]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/sslapitest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Modify is_tls13_capable() to take account of the servername cb
[thirdparty/openssl.git] / test / sslapitest.c
CommitLineData
2cb4b5f6 1/*
33388b44 2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
2cb4b5f6 3 *
909f1a2e 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
2cb4b5f6
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
a76ce286
P		 10/*
11 * We need access to the deprecated low level HMAC APIs for legacy purposes
12 * when the deprecated calls are not hidden
13 */
14#ifndef OPENSSL_NO_DEPRECATED_3_0
15# define OPENSSL_SUPPRESS_DEPRECATED
16#endif
17
7c3a7561 18#include <stdio.h>
ba881d3b
MC		 19#include <string.h>
20
2cb4b5f6
MC		 21#include <openssl/opensslconf.h>
22#include <openssl/bio.h>
23#include <openssl/crypto.h>
24#include <openssl/ssl.h>
ba881d3b 25#include <openssl/ocsp.h>
76fd7a1d
MC		 26#include <openssl/srp.h>
27#include <openssl/txt_db.h>
d0191fe0 28#include <openssl/aes.h>
7c3a7561 29#include <openssl/rand.h>
a76ce286 30#include <openssl/core_names.h>
23c48d94 31#include <openssl/core_dispatch.h>
5e30f2fd 32#include <openssl/provider.h>
33c39a06 33#include <openssl/param_build.h>
2cb4b5f6 34
20f8bc72 35#include "helpers/ssltestlib.h"
c887104f 36#include "testutil.h"
f297e4ec 37#include "testutil/output.h"
176db6dc 38#include "internal/nelem.h"
fe5d9450 39#include "internal/ktls.h"
706457b7 40#include "../ssl/ssl_local.h"
2cb4b5f6 41
b3842539
MC		 42/* Defined in filterprov.c */
43OSSL_provider_init_fn filter_provider_init;
44int filter_provider_set_filter(int operation, const char *name);
45
0c13cdf8
MC		 46/* Defined in tls-provider.c */
47int tls_provider_init(const OSSL_CORE_HANDLE *handle,
48 const OSSL_DISPATCH *in,
49 const OSSL_DISPATCH **out,
50 void **provctx);
852c2ed2 51
b4250010 52static OSSL_LIB_CTX *libctx = NULL;
5e30f2fd
MC		 53static OSSL_PROVIDER *defctxnull = NULL;
54
8614a4eb
MC		 55#ifndef OPENSSL_NO_TLS1_3
56
57static SSL_SESSION *clientpsk = NULL;
58static SSL_SESSION *serverpsk = NULL;
59static const char *pskid = "Identity";
60static const char *srvid;
61
62static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
63 size_t *idlen, SSL_SESSION **sess);
64static int find_session_cb(SSL *ssl, const unsigned char *identity,
65 size_t identity_len, SSL_SESSION **sess);
66
67static int use_session_cb_cnt = 0;
68static int find_session_cb_cnt = 0;
69
70static SSL_SESSION *create_a_psk(SSL *ssl);
71#endif
72
1a2a3a42 73static char *certsdir = NULL;
2cb4b5f6
MC		 74static char *cert = NULL;
75static char *privkey = NULL;
b3842539
MC		 76static char *cert2 = NULL;
77static char *privkey2 = NULL;
3105d846
MC		 78static char *cert1024 = NULL;
79static char *privkey1024 = NULL;
80static char *cert3072 = NULL;
81static char *privkey3072 = NULL;
82static char *cert4096 = NULL;
83static char *privkey4096 = NULL;
84static char *cert8192 = NULL;
85static char *privkey8192 = NULL;
76fd7a1d
MC		 86static char *srpvfile = NULL;
87static char *tmpfilename = NULL;
2cb4b5f6 88
4f6c7044
MC		 89static int is_fips = 0;
90
cffe973c 91#define LOG_BUFFER_SIZE 2048
6acdd3e5 92static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 93static size_t server_log_buffer_index = 0;
6acdd3e5 94static char client_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
710756a9 95static size_t client_log_buffer_index = 0;
6acdd3e5
CB		 96static int error_writing_log = 0;
97
8f8c11d8 98#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 99static const unsigned char orespder[] = "Dummy OCSP Response";
100static int ocsp_server_called = 0;
101static int ocsp_client_called = 0;
102
103static int cdummyarg = 1;
104static X509 *ocspcert = NULL;
8f8c11d8 105#endif
ba881d3b 106
84d5549e 107#define NUM_EXTRA_CERTS 40
cf72c757 108#define CLIENT_VERSION_LEN 2
84d5549e 109
f1a5939f
CB		 110/*
111 * This structure is used to validate that the correct number of log messages
112 * of various types are emitted when emitting secret logs.
113 */
114struct sslapitest_log_counts {
115 unsigned int rsa_key_exchange_count;
116 unsigned int master_secret_count;
cffe973c 117 unsigned int client_early_secret_count;
f1a5939f
CB		 118 unsigned int client_handshake_secret_count;
119 unsigned int server_handshake_secret_count;
120 unsigned int client_application_secret_count;
121 unsigned int server_application_secret_count;
01a2a654 122 unsigned int early_exporter_secret_count;
6329ce8f 123 unsigned int exporter_secret_count;
f1a5939f
CB		 124};
125
16afd71c
MC		 126
127static unsigned char serverinfov1[] = {
128 0xff, 0xff, /* Dummy extension type */
129 0x00, 0x01, /* Extension length is 1 byte */
130 0xff /* Dummy extension data */
131};
132
133static unsigned char serverinfov2[] = {
134 0x00, 0x00, 0x00,
135 (unsigned char)(SSL_EXT_CLIENT_HELLO & 0xff), /* Dummy context - 4 bytes */
136 0xff, 0xff, /* Dummy extension type */
137 0x00, 0x01, /* Extension length is 1 byte */
138 0xff /* Dummy extension data */
139};
140
104a733d
MC		 141static int hostname_cb(SSL *s, int *al, void *arg)
142{
143 const char *hostname = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
144
145 if (hostname != NULL && (strcmp(hostname, "goodhost") == 0
146 || strcmp(hostname, "altgoodhost") == 0))
147 return SSL_TLSEXT_ERR_OK;
148
149 return SSL_TLSEXT_ERR_NOACK;
150}
151
710756a9
RS		 152static void client_keylog_callback(const SSL *ssl, const char *line)
153{
6acdd3e5
CB		 154 int line_length = strlen(line);
155
156 /* If the log doesn't fit, error out. */
710756a9
RS		 157 if (client_log_buffer_index + line_length > sizeof(client_log_buffer) - 1) {
158 TEST_info("Client log too full");
6acdd3e5
CB		 159 error_writing_log = 1;
160 return;
161 }
162
163 strcat(client_log_buffer, line);
164 client_log_buffer_index += line_length;
710756a9 165 client_log_buffer[client_log_buffer_index++] = '\n';
6acdd3e5
CB		 166}
167
710756a9
RS		 168static void server_keylog_callback(const SSL *ssl, const char *line)
169{
6acdd3e5
CB		 170 int line_length = strlen(line);
171
172 /* If the log doesn't fit, error out. */
710756a9 173 if (server_log_buffer_index + line_length > sizeof(server_log_buffer) - 1) {
bdcacd93 174 TEST_info("Server log too full");
6acdd3e5
CB		 175 error_writing_log = 1;
176 return;
177 }
178
179 strcat(server_log_buffer, line);
180 server_log_buffer_index += line_length;
710756a9 181 server_log_buffer[server_log_buffer_index++] = '\n';
6acdd3e5
CB		 182}
183
184static int compare_hex_encoded_buffer(const char *hex_encoded,
185 size_t hex_length,
186 const uint8_t *raw,
710756a9
RS		 187 size_t raw_length)
188{
189 size_t i, j;
190 char hexed[3];
6acdd3e5 191
710756a9 192 if (!TEST_size_t_eq(raw_length * 2, hex_length))
6acdd3e5 193 return 1;
6acdd3e5 194
710756a9 195 for (i = j = 0; i < raw_length && j + 1 < hex_length; i++, j += 2) {
6acdd3e5 196 sprintf(hexed, "%02x", raw[i]);
710756a9
RS		 197 if (!TEST_int_eq(hexed[0], hex_encoded[j])
198 || !TEST_int_eq(hexed[1], hex_encoded[j + 1]))
6acdd3e5 199 return 1;
6acdd3e5
CB		 200 }
201
202 return 0;
203}
204
205static int test_keylog_output(char *buffer, const SSL *ssl,
f1a5939f 206 const SSL_SESSION *session,
710756a9
RS		 207 struct sslapitest_log_counts *expected)
208{
6acdd3e5
CB		 209 char *token = NULL;
210 unsigned char actual_client_random[SSL3_RANDOM_SIZE] = {0};
211 size_t client_random_size = SSL3_RANDOM_SIZE;
212 unsigned char actual_master_key[SSL_MAX_MASTER_KEY_LENGTH] = {0};
213 size_t master_key_size = SSL_MAX_MASTER_KEY_LENGTH;
f1a5939f
CB		 214 unsigned int rsa_key_exchange_count = 0;
215 unsigned int master_secret_count = 0;
cffe973c 216 unsigned int client_early_secret_count = 0;
f1a5939f
CB		 217 unsigned int client_handshake_secret_count = 0;
218 unsigned int server_handshake_secret_count = 0;
219 unsigned int client_application_secret_count = 0;
220 unsigned int server_application_secret_count = 0;
01a2a654 221 unsigned int early_exporter_secret_count = 0;
6329ce8f 222 unsigned int exporter_secret_count = 0;
6acdd3e5 223
710756a9
RS		 224 for (token = strtok(buffer, " \n"); token != NULL;
225 token = strtok(NULL, " \n")) {
6acdd3e5 226 if (strcmp(token, "RSA") == 0) {
f1a5939f
CB		 227 /*
228 * Premaster secret. Tokens should be: 16 ASCII bytes of
6acdd3e5
CB		 229 * hex-encoded encrypted secret, then the hex-encoded pre-master
230 * secret.
231 */
710756a9 232 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 233 return 0;
710756a9 234 if (!TEST_size_t_eq(strlen(token), 16))
f1a5939f 235 return 0;
710756a9 236 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 237 return 0;
f1a5939f
CB		 238 /*
239 * We can't sensibly check the log because the premaster secret is
240 * transient, and OpenSSL doesn't keep hold of it once the master
241 * secret is generated.
242 */
243 rsa_key_exchange_count++;
6acdd3e5 244 } else if (strcmp(token, "CLIENT_RANDOM") == 0) {
f1a5939f
CB		 245 /*
246 * Master secret. Tokens should be: 64 ASCII bytes of hex-encoded
6acdd3e5
CB		 247 * client random, then the hex-encoded master secret.
248 */
249 client_random_size = SSL_get_client_random(ssl,
250 actual_client_random,
251 SSL3_RANDOM_SIZE);
710756a9 252 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 253 return 0;
6acdd3e5 254
710756a9 255 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 256 return 0;
710756a9 257 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 258 return 0;
710756a9
RS		 259 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
260 actual_client_random,
261 client_random_size)))
f1a5939f 262 return 0;
6acdd3e5 263
710756a9 264 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 265 return 0;
6acdd3e5
CB		 266 master_key_size = SSL_SESSION_get_master_key(session,
267 actual_master_key,
268 master_key_size);
710756a9 269 if (!TEST_size_t_ne(master_key_size, 0))
f1a5939f 270 return 0;
710756a9
RS		 271 if (!TEST_false(compare_hex_encoded_buffer(token, strlen(token),
272 actual_master_key,
273 master_key_size)))
f1a5939f 274 return 0;
f1a5939f 275 master_secret_count++;
cffe973c
PW		 276 } else if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0
277 || strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0
710756a9
RS		 278 || strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0
279 || strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0
6329ce8f 280 || strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0
01a2a654 281 || strcmp(token, "EARLY_EXPORTER_SECRET") == 0
6329ce8f 282 || strcmp(token, "EXPORTER_SECRET") == 0) {
f1a5939f
CB		 283 /*
284 * TLSv1.3 secret. Tokens should be: 64 ASCII bytes of hex-encoded
285 * client random, and then the hex-encoded secret. In this case,
286 * we treat all of these secrets identically and then just
287 * distinguish between them when counting what we saw.
288 */
cffe973c
PW		 289 if (strcmp(token, "CLIENT_EARLY_TRAFFIC_SECRET") == 0)
290 client_early_secret_count++;
291 else if (strcmp(token, "CLIENT_HANDSHAKE_TRAFFIC_SECRET") == 0)
f1a5939f
CB		 292 client_handshake_secret_count++;
293 else if (strcmp(token, "SERVER_HANDSHAKE_TRAFFIC_SECRET") == 0)
294 server_handshake_secret_count++;
295 else if (strcmp(token, "CLIENT_TRAFFIC_SECRET_0") == 0)
296 client_application_secret_count++;
297 else if (strcmp(token, "SERVER_TRAFFIC_SECRET_0") == 0)
298 server_application_secret_count++;
01a2a654
PW		 299 else if (strcmp(token, "EARLY_EXPORTER_SECRET") == 0)
300 early_exporter_secret_count++;
6329ce8f
PW		 301 else if (strcmp(token, "EXPORTER_SECRET") == 0)
302 exporter_secret_count++;
f1a5939f
CB		 303
304 client_random_size = SSL_get_client_random(ssl,
305 actual_client_random,
306 SSL3_RANDOM_SIZE);
710756a9 307 if (!TEST_size_t_eq(client_random_size, SSL3_RANDOM_SIZE))
f1a5939f 308 return 0;
f1a5939f 309
710756a9 310 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 311 return 0;
710756a9 312 if (!TEST_size_t_eq(strlen(token), 64))
f1a5939f 313 return 0;
710756a9
RS		 314 if (!TEST_false(compare_hex_encoded_buffer(token, 64,
315 actual_client_random,
316 client_random_size)))
f1a5939f 317 return 0;
6acdd3e5 318
710756a9 319 if (!TEST_ptr(token = strtok(NULL, " \n")))
f1a5939f 320 return 0;
f1a5939f
CB		 321
322 /*
323 * TODO(TLS1.3): test that application traffic secrets are what
324 * we expect */
6acdd3e5 325 } else {
710756a9 326 TEST_info("Unexpected token %s\n", token);
f1a5939f 327 return 0;
6acdd3e5 328 }
6acdd3e5
CB		 329 }
330
710756a9
RS		 331 /* Got what we expected? */
332 if (!TEST_size_t_eq(rsa_key_exchange_count,
333 expected->rsa_key_exchange_count)
334 || !TEST_size_t_eq(master_secret_count,
335 expected->master_secret_count)
cffe973c
PW		 336 || !TEST_size_t_eq(client_early_secret_count,
337 expected->client_early_secret_count)
710756a9
RS		 338 || !TEST_size_t_eq(client_handshake_secret_count,
339 expected->client_handshake_secret_count)
340 || !TEST_size_t_eq(server_handshake_secret_count,
341 expected->server_handshake_secret_count)
342 || !TEST_size_t_eq(client_application_secret_count,
343 expected->client_application_secret_count)
344 || !TEST_size_t_eq(server_application_secret_count,
6329ce8f 345 expected->server_application_secret_count)
01a2a654
PW		 346 || !TEST_size_t_eq(early_exporter_secret_count,
347 expected->early_exporter_secret_count)
6329ce8f
PW		 348 || !TEST_size_t_eq(exporter_secret_count,
349 expected->exporter_secret_count))
710756a9
RS		 350 return 0;
351 return 1;
6acdd3e5
CB		 352}
353
c423ecaa 354#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
710756a9
RS		 355static int test_keylog(void)
356{
6acdd3e5
CB		 357 SSL_CTX *cctx = NULL, *sctx = NULL;
358 SSL *clientssl = NULL, *serverssl = NULL;
359 int testresult = 0;
6fc1e624 360 struct sslapitest_log_counts expected;
6acdd3e5
CB		 361
362 /* Clean up logging space */
6fc1e624 363 memset(&expected, 0, sizeof(expected));
710756a9
RS		 364 memset(client_log_buffer, 0, sizeof(client_log_buffer));
365 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 366 client_log_buffer_index = 0;
367 server_log_buffer_index = 0;
368 error_writing_log = 0;
369
5e30f2fd 370 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
710756a9 371 TLS_client_method(),
5c587fb6 372 TLS1_VERSION, 0,
710756a9 373 &sctx, &cctx, cert, privkey)))
6acdd3e5 374 return 0;
6acdd3e5
CB		 375
376 /* We cannot log the master secret for TLSv1.3, so we should forbid it. */
377 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
378 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
379
f0deb4d3 380 /* We also want to ensure that we use RSA-based key exchange. */
710756a9 381 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "RSA")))
f0deb4d3 382 goto end;
f0deb4d3 383
cf10df81
RS		 384 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
385 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 386 goto end;
6acdd3e5 387 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 388 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
389 == client_keylog_callback))
6acdd3e5 390 goto end;
710756a9 391 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 392 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
393 == server_keylog_callback))
6acdd3e5 394 goto end;
6acdd3e5 395
710756a9
RS		 396 /* Now do a handshake and check that the logs have been written to. */
397 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
398 &clientssl, NULL, NULL))
399 || !TEST_true(create_ssl_connection(serverssl, clientssl,
400 SSL_ERROR_NONE))
401 || !TEST_false(error_writing_log)
402 || !TEST_int_gt(client_log_buffer_index, 0)
403 || !TEST_int_gt(server_log_buffer_index, 0))
6acdd3e5 404 goto end;
6acdd3e5 405
f1a5939f
CB		 406 /*
407 * Now we want to test that our output data was vaguely sensible. We
6acdd3e5 408 * do that by using strtok and confirming that we have more or less the
f1a5939f
CB		 409 * data we expect. For both client and server, we expect to see one master
410 * secret. The client should also see a RSA key exchange.
6acdd3e5 411 */
f1a5939f
CB		 412 expected.rsa_key_exchange_count = 1;
413 expected.master_secret_count = 1;
710756a9
RS		 414 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
415 SSL_get_session(clientssl), &expected)))
6acdd3e5 416 goto end;
f1a5939f
CB		 417
418 expected.rsa_key_exchange_count = 0;
710756a9
RS		 419 if (!TEST_true(test_keylog_output(server_log_buffer, serverssl,
420 SSL_get_session(serverssl), &expected)))
6acdd3e5 421 goto end;
6acdd3e5
CB		 422
423 testresult = 1;
424
425end:
426 SSL_free(serverssl);
427 SSL_free(clientssl);
428 SSL_CTX_free(sctx);
429 SSL_CTX_free(cctx);
430
431 return testresult;
432}
c423ecaa 433#endif
6acdd3e5
CB		 434
435#ifndef OPENSSL_NO_TLS1_3
710756a9
RS		 436static int test_keylog_no_master_key(void)
437{
6acdd3e5
CB		 438 SSL_CTX *cctx = NULL, *sctx = NULL;
439 SSL *clientssl = NULL, *serverssl = NULL;
cffe973c 440 SSL_SESSION *sess = NULL;
6acdd3e5 441 int testresult = 0;
6fc1e624 442 struct sslapitest_log_counts expected;
cffe973c
PW		 443 unsigned char buf[1];
444 size_t readbytes, written;
6acdd3e5
CB		 445
446 /* Clean up logging space */
6fc1e624 447 memset(&expected, 0, sizeof(expected));
710756a9
RS		 448 memset(client_log_buffer, 0, sizeof(client_log_buffer));
449 memset(server_log_buffer, 0, sizeof(server_log_buffer));
6acdd3e5
CB		 450 client_log_buffer_index = 0;
451 server_log_buffer_index = 0;
452 error_writing_log = 0;
453
5e30f2fd
MC		 454 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
455 TLS_client_method(), TLS1_VERSION, 0,
cffe973c
PW		 456 &sctx, &cctx, cert, privkey))
457 || !TEST_true(SSL_CTX_set_max_early_data(sctx,
cffe973c 458 SSL3_RT_MAX_PLAIN_LENGTH)))
6acdd3e5 459 return 0;
6acdd3e5 460
cf10df81
RS		 461 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
462 || !TEST_true(SSL_CTX_get_keylog_callback(sctx) == NULL))
6acdd3e5 463 goto end;
6acdd3e5
CB		 464
465 SSL_CTX_set_keylog_callback(cctx, client_keylog_callback);
cf10df81
RS		 466 if (!TEST_true(SSL_CTX_get_keylog_callback(cctx)
467 == client_keylog_callback))
6acdd3e5 468 goto end;
6acdd3e5 469
710756a9 470 SSL_CTX_set_keylog_callback(sctx, server_keylog_callback);
cf10df81
RS		 471 if (!TEST_true(SSL_CTX_get_keylog_callback(sctx)
472 == server_keylog_callback))
6acdd3e5 473 goto end;
6acdd3e5 474
710756a9
RS		 475 /* Now do a handshake and check that the logs have been written to. */
476 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
477 &clientssl, NULL, NULL))
478 || !TEST_true(create_ssl_connection(serverssl, clientssl,
479 SSL_ERROR_NONE))
480 || !TEST_false(error_writing_log))
6acdd3e5 481 goto end;
6acdd3e5 482
f1a5939f
CB		 483 /*
484 * Now we want to test that our output data was vaguely sensible. For this
69687aa8 485 * test, we expect no CLIENT_RANDOM entry because it doesn't make sense for
f1a5939f 486 * TLSv1.3, but we do expect both client and server to emit keys.
6acdd3e5 487 */
f1a5939f
CB		 488 expected.client_handshake_secret_count = 1;
489 expected.server_handshake_secret_count = 1;
490 expected.client_application_secret_count = 1;
491 expected.server_application_secret_count = 1;
6329ce8f 492 expected.exporter_secret_count = 1;
710756a9
RS		 493 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
494 SSL_get_session(clientssl), &expected))
495 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
496 SSL_get_session(serverssl),
497 &expected)))
6acdd3e5 498 goto end;
6acdd3e5 499
cffe973c
PW		 500 /* Terminate old session and resume with early data. */
501 sess = SSL_get1_session(clientssl);
502 SSL_shutdown(clientssl);
503 SSL_shutdown(serverssl);
504 SSL_free(serverssl);
505 SSL_free(clientssl);
506 serverssl = clientssl = NULL;
507
508 /* Reset key log */
509 memset(client_log_buffer, 0, sizeof(client_log_buffer));
510 memset(server_log_buffer, 0, sizeof(server_log_buffer));
511 client_log_buffer_index = 0;
512 server_log_buffer_index = 0;
513
514 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
515 &clientssl, NULL, NULL))
516 || !TEST_true(SSL_set_session(clientssl, sess))
517 /* Here writing 0 length early data is enough. */
518 || !TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
519 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
520 &readbytes),
521 SSL_READ_EARLY_DATA_ERROR)
522 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
523 SSL_EARLY_DATA_ACCEPTED)
524 || !TEST_true(create_ssl_connection(serverssl, clientssl,
525 SSL_ERROR_NONE))
526 || !TEST_true(SSL_session_reused(clientssl)))
527 goto end;
528
529 /* In addition to the previous entries, expect early secrets. */
530 expected.client_early_secret_count = 1;
01a2a654 531 expected.early_exporter_secret_count = 1;
cffe973c
PW		 532 if (!TEST_true(test_keylog_output(client_log_buffer, clientssl,
533 SSL_get_session(clientssl), &expected))
534 || !TEST_true(test_keylog_output(server_log_buffer, serverssl,
535 SSL_get_session(serverssl),
536 &expected)))
537 goto end;
538
6acdd3e5
CB		 539 testresult = 1;
540
541end:
cffe973c 542 SSL_SESSION_free(sess);
6acdd3e5
CB		 543 SSL_free(serverssl);
544 SSL_free(clientssl);
545 SSL_CTX_free(sctx);
546 SSL_CTX_free(cctx);
547
548 return testresult;
549}
550#endif
551
e9ee6536 552#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 553static int full_client_hello_callback(SSL *s, int *al, void *arg)
2afaee51
BK		 554{
555 int *ctr = arg;
556 const unsigned char *p;
8ea404fb 557 int *exts;
2afaee51
BK		 558 /* We only configure two ciphers, but the SCSV is added automatically. */
559#ifdef OPENSSL_NO_EC
560 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0x00, 0xff};
561#else
562 const unsigned char expected_ciphers[] = {0x00, 0x9d, 0xc0,
563 0x2c, 0x00, 0xff};
564#endif
8ea404fb
BK		 565 const int expected_extensions[] = {
566#ifndef OPENSSL_NO_EC
567 11, 10,
568#endif
10ed1b72 569 35, 22, 23, 13};
2afaee51
BK		 570 size_t len;
571
572 /* Make sure we can defer processing and get called back. */
573 if ((*ctr)++ == 0)
f1b97da1 574 return SSL_CLIENT_HELLO_RETRY;
2afaee51 575
a9c0d8be 576 len = SSL_client_hello_get0_ciphers(s, &p);
710756a9 577 if (!TEST_mem_eq(p, len, expected_ciphers, sizeof(expected_ciphers))
a9c0d8be
DB		 578 || !TEST_size_t_eq(
579 SSL_client_hello_get0_compression_methods(s, &p), 1)
710756a9 580 || !TEST_int_eq(*p, 0))
f1b97da1 581 return SSL_CLIENT_HELLO_ERROR;
a9c0d8be 582 if (!SSL_client_hello_get1_extensions_present(s, &exts, &len))
f1b97da1 583 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 584 if (len != OSSL_NELEM(expected_extensions) ||
585 memcmp(exts, expected_extensions, len * sizeof(*exts)) != 0) {
a9c0d8be 586 printf("ClientHello callback expected extensions mismatch\n");
8ea404fb 587 OPENSSL_free(exts);
f1b97da1 588 return SSL_CLIENT_HELLO_ERROR;
8ea404fb
BK		 589 }
590 OPENSSL_free(exts);
f1b97da1 591 return SSL_CLIENT_HELLO_SUCCESS;
2afaee51
BK		 592}
593
a9c0d8be 594static int test_client_hello_cb(void)
710756a9 595{
2afaee51
BK		 596 SSL_CTX *cctx = NULL, *sctx = NULL;
597 SSL *clientssl = NULL, *serverssl = NULL;
598 int testctr = 0, testresult = 0;
599
5e30f2fd
MC		 600 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
601 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 602 &sctx, &cctx, cert, privkey)))
2afaee51 603 goto end;
a9c0d8be 604 SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
710756a9 605
2afaee51
BK		 606 /* The gimpy cipher list we configure can't do TLS 1.3. */
607 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2afaee51 608
710756a9
RS		 609 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
610 "AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"))
611 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
612 &clientssl, NULL, NULL))
613 || !TEST_false(create_ssl_connection(serverssl, clientssl,
a9c0d8be 614 SSL_ERROR_WANT_CLIENT_HELLO_CB))
710756a9
RS		 615 /*
616 * Passing a -1 literal is a hack since
617 * the real value was lost.
618 * */
a9c0d8be
DB		 619 || !TEST_int_eq(SSL_get_error(serverssl, -1),
620 SSL_ERROR_WANT_CLIENT_HELLO_CB)
710756a9
RS		 621 || !TEST_true(create_ssl_connection(serverssl, clientssl,
622 SSL_ERROR_NONE)))
2afaee51 623 goto end;
2afaee51
BK		 624
625 testresult = 1;
626
088dfa13
TS		 627end:
628 SSL_free(serverssl);
629 SSL_free(clientssl);
630 SSL_CTX_free(sctx);
631 SSL_CTX_free(cctx);
632
633 return testresult;
634}
635
636static int test_no_ems(void)
637{
638 SSL_CTX *cctx = NULL, *sctx = NULL;
639 SSL *clientssl = NULL, *serverssl = NULL;
640 int testresult = 0;
641
5e30f2fd 642 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
088dfa13
TS		 643 TLS1_VERSION, TLS1_2_VERSION,
644 &sctx, &cctx, cert, privkey)) {
645 printf("Unable to create SSL_CTX pair\n");
646 goto end;
647 }
648
649 SSL_CTX_set_options(sctx, SSL_OP_NO_EXTENDED_MASTER_SECRET);
650
651 if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
652 printf("Unable to create SSL objects\n");
653 goto end;
654 }
655
656 if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
657 printf("Creating SSL connection failed\n");
658 goto end;
659 }
660
661 if (SSL_get_extms_support(serverssl)) {
662 printf("Server reports Extended Master Secret support\n");
663 goto end;
664 }
665
666 if (SSL_get_extms_support(clientssl)) {
667 printf("Client reports Extended Master Secret support\n");
668 goto end;
669 }
670 testresult = 1;
671
2afaee51
BK		 672end:
673 SSL_free(serverssl);
674 SSL_free(clientssl);
675 SSL_CTX_free(sctx);
676 SSL_CTX_free(cctx);
677
678 return testresult;
679}
680
3cd14e5e
BK		 681/*
682 * Very focused test to exercise a single case in the server-side state
683 * machine, when the ChangeCipherState message needs to actually change
684 * from one cipher to a different cipher (i.e., not changing from null
b3e6d666 685 * encryption to real encryption).
3cd14e5e
BK		 686 */
687static int test_ccs_change_cipher(void)
688{
689 SSL_CTX *cctx = NULL, *sctx = NULL;
690 SSL *clientssl = NULL, *serverssl = NULL;
691 SSL_SESSION *sess = NULL, *sesspre, *sesspost;
692 int testresult = 0;
693 int i;
694 unsigned char buf;
695 size_t readbytes;
696
697 /*
698 * Create a conection so we can resume and potentially (but not) use
699 * a different cipher in the second connection.
700 */
5e30f2fd 701 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3cd14e5e
BK		 702 TLS_client_method(),
703 TLS1_VERSION, TLS1_2_VERSION,
704 &sctx, &cctx, cert, privkey))
705 || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))
706 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
707 NULL, NULL))
708 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
709 || !TEST_true(create_ssl_connection(serverssl, clientssl,
710 SSL_ERROR_NONE))
711 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
712 || !TEST_ptr(sess = SSL_get1_session(clientssl)))
713 goto end;
714
715 shutdown_ssl_connection(serverssl, clientssl);
716 serverssl = clientssl = NULL;
717
718 /* Resume, preferring a different cipher. Our server will force the
719 * same cipher to be used as the initial handshake. */
720 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
721 NULL, NULL))
722 || !TEST_true(SSL_set_session(clientssl, sess))
723 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384:AES128-GCM-SHA256"))
724 || !TEST_true(create_ssl_connection(serverssl, clientssl,
725 SSL_ERROR_NONE))
726 || !TEST_true(SSL_session_reused(clientssl))
727 || !TEST_true(SSL_session_reused(serverssl))
728 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
729 || !TEST_ptr_eq(sesspre, sesspost)
730 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
731 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
732 goto end;
733 shutdown_ssl_connection(serverssl, clientssl);
734 serverssl = clientssl = NULL;
735
736 /*
737 * Now create a fresh connection and try to renegotiate a different
738 * cipher on it.
739 */
b3e6d666
BK		 740 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
741 NULL, NULL))
3cd14e5e
BK		 742 || !TEST_true(SSL_set_cipher_list(clientssl, "AES128-GCM-SHA256"))
743 || !TEST_true(create_ssl_connection(serverssl, clientssl,
744 SSL_ERROR_NONE))
745 || !TEST_ptr(sesspre = SSL_get0_session(serverssl))
746 || !TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384"))
747 || !TEST_true(SSL_renegotiate(clientssl))
748 || !TEST_true(SSL_renegotiate_pending(clientssl)))
749 goto end;
750 /* Actually drive the renegotiation. */
751 for (i = 0; i < 3; i++) {
752 if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
753 if (!TEST_ulong_eq(readbytes, 0))
754 goto end;
755 } else if (!TEST_int_eq(SSL_get_error(clientssl, 0),
756 SSL_ERROR_WANT_READ)) {
757 goto end;
758 }
759 if (SSL_read_ex(serverssl, &buf, sizeof(buf), &readbytes) > 0) {
760 if (!TEST_ulong_eq(readbytes, 0))
761 goto end;
762 } else if (!TEST_int_eq(SSL_get_error(serverssl, 0),
763 SSL_ERROR_WANT_READ)) {
764 goto end;
765 }
766 }
767 /* sesspre and sesspost should be different since the cipher changed. */
768 if (!TEST_false(SSL_renegotiate_pending(clientssl))
769 || !TEST_false(SSL_session_reused(clientssl))
770 || !TEST_false(SSL_session_reused(serverssl))
771 || !TEST_ptr(sesspost = SSL_get0_session(serverssl))
772 || !TEST_ptr_ne(sesspre, sesspost)
773 || !TEST_int_eq(TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
774 SSL_CIPHER_get_id(SSL_get_current_cipher(clientssl))))
775 goto end;
776
777 shutdown_ssl_connection(serverssl, clientssl);
778 serverssl = clientssl = NULL;
779
780 testresult = 1;
781
782end:
783 SSL_free(serverssl);
784 SSL_free(clientssl);
785 SSL_CTX_free(sctx);
786 SSL_CTX_free(cctx);
787 SSL_SESSION_free(sess);
788
789 return testresult;
790}
fb121631 791#endif
3cd14e5e 792
84d5549e 793static int execute_test_large_message(const SSL_METHOD *smeth,
7d7f6834
RL		 794 const SSL_METHOD *cmeth,
795 int min_version, int max_version,
796 int read_ahead)
84d5549e
MC		 797{
798 SSL_CTX *cctx = NULL, *sctx = NULL;
799 SSL *clientssl = NULL, *serverssl = NULL;
800 int testresult = 0;
801 int i;
710756a9 802 BIO *certbio = NULL;
84d5549e
MC		 803 X509 *chaincert = NULL;
804 int certlen;
805
710756a9 806 if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
84d5549e 807 goto end;
6725682d 808
d8652be0 809 if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
6725682d
SL		 810 goto end;
811
812 if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
813 goto end;
fa454945
MC		 814 BIO_free(certbio);
815 certbio = NULL;
84d5549e 816
5e30f2fd
MC		 817 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
818 max_version, &sctx, &cctx, cert,
819 privkey)))
84d5549e 820 goto end;
84d5549e 821
710756a9 822 if (read_ahead) {
7856332e
MC		 823 /*
824 * Test that read_ahead works correctly when dealing with large
825 * records
826 */
827 SSL_CTX_set_read_ahead(cctx, 1);
828 }
829
84d5549e
MC		 830 /*
831 * We assume the supplied certificate is big enough so that if we add
832 * NUM_EXTRA_CERTS it will make the overall message large enough. The
833 * default buffer size is requested to be 16k, but due to the way BUF_MEM
710756a9
RS		 834 * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
835 * test we need to have a message larger than that.
84d5549e
MC		 836 */
837 certlen = i2d_X509(chaincert, NULL);
710756a9
RS		 838 OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
839 (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
84d5549e 840 for (i = 0; i < NUM_EXTRA_CERTS; i++) {
710756a9 841 if (!X509_up_ref(chaincert))
84d5549e 842 goto end;
84d5549e 843 if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
84d5549e
MC		 844 X509_free(chaincert);
845 goto end;
846 }
847 }
848
710756a9
RS		 849 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
850 NULL, NULL))
851 || !TEST_true(create_ssl_connection(serverssl, clientssl,
852 SSL_ERROR_NONE)))
84d5549e 853 goto end;
84d5549e 854
4bf08600
MC		 855 /*
856 * Calling SSL_clear() first is not required but this tests that SSL_clear()
742ccab3 857 * doesn't leak.
4bf08600 858 */
710756a9 859 if (!TEST_true(SSL_clear(serverssl)))
4bf08600 860 goto end;
84d5549e 861
4bf08600 862 testresult = 1;
84d5549e 863 end:
6725682d 864 BIO_free(certbio);
84d5549e
MC		 865 X509_free(chaincert);
866 SSL_free(serverssl);
867 SSL_free(clientssl);
868 SSL_CTX_free(sctx);
869 SSL_CTX_free(cctx);
870
871 return testresult;
872}
873
da4db160
VF		 874#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
875 !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
876#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
fe5d9450
BP		 877/* sock must be connected */
878static int ktls_chk_platform(int sock)
879{
880 if (!ktls_enable(sock))
881 return 0;
882 return 1;
883}
884
da4db160 885static int ping_pong_query(SSL *clientssl, SSL *serverssl, int cfd, int sfd, int rec_seq_size)
fe5d9450
BP		 886{
887 static char count = 1;
888 unsigned char cbuf[16000] = {0};
889 unsigned char sbuf[16000];
890 size_t err = 0;
da4db160
VF		 891 char crec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
892 char crec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
893 char crec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
894 char crec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
895 char srec_wseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
896 char srec_wseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
897 char srec_rseq_before[TLS_CIPHER_MAX_REC_SEQ_SIZE];
898 char srec_rseq_after[TLS_CIPHER_MAX_REC_SEQ_SIZE];
fe5d9450
BP		 899
900 cbuf[0] = count++;
da4db160
VF		 901 memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, rec_seq_size);
902 memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, rec_seq_size);
903 memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, rec_seq_size);
904 memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 905
906 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
907 goto end;
908
909 while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) {
910 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) {
911 goto end;
912 }
913 }
914
915 if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf)))
916 goto end;
917
918 while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) {
919 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) {
920 goto end;
921 }
922 }
923
da4db160
VF		 924 memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, rec_seq_size);
925 memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, rec_seq_size);
926 memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, rec_seq_size);
927 memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, rec_seq_size);
fe5d9450
BP		 928
929 /* verify the payload */
930 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
931 goto end;
932
933 /* ktls is used then kernel sequences are used instead of OpenSSL sequences */
934 if (clientssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 935 if (!TEST_mem_ne(crec_wseq_before, rec_seq_size,
936 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 937 goto end;
938 } else {
da4db160
VF		 939 if (!TEST_mem_eq(crec_wseq_before, rec_seq_size,
940 crec_wseq_after, rec_seq_size))
fe5d9450
BP		 941 goto end;
942 }
943
944 if (serverssl->mode & SSL_MODE_NO_KTLS_TX) {
da4db160
VF		 945 if (!TEST_mem_ne(srec_wseq_before, rec_seq_size,
946 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 947 goto end;
948 } else {
da4db160
VF		 949 if (!TEST_mem_eq(srec_wseq_before, rec_seq_size,
950 srec_wseq_after, rec_seq_size))
fe5d9450
BP		 951 goto end;
952 }
953
2fab79af 954 if (clientssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 955 if (!TEST_mem_ne(crec_rseq_before, rec_seq_size,
956 crec_rseq_after, rec_seq_size))
2fab79af
BP		 957 goto end;
958 } else {
da4db160
VF		 959 if (!TEST_mem_eq(crec_rseq_before, rec_seq_size,
960 crec_rseq_after, rec_seq_size))
2fab79af
BP		 961 goto end;
962 }
963
964 if (serverssl->mode & SSL_MODE_NO_KTLS_RX) {
da4db160
VF		 965 if (!TEST_mem_ne(srec_rseq_before, rec_seq_size,
966 srec_rseq_after, rec_seq_size))
2fab79af
BP		 967 goto end;
968 } else {
da4db160
VF		 969 if (!TEST_mem_eq(srec_rseq_before, rec_seq_size,
970 srec_rseq_after, rec_seq_size))
2fab79af
BP		 971 goto end;
972 }
fe5d9450
BP		 973
974 return 1;
975end:
976 return 0;
977}
978
2fab79af 979static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
da4db160
VF		 980 int sis_ktls_tx, int sis_ktls_rx,
981 int tls_version, const char *cipher,
982 int rec_seq_size)
fe5d9450
BP		 983{
984 SSL_CTX *cctx = NULL, *sctx = NULL;
985 SSL *clientssl = NULL, *serverssl = NULL;
986 int testresult = 0;
987 int cfd, sfd;
988
989 if (!TEST_true(create_test_sockets(&cfd, &sfd)))
990 goto end;
991
992 /* Skip this test if the platform does not support ktls */
993 if (!ktls_chk_platform(cfd))
994 return 1;
995
996 /* Create a session based on SHA-256 */
5e30f2fd 997 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fe5d9450 998 TLS_client_method(),
da4db160 999 tls_version, tls_version,
fe5d9450 1000 &sctx, &cctx, cert, privkey))
da4db160 1001 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1002 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
fe5d9450
BP		 1003 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1004 &clientssl, sfd, cfd)))
1005 goto end;
1006
1007 if (!cis_ktls_tx) {
1008 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_TX)))
1009 goto end;
1010 }
1011
1012 if (!sis_ktls_tx) {
1013 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_TX)))
1014 goto end;
1015 }
1016
2fab79af
BP		 1017 if (!cis_ktls_rx) {
1018 if (!TEST_true(SSL_set_mode(clientssl, SSL_MODE_NO_KTLS_RX)))
1019 goto end;
1020 }
1021
1022 if (!sis_ktls_rx) {
1023 if (!TEST_true(SSL_set_mode(serverssl, SSL_MODE_NO_KTLS_RX)))
1024 goto end;
1025 }
1026
fe5d9450
BP		 1027 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1028 SSL_ERROR_NONE)))
1029 goto end;
1030
1031 if (!cis_ktls_tx) {
1032 if (!TEST_false(BIO_get_ktls_send(clientssl->wbio)))
1033 goto end;
1034 } else {
1035 if (!TEST_true(BIO_get_ktls_send(clientssl->wbio)))
1036 goto end;
1037 }
1038
1039 if (!sis_ktls_tx) {
1040 if (!TEST_false(BIO_get_ktls_send(serverssl->wbio)))
1041 goto end;
1042 } else {
1043 if (!TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1044 goto end;
1045 }
1046
2fab79af
BP		 1047 if (!cis_ktls_rx) {
1048 if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
1049 goto end;
1050 } else {
1051 if (!TEST_true(BIO_get_ktls_recv(clientssl->rbio)))
1052 goto end;
1053 }
1054
1055 if (!sis_ktls_rx) {
1056 if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio)))
1057 goto end;
1058 } else {
1059 if (!TEST_true(BIO_get_ktls_recv(serverssl->rbio)))
1060 goto end;
1061 }
1062
da4db160
VF		 1063 if (!TEST_true(ping_pong_query(clientssl, serverssl, cfd, sfd,
1064 rec_seq_size)))
fe5d9450
BP		 1065 goto end;
1066
1067 testresult = 1;
1068end:
1069 if (clientssl) {
1070 SSL_shutdown(clientssl);
1071 SSL_free(clientssl);
1072 }
1073 if (serverssl) {
1074 SSL_shutdown(serverssl);
1075 SSL_free(serverssl);
1076 }
1077 SSL_CTX_free(sctx);
1078 SSL_CTX_free(cctx);
1079 serverssl = clientssl = NULL;
1080 return testresult;
1081}
1082
7c3a7561
BP		 1083#define SENDFILE_SZ (16 * 4096)
1084#define SENDFILE_CHUNK (4 * 4096)
1085#define min(a,b) ((a) > (b) ? (b) : (a))
1086
da4db160 1087static int test_ktls_sendfile(int tls_version, const char *cipher)
7c3a7561
BP		 1088{
1089 SSL_CTX *cctx = NULL, *sctx = NULL;
1090 SSL *clientssl = NULL, *serverssl = NULL;
1091 unsigned char *buf, *buf_dst;
1092 BIO *out = NULL, *in = NULL;
1093 int cfd, sfd, ffd, err;
1094 ssize_t chunk_size = 0;
1095 off_t chunk_off = 0;
1096 int testresult = 0;
1097 FILE *ffdp;
1098
1099 buf = OPENSSL_zalloc(SENDFILE_SZ);
1100 buf_dst = OPENSSL_zalloc(SENDFILE_SZ);
1101 if (!TEST_ptr(buf) || !TEST_ptr(buf_dst)
1102 || !TEST_true(create_test_sockets(&cfd, &sfd)))
1103 goto end;
1104
1105 /* Skip this test if the platform does not support ktls */
1106 if (!ktls_chk_platform(sfd)) {
1107 testresult = 1;
1108 goto end;
1109 }
1110
1111 /* Create a session based on SHA-256 */
5e30f2fd 1112 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7c3a7561 1113 TLS_client_method(),
da4db160 1114 tls_version, tls_version,
7c3a7561 1115 &sctx, &cctx, cert, privkey))
da4db160 1116 || !TEST_true(SSL_CTX_set_cipher_list(cctx, cipher))
ab114c6d 1117 || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))
7c3a7561
BP		 1118 || !TEST_true(create_ssl_objects2(sctx, cctx, &serverssl,
1119 &clientssl, sfd, cfd)))
1120 goto end;
1121
1122 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1123 SSL_ERROR_NONE))
1124 || !TEST_true(BIO_get_ktls_send(serverssl->wbio)))
1125 goto end;
1126
72c1e374
JB		 1127 if (!TEST_true(RAND_bytes_ex(libctx, buf, SENDFILE_SZ)))
1128 goto end;
1129
7c3a7561
BP		 1130 out = BIO_new_file(tmpfilename, "wb");
1131 if (!TEST_ptr(out))
1132 goto end;
1133
1134 if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ)
1135 goto end;
1136
1137 BIO_free(out);
1138 out = NULL;
1139 in = BIO_new_file(tmpfilename, "rb");
1140 BIO_get_fp(in, &ffdp);
1141 ffd = fileno(ffdp);
1142
1143 while (chunk_off < SENDFILE_SZ) {
1144 chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off);
1145 while ((err = SSL_sendfile(serverssl,
1146 ffd,
1147 chunk_off,
1148 chunk_size,
1149 0)) != chunk_size) {
1150 if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE)
1151 goto end;
1152 }
1153 while ((err = SSL_read(clientssl,
1154 buf_dst + chunk_off,
1155 chunk_size)) != chunk_size) {
1156 if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ)
1157 goto end;
1158 }
1159
1160 /* verify the payload */
1161 if (!TEST_mem_eq(buf_dst + chunk_off,
1162 chunk_size,
1163 buf + chunk_off,
1164 chunk_size))
1165 goto end;
1166
1167 chunk_off += chunk_size;
1168 }
1169
1170 testresult = 1;
1171end:
1172 if (clientssl) {
1173 SSL_shutdown(clientssl);
1174 SSL_free(clientssl);
1175 }
1176 if (serverssl) {
1177 SSL_shutdown(serverssl);
1178 SSL_free(serverssl);
1179 }
1180 SSL_CTX_free(sctx);
1181 SSL_CTX_free(cctx);
1182 serverssl = clientssl = NULL;
1183 BIO_free(out);
1184 BIO_free(in);
1185 OPENSSL_free(buf);
1186 OPENSSL_free(buf_dst);
1187 return testresult;
1188}
1189
da4db160
VF		 1190#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
1191static int test_ktls(int test)
1192{
eb818d23
JB		 1193 int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
1194 int tlsver, testresult;
da4db160
VF		 1195
1196 if (test > 15) {
1197#if defined(OPENSSL_NO_TLS1_3)
1198 return 1;
1199#else
1200 test -= 16;
1201 tlsver = TLS1_3_VERSION;
1202#endif
1203 } else {
1204#if defined(OPENSSL_NO_TLS1_2)
1205 return 1;
1206#else
1207 tlsver = TLS1_2_VERSION;
1208#endif
1209 }
1210
eb818d23
JB		 1211 cis_ktls_tx = (test & 1) != 0;
1212 cis_ktls_rx = (test & 2) != 0;
1213 sis_ktls_tx = (test & 4) != 0;
1214 sis_ktls_rx = (test & 8) != 0;
1215
cd03b5dc
JB		 1216#if defined(OPENSSL_NO_KTLS_RX)
1217 if (cis_ktls_rx || sis_ktls_rx)
1218 return 1;
1219#endif
18efb630
JB		 1220#if !defined(OPENSSL_NO_TLS1_3)
1221 if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
1222 return 1;
1223#endif
cd03b5dc 1224
eb818d23
JB		 1225 testresult = 1;
1226#ifdef OPENSSL_KTLS_AES_GCM_128
1227 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1228 sis_ktls_rx, tlsver, "AES128-GCM-SHA256",
1229 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
1230#endif
1231#ifdef OPENSSL_KTLS_AES_CCM_128
1232 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
ab114c6d 1233 sis_ktls_rx, tlsver, "AES128-CCM",
eb818d23
JB		 1234 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
1235#endif
1236#ifdef OPENSSL_KTLS_AES_GCM_256
1237 testresult &= execute_test_ktls(cis_ktls_tx, cis_ktls_rx, sis_ktls_tx,
1238 sis_ktls_rx, tlsver, "AES256-GCM-SHA384",
1239 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
1240#endif
1241 return testresult;
2fab79af
BP		 1242}
1243
da4db160 1244static int test_ktls_sendfile_anytls(int tst)
fe5d9450 1245{
ab114c6d 1246 char *cipher[] = {"AES128-GCM-SHA256","AES128-CCM","AES256-GCM-SHA384"};
da4db160
VF		 1247 int tlsver;
1248
1249 if (tst > 2) {
1250#if defined(OPENSSL_NO_TLS1_3)
1251 return 1;
1252#else
1253 tst -= 3;
1254 tlsver = TLS1_3_VERSION;
1255#endif
1256 } else {
1257#if defined(OPENSSL_NO_TLS1_2)
1258 return 1;
1259#else
1260 tlsver = TLS1_2_VERSION;
1261#endif
1262 }
1263
1264#ifndef OPENSSL_KTLS_AES_GCM_128
1265 if(tst == 0) return 1;
1266#endif
1267#ifndef OPENSSL_KTLS_AES_CCM_128
1268 if(tst == 1) return 1;
1269#endif
1270#ifndef OPENSSL_KTLS_AES_GCM_256
1271 if(tst == 2) return 1;
1272#endif
1273 return test_ktls_sendfile(tlsver, cipher[tst]);
fe5d9450 1274}
da4db160
VF		 1275
1276#endif
fe5d9450
BP		 1277#endif
1278
84d5549e
MC		 1279static int test_large_message_tls(void)
1280{
7856332e 1281 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1282 TLS1_VERSION, 0, 0);
7856332e
MC		 1283}
1284
1285static int test_large_message_tls_read_ahead(void)
1286{
1287 return execute_test_large_message(TLS_server_method(), TLS_client_method(),
5c587fb6 1288 TLS1_VERSION, 0, 1);
84d5549e
MC		 1289}
1290
55386bef 1291#ifndef OPENSSL_NO_DTLS
84d5549e
MC		 1292static int test_large_message_dtls(void)
1293{
7856332e
MC		 1294 /*
1295 * read_ahead is not relevant to DTLS because DTLS always acts as if
1296 * read_ahead is set.
1297 */
84d5549e 1298 return execute_test_large_message(DTLS_server_method(),
7d7f6834 1299 DTLS_client_method(),
5c587fb6 1300 DTLS1_VERSION, 0, 0);
84d5549e 1301}
55386bef 1302#endif
84d5549e 1303
163b8016
ME		 1304static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
1305 const SSL_METHOD *cmeth,
1306 int min_version, int max_version)
1307{
1308 size_t i;
1309 SSL_CTX *cctx = NULL, *sctx = NULL;
1310 SSL *clientssl = NULL, *serverssl = NULL;
1311 int testresult = 0;
1312 SSL3_RECORD *rr;
1313 void *zbuf;
1314
1315 static unsigned char cbuf[16000];
1316 static unsigned char sbuf[16000];
1317
1318 if (!TEST_true(create_ssl_ctx_pair(libctx,
1319 smeth, cmeth,
1320 min_version, max_version,
1321 &sctx, &cctx, cert,
1322 privkey)))
1323 goto end;
1324
1325 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
1326 NULL, NULL)))
1327 goto end;
1328
1329 if (!TEST_true(SSL_set_options(serverssl, SSL_OP_CLEANSE_PLAINTEXT)))
1330 goto end;
1331
1332 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1333 SSL_ERROR_NONE)))
1334 goto end;
1335
1336 for (i = 0; i < sizeof(cbuf); i++) {
1337 cbuf[i] = i & 0xff;
1338 }
1339
1340 if (!TEST_int_eq(SSL_write(clientssl, cbuf, sizeof(cbuf)), sizeof(cbuf)))
1341 goto end;
1342
1343 if (!TEST_int_eq(SSL_peek(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1344 goto end;
1345
1346 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf)))
1347 goto end;
1348
1349 /*
1350 * Since we called SSL_peek(), we know the data in the record
1351 * layer is a plaintext record. We can gather the pointer to check
1352 * for zeroization after SSL_read().
1353 */
1354 rr = serverssl->rlayer.rrec;
1355 zbuf = &rr->data[rr->off];
1356 if (!TEST_int_eq(rr->length, sizeof(cbuf)))
1357 goto end;
1358
1359 /*
1360 * After SSL_peek() the plaintext must still be stored in the
1361 * record.
1362 */
1363 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1364 goto end;
1365
1366 memset(sbuf, 0, sizeof(sbuf));
1367 if (!TEST_int_eq(SSL_read(serverssl, &sbuf, sizeof(sbuf)), sizeof(sbuf)))
1368 goto end;
1369
1370 if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(cbuf)))
1371 goto end;
1372
1373 /* Check if rbuf is cleansed */
1374 memset(cbuf, 0, sizeof(cbuf));
1375 if (!TEST_mem_eq(cbuf, sizeof(cbuf), zbuf, sizeof(cbuf)))
1376 goto end;
1377
1378 testresult = 1;
1379 end:
1380 SSL_free(serverssl);
1381 SSL_free(clientssl);
1382 SSL_CTX_free(sctx);
1383 SSL_CTX_free(cctx);
1384
1385 return testresult;
1386}
1387
1388static int test_cleanse_plaintext(void)
1389{
1390#if !defined(OPENSSL_NO_TLS1_2)
1391 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1392 TLS_client_method(),
1393 TLS1_2_VERSION,
1394 TLS1_2_VERSION)))
1395 return 0;
1396
1397#endif
1398
1399#if !defined(OPENSSL_NO_TLS1_3)
1400 if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
1401 TLS_client_method(),
1402 TLS1_3_VERSION,
1403 TLS1_3_VERSION)))
1404 return 0;
1405#endif
1406
1407#if !defined(OPENSSL_NO_DTLS)
1408 if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
1409 DTLS_client_method(),
1410 DTLS1_VERSION,
1411 0)))
1412 return 0;
1413#endif
1414 return 1;
1415}
1416
8f8c11d8 1417#ifndef OPENSSL_NO_OCSP
ba881d3b
MC		 1418static int ocsp_server_cb(SSL *s, void *arg)
1419{
1420 int *argi = (int *)arg;
710756a9 1421 unsigned char *copy = NULL;
ba881d3b
MC		 1422 STACK_OF(OCSP_RESPID) *ids = NULL;
1423 OCSP_RESPID *id = NULL;
1424
1425 if (*argi == 2) {
1426 /* In this test we are expecting exactly 1 OCSP_RESPID */
1427 SSL_get_tlsext_status_ids(s, &ids);
1428 if (ids == NULL || sk_OCSP_RESPID_num(ids) != 1)
1429 return SSL_TLSEXT_ERR_ALERT_FATAL;
1430
1431 id = sk_OCSP_RESPID_value(ids, 0);
5e30f2fd 1432 if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
ba881d3b
MC		 1433 return SSL_TLSEXT_ERR_ALERT_FATAL;
1434 } else if (*argi != 1) {
1435 return SSL_TLSEXT_ERR_ALERT_FATAL;
1436 }
1437
710756a9 1438 if (!TEST_ptr(copy = OPENSSL_memdup(orespder, sizeof(orespder))))
ba881d3b
MC		 1439 return SSL_TLSEXT_ERR_ALERT_FATAL;
1440
710756a9 1441 SSL_set_tlsext_status_ocsp_resp(s, copy, sizeof(orespder));
ba881d3b 1442 ocsp_server_called = 1;
ba881d3b
MC		 1443 return SSL_TLSEXT_ERR_OK;
1444}
1445
1446static int ocsp_client_cb(SSL *s, void *arg)
1447{
1448 int *argi = (int *)arg;
1449 const unsigned char *respderin;
1450 size_t len;
1451
1452 if (*argi != 1 && *argi != 2)
1453 return 0;
1454
1455 len = SSL_get_tlsext_status_ocsp_resp(s, &respderin);
710756a9 1456 if (!TEST_mem_eq(orespder, len, respderin, len))
ba881d3b
MC		 1457 return 0;
1458
1459 ocsp_client_called = 1;
ba881d3b
MC		 1460 return 1;
1461}
1462
2cb4b5f6
MC		 1463static int test_tlsext_status_type(void)
1464{
ba881d3b
MC		 1465 SSL_CTX *cctx = NULL, *sctx = NULL;
1466 SSL *clientssl = NULL, *serverssl = NULL;
2cb4b5f6 1467 int testresult = 0;
ba881d3b
MC		 1468 STACK_OF(OCSP_RESPID) *ids = NULL;
1469 OCSP_RESPID *id = NULL;
1470 BIO *certbio = NULL;
2cb4b5f6 1471
5e30f2fd 1472 if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
5c587fb6 1473 TLS1_VERSION, 0,
7d7f6834 1474 &sctx, &cctx, cert, privkey))
ba881d3b 1475 return 0;
2cb4b5f6 1476
710756a9 1477 if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
2cb4b5f6 1478 goto end;
2cb4b5f6 1479
ba881d3b 1480 /* First just do various checks getting and setting tlsext_status_type */
2cb4b5f6 1481
ba881d3b 1482 clientssl = SSL_new(cctx);
710756a9
RS		 1483 if (!TEST_int_eq(SSL_get_tlsext_status_type(clientssl), -1)
1484 || !TEST_true(SSL_set_tlsext_status_type(clientssl,
1485 TLSEXT_STATUSTYPE_ocsp))
1486 || !TEST_int_eq(SSL_get_tlsext_status_type(clientssl),
1487 TLSEXT_STATUSTYPE_ocsp))
2cb4b5f6 1488 goto end;
2cb4b5f6 1489
ba881d3b
MC		 1490 SSL_free(clientssl);
1491 clientssl = NULL;
2cb4b5f6 1492
710756a9
RS		 1493 if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)
1494 || SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1495 goto end;
2cb4b5f6 1496
ba881d3b 1497 clientssl = SSL_new(cctx);
710756a9 1498 if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp)
2cb4b5f6 1499 goto end;
ba881d3b
MC		 1500 SSL_free(clientssl);
1501 clientssl = NULL;
1502
1503 /*
1504 * Now actually do a handshake and check OCSP information is exchanged and
1505 * the callbacks get called
1506 */
ba881d3b
MC		 1507 SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb);
1508 SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg);
1509 SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb);
1510 SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg);
710756a9
RS		 1511 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1512 &clientssl, NULL, NULL))
1513 || !TEST_true(create_ssl_connection(serverssl, clientssl,
1514 SSL_ERROR_NONE))
1515 || !TEST_true(ocsp_client_called)
1516 || !TEST_true(ocsp_server_called))
ba881d3b 1517 goto end;
ba881d3b
MC		 1518 SSL_free(serverssl);
1519 SSL_free(clientssl);
1520 serverssl = NULL;
1521 clientssl = NULL;
1522
1523 /* Try again but this time force the server side callback to fail */
1524 ocsp_client_called = 0;
1525 ocsp_server_called = 0;
1526 cdummyarg = 0;
710756a9
RS		 1527 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1528 &clientssl, NULL, NULL))
1529 /* This should fail because the callback will fail */
1530 || !TEST_false(create_ssl_connection(serverssl, clientssl,
1531 SSL_ERROR_NONE))
1532 || !TEST_false(ocsp_client_called)
1533 || !TEST_false(ocsp_server_called))
ba881d3b 1534 goto end;
ba881d3b
MC		 1535 SSL_free(serverssl);
1536 SSL_free(clientssl);
1537 serverssl = NULL;
1538 clientssl = NULL;
1539
1540 /*
1541 * This time we'll get the client to send an OCSP_RESPID that it will
1542 * accept.
1543 */
1544 ocsp_client_called = 0;
1545 ocsp_server_called = 0;
1546 cdummyarg = 2;
710756a9
RS		 1547 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
1548 &clientssl, NULL, NULL)))
ba881d3b 1549 goto end;
ba881d3b
MC		 1550
1551 /*
1552 * We'll just use any old cert for this test - it doesn't have to be an OCSP
69687aa8 1553 * specific one. We'll use the server cert.
ba881d3b 1554 */
710756a9
RS		 1555 if (!TEST_ptr(certbio = BIO_new_file(cert, "r"))
1556 || !TEST_ptr(id = OCSP_RESPID_new())
1557 || !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
d8652be0 1558 || !TEST_ptr(ocspcert = X509_new_ex(libctx, NULL))
6725682d 1559 || !TEST_ptr(PEM_read_bio_X509(certbio, &ocspcert, NULL, NULL))
5e30f2fd 1560 || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
710756a9 1561 || !TEST_true(sk_OCSP_RESPID_push(ids, id)))
ba881d3b 1562 goto end;
ba881d3b
MC		 1563 id = NULL;
1564 SSL_set_tlsext_status_ids(clientssl, ids);
1565 /* Control has been transferred */
1566 ids = NULL;
1567
1568 BIO_free(certbio);
1569 certbio = NULL;
1570
710756a9
RS		 1571 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
1572 SSL_ERROR_NONE))
1573 || !TEST_true(ocsp_client_called)
1574 || !TEST_true(ocsp_server_called))
ba881d3b 1575 goto end;
ba881d3b 1576
2cb4b5f6
MC		 1577 testresult = 1;
1578
1579 end:
ba881d3b
MC		 1580 SSL_free(serverssl);
1581 SSL_free(clientssl);
1582 SSL_CTX_free(sctx);
1583 SSL_CTX_free(cctx);
1584 sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free);
1585 OCSP_RESPID_free(id);
1586 BIO_free(certbio);
1587 X509_free(ocspcert);
1588 ocspcert = NULL;
2cb4b5f6
MC		 1589
1590 return testresult;
1591}
8f8c11d8 1592#endif
2cb4b5f6 1593
bf208d95 1594#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
0afca811 1595static int new_called, remove_called, get_called;
eaa776da 1596
eaa776da
MC		 1597static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
1598{
1599 new_called++;
c0537ebd
MC		 1600 /*
1601 * sess has been up-refed for us, but we don't actually need it so free it
1602 * immediately.
1603 */
1604 SSL_SESSION_free(sess);
eaa776da
MC		 1605 return 1;
1606}
1607
1608static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1609{
1610 remove_called++;
1611}
1612
7a301f08
MC		 1613static SSL_SESSION *get_sess_val = NULL;
1614
1615static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
1616 int *copy)
1617{
0afca811 1618 get_called++;
7a301f08
MC		 1619 *copy = 1;
1620 return get_sess_val;
1621}
1622
7a301f08 1623static int execute_test_session(int maxprot, int use_int_cache,
90fc2c26 1624 int use_ext_cache, long s_options)
2cb4b5f6
MC		 1625{
1626 SSL_CTX *sctx = NULL, *cctx = NULL;
1627 SSL *serverssl1 = NULL, *clientssl1 = NULL;
1628 SSL *serverssl2 = NULL, *clientssl2 = NULL;
bf208d95 1629# ifndef OPENSSL_NO_TLS1_1
eaa776da 1630 SSL *serverssl3 = NULL, *clientssl3 = NULL;
bf208d95 1631# endif
2cb4b5f6 1632 SSL_SESSION *sess1 = NULL, *sess2 = NULL;
36ff232c 1633 int testresult = 0, numnewsesstick = 1;
2cb4b5f6 1634
7e885b7b
P		 1635 new_called = remove_called = 0;
1636
36ff232c
MC		 1637 /* TLSv1.3 sends 2 NewSessionTickets */
1638 if (maxprot == TLS1_3_VERSION)
1639 numnewsesstick = 2;
1640
5e30f2fd
MC		 1641 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
1642 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 1643 &sctx, &cctx, cert, privkey)))
2cb4b5f6 1644 return 0;
2cb4b5f6 1645
7a301f08
MC		 1646 /*
1647 * Only allow the max protocol version so we can force a connection failure
1648 * later
1649 */
1650 SSL_CTX_set_min_proto_version(cctx, maxprot);
1651 SSL_CTX_set_max_proto_version(cctx, maxprot);
eaa776da
MC		 1652
1653 /* Set up session cache */
7e885b7b 1654 if (use_ext_cache) {
eaa776da
MC		 1655 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
1656 SSL_CTX_sess_set_remove_cb(cctx, remove_session_cb);
1657 }
7e885b7b 1658 if (use_int_cache) {
eaa776da
MC		 1659 /* Also covers instance where both are set */
1660 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT);
1661 } else {
1662 SSL_CTX_set_session_cache_mode(cctx,
1663 SSL_SESS_CACHE_CLIENT
1664 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1665 }
2cb4b5f6 1666
90fc2c26
NM		 1667 if (s_options) {
1668 SSL_CTX_set_options(sctx, s_options);
1669 }
1670
710756a9
RS		 1671 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1672 NULL, NULL))
1673 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1674 SSL_ERROR_NONE))
1675 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1)))
2cb4b5f6 1676 goto end;
2cb4b5f6 1677
710756a9 1678 /* Should fail because it should already be in the cache */
7e885b7b 1679 if (use_int_cache && !TEST_false(SSL_CTX_add_session(cctx, sess1)))
eaa776da 1680 goto end;
7a301f08 1681 if (use_ext_cache
36ff232c
MC		 1682 && (!TEST_int_eq(new_called, numnewsesstick)
1683
1684 || !TEST_int_eq(remove_called, 0)))
b4982125 1685 goto end;
b4982125 1686
c0537ebd
MC		 1687 new_called = remove_called = 0;
1688 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1689 &clientssl2, NULL, NULL))
1690 || !TEST_true(SSL_set_session(clientssl2, sess1))
1691 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1692 SSL_ERROR_NONE))
1693 || !TEST_true(SSL_session_reused(clientssl2)))
1694 goto end;
1695
7a301f08
MC		 1696 if (maxprot == TLS1_3_VERSION) {
1697 /*
1698 * In TLSv1.3 we should have created a new session even though we have
4cb00457
MC		 1699 * resumed. Since we attempted a resume we should also have removed the
1700 * old ticket from the cache so that we try to only use tickets once.
7a301f08
MC		 1701 */
1702 if (use_ext_cache
1703 && (!TEST_int_eq(new_called, 1)
4cb00457 1704 || !TEST_int_eq(remove_called, 1)))
7a301f08
MC		 1705 goto end;
1706 } else {
1707 /*
1708 * In TLSv1.2 we expect to have resumed so no sessions added or
1709 * removed.
1710 */
1711 if (use_ext_cache
1712 && (!TEST_int_eq(new_called, 0)
1713 || !TEST_int_eq(remove_called, 0)))
1714 goto end;
1715 }
c0537ebd
MC		 1716
1717 SSL_SESSION_free(sess1);
1718 if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
1719 goto end;
1720 shutdown_ssl_connection(serverssl2, clientssl2);
1721 serverssl2 = clientssl2 = NULL;
c0537ebd
MC		 1722
1723 new_called = remove_called = 0;
710756a9
RS		 1724 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1725 &clientssl2, NULL, NULL))
1726 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1727 SSL_ERROR_NONE)))
2cb4b5f6 1728 goto end;
2cb4b5f6 1729
710756a9 1730 if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
2cb4b5f6 1731 goto end;
2cb4b5f6 1732
7a301f08 1733 if (use_ext_cache
36ff232c
MC		 1734 && (!TEST_int_eq(new_called, numnewsesstick)
1735 || !TEST_int_eq(remove_called, 0)))
eaa776da 1736 goto end;
eaa776da 1737
c0537ebd 1738 new_called = remove_called = 0;
2cb4b5f6 1739 /*
710756a9
RS		 1740 * This should clear sess2 from the cache because it is a "bad" session.
1741 * See SSL_set_session() documentation.
2cb4b5f6 1742 */
710756a9 1743 if (!TEST_true(SSL_set_session(clientssl2, sess1)))
2cb4b5f6 1744 goto end;
7a301f08
MC		 1745 if (use_ext_cache
1746 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
eaa776da 1747 goto end;
710756a9 1748 if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
2cb4b5f6 1749 goto end;
2cb4b5f6 1750
7e885b7b 1751 if (use_int_cache) {
710756a9
RS		 1752 /* Should succeeded because it should not already be in the cache */
1753 if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
1754 || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
eaa776da 1755 goto end;
eaa776da
MC		 1756 }
1757
c0537ebd 1758 new_called = remove_called = 0;
eaa776da 1759 /* This shouldn't be in the cache so should fail */
710756a9 1760 if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
2cb4b5f6 1761 goto end;
2cb4b5f6 1762
7a301f08
MC		 1763 if (use_ext_cache
1764 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1765 goto end;
2cb4b5f6 1766
bf208d95 1767# if !defined(OPENSSL_NO_TLS1_1)
c0537ebd 1768 new_called = remove_called = 0;
eaa776da
MC		 1769 /* Force a connection failure */
1770 SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
710756a9
RS		 1771 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
1772 &clientssl3, NULL, NULL))
1773 || !TEST_true(SSL_set_session(clientssl3, sess1))
c0537ebd 1774 /* This should fail because of the mismatched protocol versions */
710756a9
RS		 1775 || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
1776 SSL_ERROR_NONE)))
eaa776da 1777 goto end;
b4982125 1778
eaa776da 1779 /* We should have automatically removed the session from the cache */
7a301f08
MC		 1780 if (use_ext_cache
1781 && (!TEST_int_eq(new_called, 0) || !TEST_int_eq(remove_called, 1)))
2cb4b5f6 1782 goto end;
2cb4b5f6 1783
710756a9 1784 /* Should succeed because it should not already be in the cache */
7e885b7b 1785 if (use_int_cache && !TEST_true(SSL_CTX_add_session(cctx, sess2)))
eaa776da 1786 goto end;
bf208d95 1787# endif
eaa776da 1788
7a301f08
MC		 1789 /* Now do some tests for server side caching */
1790 if (use_ext_cache) {
1791 SSL_CTX_sess_set_new_cb(cctx, NULL);
1792 SSL_CTX_sess_set_remove_cb(cctx, NULL);
1793 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
1794 SSL_CTX_sess_set_remove_cb(sctx, remove_session_cb);
1795 SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
1796 get_sess_val = NULL;
1797 }
1798
1799 SSL_CTX_set_session_cache_mode(cctx, 0);
1800 /* Internal caching is the default on the server side */
1801 if (!use_int_cache)
1802 SSL_CTX_set_session_cache_mode(sctx,
1803 SSL_SESS_CACHE_SERVER
1804 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
1805
1806 SSL_free(serverssl1);
1807 SSL_free(clientssl1);
1808 serverssl1 = clientssl1 = NULL;
1809 SSL_free(serverssl2);
1810 SSL_free(clientssl2);
1811 serverssl2 = clientssl2 = NULL;
1812 SSL_SESSION_free(sess1);
1813 sess1 = NULL;
1814 SSL_SESSION_free(sess2);
1815 sess2 = NULL;
1816
1817 SSL_CTX_set_max_proto_version(sctx, maxprot);
6cc0b3c2
MC		 1818 if (maxprot == TLS1_2_VERSION)
1819 SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
0afca811 1820 new_called = remove_called = get_called = 0;
7a301f08
MC		 1821 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
1822 NULL, NULL))
1823 || !TEST_true(create_ssl_connection(serverssl1, clientssl1,
1824 SSL_ERROR_NONE))
1825 || !TEST_ptr(sess1 = SSL_get1_session(clientssl1))
1826 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
1827 goto end;
1828
ee94ec2e
MC		 1829 if (use_int_cache) {
1830 if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
1831 /*
1832 * In TLSv1.3 it should not have been added to the internal cache,
1833 * except in the case where we also have an external cache (in that
1834 * case it gets added to the cache in order to generate remove
1835 * events after timeout).
1836 */
1837 if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
1838 goto end;
1839 } else {
1840 /* Should fail because it should already be in the cache */
1841 if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
1842 goto end;
1843 }
1844 }
7a301f08
MC		 1845
1846 if (use_ext_cache) {
1847 SSL_SESSION *tmp = sess2;
1848
36ff232c 1849 if (!TEST_int_eq(new_called, numnewsesstick)
0afca811
KY		 1850 || !TEST_int_eq(remove_called, 0)
1851 || !TEST_int_eq(get_called, 0))
7a301f08
MC		 1852 goto end;
1853 /*
1854 * Delete the session from the internal cache to force a lookup from
1855 * the external cache. We take a copy first because
1856 * SSL_CTX_remove_session() also marks the session as non-resumable.
1857 */
ee94ec2e 1858 if (use_int_cache && maxprot != TLS1_3_VERSION) {
3cb6a4d6
BK		 1859 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
1860 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
1861 goto end;
1862 SSL_SESSION_free(sess2);
1863 }
7a301f08
MC		 1864 sess2 = tmp;
1865 }
1866
0afca811 1867 new_called = remove_called = get_called = 0;
7a301f08
MC		 1868 get_sess_val = sess2;
1869 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
1870 &clientssl2, NULL, NULL))
1871 || !TEST_true(SSL_set_session(clientssl2, sess1))
1872 || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
1873 SSL_ERROR_NONE))
1874 || !TEST_true(SSL_session_reused(clientssl2)))
1875 goto end;
1876
0afca811 1877 if (use_ext_cache) {
32305f88 1878 if (!TEST_int_eq(remove_called, 0))
0afca811
KY		 1879 goto end;
1880
1881 if (maxprot == TLS1_3_VERSION) {
32305f88
MC		 1882 if (!TEST_int_eq(new_called, 1)
1883 || !TEST_int_eq(get_called, 0))
0afca811
KY		 1884 goto end;
1885 } else {
32305f88
MC		 1886 if (!TEST_int_eq(new_called, 0)
1887 || !TEST_int_eq(get_called, 1))
0afca811
KY		 1888 goto end;
1889 }
1890 }
7a301f08 1891
2cb4b5f6 1892 testresult = 1;
eaa776da 1893
2cb4b5f6
MC		 1894 end:
1895 SSL_free(serverssl1);
1896 SSL_free(clientssl1);
1897 SSL_free(serverssl2);
1898 SSL_free(clientssl2);
bf208d95 1899# ifndef OPENSSL_NO_TLS1_1
eaa776da
MC		 1900 SSL_free(serverssl3);
1901 SSL_free(clientssl3);
bf208d95 1902# endif
2cb4b5f6
MC		 1903 SSL_SESSION_free(sess1);
1904 SSL_SESSION_free(sess2);
1905 SSL_CTX_free(sctx);
1906 SSL_CTX_free(cctx);
1907
1908 return testresult;
1909}
bf208d95 1910#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
2cb4b5f6 1911
7fb4c820
MC		 1912static int test_session_with_only_int_cache(void)
1913{
7a301f08 1914#ifndef OPENSSL_NO_TLS1_3
90fc2c26 1915 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
7a301f08
MC		 1916 return 0;
1917#endif
1918
1919#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1920 return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
7a301f08
MC		 1921#else
1922 return 1;
1923#endif
eaa776da
MC		 1924}
1925
7fb4c820
MC		 1926static int test_session_with_only_ext_cache(void)
1927{
7a301f08 1928#ifndef OPENSSL_NO_TLS1_3
90fc2c26 1929 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
7a301f08
MC		 1930 return 0;
1931#endif
1932
1933#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1934 return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
7a301f08
MC		 1935#else
1936 return 1;
1937#endif
eaa776da
MC		 1938}
1939
7fb4c820
MC		 1940static int test_session_with_both_cache(void)
1941{
7a301f08 1942#ifndef OPENSSL_NO_TLS1_3
90fc2c26
NM		 1943 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
1944 return 0;
1945#endif
1946
1947#ifndef OPENSSL_NO_TLS1_2
1948 return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
1949#else
1950 return 1;
1951#endif
1952}
1953
1954static int test_session_wo_ca_names(void)
1955{
1956#ifndef OPENSSL_NO_TLS1_3
1957 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
7a301f08
MC		 1958 return 0;
1959#endif
1960
1961#ifndef OPENSSL_NO_TLS1_2
90fc2c26 1962 return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
7a301f08
MC		 1963#else
1964 return 1;
1965#endif
eaa776da
MC		 1966}
1967
90fc2c26 1968
04225915 1969#ifndef OPENSSL_NO_TLS1_3
c22365b3
MC		 1970static SSL_SESSION *sesscache[6];
1971static int do_cache;
36ff232c
MC		 1972
1973static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
1974{
c22365b3
MC		 1975 if (do_cache) {
1976 sesscache[new_called] = sess;
1977 } else {
1978 /* We don't need the reference to the session, so free it */
1979 SSL_SESSION_free(sess);
1980 }
1981 new_called++;
1982
1983 return 1;
1984}
1985
1986static int post_handshake_verify(SSL *sssl, SSL *cssl)
1987{
1988 SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
1989 if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
1990 return 0;
1991
1992 /* Start handshake on the server and client */
1993 if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
1994 || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
1995 || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
1996 || !TEST_true(create_ssl_connection(sssl, cssl,
1997 SSL_ERROR_NONE)))
1998 return 0;
36ff232c
MC		 1999
2000 return 1;
2001}
2002
fbe9dafd 2003static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
03cdf559
MC		 2004 SSL_CTX **cctx)
2005{
2006 int sess_id_ctx = 1;
2007
5e30f2fd
MC		 2008 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2009 TLS_client_method(), TLS1_VERSION, 0,
2010 sctx, cctx, cert, privkey))
03cdf559
MC		 2011 || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
2012 || !TEST_true(SSL_CTX_set_session_id_context(*sctx,
2013 (void *)&sess_id_ctx,
2014 sizeof(sess_id_ctx))))
2015 return 0;
2016
2017 if (stateful)
2018 SSL_CTX_set_options(*sctx, SSL_OP_NO_TICKET);
2019
2020 SSL_CTX_set_session_cache_mode(*cctx, SSL_SESS_CACHE_CLIENT
2021 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2022 SSL_CTX_sess_set_new_cb(*cctx, new_cachesession_cb);
2023
2024 return 1;
2025}
2026
2027static int check_resumption(int idx, SSL_CTX *sctx, SSL_CTX *cctx, int succ)
2028{
2029 SSL *serverssl = NULL, *clientssl = NULL;
2030 int i;
2031
2032 /* Test that we can resume with all the tickets we got given */
2033 for (i = 0; i < idx * 2; i++) {
2034 new_called = 0;
2035 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2036 &clientssl, NULL, NULL))
2037 || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
2038 goto end;
2039
32097b33 2040 SSL_set_post_handshake_auth(clientssl, 1);
03cdf559
MC		 2041
2042 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2043 SSL_ERROR_NONE)))
2044 goto end;
2045
2046 /*
2047 * Following a successful resumption we only get 1 ticket. After a
2048 * failed one we should get idx tickets.
2049 */
2050 if (succ) {
2051 if (!TEST_true(SSL_session_reused(clientssl))
2052 || !TEST_int_eq(new_called, 1))
2053 goto end;
2054 } else {
2055 if (!TEST_false(SSL_session_reused(clientssl))
2056 || !TEST_int_eq(new_called, idx))
2057 goto end;
2058 }
2059
2060 new_called = 0;
2061 /* After a post-handshake authentication we should get 1 new ticket */
2062 if (succ
2063 && (!post_handshake_verify(serverssl, clientssl)
2064 || !TEST_int_eq(new_called, 1)))
2065 goto end;
2066
2067 SSL_shutdown(clientssl);
2068 SSL_shutdown(serverssl);
2069 SSL_free(serverssl);
2070 SSL_free(clientssl);
2071 serverssl = clientssl = NULL;
2072 SSL_SESSION_free(sesscache[i]);
2073 sesscache[i] = NULL;
2074 }
2075
2076 return 1;
2077
2078 end:
2079 SSL_free(clientssl);
2080 SSL_free(serverssl);
2081 return 0;
2082}
2083
04d7814a 2084static int test_tickets(int stateful, int idx)
36ff232c
MC		 2085{
2086 SSL_CTX *sctx = NULL, *cctx = NULL;
2087 SSL *serverssl = NULL, *clientssl = NULL;
03cdf559 2088 int testresult = 0;
36ff232c
MC		 2089 size_t j;
2090
2091 /* idx is the test number, but also the number of tickets we want */
2092
2093 new_called = 0;
c22365b3 2094 do_cache = 1;
36ff232c 2095
fbe9dafd 2096 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
36ff232c
MC		 2097 goto end;
2098
03cdf559
MC		 2099 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2100 &clientssl, NULL, NULL)))
2101 goto end;
2102
2103 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2104 SSL_ERROR_NONE))
2105 /* Check we got the number of tickets we were expecting */
2106 || !TEST_int_eq(idx, new_called))
2107 goto end;
04d7814a 2108
03cdf559
MC		 2109 SSL_shutdown(clientssl);
2110 SSL_shutdown(serverssl);
2111 SSL_free(serverssl);
2112 SSL_free(clientssl);
2113 SSL_CTX_free(sctx);
2114 SSL_CTX_free(cctx);
2115 clientssl = serverssl = NULL;
2116 sctx = cctx = NULL;
2117
2118 /*
2119 * Now we try to resume with the tickets we previously created. The
2120 * resumption attempt is expected to fail (because we're now using a new
2121 * SSL_CTX). We should see idx number of tickets issued again.
2122 */
2123
2124 /* Stop caching sessions - just count them */
2125 do_cache = 0;
2126
fbe9dafd 2127 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559
MC		 2128 goto end;
2129
2130 if (!check_resumption(idx, sctx, cctx, 0))
2131 goto end;
2132
2133 /* Start again with caching sessions */
2134 new_called = 0;
2135 do_cache = 1;
fbe9dafd
MC		 2136 SSL_CTX_free(sctx);
2137 SSL_CTX_free(cctx);
2138 sctx = cctx = NULL;
03cdf559 2139
fbe9dafd 2140 if (!setup_ticket_test(stateful, idx, &sctx, &cctx))
03cdf559 2141 goto end;
36ff232c
MC		 2142
2143 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2144 &clientssl, NULL, NULL)))
2145 goto end;
2146
32097b33 2147 SSL_set_post_handshake_auth(clientssl, 1);
36ff232c
MC		 2148
2149 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2150 SSL_ERROR_NONE))
2151 /* Check we got the number of tickets we were expecting */
2152 || !TEST_int_eq(idx, new_called))
2153 goto end;
2154
2155 /* After a post-handshake authentication we should get new tickets issued */
c22365b3 2156 if (!post_handshake_verify(serverssl, clientssl)
36ff232c
MC		 2157 || !TEST_int_eq(idx * 2, new_called))
2158 goto end;
2159
36ff232c
MC		 2160 SSL_shutdown(clientssl);
2161 SSL_shutdown(serverssl);
2162 SSL_free(serverssl);
2163 SSL_free(clientssl);
2164 serverssl = clientssl = NULL;
2165
c22365b3
MC		 2166 /* Stop caching sessions - just count them */
2167 do_cache = 0;
2168
03cdf559
MC		 2169 /*
2170 * Check we can resume with all the tickets we created. This time around the
2171 * resumptions should all be successful.
2172 */
2173 if (!check_resumption(idx, sctx, cctx, 1))
2174 goto end;
36ff232c
MC		 2175
2176 testresult = 1;
2177
2178 end:
2179 SSL_free(serverssl);
2180 SSL_free(clientssl);
c22365b3 2181 for (j = 0; j < OSSL_NELEM(sesscache); j++) {
36ff232c 2182 SSL_SESSION_free(sesscache[j]);
c22365b3
MC		 2183 sesscache[j] = NULL;
2184 }
36ff232c
MC		 2185 SSL_CTX_free(sctx);
2186 SSL_CTX_free(cctx);
2187
2188 return testresult;
2189}
04d7814a
MC		 2190
2191static int test_stateless_tickets(int idx)
2192{
2193 return test_tickets(0, idx);
2194}
2195
2196static int test_stateful_tickets(int idx)
2197{
2198 return test_tickets(1, idx);
2199}
8614a4eb
MC		 2200
2201static int test_psk_tickets(void)
2202{
2203 SSL_CTX *sctx = NULL, *cctx = NULL;
2204 SSL *serverssl = NULL, *clientssl = NULL;
2205 int testresult = 0;
2206 int sess_id_ctx = 1;
2207
5e30f2fd
MC		 2208 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2209 TLS_client_method(), TLS1_VERSION, 0,
2210 &sctx, &cctx, NULL, NULL))
8614a4eb
MC		 2211 || !TEST_true(SSL_CTX_set_session_id_context(sctx,
2212 (void *)&sess_id_ctx,
2213 sizeof(sess_id_ctx))))
2214 goto end;
2215
2216 SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
2217 | SSL_SESS_CACHE_NO_INTERNAL_STORE);
2218 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
2219 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
2220 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2221 use_session_cb_cnt = 0;
2222 find_session_cb_cnt = 0;
2223 srvid = pskid;
2224 new_called = 0;
2225
2226 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2227 NULL, NULL)))
2228 goto end;
2229 clientpsk = serverpsk = create_a_psk(clientssl);
2230 if (!TEST_ptr(clientpsk))
2231 goto end;
2232 SSL_SESSION_up_ref(clientpsk);
2233
2234 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2235 SSL_ERROR_NONE))
2236 || !TEST_int_eq(1, find_session_cb_cnt)
2237 || !TEST_int_eq(1, use_session_cb_cnt)
2238 /* We should always get 1 ticket when using external PSK */
2239 || !TEST_int_eq(1, new_called))
2240 goto end;
2241
2242 testresult = 1;
2243
2244 end:
2245 SSL_free(serverssl);
2246 SSL_free(clientssl);
2247 SSL_CTX_free(sctx);
2248 SSL_CTX_free(cctx);
2249 SSL_SESSION_free(clientpsk);
2250 SSL_SESSION_free(serverpsk);
2251 clientpsk = serverpsk = NULL;
2252
2253 return testresult;
2254}
f0049b86
BK		 2255
2256static int test_extra_tickets(int idx)
2257{
2258 SSL_CTX *sctx = NULL, *cctx = NULL;
2259 SSL *serverssl = NULL, *clientssl = NULL;
2260 BIO *bretry = BIO_new(bio_s_always_retry());
2261 BIO *tmp = NULL;
2262 int testresult = 0;
2263 int stateful = 0;
2264 size_t nbytes;
2265 unsigned char c, buf[1];
2266
2267 new_called = 0;
2268 do_cache = 1;
2269
2270 if (idx >= 3) {
2271 idx -= 3;
2272 stateful = 1;
2273 }
2274
2275 if (!TEST_ptr(bretry) || !setup_ticket_test(stateful, idx, &sctx, &cctx))
2276 goto end;
2277 SSL_CTX_sess_set_new_cb(sctx, new_session_cb);
2278 /* setup_ticket_test() uses new_cachesession_cb which we don't need. */
2279 SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
2280
2281 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2282 &clientssl, NULL, NULL)))
2283 goto end;
2284
2285 /*
2286 * Note that we have new_session_cb on both sctx and cctx, so new_called is
2287 * incremented by both client and server.
2288 */
2289 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
2290 SSL_ERROR_NONE))
2291 /* Check we got the number of tickets we were expecting */
2292 || !TEST_int_eq(idx * 2, new_called)
2293 || !TEST_true(SSL_new_session_ticket(serverssl))
2294 || !TEST_true(SSL_new_session_ticket(serverssl))
2295 || !TEST_int_eq(idx * 2, new_called))
2296 goto end;
2297
2298 /* Now try a (real) write to actually send the tickets */
2299 c = '1';
2300 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2301 || !TEST_size_t_eq(1, nbytes)
2302 || !TEST_int_eq(idx * 2 + 2, new_called)
2303 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2304 || !TEST_int_eq(idx * 2 + 4, new_called)
2305 || !TEST_int_eq(sizeof(buf), nbytes)
2306 || !TEST_int_eq(c, buf[0])
2307 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2308 goto end;
2309
2310 /* Try with only requesting one new ticket, too */
2311 c = '2';
2312 new_called = 0;
2313 if (!TEST_true(SSL_new_session_ticket(serverssl))
2314 || !TEST_true(SSL_write_ex(serverssl, &c, sizeof(c), &nbytes))
2315 || !TEST_size_t_eq(sizeof(c), nbytes)
2316 || !TEST_int_eq(1, new_called)
2317 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2318 || !TEST_int_eq(2, new_called)
2319 || !TEST_size_t_eq(sizeof(buf), nbytes)
2320 || !TEST_int_eq(c, buf[0]))
2321 goto end;
2322
2323 /* Do it again but use dummy writes to drive the ticket generation */
2324 c = '3';
2325 new_called = 0;
2326 if (!TEST_true(SSL_new_session_ticket(serverssl))
2327 || !TEST_true(SSL_new_session_ticket(serverssl))
2328 || !TEST_true(SSL_write_ex(serverssl, &c, 0, &nbytes))
2329 || !TEST_size_t_eq(0, nbytes)
2330 || !TEST_int_eq(2, new_called)
2331 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2332 || !TEST_int_eq(4, new_called))
2333 goto end;
2334
2335 /*
2336 * Use the always-retry BIO to exercise the logic that forces ticket
2337 * generation to wait until a record boundary.
2338 */
2339 c = '4';
2340 new_called = 0;
2341 tmp = SSL_get_wbio(serverssl);
2342 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
2343 tmp = NULL;
2344 goto end;
2345 }
2346 SSL_set0_wbio(serverssl, bretry);
2347 bretry = NULL;
2348 if (!TEST_false(SSL_write_ex(serverssl, &c, 1, &nbytes))
2349 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_WANT_WRITE)
2350 || !TEST_size_t_eq(nbytes, 0))
2351 goto end;
2352 /* Restore a BIO that will let the write succeed */
2353 SSL_set0_wbio(serverssl, tmp);
2354 tmp = NULL;
2355 /* These calls should just queue the request and not send anything. */
2356 if (!TEST_true(SSL_new_session_ticket(serverssl))
2357 || !TEST_true(SSL_new_session_ticket(serverssl))
2358 || !TEST_int_eq(0, new_called))
2359 goto end;
2360 /* Re-do the write; still no tickets sent */
2361 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2362 || !TEST_size_t_eq(1, nbytes)
2363 || !TEST_int_eq(0, new_called)
2364 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2365 || !TEST_int_eq(0, new_called)
2366 || !TEST_int_eq(sizeof(buf), nbytes)
2367 || !TEST_int_eq(c, buf[0])
2368 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2369 goto end;
2370 /* Now the *next* write should send the tickets */
2371 c = '5';
2372 if (!TEST_true(SSL_write_ex(serverssl, &c, 1, &nbytes))
2373 || !TEST_size_t_eq(1, nbytes)
2374 || !TEST_int_eq(2, new_called)
2375 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes))
2376 || !TEST_int_eq(4, new_called)
2377 || !TEST_int_eq(sizeof(buf), nbytes)
2378 || !TEST_int_eq(c, buf[0])
2379 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &nbytes)))
2380 goto end;
2381
2382 SSL_shutdown(clientssl);
2383 SSL_shutdown(serverssl);
2384 testresult = 1;
2385
2386 end:
2387 BIO_free(bretry);
2388 BIO_free(tmp);
2389 SSL_free(serverssl);
2390 SSL_free(clientssl);
2391 SSL_CTX_free(sctx);
2392 SSL_CTX_free(cctx);
2393 clientssl = serverssl = NULL;
2394 sctx = cctx = NULL;
2395 return testresult;
2396}
04225915 2397#endif
36ff232c 2398
7d4488bb
MC		 2399#define USE_NULL 0
2400#define USE_BIO_1 1
2401#define USE_BIO_2 2
2402#define USE_DEFAULT 3
2403
2404#define CONNTYPE_CONNECTION_SUCCESS 0
2405#define CONNTYPE_CONNECTION_FAIL 1
2406#define CONNTYPE_NO_CONNECTION 2
2407
2408#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
2409#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
2410#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
2411# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
2412#else
2413# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
2414#endif
2415
7d4488bb
MC		 2416#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \
2417 + TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \
2418 + TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS
7fb4c820
MC		 2419
2420static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type)
2421{
2422 switch (type) {
2423 case USE_NULL:
2424 *res = NULL;
2425 break;
2426 case USE_BIO_1:
2427 *res = bio1;
2428 break;
2429 case USE_BIO_2:
2430 *res = bio2;
2431 break;
2432 }
2433}
2434
7d4488bb
MC		 2435
2436/*
2437 * Tests calls to SSL_set_bio() under various conditions.
2438 *
2439 * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with
2440 * various combinations of valid BIOs or NULL being set for the rbio/wbio. We
2441 * then do more tests where we create a successful connection first using our
2442 * standard connection setup functions, and then call SSL_set_bio() with
2443 * various combinations of valid BIOs or NULL. We then repeat these tests
2444 * following a failed connection. In this last case we are looking to check that
2445 * SSL_set_bio() functions correctly in the case where s->bbio is not NULL.
2446 */
7fb4c820
MC		 2447static int test_ssl_set_bio(int idx)
2448{
7d4488bb 2449 SSL_CTX *sctx = NULL, *cctx = NULL;
7fb4c820
MC		 2450 BIO *bio1 = NULL;
2451 BIO *bio2 = NULL;
0fae8150 2452 BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL;
7d4488bb
MC		 2453 SSL *serverssl = NULL, *clientssl = NULL;
2454 int initrbio, initwbio, newrbio, newwbio, conntype;
7fb4c820
MC		 2455 int testresult = 0;
2456
7d4488bb
MC		 2457 if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) {
2458 initrbio = idx % 3;
2459 idx /= 3;
2460 initwbio = idx % 3;
2461 idx /= 3;
2462 newrbio = idx % 3;
2463 idx /= 3;
2464 newwbio = idx % 3;
2465 conntype = CONNTYPE_NO_CONNECTION;
2466 } else {
2467 idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS;
2468 initrbio = initwbio = USE_DEFAULT;
2469 newrbio = idx % 2;
2470 idx /= 2;
2471 newwbio = idx % 2;
2472 idx /= 2;
2473 conntype = idx % 2;
2474 }
710756a9 2475
5e30f2fd
MC		 2476 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2477 TLS_client_method(), TLS1_VERSION, 0,
7d4488bb
MC		 2478 &sctx, &cctx, cert, privkey)))
2479 goto end;
2480
2481 if (conntype == CONNTYPE_CONNECTION_FAIL) {
2482 /*
2483 * We won't ever get here if either TLSv1.3 or TLSv1.2 is disabled
2484 * because we reduced the number of tests in the definition of
2485 * TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS to avoid this scenario. By setting
2486 * mismatched protocol versions we will force a connection failure.
2487 */
2488 SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION);
2489 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2490 }
2491
2492 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
2493 NULL, NULL)))
710756a9 2494 goto end;
7fb4c820 2495
710756a9
RS		 2496 if (initrbio == USE_BIO_1
2497 || initwbio == USE_BIO_1
2498 || newrbio == USE_BIO_1
7fb4c820 2499 || newwbio == USE_BIO_1) {
710756a9 2500 if (!TEST_ptr(bio1 = BIO_new(BIO_s_mem())))
7fb4c820 2501 goto end;
7fb4c820
MC		 2502 }
2503
710756a9
RS		 2504 if (initrbio == USE_BIO_2
2505 || initwbio == USE_BIO_2
2506 || newrbio == USE_BIO_2
7fb4c820 2507 || newwbio == USE_BIO_2) {
710756a9 2508 if (!TEST_ptr(bio2 = BIO_new(BIO_s_mem())))
7fb4c820 2509 goto end;
7fb4c820
MC		 2510 }
2511
7d4488bb
MC		 2512 if (initrbio != USE_DEFAULT) {
2513 setupbio(&irbio, bio1, bio2, initrbio);
2514 setupbio(&iwbio, bio1, bio2, initwbio);
2515 SSL_set_bio(clientssl, irbio, iwbio);
7fb4c820 2516
7d4488bb
MC		 2517 /*
2518 * We want to maintain our own refs to these BIO, so do an up ref for
2519 * each BIO that will have ownership transferred in the SSL_set_bio()
2520 * call
2521 */
2522 if (irbio != NULL)
2523 BIO_up_ref(irbio);
2524 if (iwbio != NULL && iwbio != irbio)
2525 BIO_up_ref(iwbio);
2526 }
7fb4c820 2527
7d4488bb
MC		 2528 if (conntype != CONNTYPE_NO_CONNECTION
2529 && !TEST_true(create_ssl_connection(serverssl, clientssl,
2530 SSL_ERROR_NONE)
2531 == (conntype == CONNTYPE_CONNECTION_SUCCESS)))
2532 goto end;
7fb4c820
MC		 2533
2534 setupbio(&nrbio, bio1, bio2, newrbio);
2535 setupbio(&nwbio, bio1, bio2, newwbio);
2536
2537 /*
2538 * We will (maybe) transfer ownership again so do more up refs.
2539 * SSL_set_bio() has some really complicated ownership rules where BIOs have
2540 * already been set!
2541 */
710756a9
RS		 2542 if (nrbio != NULL
2543 && nrbio != irbio
2544 && (nwbio != iwbio || nrbio != nwbio))
7fb4c820 2545 BIO_up_ref(nrbio);
710756a9
RS		 2546 if (nwbio != NULL
2547 && nwbio != nrbio
2548 && (nwbio != iwbio || (nwbio == iwbio && irbio == iwbio)))
7fb4c820
MC		 2549 BIO_up_ref(nwbio);
2550
7d4488bb 2551 SSL_set_bio(clientssl, nrbio, nwbio);
7fb4c820
MC		 2552
2553 testresult = 1;
2554
2555 end:
7fb4c820
MC		 2556 BIO_free(bio1);
2557 BIO_free(bio2);
710756a9 2558
7fb4c820
MC		 2559 /*
2560 * This test is checking that the ref counting for SSL_set_bio is correct.
2561 * If we get here and we did too many frees then we will fail in the above
742ccab3 2562 * functions.
7fb4c820 2563 */
7d4488bb
MC		 2564 SSL_free(serverssl);
2565 SSL_free(clientssl);
2566 SSL_CTX_free(sctx);
2567 SSL_CTX_free(cctx);
7fb4c820
MC		 2568 return testresult;
2569}
2570
7e885b7b 2571typedef enum { NO_BIO_CHANGE, CHANGE_RBIO, CHANGE_WBIO } bio_change_t;
9a716987 2572
7e885b7b 2573static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
9a716987
MC		 2574{
2575 BIO *sslbio = NULL, *membio1 = NULL, *membio2 = NULL;
710756a9 2576 SSL_CTX *ctx;
9a716987
MC		 2577 SSL *ssl = NULL;
2578 int testresult = 0;
2579
d8652be0 2580 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
710756a9
RS		 2581 || !TEST_ptr(ssl = SSL_new(ctx))
2582 || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
2583 || !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
9a716987 2584 goto end;
9a716987
MC		 2585
2586 BIO_set_ssl(sslbio, ssl, BIO_CLOSE);
2587
2588 /*
742ccab3 2589 * If anything goes wrong here then we could leak memory.
9a716987
MC		 2590 */
2591 BIO_push(sslbio, membio1);
2592
69687aa8 2593 /* Verify changing the rbio/wbio directly does not cause leaks */
7e885b7b 2594 if (change_bio != NO_BIO_CHANGE) {
710756a9 2595 if (!TEST_ptr(membio2 = BIO_new(BIO_s_mem())))
9a716987 2596 goto end;
7e885b7b 2597 if (change_bio == CHANGE_RBIO)
65e2d672 2598 SSL_set0_rbio(ssl, membio2);
9a716987 2599 else
65e2d672 2600 SSL_set0_wbio(ssl, membio2);
9a716987
MC		 2601 }
2602 ssl = NULL;
2603
7e885b7b 2604 if (pop_ssl)
9a716987
MC		 2605 BIO_pop(sslbio);
2606 else
2607 BIO_pop(membio1);
2608
2609 testresult = 1;
2610 end:
2611 BIO_free(membio1);
2612 BIO_free(sslbio);
2613 SSL_free(ssl);
2614 SSL_CTX_free(ctx);
2615
2616 return testresult;
2617}
2618
2619static int test_ssl_bio_pop_next_bio(void)
2620{
7e885b7b 2621 return execute_test_ssl_bio(0, NO_BIO_CHANGE);
9a716987
MC		 2622}
2623
2624static int test_ssl_bio_pop_ssl_bio(void)
2625{
7e885b7b 2626 return execute_test_ssl_bio(1, NO_BIO_CHANGE);
9a716987
MC		 2627}
2628
2629static int test_ssl_bio_change_rbio(void)
2630{
7e885b7b 2631 return execute_test_ssl_bio(0, CHANGE_RBIO);
9a716987
MC		 2632}
2633
2634static int test_ssl_bio_change_wbio(void)
2635{
7e885b7b 2636 return execute_test_ssl_bio(0, CHANGE_WBIO);
9a716987
MC		 2637}
2638
c423ecaa 2639#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae
MC		 2640typedef struct {
2641 /* The list of sig algs */
2642 const int *list;
2643 /* The length of the list */
2644 size_t listlen;
2645 /* A sigalgs list in string format */
2646 const char *liststr;
2647 /* Whether setting the list should succeed */
2648 int valid;
2649 /* Whether creating a connection with the list should succeed */
2650 int connsuccess;
2651} sigalgs_list;
2652
2653static const int validlist1[] = {NID_sha256, EVP_PKEY_RSA};
c423ecaa 2654# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2655static const int validlist2[] = {NID_sha256, EVP_PKEY_RSA, NID_sha512, EVP_PKEY_EC};
2656static const int validlist3[] = {NID_sha512, EVP_PKEY_EC};
c423ecaa 2657# endif
f1b25aae
MC		 2658static const int invalidlist1[] = {NID_undef, EVP_PKEY_RSA};
2659static const int invalidlist2[] = {NID_sha256, NID_undef};
2660static const int invalidlist3[] = {NID_sha256, EVP_PKEY_RSA, NID_sha256};
2661static const int invalidlist4[] = {NID_sha256};
2662static const sigalgs_list testsigalgs[] = {
2663 {validlist1, OSSL_NELEM(validlist1), NULL, 1, 1},
c423ecaa 2664# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2665 {validlist2, OSSL_NELEM(validlist2), NULL, 1, 1},
2666 {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
c423ecaa 2667# endif
f1b25aae 2668 {NULL, 0, "RSA+SHA256", 1, 1},
c423ecaa 2669# ifndef OPENSSL_NO_EC
f1b25aae
MC		 2670 {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
2671 {NULL, 0, "ECDSA+SHA512", 1, 0},
c423ecaa 2672# endif
f1b25aae
MC		 2673 {invalidlist1, OSSL_NELEM(invalidlist1), NULL, 0, 0},
2674 {invalidlist2, OSSL_NELEM(invalidlist2), NULL, 0, 0},
2675 {invalidlist3, OSSL_NELEM(invalidlist3), NULL, 0, 0},
2676 {invalidlist4, OSSL_NELEM(invalidlist4), NULL, 0, 0},
2677 {NULL, 0, "RSA", 0, 0},
2678 {NULL, 0, "SHA256", 0, 0},
2679 {NULL, 0, "RSA+SHA256:SHA256", 0, 0},
710756a9
RS		 2680 {NULL, 0, "Invalid", 0, 0}
2681};
f1b25aae
MC		 2682
2683static int test_set_sigalgs(int idx)
2684{
2685 SSL_CTX *cctx = NULL, *sctx = NULL;
2686 SSL *clientssl = NULL, *serverssl = NULL;
2687 int testresult = 0;
2688 const sigalgs_list *curr;
2689 int testctx;
2690
2691 /* Should never happen */
710756a9 2692 if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
f1b25aae
MC		 2693 return 0;
2694
2695 testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
2696 curr = testctx ? &testsigalgs[idx]
2697 : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
2698
5e30f2fd
MC		 2699 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
2700 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 2701 &sctx, &cctx, cert, privkey)))
f1b25aae 2702 return 0;
f1b25aae 2703
d2e491f2
MC		 2704 /*
2705 * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
2706 * for TLSv1.2 for now until we add a new API.
2707 */
2708 SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
2709
f1b25aae
MC		 2710 if (testctx) {
2711 int ret;
710756a9 2712
f1b25aae
MC		 2713 if (curr->list != NULL)
2714 ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
2715 else
2716 ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);
2717
2718 if (!ret) {
2719 if (curr->valid)
710756a9 2720 TEST_info("Failure setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2721 else
2722 testresult = 1;
2723 goto end;
2724 }
2725 if (!curr->valid) {
710756a9 2726 TEST_info("Not-failed setting sigalgs in SSL_CTX (%d)\n", idx);
f1b25aae
MC		 2727 goto end;
2728 }
2729 }
2730
710756a9
RS		 2731 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
2732 &clientssl, NULL, NULL)))
f1b25aae 2733 goto end;
f1b25aae
MC		 2734
2735 if (!testctx) {
2736 int ret;
2737
2738 if (curr->list != NULL)
2739 ret = SSL_set1_sigalgs(clientssl, curr->list, curr->listlen);
2740 else
2741 ret = SSL_set1_sigalgs_list(clientssl, curr->liststr);
2742 if (!ret) {
2743 if (curr->valid)
710756a9 2744 TEST_info("Failure setting sigalgs in SSL (%d)\n", idx);
f1b25aae
MC		 2745 else
2746 testresult = 1;
2747 goto end;
2748 }
710756a9 2749 if (!curr->valid)
f1b25aae 2750 goto end;
f1b25aae
MC		 2751 }
2752
710756a9
RS		 2753 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
2754 SSL_ERROR_NONE),
2755 curr->connsuccess))
f1b25aae 2756 goto end;
f1b25aae
MC		 2757
2758 testresult = 1;
2759
2760 end:
2761 SSL_free(serverssl);
2762 SSL_free(clientssl);
2763 SSL_CTX_free(sctx);
2764 SSL_CTX_free(cctx);
2765
2766 return testresult;
2767}
c423ecaa 2768#endif
f1b25aae 2769
fff202e5 2770#ifndef OPENSSL_NO_TLS1_3
532f9578
MC		 2771static int psk_client_cb_cnt = 0;
2772static int psk_server_cb_cnt = 0;
02a3ed5a
MC		 2773
2774static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
2775 size_t *idlen, SSL_SESSION **sess)
2776{
2777 switch (++use_session_cb_cnt) {
2778 case 1:
2779 /* The first call should always have a NULL md */
2780 if (md != NULL)
2781 return 0;
2782 break;
2783
2784 case 2:
2785 /* The second call should always have an md */
2786 if (md == NULL)
2787 return 0;
2788 break;
2789
2790 default:
2791 /* We should only be called a maximum of twice */
2792 return 0;
2793 }
2794
57dee9bb
MC		 2795 if (clientpsk != NULL)
2796 SSL_SESSION_up_ref(clientpsk);
02a3ed5a 2797
57dee9bb 2798 *sess = clientpsk;
02a3ed5a
MC		 2799 *id = (const unsigned char *)pskid;
2800 *idlen = strlen(pskid);
2801
2802 return 1;
2803}
2804
c2b290c3 2805#ifndef OPENSSL_NO_PSK
532f9578
MC		 2806static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
2807 unsigned int max_id_len,
2808 unsigned char *psk,
2809 unsigned int max_psk_len)
2810{
2811 unsigned int psklen = 0;
2812
2813 psk_client_cb_cnt++;
2814
2815 if (strlen(pskid) + 1 > max_id_len)
2816 return 0;
2817
2818 /* We should only ever be called a maximum of twice per connection */
2819 if (psk_client_cb_cnt > 2)
2820 return 0;
2821
2822 if (clientpsk == NULL)
2823 return 0;
2824
2825 /* We'll reuse the PSK we set up for TLSv1.3 */
2826 if (SSL_SESSION_get_master_key(clientpsk, NULL, 0) > max_psk_len)
2827 return 0;
2828 psklen = SSL_SESSION_get_master_key(clientpsk, psk, max_psk_len);
2829 strncpy(id, pskid, max_id_len);
2830
2831 return psklen;
2832}
c2b290c3 2833#endif /* OPENSSL_NO_PSK */
532f9578 2834
02a3ed5a
MC		 2835static int find_session_cb(SSL *ssl, const unsigned char *identity,
2836 size_t identity_len, SSL_SESSION **sess)
2837{
2838 find_session_cb_cnt++;
2839
2840 /* We should only ever be called a maximum of twice per connection */
2841 if (find_session_cb_cnt > 2)
2842 return 0;
2843
57dee9bb 2844 if (serverpsk == NULL)
02a3ed5a
MC		 2845 return 0;
2846
2847 /* Identity should match that set by the client */
2848 if (strlen(srvid) != identity_len
2849 || strncmp(srvid, (const char *)identity, identity_len) != 0) {
2850 /* No PSK found, continue but without a PSK */
2851 *sess = NULL;
2852 return 1;
2853 }
2854
57dee9bb
MC		 2855 SSL_SESSION_up_ref(serverpsk);
2856 *sess = serverpsk;
02a3ed5a
MC		 2857
2858 return 1;
2859}
2860
c2b290c3 2861#ifndef OPENSSL_NO_PSK
532f9578
MC		 2862static unsigned int psk_server_cb(SSL *ssl, const char *identity,
2863 unsigned char *psk, unsigned int max_psk_len)
2864{
2865 unsigned int psklen = 0;
2866
2867 psk_server_cb_cnt++;
2868
2869 /* We should only ever be called a maximum of twice per connection */
2870 if (find_session_cb_cnt > 2)
2871 return 0;
2872
2873 if (serverpsk == NULL)
2874 return 0;
2875
2876 /* Identity should match that set by the client */
2877 if (strcmp(srvid, identity) != 0) {
2878 return 0;
2879 }
2880
2881 /* We'll reuse the PSK we set up for TLSv1.3 */
2882 if (SSL_SESSION_get_master_key(serverpsk, NULL, 0) > max_psk_len)
2883 return 0;
2884 psklen = SSL_SESSION_get_master_key(serverpsk, psk, max_psk_len);
2885
2886 return psklen;
2887}
c2b290c3 2888#endif /* OPENSSL_NO_PSK */
532f9578 2889
5f982038
MC		 2890#define MSG1 "Hello"
2891#define MSG2 "World."
2892#define MSG3 "This"
2893#define MSG4 "is"
2894#define MSG5 "a"
90049cea
MC		 2895#define MSG6 "test"
2896#define MSG7 "message."
5f982038 2897
532f9578 2898#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
0b2b0be9 2899#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
2900#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
2901#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
2902#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
02a3ed5a 2903
8614a4eb
MC		 2904
2905static SSL_SESSION *create_a_psk(SSL *ssl)
2906{
2907 const SSL_CIPHER *cipher = NULL;
2908 const unsigned char key[] = {
2909 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
2910 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
2911 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
2912 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2913 0x2c, 0x2d, 0x2e, 0x2f
2914 };
2915 SSL_SESSION *sess = NULL;
2916
2917 cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
2918 sess = SSL_SESSION_new();
2919 if (!TEST_ptr(sess)
2920 || !TEST_ptr(cipher)
2921 || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
2922 sizeof(key)))
2923 || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
2924 || !TEST_true(
2925 SSL_SESSION_set_protocol_version(sess,
2926 TLS1_3_VERSION))) {
2927 SSL_SESSION_free(sess);
2928 return NULL;
2929 }
2930 return sess;
2931}
2932
5f982038
MC		 2933/*
2934 * Helper method to setup objects for early data test. Caller frees objects on
2935 * error.
2936 */
2937static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
3cb47b4e 2938 SSL **serverssl, SSL_SESSION **sess, int idx)
5f982038 2939{
5a421415 2940 if (*sctx == NULL
5e30f2fd 2941 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5a421415 2942 TLS_client_method(),
5c587fb6 2943 TLS1_VERSION, 0,
5a421415
MC		 2944 sctx, cctx, cert, privkey)))
2945 return 0;
2946
2947 if (!TEST_true(SSL_CTX_set_max_early_data(*sctx, SSL3_RT_MAX_PLAIN_LENGTH)))
5f982038 2948 return 0;
5f982038 2949
02a3ed5a
MC		 2950 if (idx == 1) {
2951 /* When idx == 1 we repeat the tests with read_ahead set */
3cb47b4e
MC		 2952 SSL_CTX_set_read_ahead(*cctx, 1);
2953 SSL_CTX_set_read_ahead(*sctx, 1);
02a3ed5a
MC		 2954 } else if (idx == 2) {
2955 /* When idx == 2 we are doing early_data with a PSK. Set up callbacks */
2956 SSL_CTX_set_psk_use_session_callback(*cctx, use_session_cb);
2957 SSL_CTX_set_psk_find_session_callback(*sctx, find_session_cb);
2958 use_session_cb_cnt = 0;
2959 find_session_cb_cnt = 0;
2960 srvid = pskid;
3cb47b4e
MC		 2961 }
2962
710756a9 2963 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl, clientssl,
02a3ed5a
MC		 2964 NULL, NULL)))
2965 return 0;
2966
141e4709
MC		 2967 /*
2968 * For one of the run throughs (doesn't matter which one), we'll try sending
2969 * some SNI data in the initial ClientHello. This will be ignored (because
2970 * there is no SNI cb set up by the server), so it should not impact
2971 * early_data.
2972 */
2973 if (idx == 1
2974 && !TEST_true(SSL_set_tlsext_host_name(*clientssl, "localhost")))
2975 return 0;
2976
02a3ed5a 2977 if (idx == 2) {
8614a4eb 2978 clientpsk = create_a_psk(*clientssl);
57dee9bb 2979 if (!TEST_ptr(clientpsk)
02a3ed5a
MC		 2980 /*
2981 * We just choose an arbitrary value for max_early_data which
2982 * should be big enough for testing purposes.
2983 */
57dee9bb
MC		 2984 || !TEST_true(SSL_SESSION_set_max_early_data(clientpsk,
2985 0x100))
2986 || !TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2987 SSL_SESSION_free(clientpsk);
2988 clientpsk = NULL;
02a3ed5a
MC		 2989 return 0;
2990 }
57dee9bb 2991 serverpsk = clientpsk;
02a3ed5a 2992
c20e3b28
MC		 2993 if (sess != NULL) {
2994 if (!TEST_true(SSL_SESSION_up_ref(clientpsk))) {
2995 SSL_SESSION_free(clientpsk);
2996 SSL_SESSION_free(serverpsk);
2997 clientpsk = serverpsk = NULL;
2998 return 0;
2999 }
57dee9bb 3000 *sess = clientpsk;
c20e3b28 3001 }
02a3ed5a
MC		 3002 return 1;
3003 }
3004
3005 if (sess == NULL)
3006 return 1;
3007
3008 if (!TEST_true(create_ssl_connection(*serverssl, *clientssl,
3009 SSL_ERROR_NONE)))
5f982038 3010 return 0;
5f982038
MC		 3011
3012 *sess = SSL_get1_session(*clientssl);
5f982038
MC		 3013 SSL_shutdown(*clientssl);
3014 SSL_shutdown(*serverssl);
5f982038
MC		 3015 SSL_free(*serverssl);
3016 SSL_free(*clientssl);
3017 *serverssl = *clientssl = NULL;
3018
710756a9
RS		 3019 if (!TEST_true(create_ssl_objects(*sctx, *cctx, serverssl,
3020 clientssl, NULL, NULL))
3021 || !TEST_true(SSL_set_session(*clientssl, *sess)))
5f982038 3022 return 0;
5f982038
MC		 3023
3024 return 1;
3025}
3026
3cb47b4e 3027static int test_early_data_read_write(int idx)
5f982038
MC		 3028{
3029 SSL_CTX *cctx = NULL, *sctx = NULL;
3030 SSL *clientssl = NULL, *serverssl = NULL;
3031 int testresult = 0;
3032 SSL_SESSION *sess = NULL;
9b5c865d
MC		 3033 unsigned char buf[20], data[1024];
3034 size_t readbytes, written, eoedlen, rawread, rawwritten;
3035 BIO *rbio;
5f982038 3036
710756a9
RS		 3037 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3038 &serverssl, &sess, idx)))
5f982038
MC		 3039 goto end;
3040
3041 /* Write and read some early data */
710756a9
RS		 3042 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3043 &written))
3044 || !TEST_size_t_eq(written, strlen(MSG1))
3045 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
3046 sizeof(buf), &readbytes),
3047 SSL_READ_EARLY_DATA_SUCCESS)
3048 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
3049 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3050 SSL_EARLY_DATA_ACCEPTED))
5f982038 3051 goto end;
5f982038
MC		 3052
3053 /*
09f28874 3054 * Server should be able to write data, and client should be able to
5f982038
MC		 3055 * read it.
3056 */
710756a9
RS		 3057 if (!TEST_true(SSL_write_early_data(serverssl, MSG2, strlen(MSG2),
3058 &written))
3059 || !TEST_size_t_eq(written, strlen(MSG2))
3060 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3061 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3062 goto end;
5f982038
MC		 3063
3064 /* Even after reading normal data, client should be able write early data */
710756a9
RS		 3065 if (!TEST_true(SSL_write_early_data(clientssl, MSG3, strlen(MSG3),
3066 &written))
3067 || !TEST_size_t_eq(written, strlen(MSG3)))
5f982038 3068 goto end;
5f982038 3069
09f28874 3070 /* Server should still be able read early data after writing data */
710756a9
RS		 3071 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3072 &readbytes),
3073 SSL_READ_EARLY_DATA_SUCCESS)
3074 || !TEST_mem_eq(buf, readbytes, MSG3, strlen(MSG3)))
5f982038 3075 goto end;
5f982038 3076
09f28874 3077 /* Write more data from server and read it from client */
710756a9
RS		 3078 if (!TEST_true(SSL_write_early_data(serverssl, MSG4, strlen(MSG4),
3079 &written))
3080 || !TEST_size_t_eq(written, strlen(MSG4))
3081 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3082 || !TEST_mem_eq(buf, readbytes, MSG4, strlen(MSG4)))
5f982038 3083 goto end;
5f982038
MC		 3084
3085 /*
3086 * If client writes normal data it should mean writing early data is no
3087 * longer possible.
3088 */
710756a9
RS		 3089 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3090 || !TEST_size_t_eq(written, strlen(MSG5))
3091 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3092 SSL_EARLY_DATA_ACCEPTED))
5f982038 3093 goto end;
5f982038 3094
9b5c865d
MC		 3095 /*
3096 * At this point the client has written EndOfEarlyData, ClientFinished and
3097 * normal (fully protected) data. We are going to cause a delay between the
3098 * arrival of EndOfEarlyData and ClientFinished. We read out all the data
3099 * in the read BIO, and then just put back the EndOfEarlyData message.
3100 */
3101 rbio = SSL_get_rbio(serverssl);
710756a9
RS		 3102 if (!TEST_true(BIO_read_ex(rbio, data, sizeof(data), &rawread))
3103 || !TEST_size_t_lt(rawread, sizeof(data))
3104 || !TEST_size_t_gt(rawread, SSL3_RT_HEADER_LENGTH))
9b5c865d 3105 goto end;
710756a9 3106
9b5c865d
MC		 3107 /* Record length is in the 4th and 5th bytes of the record header */
3108 eoedlen = SSL3_RT_HEADER_LENGTH + (data[3] << 8 | data[4]);
710756a9
RS		 3109 if (!TEST_true(BIO_write_ex(rbio, data, eoedlen, &rawwritten))
3110 || !TEST_size_t_eq(rawwritten, eoedlen))
9b5c865d 3111 goto end;
9b5c865d 3112
5f982038 3113 /* Server should be told that there is no more early data */
710756a9
RS		 3114 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3115 &readbytes),
3116 SSL_READ_EARLY_DATA_FINISH)
3117 || !TEST_size_t_eq(readbytes, 0))
5f982038 3118 goto end;
5f982038 3119
9b5c865d
MC		 3120 /*
3121 * Server has not finished init yet, so should still be able to write early
3122 * data.
3123 */
710756a9
RS		 3124 if (!TEST_true(SSL_write_early_data(serverssl, MSG6, strlen(MSG6),
3125 &written))
3126 || !TEST_size_t_eq(written, strlen(MSG6)))
9b5c865d 3127 goto end;
9b5c865d 3128
f8a303fa 3129 /* Push the ClientFinished and the normal data back into the server rbio */
710756a9
RS		 3130 if (!TEST_true(BIO_write_ex(rbio, data + eoedlen, rawread - eoedlen,
3131 &rawwritten))
3132 || !TEST_size_t_eq(rawwritten, rawread - eoedlen))
f8a303fa 3133 goto end;
f8a303fa 3134
5f982038 3135 /* Server should be able to read normal data */
710756a9
RS		 3136 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3137 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3138 goto end;
5f982038 3139
09f28874 3140 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3141 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3142 &written)))
5f982038 3143 goto end;
5f982038 3144 ERR_clear_error();
710756a9
RS		 3145 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3146 &readbytes),
3147 SSL_READ_EARLY_DATA_ERROR))
5f982038 3148 goto end;
5f982038
MC		 3149 ERR_clear_error();
3150
9b5c865d 3151 /* Client should be able to read the data sent by the server */
710756a9
RS		 3152 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3153 || !TEST_mem_eq(buf, readbytes, MSG6, strlen(MSG6)))
9b5c865d 3154 goto end;
710756a9 3155
f8a303fa 3156 /*
36ff232c
MC		 3157 * Make sure we process the two NewSessionTickets. These arrive
3158 * post-handshake. We attempt reads which we do not expect to return any
3159 * data.
f8a303fa 3160 */
36ff232c
MC		 3161 if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3162 || !TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf),
3163 &readbytes)))
f8a303fa 3164 goto end;
5f982038 3165
90049cea 3166 /* Server should be able to write normal data */
710756a9
RS		 3167 if (!TEST_true(SSL_write_ex(serverssl, MSG7, strlen(MSG7), &written))
3168 || !TEST_size_t_eq(written, strlen(MSG7))
3169 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3170 || !TEST_mem_eq(buf, readbytes, MSG7, strlen(MSG7)))
90049cea 3171 goto end;
90049cea 3172
c20e3b28 3173 SSL_SESSION_free(sess);
5f982038 3174 sess = SSL_get1_session(clientssl);
02a3ed5a
MC		 3175 use_session_cb_cnt = 0;
3176 find_session_cb_cnt = 0;
5f982038
MC		 3177
3178 SSL_shutdown(clientssl);
3179 SSL_shutdown(serverssl);
5f982038
MC		 3180 SSL_free(serverssl);
3181 SSL_free(clientssl);
3182 serverssl = clientssl = NULL;
710756a9
RS		 3183 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3184 &clientssl, NULL, NULL))
3185 || !TEST_true(SSL_set_session(clientssl, sess)))
5f982038 3186 goto end;
5f982038
MC		 3187
3188 /* Write and read some early data */
710756a9
RS		 3189 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3190 &written))
3191 || !TEST_size_t_eq(written, strlen(MSG1))
3192 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3193 &readbytes),
3194 SSL_READ_EARLY_DATA_SUCCESS)
3195 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
5f982038 3196 goto end;
5f982038 3197
710756a9
RS		 3198 if (!TEST_int_gt(SSL_connect(clientssl), 0)
3199 || !TEST_int_gt(SSL_accept(serverssl), 0))
5f982038 3200 goto end;
5f982038 3201
09f28874 3202 /* Client and server should not be able to write/read early data now */
710756a9
RS		 3203 if (!TEST_false(SSL_write_early_data(clientssl, MSG6, strlen(MSG6),
3204 &written)))
5f982038 3205 goto end;
5f982038 3206 ERR_clear_error();
710756a9
RS		 3207 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3208 &readbytes),
3209 SSL_READ_EARLY_DATA_ERROR))
5f982038 3210 goto end;
5f982038
MC		 3211 ERR_clear_error();
3212
3213 /* Client and server should be able to write/read normal data */
710756a9
RS		 3214 if (!TEST_true(SSL_write_ex(clientssl, MSG5, strlen(MSG5), &written))
3215 || !TEST_size_t_eq(written, strlen(MSG5))
3216 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3217 || !TEST_size_t_eq(readbytes, strlen(MSG5)))
5f982038 3218 goto end;
5f982038
MC		 3219
3220 testresult = 1;
3221
3222 end:
c20e3b28 3223 SSL_SESSION_free(sess);
57dee9bb
MC		 3224 SSL_SESSION_free(clientpsk);
3225 SSL_SESSION_free(serverpsk);
3226 clientpsk = serverpsk = NULL;
5f982038
MC		 3227 SSL_free(serverssl);
3228 SSL_free(clientssl);
3229 SSL_CTX_free(sctx);
3230 SSL_CTX_free(cctx);
5f982038
MC		 3231 return testresult;
3232}
3233
5a421415
MC		 3234static int allow_ed_cb_called = 0;
3235
3236static int allow_early_data_cb(SSL *s, void *arg)
3237{
3238 int *usecb = (int *)arg;
3239
3240 allow_ed_cb_called++;
3241
3242 if (*usecb == 1)
3243 return 0;
3244
3245 return 1;
3246}
3247
3248/*
3249 * idx == 0: Standard early_data setup
3250 * idx == 1: early_data setup using read_ahead
3251 * usecb == 0: Don't use a custom early data callback
3252 * usecb == 1: Use a custom early data callback and reject the early data
3253 * usecb == 2: Use a custom early data callback and accept the early data
3bb5e5b0
MC		 3254 * confopt == 0: Configure anti-replay directly
3255 * confopt == 1: Configure anti-replay using SSL_CONF
5a421415 3256 */
3bb5e5b0 3257static int test_early_data_replay_int(int idx, int usecb, int confopt)
78fb5374
MC		 3258{
3259 SSL_CTX *cctx = NULL, *sctx = NULL;
3260 SSL *clientssl = NULL, *serverssl = NULL;
3261 int testresult = 0;
3262 SSL_SESSION *sess = NULL;
5a421415
MC		 3263 size_t readbytes, written;
3264 unsigned char buf[20];
3265
3266 allow_ed_cb_called = 0;
3267
5e30f2fd
MC		 3268 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3269 TLS_client_method(), TLS1_VERSION, 0,
3270 &sctx, &cctx, cert, privkey)))
5a421415
MC		 3271 return 0;
3272
3273 if (usecb > 0) {
3bb5e5b0
MC		 3274 if (confopt == 0) {
3275 SSL_CTX_set_options(sctx, SSL_OP_NO_ANTI_REPLAY);
3276 } else {
3277 SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
3278
3279 if (!TEST_ptr(confctx))
3280 goto end;
3281 SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
3282 | SSL_CONF_FLAG_SERVER);
3283 SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
3284 if (!TEST_int_eq(SSL_CONF_cmd(confctx, "Options", "-AntiReplay"),
3285 2)) {
3286 SSL_CONF_CTX_free(confctx);
3287 goto end;
3288 }
3289 SSL_CONF_CTX_free(confctx);
3290 }
5a421415
MC		 3291 SSL_CTX_set_allow_early_data_cb(sctx, allow_early_data_cb, &usecb);
3292 }
78fb5374
MC		 3293
3294 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3295 &serverssl, &sess, idx)))
3296 goto end;
3297
3298 /*
3299 * The server is configured to accept early data. Create a connection to
3300 * "use up" the ticket
3301 */
3302 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3303 || !TEST_true(SSL_session_reused(clientssl)))
3304 goto end;
3305
3306 SSL_shutdown(clientssl);
3307 SSL_shutdown(serverssl);
3308 SSL_free(serverssl);
3309 SSL_free(clientssl);
3310 serverssl = clientssl = NULL;
3311
3312 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
3313 &clientssl, NULL, NULL))
5a421415
MC		 3314 || !TEST_true(SSL_set_session(clientssl, sess)))
3315 goto end;
3316
3317 /* Write and read some early data */
3318 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3319 &written))
3320 || !TEST_size_t_eq(written, strlen(MSG1)))
3321 goto end;
3322
3323 if (usecb <= 1) {
3324 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3325 &readbytes),
3326 SSL_READ_EARLY_DATA_FINISH)
3327 /*
3328 * The ticket was reused, so the we should have rejected the
3329 * early data
3330 */
3331 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3332 SSL_EARLY_DATA_REJECTED))
3333 goto end;
3334 } else {
3335 /* In this case the callback decides to accept the early data */
3336 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3337 &readbytes),
3338 SSL_READ_EARLY_DATA_SUCCESS)
3339 || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
3340 /*
3341 * Server will have sent its flight so client can now send
3342 * end of early data and complete its half of the handshake
3343 */
3344 || !TEST_int_gt(SSL_connect(clientssl), 0)
3345 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3346 &readbytes),
3347 SSL_READ_EARLY_DATA_FINISH)
3348 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3349 SSL_EARLY_DATA_ACCEPTED))
3350 goto end;
3351 }
3352
3353 /* Complete the connection */
3354 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
3355 || !TEST_int_eq(SSL_session_reused(clientssl), (usecb > 0) ? 1 : 0)
3356 || !TEST_int_eq(allow_ed_cb_called, usecb > 0 ? 1 : 0))
78fb5374
MC		 3357 goto end;
3358
3359 testresult = 1;
3360
3361 end:
c20e3b28 3362 SSL_SESSION_free(sess);
78fb5374
MC		 3363 SSL_SESSION_free(clientpsk);
3364 SSL_SESSION_free(serverpsk);
3365 clientpsk = serverpsk = NULL;
3366 SSL_free(serverssl);
3367 SSL_free(clientssl);
3368 SSL_CTX_free(sctx);
3369 SSL_CTX_free(cctx);
3370 return testresult;
3371}
3372
5a421415
MC		 3373static int test_early_data_replay(int idx)
3374{
3bb5e5b0 3375 int ret = 1, usecb, confopt;
5a421415 3376
3bb5e5b0
MC		 3377 for (usecb = 0; usecb < 3; usecb++) {
3378 for (confopt = 0; confopt < 2; confopt++)
3379 ret &= test_early_data_replay_int(idx, usecb, confopt);
3380 }
5a421415
MC		 3381
3382 return ret;
3383}
3384
710756a9 3385/*
6b84e6bf
MC		 3386 * Helper function to test that a server attempting to read early data can
3387 * handle a connection from a client where the early data should be skipped.
0d1b7789
MC		 3388 * testtype: 0 == No HRR
3389 * testtype: 1 == HRR
0efa0ba4
MC		 3390 * testtype: 2 == HRR, invalid early_data sent after HRR
3391 * testtype: 3 == recv_max_early_data set to 0
710756a9 3392 */
0d1b7789 3393static int early_data_skip_helper(int testtype, int idx)
5f982038
MC		 3394{
3395 SSL_CTX *cctx = NULL, *sctx = NULL;
3396 SSL *clientssl = NULL, *serverssl = NULL;
3397 int testresult = 0;
018fcbec 3398 SSL_SESSION *sess = NULL;
5f982038
MC		 3399 unsigned char buf[20];
3400 size_t readbytes, written;
3401
710756a9
RS		 3402 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3403 &serverssl, &sess, idx)))
5f982038
MC		 3404 goto end;
3405
0efa0ba4 3406 if (testtype == 1 || testtype == 2) {
6b84e6bf 3407 /* Force an HRR to occur */
dbc6268f
MC		 3408#if defined(OPENSSL_NO_EC)
3409 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
3410 goto end;
3411#else
6b84e6bf
MC		 3412 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
3413 goto end;
dbc6268f 3414#endif
02a3ed5a
MC		 3415 } else if (idx == 2) {
3416 /*
3417 * We force early_data rejection by ensuring the PSK identity is
3418 * unrecognised
3419 */
3420 srvid = "Dummy Identity";
6b84e6bf
MC		 3421 } else {
3422 /*
3423 * Deliberately corrupt the creation time. We take 20 seconds off the
3424 * time. It could be any value as long as it is not within tolerance.
3425 * This should mean the ticket is rejected.
3426 */
5d99881e 3427 if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
6b84e6bf
MC		 3428 goto end;
3429 }
5f982038 3430
0efa0ba4 3431 if (testtype == 3
0d1b7789
MC		 3432 && !TEST_true(SSL_set_recv_max_early_data(serverssl, 0)))
3433 goto end;
3434
5f982038 3435 /* Write some early data */
710756a9
RS		 3436 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3437 &written))
3438 || !TEST_size_t_eq(written, strlen(MSG1)))
5f982038 3439 goto end;
5f982038 3440
0d1b7789 3441 /* Server should reject the early data */
710756a9
RS		 3442 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3443 &readbytes),
3444 SSL_READ_EARLY_DATA_FINISH)
3445 || !TEST_size_t_eq(readbytes, 0)
3446 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3447 SSL_EARLY_DATA_REJECTED))
5f982038 3448 goto end;
5f982038 3449
0efa0ba4
MC		 3450 switch (testtype) {
3451 case 0:
3452 /* Nothing to do */
3453 break;
3454
3455 case 1:
6b84e6bf
MC		 3456 /*
3457 * Finish off the handshake. We perform the same writes and reads as
3458 * further down but we expect them to fail due to the incomplete
3459 * handshake.
3460 */
3461 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3462 || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
3463 &readbytes)))
3464 goto end;
0efa0ba4
MC		 3465 break;
3466
3467 case 2:
3468 {
3469 BIO *wbio = SSL_get_wbio(clientssl);
3470 /* A record that will appear as bad early_data */
3471 const unsigned char bad_early_data[] = {
3472 0x17, 0x03, 0x03, 0x00, 0x01, 0x00
3473 };
3474
3475 /*
3476 * We force the client to attempt a write. This will fail because
3477 * we're still in the handshake. It will cause the second
3478 * ClientHello to be sent.
3479 */
3480 if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2),
3481 &written)))
3482 goto end;
3483
3484 /*
3485 * Inject some early_data after the second ClientHello. This should
3486 * cause the server to fail
3487 */
3488 if (!TEST_true(BIO_write_ex(wbio, bad_early_data,
3489 sizeof(bad_early_data), &written)))
3490 goto end;
3491 }
3492 /* fallthrough */
3493
3494 case 3:
0d1b7789 3495 /*
0efa0ba4
MC		 3496 * This client has sent more early_data than we are willing to skip
3497 * (case 3) or sent invalid early_data (case 2) so the connection should
3498 * abort.
0d1b7789
MC		 3499 */
3500 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3501 || !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL))
3502 goto end;
3503
3504 /* Connection has failed - nothing more to do */
3505 testresult = 1;
3506 goto end;
0efa0ba4
MC		 3507
3508 default:
3509 TEST_error("Invalid test type");
3510 goto end;
6b84e6bf
MC		 3511 }
3512
0d1b7789
MC		 3513 /*
3514 * Should be able to send normal data despite rejection of early data. The
3515 * early_data should be skipped.
3516 */
710756a9
RS		 3517 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3518 || !TEST_size_t_eq(written, strlen(MSG2))
3519 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3520 SSL_EARLY_DATA_REJECTED)
3521 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3522 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3523 goto end;
5f982038
MC		 3524
3525 testresult = 1;
3526
3527 end:
c20e3b28 3528 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3529 SSL_SESSION_free(serverpsk);
3530 clientpsk = serverpsk = NULL;
5f982038
MC		 3531 SSL_SESSION_free(sess);
3532 SSL_free(serverssl);
3533 SSL_free(clientssl);
3534 SSL_CTX_free(sctx);
3535 SSL_CTX_free(cctx);
5f982038
MC		 3536 return testresult;
3537}
3538
6b84e6bf
MC		 3539/*
3540 * Test that a server attempting to read early data can handle a connection
3541 * from a client where the early data is not acceptable.
3542 */
3543static int test_early_data_skip(int idx)
3544{
3545 return early_data_skip_helper(0, idx);
3546}
3547
3548/*
3549 * Test that a server attempting to read early data can handle a connection
3550 * from a client where an HRR occurs.
3551 */
3552static int test_early_data_skip_hrr(int idx)
3553{
3554 return early_data_skip_helper(1, idx);
3555}
3556
0efa0ba4
MC		 3557/*
3558 * Test that a server attempting to read early data can handle a connection
3559 * from a client where an HRR occurs and correctly fails if early_data is sent
3560 * after the HRR
3561 */
3562static int test_early_data_skip_hrr_fail(int idx)
3563{
3564 return early_data_skip_helper(2, idx);
3565}
3566
0d1b7789
MC		 3567/*
3568 * Test that a server attempting to read early data will abort if it tries to
3569 * skip over too much.
3570 */
3571static int test_early_data_skip_abort(int idx)
3572{
0efa0ba4 3573 return early_data_skip_helper(3, idx);
0d1b7789
MC		 3574}
3575
710756a9
RS		 3576/*
3577 * Test that a server attempting to read early data can handle a connection
3578 * from a client that doesn't send any.
3579 */
3cb47b4e 3580static int test_early_data_not_sent(int idx)
5f982038
MC		 3581{
3582 SSL_CTX *cctx = NULL, *sctx = NULL;
3583 SSL *clientssl = NULL, *serverssl = NULL;
3584 int testresult = 0;
018fcbec 3585 SSL_SESSION *sess = NULL;
5f982038
MC		 3586 unsigned char buf[20];
3587 size_t readbytes, written;
3588
710756a9
RS		 3589 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3590 &serverssl, &sess, idx)))
5f982038
MC		 3591 goto end;
3592
3593 /* Write some data - should block due to handshake with server */
3594 SSL_set_connect_state(clientssl);
710756a9 3595 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 3596 goto end;
5f982038
MC		 3597
3598 /* Server should detect that early data has not been sent */
710756a9
RS		 3599 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3600 &readbytes),
3601 SSL_READ_EARLY_DATA_FINISH)
3602 || !TEST_size_t_eq(readbytes, 0)
3603 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3604 SSL_EARLY_DATA_NOT_SENT)
3605 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3606 SSL_EARLY_DATA_NOT_SENT))
5f982038 3607 goto end;
5f982038
MC		 3608
3609 /* Continue writing the message we started earlier */
710756a9
RS		 3610 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
3611 || !TEST_size_t_eq(written, strlen(MSG1))
3612 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3613 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3614 || !SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written)
3615 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3616 goto end;
5f982038 3617
710756a9
RS		 3618 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
3619 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3620 goto end;
5f982038
MC		 3621
3622 testresult = 1;
3623
3624 end:
5f982038 3625 SSL_SESSION_free(sess);
c20e3b28 3626 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3627 SSL_SESSION_free(serverpsk);
3628 clientpsk = serverpsk = NULL;
5f982038
MC		 3629 SSL_free(serverssl);
3630 SSL_free(clientssl);
3631 SSL_CTX_free(sctx);
3632 SSL_CTX_free(cctx);
5f982038
MC		 3633 return testresult;
3634}
3635
976e5323
MC		 3636static const char *servalpn;
3637
c7558d5b
PY		 3638static int alpn_select_cb(SSL *ssl, const unsigned char **out,
3639 unsigned char *outlen, const unsigned char *in,
3640 unsigned int inlen, void *arg)
976e5323 3641{
c7558d5b 3642 unsigned int protlen = 0;
976e5323
MC		 3643 const unsigned char *prot;
3644
c7558d5b
PY		 3645 for (prot = in; prot < in + inlen; prot += protlen) {
3646 protlen = *prot++;
5d99881e 3647 if (in + inlen < prot + protlen)
976e5323
MC		 3648 return SSL_TLSEXT_ERR_NOACK;
3649
3650 if (protlen == strlen(servalpn)
0bd42fde 3651 && memcmp(prot, servalpn, protlen) == 0) {
976e5323
MC		 3652 *out = prot;
3653 *outlen = protlen;
3654 return SSL_TLSEXT_ERR_OK;
3655 }
3656 }
3657
3658 return SSL_TLSEXT_ERR_NOACK;
3659}
3660
57dee9bb 3661/* Test that a PSK can be used to send early_data */
976e5323
MC		 3662static int test_early_data_psk(int idx)
3663{
3664 SSL_CTX *cctx = NULL, *sctx = NULL;
3665 SSL *clientssl = NULL, *serverssl = NULL;
3666 int testresult = 0;
3667 SSL_SESSION *sess = NULL;
57dee9bb
MC		 3668 unsigned char alpnlist[] = {
3669 0x08, 'g', 'o', 'o', 'd', 'a', 'l', 'p', 'n', 0x07, 'b', 'a', 'd', 'a',
3670 'l', 'p', 'n'
3671 };
3672#define GOODALPNLEN 9
3673#define BADALPNLEN 8
3674#define GOODALPN (alpnlist)
3675#define BADALPN (alpnlist + GOODALPNLEN)
3676 int err = 0;
976e5323
MC		 3677 unsigned char buf[20];
3678 size_t readbytes, written;
57dee9bb 3679 int readearlyres = SSL_READ_EARLY_DATA_SUCCESS, connectres = 1;
976e5323
MC		 3680 int edstatus = SSL_EARLY_DATA_ACCEPTED;
3681
3682 /* We always set this up with a final parameter of "2" for PSK */
3683 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3684 &serverssl, &sess, 2)))
3685 goto end;
3686
976e5323
MC		 3687 servalpn = "goodalpn";
3688
57dee9bb
MC		 3689 /*
3690 * Note: There is no test for inconsistent SNI with late client detection.
3691 * This is because servers do not acknowledge SNI even if they are using
3692 * it in a resumption handshake - so it is not actually possible for a
3693 * client to detect a problem.
3694 */
976e5323
MC		 3695 switch (idx) {
3696 case 0:
57dee9bb 3697 /* Set inconsistent SNI (early client detection) */
976e5323
MC		 3698 err = SSL_R_INCONSISTENT_EARLY_DATA_SNI;
3699 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3700 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "badhost")))
3701 goto end;
3702 break;
3703
3704 case 1:
57dee9bb 3705 /* Set inconsistent ALPN (early client detection) */
976e5323
MC		 3706 err = SSL_R_INCONSISTENT_EARLY_DATA_ALPN;
3707 /* SSL_set_alpn_protos returns 0 for success and 1 for failure */
57dee9bb
MC		 3708 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN,
3709 GOODALPNLEN))
3710 || !TEST_false(SSL_set_alpn_protos(clientssl, BADALPN,
3711 BADALPNLEN)))
976e5323
MC		 3712 goto end;
3713 break;
3714
3715 case 2:
3716 /*
3717 * Set invalid protocol version. Technically this affects PSKs without
3718 * early_data too, but we test it here because it is similar to the
3719 * SNI/ALPN consistency tests.
3720 */
3721 err = SSL_R_BAD_PSK;
3722 if (!TEST_true(SSL_SESSION_set_protocol_version(sess, TLS1_2_VERSION)))
3723 goto end;
3724 break;
3725
3726 case 3:
3727 /*
49ef3d07
MC		 3728 * Set inconsistent SNI (server side). In this case the connection
3729 * will succeed and accept early_data. In TLSv1.3 on the server side SNI
3730 * is associated with each handshake - not the session. Therefore it
3731 * should not matter that we used a different server name last time.
976e5323 3732 */
281bf233
MC		 3733 SSL_SESSION_free(serverpsk);
3734 serverpsk = SSL_SESSION_dup(clientpsk);
3735 if (!TEST_ptr(serverpsk)
3736 || !TEST_true(SSL_SESSION_set1_hostname(serverpsk, "badhost")))
3737 goto end;
976e5323
MC		 3738 /* Fall through */
3739 case 4:
3740 /* Set consistent SNI */
976e5323
MC		 3741 if (!TEST_true(SSL_SESSION_set1_hostname(sess, "goodhost"))
3742 || !TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost"))
3743 || !TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
3744 hostname_cb)))
3745 goto end;
3746 break;
3747
3748 case 5:
3749 /*
3750 * Set inconsistent ALPN (server detected). In this case the connection
3751 * will succeed but reject early_data.
3752 */
3753 servalpn = "badalpn";
3754 edstatus = SSL_EARLY_DATA_REJECTED;
3755 readearlyres = SSL_READ_EARLY_DATA_FINISH;
3756 /* Fall through */
3757 case 6:
976e5323 3758 /*
57dee9bb 3759 * Set consistent ALPN.
976e5323
MC		 3760 * SSL_set_alpn_protos returns 0 for success and 1 for failure. It
3761 * accepts a list of protos (each one length prefixed).
3762 * SSL_set1_alpn_selected accepts a single protocol (not length
3763 * prefixed)
3764 */
57dee9bb
MC		 3765 if (!TEST_true(SSL_SESSION_set1_alpn_selected(sess, GOODALPN + 1,
3766 GOODALPNLEN - 1))
3767 || !TEST_false(SSL_set_alpn_protos(clientssl, GOODALPN,
3768 GOODALPNLEN)))
976e5323
MC		 3769 goto end;
3770
3771 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3772 break;
3773
57dee9bb
MC		 3774 case 7:
3775 /* Set inconsistent ALPN (late client detection) */
3776 SSL_SESSION_free(serverpsk);
3777 serverpsk = SSL_SESSION_dup(clientpsk);
3778 if (!TEST_ptr(serverpsk)
3779 || !TEST_true(SSL_SESSION_set1_alpn_selected(clientpsk,
3780 BADALPN + 1,
3781 BADALPNLEN - 1))
3782 || !TEST_true(SSL_SESSION_set1_alpn_selected(serverpsk,
3783 GOODALPN + 1,
3784 GOODALPNLEN - 1))
3785 || !TEST_false(SSL_set_alpn_protos(clientssl, alpnlist,
3786 sizeof(alpnlist))))
3787 goto end;
3788 SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb, NULL);
3789 edstatus = SSL_EARLY_DATA_ACCEPTED;
3790 readearlyres = SSL_READ_EARLY_DATA_SUCCESS;
3791 /* SSL_connect() call should fail */
3792 connectres = -1;
3793 break;
3794
976e5323
MC		 3795 default:
3796 TEST_error("Bad test index");
3797 goto end;
3798 }
3799
3800 SSL_set_connect_state(clientssl);
3801 if (err != 0) {
3802 if (!TEST_false(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3803 &written))
3804 || !TEST_int_eq(SSL_get_error(clientssl, 0), SSL_ERROR_SSL)
3805 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
3806 goto end;
3807 } else {
3808 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
57dee9bb
MC		 3809 &written)))
3810 goto end;
3811
3812 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3813 &readbytes), readearlyres)
976e5323
MC		 3814 || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
3815 && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
57dee9bb
MC		 3816 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
3817 || !TEST_int_eq(SSL_connect(clientssl), connectres))
976e5323
MC		 3818 goto end;
3819 }
3820
3821 testresult = 1;
3822
3823 end:
c20e3b28 3824 SSL_SESSION_free(sess);
57dee9bb
MC		 3825 SSL_SESSION_free(clientpsk);
3826 SSL_SESSION_free(serverpsk);
3827 clientpsk = serverpsk = NULL;
976e5323
MC		 3828 SSL_free(serverssl);
3829 SSL_free(clientssl);
3830 SSL_CTX_free(sctx);
3831 SSL_CTX_free(cctx);
3832 return testresult;
3833}
3834
0b2b0be9 3835/*
3836 * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
3837 * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
3838 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
3839 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3840 * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
3841 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
3842 */
3843static int test_early_data_psk_with_all_ciphers(int idx)
3844{
3845 SSL_CTX *cctx = NULL, *sctx = NULL;
3846 SSL *clientssl = NULL, *serverssl = NULL;
3847 int testresult = 0;
3848 SSL_SESSION *sess = NULL;
3849 unsigned char buf[20];
3850 size_t readbytes, written;
3851 const SSL_CIPHER *cipher;
3852 const char *cipher_str[] = {
3853 TLS1_3_RFC_AES_128_GCM_SHA256,
3854 TLS1_3_RFC_AES_256_GCM_SHA384,
3855# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3856 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
3857# else
3858 NULL,
3859# endif
3860 TLS1_3_RFC_AES_128_CCM_SHA256,
3861 TLS1_3_RFC_AES_128_CCM_8_SHA256
3862 };
3863 const unsigned char *cipher_bytes[] = {
3864 TLS13_AES_128_GCM_SHA256_BYTES,
3865 TLS13_AES_256_GCM_SHA384_BYTES,
3866# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
3867 TLS13_CHACHA20_POLY1305_SHA256_BYTES,
3868# else
3869 NULL,
3870# endif
3871 TLS13_AES_128_CCM_SHA256_BYTES,
3872 TLS13_AES_128_CCM_8_SHA256_BYTES
3873 };
3874
3875 if (cipher_str[idx] == NULL)
3876 return 1;
3877 /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */
3878 if (idx == 2 && is_fips == 1)
3879 return 1;
3880
3881 /* We always set this up with a final parameter of "2" for PSK */
3882 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3883 &serverssl, &sess, 2)))
3884 goto end;
3885
3886 if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
3887 || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
3888 goto end;
3889
3890 /*
3891 * 'setupearly_data_test' creates only one instance of SSL_SESSION
3892 * and assigns to both client and server with incremented reference
3893 * and the same instance is updated in 'sess'.
3894 * So updating ciphersuite in 'sess' which will get reflected in
3895 * PSK handshake using psk use sess and find sess cb.
3896 */
3897 cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
3898 if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
3899 goto end;
3900
3901 SSL_set_connect_state(clientssl);
3902 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3903 &written)))
3904 goto end;
3905
3906 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
3907 &readbytes),
3908 SSL_READ_EARLY_DATA_SUCCESS)
3909 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
3910 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3911 SSL_EARLY_DATA_ACCEPTED)
3912 || !TEST_int_eq(SSL_connect(clientssl), 1)
3913 || !TEST_int_eq(SSL_accept(serverssl), 1))
3914 goto end;
3915
3916 /* Send some normal data from client to server */
3917 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3918 || !TEST_size_t_eq(written, strlen(MSG2)))
3919 goto end;
3920
3921 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3922 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
3923 goto end;
3924
3925 testresult = 1;
3926 end:
3927 SSL_SESSION_free(sess);
3928 SSL_SESSION_free(clientpsk);
3929 SSL_SESSION_free(serverpsk);
3930 clientpsk = serverpsk = NULL;
3931 if (clientssl != NULL)
3932 SSL_shutdown(clientssl);
3933 if (serverssl != NULL)
3934 SSL_shutdown(serverssl);
3935 SSL_free(serverssl);
3936 SSL_free(clientssl);
3937 SSL_CTX_free(sctx);
3938 SSL_CTX_free(cctx);
3939 return testresult;
3940}
3941
710756a9
RS		 3942/*
3943 * Test that a server that doesn't try to read early data can handle a
3944 * client sending some.
3945 */
3cb47b4e 3946static int test_early_data_not_expected(int idx)
5f982038
MC		 3947{
3948 SSL_CTX *cctx = NULL, *sctx = NULL;
3949 SSL *clientssl = NULL, *serverssl = NULL;
3950 int testresult = 0;
018fcbec 3951 SSL_SESSION *sess = NULL;
5f982038
MC		 3952 unsigned char buf[20];
3953 size_t readbytes, written;
3954
710756a9
RS		 3955 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
3956 &serverssl, &sess, idx)))
5f982038
MC		 3957 goto end;
3958
3959 /* Write some early data */
710756a9
RS		 3960 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
3961 &written)))
5f982038 3962 goto end;
5f982038
MC		 3963
3964 /*
3965 * Server should skip over early data and then block waiting for client to
3966 * continue handshake
3967 */
710756a9
RS		 3968 if (!TEST_int_le(SSL_accept(serverssl), 0)
3969 || !TEST_int_gt(SSL_connect(clientssl), 0)
3970 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
3971 SSL_EARLY_DATA_REJECTED)
3972 || !TEST_int_gt(SSL_accept(serverssl), 0)
3973 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
3974 SSL_EARLY_DATA_REJECTED))
5f982038 3975 goto end;
5f982038
MC		 3976
3977 /* Send some normal data from client to server */
710756a9
RS		 3978 if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
3979 || !TEST_size_t_eq(written, strlen(MSG2)))
5f982038 3980 goto end;
5f982038 3981
710756a9
RS		 3982 if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
3983 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 3984 goto end;
5f982038
MC		 3985
3986 testresult = 1;
3987
3988 end:
5f982038 3989 SSL_SESSION_free(sess);
c20e3b28 3990 SSL_SESSION_free(clientpsk);
57dee9bb
MC		 3991 SSL_SESSION_free(serverpsk);
3992 clientpsk = serverpsk = NULL;
5f982038
MC		 3993 SSL_free(serverssl);
3994 SSL_free(clientssl);
3995 SSL_CTX_free(sctx);
3996 SSL_CTX_free(cctx);
5f982038
MC		 3997 return testresult;
3998}
3999
4000
4001# ifndef OPENSSL_NO_TLS1_2
710756a9
RS		 4002/*
4003 * Test that a server attempting to read early data can handle a connection
4004 * from a TLSv1.2 client.
4005 */
3cb47b4e 4006static int test_early_data_tls1_2(int idx)
5f982038
MC		 4007{
4008 SSL_CTX *cctx = NULL, *sctx = NULL;
4009 SSL *clientssl = NULL, *serverssl = NULL;
4010 int testresult = 0;
4011 unsigned char buf[20];
4012 size_t readbytes, written;
4013
02a3ed5a
MC		 4014 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
4015 &serverssl, NULL, idx)))
5f982038 4016 goto end;
5f982038
MC		 4017
4018 /* Write some data - should block due to handshake with server */
4019 SSL_set_max_proto_version(clientssl, TLS1_2_VERSION);
4020 SSL_set_connect_state(clientssl);
710756a9 4021 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written)))
5f982038 4022 goto end;
5f982038
MC		 4023
4024 /*
4025 * Server should do TLSv1.2 handshake. First it will block waiting for more
f533fbd4
MC		 4026 * messages from client after ServerDone. Then SSL_read_early_data should
4027 * finish and detect that early data has not been sent
5f982038 4028 */
710756a9
RS		 4029 if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4030 &readbytes),
4031 SSL_READ_EARLY_DATA_ERROR))
5f982038 4032 goto end;
5f982038
MC		 4033
4034 /*
4035 * Continue writing the message we started earlier. Will still block waiting
4036 * for the CCS/Finished from server
4037 */
710756a9
RS		 4038 if (!TEST_false(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4039 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
4040 &readbytes),
4041 SSL_READ_EARLY_DATA_FINISH)
4042 || !TEST_size_t_eq(readbytes, 0)
4043 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
4044 SSL_EARLY_DATA_NOT_SENT))
5f982038 4045 goto end;
5f982038
MC		 4046
4047 /* Continue writing the message we started earlier */
710756a9
RS		 4048 if (!TEST_true(SSL_write_ex(clientssl, MSG1, strlen(MSG1), &written))
4049 || !TEST_size_t_eq(written, strlen(MSG1))
4050 || !TEST_int_eq(SSL_get_early_data_status(clientssl),
4051 SSL_EARLY_DATA_NOT_SENT)
4052 || !TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
4053 || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
4054 || !TEST_true(SSL_write_ex(serverssl, MSG2, strlen(MSG2), &written))
4055 || !TEST_size_t_eq(written, strlen(MSG2))
4056 || !SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
4057 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
5f982038 4058 goto end;
5f982038
MC		 4059
4060 testresult = 1;
4061
4062 end:
57dee9bb
MC		 4063 SSL_SESSION_free(clientpsk);
4064 SSL_SESSION_free(serverpsk);
4065 clientpsk = serverpsk = NULL;
5f982038
MC		 4066 SSL_free(serverssl);
4067 SSL_free(clientssl);
4068 SSL_CTX_free(sctx);
4069 SSL_CTX_free(cctx);
4070
4071 return testresult;
4072}
ca0413ae
MC		 4073# endif /* OPENSSL_NO_TLS1_2 */
4074
034cb87b
MC		 4075/*
4076 * Test configuring the TLSv1.3 ciphersuites
4077 *
4078 * Test 0: Set a default ciphersuite in the SSL_CTX (no explicit cipher_list)
4079 * Test 1: Set a non-default ciphersuite in the SSL_CTX (no explicit cipher_list)
4080 * Test 2: Set a default ciphersuite in the SSL (no explicit cipher_list)
4081 * Test 3: Set a non-default ciphersuite in the SSL (no explicit cipher_list)
4082 * Test 4: Set a default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4083 * Test 5: Set a non-default ciphersuite in the SSL_CTX (SSL_CTX cipher_list)
4084 * Test 6: Set a default ciphersuite in the SSL (SSL_CTX cipher_list)
4085 * Test 7: Set a non-default ciphersuite in the SSL (SSL_CTX cipher_list)
4086 * Test 8: Set a default ciphersuite in the SSL (SSL cipher_list)
4087 * Test 9: Set a non-default ciphersuite in the SSL (SSL cipher_list)
4088 */
4089static int test_set_ciphersuite(int idx)
4090{
4091 SSL_CTX *cctx = NULL, *sctx = NULL;
4092 SSL *clientssl = NULL, *serverssl = NULL;
4093 int testresult = 0;
4094
5e30f2fd
MC		 4095 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4096 TLS_client_method(), TLS1_VERSION, 0,
034cb87b
MC		 4097 &sctx, &cctx, cert, privkey))
4098 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4099 "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
4100 goto end;
4101
4102 if (idx >=4 && idx <= 7) {
4103 /* SSL_CTX explicit cipher list */
4104 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES256-GCM-SHA384")))
4105 goto end;
4106 }
4107
4108 if (idx == 0 || idx == 4) {
4109 /* Default ciphersuite */
4110 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4111 "TLS_AES_128_GCM_SHA256")))
4112 goto end;
4113 } else if (idx == 1 || idx == 5) {
4114 /* Non default ciphersuite */
4115 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4116 "TLS_AES_128_CCM_SHA256")))
4117 goto end;
4118 }
4119
4120 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4121 &clientssl, NULL, NULL)))
4122 goto end;
4123
4124 if (idx == 8 || idx == 9) {
4125 /* SSL explicit cipher list */
4126 if (!TEST_true(SSL_set_cipher_list(clientssl, "AES256-GCM-SHA384")))
4127 goto end;
4128 }
4129
4130 if (idx == 2 || idx == 6 || idx == 8) {
4131 /* Default ciphersuite */
4132 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4133 "TLS_AES_128_GCM_SHA256")))
4134 goto end;
4135 } else if (idx == 3 || idx == 7 || idx == 9) {
4136 /* Non default ciphersuite */
4137 if (!TEST_true(SSL_set_ciphersuites(clientssl,
4138 "TLS_AES_128_CCM_SHA256")))
4139 goto end;
4140 }
4141
4142 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
4143 goto end;
4144
4145 testresult = 1;
4146
4147 end:
4148 SSL_free(serverssl);
4149 SSL_free(clientssl);
4150 SSL_CTX_free(sctx);
4151 SSL_CTX_free(cctx);
4152
4153 return testresult;
4154}
4155
ca0413ae
MC		 4156static int test_ciphersuite_change(void)
4157{
4158 SSL_CTX *cctx = NULL, *sctx = NULL;
4159 SSL *clientssl = NULL, *serverssl = NULL;
4160 SSL_SESSION *clntsess = NULL;
4161 int testresult = 0;
4162 const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
4163
4164 /* Create a session based on SHA-256 */
5e30f2fd
MC		 4165 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4166 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4167 &sctx, &cctx, cert, privkey))
4f6c7044
MC		 4168 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4169 "TLS_AES_128_GCM_SHA256:"
4170 "TLS_AES_256_GCM_SHA384:"
4171 "TLS_AES_128_CCM_SHA256"))
f865b081
MC		 4172 || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
4173 "TLS_AES_128_GCM_SHA256"))
ca0413ae
MC		 4174 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4175 &clientssl, NULL, NULL))
4176 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4177 SSL_ERROR_NONE)))
4178 goto end;
4179
4180 clntsess = SSL_get1_session(clientssl);
4181 /* Save for later */
4182 aes_128_gcm_sha256 = SSL_SESSION_get0_cipher(clntsess);
4183 SSL_shutdown(clientssl);
4184 SSL_shutdown(serverssl);
4185 SSL_free(serverssl);
4186 SSL_free(clientssl);
4187 serverssl = clientssl = NULL;
4188
4189 /* Check we can resume a session with a different SHA-256 ciphersuite */
f865b081 4190 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4f6c7044
MC		 4191 "TLS_AES_128_CCM_SHA256"))
4192 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4193 &clientssl, NULL, NULL))
ca0413ae
MC		 4194 || !TEST_true(SSL_set_session(clientssl, clntsess))
4195 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4196 SSL_ERROR_NONE))
4197 || !TEST_true(SSL_session_reused(clientssl)))
4198 goto end;
4199
4200 SSL_SESSION_free(clntsess);
4201 clntsess = SSL_get1_session(clientssl);
4202 SSL_shutdown(clientssl);
4203 SSL_shutdown(serverssl);
4204 SSL_free(serverssl);
4205 SSL_free(clientssl);
4206 serverssl = clientssl = NULL;
4207
4208 /*
4209 * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
0de6d66d 4210 * succeeds but does not resume.
ca0413ae 4211 */
f865b081 4212 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4213 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4214 NULL, NULL))
4215 || !TEST_true(SSL_set_session(clientssl, clntsess))
0de6d66d 4216 || !TEST_true(create_ssl_connection(serverssl, clientssl,
ca0413ae 4217 SSL_ERROR_SSL))
0de6d66d 4218 || !TEST_false(SSL_session_reused(clientssl)))
ca0413ae
MC		 4219 goto end;
4220
4221 SSL_SESSION_free(clntsess);
4222 clntsess = NULL;
4223 SSL_shutdown(clientssl);
4224 SSL_shutdown(serverssl);
4225 SSL_free(serverssl);
4226 SSL_free(clientssl);
4227 serverssl = clientssl = NULL;
4228
4229 /* Create a session based on SHA384 */
f865b081 4230 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4231 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4232 &clientssl, NULL, NULL))
4233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4234 SSL_ERROR_NONE)))
4235 goto end;
4236
4237 clntsess = SSL_get1_session(clientssl);
4238 SSL_shutdown(clientssl);
4239 SSL_shutdown(serverssl);
4240 SSL_free(serverssl);
4241 SSL_free(clientssl);
4242 serverssl = clientssl = NULL;
4243
f865b081
MC		 4244 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4245 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"))
4246 || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
4247 "TLS_AES_256_GCM_SHA384"))
ca0413ae
MC		 4248 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4249 NULL, NULL))
4250 || !TEST_true(SSL_set_session(clientssl, clntsess))
3b0e88d3
MC		 4251 /*
4252 * We use SSL_ERROR_WANT_READ below so that we can pause the
4253 * connection after the initial ClientHello has been sent to
4254 * enable us to make some session changes.
4255 */
ca0413ae
MC		 4256 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4257 SSL_ERROR_WANT_READ)))
4258 goto end;
4259
4260 /* Trick the client into thinking this session is for a different digest */
4261 clntsess->cipher = aes_128_gcm_sha256;
4262 clntsess->cipher_id = clntsess->cipher->id;
4263
4264 /*
3b0e88d3
MC		 4265 * Continue the previously started connection. Server has selected a SHA-384
4266 * ciphersuite, but client thinks the session is for SHA-256, so it should
4267 * bail out.
ca0413ae
MC		 4268 */
4269 if (!TEST_false(create_ssl_connection(serverssl, clientssl,
4270 SSL_ERROR_SSL))
4271 || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()),
4272 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED))
4273 goto end;
4274
4275 testresult = 1;
4276
4277 end:
4278 SSL_SESSION_free(clntsess);
4279 SSL_free(serverssl);
4280 SSL_free(clientssl);
4281 SSL_CTX_free(sctx);
4282 SSL_CTX_free(cctx);
4283
4284 return testresult;
4285}
4286
8e63900a 4287/*
5bf2eade 4288 * Test TLSv1.3 Key exchange
4289 * Test 0 = Test all ECDHE Key exchange with TLSv1.3 client and server
4290 * Test 1 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
4291 * Test 2 = Test NID_secp384r1 with TLSv1.3 client and server
4292 * Test 3 = Test NID_secp521r1 with TLSv1.3 client and server
4293 * Test 4 = Test NID_X25519 with TLSv1.3 client and server
4294 * Test 5 = Test NID_X448 with TLSv1.3 client and server
4295 * Test 6 = Test all FFDHE Key exchange with TLSv1.3 client and server
4296 * Test 7 = Test NID_ffdhe2048 with TLSv1.3 client and server
4297 * Test 8 = Test NID_ffdhe3072 with TLSv1.3 client and server
4298 * Test 9 = Test NID_ffdhe4096 with TLSv1.3 client and server
4299 * Test 10 = Test NID_ffdhe6144 with TLSv1.3 client and server
4300 * Test 11 = Test NID_ffdhe8192 with TLSv1.3 client and server
4301 * Test 12 = Test all ECDHE with TLSv1.2 client and server
4302 * Test 13 = Test all FFDHE with TLSv1.2 client and server
8e63900a 4303 */
db26ec80 4304static int test_key_exchange(int idx)
8e63900a 4305{
4306 SSL_CTX *sctx = NULL, *cctx = NULL;
4307 SSL *serverssl = NULL, *clientssl = NULL;
4308 int testresult = 0;
5bf2eade 4309# ifndef OPENSSL_NO_EC
4310 int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
4311 NID_secp521r1, NID_X25519, NID_X448};
4312# endif
4313# ifndef OPENSSL_NO_DH
8e63900a 4314 int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
4315 NID_ffdhe6144, NID_ffdhe8192};
5bf2eade 4316# endif
fb8c6db4 4317 int kexch_alg;
4318 int *kexch_groups = &kexch_alg;
4319 int kexch_groups_size = 1;
8e63900a 4320 int max_version = TLS1_3_VERSION;
8e63900a 4321
4322 switch (idx) {
5bf2eade 4323# ifndef OPENSSL_NO_EC
db26ec80 4324# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4325 case 12:
fb8c6db4 4326 max_version = TLS1_2_VERSION;
db26ec80 4327# endif
fb8c6db4 4328 /* Fall through */
4329 case 0:
4330 kexch_groups = ecdhe_kexch_groups;
4331 kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
4332 break;
5bf2eade 4333 case 1:
fb8c6db4 4334 kexch_alg = NID_X9_62_prime256v1;
4335 break;
5bf2eade 4336 case 2:
fb8c6db4 4337 kexch_alg = NID_secp384r1;
4338 break;
5bf2eade 4339 case 3:
fb8c6db4 4340 kexch_alg = NID_secp521r1;
4341 break;
5bf2eade 4342 case 4:
fb8c6db4 4343 kexch_alg = NID_X25519;
4344 break;
5bf2eade 4345 case 5:
fb8c6db4 4346 kexch_alg = NID_X448;
4347 break;
5bf2eade 4348# endif
4349# ifndef OPENSSL_NO_DH
db26ec80 4350# ifndef OPENSSL_NO_TLS1_2
5bf2eade 4351 case 13:
dbc6268f 4352 max_version = TLS1_2_VERSION;
db26ec80 4353# endif
dbc6268f 4354 /* Fall through */
5bf2eade 4355 case 6:
8e63900a 4356 kexch_groups = ffdhe_kexch_groups;
4357 kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
4358 break;
5bf2eade 4359 case 7:
fb8c6db4 4360 kexch_alg = NID_ffdhe2048;
4361 break;
5bf2eade 4362 case 8:
fb8c6db4 4363 kexch_alg = NID_ffdhe3072;
4364 break;
5bf2eade 4365 case 9:
fb8c6db4 4366 kexch_alg = NID_ffdhe4096;
4367 break;
5bf2eade 4368 case 10:
fb8c6db4 4369 kexch_alg = NID_ffdhe6144;
4370 break;
5bf2eade 4371 case 11:
fb8c6db4 4372 kexch_alg = NID_ffdhe8192;
8e63900a 4373 break;
5bf2eade 4374# endif
6597d62b
MC		 4375 default:
4376 /* We're skipping this test */
4377 return 1;
8e63900a 4378 }
4379
5e30f2fd
MC		 4380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4381 TLS_client_method(), TLS1_VERSION,
4382 max_version, &sctx, &cctx, cert,
4383 privkey)))
8e63900a 4384 goto end;
4385
5bf2eade 4386 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
4387 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4388 goto end;
4389
5bf2eade 4390 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4391 TLS1_3_RFC_AES_128_GCM_SHA256)))
8e63900a 4392 goto end;
4393
5bf2eade 4394 if (!TEST_true(SSL_CTX_set_cipher_list(sctx,
4395 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4396 goto end;
4397
dbc6268f
MC		 4398 /*
4399 * Must include an EC ciphersuite so that we send supported groups in
4400 * TLSv1.2
4401 */
5bf2eade 4402# ifndef OPENSSL_NO_TLS1_2
dbc6268f
MC		 4403 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
4404 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":"
4405 TLS1_TXT_RSA_WITH_AES_128_SHA)))
8e63900a 4406 goto end;
5bf2eade 4407# endif
8e63900a 4408
4409 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4410 NULL, NULL)))
4411 goto end;
4412
4413 if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size))
4414 || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size)))
4415 goto end;
4416
5bf2eade 4417 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8e63900a 4418 goto end;
8e63900a 4419
dbc6268f 4420 /*
5bf2eade 4421 * If Handshake succeeds the negotiated kexch alg should be the first one in
4422 * configured, except in the case of FFDHE groups (idx 13), which are
4423 * TLSv1.3 only so we expect no shared group to exist.
dbc6268f
MC		 4424 */
4425 if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
5bf2eade 4426 idx == 13 ? 0 : kexch_groups[0]))
8e63900a 4427 goto end;
fb8c6db4 4428 if (max_version == TLS1_3_VERSION) {
4429 if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
4430 goto end;
4431 if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
4432 goto end;
4433 }
8e63900a 4434
4435 testresult = 1;
4436 end:
4437 SSL_free(serverssl);
4438 SSL_free(clientssl);
4439 SSL_CTX_free(sctx);
4440 SSL_CTX_free(cctx);
4441 return testresult;
4442}
4443
5bf2eade 4444/*
4445 * Test TLSv1.3 Cipher Suite
4446 * Test 0 = Set TLS1.3 cipher on context
4447 * Test 1 = Set TLS1.3 cipher on SSL
4448 * Test 2 = Set TLS1.3 and TLS1.2 cipher on context
4449 * Test 3 = Set TLS1.3 and TLS1.2 cipher on SSL
4450 */
4451static int test_tls13_ciphersuite(int idx)
4452{
4453 SSL_CTX *sctx = NULL, *cctx = NULL;
4454 SSL *serverssl = NULL, *clientssl = NULL;
4f6c7044
MC		 4455 static const struct {
4456 const char *ciphername;
4457 int fipscapable;
4458 } t13_ciphers[] = {
4459 { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
4460 { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
4461 { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
5bf2eade 4462# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
4f6c7044
MC		 4463 { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
4464 { TLS1_3_RFC_AES_256_GCM_SHA384
4465 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
5bf2eade 4466# endif
4f6c7044 4467 { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
5bf2eade 4468 };
4469 const char *t13_cipher = NULL;
4470 const char *t12_cipher = NULL;
4471 const char *negotiated_scipher;
4472 const char *negotiated_ccipher;
4473 int set_at_ctx = 0;
4474 int set_at_ssl = 0;
4475 int testresult = 0;
4476 int max_ver;
4477 size_t i;
4478
4479 switch (idx) {
4480 case 0:
4481 set_at_ctx = 1;
4482 break;
4483 case 1:
4484 set_at_ssl = 1;
4485 break;
4486 case 2:
4487 set_at_ctx = 1;
2d900758 4488 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4489 break;
4490 case 3:
4491 set_at_ssl = 1;
2d900758 4492 t12_cipher = TLS1_TXT_RSA_WITH_AES_128_SHA256;
5bf2eade 4493 break;
4494 }
4495
4496 for (max_ver = TLS1_2_VERSION; max_ver <= TLS1_3_VERSION; max_ver++) {
4497# ifdef OPENSSL_NO_TLS1_2
4498 if (max_ver == TLS1_2_VERSION)
4499 continue;
4500# endif
4501 for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
4f6c7044
MC		 4502 if (is_fips && !t13_ciphers[i].fipscapable)
4503 continue;
4504 t13_cipher = t13_ciphers[i].ciphername;
5e30f2fd 4505 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5bf2eade 4506 TLS_client_method(),
4507 TLS1_VERSION, max_ver,
4508 &sctx, &cctx, cert, privkey)))
4509 goto end;
4510
4511 if (set_at_ctx) {
4512 if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher))
4513 || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher)))
4514 goto end;
4515 if (t12_cipher != NULL) {
4516 if (!TEST_true(SSL_CTX_set_cipher_list(sctx, t12_cipher))
4517 || !TEST_true(SSL_CTX_set_cipher_list(cctx,
4518 t12_cipher)))
4519 goto end;
4520 }
4521 }
4522
4523 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
4524 &clientssl, NULL, NULL)))
4525 goto end;
4526
4527 if (set_at_ssl) {
4528 if (!TEST_true(SSL_set_ciphersuites(serverssl, t13_cipher))
4529 || !TEST_true(SSL_set_ciphersuites(clientssl, t13_cipher)))
4530 goto end;
4531 if (t12_cipher != NULL) {
4532 if (!TEST_true(SSL_set_cipher_list(serverssl, t12_cipher))
4533 || !TEST_true(SSL_set_cipher_list(clientssl,
4534 t12_cipher)))
4535 goto end;
4536 }
4537 }
4538
4539 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
4540 SSL_ERROR_NONE)))
4541 goto end;
4542
4543 negotiated_scipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4544 serverssl));
4545 negotiated_ccipher = SSL_CIPHER_get_name(SSL_get_current_cipher(
4546 clientssl));
4547 if (!TEST_str_eq(negotiated_scipher, negotiated_ccipher))
4548 goto end;
4549
4550 /*
4551 * TEST_strn_eq is used below because t13_cipher can contain
4552 * multiple ciphersuites
4553 */
4554 if (max_ver == TLS1_3_VERSION
4555 && !TEST_strn_eq(t13_cipher, negotiated_scipher,
4556 strlen(negotiated_scipher)))
4557 goto end;
4558
4559# ifndef OPENSSL_NO_TLS1_2
4560 /* Below validation is not done when t12_cipher is NULL */
4561 if (max_ver == TLS1_2_VERSION && t12_cipher != NULL
4562 && !TEST_str_eq(t12_cipher, negotiated_scipher))
4563 goto end;
4564# endif
4565
4566 SSL_free(serverssl);
4567 serverssl = NULL;
4568 SSL_free(clientssl);
4569 clientssl = NULL;
4570 SSL_CTX_free(sctx);
4571 sctx = NULL;
4572 SSL_CTX_free(cctx);
4573 cctx = NULL;
4574 }
4575 }
4576
4577 testresult = 1;
4578 end:
4579 SSL_free(serverssl);
4580 SSL_free(clientssl);
4581 SSL_CTX_free(sctx);
4582 SSL_CTX_free(cctx);
4583 return testresult;
4584}
4585
0d8da779
MC		 4586/*
4587 * Test TLSv1.3 PSKs
4588 * Test 0 = Test new style callbacks
4589 * Test 1 = Test both new and old style callbacks
4590 * Test 2 = Test old style callbacks
4591 * Test 3 = Test old style callbacks with no certificate
4592 */
532f9578 4593static int test_tls13_psk(int idx)
ca8c71ba
MC		 4594{
4595 SSL_CTX *sctx = NULL, *cctx = NULL;
4596 SSL *serverssl = NULL, *clientssl = NULL;
4597 const SSL_CIPHER *cipher = NULL;
4598 const unsigned char key[] = {
4599 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
4600 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
de2f409e
MC		 4601 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
4602 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
ca8c71ba
MC		 4603 };
4604 int testresult = 0;
4605
5e30f2fd
MC		 4606 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4607 TLS_client_method(), TLS1_VERSION, 0,
0d8da779
MC		 4608 &sctx, &cctx, idx == 3 ? NULL : cert,
4609 idx == 3 ? NULL : privkey)))
ca8c71ba
MC		 4610 goto end;
4611
0d8da779
MC		 4612 if (idx != 3) {
4613 /*
4614 * We use a ciphersuite with SHA256 to ease testing old style PSK
4615 * callbacks which will always default to SHA256. This should not be
4616 * necessary if we have no cert/priv key. In that case the server should
4617 * prefer SHA256 automatically.
4618 */
4619 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4620 "TLS_AES_128_GCM_SHA256")))
4621 goto end;
4f6c7044
MC		 4622 } else {
4623 /*
4624 * As noted above the server should prefer SHA256 automatically. However
4625 * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
4626 * code works even if we are testing with only the FIPS provider loaded.
4627 */
4628 if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
4629 "TLS_AES_256_GCM_SHA384:"
4630 "TLS_AES_128_GCM_SHA256")))
4631 goto end;
0d8da779 4632 }
532f9578
MC		 4633
4634 /*
4635 * Test 0: New style callbacks only
4636 * Test 1: New and old style callbacks (only the new ones should be used)
4637 * Test 2: Old style callbacks only
4638 */
4639 if (idx == 0 || idx == 1) {
4640 SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
4641 SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
4642 }
c2b290c3 4643#ifndef OPENSSL_NO_PSK
0d8da779 4644 if (idx >= 1) {
532f9578
MC		 4645 SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
4646 SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
4647 }
c2b290c3 4648#endif
ca8c71ba 4649 srvid = pskid;
02a3ed5a
MC		 4650 use_session_cb_cnt = 0;
4651 find_session_cb_cnt = 0;
532f9578
MC		 4652 psk_client_cb_cnt = 0;
4653 psk_server_cb_cnt = 0;
ca8c71ba 4654
0d8da779
MC		 4655 if (idx != 3) {
4656 /*
4657 * Check we can create a connection if callback decides not to send a
4658 * PSK
4659 */
4660 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4661 NULL, NULL))
4662 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4663 SSL_ERROR_NONE))
4664 || !TEST_false(SSL_session_reused(clientssl))
4665 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4666 goto end;
532f9578 4667
0d8da779
MC		 4668 if (idx == 0 || idx == 1) {
4669 if (!TEST_true(use_session_cb_cnt == 1)
4670 || !TEST_true(find_session_cb_cnt == 0)
4671 /*
4672 * If no old style callback then below should be 0
4673 * otherwise 1
4674 */
4675 || !TEST_true(psk_client_cb_cnt == idx)
4676 || !TEST_true(psk_server_cb_cnt == 0))
4677 goto end;
4678 } else {
4679 if (!TEST_true(use_session_cb_cnt == 0)
4680 || !TEST_true(find_session_cb_cnt == 0)
4681 || !TEST_true(psk_client_cb_cnt == 1)
4682 || !TEST_true(psk_server_cb_cnt == 0))
4683 goto end;
4684 }
4685
4686 shutdown_ssl_connection(serverssl, clientssl);
4687 serverssl = clientssl = NULL;
4688 use_session_cb_cnt = psk_client_cb_cnt = 0;
4689 }
ca8c71ba
MC		 4690
4691 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4692 NULL, NULL)))
4693 goto end;
4694
4695 /* Create the PSK */
532f9578 4696 cipher = SSL_CIPHER_find(clientssl, TLS13_AES_128_GCM_SHA256_BYTES);
57dee9bb
MC		 4697 clientpsk = SSL_SESSION_new();
4698 if (!TEST_ptr(clientpsk)
ca8c71ba 4699 || !TEST_ptr(cipher)
57dee9bb
MC		 4700 || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
4701 sizeof(key)))
4702 || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
4703 || !TEST_true(SSL_SESSION_set_protocol_version(clientpsk,
4704 TLS1_3_VERSION))
4705 || !TEST_true(SSL_SESSION_up_ref(clientpsk)))
ca8c71ba 4706 goto end;
57dee9bb 4707 serverpsk = clientpsk;
ca8c71ba
MC		 4708
4709 /* Check we can create a connection and the PSK is used */
4710 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4711 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4712 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4713 goto end;
4714
532f9578
MC		 4715 if (idx == 0 || idx == 1) {
4716 if (!TEST_true(use_session_cb_cnt == 1)
4717 || !TEST_true(find_session_cb_cnt == 1)
4718 || !TEST_true(psk_client_cb_cnt == 0)
4719 || !TEST_true(psk_server_cb_cnt == 0))
4720 goto end;
4721 } else {
4722 if (!TEST_true(use_session_cb_cnt == 0)
4723 || !TEST_true(find_session_cb_cnt == 0)
4724 || !TEST_true(psk_client_cb_cnt == 1)
4725 || !TEST_true(psk_server_cb_cnt == 1))
4726 goto end;
4727 }
4728
ca8c71ba
MC		 4729 shutdown_ssl_connection(serverssl, clientssl);
4730 serverssl = clientssl = NULL;
4731 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4732 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba
MC		 4733
4734 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4735 NULL, NULL)))
4736 goto end;
4737
4738 /* Force an HRR */
dbc6268f
MC		 4739#if defined(OPENSSL_NO_EC)
4740 if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
4741 goto end;
4742#else
ca8c71ba
MC		 4743 if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
4744 goto end;
dbc6268f 4745#endif
ca8c71ba
MC		 4746
4747 /*
4748 * Check we can create a connection, the PSK is used and the callbacks are
4749 * called twice.
4750 */
4751 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
4752 || !TEST_true(SSL_session_reused(clientssl))
532f9578 4753 || !TEST_true(SSL_session_reused(serverssl)))
ca8c71ba
MC		 4754 goto end;
4755
532f9578
MC		 4756 if (idx == 0 || idx == 1) {
4757 if (!TEST_true(use_session_cb_cnt == 2)
4758 || !TEST_true(find_session_cb_cnt == 2)
4759 || !TEST_true(psk_client_cb_cnt == 0)
4760 || !TEST_true(psk_server_cb_cnt == 0))
4761 goto end;
4762 } else {
4763 if (!TEST_true(use_session_cb_cnt == 0)
4764 || !TEST_true(find_session_cb_cnt == 0)
4765 || !TEST_true(psk_client_cb_cnt == 2)
4766 || !TEST_true(psk_server_cb_cnt == 2))
4767 goto end;
4768 }
4769
ca8c71ba
MC		 4770 shutdown_ssl_connection(serverssl, clientssl);
4771 serverssl = clientssl = NULL;
4772 use_session_cb_cnt = find_session_cb_cnt = 0;
532f9578 4773 psk_client_cb_cnt = psk_server_cb_cnt = 0;
ca8c71ba 4774
0d8da779
MC		 4775 if (idx != 3) {
4776 /*
4777 * Check that if the server rejects the PSK we can still connect, but with
4778 * a full handshake
4779 */
4780 srvid = "Dummy Identity";
4781 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4782 NULL, NULL))
4783 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4784 SSL_ERROR_NONE))
4785 || !TEST_false(SSL_session_reused(clientssl))
4786 || !TEST_false(SSL_session_reused(serverssl)))
532f9578 4787 goto end;
532f9578 4788
0d8da779
MC		 4789 if (idx == 0 || idx == 1) {
4790 if (!TEST_true(use_session_cb_cnt == 1)
4791 || !TEST_true(find_session_cb_cnt == 1)
4792 || !TEST_true(psk_client_cb_cnt == 0)
4793 /*
4794 * If no old style callback then below should be 0
4795 * otherwise 1
4796 */
4797 || !TEST_true(psk_server_cb_cnt == idx))
4798 goto end;
4799 } else {
4800 if (!TEST_true(use_session_cb_cnt == 0)
4801 || !TEST_true(find_session_cb_cnt == 0)
4802 || !TEST_true(psk_client_cb_cnt == 1)
4803 || !TEST_true(psk_server_cb_cnt == 1))
4804 goto end;
4805 }
4806
4807 shutdown_ssl_connection(serverssl, clientssl);
4808 serverssl = clientssl = NULL;
4809 }
ca8c71ba
MC		 4810 testresult = 1;
4811
4812 end:
57dee9bb
MC		 4813 SSL_SESSION_free(clientpsk);
4814 SSL_SESSION_free(serverpsk);
4815 clientpsk = serverpsk = NULL;
ca8c71ba
MC		 4816 SSL_free(serverssl);
4817 SSL_free(clientssl);
4818 SSL_CTX_free(sctx);
4819 SSL_CTX_free(cctx);
4820 return testresult;
4821}
4822
c7b8ff25
MC		 4823static unsigned char cookie_magic_value[] = "cookie magic";
4824
4825static int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
4826 unsigned int *cookie_len)
4827{
4828 /*
4829 * Not suitable as a real cookie generation function but good enough for
4830 * testing!
4831 */
97ea1e7f
MC		 4832 memcpy(cookie, cookie_magic_value, sizeof(cookie_magic_value) - 1);
4833 *cookie_len = sizeof(cookie_magic_value) - 1;
c7b8ff25
MC		 4834
4835 return 1;
4836}
4837
4838static int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
4839 unsigned int cookie_len)
4840{
97ea1e7f 4841 if (cookie_len == sizeof(cookie_magic_value) - 1
c7b8ff25
MC		 4842 && memcmp(cookie, cookie_magic_value, cookie_len) == 0)
4843 return 1;
4844
4845 return 0;
4846}
4847
3fa2812f
BS		 4848static int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
4849 size_t *cookie_len)
4850{
4851 unsigned int temp;
4852 int res = generate_cookie_callback(ssl, cookie, &temp);
4853 *cookie_len = temp;
4854 return res;
4855}
4856
4857static int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
4858 size_t cookie_len)
4859{
4860 return verify_cookie_callback(ssl, cookie, cookie_len);
4861}
4862
c7b8ff25
MC		 4863static int test_stateless(void)
4864{
4865 SSL_CTX *sctx = NULL, *cctx = NULL;
4866 SSL *serverssl = NULL, *clientssl = NULL;
4867 int testresult = 0;
4868
5e30f2fd
MC		 4869 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4870 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 4871 &sctx, &cctx, cert, privkey)))
c7b8ff25
MC		 4872 goto end;
4873
e440f513
MC		 4874 /* The arrival of CCS messages can confuse the test */
4875 SSL_CTX_clear_options(cctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
4876
4877 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4878 NULL, NULL))
4879 /* Send the first ClientHello */
4880 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4881 SSL_ERROR_WANT_READ))
4882 /*
4883 * This should fail with a -1 return because we have no callbacks
4884 * set up
4885 */
4886 || !TEST_int_eq(SSL_stateless(serverssl), -1))
4887 goto end;
4888
4889 /* Fatal error so abandon the connection from this client */
4890 SSL_free(clientssl);
4891 clientssl = NULL;
4892
c7b8ff25 4893 /* Set up the cookie generation and verification callbacks */
3fa2812f
BS		 4894 SSL_CTX_set_stateless_cookie_generate_cb(sctx, generate_stateless_cookie_callback);
4895 SSL_CTX_set_stateless_cookie_verify_cb(sctx, verify_stateless_cookie_callback);
c7b8ff25 4896
e440f513
MC		 4897 /*
4898 * Create a new connection from the client (we can reuse the server SSL
4899 * object).
4900 */
c7b8ff25
MC		 4901 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4902 NULL, NULL))
4903 /* Send the first ClientHello */
4904 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4905 SSL_ERROR_WANT_READ))
4906 /* This should fail because there is no cookie */
e440f513 4907 || !TEST_int_eq(SSL_stateless(serverssl), 0))
c7b8ff25
MC		 4908 goto end;
4909
4910 /* Abandon the connection from this client */
4911 SSL_free(clientssl);
4912 clientssl = NULL;
4913
4914 /*
4915 * Now create a connection from a new client but with the same server SSL
4916 * object
4917 */
4918 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
4919 NULL, NULL))
4920 /* Send the first ClientHello */
4921 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4922 SSL_ERROR_WANT_READ))
4923 /* This should fail because there is no cookie */
e440f513 4924 || !TEST_int_eq(SSL_stateless(serverssl), 0)
c7b8ff25
MC		 4925 /* Send the second ClientHello */
4926 || !TEST_false(create_ssl_connection(serverssl, clientssl,
4927 SSL_ERROR_WANT_READ))
4928 /* This should succeed because a cookie is now present */
e440f513 4929 || !TEST_int_eq(SSL_stateless(serverssl), 1)
c7b8ff25
MC		 4930 /* Complete the connection */
4931 || !TEST_true(create_ssl_connection(serverssl, clientssl,
4932 SSL_ERROR_NONE)))
4933 goto end;
4934
4935 shutdown_ssl_connection(serverssl, clientssl);
4936 serverssl = clientssl = NULL;
4937 testresult = 1;
4938
4939 end:
4940 SSL_free(serverssl);
4941 SSL_free(clientssl);
4942 SSL_CTX_free(sctx);
4943 SSL_CTX_free(cctx);
4944 return testresult;
4945
4946}
ca0413ae 4947#endif /* OPENSSL_NO_TLS1_3 */
5f982038 4948
a37008d9
MC		 4949static int clntaddoldcb = 0;
4950static int clntparseoldcb = 0;
4951static int srvaddoldcb = 0;
4952static int srvparseoldcb = 0;
4953static int clntaddnewcb = 0;
4954static int clntparsenewcb = 0;
4955static int srvaddnewcb = 0;
4956static int srvparsenewcb = 0;
bb01ef3f 4957static int snicb = 0;
a37008d9
MC		 4958
4959#define TEST_EXT_TYPE1 0xff00
4960
4961static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
4962 size_t *outlen, int *al, void *add_arg)
4963{
4964 int *server = (int *)add_arg;
4965 unsigned char *data;
4966
4967 if (SSL_is_server(s))
4968 srvaddoldcb++;
4969 else
4970 clntaddoldcb++;
4971
710756a9
RS		 4972 if (*server != SSL_is_server(s)
4973 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 4974 return -1;
4975
4976 *data = 1;
4977 *out = data;
4978 *outlen = sizeof(char);
a37008d9
MC		 4979 return 1;
4980}
4981
4982static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
4983 void *add_arg)
4984{
4985 OPENSSL_free((unsigned char *)out);
4986}
4987
4988static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
4989 size_t inlen, int *al, void *parse_arg)
4990{
4991 int *server = (int *)parse_arg;
4992
4993 if (SSL_is_server(s))
4994 srvparseoldcb++;
4995 else
4996 clntparseoldcb++;
4997
710756a9
RS		 4998 if (*server != SSL_is_server(s)
4999 || inlen != sizeof(char)
5000 || *in != 1)
a37008d9
MC		 5001 return -1;
5002
5003 return 1;
5004}
5005
5006static int new_add_cb(SSL *s, unsigned int ext_type, unsigned int context,
5007 const unsigned char **out, size_t *outlen, X509 *x,
5008 size_t chainidx, int *al, void *add_arg)
5009{
5010 int *server = (int *)add_arg;
5011 unsigned char *data;
5012
5013 if (SSL_is_server(s))
5014 srvaddnewcb++;
5015 else
5016 clntaddnewcb++;
5017
710756a9
RS		 5018 if (*server != SSL_is_server(s)
5019 || (data = OPENSSL_malloc(sizeof(*data))) == NULL)
a37008d9
MC		 5020 return -1;
5021
5022 *data = 1;
5023 *out = data;
710756a9 5024 *outlen = sizeof(*data);
a37008d9
MC		 5025 return 1;
5026}
5027
5028static void new_free_cb(SSL *s, unsigned int ext_type, unsigned int context,
5029 const unsigned char *out, void *add_arg)
5030{
5031 OPENSSL_free((unsigned char *)out);
5032}
5033
5034static int new_parse_cb(SSL *s, unsigned int ext_type, unsigned int context,
5035 const unsigned char *in, size_t inlen, X509 *x,
5036 size_t chainidx, int *al, void *parse_arg)
5037{
5038 int *server = (int *)parse_arg;
5039
5040 if (SSL_is_server(s))
5041 srvparsenewcb++;
5042 else
5043 clntparsenewcb++;
5044
710756a9
RS		 5045 if (*server != SSL_is_server(s)
5046 || inlen != sizeof(char) || *in != 1)
a37008d9
MC		 5047 return -1;
5048
5049 return 1;
5050}
bb01ef3f
MC		 5051
5052static int sni_cb(SSL *s, int *al, void *arg)
5053{
5054 SSL_CTX *ctx = (SSL_CTX *)arg;
5055
5056 if (SSL_set_SSL_CTX(s, ctx) == NULL) {
5057 *al = SSL_AD_INTERNAL_ERROR;
5058 return SSL_TLSEXT_ERR_ALERT_FATAL;
5059 }
5060 snicb++;
5061 return SSL_TLSEXT_ERR_OK;
5062}
5063
a37008d9
MC		 5064/*
5065 * Custom call back tests.
5066 * Test 0: Old style callbacks in TLSv1.2
5067 * Test 1: New style callbacks in TLSv1.2
bb01ef3f
MC		 5068 * Test 2: New style callbacks in TLSv1.2 with SNI
5069 * Test 3: New style callbacks in TLSv1.3. Extensions in CH and EE
5070 * Test 4: New style callbacks in TLSv1.3. Extensions in CH, SH, EE, Cert + NST
a37008d9 5071 */
710756a9
RS		 5072static int test_custom_exts(int tst)
5073{
bb01ef3f 5074 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
a37008d9
MC		 5075 SSL *clientssl = NULL, *serverssl = NULL;
5076 int testresult = 0;
5077 static int server = 1;
5078 static int client = 0;
5079 SSL_SESSION *sess = NULL;
5080 unsigned int context;
5081
c423ecaa
MC		 5082#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
5083 /* Skip tests for TLSv1.2 and below in this case */
5084 if (tst < 3)
5085 return 1;
5086#endif
5087
a37008d9
MC		 5088 /* Reset callback counters */
5089 clntaddoldcb = clntparseoldcb = srvaddoldcb = srvparseoldcb = 0;
5090 clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
bb01ef3f 5091 snicb = 0;
a37008d9 5092
5e30f2fd
MC		 5093 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5094 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5095 &sctx, &cctx, cert, privkey)))
710756a9 5096 goto end;
a37008d9 5097
bb01ef3f 5098 if (tst == 2
5e30f2fd 5099 && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
5c587fb6 5100 TLS1_VERSION, 0,
7d7f6834 5101 &sctx2, NULL, cert, privkey)))
bb01ef3f
MC		 5102 goto end;
5103
5104
5105 if (tst < 3) {
a37008d9
MC		 5106 SSL_CTX_set_options(cctx, SSL_OP_NO_TLSv1_3);
5107 SSL_CTX_set_options(sctx, SSL_OP_NO_TLSv1_3);
bb01ef3f
MC		 5108 if (sctx2 != NULL)
5109 SSL_CTX_set_options(sctx2, SSL_OP_NO_TLSv1_3);
a37008d9
MC		 5110 }
5111
bb01ef3f 5112 if (tst == 4) {
710756a9
RS		 5113 context = SSL_EXT_CLIENT_HELLO
5114 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5115 | SSL_EXT_TLS1_3_SERVER_HELLO
5116 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
5117 | SSL_EXT_TLS1_3_CERTIFICATE
5118 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
5119 } else {
710756a9
RS		 5120 context = SSL_EXT_CLIENT_HELLO
5121 | SSL_EXT_TLS1_2_SERVER_HELLO
a37008d9
MC		 5122 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
5123 }
5124
5125 /* Create a client side custom extension */
5126 if (tst == 0) {
710756a9
RS		 5127 if (!TEST_true(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5128 old_add_cb, old_free_cb,
5129 &client, old_parse_cb,
5130 &client)))
5131 goto end;
a37008d9 5132 } else {
710756a9
RS		 5133 if (!TEST_true(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1, context,
5134 new_add_cb, new_free_cb,
5135 &client, new_parse_cb, &client)))
5136 goto end;
a37008d9
MC		 5137 }
5138
5139 /* Should not be able to add duplicates */
710756a9
RS		 5140 if (!TEST_false(SSL_CTX_add_client_custom_ext(cctx, TEST_EXT_TYPE1,
5141 old_add_cb, old_free_cb,
5142 &client, old_parse_cb,
5143 &client))
5144 || !TEST_false(SSL_CTX_add_custom_ext(cctx, TEST_EXT_TYPE1,
5145 context, new_add_cb,
5146 new_free_cb, &client,
5147 new_parse_cb, &client)))
5148 goto end;
a37008d9
MC		 5149
5150 /* Create a server side custom extension */
5151 if (tst == 0) {
710756a9
RS		 5152 if (!TEST_true(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5153 old_add_cb, old_free_cb,
5154 &server, old_parse_cb,
5155 &server)))
5156 goto end;
a37008d9 5157 } else {
710756a9
RS		 5158 if (!TEST_true(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1, context,
5159 new_add_cb, new_free_cb,
5160 &server, new_parse_cb, &server)))
5161 goto end;
bb01ef3f
MC		 5162 if (sctx2 != NULL
5163 && !TEST_true(SSL_CTX_add_custom_ext(sctx2, TEST_EXT_TYPE1,
5164 context, new_add_cb,
5165 new_free_cb, &server,
5166 new_parse_cb, &server)))
5167 goto end;
a37008d9
MC		 5168 }
5169
5170 /* Should not be able to add duplicates */
710756a9
RS		 5171 if (!TEST_false(SSL_CTX_add_server_custom_ext(sctx, TEST_EXT_TYPE1,
5172 old_add_cb, old_free_cb,
5173 &server, old_parse_cb,
5174 &server))
5175 || !TEST_false(SSL_CTX_add_custom_ext(sctx, TEST_EXT_TYPE1,
5176 context, new_add_cb,
5177 new_free_cb, &server,
5178 new_parse_cb, &server)))
a37008d9 5179 goto end;
a37008d9 5180
bb01ef3f
MC		 5181 if (tst == 2) {
5182 /* Set up SNI */
5183 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
5184 || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
5185 goto end;
5186 }
5187
710756a9
RS		 5188 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5189 &clientssl, NULL, NULL))
5190 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5191 SSL_ERROR_NONE)))
a37008d9 5192 goto end;
a37008d9
MC		 5193
5194 if (tst == 0) {
710756a9
RS		 5195 if (clntaddoldcb != 1
5196 || clntparseoldcb != 1
5197 || srvaddoldcb != 1
5198 || srvparseoldcb != 1)
a37008d9 5199 goto end;
bb01ef3f 5200 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5201 if (clntaddnewcb != 1
5202 || clntparsenewcb != 1
5203 || srvaddnewcb != 1
bb01ef3f
MC		 5204 || srvparsenewcb != 1
5205 || (tst != 2 && snicb != 0)
5206 || (tst == 2 && snicb != 1))
a37008d9 5207 goto end;
a37008d9 5208 } else {
36ff232c 5209 /* In this case there 2 NewSessionTicket messages created */
710756a9 5210 if (clntaddnewcb != 1
36ff232c
MC		 5211 || clntparsenewcb != 5
5212 || srvaddnewcb != 5
710756a9 5213 || srvparsenewcb != 1)
a37008d9 5214 goto end;
a37008d9
MC		 5215 }
5216
5217 sess = SSL_get1_session(clientssl);
a37008d9
MC		 5218 SSL_shutdown(clientssl);
5219 SSL_shutdown(serverssl);
a37008d9
MC		 5220 SSL_free(serverssl);
5221 SSL_free(clientssl);
5222 serverssl = clientssl = NULL;
5223
bb01ef3f
MC		 5224 if (tst == 3) {
5225 /* We don't bother with the resumption aspects for this test */
5226 testresult = 1;
5227 goto end;
5228 }
5229
710756a9
RS		 5230 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5231 NULL, NULL))
5232 || !TEST_true(SSL_set_session(clientssl, sess))
5233 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5234 SSL_ERROR_NONE)))
a37008d9 5235 goto end;
a37008d9
MC		 5236
5237 /*
5238 * For a resumed session we expect to add the ClientHello extension. For the
5239 * old style callbacks we ignore it on the server side because they set
5240 * SSL_EXT_IGNORE_ON_RESUMPTION. The new style callbacks do not ignore
5241 * them.
5242 */
5243 if (tst == 0) {
710756a9
RS		 5244 if (clntaddoldcb != 2
5245 || clntparseoldcb != 1
5246 || srvaddoldcb != 1
5247 || srvparseoldcb != 1)
a37008d9 5248 goto end;
bb01ef3f 5249 } else if (tst == 1 || tst == 2 || tst == 3) {
710756a9
RS		 5250 if (clntaddnewcb != 2
5251 || clntparsenewcb != 2
5252 || srvaddnewcb != 2
5253 || srvparsenewcb != 2)
a37008d9 5254 goto end;
a37008d9 5255 } else {
36ff232c
MC		 5256 /*
5257 * No Certificate message extensions in the resumption handshake,
5258 * 2 NewSessionTickets in the initial handshake, 1 in the resumption
5259 */
710756a9 5260 if (clntaddnewcb != 2
36ff232c
MC		 5261 || clntparsenewcb != 8
5262 || srvaddnewcb != 8
710756a9 5263 || srvparsenewcb != 2)
a37008d9 5264 goto end;
a37008d9
MC		 5265 }
5266
5267 testresult = 1;
5268
5269end:
5270 SSL_SESSION_free(sess);
5271 SSL_free(serverssl);
5272 SSL_free(clientssl);
bb01ef3f 5273 SSL_CTX_free(sctx2);
a37008d9
MC		 5274 SSL_CTX_free(sctx);
5275 SSL_CTX_free(cctx);
a37008d9
MC		 5276 return testresult;
5277}
5278
16afd71c
MC		 5279/*
5280 * Test loading of serverinfo data in various formats. test_sslmessages actually
5281 * tests to make sure the extensions appear in the handshake
5282 */
5283static int test_serverinfo(int tst)
5284{
5285 unsigned int version;
5286 unsigned char *sibuf;
5287 size_t sibuflen;
5288 int ret, expected, testresult = 0;
5289 SSL_CTX *ctx;
5290
d8652be0 5291 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
16afd71c
MC		 5292 if (!TEST_ptr(ctx))
5293 goto end;
5294
5295 if ((tst & 0x01) == 0x01)
5296 version = SSL_SERVERINFOV2;
5297 else
5298 version = SSL_SERVERINFOV1;
5299
5300 if ((tst & 0x02) == 0x02) {
5301 sibuf = serverinfov2;
5302 sibuflen = sizeof(serverinfov2);
5303 expected = (version == SSL_SERVERINFOV2);
5304 } else {
5305 sibuf = serverinfov1;
5306 sibuflen = sizeof(serverinfov1);
5307 expected = (version == SSL_SERVERINFOV1);
5308 }
5309
5310 if ((tst & 0x04) == 0x04) {
5311 ret = SSL_CTX_use_serverinfo_ex(ctx, version, sibuf, sibuflen);
5312 } else {
5313 ret = SSL_CTX_use_serverinfo(ctx, sibuf, sibuflen);
5314
5315 /*
5316 * The version variable is irrelevant in this case - it's what is in the
5317 * buffer that matters
5318 */
5319 if ((tst & 0x02) == 0x02)
5320 expected = 0;
5321 else
5322 expected = 1;
5323 }
5324
5325 if (!TEST_true(ret == expected))
5326 goto end;
5327
5328 testresult = 1;
5329
5330 end:
5331 SSL_CTX_free(ctx);
5332
5333 return testresult;
5334}
5335
2197d1df
MC		 5336/*
5337 * Test that SSL_export_keying_material() produces expected results. There are
5338 * no test vectors so all we do is test that both sides of the communication
5339 * produce the same results for different protocol versions.
5340 */
0fb2815b
MC		 5341#define SMALL_LABEL_LEN 10
5342#define LONG_LABEL_LEN 249
2197d1df
MC		 5343static int test_export_key_mat(int tst)
5344{
a599574b 5345 int testresult = 0;
2197d1df
MC		 5346 SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
5347 SSL *clientssl = NULL, *serverssl = NULL;
0fb2815b 5348 const char label[LONG_LABEL_LEN + 1] = "test label";
2197d1df
MC		 5349 const unsigned char context[] = "context";
5350 const unsigned char *emptycontext = NULL;
5351 unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80];
5352 unsigned char skeymat1[80], skeymat2[80], skeymat3[80];
0fb2815b 5353 size_t labellen;
a599574b
MC		 5354 const int protocols[] = {
5355 TLS1_VERSION,
5356 TLS1_1_VERSION,
5357 TLS1_2_VERSION,
0fb2815b
MC		 5358 TLS1_3_VERSION,
5359 TLS1_3_VERSION,
a599574b
MC		 5360 TLS1_3_VERSION
5361 };
2197d1df
MC		 5362
5363#ifdef OPENSSL_NO_TLS1
5364 if (tst == 0)
5365 return 1;
5366#endif
5367#ifdef OPENSSL_NO_TLS1_1
5368 if (tst == 1)
5369 return 1;
5370#endif
4f6c7044
MC		 5371 if (is_fips && (tst == 0 || tst == 1))
5372 return 1;
2197d1df
MC		 5373#ifdef OPENSSL_NO_TLS1_2
5374 if (tst == 2)
5375 return 1;
5376#endif
5377#ifdef OPENSSL_NO_TLS1_3
0fb2815b 5378 if (tst >= 3)
2197d1df
MC		 5379 return 1;
5380#endif
5e30f2fd
MC		 5381 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5382 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5383 &sctx, &cctx, cert, privkey)))
2197d1df
MC		 5384 goto end;
5385
a599574b
MC		 5386 OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
5387 SSL_CTX_set_max_proto_version(cctx, protocols[tst]);
5388 SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
aba03ae5
KR		 5389 if ((protocols[tst] < TLS1_2_VERSION) &&
5390 (!SSL_CTX_set_cipher_list(cctx, "DEFAULT:@SECLEVEL=0")
5391 || !SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0")))
5392 goto end;
2197d1df
MC		 5393
5394 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
ea9f6890
TM		 5395 NULL)))
5396 goto end;
5397
5398 /*
5399 * Premature call of SSL_export_keying_material should just fail.
5400 */
5401 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5402 sizeof(ckeymat1), label,
5403 SMALL_LABEL_LEN + 1, context,
5404 sizeof(context) - 1, 1), 0))
5405 goto end;
5406
5407 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5408 SSL_ERROR_NONE)))
2197d1df
MC		 5409 goto end;
5410
0fb2815b
MC		 5411 if (tst == 5) {
5412 /*
5413 * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we
5414 * go over that.
5415 */
5416 if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
5417 sizeof(ckeymat1), label,
5418 LONG_LABEL_LEN + 1, context,
5419 sizeof(context) - 1, 1), 0))
5420 goto end;
5421
5422 testresult = 1;
5423 goto end;
5424 } else if (tst == 4) {
5425 labellen = LONG_LABEL_LEN;
5426 } else {
5427 labellen = SMALL_LABEL_LEN;
5428 }
5429
2197d1df
MC		 5430 if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1,
5431 sizeof(ckeymat1), label,
0fb2815b 5432 labellen, context,
2197d1df
MC		 5433 sizeof(context) - 1, 1), 1)
5434 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2,
5435 sizeof(ckeymat2), label,
0fb2815b 5436 labellen,
2197d1df
MC		 5437 emptycontext,
5438 0, 1), 1)
5439 || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3,
5440 sizeof(ckeymat3), label,
0fb2815b 5441 labellen,
2197d1df
MC		 5442 NULL, 0, 0), 1)
5443 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1,
5444 sizeof(skeymat1), label,
0fb2815b 5445 labellen,
2197d1df
MC		 5446 context,
5447 sizeof(context) -1, 1),
5448 1)
5449 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2,
5450 sizeof(skeymat2), label,
0fb2815b 5451 labellen,
2197d1df
MC		 5452 emptycontext,
5453 0, 1), 1)
5454 || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3,
5455 sizeof(skeymat3), label,
0fb2815b 5456 labellen,
2197d1df
MC		 5457 NULL, 0, 0), 1)
5458 /*
5459 * Check that both sides created the same key material with the
5460 * same context.
5461 */
5462 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5463 sizeof(skeymat1))
5464 /*
5465 * Check that both sides created the same key material with an
5466 * empty context.
5467 */
5468 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5469 sizeof(skeymat2))
5470 /*
5471 * Check that both sides created the same key material without a
5472 * context.
5473 */
5474 || !TEST_mem_eq(ckeymat3, sizeof(ckeymat3), skeymat3,
5475 sizeof(skeymat3))
5476 /* Different contexts should produce different results */
5477 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5478 sizeof(ckeymat2)))
5479 goto end;
5480
5481 /*
5482 * Check that an empty context and no context produce different results in
5483 * protocols less than TLSv1.3. In TLSv1.3 they should be the same.
5484 */
0fb2815b 5485 if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3,
2197d1df 5486 sizeof(ckeymat3)))
0fb2815b
MC		 5487 || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3,
5488 sizeof(ckeymat3))))
2197d1df
MC		 5489 goto end;
5490
5491 testresult = 1;
5492
5493 end:
5494 SSL_free(serverssl);
5495 SSL_free(clientssl);
5496 SSL_CTX_free(sctx2);
5497 SSL_CTX_free(sctx);
5498 SSL_CTX_free(cctx);
5499
5500 return testresult;
5501}
5502
b38ede80
TT		 5503#ifndef OPENSSL_NO_TLS1_3
5504/*
5505 * Test that SSL_export_keying_material_early() produces expected
5506 * results. There are no test vectors so all we do is test that both
5507 * sides of the communication produce the same results for different
5508 * protocol versions.
5509 */
5510static int test_export_key_mat_early(int idx)
5511{
5512 static const char label[] = "test label";
5513 static const unsigned char context[] = "context";
5514 int testresult = 0;
5515 SSL_CTX *cctx = NULL, *sctx = NULL;
5516 SSL *clientssl = NULL, *serverssl = NULL;
5517 SSL_SESSION *sess = NULL;
5518 const unsigned char *emptycontext = NULL;
5519 unsigned char ckeymat1[80], ckeymat2[80];
5520 unsigned char skeymat1[80], skeymat2[80];
5521 unsigned char buf[1];
5522 size_t readbytes, written;
5523
5524 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl,
5525 &sess, idx)))
5526 goto end;
5527
5528 /* Here writing 0 length early data is enough. */
5529 if (!TEST_true(SSL_write_early_data(clientssl, NULL, 0, &written))
5530 || !TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
5531 &readbytes),
5532 SSL_READ_EARLY_DATA_ERROR)
5533 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
5534 SSL_EARLY_DATA_ACCEPTED))
5535 goto end;
5536
5537 if (!TEST_int_eq(SSL_export_keying_material_early(
5538 clientssl, ckeymat1, sizeof(ckeymat1), label,
5539 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5540 || !TEST_int_eq(SSL_export_keying_material_early(
5541 clientssl, ckeymat2, sizeof(ckeymat2), label,
5542 sizeof(label) - 1, emptycontext, 0), 1)
5543 || !TEST_int_eq(SSL_export_keying_material_early(
5544 serverssl, skeymat1, sizeof(skeymat1), label,
5545 sizeof(label) - 1, context, sizeof(context) - 1), 1)
5546 || !TEST_int_eq(SSL_export_keying_material_early(
5547 serverssl, skeymat2, sizeof(skeymat2), label,
5548 sizeof(label) - 1, emptycontext, 0), 1)
5549 /*
5550 * Check that both sides created the same key material with the
5551 * same context.
5552 */
5553 || !TEST_mem_eq(ckeymat1, sizeof(ckeymat1), skeymat1,
5554 sizeof(skeymat1))
5555 /*
5556 * Check that both sides created the same key material with an
5557 * empty context.
5558 */
5559 || !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), skeymat2,
5560 sizeof(skeymat2))
5561 /* Different contexts should produce different results */
5562 || !TEST_mem_ne(ckeymat1, sizeof(ckeymat1), ckeymat2,
5563 sizeof(ckeymat2)))
5564 goto end;
5565
5566 testresult = 1;
5567
5568 end:
c20e3b28 5569 SSL_SESSION_free(sess);
b38ede80
TT		 5570 SSL_SESSION_free(clientpsk);
5571 SSL_SESSION_free(serverpsk);
34ff74eb 5572 clientpsk = serverpsk = NULL;
b38ede80
TT		 5573 SSL_free(serverssl);
5574 SSL_free(clientssl);
5575 SSL_CTX_free(sctx);
5576 SSL_CTX_free(cctx);
5577
5578 return testresult;
5579}
3409a5ff
MC		 5580
5581#define NUM_KEY_UPDATE_MESSAGES 40
5582/*
5583 * Test KeyUpdate.
5584 */
5585static int test_key_update(void)
5586{
5587 SSL_CTX *cctx = NULL, *sctx = NULL;
5588 SSL *clientssl = NULL, *serverssl = NULL;
5589 int testresult = 0, i, j;
5590 char buf[20];
5591 static char *mess = "A test message";
5592
5e30f2fd 5593 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
3409a5ff
MC		 5594 TLS_client_method(),
5595 TLS1_3_VERSION,
5596 0,
5597 &sctx, &cctx, cert, privkey))
5598 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5599 NULL, NULL))
5600 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5601 SSL_ERROR_NONE)))
5602 goto end;
5603
5604 for (j = 0; j < 2; j++) {
5605 /* Send lots of KeyUpdate messages */
5606 for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) {
5607 if (!TEST_true(SSL_key_update(clientssl,
5608 (j == 0)
5609 ? SSL_KEY_UPDATE_NOT_REQUESTED
5610 : SSL_KEY_UPDATE_REQUESTED))
5611 || !TEST_true(SSL_do_handshake(clientssl)))
5612 goto end;
5613 }
5614
5615 /* Check that sending and receiving app data is ok */
5616 if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess))
5617 || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
5618 strlen(mess)))
5619 goto end;
a77b4dba
MC		 5620
5621 if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
5622 || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
5623 strlen(mess)))
5624 goto end;
3409a5ff
MC		 5625 }
5626
5627 testresult = 1;
5628
5629 end:
5630 SSL_free(serverssl);
5631 SSL_free(clientssl);
5632 SSL_CTX_free(sctx);
5633 SSL_CTX_free(cctx);
5634
5635 return testresult;
5636}
a77b4dba
MC		 5637
5638/*
5639 * Test we can handle a KeyUpdate (update requested) message while write data
5640 * is pending.
5641 * Test 0: Client sends KeyUpdate while Server is writing
5642 * Test 1: Server sends KeyUpdate while Client is writing
5643 */
5644static int test_key_update_in_write(int tst)
5645{
5646 SSL_CTX *cctx = NULL, *sctx = NULL;
5647 SSL *clientssl = NULL, *serverssl = NULL;
5648 int testresult = 0;
5649 char buf[20];
5650 static char *mess = "A test message";
5651 BIO *bretry = BIO_new(bio_s_always_retry());
5652 BIO *tmp = NULL;
5653 SSL *peerupdate = NULL, *peerwrite = NULL;
5654
5655 if (!TEST_ptr(bretry)
5e30f2fd 5656 || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
a77b4dba
MC		 5657 TLS_client_method(),
5658 TLS1_3_VERSION,
5659 0,
5660 &sctx, &cctx, cert, privkey))
5661 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5662 NULL, NULL))
5663 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5664 SSL_ERROR_NONE)))
5665 goto end;
5666
5667 peerupdate = tst == 0 ? clientssl : serverssl;
5668 peerwrite = tst == 0 ? serverssl : clientssl;
5669
5670 if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
5671 || !TEST_true(SSL_do_handshake(peerupdate)))
5672 goto end;
5673
5674 /* Swap the writing endpoint's write BIO to force a retry */
5675 tmp = SSL_get_wbio(peerwrite);
5676 if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
5677 tmp = NULL;
5678 goto end;
5679 }
5680 SSL_set0_wbio(peerwrite, bretry);
5681 bretry = NULL;
5682
5683 /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
5684 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
5685 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
5686 goto end;
5687
5688 /* Reinstate the original writing endpoint's write BIO */
5689 SSL_set0_wbio(peerwrite, tmp);
5690 tmp = NULL;
5691
5692 /* Now read some data - we will read the key update */
5693 if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
5694 || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
5695 goto end;
5696
5697 /*
5698 * Complete the write we started previously and read it from the other
5699 * endpoint
5700 */
5701 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5702 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5703 goto end;
5704
5705 /* Write more data to ensure we send the KeyUpdate message back */
5706 if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
5707 || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
5708 goto end;
5709
5710 testresult = 1;
5711
5712 end:
5713 SSL_free(serverssl);
5714 SSL_free(clientssl);
5715 SSL_CTX_free(sctx);
5716 SSL_CTX_free(cctx);
5717 BIO_free(bretry);
5718 BIO_free(tmp);
5719
5720 return testresult;
5721}
b38ede80
TT		 5722#endif /* OPENSSL_NO_TLS1_3 */
5723
e11b6aa4
MC		 5724static int test_ssl_clear(int idx)
5725{
5726 SSL_CTX *cctx = NULL, *sctx = NULL;
5727 SSL *clientssl = NULL, *serverssl = NULL;
5728 int testresult = 0;
5729
5730#ifdef OPENSSL_NO_TLS1_2
5731 if (idx == 1)
5732 return 1;
5733#endif
5734
5735 /* Create an initial connection */
5e30f2fd
MC		 5736 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5737 TLS_client_method(), TLS1_VERSION, 0,
7d7f6834 5738 &sctx, &cctx, cert, privkey))
e11b6aa4
MC		 5739 || (idx == 1
5740 && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
5741 TLS1_2_VERSION)))
5742 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
5743 &clientssl, NULL, NULL))
5744 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5745 SSL_ERROR_NONE)))
5746 goto end;
5747
5748 SSL_shutdown(clientssl);
5749 SSL_shutdown(serverssl);
5750 SSL_free(serverssl);
5751 serverssl = NULL;
5752
5753 /* Clear clientssl - we're going to reuse the object */
5754 if (!TEST_true(SSL_clear(clientssl)))
5755 goto end;
5756
5757 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5758 NULL, NULL))
5759 || !TEST_true(create_ssl_connection(serverssl, clientssl,
5760 SSL_ERROR_NONE))
5761 || !TEST_true(SSL_session_reused(clientssl)))
5762 goto end;
5763
5764 SSL_shutdown(clientssl);
5765 SSL_shutdown(serverssl);
5766
5767 testresult = 1;
5768
5769 end:
5770 SSL_free(serverssl);
5771 SSL_free(clientssl);
5772 SSL_CTX_free(sctx);
5773 SSL_CTX_free(cctx);
5774
5775 return testresult;
5776}
5777
cf72c757
F		 5778/* Parse CH and retrieve any MFL extension value if present */
5779static int get_MFL_from_client_hello(BIO *bio, int *mfl_codemfl_code)
5780{
5781 long len;
5782 unsigned char *data;
72962d02 5783 PACKET pkt, pkt2, pkt3;
cf72c757
F		 5784 unsigned int MFL_code = 0, type = 0;
5785
5786 if (!TEST_uint_gt( len = BIO_get_mem_data( bio, (char **) &data ), 0 ) )
5787 goto end;
5788
72962d02
P		 5789 memset(&pkt, 0, sizeof(pkt));
5790 memset(&pkt2, 0, sizeof(pkt2));
5791 memset(&pkt3, 0, sizeof(pkt3));
5792
cf72c757
F		 5793 if (!TEST_true( PACKET_buf_init( &pkt, data, len ) )
5794 /* Skip the record header */
5795 || !PACKET_forward(&pkt, SSL3_RT_HEADER_LENGTH)
5796 /* Skip the handshake message header */
5797 || !TEST_true(PACKET_forward(&pkt, SSL3_HM_HEADER_LENGTH))
5798 /* Skip client version and random */
5799 || !TEST_true(PACKET_forward(&pkt, CLIENT_VERSION_LEN
5800 + SSL3_RANDOM_SIZE))
5801 /* Skip session id */
5802 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5803 /* Skip ciphers */
5804 || !TEST_true(PACKET_get_length_prefixed_2(&pkt, &pkt2))
5805 /* Skip compression */
5806 || !TEST_true(PACKET_get_length_prefixed_1(&pkt, &pkt2))
5807 /* Extensions len */
5808 || !TEST_true(PACKET_as_length_prefixed_2(&pkt, &pkt2)))
5809 goto end;
5810
5811 /* Loop through all extensions */
5812 while (PACKET_remaining(&pkt2)) {
5813 if (!TEST_true(PACKET_get_net_2(&pkt2, &type))
5814 || !TEST_true(PACKET_get_length_prefixed_2(&pkt2, &pkt3)))
5815 goto end;
5816
5817 if (type == TLSEXT_TYPE_max_fragment_length) {
5818 if (!TEST_uint_ne(PACKET_remaining(&pkt3), 0)
5819 || !TEST_true(PACKET_get_1(&pkt3, &MFL_code)))
5820 goto end;
5821
5822 *mfl_codemfl_code = MFL_code;
5823 return 1;
5824 }
5825 }
5826
5827 end:
5828 return 0;
5829}
5830
5831/* Maximum-Fragment-Length TLS extension mode to test */
5832static const unsigned char max_fragment_len_test[] = {
5833 TLSEXT_max_fragment_length_512,
5834 TLSEXT_max_fragment_length_1024,
5835 TLSEXT_max_fragment_length_2048,
5836 TLSEXT_max_fragment_length_4096
5837};
5838
5839static int test_max_fragment_len_ext(int idx_tst)
5840{
5841 SSL_CTX *ctx;
5842 SSL *con = NULL;
5843 int testresult = 0, MFL_mode = 0;
5844 BIO *rbio, *wbio;
5845
d8652be0 5846 ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
cf72c757
F		 5847 if (!TEST_ptr(ctx))
5848 goto end;
5849
5850 if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
5851 ctx, max_fragment_len_test[idx_tst])))
5852 goto end;
5853
5854 con = SSL_new(ctx);
5855 if (!TEST_ptr(con))
5856 goto end;
5857
5858 rbio = BIO_new(BIO_s_mem());
5859 wbio = BIO_new(BIO_s_mem());
5860 if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) {
5861 BIO_free(rbio);
5862 BIO_free(wbio);
5863 goto end;
5864 }
5865
5866 SSL_set_bio(con, rbio, wbio);
5867 SSL_set_connect_state(con);
5868
5869 if (!TEST_int_le(SSL_connect(con), 0)) {
5870 /* This shouldn't succeed because we don't have a server! */
5871 goto end;
5872 }
5873
5874 if (!TEST_true(get_MFL_from_client_hello(wbio, &MFL_mode)))
5875 /* no MFL in client hello */
5876 goto end;
5877 if (!TEST_true(max_fragment_len_test[idx_tst] == MFL_mode))
5878 goto end;
5879
5880 testresult = 1;
5881
5882end:
5883 SSL_free(con);
5884 SSL_CTX_free(ctx);
5885
5886 return testresult;
5887}
5888
9d75dce3
TS		 5889#ifndef OPENSSL_NO_TLS1_3
5890static int test_pha_key_update(void)
5891{
5892 SSL_CTX *cctx = NULL, *sctx = NULL;
5893 SSL *clientssl = NULL, *serverssl = NULL;
5894 int testresult = 0;
5895
5e30f2fd
MC		 5896 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5897 TLS_client_method(), TLS1_VERSION, 0,
9d75dce3
TS		 5898 &sctx, &cctx, cert, privkey)))
5899 return 0;
5900
5901 if (!TEST_true(SSL_CTX_set_min_proto_version(sctx, TLS1_3_VERSION))
5902 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_3_VERSION))
5903 || !TEST_true(SSL_CTX_set_min_proto_version(cctx, TLS1_3_VERSION))
5904 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
5905 goto end;
5906
e97be718 5907 SSL_CTX_set_post_handshake_auth(cctx, 1);
9d75dce3
TS		 5908
5909 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
5910 NULL, NULL)))
5911 goto end;
5912
9d75dce3
TS		 5913 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5914 SSL_ERROR_NONE)))
5915 goto end;
5916
5917 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
5918 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
5919 goto end;
5920
5921 if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED)))
5922 goto end;
5923
5924 /* Start handshake on the server */
5925 if (!TEST_int_eq(SSL_do_handshake(serverssl), 1))
5926 goto end;
5927
5928 /* Starts with SSL_connect(), but it's really just SSL_do_handshake() */
5929 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
5930 SSL_ERROR_NONE)))
5931 goto end;
5932
5933 SSL_shutdown(clientssl);
5934 SSL_shutdown(serverssl);
5935
5936 testresult = 1;
5937
5938 end:
5939 SSL_free(serverssl);
5940 SSL_free(clientssl);
5941 SSL_CTX_free(sctx);
5942 SSL_CTX_free(cctx);
5943 return testresult;
5944}
5945#endif
5946
76fd7a1d
MC		 5947#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
5948
5949static SRP_VBASE *vbase = NULL;
5950
5951static int ssl_srp_cb(SSL *s, int *ad, void *arg)
5952{
5953 int ret = SSL3_AL_FATAL;
5954 char *username;
5955 SRP_user_pwd *user = NULL;
5956
5957 username = SSL_get_srp_username(s);
5958 if (username == NULL) {
5959 *ad = SSL_AD_INTERNAL_ERROR;
5960 goto err;
5961 }
5962
5963 user = SRP_VBASE_get1_by_user(vbase, username);
5964 if (user == NULL) {
5965 *ad = SSL_AD_INTERNAL_ERROR;
5966 goto err;
5967 }
5968
5969 if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
5970 user->info) <= 0) {
5971 *ad = SSL_AD_INTERNAL_ERROR;
5972 goto err;
5973 }
5974
5975 ret = 0;
5976
5977 err:
5978 SRP_user_pwd_free(user);
5979 return ret;
5980}
5981
5982static int create_new_vfile(char *userid, char *password, const char *filename)
5983{
5984 char *gNid = NULL;
5985 OPENSSL_STRING *row = OPENSSL_zalloc(sizeof(row) * (DB_NUMBER + 1));
5986 TXT_DB *db = NULL;
5987 int ret = 0;
5988 BIO *out = NULL, *dummy = BIO_new_mem_buf("", 0);
5989 size_t i;
5990
5991 if (!TEST_ptr(dummy) || !TEST_ptr(row))
5992 goto end;
5993
20c00d0a 5994 gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
5e30f2fd 5995 &row[DB_srpverifier], NULL, NULL, libctx, NULL);
76fd7a1d
MC		 5996 if (!TEST_ptr(gNid))
5997 goto end;
5998
5999 /*
6000 * The only way to create an empty TXT_DB is to provide a BIO with no data
6001 * in it!
6002 */
6003 db = TXT_DB_read(dummy, DB_NUMBER);
6004 if (!TEST_ptr(db))
6005 goto end;
6006
6007 out = BIO_new_file(filename, "w");
6008 if (!TEST_ptr(out))
6009 goto end;
6010
6011 row[DB_srpid] = OPENSSL_strdup(userid);
6012 row[DB_srptype] = OPENSSL_strdup("V");
6013 row[DB_srpgN] = OPENSSL_strdup(gNid);
6014
6015 if (!TEST_ptr(row[DB_srpid])
6016 || !TEST_ptr(row[DB_srptype])
6017 || !TEST_ptr(row[DB_srpgN])
6018 || !TEST_true(TXT_DB_insert(db, row)))
6019 goto end;
6020
6021 row = NULL;
6022
6023 if (!TXT_DB_write(out, db))
6024 goto end;
6025
6026 ret = 1;
6027 end:
6028 if (row != NULL) {
6029 for (i = 0; i < DB_NUMBER; i++)
6030 OPENSSL_free(row[i]);
6031 }
6032 OPENSSL_free(row);
6033 BIO_free(dummy);
6034 BIO_free(out);
6035 TXT_DB_free(db);
6036
6037 return ret;
6038}
6039
6040static int create_new_vbase(char *userid, char *password)
6041{
6042 BIGNUM *verifier = NULL, *salt = NULL;
6043 const SRP_gN *lgN = NULL;
6044 SRP_user_pwd *user_pwd = NULL;
6045 int ret = 0;
6046
6047 lgN = SRP_get_default_gN(NULL);
6048 if (!TEST_ptr(lgN))
6049 goto end;
6050
20c00d0a 6051 if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
5e30f2fd 6052 lgN->N, lgN->g, libctx, NULL)))
76fd7a1d
MC		 6053 goto end;
6054
6055 user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
6056 if (!TEST_ptr(user_pwd))
6057 goto end;
6058
6059 user_pwd->N = lgN->N;
6060 user_pwd->g = lgN->g;
6061 user_pwd->id = OPENSSL_strdup(userid);
6062 if (!TEST_ptr(user_pwd->id))
6063 goto end;
6064
6065 user_pwd->v = verifier;
6066 user_pwd->s = salt;
6067 verifier = salt = NULL;
6068
6069 if (sk_SRP_user_pwd_insert(vbase->users_pwd, user_pwd, 0) == 0)
6070 goto end;
6071 user_pwd = NULL;
6072
6073 ret = 1;
6074end:
6075 SRP_user_pwd_free(user_pwd);
6076 BN_free(salt);
6077 BN_free(verifier);
6078
6079 return ret;
6080}
6081
6082/*
6083 * SRP tests
6084 *
6085 * Test 0: Simple successful SRP connection, new vbase
6086 * Test 1: Connection failure due to bad password, new vbase
6087 * Test 2: Simple successful SRP connection, vbase loaded from existing file
6088 * Test 3: Connection failure due to bad password, vbase loaded from existing
6089 * file
6090 * Test 4: Simple successful SRP connection, vbase loaded from new file
6091 * Test 5: Connection failure due to bad password, vbase loaded from new file
6092 */
6093static int test_srp(int tst)
6094{
6095 char *userid = "test", *password = "password", *tstsrpfile;
6096 SSL_CTX *cctx = NULL, *sctx = NULL;
6097 SSL *clientssl = NULL, *serverssl = NULL;
6098 int ret, testresult = 0;
6099
6100 vbase = SRP_VBASE_new(NULL);
6101 if (!TEST_ptr(vbase))
6102 goto end;
6103
6104 if (tst == 0 || tst == 1) {
6105 if (!TEST_true(create_new_vbase(userid, password)))
6106 goto end;
6107 } else {
6108 if (tst == 4 || tst == 5) {
6109 if (!TEST_true(create_new_vfile(userid, password, tmpfilename)))
6110 goto end;
6111 tstsrpfile = tmpfilename;
6112 } else {
6113 tstsrpfile = srpvfile;
6114 }
6115 if (!TEST_int_eq(SRP_VBASE_init(vbase, tstsrpfile), SRP_NO_ERROR))
6116 goto end;
6117 }
6118
5e30f2fd
MC		 6119 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6120 TLS_client_method(), TLS1_VERSION, 0,
76fd7a1d
MC		 6121 &sctx, &cctx, cert, privkey)))
6122 goto end;
6123
6124 if (!TEST_int_gt(SSL_CTX_set_srp_username_callback(sctx, ssl_srp_cb), 0)
6125 || !TEST_true(SSL_CTX_set_cipher_list(cctx, "SRP-AES-128-CBC-SHA"))
6126 || !TEST_true(SSL_CTX_set_max_proto_version(sctx, TLS1_2_VERSION))
6127 || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))
6128 || !TEST_int_gt(SSL_CTX_set_srp_username(cctx, userid), 0))
6129 goto end;
6130
6131 if (tst % 2 == 1) {
6132 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, "badpass"), 0))
6133 goto end;
6134 } else {
6135 if (!TEST_int_gt(SSL_CTX_set_srp_password(cctx, password), 0))
6136 goto end;
6137 }
6138
6139 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6140 NULL, NULL)))
6141 goto end;
6142
6143 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
6144 if (ret) {
6145 if (!TEST_true(tst % 2 == 0))
6146 goto end;
6147 } else {
6148 if (!TEST_true(tst % 2 == 1))
6149 goto end;
6150 }
6151
6152 testresult = 1;
6153
6154 end:
6155 SRP_VBASE_free(vbase);
6156 vbase = NULL;
6157 SSL_free(serverssl);
6158 SSL_free(clientssl);
6159 SSL_CTX_free(sctx);
6160 SSL_CTX_free(cctx);
6161
6162 return testresult;
6163}
6164#endif
6165
5718fe45
MC		 6166static int info_cb_failed = 0;
6167static int info_cb_offset = 0;
6168static int info_cb_this_state = -1;
6169
6170static struct info_cb_states_st {
6171 int where;
6172 const char *statestr;
6173} info_cb_states[][60] = {
6174 {
6175 /* TLSv1.2 server followed by resumption */
6176 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6177 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6178 {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TWSKE"}, {SSL_CB_LOOP, "TWSD"},
6179 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWSD"}, {SSL_CB_LOOP, "TRCKE"},
6180 {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWST"},
6181 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6182 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6183 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6184 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"},
6185 {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6186 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TRCCS"},
6187 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6188 {SSL_CB_EXIT, NULL}, {0, NULL},
6189 }, {
6190 /* TLSv1.2 client followed by resumption */
6191 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6192 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6193 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSKE"},
6194 {SSL_CB_LOOP, "TRSD"}, {SSL_CB_LOOP, "TWCKE"}, {SSL_CB_LOOP, "TWCCS"},
6195 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWFIN"},
6196 {SSL_CB_LOOP, "TRST"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6197 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6198 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6199 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6200 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TRCCS"}, {SSL_CB_LOOP, "TRFIN"},
6201 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6202 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL},
6203 }, {
6204 /* TLSv1.3 server followed by resumption */
6205 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6206 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6207 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"},
6208 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"},
6209 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b
MC		 6210 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
6211 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL},
6212 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6213 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6214 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6215 {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"},
6216 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
6217 {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6218 }, {
6219 /* TLSv1.3 client followed by resumption */
6220 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6221 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"},
6222 {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"},
6223 {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"},
6224 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6225 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6226 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "},
6227 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL},
5718fe45
MC		 6228 {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL},
6229 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL},
6230 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6231 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"},
6232 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
4af5836b
MC		 6233 {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"},
6234 {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6235 }, {
6236 /* TLSv1.3 server, early_data */
6237 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6238 {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"},
6239 {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"},
6240 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6241 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6242 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"},
4af5836b 6243 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"},
5718fe45
MC		 6244 {SSL_CB_EXIT, NULL}, {0, NULL},
6245 }, {
6246 /* TLSv1.3 client, early_data */
6247 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "},
6248 {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TWCCS"},
6249 {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL},
6250 {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"},
6251 {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"},
6252 {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"},
6253 {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL},
4af5836b
MC		 6254 {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "},
6255 {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL},
5718fe45
MC		 6256 }, {
6257 {0, NULL},
6258 }
6259};
6260
6261static void sslapi_info_callback(const SSL *s, int where, int ret)
6262{
6263 struct info_cb_states_st *state = info_cb_states[info_cb_offset];
6264
6265 /* We do not ever expect a connection to fail in this test */
6266 if (!TEST_false(ret == 0)) {
6267 info_cb_failed = 1;
6268 return;
6269 }
6270
6271 /*
6272 * Do some sanity checks. We never expect these things to happen in this
6273 * test
6274 */
6275 if (!TEST_false((SSL_is_server(s) && (where & SSL_ST_CONNECT) != 0))
6276 || !TEST_false(!SSL_is_server(s) && (where & SSL_ST_ACCEPT) != 0)
6277 || !TEST_int_ne(state[++info_cb_this_state].where, 0)) {
6278 info_cb_failed = 1;
6279 return;
6280 }
6281
6282 /* Now check we're in the right state */
6283 if (!TEST_true((where & state[info_cb_this_state].where) != 0)) {
6284 info_cb_failed = 1;
6285 return;
6286 }
6287 if ((where & SSL_CB_LOOP) != 0
6288 && !TEST_int_eq(strcmp(SSL_state_string(s),
6289 state[info_cb_this_state].statestr), 0)) {
6290 info_cb_failed = 1;
6291 return;
6292 }
033c181b 6293
4af5836b
MC		 6294 /*
6295 * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init
6296 */
6297 if ((where & SSL_CB_HANDSHAKE_DONE)
6298 && SSL_in_init((SSL *)s) != 0) {
033c181b
MC		 6299 info_cb_failed = 1;
6300 return;
6301 }
5718fe45
MC		 6302}
6303
6304/*
6305 * Test the info callback gets called when we expect it to.
6306 *
6307 * Test 0: TLSv1.2, server
6308 * Test 1: TLSv1.2, client
6309 * Test 2: TLSv1.3, server
6310 * Test 3: TLSv1.3, client
6311 * Test 4: TLSv1.3, server, early_data
6312 * Test 5: TLSv1.3, client, early_data
6313 */
6314static int test_info_callback(int tst)
6315{
6316 SSL_CTX *cctx = NULL, *sctx = NULL;
6317 SSL *clientssl = NULL, *serverssl = NULL;
6318 SSL_SESSION *clntsess = NULL;
6319 int testresult = 0;
6320 int tlsvers;
6321
6322 if (tst < 2) {
1aac20f5
MC		 6323/* We need either ECDHE or DHE for the TLSv1.2 test to work */
6324#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \
6325 || !defined(OPENSSL_NO_DH))
5718fe45
MC		 6326 tlsvers = TLS1_2_VERSION;
6327#else
6328 return 1;
6329#endif
6330 } else {
6331#ifndef OPENSSL_NO_TLS1_3
6332 tlsvers = TLS1_3_VERSION;
6333#else
6334 return 1;
6335#endif
6336 }
6337
6338 /* Reset globals */
6339 info_cb_failed = 0;
6340 info_cb_this_state = -1;
6341 info_cb_offset = tst;
6342
6e07834c 6343#ifndef OPENSSL_NO_TLS1_3
5718fe45
MC		 6344 if (tst >= 4) {
6345 SSL_SESSION *sess = NULL;
6346 size_t written, readbytes;
6347 unsigned char buf[80];
6348
6349 /* early_data tests */
6350 if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
6351 &serverssl, &sess, 0)))
6352 goto end;
6353
6354 /* We don't actually need this reference */
6355 SSL_SESSION_free(sess);
6356
6357 SSL_set_info_callback((tst % 2) == 0 ? serverssl : clientssl,
6358 sslapi_info_callback);
6359
6360 /* Write and read some early data and then complete the connection */
6361 if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
6362 &written))
6363 || !TEST_size_t_eq(written, strlen(MSG1))
6364 || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
6365 sizeof(buf), &readbytes),
6366 SSL_READ_EARLY_DATA_SUCCESS)
6367 || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
6368 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
6369 SSL_EARLY_DATA_ACCEPTED)
6370 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6371 SSL_ERROR_NONE))
6372 || !TEST_false(info_cb_failed))
6373 goto end;
6374
6375 testresult = 1;
6376 goto end;
6377 }
6e07834c 6378#endif
5718fe45 6379
5e30f2fd 6380 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
5718fe45
MC		 6381 TLS_client_method(),
6382 tlsvers, tlsvers, &sctx, &cctx, cert,
6383 privkey)))
6384 goto end;
6385
33c39a06
MC		 6386 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
6387 goto end;
6388
5718fe45
MC		 6389 /*
6390 * For even numbered tests we check the server callbacks. For odd numbers we
6391 * check the client.
6392 */
6393 SSL_CTX_set_info_callback((tst % 2) == 0 ? sctx : cctx,
6394 sslapi_info_callback);
6395
6396 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
6397 &clientssl, NULL, NULL))
6398 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6399 SSL_ERROR_NONE))
6400 || !TEST_false(info_cb_failed))
6401 goto end;
6402
6403
6404
6405 clntsess = SSL_get1_session(clientssl);
6406 SSL_shutdown(clientssl);
6407 SSL_shutdown(serverssl);
6408 SSL_free(serverssl);
6409 SSL_free(clientssl);
6410 serverssl = clientssl = NULL;
6411
6412 /* Now do a resumption */
6413 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6414 NULL))
6415 || !TEST_true(SSL_set_session(clientssl, clntsess))
6416 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6417 SSL_ERROR_NONE))
6418 || !TEST_true(SSL_session_reused(clientssl))
6419 || !TEST_false(info_cb_failed))
6420 goto end;
6421
6422 testresult = 1;
6423
6424 end:
6425 SSL_free(serverssl);
6426 SSL_free(clientssl);
6427 SSL_SESSION_free(clntsess);
6428 SSL_CTX_free(sctx);
6429 SSL_CTX_free(cctx);
6430 return testresult;
6431}
6432
4a432af8
MC		 6433static int test_ssl_pending(int tst)
6434{
6435 SSL_CTX *cctx = NULL, *sctx = NULL;
6436 SSL *clientssl = NULL, *serverssl = NULL;
6437 int testresult = 0;
6438 char msg[] = "A test message";
6439 char buf[5];
6440 size_t written, readbytes;
6441
6442 if (tst == 0) {
5e30f2fd 6443 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
4a432af8 6444 TLS_client_method(),
5c587fb6 6445 TLS1_VERSION, 0,
4a432af8
MC		 6446 &sctx, &cctx, cert, privkey)))
6447 goto end;
6448 } else {
6449#ifndef OPENSSL_NO_DTLS
5e30f2fd 6450 if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
4a432af8 6451 DTLS_client_method(),
5c587fb6 6452 DTLS1_VERSION, 0,
4a432af8
MC		 6453 &sctx, &cctx, cert, privkey)))
6454 goto end;
6455#else
6456 return 1;
6457#endif
6458 }
6459
6460 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6461 NULL, NULL))
6462 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6463 SSL_ERROR_NONE)))
6464 goto end;
6465
e8251092
MC		 6466 if (!TEST_int_eq(SSL_pending(clientssl), 0)
6467 || !TEST_false(SSL_has_pending(clientssl))
6468 || !TEST_int_eq(SSL_pending(serverssl), 0)
6469 || !TEST_false(SSL_has_pending(serverssl))
6470 || !TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
4a432af8
MC		 6471 || !TEST_size_t_eq(written, sizeof(msg))
6472 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
6473 || !TEST_size_t_eq(readbytes, sizeof(buf))
e8251092
MC		 6474 || !TEST_int_eq(SSL_pending(clientssl), (int)(written - readbytes))
6475 || !TEST_true(SSL_has_pending(clientssl)))
4a432af8
MC		 6476 goto end;
6477
6478 testresult = 1;
6479
6480 end:
6481 SSL_free(serverssl);
6482 SSL_free(clientssl);
6483 SSL_CTX_free(sctx);
6484 SSL_CTX_free(cctx);
6485
6486 return testresult;
6487}
6488
e401389a
MC		 6489static struct {
6490 unsigned int maxprot;
6491 const char *clntciphers;
6492 const char *clnttls13ciphers;
6493 const char *srvrciphers;
6494 const char *srvrtls13ciphers;
6495 const char *shared;
a96e6c34 6496 const char *fipsshared;
e401389a 6497} shared_ciphers_data[] = {
60155b9a
MC		 6498/*
6499 * We can't establish a connection (even in TLSv1.1) with these ciphersuites if
6500 * TLSv1.3 is enabled but TLSv1.2 is disabled.
6501 */
6502#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
e401389a
MC		 6503 {
6504 TLS1_2_VERSION,
6505 "AES128-SHA:AES256-SHA",
6506 NULL,
6507 "AES256-SHA:DHE-RSA-AES128-SHA",
6508 NULL,
a96e6c34 6509 "AES256-SHA",
e401389a
MC		 6510 "AES256-SHA"
6511 },
a96e6c34
MC		 6512# if !defined(OPENSSL_NO_CHACHA) \
6513 && !defined(OPENSSL_NO_POLY1305) \
6514 && !defined(OPENSSL_NO_EC)
6515 {
6516 TLS1_2_VERSION,
6517 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6518 NULL,
6519 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6520 NULL,
6521 "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
6522 "AES128-SHA"
6523 },
6524# endif
e401389a
MC		 6525 {
6526 TLS1_2_VERSION,
6527 "AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
6528 NULL,
6529 "AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
6530 NULL,
a96e6c34 6531 "AES128-SHA:AES256-SHA",
e401389a
MC		 6532 "AES128-SHA:AES256-SHA"
6533 },
6534 {
6535 TLS1_2_VERSION,
6536 "AES128-SHA:AES256-SHA",
6537 NULL,
6538 "AES128-SHA:DHE-RSA-AES128-SHA",
6539 NULL,
a96e6c34 6540 "AES128-SHA",
e401389a
MC		 6541 "AES128-SHA"
6542 },
60155b9a
MC		 6543#endif
6544/*
6545 * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
6546 * enabled.
6547 */
6548#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
6549 && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
e401389a
MC		 6550 {
6551 TLS1_3_VERSION,
6552 "AES128-SHA:AES256-SHA",
6553 NULL,
6554 "AES256-SHA:AES128-SHA256",
6555 NULL,
6556 "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
a96e6c34
MC		 6557 "TLS_AES_128_GCM_SHA256:AES256-SHA",
6558 "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
e401389a 6559 },
60155b9a
MC		 6560#endif
6561#ifndef OPENSSL_NO_TLS1_3
e401389a
MC		 6562 {
6563 TLS1_3_VERSION,
6564 "AES128-SHA",
6565 "TLS_AES_256_GCM_SHA384",
6566 "AES256-SHA",
6567 "TLS_AES_256_GCM_SHA384",
a96e6c34 6568 "TLS_AES_256_GCM_SHA384",
e401389a
MC		 6569 "TLS_AES_256_GCM_SHA384"
6570 },
6571#endif
6572};
6573
a96e6c34 6574static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
e401389a
MC		 6575{
6576 SSL_CTX *cctx = NULL, *sctx = NULL;
6577 SSL *clientssl = NULL, *serverssl = NULL;
6578 int testresult = 0;
6579 char buf[1024];
b4250010 6580 OSSL_LIB_CTX *tmplibctx = OSSL_LIB_CTX_new();
a96e6c34
MC		 6581
6582 if (!TEST_ptr(tmplibctx))
6583 goto end;
6584
6585 /*
6586 * Regardless of whether we're testing with the FIPS provider loaded into
6587 * libctx, we want one peer to always use the full set of ciphersuites
6588 * available. Therefore we use a separate libctx with the default provider
6589 * loaded into it. We run the same tests twice - once with the client side
6590 * having the full set of ciphersuites and once with the server side.
6591 */
6592 if (clnt) {
d8652be0 6593 cctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_client_method());
a96e6c34
MC		 6594 if (!TEST_ptr(cctx))
6595 goto end;
6596 } else {
d8652be0 6597 sctx = SSL_CTX_new_ex(tmplibctx, NULL, TLS_server_method());
a96e6c34
MC		 6598 if (!TEST_ptr(sctx))
6599 goto end;
6600 }
e401389a 6601
5e30f2fd 6602 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
e401389a
MC		 6603 TLS_client_method(),
6604 TLS1_VERSION,
6605 shared_ciphers_data[tst].maxprot,
6606 &sctx, &cctx, cert, privkey)))
6607 goto end;
6608
6609 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
6610 shared_ciphers_data[tst].clntciphers))
6611 || (shared_ciphers_data[tst].clnttls13ciphers != NULL
6612 && !TEST_true(SSL_CTX_set_ciphersuites(cctx,
6613 shared_ciphers_data[tst].clnttls13ciphers)))
6614 || !TEST_true(SSL_CTX_set_cipher_list(sctx,
6615 shared_ciphers_data[tst].srvrciphers))
6616 || (shared_ciphers_data[tst].srvrtls13ciphers != NULL
6617 && !TEST_true(SSL_CTX_set_ciphersuites(sctx,
6618 shared_ciphers_data[tst].srvrtls13ciphers))))
6619 goto end;
6620
6621
6622 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6623 NULL, NULL))
6624 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6625 SSL_ERROR_NONE)))
6626 goto end;
6627
6628 if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
a96e6c34
MC		 6629 || !TEST_int_eq(strcmp(buf,
6630 is_fips
6631 ? shared_ciphers_data[tst].fipsshared
6632 : shared_ciphers_data[tst].shared),
6633 0)) {
e401389a
MC		 6634 TEST_info("Shared ciphers are: %s\n", buf);
6635 goto end;
6636 }
6637
6638 testresult = 1;
6639
6640 end:
6641 SSL_free(serverssl);
6642 SSL_free(clientssl);
6643 SSL_CTX_free(sctx);
6644 SSL_CTX_free(cctx);
b4250010 6645 OSSL_LIB_CTX_free(tmplibctx);
e401389a
MC		 6646
6647 return testresult;
6648}
6649
a96e6c34
MC		 6650static int test_ssl_get_shared_ciphers(int tst)
6651{
6652 return int_test_ssl_get_shared_ciphers(tst, 0)
6653 && int_test_ssl_get_shared_ciphers(tst, 1);
6654}
6655
6656
d0191fe0 6657static const char *appdata = "Hello World";
61fb5923
MC		 6658static int gen_tick_called, dec_tick_called, tick_key_cb_called;
6659static int tick_key_renew = 0;
6660static SSL_TICKET_RETURN tick_dec_ret = SSL_TICKET_RETURN_ABORT;
d0191fe0
MC		 6661
6662static int gen_tick_cb(SSL *s, void *arg)
6663{
6664 gen_tick_called = 1;
6665
6666 return SSL_SESSION_set1_ticket_appdata(SSL_get_session(s), appdata,
6667 strlen(appdata));
6668}
6669
6670static SSL_TICKET_RETURN dec_tick_cb(SSL *s, SSL_SESSION *ss,
6671 const unsigned char *keyname,
6672 size_t keyname_length,
61fb5923
MC		 6673 SSL_TICKET_STATUS status,
6674 void *arg)
d0191fe0
MC		 6675{
6676 void *tickdata;
6677 size_t tickdlen;
6678
6679 dec_tick_called = 1;
6680
61fb5923
MC		 6681 if (status == SSL_TICKET_EMPTY)
6682 return SSL_TICKET_RETURN_IGNORE_RENEW;
d0191fe0 6683
61fb5923
MC		 6684 if (!TEST_true(status == SSL_TICKET_SUCCESS
6685 || status == SSL_TICKET_SUCCESS_RENEW))
6686 return SSL_TICKET_RETURN_ABORT;
6687
6688 if (!TEST_true(SSL_SESSION_get0_ticket_appdata(ss, &tickdata,
6689 &tickdlen))
d0191fe0
MC		 6690 || !TEST_size_t_eq(tickdlen, strlen(appdata))
6691 || !TEST_int_eq(memcmp(tickdata, appdata, tickdlen), 0))
61fb5923 6692 return SSL_TICKET_RETURN_ABORT;
d0191fe0 6693
61fb5923
MC		 6694 if (tick_key_cb_called) {
6695 /* Don't change what the ticket key callback wanted to do */
6696 switch (status) {
6697 case SSL_TICKET_NO_DECRYPT:
6698 return SSL_TICKET_RETURN_IGNORE_RENEW;
6699
6700 case SSL_TICKET_SUCCESS:
6701 return SSL_TICKET_RETURN_USE;
d0191fe0 6702
61fb5923
MC		 6703 case SSL_TICKET_SUCCESS_RENEW:
6704 return SSL_TICKET_RETURN_USE_RENEW;
6705
6706 default:
6707 return SSL_TICKET_RETURN_ABORT;
6708 }
6709 }
6710 return tick_dec_ret;
6711
6712}
d0191fe0 6713
a76ce286 6714#ifndef OPENSSL_NO_DEPRECATED_3_0
d0191fe0
MC		 6715static int tick_key_cb(SSL *s, unsigned char key_name[16],
6716 unsigned char iv[EVP_MAX_IV_LENGTH], EVP_CIPHER_CTX *ctx,
6717 HMAC_CTX *hctx, int enc)
6718{
6719 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6720 const unsigned char tick_hmac_key[16] = "0123456789abcdef";
5e30f2fd
MC		 6721 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6722 EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
6723 int ret;
d0191fe0 6724
61fb5923 6725 tick_key_cb_called = 1;
d0191fe0
MC		 6726 memset(iv, 0, AES_BLOCK_SIZE);
6727 memset(key_name, 0, 16);
5e30f2fd
MC		 6728 if (aes128cbc == NULL
6729 || sha256 == NULL
6730 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
6731 || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
6732 NULL))
6733 ret = -1;
6734 else
6735 ret = tick_key_renew ? 2 : 1;
d0191fe0 6736
5e30f2fd
MC		 6737 EVP_CIPHER_free(aes128cbc);
6738 EVP_MD_free(sha256);
6739
6740 return ret;
d0191fe0 6741}
a76ce286
P		 6742#endif
6743
6744static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
6745 unsigned char iv[EVP_MAX_IV_LENGTH],
6746 EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int enc)
6747{
6748 const unsigned char tick_aes_key[16] = "0123456789abcdef";
6749 unsigned char tick_hmac_key[16] = "0123456789abcdef";
6750 OSSL_PARAM params[3];
5e30f2fd
MC		 6751 EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
6752 int ret;
a76ce286
P		 6753
6754 tick_key_cb_called = 1;
6755 memset(iv, 0, AES_BLOCK_SIZE);
6756 memset(key_name, 0, 16);
6757 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
6758 "SHA256", 0);
6759 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
6760 tick_hmac_key,
6761 sizeof(tick_hmac_key));
6762 params[2] = OSSL_PARAM_construct_end();
5e30f2fd
MC		 6763 if (aes128cbc == NULL
6764 || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
865adf97 6765 || !EVP_MAC_CTX_set_params(hctx, params)
a76ce286 6766 || !EVP_MAC_init(hctx))
5e30f2fd
MC		 6767 ret = -1;
6768 else
6769 ret = tick_key_renew ? 2 : 1;
6770
6771 EVP_CIPHER_free(aes128cbc);
a76ce286 6772
5e30f2fd 6773 return ret;
a76ce286 6774}
d0191fe0
MC		 6775
6776/*
6777 * Test the various ticket callbacks
61fb5923
MC		 6778 * Test 0: TLSv1.2, no ticket key callback, no ticket, no renewal
6779 * Test 1: TLSv1.3, no ticket key callback, no ticket, no renewal
6780 * Test 2: TLSv1.2, no ticket key callback, no ticket, renewal
6781 * Test 3: TLSv1.3, no ticket key callback, no ticket, renewal
6782 * Test 4: TLSv1.2, no ticket key callback, ticket, no renewal
6783 * Test 5: TLSv1.3, no ticket key callback, ticket, no renewal
6784 * Test 6: TLSv1.2, no ticket key callback, ticket, renewal
6785 * Test 7: TLSv1.3, no ticket key callback, ticket, renewal
a76ce286
P		 6786 * Test 8: TLSv1.2, old ticket key callback, ticket, no renewal
6787 * Test 9: TLSv1.3, old ticket key callback, ticket, no renewal
6788 * Test 10: TLSv1.2, old ticket key callback, ticket, renewal
6789 * Test 11: TLSv1.3, old ticket key callback, ticket, renewal
6790 * Test 12: TLSv1.2, ticket key callback, ticket, no renewal
6791 * Test 13: TLSv1.3, ticket key callback, ticket, no renewal
6792 * Test 14: TLSv1.2, ticket key callback, ticket, renewal
6793 * Test 15: TLSv1.3, ticket key callback, ticket, renewal
d0191fe0
MC		 6794 */
6795static int test_ticket_callbacks(int tst)
6796{
6797 SSL_CTX *cctx = NULL, *sctx = NULL;
6798 SSL *clientssl = NULL, *serverssl = NULL;
6799 SSL_SESSION *clntsess = NULL;
6800 int testresult = 0;
6801
6802#ifdef OPENSSL_NO_TLS1_2
ba8b48e9 6803 if (tst % 2 == 0)
d0191fe0
MC		 6804 return 1;
6805#endif
6806#ifdef OPENSSL_NO_TLS1_3
ba8b48e9 6807 if (tst % 2 == 1)
d0191fe0
MC		 6808 return 1;
6809#endif
a76ce286
P		 6810#ifdef OPENSSL_NO_DEPRECATED_3_0
6811 if (tst >= 8 && tst <= 11)
6812 return 1;
6813#endif
d0191fe0 6814
61fb5923 6815 gen_tick_called = dec_tick_called = tick_key_cb_called = 0;
d0191fe0
MC		 6816
6817 /* Which tests the ticket key callback should request renewal for */
a76ce286 6818 if (tst == 10 || tst == 11 || tst == 14 || tst == 15)
61fb5923 6819 tick_key_renew = 1;
d0191fe0 6820 else
61fb5923
MC		 6821 tick_key_renew = 0;
6822
6823 /* Which tests the decrypt ticket callback should request renewal for */
6824 switch (tst) {
6825 case 0:
6826 case 1:
6827 tick_dec_ret = SSL_TICKET_RETURN_IGNORE;
6828 break;
6829
6830 case 2:
6831 case 3:
6832 tick_dec_ret = SSL_TICKET_RETURN_IGNORE_RENEW;
6833 break;
6834
6835 case 4:
6836 case 5:
6837 tick_dec_ret = SSL_TICKET_RETURN_USE;
6838 break;
6839
6840 case 6:
6841 case 7:
6842 tick_dec_ret = SSL_TICKET_RETURN_USE_RENEW;
6843 break;
6844
6845 default:
6846 tick_dec_ret = SSL_TICKET_RETURN_ABORT;
6847 }
d0191fe0 6848
5e30f2fd 6849 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
d0191fe0
MC		 6850 TLS_client_method(),
6851 TLS1_VERSION,
61fb5923
MC		 6852 ((tst % 2) == 0) ? TLS1_2_VERSION
6853 : TLS1_3_VERSION,
d0191fe0
MC		 6854 &sctx, &cctx, cert, privkey)))
6855 goto end;
6856
61fb5923
MC		 6857 /*
6858 * We only want sessions to resume from tickets - not the session cache. So
6859 * switch the cache off.
6860 */
6861 if (!TEST_true(SSL_CTX_set_session_cache_mode(sctx, SSL_SESS_CACHE_OFF)))
6862 goto end;
6863
d0191fe0
MC		 6864 if (!TEST_true(SSL_CTX_set_session_ticket_cb(sctx, gen_tick_cb, dec_tick_cb,
6865 NULL)))
6866 goto end;
6867
a76ce286
P		 6868 if (tst >= 12) {
6869 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_evp_cb(sctx, tick_key_evp_cb)))
6870 goto end;
6871#ifndef OPENSSL_NO_DEPRECATED_3_0
6872 } else if (tst >= 8) {
6873 if (!TEST_true(SSL_CTX_set_tlsext_ticket_key_cb(sctx, tick_key_cb)))
6874 goto end;
6875#endif
6876 }
d0191fe0
MC		 6877
6878 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6879 NULL, NULL))
6880 || !TEST_true(create_ssl_connection(serverssl, clientssl,
6881 SSL_ERROR_NONE)))
6882 goto end;
6883
61fb5923
MC		 6884 /*
6885 * The decrypt ticket key callback in TLSv1.2 should be called even though
6886 * we have no ticket yet, because it gets called with a status of
6887 * SSL_TICKET_EMPTY (the client indicates support for tickets but does not
6888 * actually send any ticket data). This does not happen in TLSv1.3 because
6889 * it is not valid to send empty ticket data in TLSv1.3.
6890 */
d0191fe0 6891 if (!TEST_int_eq(gen_tick_called, 1)
61fb5923 6892 || !TEST_int_eq(dec_tick_called, ((tst % 2) == 0) ? 1 : 0))
d0191fe0
MC		 6893 goto end;
6894
6895 gen_tick_called = dec_tick_called = 0;
6896
6897 clntsess = SSL_get1_session(clientssl);
6898 SSL_shutdown(clientssl);
6899 SSL_shutdown(serverssl);
6900 SSL_free(serverssl);
6901 SSL_free(clientssl);
6902 serverssl = clientssl = NULL;
6903
6904 /* Now do a resumption */
6905 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
6906 NULL))
6907 || !TEST_true(SSL_set_session(clientssl, clntsess))
6908 || !TEST_true(create_ssl_connection(serverssl, clientssl,
61fb5923 6909 SSL_ERROR_NONE)))
d0191fe0
MC		 6910 goto end;
6911
61fb5923
MC		 6912 if (tick_dec_ret == SSL_TICKET_RETURN_IGNORE
6913 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW) {
6914 if (!TEST_false(SSL_session_reused(clientssl)))
6915 goto end;
6916 } else {
6917 if (!TEST_true(SSL_session_reused(clientssl)))
6918 goto end;
6919 }
6920
d0191fe0 6921 if (!TEST_int_eq(gen_tick_called,
61fb5923
MC		 6922 (tick_key_renew
6923 || tick_dec_ret == SSL_TICKET_RETURN_IGNORE_RENEW
6924 || tick_dec_ret == SSL_TICKET_RETURN_USE_RENEW)
6925 ? 1 : 0)
d0191fe0
MC		 6926 || !TEST_int_eq(dec_tick_called, 1))
6927 goto end;
6928
6929 testresult = 1;
6930
6931 end:
6932 SSL_SESSION_free(clntsess);
6933 SSL_free(serverssl);
6934 SSL_free(clientssl);
6935 SSL_CTX_free(sctx);
6936 SSL_CTX_free(cctx);
6937
6938 return testresult;
6939}
6940
e638112e
DB		 6941/*
6942 * Test incorrect shutdown.
6943 * Test 0: client does not shutdown properly,
6944 * server does not set SSL_OP_IGNORE_UNEXPECTED_EOF,
6945 * server should get SSL_ERROR_SSL
6946 * Test 1: client does not shutdown properly,
6947 * server sets SSL_OP_IGNORE_UNEXPECTED_EOF,
6948 * server should get SSL_ERROR_ZERO_RETURN
6949 */
6950static int test_incorrect_shutdown(int tst)
6951{
6952 SSL_CTX *cctx = NULL, *sctx = NULL;
6953 SSL *clientssl = NULL, *serverssl = NULL;
6954 int testresult = 0;
6955 char buf[80];
6956 BIO *c2s;
6957
6958 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6959 TLS_client_method(), 0, 0,
6960 &sctx, &cctx, cert, privkey)))
6961 goto end;
6962
6963 if (tst == 1)
6964 SSL_CTX_set_options(sctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
6965
6966 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
6967 NULL, NULL)))
6968 goto end;
6969
6970 if (!TEST_true(create_ssl_connection(serverssl, clientssl,
6971 SSL_ERROR_NONE)))
6972 goto end;
6973
6974 c2s = SSL_get_rbio(serverssl);
6975 BIO_set_mem_eof_return(c2s, 0);
6976
6977 if (!TEST_false(SSL_read(serverssl, buf, sizeof(buf))))
6978 goto end;
6979
6980 if (tst == 0 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_SSL) )
6981 goto end;
6982 if (tst == 1 && !TEST_int_eq(SSL_get_error(serverssl, 0), SSL_ERROR_ZERO_RETURN) )
6983 goto end;
6984
6985 testresult = 1;
6986
6987 end:
6988 SSL_free(serverssl);
6989 SSL_free(clientssl);
6990 SSL_CTX_free(sctx);
6991 SSL_CTX_free(cctx);
6992
6993 return testresult;
6994}
6995
c748834f
MC		 6996/*
6997 * Test bi-directional shutdown.
6998 * Test 0: TLSv1.2
6999 * Test 1: TLSv1.2, server continues to read/write after client shutdown
7000 * Test 2: TLSv1.3, no pending NewSessionTicket messages
7001 * Test 3: TLSv1.3, pending NewSessionTicket messages
80eff008
KR		 7002 * Test 4: TLSv1.3, server continues to read/write after client shutdown, server
7003 * sends key update, client reads it
57d7b988
MC		 7004 * Test 5: TLSv1.3, server continues to read/write after client shutdown, server
7005 * sends CertificateRequest, client reads and ignores it
7006 * Test 6: TLSv1.3, server continues to read/write after client shutdown, client
c748834f
MC		 7007 * doesn't read it
7008 */
7009static int test_shutdown(int tst)
7010{
7011 SSL_CTX *cctx = NULL, *sctx = NULL;
7012 SSL *clientssl = NULL, *serverssl = NULL;
7013 int testresult = 0;
7014 char msg[] = "A test message";
7015 char buf[80];
7016 size_t written, readbytes;
80eff008 7017 SSL_SESSION *sess;
c748834f
MC		 7018
7019#ifdef OPENSSL_NO_TLS1_2
a97d19f7 7020 if (tst <= 1)
c748834f
MC		 7021 return 1;
7022#endif
7023#ifdef OPENSSL_NO_TLS1_3
a97d19f7 7024 if (tst >= 2)
c748834f
MC		 7025 return 1;
7026#endif
7027
5e30f2fd 7028 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
c748834f
MC		 7029 TLS_client_method(),
7030 TLS1_VERSION,
7031 (tst <= 1) ? TLS1_2_VERSION
7032 : TLS1_3_VERSION,
57d7b988
MC		 7033 &sctx, &cctx, cert, privkey)))
7034 goto end;
7035
7036 if (tst == 5)
7037 SSL_CTX_set_post_handshake_auth(cctx, 1);
7038
7039 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
c748834f
MC		 7040 NULL, NULL)))
7041 goto end;
7042
7043 if (tst == 3) {
7044 if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
80c455d5 7045 SSL_ERROR_NONE, 1))
80eff008
KR		 7046 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7047 || !TEST_false(SSL_SESSION_is_resumable(sess)))
c748834f
MC		 7048 goto end;
7049 } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
80eff008
KR		 7050 SSL_ERROR_NONE))
7051 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7052 || !TEST_true(SSL_SESSION_is_resumable(sess))) {
c748834f
MC		 7053 goto end;
7054 }
7055
7056 if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
7057 goto end;
7058
7059 if (tst >= 4) {
7060 /*
7061 * Reading on the server after the client has sent close_notify should
7062 * fail and provide SSL_ERROR_ZERO_RETURN
7063 */
7064 if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
7065 || !TEST_int_eq(SSL_get_error(serverssl, 0),
7066 SSL_ERROR_ZERO_RETURN)
7067 || !TEST_int_eq(SSL_get_shutdown(serverssl),
7068 SSL_RECEIVED_SHUTDOWN)
7069 /*
7070 * Even though we're shutdown on receive we should still be
7071 * able to write.
7072 */
80eff008
KR		 7073 || !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
7074 goto end;
57d7b988
MC		 7075 if (tst == 4
7076 && !TEST_true(SSL_key_update(serverssl,
7077 SSL_KEY_UPDATE_REQUESTED)))
7078 goto end;
7079 if (tst == 5) {
7080 SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
7081 if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
7082 goto end;
7083 }
7084 if ((tst == 4 || tst == 5)
7085 && !TEST_true(SSL_write(serverssl, msg, sizeof(msg))))
80eff008
KR		 7086 goto end;
7087 if (!TEST_int_eq(SSL_shutdown(serverssl), 1))
c748834f 7088 goto end;
57d7b988 7089 if (tst == 4 || tst == 5) {
80eff008 7090 /* Should still be able to read data from server */
c748834f 7091 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
80eff008
KR		 7092 &readbytes))
7093 || !TEST_size_t_eq(readbytes, sizeof(msg))
7094 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0)
7095 || !TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
7096 &readbytes))
c748834f
MC		 7097 || !TEST_size_t_eq(readbytes, sizeof(msg))
7098 || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
7099 goto end;
7100 }
7101 }
7102
7103 /* Writing on the client after sending close_notify shouldn't be possible */
ba709049 7104 if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
c748834f
MC		 7105 goto end;
7106
7107 if (tst < 4) {
7108 /*
7109 * For these tests the client has sent close_notify but it has not yet
7110 * been received by the server. The server has not sent close_notify
7111 * yet.
7112 */
7113 if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
ba709049
MC		 7114 /*
7115 * Writing on the server after sending close_notify shouldn't
7116 * be possible.
7117 */
7118 || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
c748834f 7119 || !TEST_int_eq(SSL_shutdown(clientssl), 1)
80eff008
KR		 7120 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7121 || !TEST_true(SSL_SESSION_is_resumable(sess))
c748834f
MC		 7122 || !TEST_int_eq(SSL_shutdown(serverssl), 1))
7123 goto end;
57d7b988 7124 } else if (tst == 4 || tst == 5) {
c748834f
MC		 7125 /*
7126 * In this test the client has sent close_notify and it has been
7127 * received by the server which has responded with a close_notify. The
358ffa05 7128 * client needs to read the close_notify sent by the server.
c748834f 7129 */
80eff008
KR		 7130 if (!TEST_int_eq(SSL_shutdown(clientssl), 1)
7131 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL)
7132 || !TEST_true(SSL_SESSION_is_resumable(sess)))
c748834f 7133 goto end;
358ffa05
MC		 7134 } else {
7135 /*
57d7b988 7136 * tst == 6
358ffa05
MC		 7137 *
7138 * The client has sent close_notify and is expecting a close_notify
7139 * back, but instead there is application data first. The shutdown
7140 * should fail with a fatal error.
7141 */
7142 if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
7143 || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
7144 goto end;
c748834f
MC		 7145 }
7146
7147 testresult = 1;
7148
7149 end:
7150 SSL_free(serverssl);
7151 SSL_free(clientssl);
7152 SSL_CTX_free(sctx);
7153 SSL_CTX_free(cctx);
7154
7155 return testresult;
7156}
7157
7f1d923a 7158#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
cd6fe29f
MC		 7159static int cert_cb_cnt;
7160
7161static int cert_cb(SSL *s, void *arg)
7162{
7163 SSL_CTX *ctx = (SSL_CTX *)arg;
7cb8fb07
BK		 7164 BIO *in = NULL;
7165 EVP_PKEY *pkey = NULL;
1a2a3a42
MC		 7166 X509 *x509 = NULL, *rootx = NULL;
7167 STACK_OF(X509) *chain = NULL;
7168 char *rootfile = NULL, *ecdsacert = NULL, *ecdsakey = NULL;
7169 int ret = 0;
cd6fe29f
MC		 7170
7171 if (cert_cb_cnt == 0) {
7172 /* Suspend the handshake */
7173 cert_cb_cnt++;
7174 return -1;
7175 } else if (cert_cb_cnt == 1) {
7176 /*
7177 * Update the SSL_CTX, set the certificate and private key and then
7178 * continue the handshake normally.
7179 */
7180 if (ctx != NULL && !TEST_ptr(SSL_set_SSL_CTX(s, ctx)))
7181 return 0;
7182
7183 if (!TEST_true(SSL_use_certificate_file(s, cert, SSL_FILETYPE_PEM))
7184 || !TEST_true(SSL_use_PrivateKey_file(s, privkey,
7185 SSL_FILETYPE_PEM))
7186 || !TEST_true(SSL_check_private_key(s)))
7187 return 0;
7188 cert_cb_cnt++;
7189 return 1;
7cb8fb07
BK		 7190 } else if (cert_cb_cnt == 3) {
7191 int rv;
1a2a3a42
MC		 7192
7193 rootfile = test_mk_file_path(certsdir, "rootcert.pem");
7194 ecdsacert = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
7195 ecdsakey = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
7196 if (!TEST_ptr(rootfile) || !TEST_ptr(ecdsacert) || !TEST_ptr(ecdsakey))
7197 goto out;
7198 chain = sk_X509_new_null();
7199 if (!TEST_ptr(chain))
7200 goto out;
7cb8fb07 7201 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7202 || !TEST_int_ge(BIO_read_filename(in, rootfile), 0)
d8652be0 7203 || !TEST_ptr(rootx = X509_new_ex(libctx, NULL))
6725682d 7204 || !TEST_ptr(PEM_read_bio_X509(in, &rootx, NULL, NULL))
1a2a3a42
MC		 7205 || !TEST_true(sk_X509_push(chain, rootx)))
7206 goto out;
7207 rootx = NULL;
7208 BIO_free(in);
7209 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
7210 || !TEST_int_ge(BIO_read_filename(in, ecdsacert), 0)
d8652be0 7211 || !TEST_ptr(x509 = X509_new_ex(libctx, NULL))
6725682d 7212 || !TEST_ptr(PEM_read_bio_X509(in, &x509, NULL, NULL)))
7cb8fb07
BK		 7213 goto out;
7214 BIO_free(in);
7215 if (!TEST_ptr(in = BIO_new(BIO_s_file()))
1a2a3a42 7216 || !TEST_int_ge(BIO_read_filename(in, ecdsakey), 0)
5f2b7db0
RL		 7217 || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(in, NULL,
7218 NULL, NULL,
7219 libctx, NULL)))
7cb8fb07 7220 goto out;
1a2a3a42 7221 rv = SSL_check_chain(s, x509, pkey, chain);
7cb8fb07
BK		 7222 /*
7223 * If the cert doesn't show as valid here (e.g., because we don't
7224 * have any shared sigalgs), then we will not set it, and there will
7225 * be no certificate at all on the SSL or SSL_CTX. This, in turn,
7226 * will cause tls_choose_sigalgs() to fail the connection.
7227 */
1a2a3a42
MC		 7228 if ((rv & (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE))
7229 == (CERT_PKEY_VALID | CERT_PKEY_CA_SIGNATURE)) {
7cb8fb07
BK		 7230 if (!SSL_use_cert_and_key(s, x509, pkey, NULL, 1))
7231 goto out;
7232 }
1a2a3a42
MC		 7233
7234 ret = 1;
cd6fe29f
MC		 7235 }
7236
7237 /* Abort the handshake */
7cb8fb07 7238 out:
1a2a3a42
MC		 7239 OPENSSL_free(ecdsacert);
7240 OPENSSL_free(ecdsakey);
7241 OPENSSL_free(rootfile);
7cb8fb07
BK		 7242 BIO_free(in);
7243 EVP_PKEY_free(pkey);
7244 X509_free(x509);
1a2a3a42
MC		 7245 X509_free(rootx);
7246 sk_X509_pop_free(chain, X509_free);
7247 return ret;
cd6fe29f
MC		 7248}
7249
7250/*
7251 * Test the certificate callback.
7252 * Test 0: Callback fails
7253 * Test 1: Success - no SSL_set_SSL_CTX() in the callback
7254 * Test 2: Success - SSL_set_SSL_CTX() in the callback
1a2a3a42
MC		 7255 * Test 3: Success - Call SSL_check_chain from the callback
7256 * Test 4: Failure - SSL_check_chain fails from callback due to bad cert in the
7257 * chain
7258 * Test 5: Failure - SSL_check_chain fails from callback due to bad ee cert
cd6fe29f
MC		 7259 */
7260static int test_cert_cb_int(int prot, int tst)
7261{
7262 SSL_CTX *cctx = NULL, *sctx = NULL, *snictx = NULL;
7263 SSL *clientssl = NULL, *serverssl = NULL;
7264 int testresult = 0, ret;
7265
1a2a3a42
MC		 7266#ifdef OPENSSL_NO_EC
7267 /* We use an EC cert in these tests, so we skip in a no-ec build */
7268 if (tst >= 3)
7269 return 1;
7270#endif
7271
5e30f2fd 7272 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
cd6fe29f
MC		 7273 TLS_client_method(),
7274 TLS1_VERSION,
7275 prot,
7276 &sctx, &cctx, NULL, NULL)))
7277 goto end;
7278
7279 if (tst == 0)
7280 cert_cb_cnt = -1;
1a2a3a42 7281 else if (tst >= 3)
7cb8fb07 7282 cert_cb_cnt = 3;
cd6fe29f
MC		 7283 else
7284 cert_cb_cnt = 0;
1a2a3a42 7285
cd6fe29f
MC		 7286 if (tst == 2)
7287 snictx = SSL_CTX_new(TLS_server_method());
7288 SSL_CTX_set_cert_cb(sctx, cert_cb, snictx);
7289
7290 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7291 NULL, NULL)))
7292 goto end;
7293
1a2a3a42
MC		 7294 if (tst == 4) {
7295 /*
7296 * We cause SSL_check_chain() to fail by specifying sig_algs that
7297 * the chain doesn't meet (the root uses an RSA cert)
7298 */
7299 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7300 "ecdsa_secp256r1_sha256")))
7301 goto end;
7302 } else if (tst == 5) {
7303 /*
7304 * We cause SSL_check_chain() to fail by specifying sig_algs that
7305 * the ee cert doesn't meet (the ee uses an ECDSA cert)
7306 */
7307 if (!TEST_true(SSL_set1_sigalgs_list(clientssl,
7308 "rsa_pss_rsae_sha256:rsa_pkcs1_sha256")))
7309 goto end;
7310 }
7311
cd6fe29f 7312 ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
1a2a3a42 7313 if (!TEST_true(tst == 0 || tst == 4 || tst == 5 ? !ret : ret)
7cb8fb07
BK		 7314 || (tst > 0
7315 && !TEST_int_eq((cert_cb_cnt - 2) * (cert_cb_cnt - 3), 0))) {
cd6fe29f
MC		 7316 goto end;
7317 }
7318
7319 testresult = 1;
7320
7321 end:
7322 SSL_free(serverssl);
7323 SSL_free(clientssl);
7324 SSL_CTX_free(sctx);
7325 SSL_CTX_free(cctx);
7326 SSL_CTX_free(snictx);
7327
7328 return testresult;
7329}
7f1d923a 7330#endif
cd6fe29f
MC		 7331
7332static int test_cert_cb(int tst)
7333{
7334 int testresult = 1;
7335
7336#ifndef OPENSSL_NO_TLS1_2
7337 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
7338#endif
7f1d923a 7339#ifndef OPENSSL_NO_TLS1_3
cd6fe29f
MC		 7340 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
7341#endif
7342
7343 return testresult;
7344}
7345
6e46c065
MC		 7346static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
7347{
8c2bfd25 7348 X509 *xcert;
6e46c065
MC		 7349 EVP_PKEY *privpkey;
7350 BIO *in = NULL;
6725682d 7351 BIO *priv_in = NULL;
6e46c065 7352
8c2bfd25
TS		 7353 /* Check that SSL_get0_peer_certificate() returns something sensible */
7354 if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
6e46c065 7355 return 0;
6e46c065
MC		 7356
7357 in = BIO_new_file(cert, "r");
7358 if (!TEST_ptr(in))
7359 return 0;
7360
d8652be0 7361 if (!TEST_ptr(xcert = X509_new_ex(libctx, NULL))
6725682d
SL		 7362 || !TEST_ptr(PEM_read_bio_X509(in, &xcert, NULL, NULL))
7363 || !TEST_ptr(priv_in = BIO_new_file(privkey, "r"))
5f2b7db0
RL		 7364 || !TEST_ptr(privpkey = PEM_read_bio_PrivateKey_ex(priv_in, NULL,
7365 NULL, NULL,
7366 libctx, NULL)))
6725682d 7367 goto err;
6e46c065
MC		 7368
7369 *x509 = xcert;
7370 *pkey = privpkey;
7371
6725682d
SL		 7372 BIO_free(in);
7373 BIO_free(priv_in);
6e46c065 7374 return 1;
6725682d
SL		 7375err:
7376 X509_free(xcert);
7377 BIO_free(in);
7378 BIO_free(priv_in);
7379 return 0;
6e46c065
MC		 7380}
7381
7382static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
7383{
7384 return 1;
7385}
7386
7387static int test_client_cert_cb(int tst)
7388{
7389 SSL_CTX *cctx = NULL, *sctx = NULL;
7390 SSL *clientssl = NULL, *serverssl = NULL;
7391 int testresult = 0;
7392
7393#ifdef OPENSSL_NO_TLS1_2
7394 if (tst == 0)
7395 return 1;
7396#endif
7397#ifdef OPENSSL_NO_TLS1_3
7398 if (tst == 1)
7399 return 1;
7400#endif
7401
5e30f2fd 7402 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
6e46c065
MC		 7403 TLS_client_method(),
7404 TLS1_VERSION,
7405 tst == 0 ? TLS1_2_VERSION
7406 : TLS1_3_VERSION,
7407 &sctx, &cctx, cert, privkey)))
7408 goto end;
7409
7410 /*
7411 * Test that setting a client_cert_cb results in a client certificate being
7412 * sent.
7413 */
7414 SSL_CTX_set_client_cert_cb(cctx, client_cert_cb);
7415 SSL_CTX_set_verify(sctx,
7416 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
7417 verify_cb);
fb8c8359
MC		 7418
7419 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7420 NULL, NULL))
7421 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7422 SSL_ERROR_NONE)))
7423 goto end;
7424
7425 testresult = 1;
7426
7427 end:
7428 SSL_free(serverssl);
7429 SSL_free(clientssl);
7430 SSL_CTX_free(sctx);
7431 SSL_CTX_free(cctx);
7432
7433 return testresult;
7434}
7435
7436#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
7437/*
7438 * Test setting certificate authorities on both client and server.
7439 *
7440 * Test 0: SSL_CTX_set0_CA_list() only
7441 * Test 1: Both SSL_CTX_set0_CA_list() and SSL_CTX_set_client_CA_list()
7442 * Test 2: Only SSL_CTX_set_client_CA_list()
7443 */
7444static int test_ca_names_int(int prot, int tst)
7445{
7446 SSL_CTX *cctx = NULL, *sctx = NULL;
7447 SSL *clientssl = NULL, *serverssl = NULL;
7448 int testresult = 0;
7449 size_t i;
7450 X509_NAME *name[] = { NULL, NULL, NULL, NULL };
7451 char *strnames[] = { "Jack", "Jill", "John", "Joanne" };
7452 STACK_OF(X509_NAME) *sk1 = NULL, *sk2 = NULL;
7453 const STACK_OF(X509_NAME) *sktmp = NULL;
7454
7455 for (i = 0; i < OSSL_NELEM(name); i++) {
7456 name[i] = X509_NAME_new();
7457 if (!TEST_ptr(name[i])
7458 || !TEST_true(X509_NAME_add_entry_by_txt(name[i], "CN",
7459 MBSTRING_ASC,
7460 (unsigned char *)
7461 strnames[i],
7462 -1, -1, 0)))
7463 goto end;
7464 }
7465
5e30f2fd 7466 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
fb8c8359
MC		 7467 TLS_client_method(),
7468 TLS1_VERSION,
7469 prot,
7470 &sctx, &cctx, cert, privkey)))
7471 goto end;
7472
7473 SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
7474
7475 if (tst == 0 || tst == 1) {
7476 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7477 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[0])))
7478 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[1])))
7479 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7480 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[0])))
7481 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[1]))))
7482 goto end;
7483
7484 SSL_CTX_set0_CA_list(sctx, sk1);
7485 SSL_CTX_set0_CA_list(cctx, sk2);
7486 sk1 = sk2 = NULL;
7487 }
7488 if (tst == 1 || tst == 2) {
7489 if (!TEST_ptr(sk1 = sk_X509_NAME_new_null())
7490 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[2])))
7491 || !TEST_true(sk_X509_NAME_push(sk1, X509_NAME_dup(name[3])))
7492 || !TEST_ptr(sk2 = sk_X509_NAME_new_null())
7493 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[2])))
7494 || !TEST_true(sk_X509_NAME_push(sk2, X509_NAME_dup(name[3]))))
7495 goto end;
7496
7497 SSL_CTX_set_client_CA_list(sctx, sk1);
7498 SSL_CTX_set_client_CA_list(cctx, sk2);
7499 sk1 = sk2 = NULL;
7500 }
7501
6e46c065
MC		 7502 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7503 NULL, NULL))
7504 || !TEST_true(create_ssl_connection(serverssl, clientssl,
7505 SSL_ERROR_NONE)))
7506 goto end;
7507
fb8c8359
MC		 7508 /*
7509 * We only expect certificate authorities to have been sent to the server
7510 * if we are using TLSv1.3 and SSL_set0_CA_list() was used
7511 */
7512 sktmp = SSL_get0_peer_CA_list(serverssl);
7513 if (prot == TLS1_3_VERSION
7514 && (tst == 0 || tst == 1)) {
7515 if (!TEST_ptr(sktmp)
7516 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7517 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7518 name[0]), 0)
7519 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7520 name[1]), 0))
7521 goto end;
7522 } else if (!TEST_ptr_null(sktmp)) {
7523 goto end;
7524 }
7525
7526 /*
7527 * In all tests we expect certificate authorities to have been sent to the
7528 * client. However, SSL_set_client_CA_list() should override
7529 * SSL_set0_CA_list()
7530 */
7531 sktmp = SSL_get0_peer_CA_list(clientssl);
7532 if (!TEST_ptr(sktmp)
7533 || !TEST_int_eq(sk_X509_NAME_num(sktmp), 2)
7534 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 0),
7535 name[tst == 0 ? 0 : 2]), 0)
7536 || !TEST_int_eq(X509_NAME_cmp(sk_X509_NAME_value(sktmp, 1),
7537 name[tst == 0 ? 1 : 3]), 0))
7538 goto end;
7539
6e46c065
MC		 7540 testresult = 1;
7541
7542 end:
7543 SSL_free(serverssl);
7544 SSL_free(clientssl);
7545 SSL_CTX_free(sctx);
7546 SSL_CTX_free(cctx);
fb8c8359
MC		 7547 for (i = 0; i < OSSL_NELEM(name); i++)
7548 X509_NAME_free(name[i]);
7549 sk_X509_NAME_pop_free(sk1, X509_NAME_free);
7550 sk_X509_NAME_pop_free(sk2, X509_NAME_free);
7551
7552 return testresult;
7553}
7554#endif
7555
7556static int test_ca_names(int tst)
7557{
7558 int testresult = 1;
7559
7560#ifndef OPENSSL_NO_TLS1_2
7561 testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
7562#endif
7563#ifndef OPENSSL_NO_TLS1_3
7564 testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
7565#endif
6e46c065
MC		 7566
7567 return testresult;
7568}
7569
0d2bfe52
SL		 7570#ifndef OPENSSL_NO_TLS1_2
7571static const char *multiblock_cipherlist_data[]=
7572{
7573 "AES128-SHA",
7574 "AES128-SHA256",
7575 "AES256-SHA",
7576 "AES256-SHA256",
7577};
7578
7579/* Reduce the fragment size - so the multiblock test buffer can be small */
7580# define MULTIBLOCK_FRAGSIZE 512
7581
7582static int test_multiblock_write(int test_index)
7583{
7584 static const char *fetchable_ciphers[]=
7585 {
7586 "AES-128-CBC-HMAC-SHA1",
7587 "AES-128-CBC-HMAC-SHA256",
7588 "AES-256-CBC-HMAC-SHA1",
7589 "AES-256-CBC-HMAC-SHA256"
7590 };
7591 const char *cipherlist = multiblock_cipherlist_data[test_index];
7592 const SSL_METHOD *smeth = TLS_server_method();
7593 const SSL_METHOD *cmeth = TLS_client_method();
7594 int min_version = TLS1_VERSION;
7595 int max_version = TLS1_2_VERSION; /* Don't select TLS1_3 */
7596 SSL_CTX *cctx = NULL, *sctx = NULL;
7597 SSL *clientssl = NULL, *serverssl = NULL;
7598 int testresult = 0;
7599
7600 /*
7601 * Choose a buffer large enough to perform a multi-block operation
7602 * i.e: write_len >= 4 * frag_size
7603 * 9 * is chosen so that multiple multiblocks are used + some leftover.
7604 */
7605 unsigned char msg[MULTIBLOCK_FRAGSIZE * 9];
7606 unsigned char buf[sizeof(msg)], *p = buf;
7607 size_t readbytes, written, len;
7608 EVP_CIPHER *ciph = NULL;
7609
7610 /*
7611 * Check if the cipher exists before attempting to use it since it only has
7612 * a hardware specific implementation.
7613 */
7614 ciph = EVP_CIPHER_fetch(NULL, fetchable_ciphers[test_index], "");
7615 if (ciph == NULL) {
7616 TEST_skip("Multiblock cipher is not available for %s", cipherlist);
7617 return 1;
7618 }
7619 EVP_CIPHER_free(ciph);
7620
7621 /* Set up a buffer with some data that will be sent to the client */
7622 RAND_bytes(msg, sizeof(msg));
7623
5e30f2fd
MC		 7624 if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
7625 max_version, &sctx, &cctx, cert,
7626 privkey)))
0d2bfe52
SL		 7627 goto end;
7628
7629 if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
7630 goto end;
7631
7632 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7633 NULL, NULL)))
7634 goto end;
7635
7636 /* settings to force it to use AES-CBC-HMAC_SHA */
7637 SSL_set_options(serverssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
7638 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipherlist)))
7639 goto end;
7640
7641 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7642 goto end;
7643
7644 if (!TEST_true(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
7645 || !TEST_size_t_eq(written, sizeof(msg)))
7646 goto end;
7647
7648 len = written;
7649 while (len > 0) {
7650 if (!TEST_true(SSL_read_ex(clientssl, p, MULTIBLOCK_FRAGSIZE, &readbytes)))
7651 goto end;
7652 p += readbytes;
7653 len -= readbytes;
7654 }
7655 if (!TEST_mem_eq(msg, sizeof(msg), buf, sizeof(buf)))
7656 goto end;
7657
7658 testresult = 1;
7659end:
7660 SSL_free(serverssl);
7661 SSL_free(clientssl);
7662 SSL_CTX_free(sctx);
7663 SSL_CTX_free(cctx);
7664
7665 return testresult;
7666}
7667#endif /* OPENSSL_NO_TLS1_2 */
a43ce58f 7668
49ef3d07
MC		 7669/*
7670 * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
7671 * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
7672 * Test 2: Client sets inconsistent servername on resumption (TLSv1.2)
7673 * Test 3: Client does not set servername on initial handshake (TLSv1.2)
7674 * Test 4: Client does not set servername on resumption handshake (TLSv1.2)
7675 * Test 5: Client sets servername and server acknowledges it (TLSv1.3)
7676 * Test 6: Client sets servername and server does not acknowledge it (TLSv1.3)
7677 * Test 7: Client sets inconsistent servername on resumption (TLSv1.3)
7678 * Test 8: Client does not set servername on initial handshake(TLSv1.3)
7679 * Test 9: Client does not set servername on resumption handshake (TLSv1.3)
7680 */
7681static int test_servername(int tst)
7682{
7683 SSL_CTX *cctx = NULL, *sctx = NULL;
7684 SSL *clientssl = NULL, *serverssl = NULL;
7685 int testresult = 0;
7686 SSL_SESSION *sess = NULL;
7687 const char *sexpectedhost = NULL, *cexpectedhost = NULL;
7688
7689#ifdef OPENSSL_NO_TLS1_2
7690 if (tst <= 4)
7691 return 1;
7692#endif
7693#ifdef OPENSSL_NO_TLS1_3
7694 if (tst >= 5)
7695 return 1;
7696#endif
7697
5e30f2fd 7698 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
49ef3d07
MC		 7699 TLS_client_method(),
7700 TLS1_VERSION,
7701 (tst <= 4) ? TLS1_2_VERSION
7702 : TLS1_3_VERSION,
7703 &sctx, &cctx, cert, privkey))
7704 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7705 NULL, NULL)))
7706 goto end;
7707
7708 if (tst != 1 && tst != 6) {
7709 if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx,
7710 hostname_cb)))
7711 goto end;
7712 }
7713
7714 if (tst != 3 && tst != 8) {
7715 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7716 goto end;
7717 sexpectedhost = cexpectedhost = "goodhost";
7718 }
7719
7720 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7721 goto end;
7722
7723 if (!TEST_str_eq(SSL_get_servername(clientssl, TLSEXT_NAMETYPE_host_name),
7724 cexpectedhost)
7725 || !TEST_str_eq(SSL_get_servername(serverssl,
7726 TLSEXT_NAMETYPE_host_name),
7727 sexpectedhost))
7728 goto end;
7729
7730 /* Now repeat with a resumption handshake */
7731
7732 if (!TEST_int_eq(SSL_shutdown(clientssl), 0)
7733 || !TEST_ptr_ne(sess = SSL_get1_session(clientssl), NULL)
7734 || !TEST_true(SSL_SESSION_is_resumable(sess))
7735 || !TEST_int_eq(SSL_shutdown(serverssl), 0))
7736 goto end;
7737
7738 SSL_free(clientssl);
7739 SSL_free(serverssl);
7740 clientssl = serverssl = NULL;
7741
7742 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
7743 NULL)))
7744 goto end;
7745
7746 if (!TEST_true(SSL_set_session(clientssl, sess)))
7747 goto end;
7748
7749 sexpectedhost = cexpectedhost = "goodhost";
7750 if (tst == 2 || tst == 7) {
7751 /* Set an inconsistent hostname */
7752 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "altgoodhost")))
7753 goto end;
7754 /*
7755 * In TLSv1.2 we expect the hostname from the original handshake, in
7756 * TLSv1.3 we expect the hostname from this handshake
7757 */
7758 if (tst == 7)
7759 sexpectedhost = cexpectedhost = "altgoodhost";
7760
7761 if (!TEST_str_eq(SSL_get_servername(clientssl,
7762 TLSEXT_NAMETYPE_host_name),
7763 "altgoodhost"))
7764 goto end;
7765 } else if (tst == 4 || tst == 9) {
7766 /*
7767 * A TLSv1.3 session does not associate a session with a servername,
7768 * but a TLSv1.2 session does.
7769 */
7770 if (tst == 9)
7771 sexpectedhost = cexpectedhost = NULL;
7772
7773 if (!TEST_str_eq(SSL_get_servername(clientssl,
7774 TLSEXT_NAMETYPE_host_name),
7775 cexpectedhost))
7776 goto end;
7777 } else {
7778 if (!TEST_true(SSL_set_tlsext_host_name(clientssl, "goodhost")))
7779 goto end;
7780 /*
7781 * In a TLSv1.2 resumption where the hostname was not acknowledged
7782 * we expect the hostname on the server to be empty. On the client we
7783 * return what was requested in this case.
7784 *
7785 * Similarly if the client didn't set a hostname on an original TLSv1.2
7786 * session but is now, the server hostname will be empty, but the client
7787 * is as we set it.
7788 */
7789 if (tst == 1 || tst == 3)
7790 sexpectedhost = NULL;
7791
7792 if (!TEST_str_eq(SSL_get_servername(clientssl,
7793 TLSEXT_NAMETYPE_host_name),
7794 "goodhost"))
7795 goto end;
7796 }
7797
7798 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7799 goto end;
7800
7801 if (!TEST_true(SSL_session_reused(clientssl))
7802 || !TEST_true(SSL_session_reused(serverssl))
7803 || !TEST_str_eq(SSL_get_servername(clientssl,
7804 TLSEXT_NAMETYPE_host_name),
7805 cexpectedhost)
7806 || !TEST_str_eq(SSL_get_servername(serverssl,
7807 TLSEXT_NAMETYPE_host_name),
7808 sexpectedhost))
7809 goto end;
7810
7811 testresult = 1;
7812
7813 end:
7814 SSL_SESSION_free(sess);
7815 SSL_free(serverssl);
7816 SSL_free(clientssl);
7817 SSL_CTX_free(sctx);
7818 SSL_CTX_free(cctx);
7819
7820 return testresult;
7821}
7822
b1fdbc68
MC		 7823#if !defined(OPENSSL_NO_EC) \
7824 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539
MC		 7825/*
7826 * Test that if signature algorithms are not available, then we do not offer or
7827 * accept them.
7828 * Test 0: Two RSA sig algs available: both RSA sig algs shared
7829 * Test 1: The client only has SHA2-256: only SHA2-256 algorithms shared
7830 * Test 2: The server only has SHA2-256: only SHA2-256 algorithms shared
7831 * Test 3: An RSA and an ECDSA sig alg available: both sig algs shared
7832 * Test 4: The client only has an ECDSA sig alg: only ECDSA algorithms shared
7833 * Test 5: The server only has an ECDSA sig alg: only ECDSA algorithms shared
7834 */
7835static int test_sigalgs_available(int idx)
7836{
7837 SSL_CTX *cctx = NULL, *sctx = NULL;
7838 SSL *clientssl = NULL, *serverssl = NULL;
7839 int testresult = 0;
b4250010
DMSP		 7840 OSSL_LIB_CTX *tmpctx = OSSL_LIB_CTX_new();
7841 OSSL_LIB_CTX *clientctx = libctx, *serverctx = libctx;
b3842539
MC		 7842 OSSL_PROVIDER *filterprov = NULL;
7843 int sig, hash;
7844
7845 if (!TEST_ptr(tmpctx))
7846 goto end;
7847
7848 if (idx != 0 && idx != 3) {
7849 if (!TEST_true(OSSL_PROVIDER_add_builtin(tmpctx, "filter",
7850 filter_provider_init)))
7851 goto end;
7852
7853 filterprov = OSSL_PROVIDER_load(tmpctx, "filter");
7854 if (!TEST_ptr(filterprov))
7855 goto end;
7856
7857 if (idx < 3) {
7858 /*
7859 * Only enable SHA2-256 so rsa_pss_rsae_sha384 should not be offered
7860 * or accepted for the peer that uses this libctx. Note that libssl
7861 * *requires* SHA2-256 to be available so we cannot disable that. We
7862 * also need SHA1 for our certificate.
7863 */
7864 if (!TEST_true(filter_provider_set_filter(OSSL_OP_DIGEST,
7865 "SHA2-256:SHA1")))
7866 goto end;
7867 } else {
7868 if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
7869 "ECDSA"))
7870 || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
7871 "EC:X25519:X448")))
7872 goto end;
7873 }
7874
7875 if (idx == 1 || idx == 4)
7876 clientctx = tmpctx;
7877 else
7878 serverctx = tmpctx;
7879 }
7880
d8652be0
MC		 7881 cctx = SSL_CTX_new_ex(clientctx, NULL, TLS_client_method());
7882 sctx = SSL_CTX_new_ex(serverctx, NULL, TLS_server_method());
9d2d857f
MC		 7883 if (!TEST_ptr(cctx) || !TEST_ptr(sctx))
7884 goto end;
b3842539
MC		 7885
7886 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7887 TLS_client_method(),
7888 TLS1_VERSION,
7889 0,
7890 &sctx, &cctx, cert, privkey)))
7891 goto end;
7892
b1fdbc68
MC		 7893 /* Ensure we only use TLSv1.2 ciphersuites based on SHA256 */
7894 if (idx < 4) {
7895 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7896 "ECDHE-RSA-AES128-GCM-SHA256")))
7897 goto end;
7898 } else {
7899 if (!TEST_true(SSL_CTX_set_cipher_list(cctx,
7900 "ECDHE-ECDSA-AES128-GCM-SHA256")))
7901 goto end;
7902 }
7903
b3842539
MC		 7904 if (idx < 3) {
7905 if (!SSL_CTX_set1_sigalgs_list(cctx,
7906 "rsa_pss_rsae_sha384"
7907 ":rsa_pss_rsae_sha256")
7908 || !SSL_CTX_set1_sigalgs_list(sctx,
7909 "rsa_pss_rsae_sha384"
7910 ":rsa_pss_rsae_sha256"))
7911 goto end;
7912 } else {
7913 if (!SSL_CTX_set1_sigalgs_list(cctx, "rsa_pss_rsae_sha256:ECDSA+SHA256")
7914 || !SSL_CTX_set1_sigalgs_list(sctx,
7915 "rsa_pss_rsae_sha256:ECDSA+SHA256"))
7916 goto end;
7917 }
7918
7919 if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, cert2,
7920 SSL_FILETYPE_PEM), 1)
7921 || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
7922 privkey2,
7923 SSL_FILETYPE_PEM), 1)
7924 || !TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
7925 goto end;
7926
7927 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7928 NULL, NULL)))
7929 goto end;
7930
7931 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7932 goto end;
7933
7934 /* For tests 0 and 3 we expect 2 shared sigalgs, otherwise exactly 1 */
7935 if (!TEST_int_eq(SSL_get_shared_sigalgs(serverssl, 0, &sig, &hash, NULL,
7936 NULL, NULL),
7937 (idx == 0 || idx == 3) ? 2 : 1))
7938 goto end;
7939
7940 if (!TEST_int_eq(hash, idx == 0 ? NID_sha384 : NID_sha256))
7941 goto end;
7942
7943 if (!TEST_int_eq(sig, (idx == 4 || idx == 5) ? EVP_PKEY_EC
7944 : NID_rsassaPss))
7945 goto end;
7946
7947 testresult = 1;
7948
7949 end:
7950 SSL_free(serverssl);
7951 SSL_free(clientssl);
7952 SSL_CTX_free(sctx);
7953 SSL_CTX_free(cctx);
7954 OSSL_PROVIDER_unload(filterprov);
b4250010 7955 OSSL_LIB_CTX_free(tmpctx);
b3842539
MC		 7956
7957 return testresult;
7958}
b1fdbc68
MC		 7959#endif /*
7960 * !defined(OPENSSL_NO_EC) \
7961 * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
7962 */
b3842539 7963
0c13cdf8 7964#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 7965static int test_pluggable_group(int idx)
0c13cdf8
MC		 7966{
7967 SSL_CTX *cctx = NULL, *sctx = NULL;
7968 SSL *clientssl = NULL, *serverssl = NULL;
7969 int testresult = 0;
7970 OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider");
146aebc6
MC		 7971 /* Check that we are not impacted by a provider without any groups */
7972 OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
c8e3a4c6 7973 const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
0c13cdf8 7974
146aebc6 7975 if (!TEST_ptr(tlsprov) || !TEST_ptr(legacyprov))
0c13cdf8
MC		 7976 goto end;
7977
7978 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
7979 TLS_client_method(),
7980 TLS1_3_VERSION,
7981 TLS1_3_VERSION,
7982 &sctx, &cctx, cert, privkey))
7983 || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
7984 NULL, NULL)))
7985 goto end;
7986
c8e3a4c6
NT		 7987 if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
7988 || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
0c13cdf8
MC		 7989 goto end;
7990
7991 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
7992 goto end;
7993
7994 testresult = 1;
7995
7996 end:
7997 SSL_free(serverssl);
7998 SSL_free(clientssl);
7999 SSL_CTX_free(sctx);
8000 SSL_CTX_free(cctx);
8001 OSSL_PROVIDER_unload(tlsprov);
146aebc6 8002 OSSL_PROVIDER_unload(legacyprov);
0c13cdf8
MC		 8003
8004 return testresult;
8005}
8006#endif
b3842539 8007
49a36a52
MC		 8008#ifndef OPENSSL_NO_TLS1_2
8009static int test_ssl_dup(void)
8010{
8011 SSL_CTX *cctx = NULL, *sctx = NULL;
8012 SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
8013 int testresult = 0;
8014 BIO *rbio = NULL, *wbio = NULL;
8015
8016 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8017 TLS_client_method(),
8018 0,
8019 0,
8020 &sctx, &cctx, cert, privkey)))
8021 goto end;
8022
8023 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8024 NULL, NULL)))
8025 goto end;
8026
8027 if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
8028 || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
8029 goto end;
8030
8031 client2ssl = SSL_dup(clientssl);
8032 rbio = SSL_get_rbio(clientssl);
8033 if (!TEST_ptr(rbio)
8034 || !TEST_true(BIO_up_ref(rbio)))
8035 goto end;
8036 SSL_set0_rbio(client2ssl, rbio);
8037 rbio = NULL;
8038
8039 wbio = SSL_get_wbio(clientssl);
8040 if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
8041 goto end;
8042 SSL_set0_wbio(client2ssl, wbio);
8043 rbio = NULL;
8044
8045 if (!TEST_ptr(client2ssl)
8046 /* Handshake not started so pointers should be different */
8047 || !TEST_ptr_ne(clientssl, client2ssl))
8048 goto end;
8049
8050 if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
8051 || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
8052 goto end;
8053
8054 if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
8055 goto end;
8056
8057 SSL_free(clientssl);
8058 clientssl = SSL_dup(client2ssl);
8059 if (!TEST_ptr(clientssl)
8060 /* Handshake has finished so pointers should be the same */
8061 || !TEST_ptr_eq(clientssl, client2ssl))
8062 goto end;
8063
8064 testresult = 1;
8065
8066 end:
8067 SSL_free(serverssl);
8068 SSL_free(clientssl);
8069 SSL_free(client2ssl);
8070 SSL_CTX_free(sctx);
8071 SSL_CTX_free(cctx);
8072
8073 return testresult;
8074}
33c39a06
MC		 8075
8076# ifndef OPENSSL_NO_DH
8077
8078static EVP_PKEY *tmp_dh_params = NULL;
8079
8080/* Helper function for the test_set_tmp_dh() tests */
8081static EVP_PKEY *get_tmp_dh_params(void)
8082{
8083 if (tmp_dh_params == NULL) {
8084 BIGNUM *p = NULL;
8085 OSSL_PARAM_BLD *tmpl = NULL;
8086 EVP_PKEY_CTX *pctx = NULL;
8087 OSSL_PARAM *params = NULL;
8088 EVP_PKEY *dhpkey = NULL;
8089
8090 p = BN_get_rfc3526_prime_2048(NULL);
8091 if (!TEST_ptr(p))
8092 goto end;
8093
8094 pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
8095 if (!TEST_ptr(pctx)
8096 || !TEST_true(EVP_PKEY_key_fromdata_init(pctx)))
8097 goto end;
8098
8099 tmpl = OSSL_PARAM_BLD_new();
8100 if (!TEST_ptr(tmpl)
8101 || !TEST_true(OSSL_PARAM_BLD_push_BN(tmpl,
8102 OSSL_PKEY_PARAM_FFC_P,
8103 p))
8104 || !TEST_true(OSSL_PARAM_BLD_push_uint(tmpl,
8105 OSSL_PKEY_PARAM_FFC_G,
8106 2)))
8107 goto end;
8108
8109 params = OSSL_PARAM_BLD_to_param(tmpl);
8110 if (!TEST_ptr(params)
8111 || !TEST_true(EVP_PKEY_fromdata(pctx, &dhpkey, params)))
8112 goto end;
8113
8114 tmp_dh_params = dhpkey;
8115 end:
8116 BN_free(p);
8117 EVP_PKEY_CTX_free(pctx);
8118 OSSL_PARAM_BLD_free(tmpl);
8119 OSSL_PARAM_BLD_free_params(params);
8120 }
8121
8122 if (!EVP_PKEY_up_ref(tmp_dh_params))
8123 return NULL;
8124
8125 return tmp_dh_params;
8126}
8127
8128# ifndef OPENSSL_NO_DEPRECATED
8129/* Callback used by test_set_tmp_dh() */
8130static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
8131{
8132 EVP_PKEY *dhpkey = get_tmp_dh_params();
8133 DH *ret = NULL;
8134
8135 if (!TEST_ptr(dhpkey))
8136 return NULL;
8137
8138 ret = EVP_PKEY_get0_DH(dhpkey);
8139
8140 EVP_PKEY_free(dhpkey);
8141
8142 return ret;
8143}
8144# endif
8145
8146/*
8147 * Test the various methods for setting temporary DH parameters
8148 *
8149 * Test 0: Default (no auto) setting
8150 * Test 1: Explicit SSL_CTX auto off
8151 * Test 2: Explicit SSL auto off
8152 * Test 3: Explicit SSL_CTX auto on
8153 * Test 4: Explicit SSL auto on
8154 * Test 5: Explicit SSL_CTX auto off, custom DH params via EVP_PKEY
8155 * Test 6: Explicit SSL auto off, custom DH params via EVP_PKEY
8156 *
8157 * The following are testing deprecated APIs, so we only run them if available
8158 * Test 7: Explicit SSL_CTX auto off, custom DH params via DH
8159 * Test 8: Explicit SSL auto off, custom DH params via DH
8160 * Test 9: Explicit SSL_CTX auto off, custom DH params via callback
8161 * Test 10: Explicit SSL auto off, custom DH params via callback
8162 */
8163static int test_set_tmp_dh(int idx)
8164{
8165 SSL_CTX *cctx = NULL, *sctx = NULL;
8166 SSL *clientssl = NULL, *serverssl = NULL;
8167 int testresult = 0;
8168 int dhauto = (idx == 3 || idx == 4) ? 1 : 0;
8169 int expected = (idx <= 2) ? 0 : 1;
8170 EVP_PKEY *dhpkey = NULL;
8171# ifndef OPENSSL_NO_DEPRECATED_3_0
8172 DH *dh = NULL;
8173# else
8174
8175 if (idx >= 7)
8176 return 1;
8177# endif
8178
8179 if (idx >= 5 && idx <= 8) {
8180 dhpkey = get_tmp_dh_params();
8181 if (!TEST_ptr(dhpkey))
8182 goto end;
8183 }
8184# ifndef OPENSSL_NO_DEPRECATED_3_0
8185 if (idx == 7 || idx == 8) {
8186 dh = EVP_PKEY_get0_DH(dhpkey);
8187 if (!TEST_ptr(dh))
8188 goto end;
8189 }
8190# endif
8191
8192 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8193 TLS_client_method(),
8194 0,
8195 0,
8196 &sctx, &cctx, cert, privkey)))
8197 goto end;
8198
8199 if ((idx & 1) == 1) {
8200 if (!TEST_true(SSL_CTX_set_dh_auto(sctx, dhauto)))
8201 goto end;
8202 }
8203
8204 if (idx == 5) {
8205 if (!TEST_true(SSL_CTX_set0_tmp_dh_pkey(sctx, dhpkey)))
8206 goto end;
8207 dhpkey = NULL;
8208 }
8209# ifndef OPENSSL_NO_DEPRECATED_3_0
8210 else if (idx == 7) {
8211 if (!TEST_true(SSL_CTX_set_tmp_dh(sctx, dh)))
8212 goto end;
8213 } else if (idx == 9) {
8214 SSL_CTX_set_tmp_dh_callback(sctx, tmp_dh_callback);
8215 }
8216# endif
8217
8218 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8219 NULL, NULL)))
8220 goto end;
8221
8222 if ((idx & 1) == 0 && idx != 0) {
8223 if (!TEST_true(SSL_set_dh_auto(serverssl, dhauto)))
8224 goto end;
8225 }
8226 if (idx == 6) {
8227 if (!TEST_true(SSL_set0_tmp_dh_pkey(serverssl, dhpkey)))
8228 goto end;
8229 dhpkey = NULL;
8230 }
8231# ifndef OPENSSL_NO_DEPRECATED_3_0
8232 else if (idx == 8) {
8233 if (!TEST_true(SSL_set_tmp_dh(serverssl, dh)))
8234 goto end;
8235 } else if (idx == 10) {
8236 SSL_set_tmp_dh_callback(serverssl, tmp_dh_callback);
8237 }
8238# endif
8239
8240 if (!TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8241 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8242 || !TEST_true(SSL_set_cipher_list(serverssl, "DHE-RSA-AES128-SHA")))
8243 goto end;
8244
8245 /*
8246 * If autoon then we should succeed. Otherwise we expect failure because
8247 * there are no parameters
8248 */
8249 if (!TEST_int_eq(create_ssl_connection(serverssl, clientssl,
8250 SSL_ERROR_NONE), expected))
8251 goto end;
8252
8253 testresult = 1;
8254
8255 end:
8256 SSL_free(serverssl);
8257 SSL_free(clientssl);
8258 SSL_CTX_free(sctx);
8259 SSL_CTX_free(cctx);
8260 EVP_PKEY_free(dhpkey);
8261
8262 return testresult;
8263}
3105d846
MC		 8264
8265/*
8266 * Test the auto DH keys are appropriately sized
8267 */
8268static int test_dh_auto(int idx)
8269{
8270 SSL_CTX *cctx = NULL, *sctx = NULL;
8271 SSL *clientssl = NULL, *serverssl = NULL;
8272 int testresult = 0;
8273 EVP_PKEY *tmpkey = NULL;
8274 char *thiscert = NULL, *thiskey = NULL;
8275 size_t expdhsize = 0;
8276 const char *ciphersuite = "DHE-RSA-AES128-SHA";
8277
8278 switch (idx) {
8279 case 0:
8280 /* The FIPS provider doesn't support this DH size - so we ignore it */
8281 if (is_fips)
8282 return 1;
8283 thiscert = cert1024;
8284 thiskey = privkey1024;
8285 expdhsize = 1024;
8286 break;
8287 case 1:
8288 /* 2048 bit prime */
8289 thiscert = cert;
8290 thiskey = privkey;
8291 expdhsize = 2048;
8292 break;
8293 case 2:
8294 thiscert = cert3072;
8295 thiskey = privkey3072;
8296 expdhsize = 3072;
8297 break;
8298 case 3:
8299 thiscert = cert4096;
8300 thiskey = privkey4096;
8301 expdhsize = 4096;
8302 break;
8303 case 4:
8304 thiscert = cert8192;
8305 thiskey = privkey8192;
8306 expdhsize = 8192;
8307 break;
8308 /* No certificate cases */
8309 case 5:
8310 /* The FIPS provider doesn't support this DH size - so we ignore it */
8311 if (is_fips)
8312 return 1;
8313 ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
8314 expdhsize = 1024;
8315 break;
8316 case 6:
8317 ciphersuite = "ADH-AES256-SHA256:@SECLEVEL=0";
8318 expdhsize = 3072;
8319 break;
8320 default:
8321 TEST_error("Invalid text index");
8322 goto end;
8323 }
8324
8325 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
8326 TLS_client_method(),
8327 0,
8328 0,
8329 &sctx, &cctx, thiscert, thiskey)))
8330 goto end;
8331
8332 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
8333 NULL, NULL)))
8334 goto end;
8335
8336 if (!TEST_true(SSL_set_dh_auto(serverssl, 1))
8337 || !TEST_true(SSL_set_min_proto_version(serverssl, TLS1_2_VERSION))
8338 || !TEST_true(SSL_set_max_proto_version(serverssl, TLS1_2_VERSION))
8339 || !TEST_true(SSL_set_cipher_list(serverssl, ciphersuite))
8340 || !TEST_true(SSL_set_cipher_list(clientssl, ciphersuite)))
8341 goto end;
8342
8343 /*
8344 * Send the server's first flight. At this point the server has created the
8345 * temporary DH key but hasn't finished using it yet. Once used it is
8346 * removed, so we cannot test it.
8347 */
8348 if (!TEST_int_le(SSL_connect(clientssl), 0)
8349 || !TEST_int_le(SSL_accept(serverssl), 0))
8350 goto end;
8351
8352 if (!TEST_int_gt(SSL_get_tmp_key(serverssl, &tmpkey), 0))
8353 goto end;
8354 if (!TEST_size_t_eq(EVP_PKEY_bits(tmpkey), expdhsize))
8355 goto end;
8356
8357 if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
8358 goto end;
8359
8360 testresult = 1;
8361
8362 end:
8363 SSL_free(serverssl);
8364 SSL_free(clientssl);
8365 SSL_CTX_free(sctx);
8366 SSL_CTX_free(cctx);
8367 EVP_PKEY_free(tmpkey);
8368
8369 return testresult;
8370
8371}
33c39a06
MC		 8372# endif /* OPENSSL_NO_DH */
8373#endif /* OPENSSL_NO_TLS1_2 */
49a36a52 8374
5e30f2fd 8375OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
a43ce58f 8376
ad887416 8377int setup_tests(void)
2cb4b5f6 8378{
5e30f2fd
MC		 8379 char *modulename;
8380 char *configfile;
8381
b4250010 8382 libctx = OSSL_LIB_CTX_new();
5e30f2fd
MC		 8383 if (!TEST_ptr(libctx))
8384 return 0;
8385
8386 defctxnull = OSSL_PROVIDER_load(NULL, "null");
8387
8388 /*
8389 * Verify that the default and fips providers in the default libctx are not
8390 * available
8391 */
8392 if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
8393 || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
8394 return 0;
8395
8d242823
MC		 8396 if (!test_skip_common_options()) {
8397 TEST_error("Error parsing test options\n");
8398 return 0;
8399 }
8400
1a2a3a42
MC		 8401 if (!TEST_ptr(certsdir = test_get_argument(0))
8402 || !TEST_ptr(srpvfile = test_get_argument(1))
5e30f2fd
MC		 8403 || !TEST_ptr(tmpfilename = test_get_argument(2))
8404 || !TEST_ptr(modulename = test_get_argument(3))
8405 || !TEST_ptr(configfile = test_get_argument(4)))
8406 return 0;
8407
b4250010 8408 if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile)))
5e30f2fd
MC		 8409 return 0;
8410
8411 /* Check we have the expected provider available */
8412 if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
8413 return 0;
8414
8415 /* Check the default provider is not available */
8416 if (strcmp(modulename, "default") != 0
8417 && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
710756a9 8418 return 0;
2cb4b5f6 8419
4f6c7044
MC		 8420 if (strcmp(modulename, "fips") == 0)
8421 is_fips = 1;
8422
0c13cdf8
MC		 8423 /*
8424 * We add, but don't load the test "tls-provider". We'll load it when we
8425 * need it.
8426 */
8427 if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, "tls-provider",
8428 tls_provider_init)))
8429 return 0;
8430
8431
f297e4ec
RS		 8432 if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
8433#ifdef OPENSSL_NO_CRYPTO_MDEBUG
8434 TEST_error("not supported in this build");
8435 return 0;
8436#else
8437 int i, mcount, rcount, fcount;
8438
8439 for (i = 0; i < 4; i++)
8440 test_export_key_mat(i);
8441 CRYPTO_get_alloc_counts(&mcount, &rcount, &fcount);
8442 test_printf_stdout("malloc %d realloc %d free %d\n",
8443 mcount, rcount, fcount);
8444 return 1;
8445#endif
8446 }
8447
1a2a3a42
MC		 8448 cert = test_mk_file_path(certsdir, "servercert.pem");
8449 if (cert == NULL)
b3842539 8450 goto err;
1a2a3a42
MC		 8451
8452 privkey = test_mk_file_path(certsdir, "serverkey.pem");
b3842539
MC		 8453 if (privkey == NULL)
8454 goto err;
8455
8456 cert2 = test_mk_file_path(certsdir, "server-ecdsa-cert.pem");
8457 if (cert2 == NULL)
8458 goto err;
8459
8460 privkey2 = test_mk_file_path(certsdir, "server-ecdsa-key.pem");
8461 if (privkey2 == NULL)
8462 goto err;
1a2a3a42 8463
3105d846
MC		 8464 cert1024 = test_mk_file_path(certsdir, "ee-cert-1024.pem");
8465 if (cert1024 == NULL)
8466 goto err;
8467
8468 privkey1024 = test_mk_file_path(certsdir, "ee-key-1024.pem");
8469 if (privkey1024 == NULL)
8470 goto err;
8471
8472 cert3072 = test_mk_file_path(certsdir, "ee-cert-3072.pem");
8473 if (cert3072 == NULL)
8474 goto err;
8475
8476 privkey3072 = test_mk_file_path(certsdir, "ee-key-3072.pem");
8477 if (privkey3072 == NULL)
8478 goto err;
8479
8480 cert4096 = test_mk_file_path(certsdir, "ee-cert-4096.pem");
8481 if (cert4096 == NULL)
8482 goto err;
8483
8484 privkey4096 = test_mk_file_path(certsdir, "ee-key-4096.pem");
8485 if (privkey4096 == NULL)
8486 goto err;
8487
8488 cert8192 = test_mk_file_path(certsdir, "ee-cert-8192.pem");
8489 if (cert8192 == NULL)
8490 goto err;
8491
8492 privkey8192 = test_mk_file_path(certsdir, "ee-key-8192.pem");
8493 if (privkey8192 == NULL)
8494 goto err;
8495
da4db160 8496#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
c8e3a4c6 8497# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
da4db160
VF		 8498 ADD_ALL_TESTS(test_ktls, 32);
8499 ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
c8e3a4c6 8500# endif
fe5d9450 8501#endif
84d5549e 8502 ADD_TEST(test_large_message_tls);
7856332e 8503 ADD_TEST(test_large_message_tls_read_ahead);
55386bef 8504#ifndef OPENSSL_NO_DTLS
84d5549e 8505 ADD_TEST(test_large_message_dtls);
55386bef 8506#endif
163b8016 8507 ADD_TEST(test_cleanse_plaintext);
8f8c11d8 8508#ifndef OPENSSL_NO_OCSP
c887104f 8509 ADD_TEST(test_tlsext_status_type);
8f8c11d8 8510#endif
eaa776da
MC		 8511 ADD_TEST(test_session_with_only_int_cache);
8512 ADD_TEST(test_session_with_only_ext_cache);
8513 ADD_TEST(test_session_with_both_cache);
90fc2c26 8514 ADD_TEST(test_session_wo_ca_names);
36ff232c 8515#ifndef OPENSSL_NO_TLS1_3
04d7814a
MC		 8516 ADD_ALL_TESTS(test_stateful_tickets, 3);
8517 ADD_ALL_TESTS(test_stateless_tickets, 3);
8614a4eb 8518 ADD_TEST(test_psk_tickets);
f0049b86 8519 ADD_ALL_TESTS(test_extra_tickets, 6);
36ff232c 8520#endif
7fb4c820 8521 ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
9a716987
MC		 8522 ADD_TEST(test_ssl_bio_pop_next_bio);
8523 ADD_TEST(test_ssl_bio_pop_ssl_bio);
8524 ADD_TEST(test_ssl_bio_change_rbio);
8525 ADD_TEST(test_ssl_bio_change_wbio);
c423ecaa 8526#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
f1b25aae 8527 ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
6acdd3e5 8528 ADD_TEST(test_keylog);
c423ecaa 8529#endif
6acdd3e5
CB		 8530#ifndef OPENSSL_NO_TLS1_3
8531 ADD_TEST(test_keylog_no_master_key);
8532#endif
e9ee6536 8533#ifndef OPENSSL_NO_TLS1_2
a9c0d8be 8534 ADD_TEST(test_client_hello_cb);
088dfa13 8535 ADD_TEST(test_no_ems);
3cd14e5e 8536 ADD_TEST(test_ccs_change_cipher);
5f982038
MC		 8537#endif
8538#ifndef OPENSSL_NO_TLS1_3
02a3ed5a 8539 ADD_ALL_TESTS(test_early_data_read_write, 3);
78fb5374
MC		 8540 /*
8541 * We don't do replay tests for external PSK. Replay protection isn't used
8542 * in that scenario.
8543 */
8544 ADD_ALL_TESTS(test_early_data_replay, 2);
02a3ed5a
MC		 8545 ADD_ALL_TESTS(test_early_data_skip, 3);
8546 ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
0efa0ba4 8547 ADD_ALL_TESTS(test_early_data_skip_hrr_fail, 3);
0d1b7789 8548 ADD_ALL_TESTS(test_early_data_skip_abort, 3);
02a3ed5a 8549 ADD_ALL_TESTS(test_early_data_not_sent, 3);
57dee9bb 8550 ADD_ALL_TESTS(test_early_data_psk, 8);
0b2b0be9 8551 ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
02a3ed5a 8552 ADD_ALL_TESTS(test_early_data_not_expected, 3);
5f982038 8553# ifndef OPENSSL_NO_TLS1_2
02a3ed5a 8554 ADD_ALL_TESTS(test_early_data_tls1_2, 3);
5f982038 8555# endif
e9ee6536 8556#endif
a273157a 8557#ifndef OPENSSL_NO_TLS1_3
034cb87b 8558 ADD_ALL_TESTS(test_set_ciphersuite, 10);
ca0413ae 8559 ADD_TEST(test_ciphersuite_change);
5bf2eade 8560 ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
8561# ifdef OPENSSL_NO_PSK
c2b290c3 8562 ADD_ALL_TESTS(test_tls13_psk, 1);
5bf2eade 8563# else
0d8da779 8564 ADD_ALL_TESTS(test_tls13_psk, 4);
5bf2eade 8565# endif /* OPENSSL_NO_PSK */
8566# ifndef OPENSSL_NO_TLS1_2
8567 /* Test with both TLSv1.3 and 1.2 versions */
db26ec80 8568 ADD_ALL_TESTS(test_key_exchange, 14);
5bf2eade 8569# else
8570 /* Test with only TLSv1.3 versions */
8571 ADD_ALL_TESTS(test_key_exchange, 12);
8572# endif
bb01ef3f 8573 ADD_ALL_TESTS(test_custom_exts, 5);
c7b8ff25 8574 ADD_TEST(test_stateless);
9d75dce3 8575 ADD_TEST(test_pha_key_update);
a273157a 8576#else
bb01ef3f 8577 ADD_ALL_TESTS(test_custom_exts, 3);
a273157a 8578#endif
16afd71c 8579 ADD_ALL_TESTS(test_serverinfo, 8);
0fb2815b 8580 ADD_ALL_TESTS(test_export_key_mat, 6);
b38ede80
TT		 8581#ifndef OPENSSL_NO_TLS1_3
8582 ADD_ALL_TESTS(test_export_key_mat_early, 3);
3409a5ff 8583 ADD_TEST(test_key_update);
a77b4dba 8584 ADD_ALL_TESTS(test_key_update_in_write, 2);
b38ede80 8585#endif
e11b6aa4 8586 ADD_ALL_TESTS(test_ssl_clear, 2);
cf72c757 8587 ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
76fd7a1d
MC		 8588#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
8589 ADD_ALL_TESTS(test_srp, 6);
8590#endif
5718fe45 8591 ADD_ALL_TESTS(test_info_callback, 6);
4a432af8 8592 ADD_ALL_TESTS(test_ssl_pending, 2);
e401389a 8593 ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
a76ce286 8594 ADD_ALL_TESTS(test_ticket_callbacks, 16);
57d7b988 8595 ADD_ALL_TESTS(test_shutdown, 7);
e638112e 8596 ADD_ALL_TESTS(test_incorrect_shutdown, 2);
1a2a3a42 8597 ADD_ALL_TESTS(test_cert_cb, 6);
6e46c065 8598 ADD_ALL_TESTS(test_client_cert_cb, 2);
fb8c8359 8599 ADD_ALL_TESTS(test_ca_names, 3);
0d2bfe52
SL		 8600#ifndef OPENSSL_NO_TLS1_2
8601 ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
8602#endif
49ef3d07 8603 ADD_ALL_TESTS(test_servername, 10);
b1fdbc68
MC		 8604#if !defined(OPENSSL_NO_EC) \
8605 && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
b3842539 8606 ADD_ALL_TESTS(test_sigalgs_available, 6);
0c13cdf8
MC		 8607#endif
8608#ifndef OPENSSL_NO_TLS1_3
c8e3a4c6 8609 ADD_ALL_TESTS(test_pluggable_group, 2);
49a36a52
MC		 8610#endif
8611#ifndef OPENSSL_NO_TLS1_2
8612 ADD_TEST(test_ssl_dup);
33c39a06
MC		 8613# ifndef OPENSSL_NO_DH
8614 ADD_ALL_TESTS(test_set_tmp_dh, 11);
3105d846 8615 ADD_ALL_TESTS(test_dh_auto, 7);
33c39a06 8616# endif
b3842539 8617#endif
ad887416 8618 return 1;
b3842539
MC		 8619
8620 err:
8621 OPENSSL_free(cert);
8622 OPENSSL_free(privkey);
8623 OPENSSL_free(cert2);
8624 OPENSSL_free(privkey2);
8625 return 0;
ad887416 8626}
2cb4b5f6 8627
ad887416
P		 8628void cleanup_tests(void)
8629{
8778f0eb 8630# if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DH)
33c39a06
MC		 8631 EVP_PKEY_free(tmp_dh_params);
8632#endif
1a2a3a42
MC		 8633 OPENSSL_free(cert);
8634 OPENSSL_free(privkey);
b3842539
MC		 8635 OPENSSL_free(cert2);
8636 OPENSSL_free(privkey2);
3105d846
MC		 8637 OPENSSL_free(cert1024);
8638 OPENSSL_free(privkey1024);
8639 OPENSSL_free(cert3072);
8640 OPENSSL_free(privkey3072);
8641 OPENSSL_free(cert4096);
8642 OPENSSL_free(privkey4096);
8643 OPENSSL_free(cert8192);
8644 OPENSSL_free(privkey8192);
fa454945 8645 bio_s_mempacket_test_free();
a77b4dba 8646 bio_s_always_retry_free();
5e30f2fd 8647 OSSL_PROVIDER_unload(defctxnull);
b4250010 8648 OSSL_LIB_CTX_free(libctx);
2cb4b5f6 8649}
A mirror of the official openssl repository