 1188 BIO_up_ref(nwbio);
1189
1190 SSL_set_bio(ssl, nrbio, nwbio);
1191
1192 testresult = 1;
1193
1194 end:
1195 SSL_free(ssl);
1196 BIO_free(bio1);
1197 BIO_free(bio2);
710756a9 1198
7fb4c820
MC		 1199 /*
1200 * This test is checking that the ref counting for SSL_set_bio is correct.
1201 * If we get here and we did too many frees then we will fail in the above
1202 * functions. If we haven't done enough then this will only be detected in
1203 * a crypto-mdebug build
1204 */
1205 SSL_CTX_free(ctx);
7fb4c820
MC		 1206 return testresult;
1207}
1208
7e885b7b 1209typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 1210
7e885b7b 1211static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 1212{
1213 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 1214 SSL_CTX *ctx;
9a716987
MC		 1215 SSL *ssl = NULL;
1216 int testresult = 0;
1217
710756a9
RS		 1218 if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
1219 || !TEST_ptr(ssl = SSL_new(ctx))
1220 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
1221 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 1222 goto end;
9a716987
MC		 1223
1224 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
1225
1226 /*
1227 * If anything goes wrong here then we could leak memory, so this will
1228 * be caught in a crypto-mdebug build
1229 */
1230 BIO_push(sslbio, membio1);
1231
69687aa8 1232 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 1233 if (change_bio != NO_BIO_CHANGE) {
710756a9 1234 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 1235 goto end;
7e885b7b 1236 if (change_bio == CHANGE_RBIO)
65e2d672 1237 SSL_set0_rbio(ssl, membio2);
9a716987 1238 else
65e2d672 1239 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 1240 }
1241 ssl = NULL;
1242
7e885b7b 1243 if (pop_ssl)
9a716987
MC		 1244 BIO_pop(sslbio);
1245 else
1246 BIO_pop(membio1);
1247
1248 testresult = 1;
1249 end:
1250 BIO_free(membio1);
1251 BIO_free(sslbio);
1252 SSL_free(ssl);
1253 SSL_CTX_free(ctx);
1254
1255 return testresult;
1256}
1257
1258static int test_ssl_bio_pop_next_bio(void)
1259{
7e885b7b 1260 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 1261}
1262
1263static int test_ssl_bio_pop_ssl_bio(void)
1264{
7e885b7b 1265 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 1266}
1267
1268static int test_ssl_bio_change_rbio(void)
1269{
7e885b7b 1270 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 1271}
1272
1273static int test_ssl_bio_change_wbio(void)
1274{
7e885b7b 1275 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 1276}
1277
c423ecaa 1278#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 1279typedef struct {
1280 /* The list of sig algs */
1281 const int *list;
1282 /* The length of the list */
1283 size_t listlen;
1284 /* A sigalgs list in string format */
1285 const char *liststr;
1286 /* Whether setting the list should succeed */
1287 int valid;
1288 /* Whether creating a connection with the list should succeed */
1289 int connsuccess;
1290} sigalgs_list;
1291
1292static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 1293# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1294static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
1295static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 1296# endif
f1b25aae
MC		 1297static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
1298static const int invalidlist2[] = {NID_sha256, NID_undef};
1299static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
1300static const int invalidlist4[] = {NID_sha256};
1301static const sigalgs_list testsigalgs[] = {
1302 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 1303# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1304 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
1305 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 1306# endif
f1b25aae 1307 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 1308# ifndef OPENSSL_NO_EC
f1b25aae
MC		 1309 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
1310 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 1311# endif
f1b25aae
MC		 1312 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
1313 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
1314 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
1315 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
1316 {NULL, 0, "RSA", 0, 0},
1317 {NULL, 0, "SHA256", 0, 0},
1318 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 1319 {NULL, 0, "Invalid", 0, 0}
1320};
f1b25aae
MC		 1321
1322static int test_set_sigalgs(int idx)
1323{
1324 SSL_CTX *cctx = NULL, *sctx = NULL;
1325 SSL *clientssl = NULL, *serverssl = NULL;
1326 int testresult = 0;
1327 const sigalgs_list *curr;
1328 int testctx;
1329
1330 /* Should never happen */
710756a9 1331 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 1332 return 0;
1333
1334 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
1335 curr = testctx ? &testsigalgs[idx]
1336 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
1337
710756a9
RS		 1338 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1339 TLS_client_method(), &sctx,
1340 &cctx, cert, privkey)))
f1b25aae 1341 return 0;
f1b25aae 1342
d2e491f2
MC		 1343 /*
1344 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
1345 * for TLSv1.2 for now until we add a new API.
1346 */
1347 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
1348
f1b25aae
MC		 1349 if (testctx) {
1350 int ret;
710756a9 1351
f1b25aae
MC		 1352 if (curr->list != NULL)
1353 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
1354 else
1355 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
1356
1357 if (!ret) {
1358 if (curr->valid)
710756a9 1359 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1360 else
1361 testresult = 1;
1362 goto end;
1363 }
1364 if (!curr->valid) {
710756a9 1365 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 1366 goto end;
1367 }
1368 }
1369
710756a9
RS		 1370 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1371 &clientssl, NULL, NULL)))
f1b25aae 1372 goto end;
f1b25aae
MC		 1373
1374 if (!testctx) {
1375 int ret;
1376
1377 if (curr->list != NULL)
1378 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
1379 else
1380 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
1381 if (!ret) {
1382 if (curr->valid)
710756a9 1383 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 1384 else
1385 testresult = 1;
1386 goto end;
1387 }
710756a9 1388 if (!curr->valid)
f1b25aae 1389 goto end;
f1b25aae
MC		 1390 }
1391
710756a9
RS		 1392 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
1393 SSL_ERROR_NONE),
1394 curr->connsuccess))
f1b25aae 1395 goto end;
f1b25aae
MC		 1396
1397 testresult = 1;
1398
1399 end:
1400 SSL_free(serverssl);
1401 SSL_free(clientssl);
1402 SSL_CTX_free(sctx);
1403 SSL_CTX_free(cctx);
1404
1405 return testresult;
1406}
c423ecaa 1407#endif
f1b25aae 1408
fff202e5
MC		 1409#ifndef OPENSSL_NO_TLS1_3
1410
57dee9bb
MC		 1411static SSL_SESSION *clientpsk = NULL;
1412static SSL_SESSION *serverpsk = NULL;
02a3ed5a
MC		 1413static const char *pskid = "Identity";
1414static const char *srvid;
1415
1416static int use_session_cb_cnt = 0;
1417static int find_session_cb_cnt = 0;
1418
1419static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
1420 size_t *idlen, SSL_SESSION **sess)
1421{
1422 switch (++use_session_cb_cnt) {
1423 case 1:
1424 /* The first call should always have a NULL md */
1425 if (md != NULL)
1426 return 0;
1427 break;
1428
1429 case 2:
1430 /* The second call should always have an md */
1431 if (md == NULL)
1432 return 0;
1433 break;
1434
1435 default:
1436 /* We should only be called a maximum of twice */
1437 return 0;
1438 }
1439
57dee9bb
MC		 1440 if (clientpsk != NULL)
1441 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 1442
57dee9bb 1443 *sess = clientpsk;
02a3ed5a
MC		 1444 *id = (const unsigned char *)pskid;
1445 *idlen = strlen(pskid);
1446
1447 return 1;
1448}
1449
1450static int find_session_cb(SSL *ssl, const unsigned char *identity,
1451 size_t identity_len, SSL_SESSION **sess)
1452{
1453 find_session_cb_cnt++;
1454
1455 /* We should only ever be called a maximum of twice per connection */
1456 if (find_session_cb_cnt > 2)
1457 return 0;
1458
57dee9bb 1459 if (serverpsk == NULL)
02a3ed5a
MC		 1460 return 0;
1461
1462 /* Identity should match that set by the client */
1463 if (strlen(srvid) != identity_len
1464 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
1465 /* No PSK found, continue but without a PSK */
1466 *sess = NULL;
1467 return 1;
1468 }
1469
57dee9bb
MC		 1470 SSL_SESSION_up_ref(serverpsk);
1471 *sess = serverpsk;
02a3ed5a
MC		 1472
1473 return 1;
1474}
1475
5f982038
MC		 1476#define MSG1 "Hello"
1477#define MSG2 "World."
1478#define MSG3 "This"
1479#define MSG4 "is"
1480#define MSG5 "a"
90049cea
MC		 1481#define MSG6 "test"
1482#define MSG7 "message."
5f982038 1483
02a3ed5a
MC		 1484#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
1485
5f982038
MC		 1486/*
1487 * Helper method to setup objects for early data test. Caller frees objects on
1488 * error.
1489 */
1490static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 1491 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 1492{
710756a9
RS		 1493 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
1494 TLS_client_method(), sctx,
1495 cctx, cert, privkey)))
5f982038 1496 return 0;
5f982038 1497
02a3ed5a
MC		 1498 if (idx == 1) {
1499 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 1500 SSL_CTX_set_read_ahead(*cctx, 1);
1501 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 1502 } else if (idx == 2) {
1503 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
1504 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
1505 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
1506 use_session_cb_cnt = 0;
1507 find_session_cb_cnt = 0;
1508 srvid = pskid;
3cb47b4e
MC		 1509 }
1510
710756a9 1511 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 1512 NULL, NULL)))
1513 return 0;
1514
141e4709
MC		 1515 /*
1516 * For one of the run throughs (doesn't matter which one), we'll try sending
1517 * some SNI data in the initial ClientHello. This will be ignored (because
1518 * there is no SNI cb set up by the server), so it should not impact
1519 * early_data.
1520 */
1521 if (idx == 1
1522 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
1523 return 0;
1524
02a3ed5a
MC		 1525 if (idx == 2) {
1526 /* Create the PSK */
1527 const SSL_CIPHER *cipher = NULL;
1528 const unsigned char key[] = {
1529 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
1530 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1531 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
1532 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
1533 0x2c, 0x2d, 0x2e, 0x2f
1534 };
1535
1536 cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 1537 clientpsk = SSL_SESSION_new();
1538 if (!TEST_ptr(clientpsk)
02a3ed5a 1539 || !TEST_ptr(cipher)
57dee9bb 1540 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
02a3ed5a 1541 sizeof(key)))
57dee9bb 1542 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
02a3ed5a 1543 || !TEST_true(
57dee9bb 1544 SSL_SESSION_set_protocol_version(clientpsk,
02a3ed5a
MC		 1545 TLS1_3_VERSION))
1546 /*
1547 * We just choose an arbitrary value for max_early_data which
1548 * should be big enough for testing purposes.
1549 */
57dee9bb
MC		 1550 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
1551 0x100))
1552 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
1553 SSL_SESSION_free(clientpsk);
1554 clientpsk = NULL;
02a3ed5a
MC		 1555 return 0;
1556 }
57dee9bb 1557 serverpsk = clientpsk;
02a3ed5a
MC		 1558
1559 if (sess != NULL)
57dee9bb 1560 *sess = clientpsk;
02a3ed5a
MC		 1561 return 1;
1562 }
1563
1564 if (sess == NULL)
1565 return 1;
1566
1567 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
1568 SSL_ERROR_NONE)))
5f982038 1569 return 0;
5f982038
MC		 1570
1571 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 1572 SSL_shutdown(*clientssl);
1573 SSL_shutdown(*serverssl);
5f982038
MC		 1574 SSL_free(*serverssl);
1575 SSL_free(*clientssl);
1576 *serverssl = *clientssl = NULL;
1577
710756a9
RS		 1578 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
1579 clientssl, NULL, NULL))
1580 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 1581 return 0;
5f982038
MC		 1582
1583 return 1;
1584}
1585
3cb47b4e 1586static int test_early_data_read_write(int idx)
5f982038
MC		 1587{
1588 SSL_CTX *cctx = NULL, *sctx = NULL;
1589 SSL *clientssl = NULL, *serverssl = NULL;
1590 int testresult = 0;
1591 SSL_SESSION *sess = NULL;
9b5c865d
MC		 1592 unsigned char buf[20], data[1024];
1593 size_t readbytes, written, eoedlen, rawread, rawwritten;
1594 BIO *rbio;
5f982038 1595
710756a9
RS		 1596 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1597 &serverssl, &sess, idx)))
5f982038
MC		 1598 goto end;
1599
1600 /* Write and read some early data */
710756a9
RS		 1601 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1602 &written))
1603 || !TEST_size_t_eq(written, strlen(MSG1))
1604 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
1605 sizeof(buf), &readbytes),
1606 SSL_READ_EARLY_DATA_SUCCESS)
1607 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
1608 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1609 SSL_EARLY_DATA_ACCEPTED))
5f982038 1610 goto end;
5f982038
MC		 1611
1612 /*
09f28874 1613 * Server should be able to write data, and client should be able to
5f982038
MC		 1614 * read it.
1615 */
710756a9
RS		 1616 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
1617 &written))
1618 || !TEST_size_t_eq(written, strlen(MSG2))
1619 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1620 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1621 goto end;
5f982038
MC		 1622
1623 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 1624 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
1625 &written))
1626 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 1627 goto end;
5f982038 1628
09f28874 1629 /* Server should still be able read early data after writing data */
710756a9
RS		 1630 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1631 &readbytes),
1632 SSL_READ_EARLY_DATA_SUCCESS)
1633 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 1634 goto end;
5f982038 1635
09f28874 1636 /* Write more data from server and read it from client */
710756a9
RS		 1637 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
1638 &written))
1639 || !TEST_size_t_eq(written, strlen(MSG4))
1640 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1641 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 1642 goto end;
5f982038
MC		 1643
1644 /*
1645 * If client writes normal data it should mean writing early data is no
1646 * longer possible.
1647 */
710756a9
RS		 1648 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1649 || !TEST_size_t_eq(written, strlen(MSG5))
1650 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1651 SSL_EARLY_DATA_ACCEPTED))
5f982038 1652 goto end;
5f982038 1653
9b5c865d
MC		 1654 /*
1655 * At this point the client has written EndOfEarlyData, ClientFinished and
1656 * normal (fully protected) data. We are going to cause a delay between the
1657 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
1658 * in the read BIO, and then just put back the EndOfEarlyData message.
1659 */
1660 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 1661 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
1662 || !TEST_size_t_lt(rawread, sizeof(data))
1663 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 1664 goto end;
710756a9 1665
9b5c865d
MC		 1666 /* Record length is in the 4th and 5th bytes of the record header */
1667 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 1668 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
1669 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 1670 goto end;
9b5c865d 1671
5f982038 1672 /* Server should be told that there is no more early data */
710756a9
RS		 1673 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1674 &readbytes),
1675 SSL_READ_EARLY_DATA_FINISH)
1676 || !TEST_size_t_eq(readbytes, 0))
5f982038 1677 goto end;
5f982038 1678
9b5c865d
MC		 1679 /*
1680 * Server has not finished init yet, so should still be able to write early
1681 * data.
1682 */
710756a9
RS		 1683 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
1684 &written))
1685 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 1686 goto end;
9b5c865d 1687
f8a303fa 1688 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 1689 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
1690 &rawwritten))
1691 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 1692 goto end;
f8a303fa 1693
5f982038 1694 /* Server should be able to read normal data */
710756a9
RS		 1695 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1696 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1697 goto end;
5f982038 1698
09f28874 1699 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1700 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1701 &written)))
5f982038 1702 goto end;
5f982038 1703 ERR_clear_error();
710756a9
RS		 1704 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1705 &readbytes),
1706 SSL_READ_EARLY_DATA_ERROR))
5f982038 1707 goto end;
5f982038
MC		 1708 ERR_clear_error();
1709
9b5c865d 1710 /* Client should be able to read the data sent by the server */
710756a9
RS		 1711 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1712 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 1713 goto end;
710756a9 1714
f8a303fa
MC		 1715 /*
1716 * Make sure we process the NewSessionTicket. This arrives post-handshake.
1717 * We attempt a read which we do not expect to return any data.
1718 */
710756a9 1719 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
f8a303fa 1720 goto end;
5f982038 1721
90049cea 1722 /* Server should be able to write normal data */
710756a9
RS		 1723 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
1724 || !TEST_size_t_eq(written, strlen(MSG7))
1725 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1726 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 1727 goto end;
90049cea 1728
02a3ed5a
MC		 1729 /* We keep the PSK session around if using PSK */
1730 if (idx != 2)
1731 SSL_SESSION_free(sess);
5f982038 1732 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 1733 use_session_cb_cnt = 0;
1734 find_session_cb_cnt = 0;
5f982038
MC		 1735
1736 SSL_shutdown(clientssl);
1737 SSL_shutdown(serverssl);
5f982038
MC		 1738 SSL_free(serverssl);
1739 SSL_free(clientssl);
1740 serverssl = clientssl = NULL;
710756a9
RS		 1741 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1742 &clientssl, NULL, NULL))
1743 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 1744 goto end;
5f982038
MC		 1745
1746 /* Write and read some early data */
710756a9
RS		 1747 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1748 &written))
1749 || !TEST_size_t_eq(written, strlen(MSG1))
1750 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1751 &readbytes),
1752 SSL_READ_EARLY_DATA_SUCCESS)
1753 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 1754 goto end;
5f982038 1755
710756a9
RS		 1756 if (!TEST_int_gt(SSL_connect(clientssl), 0)
1757 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 1758 goto end;
5f982038 1759
09f28874 1760 /* Client and server should not be able to write/read early data now */
710756a9
RS		 1761 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
1762 &written)))
5f982038 1763 goto end;
5f982038 1764 ERR_clear_error();
710756a9
RS		 1765 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1766 &readbytes),
1767 SSL_READ_EARLY_DATA_ERROR))
5f982038 1768 goto end;
5f982038
MC		 1769 ERR_clear_error();
1770
1771 /* Client and server should be able to write/read normal data */
710756a9
RS		 1772 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
1773 || !TEST_size_t_eq(written, strlen(MSG5))
1774 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1775 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 1776 goto end;
5f982038
MC		 1777
1778 testresult = 1;
1779
1780 end:
57dee9bb
MC		 1781 if (sess != clientpsk)
1782 SSL_SESSION_free(sess);
1783 SSL_SESSION_free(clientpsk);
1784 SSL_SESSION_free(serverpsk);
1785 clientpsk = serverpsk = NULL;
5f982038
MC		 1786 SSL_free(serverssl);
1787 SSL_free(clientssl);
1788 SSL_CTX_free(sctx);
1789 SSL_CTX_free(cctx);
5f982038
MC		 1790 return testresult;
1791}
1792
710756a9 1793/*
6b84e6bf
MC		 1794 * Helper function to test that a server attempting to read early data can
1795 * handle a connection from a client where the early data should be skipped.
710756a9 1796 */
6b84e6bf 1797static int early_data_skip_helper(int hrr, int idx)
5f982038
MC		 1798{
1799 SSL_CTX *cctx = NULL, *sctx = NULL;
1800 SSL *clientssl = NULL, *serverssl = NULL;
1801 int testresult = 0;
018fcbec 1802 SSL_SESSION *sess = NULL;
5f982038
MC		 1803 unsigned char buf[20];
1804 size_t readbytes, written;
1805
710756a9
RS		 1806 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1807 &serverssl, &sess, idx)))
5f982038
MC		 1808 goto end;
1809
6b84e6bf
MC		 1810 if (hrr) {
1811 /* Force an HRR to occur */
1812 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
1813 goto end;
02a3ed5a
MC		 1814 } else if (idx == 2) {
1815 /*
1816 * We force early_data rejection by ensuring the PSK identity is
1817 * unrecognised
1818 */
1819 srvid = "Dummy Identity";
6b84e6bf
MC		 1820 } else {
1821 /*
1822 * Deliberately corrupt the creation time. We take 20 seconds off the
1823 * time. It could be any value as long as it is not within tolerance.
1824 * This should mean the ticket is rejected.
1825 */
5d99881e 1826 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 1827 goto end;
1828 }
5f982038
MC		 1829
1830 /* Write some early data */
710756a9
RS		 1831 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
1832 &written))
1833 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 1834 goto end;
5f982038
MC		 1835
1836 /* Server should reject the early data and skip over it */
710756a9
RS		 1837 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1838 &readbytes),
1839 SSL_READ_EARLY_DATA_FINISH)
1840 || !TEST_size_t_eq(readbytes, 0)
1841 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1842 SSL_EARLY_DATA_REJECTED))
5f982038 1843 goto end;
5f982038 1844
6b84e6bf
MC		 1845 if (hrr) {
1846 /*
1847 * Finish off the handshake. We perform the same writes and reads as
1848 * further down but we expect them to fail due to the incomplete
1849 * handshake.
1850 */
1851 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1852 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
1853 &readbytes)))
1854 goto end;
1855 }
1856
710756a9
RS		 1857 /* Should be able to send normal data despite rejection of early data */
1858 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
1859 || !TEST_size_t_eq(written, strlen(MSG2))
1860 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1861 SSL_EARLY_DATA_REJECTED)
1862 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1863 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1864 goto end;
5f982038
MC		 1865
1866 testresult = 1;
1867
1868 end:
57dee9bb
MC		 1869 if (sess != clientpsk)
1870 SSL_SESSION_free(clientpsk);
1871 SSL_SESSION_free(serverpsk);
1872 clientpsk = serverpsk = NULL;
5f982038
MC		 1873 SSL_SESSION_free(sess);
1874 SSL_free(serverssl);
1875 SSL_free(clientssl);
1876 SSL_CTX_free(sctx);
1877 SSL_CTX_free(cctx);
5f982038
MC		 1878 return testresult;
1879}
1880
6b84e6bf
MC		 1881/*
1882 * Test that a server attempting to read early data can handle a connection
1883 * from a client where the early data is not acceptable.
1884 */
1885static int test_early_data_skip(int idx)
1886{
1887 return early_data_skip_helper(0, idx);
1888}
1889
1890/*
1891 * Test that a server attempting to read early data can handle a connection
1892 * from a client where an HRR occurs.
1893 */
1894static int test_early_data_skip_hrr(int idx)
1895{
1896 return early_data_skip_helper(1, idx);
1897}
1898
710756a9
RS		 1899/*
1900 * Test that a server attempting to read early data can handle a connection
1901 * from a client that doesn't send any.
1902 */
3cb47b4e 1903static int test_early_data_not_sent(int idx)
5f982038
MC		 1904{
1905 SSL_CTX *cctx = NULL, *sctx = NULL;
1906 SSL *clientssl = NULL, *serverssl = NULL;
1907 int testresult = 0;
018fcbec 1908 SSL_SESSION *sess = NULL;
5f982038
MC		 1909 unsigned char buf[20];
1910 size_t readbytes, written;
1911
710756a9
RS		 1912 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
1913 &serverssl, &sess, idx)))
5f982038
MC		 1914 goto end;
1915
1916 /* Write some data - should block due to handshake with server */
1917 SSL_set_connect_state(clientssl);
710756a9 1918 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 1919 goto end;
5f982038
MC		 1920
1921 /* Server should detect that early data has not been sent */
710756a9
RS		 1922 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
1923 &readbytes),
1924 SSL_READ_EARLY_DATA_FINISH)
1925 || !TEST_size_t_eq(readbytes, 0)
1926 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
1927 SSL_EARLY_DATA_NOT_SENT)
1928 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
1929 SSL_EARLY_DATA_NOT_SENT))
5f982038 1930 goto end;
5f982038
MC		 1931
1932 /* Continue writing the message we started earlier */
710756a9
RS		 1933 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
1934 || !TEST_size_t_eq(written, strlen(MSG1))
1935 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
1936 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
1937 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
1938 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 1939 goto end;
5f982038 1940
3cb47b4e
MC		 1941 /*
1942 * Should block due to the NewSessionTicket arrival unless we're using
1943 * read_ahead
1944 */
02a3ed5a 1945 if (idx != 1) {
710756a9 1946 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
3cb47b4e 1947 goto end;
5f982038
MC		 1948 }
1949
710756a9
RS		 1950 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
1951 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 1952 goto end;
5f982038
MC		 1953
1954 testresult = 1;
1955
1956 end:
57dee9bb 1957 /* If using PSK then clientpsk and sess are the same */
5f982038 1958 SSL_SESSION_free(sess);
57dee9bb
MC		 1959 SSL_SESSION_free(serverpsk);
1960 clientpsk = serverpsk = NULL;
5f982038
MC		 1961 SSL_free(serverssl);
1962 SSL_free(clientssl);
1963 SSL_CTX_free(sctx);
1964 SSL_CTX_free(cctx);
5f982038
MC		 1965 return testresult;
1966}
1967
976e5323
MC		 1968static int hostname_cb(SSL *s, int *al, void *arg)
1969{
1970 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1971
281bf233 1972 if (hostname != NULL && strcmp(hostname, "goodhost") == 0)
976e5323
MC		 1973 return SSL_TLSEXT_ERR_OK;
1974
1975 return SSL_TLSEXT_ERR_NOACK;
1976}
1977
1978static const char *servalpn;
1979
c7558d5b
PY		 1980static int alpn_select_cb(SSL *ssl, const unsigned char **out,
1981 unsigned char *outlen, const unsigned char *in,
1982 unsigned int inlen, void *arg)
976e5323 1983{
c7558d5b 1984 unsigned int protlen = 0;
976e5323
MC		 1985 const unsigned char *prot;
1986
c7558d5b
PY		 1987 for (prot = in; prot < in + inlen; prot += protlen) {
1988 protlen = *prot++;
5d99881e 1989 if (in + inlen < prot + protlen)
976e5323
MC		 1990 return SSL_TLSEXT_ERR_NOACK;
1991
1992 if (protlen == strlen(servalpn)
0bd42fde 1993 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 1994 *out = prot;
1995 *outlen = protlen;
1996 return SSL_TLSEXT_ERR_OK;
1997 }
1998 }
1999
2000 return SSL_TLSEXT_ERR_NOACK;
2001}
2002
57dee9bb 2003/* Test that a PSK can be used to send early_data */
976e5323
MC		 2004static int test_early_data_psk(int idx)
2005{
2006 SSL_CTX *cctx = NULL, *sctx = NULL;
2007 SSL *clientssl = NULL, *serverssl = NULL;
2008 int testresult = 0;
2009 SSL_SESSION *sess = NULL;
57dee9bb
MC		 2010 unsigned char alpnlist[] = {
2011 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
2012 'l', 'p', 'n'
2013 };
2014#define GOODALPNLEN 9
2015#define BADALPNLEN 8
2016#define GOODALPN (alpnlist)
2017#define BADALPN (alpnlist + GOODALPNLEN)
2018 int err = 0;
976e5323
MC		 2019 unsigned char buf[20];
2020 size_t readbytes, written;
57dee9bb 2021 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 2022 int edstatus = SSL_EARLY_DATA_ACCEPTED;
2023
2024 /* We always set this up with a final parameter of "2" for PSK */
2025 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2026 &serverssl, &sess, 2)))
2027 goto end;
2028
976e5323
MC		 2029 servalpn = "goodalpn";
2030
57dee9bb
MC		 2031 /*
2032 * Note: There is no test for inconsistent SNI with late client detection.
2033 * This is because servers do not acknowledge SNI even if they are using
2034 * it in a resumption handshake - so it is not actually possible for a
2035 * client to detect a problem.
2036 */
976e5323
MC		 2037 switch (idx) {
2038 case 0:
57dee9bb 2039 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 2040 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
2041 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2042 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
2043 goto end;
2044 break;
2045
2046 case 1:
57dee9bb 2047 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 2048 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
2049 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 2050 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
2051 GOODALPNLEN))
2052 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
2053 BADALPNLEN)))
976e5323
MC		 2054 goto end;
2055 break;
2056
2057 case 2:
2058 /*
2059 * Set invalid protocol version. Technically this affects PSKs without
2060 * early_data too, but we test it here because it is similar to the
2061 * SNI/ALPN consistency tests.
2062 */
2063 err = SSL_R_BAD_PSK;
2064 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
2065 goto end;
2066 break;
2067
2068 case 3:
2069 /*
2070 * Set inconsistent SNI (server detected). In this case the connection
2071 * will succeed but reject early_data.
2072 */
281bf233
MC		 2073 SSL_SESSION_free(serverpsk);
2074 serverpsk = SSL_SESSION_dup(clientpsk);
2075 if (!TEST_ptr(serverpsk)
2076 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
2077 goto end;
976e5323
MC		 2078 edstatus = SSL_EARLY_DATA_REJECTED;
2079 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2080 /* Fall through */
2081 case 4:
2082 /* Set consistent SNI */
976e5323
MC		 2083 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
2084 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
2085 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
2086 hostname_cb)))
2087 goto end;
2088 break;
2089
2090 case 5:
2091 /*
2092 * Set inconsistent ALPN (server detected). In this case the connection
2093 * will succeed but reject early_data.
2094 */
2095 servalpn = "badalpn";
2096 edstatus = SSL_EARLY_DATA_REJECTED;
2097 readearlyres = SSL_READ_EARLY_DATA_FINISH;
2098 /* Fall through */
2099 case 6:
976e5323 2100 /*
57dee9bb 2101 * Set consistent ALPN.
976e5323
MC		 2102 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
2103 * accepts a list of protos (each one length prefixed).
2104 * SSL_set1_alpn_selected accepts a single protocol (not length
2105 * prefixed)
2106 */
57dee9bb
MC		 2107 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
2108 GOODALPNLEN - 1))
2109 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
2110 GOODALPNLEN)))
976e5323
MC		 2111 goto end;
2112
2113 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2114 break;
2115
57dee9bb
MC		 2116 case 7:
2117 /* Set inconsistent ALPN (late client detection) */
2118 SSL_SESSION_free(serverpsk);
2119 serverpsk = SSL_SESSION_dup(clientpsk);
2120 if (!TEST_ptr(serverpsk)
2121 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
2122 BADALPN + 1,
2123 BADALPNLEN - 1))
2124 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
2125 GOODALPN + 1,
2126 GOODALPNLEN - 1))
2127 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
2128 sizeof(alpnlist))))
2129 goto end;
2130 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
2131 edstatus = SSL_EARLY_DATA_ACCEPTED;
2132 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
2133 /* SSL_connect() call should fail */
2134 connectres = -1;
2135 break;
2136
976e5323
MC		 2137 default:
2138 TEST_error("Bad test index");
2139 goto end;
2140 }
2141
2142 SSL_set_connect_state(clientssl);
2143 if (err != 0) {
2144 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2145 &written))
2146 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
2147 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
2148 goto end;
2149 } else {
2150 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 2151 &written)))
2152 goto end;
2153
2154 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2155 &readbytes), readearlyres)
976e5323
MC		 2156 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
2157 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 2158 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
2159 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 2160 goto end;
2161 }
2162
2163 testresult = 1;
2164
2165 end:
57dee9bb
MC		 2166 SSL_SESSION_free(clientpsk);
2167 SSL_SESSION_free(serverpsk);
2168 clientpsk = serverpsk = NULL;
976e5323
MC		 2169 SSL_free(serverssl);
2170 SSL_free(clientssl);
2171 SSL_CTX_free(sctx);
2172 SSL_CTX_free(cctx);
2173 return testresult;
2174}
2175
710756a9
RS		 2176/*
2177 * Test that a server that doesn't try to read early data can handle a
2178 * client sending some.
2179 */
3cb47b4e 2180static int test_early_data_not_expected(int idx)
5f982038
MC		 2181{
2182 SSL_CTX *cctx = NULL, *sctx = NULL;
2183 SSL *clientssl = NULL, *serverssl = NULL;
2184 int testresult = 0;
018fcbec 2185 SSL_SESSION *sess = NULL;
5f982038
MC		 2186 unsigned char buf[20];
2187 size_t readbytes, written;
2188
710756a9
RS		 2189 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2190 &serverssl, &sess, idx)))
5f982038
MC		 2191 goto end;
2192
2193 /* Write some early data */
710756a9
RS		 2194 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
2195 &written)))
5f982038 2196 goto end;
5f982038
MC		 2197
2198 /*
2199 * Server should skip over early data and then block waiting for client to
2200 * continue handshake
2201 */
710756a9
RS		 2202 if (!TEST_int_le(SSL_accept(serverssl), 0)
2203 || !TEST_int_gt(SSL_connect(clientssl), 0)
2204 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2205 SSL_EARLY_DATA_REJECTED)
2206 || !TEST_int_gt(SSL_accept(serverssl), 0)
2207 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2208 SSL_EARLY_DATA_REJECTED))
5f982038 2209 goto end;
5f982038
MC		 2210
2211 /* Send some normal data from client to server */
710756a9
RS		 2212 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
2213 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 2214 goto end;
5f982038 2215
710756a9
RS		 2216 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2217 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2218 goto end;
5f982038
MC		 2219
2220 testresult = 1;
2221
2222 end:
57dee9bb 2223 /* If using PSK then clientpsk and sess are the same */
5f982038 2224 SSL_SESSION_free(sess);
57dee9bb
MC		 2225 SSL_SESSION_free(serverpsk);
2226 clientpsk = serverpsk = NULL;
5f982038
MC		 2227 SSL_free(serverssl);
2228 SSL_free(clientssl);
2229 SSL_CTX_free(sctx);
2230 SSL_CTX_free(cctx);
5f982038
MC		 2231 return testresult;
2232}
2233
2234
2235# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 2236/*
2237 * Test that a server attempting to read early data can handle a connection
2238 * from a TLSv1.2 client.
2239 */
3cb47b4e 2240static int test_early_data_tls1_2(int idx)
5f982038
MC		 2241{
2242 SSL_CTX *cctx = NULL, *sctx = NULL;
2243 SSL *clientssl = NULL, *serverssl = NULL;
2244 int testresult = 0;
2245 unsigned char buf[20];
2246 size_t readbytes, written;
2247
02a3ed5a
MC		 2248 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
2249 &serverssl, NULL, idx)))
5f982038 2250 goto end;
5f982038
MC		 2251
2252 /* Write some data - should block due to handshake with server */
2253 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
2254 SSL_set_connect_state(clientssl);
710756a9 2255 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 2256 goto end;
5f982038
MC		 2257
2258 /*
2259 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 2260 * messages from client after ServerDone. Then SSL_read_early_data should
2261 * finish and detect that early data has not been sent
5f982038 2262 */
710756a9
RS		 2263 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2264 &readbytes),
2265 SSL_READ_EARLY_DATA_ERROR))
5f982038 2266 goto end;
5f982038
MC		 2267
2268 /*
2269 * Continue writing the message we started earlier. Will still block waiting
2270 * for the CCS/Finished from server
2271 */
710756a9
RS		 2272 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2273 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
2274 &readbytes),
2275 SSL_READ_EARLY_DATA_FINISH)
2276 || !TEST_size_t_eq(readbytes, 0)
2277 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
2278 SSL_EARLY_DATA_NOT_SENT))
5f982038 2279 goto end;
5f982038
MC		 2280
2281 /* Continue writing the message we started earlier */
710756a9
RS		 2282 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
2283 || !TEST_size_t_eq(written, strlen(MSG1))
2284 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
2285 SSL_EARLY_DATA_NOT_SENT)
2286 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
2287 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
2288 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
2289 || !TEST_size_t_eq(written, strlen(MSG2))
2290 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
2291 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 2292 goto end;
5f982038
MC		 2293
2294 testresult = 1;
2295
2296 end:
57dee9bb
MC		 2297 /* If using PSK then clientpsk and sess are the same */
2298 SSL_SESSION_free(clientpsk);
2299 SSL_SESSION_free(serverpsk);
2300 clientpsk = serverpsk = NULL;
5f982038
MC		 2301 SSL_free(serverssl);
2302 SSL_free(clientssl);
2303 SSL_CTX_free(sctx);
2304 SSL_CTX_free(cctx);
2305
2306 return testresult;
2307}
ca0413ae
MC		 2308# endif /* OPENSSL_NO_TLS1_2 */
2309
2310static int test_ciphersuite_change(void)
2311{
2312 SSL_CTX *cctx = NULL, *sctx = NULL;
2313 SSL *clientssl = NULL, *serverssl = NULL;
2314 SSL_SESSION *clntsess = NULL;
2315 int testresult = 0;
2316 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
2317
2318 /* Create a session based on SHA-256 */
2319 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2320 TLS_client_method(), &sctx,
2321 &cctx, cert, privkey))
2322 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
2323 "TLS13-AES-128-GCM-SHA256"))
2324 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2325 &clientssl, NULL, NULL))
2326 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2327 SSL_ERROR_NONE)))
2328 goto end;
2329
2330 clntsess = SSL_get1_session(clientssl);
2331 /* Save for later */
2332 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
2333 SSL_shutdown(clientssl);
2334 SSL_shutdown(serverssl);
2335 SSL_free(serverssl);
2336 SSL_free(clientssl);
2337 serverssl = clientssl = NULL;
2338
71cff963 2339# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ca0413ae
MC		 2340 /* Check we can resume a session with a different SHA-256 ciphersuite */
2341 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2342 "TLS13-CHACHA20-POLY1305-SHA256"))
2343 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2344 NULL, NULL))
2345 || !TEST_true(SSL_set_session(clientssl, clntsess))
2346 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2347 SSL_ERROR_NONE))
2348 || !TEST_true(SSL_session_reused(clientssl)))
2349 goto end;
2350
2351 SSL_SESSION_free(clntsess);
2352 clntsess = SSL_get1_session(clientssl);
2353 SSL_shutdown(clientssl);
2354 SSL_shutdown(serverssl);
2355 SSL_free(serverssl);
2356 SSL_free(clientssl);
2357 serverssl = clientssl = NULL;
71cff963 2358# endif
ca0413ae
MC		 2359
2360 /*
2361 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 2362 * succeeds but does not resume.
ca0413ae
MC		 2363 */
2364 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2365 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2366 NULL, NULL))
2367 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 2368 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 2369 SSL_ERROR_SSL))
0de6d66d 2370 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 2371 goto end;
2372
2373 SSL_SESSION_free(clntsess);
2374 clntsess = NULL;
2375 SSL_shutdown(clientssl);
2376 SSL_shutdown(serverssl);
2377 SSL_free(serverssl);
2378 SSL_free(clientssl);
2379 serverssl = clientssl = NULL;
2380
2381 /* Create a session based on SHA384 */
2382 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "TLS13-AES-256-GCM-SHA384"))
2383 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2384 &clientssl, NULL, NULL))
2385 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2386 SSL_ERROR_NONE)))
2387 goto end;
2388
2389 clntsess = SSL_get1_session(clientssl);
2390 SSL_shutdown(clientssl);
2391 SSL_shutdown(serverssl);
2392 SSL_free(serverssl);
2393 SSL_free(clientssl);
2394 serverssl = clientssl = NULL;
2395
2396 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
2397 "TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384"))
0de6d66d
MC		 2398 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
2399 "TLS13-AES-256-GCM-SHA384"))
ca0413ae
MC		 2400 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2401 NULL, NULL))
2402 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 2403 /*
2404 * We use SSL_ERROR_WANT_READ below so that we can pause the
2405 * connection after the initial ClientHello has been sent to
2406 * enable us to make some session changes.
2407 */
ca0413ae
MC		 2408 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2409 SSL_ERROR_WANT_READ)))
2410 goto end;
2411
2412 /* Trick the client into thinking this session is for a different digest */
2413 clntsess->cipher = aes_128_gcm_sha256;
2414 clntsess->cipher_id = clntsess->cipher->id;
2415
2416 /*
3b0e88d3
MC		 2417 * Continue the previously started connection. Server has selected a SHA-384
2418 * ciphersuite, but client thinks the session is for SHA-256, so it should
2419 * bail out.
ca0413ae
MC		 2420 */
2421 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
2422 SSL_ERROR_SSL))
2423 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
2424 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
2425 goto end;
2426
2427 testresult = 1;
2428
2429 end:
2430 SSL_SESSION_free(clntsess);
2431 SSL_free(serverssl);
2432 SSL_free(clientssl);
2433 SSL_CTX_free(sctx);
2434 SSL_CTX_free(cctx);
2435
2436 return testresult;
2437}
2438
ca8c71ba
MC		 2439static int test_tls13_psk(void)
2440{
2441 SSL_CTX *sctx = NULL, *cctx = NULL;
2442 SSL *serverssl = NULL, *clientssl = NULL;
2443 const SSL_CIPHER *cipher = NULL;
2444 const unsigned char key[] = {
2445 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
2446 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 2447 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2448 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 2449 };
2450 int testresult = 0;
2451
2452 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2453 TLS_client_method(), &sctx,
2454 &cctx, cert, privkey)))
2455 goto end;
2456
2457 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2458 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2459 srvid = pskid;
02a3ed5a
MC		 2460 use_session_cb_cnt = 0;
2461 find_session_cb_cnt = 0;
ca8c71ba
MC		 2462
2463 /* Check we can create a connection if callback decides not to send a PSK */
2464 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2465 NULL, NULL))
2466 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2467 SSL_ERROR_NONE))
2468 || !TEST_false(SSL_session_reused(clientssl))
2469 || !TEST_false(SSL_session_reused(serverssl))
2470 || !TEST_true(use_session_cb_cnt == 1)
2471 || !TEST_true(find_session_cb_cnt == 0))
2472 goto end;
2473
2474 shutdown_ssl_connection(serverssl, clientssl);
2475 serverssl = clientssl = NULL;
2476 use_session_cb_cnt = 0;
2477
2478 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2479 NULL, NULL)))
2480 goto end;
2481
2482 /* Create the PSK */
2483 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
57dee9bb
MC		 2484 clientpsk = SSL_SESSION_new();
2485 if (!TEST_ptr(clientpsk)
ca8c71ba 2486 || !TEST_ptr(cipher)
57dee9bb
MC		 2487 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
2488 sizeof(key)))
2489 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
2490 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
2491 TLS1_3_VERSION))
2492 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 2493 goto end;
57dee9bb 2494 serverpsk = clientpsk;
ca8c71ba
MC		 2495
2496 /* Check we can create a connection and the PSK is used */
2497 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2498 || !TEST_true(SSL_session_reused(clientssl))
2499 || !TEST_true(SSL_session_reused(serverssl))
2500 || !TEST_true(use_session_cb_cnt == 1)
2501 || !TEST_true(find_session_cb_cnt == 1))
2502 goto end;
2503
2504 shutdown_ssl_connection(serverssl, clientssl);
2505 serverssl = clientssl = NULL;
2506 use_session_cb_cnt = find_session_cb_cnt = 0;
2507
2508 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2509 NULL, NULL)))
2510 goto end;
2511
2512 /* Force an HRR */
2513 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
2514 goto end;
2515
2516 /*
2517 * Check we can create a connection, the PSK is used and the callbacks are
2518 * called twice.
2519 */
2520 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
2521 || !TEST_true(SSL_session_reused(clientssl))
2522 || !TEST_true(SSL_session_reused(serverssl))
2523 || !TEST_true(use_session_cb_cnt == 2)
2524 || !TEST_true(find_session_cb_cnt == 2))
2525 goto end;
2526
2527 shutdown_ssl_connection(serverssl, clientssl);
2528 serverssl = clientssl = NULL;
2529 use_session_cb_cnt = find_session_cb_cnt = 0;
2530
2531 /*
2532 * Check that if the server rejects the PSK we can still connect, but with
2533 * a full handshake
2534 */
2535 srvid = "Dummy Identity";
2536 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2537 NULL, NULL))
2538 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2539 SSL_ERROR_NONE))
2540 || !TEST_false(SSL_session_reused(clientssl))
2541 || !TEST_false(SSL_session_reused(serverssl))
2542 || !TEST_true(use_session_cb_cnt == 1)
2543 || !TEST_true(find_session_cb_cnt == 1))
2544 goto end;
2545
2546 shutdown_ssl_connection(serverssl, clientssl);
2547 serverssl = clientssl = NULL;
2548 testresult = 1;
2549
2550 end:
57dee9bb
MC		 2551 SSL_SESSION_free(clientpsk);
2552 SSL_SESSION_free(serverpsk);
2553 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 2554 SSL_free(serverssl);
2555 SSL_free(clientssl);
2556 SSL_CTX_free(sctx);
2557 SSL_CTX_free(cctx);
2558 return testresult;
2559}
2560
c7b8ff25
MC		 2561static unsigned char cookie_magic_value[] = "cookie magic";
2562
2563static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
2564 unsigned int *cookie_len)
2565{
2566 /*
2567 * Not suitable as a real cookie generation function but good enough for
2568 * testing!
2569 */
97ea1e7f
MC		 2570 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
2571 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 2572
2573 return 1;
2574}
2575
2576static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
2577 unsigned int cookie_len)
2578{
97ea1e7f 2579 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 2580 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
2581 return 1;
2582
2583 return 0;
2584}
2585
2586static int test_stateless(void)
2587{
2588 SSL_CTX *sctx = NULL, *cctx = NULL;
2589 SSL *serverssl = NULL, *clientssl = NULL;
2590 int testresult = 0;
2591
2592 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2593 TLS_client_method(), &sctx,
2594 &cctx, cert, privkey)))
2595 goto end;
2596
2597 /* Set up the cookie generation and verification callbacks */
2598 SSL_CTX_set_cookie_generate_cb(sctx, generate_cookie_callback);
2599 SSL_CTX_set_cookie_verify_cb(sctx, verify_cookie_callback);
2600
2601 /* The arrival of CCS messages can confuse the test */
2602 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
2603
2604 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2605 NULL, NULL))
2606 /* Send the first ClientHello */
2607 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2608 SSL_ERROR_WANT_READ))
2609 /* This should fail because there is no cookie */
97ea1e7f 2610 || !TEST_false(SSL_stateless(serverssl)))
c7b8ff25
MC		 2611 goto end;
2612
2613 /* Abandon the connection from this client */
2614 SSL_free(clientssl);
2615 clientssl = NULL;
2616
2617 /*
2618 * Now create a connection from a new client but with the same server SSL
2619 * object
2620 */
2621 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2622 NULL, NULL))
2623 /* Send the first ClientHello */
2624 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2625 SSL_ERROR_WANT_READ))
2626 /* This should fail because there is no cookie */
97ea1e7f 2627 || !TEST_false(SSL_stateless(serverssl))
c7b8ff25
MC		 2628 /* Send the second ClientHello */
2629 || !TEST_false(create_ssl_connection(serverssl, clientssl,
2630 SSL_ERROR_WANT_READ))
2631 /* This should succeed because a cookie is now present */
97ea1e7f 2632 || !TEST_true(SSL_stateless(serverssl))
c7b8ff25
MC		 2633 /* Complete the connection */
2634 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2635 SSL_ERROR_NONE)))
2636 goto end;
2637
2638 shutdown_ssl_connection(serverssl, clientssl);
2639 serverssl = clientssl = NULL;
2640 testresult = 1;
2641
2642 end:
2643 SSL_free(serverssl);
2644 SSL_free(clientssl);
2645 SSL_CTX_free(sctx);
2646 SSL_CTX_free(cctx);
2647 return testresult;
2648
2649}
ca0413ae 2650#endif /* OPENSSL_NO_TLS1_3 */
5f982038 2651
a37008d9
MC		 2652static int clntaddoldcb = 0;
2653static int clntparseoldcb = 0;
2654static int srvaddoldcb = 0;
2655static int srvparseoldcb = 0;
2656static int clntaddnewcb = 0;
2657static int clntparsenewcb = 0;
2658static int srvaddnewcb = 0;
2659static int srvparsenewcb = 0;
bb01ef3f 2660static int snicb = 0;
a37008d9
MC		 2661
2662#define TEST_EXT_TYPE1 0xff00
2663
2664static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
2665 size_t *outlen, int *al, void *add_arg)
2666{
2667 int *server = (int *)add_arg;
2668 unsigned char *data;
2669
2670 if (SSL_is_server(s))
2671 srvaddoldcb++;
2672 else
2673 clntaddoldcb++;
2674
710756a9
RS		 2675 if (*server != SSL_is_server(s)
2676 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2677 return -1;
2678
2679 *data = 1;
2680 *out = data;
2681 *outlen = sizeof(char);
a37008d9
MC		 2682 return 1;
2683}
2684
2685static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
2686 void *add_arg)
2687{
2688 OPENSSL_free((unsigned char *)out);
2689}
2690
2691static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
2692 size_t inlen, int *al, void *parse_arg)
2693{
2694 int *server = (int *)parse_arg;
2695
2696 if (SSL_is_server(s))
2697 srvparseoldcb++;
2698 else
2699 clntparseoldcb++;
2700
710756a9
RS		 2701 if (*server != SSL_is_server(s)
2702 || inlen != sizeof(char)
2703 || *in != 1)
a37008d9
MC		 2704 return -1;
2705
2706 return 1;
2707}
2708
2709static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
2710 const unsigned char **out, size_t *outlen, X509 *x,
2711 size_t chainidx, int *al, void *add_arg)
2712{
2713 int *server = (int *)add_arg;
2714 unsigned char *data;
2715
2716 if (SSL_is_server(s))
2717 srvaddnewcb++;
2718 else
2719 clntaddnewcb++;
2720
710756a9
RS		 2721 if (*server != SSL_is_server(s)
2722 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 2723 return -1;
2724
2725 *data = 1;
2726 *out = data;
710756a9 2727 *outlen = sizeof(*data);
a37008d9
MC		 2728 return 1;
2729}
2730
2731static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
2732 const unsigned char *out, void *add_arg)
2733{
2734 OPENSSL_free((unsigned char *)out);
2735}
2736
2737static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
2738 const unsigned char *in, size_t inlen, X509 *x,
2739 size_t chainidx, int *al, void *parse_arg)
2740{
2741 int *server = (int *)parse_arg;
2742
2743 if (SSL_is_server(s))
2744 srvparsenewcb++;
2745 else
2746 clntparsenewcb++;
2747
710756a9
RS		 2748 if (*server != SSL_is_server(s)
2749 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 2750 return -1;
2751
2752 return 1;
2753}
bb01ef3f
MC		 2754
2755static int sni_cb(SSL *s, int *al, void *arg)
2756{
2757 SSL_CTX *ctx = (SSL_CTX *)arg;
2758
2759 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
2760 *al = SSL_AD_INTERNAL_ERROR;
2761 return SSL_TLSEXT_ERR_ALERT_FATAL;
2762 }
2763 snicb++;
2764 return SSL_TLSEXT_ERR_OK;
2765}
2766
a37008d9
MC		 2767/*
2768 * Custom call back tests.
2769 * Test 0: Old style callbacks in TLSv1.2
2770 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 2771 * Test 2: New style callbacks in TLSv1.2 with SNI
2772 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
2773 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 2774 */
710756a9
RS		 2775static int test_custom_exts(int tst)
2776{
bb01ef3f 2777 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 2778 SSL *clientssl = NULL, *serverssl = NULL;
2779 int testresult = 0;
2780 static int server = 1;
2781 static int client = 0;
2782 SSL_SESSION *sess = NULL;
2783 unsigned int context;
2784
c423ecaa
MC		 2785#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
2786 /* Skip tests for TLSv1.2 and below in this case */
2787 if (tst < 3)
2788 return 1;
2789#endif
2790
a37008d9
MC		 2791 /* Reset callback counters */
2792 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
2793 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 2794 snicb = 0;
a37008d9 2795
710756a9
RS		 2796 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
2797 TLS_client_method(), &sctx,
2798 &cctx, cert, privkey)))
2799 goto end;
a37008d9 2800
bb01ef3f
MC		 2801 if (tst == 2
2802 && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
2803 NULL, cert, privkey)))
2804 goto end;
2805
2806
2807 if (tst < 3) {
a37008d9
MC		 2808 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
2809 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 2810 if (sctx2 != NULL)
2811 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 2812 }
2813
bb01ef3f 2814 if (tst == 4) {
710756a9
RS		 2815 context = SSL_EXT_CLIENT_HELLO
2816 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 2817 | SSL_EXT_TLS1_3_SERVER_HELLO
2818 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
2819 | SSL_EXT_TLS1_3_CERTIFICATE
2820 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
2821 } else {
710756a9
RS		 2822 context = SSL_EXT_CLIENT_HELLO
2823 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 2824 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
2825 }
2826
2827 /* Create a client side custom extension */
2828 if (tst == 0) {
710756a9
RS		 2829 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2830 old_add_cb, old_free_cb,
2831 &client, old_parse_cb,
2832 &client)))
2833 goto end;
a37008d9 2834 } else {
710756a9
RS		 2835 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
2836 new_add_cb, new_free_cb,
2837 &client, new_parse_cb, &client)))
2838 goto end;
a37008d9
MC		 2839 }
2840
2841 /* Should not be able to add duplicates */
710756a9
RS		 2842 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
2843 old_add_cb, old_free_cb,
2844 &client, old_parse_cb,
2845 &client))
2846 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
2847 context, new_add_cb,
2848 new_free_cb, &client,
2849 new_parse_cb, &client)))
2850 goto end;
a37008d9
MC		 2851
2852 /* Create a server side custom extension */
2853 if (tst == 0) {
710756a9
RS		 2854 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2855 old_add_cb, old_free_cb,
2856 &server, old_parse_cb,
2857 &server)))
2858 goto end;
a37008d9 2859 } else {
710756a9
RS		 2860 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
2861 new_add_cb, new_free_cb,
2862 &server, new_parse_cb, &server)))
2863 goto end;
bb01ef3f
MC		 2864 if (sctx2 != NULL
2865 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
2866 context, new_add_cb,
2867 new_free_cb, &server,
2868 new_parse_cb, &server)))
2869 goto end;
a37008d9
MC		 2870 }
2871
2872 /* Should not be able to add duplicates */
710756a9
RS		 2873 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
2874 old_add_cb, old_free_cb,
2875 &server, old_parse_cb,
2876 &server))
2877 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
2878 context, new_add_cb,
2879 new_free_cb, &server,
2880 new_parse_cb, &server)))
a37008d9 2881 goto end;
a37008d9 2882
bb01ef3f
MC		 2883 if (tst == 2) {
2884 /* Set up SNI */
2885 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
2886 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
2887 goto end;
2888 }
2889
710756a9
RS		 2890 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2891 &clientssl, NULL, NULL))
2892 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2893 SSL_ERROR_NONE)))
a37008d9 2894 goto end;
a37008d9
MC		 2895
2896 if (tst == 0) {
710756a9
RS		 2897 if (clntaddoldcb != 1
2898 || clntparseoldcb != 1
2899 || srvaddoldcb != 1
2900 || srvparseoldcb != 1)
a37008d9 2901 goto end;
bb01ef3f 2902 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 2903 if (clntaddnewcb != 1
2904 || clntparsenewcb != 1
2905 || srvaddnewcb != 1
bb01ef3f
MC		 2906 || srvparsenewcb != 1
2907 || (tst != 2 && snicb != 0)
2908 || (tst == 2 && snicb != 1))
a37008d9 2909 goto end;
a37008d9 2910 } else {
710756a9
RS		 2911 if (clntaddnewcb != 1
2912 || clntparsenewcb != 4
2913 || srvaddnewcb != 4
2914 || srvparsenewcb != 1)
a37008d9 2915 goto end;
a37008d9
MC		 2916 }
2917
2918 sess = SSL_get1_session(clientssl);
a37008d9
MC		 2919 SSL_shutdown(clientssl);
2920 SSL_shutdown(serverssl);
a37008d9
MC		 2921 SSL_free(serverssl);
2922 SSL_free(clientssl);
2923 serverssl = clientssl = NULL;
2924
bb01ef3f
MC		 2925 if (tst == 3) {
2926 /* We don't bother with the resumption aspects for this test */
2927 testresult = 1;
2928 goto end;
2929 }
2930
710756a9
RS		 2931 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2932 NULL, NULL))
2933 || !TEST_true(SSL_set_session(clientssl, sess))
2934 || !TEST_true(create_ssl_connection(serverssl, clientssl,
2935 SSL_ERROR_NONE)))
a37008d9 2936 goto end;
a37008d9
MC		 2937
2938 /*
2939 * For a resumed session we expect to add the ClientHello extension. For the
2940 * old style callbacks we ignore it on the server side because they set
2941 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
2942 * them.
2943 */
2944 if (tst == 0) {
710756a9
RS		 2945 if (clntaddoldcb != 2
2946 || clntparseoldcb != 1
2947 || srvaddoldcb != 1
2948 || srvparseoldcb != 1)
a37008d9 2949 goto end;
bb01ef3f 2950 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 2951 if (clntaddnewcb != 2
2952 || clntparsenewcb != 2
2953 || srvaddnewcb != 2
2954 || srvparsenewcb != 2)
a37008d9 2955 goto end;
a37008d9
MC		 2956 } else {
2957 /* No Certificate message extensions in the resumption handshake */
710756a9
RS		 2958 if (clntaddnewcb != 2
2959 || clntparsenewcb != 7
2960 || srvaddnewcb != 7
2961 || srvparsenewcb != 2)
a37008d9 2962 goto end;
a37008d9
MC		 2963 }
2964
2965 testresult = 1;
2966
2967end:
2968 SSL_SESSION_free(sess);
2969 SSL_free(serverssl);
2970 SSL_free(clientssl);
bb01ef3f 2971 SSL_CTX_free(sctx2);
a37008d9
MC		 2972 SSL_CTX_free(sctx);
2973 SSL_CTX_free(cctx);
a37008d9
MC		 2974 return testresult;
2975}
2976
16afd71c
MC		 2977/*
2978 * Test loading of serverinfo data in various formats. test_sslmessages actually
2979 * tests to make sure the extensions appear in the handshake
2980 */
2981static int test_serverinfo(int tst)
2982{
2983 unsigned int version;
2984 unsigned char *sibuf;
2985 size_t sibuflen;
2986 int ret, expected, testresult = 0;
2987 SSL_CTX *ctx;
2988
2989 ctx = SSL_CTX_new(TLS_method());
2990 if (!TEST_ptr(ctx))
2991 goto end;
2992
2993 if ((tst & 0x01) == 0x01)
2994 version = SSL_SERVERINFOV2;
2995 else
2996 version = SSL_SERVERINFOV1;
2997
2998 if ((tst & 0x02) == 0x02) {
2999 sibuf = serverinfov2;
3000 sibuflen = sizeof(serverinfov2);
3001 expected = (version == SSL_SERVERINFOV2);
3002 } else {
3003 sibuf = serverinfov1;
3004 sibuflen = sizeof(serverinfov1);
3005 expected = (version == SSL_SERVERINFOV1);
3006 }
3007
3008 if ((tst & 0x04) == 0x04) {
3009 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
3010 } else {
3011 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
3012
3013 /*
3014 * The version variable is irrelevant in this case - it's what is in the
3015 * buffer that matters
3016 */
3017 if ((tst & 0x02) == 0x02)
3018 expected = 0;
3019 else
3020 expected = 1;
3021 }
3022
3023 if (!TEST_true(ret == expected))
3024 goto end;
3025
3026 testresult = 1;
3027
3028 end:
3029 SSL_CTX_free(ctx);
3030
3031 return testresult;
3032}
3033
2197d1df
MC		 3034/*
3035 * Test that SSL_export_keying_material() produces expected results. There are
3036 * no test vectors so all we do is test that both sides of the communication
3037 * produce the same results for different protocol versions.
3038 */
3039static int test_export_key_mat(int tst)
3040{
a599574b 3041 int testresult = 0;
2197d1df
MC		 3042 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
3043 SSL *clientssl = NULL, *serverssl = NULL;
3044 const char label[] = "test label";
3045 const unsigned char context[] = "context";
3046 const unsigned char *emptycontext = NULL;
3047 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
3048 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
a599574b
MC		 3049 const int protocols[] = {
3050 TLS1_VERSION,
3051 TLS1_1_VERSION,
3052 TLS1_2_VERSION,
3053 TLS1_3_VERSION
3054 };
2197d1df
MC		 3055
3056#ifdef OPENSSL_NO_TLS1
3057 if (tst == 0)
3058 return 1;
3059#endif
3060#ifdef OPENSSL_NO_TLS1_1
3061 if (tst == 1)
3062 return 1;
3063#endif
3064#ifdef OPENSSL_NO_TLS1_2
3065 if (tst == 2)
3066 return 1;
3067#endif
3068#ifdef OPENSSL_NO_TLS1_3
3069 if (tst == 3)
3070 return 1;
3071#endif
3072 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3073 TLS_client_method(), &sctx,
3074 &cctx, cert, privkey)))
3075 goto end;
3076
a599574b
MC		 3077 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
3078 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
3079 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
2197d1df
MC		 3080
3081 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
3082 NULL))
3083 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3084 SSL_ERROR_NONE)))
3085 goto end;
3086
3087 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
3088 sizeof(ckeymat1), label,
3089 sizeof(label) - 1, context,
3090 sizeof(context) - 1, 1), 1)
3091 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
3092 sizeof(ckeymat2), label,
3093 sizeof(label) - 1,
3094 emptycontext,
3095 0, 1), 1)
3096 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
3097 sizeof(ckeymat3), label,
3098 sizeof(label) - 1,
3099 NULL, 0, 0), 1)
3100 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
3101 sizeof(skeymat1), label,
3102 sizeof(label) - 1,
3103 context,
3104 sizeof(context) -1, 1),
3105 1)
3106 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
3107 sizeof(skeymat2), label,
3108 sizeof(label) - 1,
3109 emptycontext,
3110 0, 1), 1)
3111 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
3112 sizeof(skeymat3), label,
3113 sizeof(label) - 1,
3114 NULL, 0, 0), 1)
3115 /*
3116 * Check that both sides created the same key material with the
3117 * same context.
3118 */
3119 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
3120 sizeof(skeymat1))
3121 /*
3122 * Check that both sides created the same key material with an
3123 * empty context.
3124 */
3125 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
3126 sizeof(skeymat2))
3127 /*
3128 * Check that both sides created the same key material without a
3129 * context.
3130 */
3131 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
3132 sizeof(skeymat3))
3133 /* Different contexts should produce different results */
3134 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
3135 sizeof(ckeymat2)))
3136 goto end;
3137
3138 /*
3139 * Check that an empty context and no context produce different results in
3140 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
3141 */
3142 if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
3143 sizeof(ckeymat3)))
3144 || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
3145 sizeof(ckeymat3))))
3146 goto end;
3147
3148 testresult = 1;
3149
3150 end:
3151 SSL_free(serverssl);
3152 SSL_free(clientssl);
3153 SSL_CTX_free(sctx2);
3154 SSL_CTX_free(sctx);
3155 SSL_CTX_free(cctx);
3156
3157 return testresult;
3158}
3159
e11b6aa4
MC		 3160static int test_ssl_clear(int idx)
3161{
3162 SSL_CTX *cctx = NULL, *sctx = NULL;
3163 SSL *clientssl = NULL, *serverssl = NULL;
3164 int testresult = 0;
3165
3166#ifdef OPENSSL_NO_TLS1_2
3167 if (idx == 1)
3168 return 1;
3169#endif
3170
3171 /* Create an initial connection */
3172 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3173 TLS_client_method(), &sctx,
3174 &cctx, cert, privkey))
3175 || (idx == 1
3176 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
3177 TLS1_2_VERSION)))
3178 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3179 &clientssl, NULL, NULL))
3180 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3181 SSL_ERROR_NONE)))
3182 goto end;
3183
3184 SSL_shutdown(clientssl);
3185 SSL_shutdown(serverssl);
3186 SSL_free(serverssl);
3187 serverssl = NULL;
3188
3189 /* Clear clientssl - we're going to reuse the object */
3190 if (!TEST_true(SSL_clear(clientssl)))
3191 goto end;
3192
3193 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3194 NULL, NULL))
3195 || !TEST_true(create_ssl_connection(serverssl, clientssl,
3196 SSL_ERROR_NONE))
3197 || !TEST_true(SSL_session_reused(clientssl)))
3198 goto end;
3199
3200 SSL_shutdown(clientssl);
3201 SSL_shutdown(serverssl);
3202
3203 testresult = 1;
3204
3205 end:
3206 SSL_free(serverssl);
3207 SSL_free(clientssl);
3208 SSL_CTX_free(sctx);
3209 SSL_CTX_free(cctx);
3210
3211 return testresult;
3212}
3213
cf72c757
F		 3214/* Parse CH and retrieve any MFL extension value if present */
3215static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
3216{
3217 long len;
3218 unsigned char *data;
3219 PACKET pkt = {0}, pkt2 = {0}, pkt3 = {0};
3220 unsigned int MFL_code = 0, type = 0;
3221
3222 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
3223 goto end;
3224
3225 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
3226 /* Skip the record header */
3227 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
3228 /* Skip the handshake message header */
3229 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
3230 /* Skip client version and random */
3231 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
3232 + SSL3_RANDOM_SIZE))
3233 /* Skip session id */
3234 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3235 /* Skip ciphers */
3236 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
3237 /* Skip compression */
3238 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
3239 /* Extensions len */
3240 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
3241 goto end;
3242
3243 /* Loop through all extensions */
3244 while (PACKET_remaining(&pkt2)) {
3245 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
3246 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
3247 goto end;
3248
3249 if (type == TLSEXT_TYPE_max_fragment_length) {
3250 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
3251 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
3252 goto end;
3253
3254 *mfl_codemfl_code = MFL_code;
3255 return 1;
3256 }
3257 }
3258
3259 end:
3260 return 0;
3261}
3262
3263/* Maximum-Fragment-Length TLS extension mode to test */
3264static const unsigned char max_fragment_len_test[] = {
3265 TLSEXT_max_fragment_length_512,
3266 TLSEXT_max_fragment_length_1024,
3267 TLSEXT_max_fragment_length_2048,
3268 TLSEXT_max_fragment_length_4096
3269};
3270
3271static int test_max_fragment_len_ext(int idx_tst)
3272{
3273 SSL_CTX *ctx;
3274 SSL *con = NULL;
3275 int testresult = 0, MFL_mode = 0;
3276 BIO *rbio, *wbio;
3277
3278 ctx = SSL_CTX_new(TLS_method());
3279 if (!TEST_ptr(ctx))
3280 goto end;
3281
3282 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
3283 ctx, max_fragment_len_test[idx_tst])))
3284 goto end;
3285
3286 con = SSL_new(ctx);
3287 if (!TEST_ptr(con))
3288 goto end;
3289
3290 rbio = BIO_new(BIO_s_mem());
3291 wbio = BIO_new(BIO_s_mem());
3292 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
3293 BIO_free(rbio);
3294 BIO_free(wbio);
3295 goto end;
3296 }
3297
3298 SSL_set_bio(con, rbio, wbio);
3299 SSL_set_connect_state(con);
3300
3301 if (!TEST_int_le(SSL_connect(con), 0)) {
3302 /* This shouldn't succeed because we don't have a server! */
3303 goto end;
3304 }
3305
3306 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
3307 /* no MFL in client hello */
3308 goto end;
3309 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
3310 goto end;
3311
3312 testresult = 1;
3313
3314end:
3315 SSL_free(con);
3316 SSL_CTX_free(ctx);
3317
3318 return testresult;
3319}
3320
9d75dce3
TS		 3321#ifndef OPENSSL_NO_TLS1_3
3322static int test_pha_key_update(void)
3323{
3324 SSL_CTX *cctx = NULL, *sctx = NULL;
3325 SSL *clientssl = NULL, *serverssl = NULL;
3326 int testresult = 0;
3327
3328 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
3329 TLS_client_method(),
3330 &sctx, &cctx, cert, privkey)))
3331 return 0;
3332
3333 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
3334 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
3335 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
3336 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
3337 goto end;
3338
3339
3340 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
3341 NULL, NULL)))
3342 goto end;
3343
3344 SSL_force_post_handshake_auth(clientssl);
3345
3346 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3347 SSL_ERROR_NONE)))
3348 goto end;
3349
3350 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
3351 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
3352 goto end;
3353
3354 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
3355 goto end;
3356
3357 /* Start handshake on the server */
3358 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
3359 goto end;
3360
3361 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
3362 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
3363 SSL_ERROR_NONE)))
3364 goto end;
3365
3366 SSL_shutdown(clientssl);
3367 SSL_shutdown(serverssl);
3368
3369 testresult = 1;
3370
3371 end:
3372 SSL_free(serverssl);
3373 SSL_free(clientssl);
3374 SSL_CTX_free(sctx);
3375 SSL_CTX_free(cctx);
3376 return testresult;
3377}
3378#endif
3379
ad887416 3380int setup_tests(void)
2cb4b5f6 3381{
ad887416
P		 3382 if (!TEST_ptr(cert = test_get_argument(0))
3383 || !TEST_ptr(privkey = test_get_argument(1)))
710756a9 3384 return 0;
2cb4b5f6 3385
84d5549e 3386 ADD_TEST(test_large_message_tls);
7856332e 3387 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 3388#ifndef OPENSSL_NO_DTLS
84d5549e 3389 ADD_TEST(test_large_message_dtls);
55386bef 3390#endif
8f8c11d8 3391#ifndef OPENSSL_NO_OCSP
c887104f 3392 ADD_TEST(test_tlsext_status_type);
8f8c11d8 3393#endif
eaa776da
MC		 3394 ADD_TEST(test_session_with_only_int_cache);
3395 ADD_TEST(test_session_with_only_ext_cache);
3396 ADD_TEST(test_session_with_both_cache);
7fb4c820 3397 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 3398 ADD_TEST(test_ssl_bio_pop_next_bio);
3399 ADD_TEST(test_ssl_bio_pop_ssl_bio);
3400 ADD_TEST(test_ssl_bio_change_rbio);
3401 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 3402#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 3403 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 3404 ADD_TEST(test_keylog);
c423ecaa 3405#endif
6acdd3e5
CB		 3406#ifndef OPENSSL_NO_TLS1_3
3407 ADD_TEST(test_keylog_no_master_key);
3408#endif
e9ee6536 3409#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 3410 ADD_TEST(test_client_hello_cb);
5f982038
MC		 3411#endif
3412#ifndef OPENSSL_NO_TLS1_3
02a3ed5a
MC		 3413 ADD_ALL_TESTS(test_early_data_read_write, 3);
3414 ADD_ALL_TESTS(test_early_data_skip, 3);
3415 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
3416 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 3417 ADD_ALL_TESTS(test_early_data_psk, 8);
02a3ed5a 3418 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 3419# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 3420 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 3421# endif
e9ee6536 3422#endif
a273157a 3423#ifndef OPENSSL_NO_TLS1_3
ca0413ae 3424 ADD_TEST(test_ciphersuite_change);
ca8c71ba 3425 ADD_TEST(test_tls13_psk);
bb01ef3f 3426 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 3427 ADD_TEST(test_stateless);
9d75dce3 3428 ADD_TEST(test_pha_key_update);
a273157a 3429#else
bb01ef3f 3430 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 3431#endif
16afd71c 3432 ADD_ALL_TESTS(test_serverinfo, 8);
2197d1df 3433 ADD_ALL_TESTS(test_export_key_mat, 4);
e11b6aa4 3434 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 3435 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
ad887416
P		 3436 return 1;
3437}
2cb4b5f6 3438
ad887416
P		 3439void cleanup_tests(void)
3440{
fa454945 3441 bio_s_mempacket_test_free();
2cb4b5f6 3442}
A mirror of the official openssl repository